netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

firefox: Warning: I can run programs in /run/user/1000 #6445

Closed Utini2000 closed 2 months ago

Utini2000 commented 3 months ago

Hi all,

I noticed that jailcheck reports for firefox with the stock firefox.profile (no modifications):

68426:username::/usr/bin/firejail /usr/bin/firefox 
   Virtual dirs: /home/username, /tmp, /var/tmp, /dev, /usr/share, 
                 /run/user/1000, 
   Warning: I can run programs in /run/user/1000
   Networking: enabled

I think this might be due to using PSD (profile daemon sync) and having the whole firefox profile in tmpfs. Adding "noexec /run/user/1000/" didn't help.

But I guess it should not be possible for firefox to exec something in /run/user/1000/ for security reasons?

rusty-snake commented 3 months ago

https://github.com/netblue30/firejail/blob/e8b693c814a4e157bcae6f5c60d1624d185d8837/etc/profile-a-l/firefox-common.profile#L12

Utini2000 commented 3 months ago

@rusty-snake thanks for the hint! I can't recall enabling it manually. Shouldn't it be disabled out of the box for security reasons?

rusty-snake commented 3 months ago

It is disabled by default: https://github.com/netblue30/firejail/blob/e8b693c814a4e157bcae6f5c60d1624d185d8837/etc/firejail.config#L22-L23

Utini2000 commented 2 months ago

Thanks!