pigmonkey / firewarden

Open a file via the specified application within a private Firejail sandbox.
The Unlicense

broken #5

Closed cyrinux closed 6 years ago

cyrinux commented 6 years ago

Hi man, I have been getting this for a few days. I use Arch with the latest firejail-git r4189.0c2cbf05-1.

❯ firewarden -d -i chromium https://www.nsa.gov/ia/
Reading profile /home/cyril/.config/firejail/chromium.profile
Reading profile /home/cyril/.config/firejail/chromium-common.profile
Reading profile /etc/firejail/chromium-common.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 15614, child pid 15615

Interface        MAC                IP               Mask             Status
lo                                  127.0.0.1        255.0.0.0        UP    
eth0-15614       A7:67:6C:85:99:C1  10.10.33.33      255.255.0.0      UP    

Error: "firewarden/2018-08-29T09:19:43+02:00" is an invalid filename
Error: proc 15614 cannot sync with peer: unexpected EOF

Any idea?

pigmonkey commented 6 years ago

I only use stable firejail releases, and don't follow its development closely between releases, so I'm not sure what they changed to cause this.

The invalid filename is related to either our --private-srv or --private-opt flags. Firewarden passes both of those bogus filenames because (as of firejail 0.9.54) that is the only way to end up with empty /srv and /opt in the jail. Perhaps firejail is changing those flags to act more like --private-dev.

The firewarden command you gave is the equivalent of running (except for the network isolation):

/usr/bin/firejail --private-srv=firewarden/2018-08-29T09:19:43+02:00 --private-opt=firewarden/2018-08-29T09:19:43+02:00 --private --private-dev chromium --no-first-run --no-default-browser-check --enforce-webrtc-ip-permission-check https://www.nsa.gov/ia/

Try running that and you should get the same error.

Try taking out --private-srv and --private-opt and see if either of those fixes it.
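
The triage suggested in the comment above (run the jail with and without each flag), as an added example that is not part of the original thread or of firewarden. The function names and the `FIREJAIL` override variable are assumptions of this example; it uses only the firejail options that appear in this thread plus `--quiet`.

```shell
#!/usr/bin/env bash
# Added example: narrow down which firejail flag rejects a placeholder value.
# FIREJAIL may name a different binary (assumption: defaults to "firejail" on PATH).

# run_case LABEL [firejail args...]
# Runs `true` inside a jail with the given args and prints "LABEL: ok" or "LABEL: FAIL".
run_case() {
    local label=$1
    shift
    if "${FIREJAIL:-firejail}" --quiet --noprofile "$@" true >/dev/null 2>&1; then
        printf '%s: ok\n' "$label"
    else
        printf '%s: FAIL\n' "$label"
    fi
}

# triage_private_flags VALUE
# Tries VALUE with neither flag, with each flag alone, and with both together,
# so a rejected value can be pinned to --private-srv, --private-opt, or both.
triage_private_flags() {
    local value=$1
    run_case "baseline (neither flag)"
    run_case "--private-srv only" "--private-srv=$value"
    run_case "--private-opt only" "--private-opt=$value"
    run_case "both flags" "--private-srv=$value" "--private-opt=$value"
}

# Usage, with the value from the error message and the simpler one tried later:
#   triage_private_flags 'firewarden/2018-08-29T09:19:43+02:00'
#   triage_private_flags 'nonexistentfile'
```

A FAIL on the baseline line means the problem is unrelated to the two flags.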

cyrinux commented 6 years ago

Hey @pigmonkey, thanks for the reply. This works without --private-srv and --private-opt.

pigmonkey commented 6 years ago

Can you pass --private-srv and --private-opt without additional options and still end up with empty directories?

$ firejail --noprofile --private-srv --private-opt bash
$ ls /srv
$ ls /opt

cyrinux commented 6 years ago

--private-opt and --private-srv are invalid args without a value :/

pigmonkey commented 6 years ago

And firejail --noprofile --private-srv=nonexistentfile bash throws the invalid filename error?

cyrinux commented 6 years ago

No, true, this works: firejail --noprofile --private-srv=nonexistentfile bash, with an empty /srv dir.

❯ firejail --noprofile --private-srv=nonexistentfile bash
Parent pid 30701, child pid 30702
Warning: skipping nonexistentfile for private /srv
Private /srv installed in 0.20 ms
Child process initialized in 26.68 ms

Same for opt and srv

❯ firejail --noprofile --private-srv=nonexistentfile --private-opt=nonexistentfile bash
Parent pid 31277, child pid 31278
Warning: skipping nonexistentfile for private /opt
Private /opt installed in 0.25 ms
Warning: skipping nonexistentfile for private /srv
Private /srv installed in 0.12 ms
Child process initialized in 36.31 ms
[cyril@laptop ~]$ ls /opt/
[cyril@laptop ~]$ ls /opt/
[cyril@laptop ~]$ 

pigmonkey commented 6 years ago

Does 7017f485 fix it?

cyrinux commented 6 years ago

Yes man, this fixes it 👍 🍺