Firejail: Whitelisting doesn't work if whitelisted path is a symlink

Created on 26 Mar 2016  路  21Comments  路  Source: netblue30/firejail 
cp -a ~/Downloads /opt/
ln -s /opt/Downloads ~/Downloads
ln -s /usr/bin/firejail /usr/local/bin/firefox
firefox

error is:

Error: invalid whitelist path /home/n1trux/Downloads
enhancement
Source
picture n1trux
👍4

All 21 comments

I guess I should allow this type of functionality. Let me think about it, thanks!

netblue30 picture netblue30 on 26 Mar 2016
👍1

+1 - worked with older versions (in Ubuntu) but stopped working on current version

tobykurien picture tobykurien on 31 Mar 2016

Same here.
I can't access .mplayer path from firefox cause It's a symlink to my dotfiles.

Even more I think I can't blacklist /bin -> /usr/bin from firefox for the very same reason and private-bin is not working either...

liloman picture liloman on 23 Apr 2016

I have the issue too: my .cache is symlinked to /dev/shm/unburden-username/cache using unburden-home-dir and the default FF profile from /etc/firejail/firefox.profile leads to
Error: invalid whitelist path /home/username/.cache/mozilla/firefox

PS: using version from debian testing

sciamano picture sciamano on 14 Jun 2016
👍1

I think I will have to drop this enhancement. I cannot allow symlinks from /home/user and from /tmp directories. There will be tones of security problems related to SUID binary. The safe thing for now is to wait, maybe somebody comes up with an idea how this can be done safely.

netblue30 picture netblue30 on 14 Jun 2016

So which do you think will be the solution for those using symlinks?

Hardlinks? (if the same partition)

I have to do something with this issue for sure cause the .mplayer issue is rather cumbersome for me (but how there isn't audio yet it is really not important cause I stopped launching mplayer/youtube-dl from the brower, bothersome but "temporal" till fixed the sound issue). ;)

liloman picture liloman on 20 Jun 2016

I don't know, maybe I can allow it on Grsecurity systems. It is really a kernel problem, never recognized as such by the kernel people.

netblue30 picture netblue30 on 20 Jun 2016

They are starting to implement grsecurity now... so who knows? :dancer:

What about checking for symlinks and using readlink to point to the target dir? It would be a userspace solution and Torvalds would be pretty happy about that. ;)

liloman picture liloman on 22 Jun 2016
👍1

Whitelisting symlinks outside user home directory is implemented.

netblue30 picture netblue30 on 12 Jul 2016

Awesome man. :)

I just figured it out right now.

Nice!

liloman picture liloman on 20 Jul 2016

Not working for me. Using 0.9.54

TensorTom picture TensorTom on 22 Jul 2018 
firejail --apparmor opera --disable-seccomp-filter-sandbox
Reading profile /home/zbyszek/.config/firejail/opera.profile
Reading profile /etc/firejail/chromium-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 3692, child pid 3693
Error: invalid whitelist path /home/zbyszek/.config/opera
Error: proc 3692 cannot sync with peer: unexpected EOF
Peer 3693 unexpectedly exited with status 1
Linux-Fan picture Linux-Fan on 22 Feb 2020

Same problem here (Arch Linux x86-64, apparmor enabled). Firefox will start but I'll get an error message that I can't save my downloads to ~/Downloads which is a symlink to a downloads folder on another btrfs subvolume.

cjsthompson picture cjsthompson on 27 Feb 2020

@cjsthompson Where exactly is that other btrfs subvolume mounted? Keep in mind that /etc/firejail/firefox-common.profile uses disable-mnt, so that will block access to /mnt, /media, /run/mount and /run/media. You will have to explicitly grant access to the symlinked downloads folder.

glitsj16 picture glitsj16 on 27 Feb 2020

It's mounted on /data and chown -R ~user.~user and chmod -R 0750.

cjsthompson picture cjsthompson on 27 Feb 2020

@cjsthompson Have you tried adding whitelist /data to a firefox-common.local file yet?

glitsj16 picture glitsj16 on 27 Feb 2020

Not a firefox-common.local but the /etc/firejail/whitelist-common.local and when I do that, then firefox won't start at all with "invalid whitelist path".

cjsthompson picture cjsthompson on 28 Feb 2020

/data is unusual path. Maybe you could use /mnt or /media ?

Vincent43 picture Vincent43 on 28 Feb 2020

I found the problem. It's in /etc/apparmor.d/firejail-default :

##########
# Allow write access to paths writable in firejail which aren't used for
# executing programs. /run, /proc and /sys are handled separately.
# Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes.
##########
/{,run/firejail/mnt/oroot/}{dev,etc,home,media,mnt,root,srv,tmp,var}/** w,

Adding /data to this list fixes the problem. Perhaps it would be useful to mention this somewhere.

cjsthompson picture cjsthompson on 6 Mar 2020

You may add local apparmor modifications to /etc/apparmor.d/local/firejail-{default,local} like:
/data/** w,

Vincent43 picture Vincent43 on 6 Mar 2020

That's indeed even better. Thanks for the tip.

cjsthompson picture cjsthompson on 6 Mar 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

ghost picture ghost  路  3Comments
semente picture semente  路  4Comments
reinerh picture reinerh  路  3Comments
francoism90 picture francoism90  路  4Comments
yourcelf picture yourcelf  路  4Comments