netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0
5.83k stars 568 forks

mkdir command works even when the path is blacklisted #6447

Closed elde-n closed 3 months ago

elde-n commented 3 months ago

The mkdir command in a profile file bypasses nowhitelist and blacklist override

Example: test.local

nowhitelist ${HOME}/test
blacklist ${HOME}/test

test.profile

mkdir ${HOME}/test

rusty-snake commented 3 months ago

It does not bypass them because it can not "bypass" them. You can not protect firejail from firejail with firejail.

So what's going on

1.

nowhitelist ${HOME}/test
mkdir ${HOME}/test

Firejail sees two commands, one asking to ignore any following whitelist ${HOME}/test command. And one command asking to create a directory at ${HOME}/test. One could say mkdir should respect a nowhitelist like it should for --private= (which has a bug and does not respect --private=). But see the next.

2.

blacklist ${HOME}/test
mkdir ${HOME}/test

Firejail sees two commands, one asking to blacklist ${HOME}/test if it exists. And one command asking to create a directory at ${HOME}/test. While this order isn't very useful, flipping these two lines can make a difference between a sandbox escape and blocking it.

elde-n commented 3 months ago

Well, how would I avoid calling mkdir in a default profile? For example, the default neomutt profile creates 6 trash directories in the home directory that are never used on my system.

rusty-snake commented 3 months ago

Add ignore mkdir <PATH> to your neomutt.local.

elde-n commented 3 months ago

Thank you, it's exactly what I was looking for!
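
One way to generate the `ignore mkdir <PATH>` lines suggested above for a `.local` file, as an added example that is not part of the original thread or firejail's own code. The profile and `.local` text are constructed samples (not the real neomutt.profile), and the function names and the `keep` parameter are hypothetical.

```python
# Constructed sample profile text; paths are placeholders, not the real neomutt.profile.
SAMPLE_PROFILE = """\
# constructed example profile
noblacklist ${HOME}/.example-mailrc
mkdir ${HOME}/ExampleMail
mkdir ${HOME}/example-sent
mkdir ${HOME}/example-postponed
mkfile ${HOME}/.example-mailrc
whitelist ${HOME}/ExampleMail
"""

# Constructed sample of an existing .local override file.
SAMPLE_LOCAL = "ignore mkdir ${HOME}/example-sent\n"


def mkdir_paths(profile_text):
    """Return the argument of every `mkdir` command in a profile, in file order."""
    paths = []
    for raw in profile_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # skip blanks and comment lines
            continue
        cmd, _, arg = line.partition(" ")
        if cmd == "mkdir" and arg.strip():     # `mkfile` and others are left alone
            paths.append(arg.strip())
    return paths


def ignore_lines(profile_text, local_text="", keep=()):
    """Lines to append to <name>.local so unwanted mkdir commands are skipped.

    keep: paths whose mkdir should still run (directories you actually use).
    Assumption: each ignore line repeats the profile's mkdir line verbatim,
    following the `ignore mkdir <PATH>` form given in the thread.
    """
    already = {l.strip() for l in local_text.splitlines()}
    out = []
    for path in mkdir_paths(profile_text):
        line = f"ignore mkdir {path}"
        if path in keep or line in already or line in out:
            continue                            # wanted, or already overridden
        out.append(line)
    return out


if __name__ == "__main__":
    for l in ignore_lines(SAMPLE_PROFILE, SAMPLE_LOCAL, keep={"${HOME}/ExampleMail"}):
        print(l)
```

Paths are kept in their `${HOME}` form, unexpanded, so the generated lines match the profile text.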