netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

Option to disable suid calls, except to firejail #7

Closed boltronics closed 9 years ago

boltronics commented 9 years ago

I've got a nice setup with firejail for icedove and iceweasel, where my shortcuts and Xfce "preferred applications" settings all have the application commands prefixed with firejail. So far so good.

But then I open an e-mail in Icedove and want to click on a link somebody e-mailed me. It goes to open firejail iceweasel and fails - no suid support. I can't call iceweasel directly either, since the icedove profile is blocking .mozilla which iceweasel requires. I have to open iceweasel up manually first, and only then click on the link, which gets tiresome after a while.

It would be nice to have a profile option (if it's technically possible) to have the suid /usr/bin/firejail binary available for execution to apps like icedove, but no other suid binary. That should make the software more usable in situations like the one described.

netblue30 commented 9 years ago

But then I open an e-mail in Icedove and want to click on a link somebody e-mailed me. It goes to open firejail iceweasel and fails - no suid support.

This is because "firejail icedove" disables SUID binaries, and "firejail iceweasel" will fail because it needs SUID. I'll mark it as a bug; it needs to be fixed. Thanks.

netblue30 commented 9 years ago

I think I have a fix; give it a try. When it starts, Firejail checks if it is running in a sandbox, and will start the program as is if a sandbox is detected. Works fine for me in icedove:

$ icedove
Reading profile /etc/firejail/icedove.profile
Reading profile /etc/firejail/thunderbird.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-history.inc
Parent pid 3180, child pid 3181

Child process initialized

(icedove:1): GConf-WARNING **: Client failed to connect to the D-BUS daemon:
Failed to connect to socket /tmp/dbus-0UXCvH5q8u: Connection refused

** (icedove:1): WARNING **: Could not connect: Connection refused
Warning: an existing sandbox was detected. /usr/bin/iceweasel https://lxer.com will run without any additional sandboxing features in a /bin/sh shell

You will get that warning from Firejail, "an existing sandbox was detected", and iceweasel will be started in the sandbox set by icedove.
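The nested-sandbox check described in this thread, written as a small launcher wrapper. This is an added example, not firejail's own code; the detection method is an assumption (it checks the `container=firejail` environment variable that newer firejail versions set, and whether the sandbox init, pid 1 in the pid namespace, is firejail), and the decision logic is separated into a function so it can be exercised without a real sandbox.

```shell
#!/bin/sh
# Added example: a wrapper that avoids launching a second firejail from inside
# an existing sandbox, where the outer sandbox has already dropped SUID support.

# Report whether this process already runs inside a firejail sandbox.
# Assumed indicators: env var container=firejail, or pid 1 named "firejail".
in_firejail_sandbox() {
    if [ "${container:-}" = "firejail" ]; then
        return 0
    fi
    if [ -r /proc/1/comm ] && [ "$(cat /proc/1/comm 2>/dev/null)" = "firejail" ]; then
        return 0
    fi
    return 1
}

# Print the command line that should be run for a program.
# $1      = "yes" if a sandbox was already detected, "no" otherwise
# $2...   = program and its arguments
# Inside a sandbox a nested firejail would need the SUID bit that the outer
# sandbox disabled, so the program is run as is and inherits the outer sandbox.
choose_launcher() {
    already="$1"
    shift
    if [ "$already" = "yes" ]; then
        printf '%s\n' "$*"
    else
        printf 'firejail %s\n' "$*"
    fi
}

# Entry point for use as a link handler, e.g. "sandboxed-launch iceweasel URL".
# Not called automatically so the functions above can be sourced and tested.
sandboxed_launch() {
    if in_firejail_sandbox; then
        echo "Warning: an existing sandbox was detected. $* will run without any additional sandboxing" >&2
        exec "$@"
    fi
    exec firejail "$@"
}
```

Install the script under a name such as `sandboxed-launch` and point the mail client's URL handler at it; when icedove itself runs under firejail, the wrapper falls through to the direct exec instead of failing on the missing SUID bit.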