Current behavior
The /dev/log socket is missing.
Expected behavior
The /dev/log socket should be there (as stated in the documentation):
....
--private-dev
Create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, snd, urandom, log and shm devices are available.
Example:
$ firejail --private-dev
Parent pid 9887, child pid 9888
Child process initialized
$ ls /dev
dri full log null ptmx pts random shm snd tty urandom zero
$
....
Additional info
Without the --private-dev option, the result is as follows:
@srv01:/home/nuxwin$ ls /dev/
autofs full network_latency sda5 tty11 tty24 tty37 tty5 tty62 vcs2 vhci
block fuse network_throughput sg0 tty12 tty25 tty38 tty50 tty63 vcs3 vhost-net
bsg hpet null sg1 tty13 tty26 tty39 tty51 tty7 vcs4 watchdog
btrfs-control hugepages port shm tty14 tty27 tty4 tty52 tty8 vcs5 watchdog0
cdrom initctl ppp snapshot tty15 tty28 tty40 tty53 tty9 vcs6 xconsole
char input psaux snd tty16 tty29 tty41 tty54 ttyS0 vcsa zero
console kmsg ptmx sr0 tty17 tty3 tty42 tty55 ttyS1 vcsa1
core log pts stderr tty18 tty30 tty43 tty56 ttyS2 vcsa2
cpu loop-control random stdin tty19 tty31 tty44 tty57 ttyS3 vcsa3
cpu_dma_latency mapper rtc stdout tty2 tty32 tty45 tty58 uhid vcsa4
cuse mcelog rtc0 tty tty20 tty33 tty46 tty59 uinput vcsa5
disk mem sda tty0 tty21 tty34 tty47 tty6 urandom vcsa6
dvd mqueue sda1 tty1 tty22 tty35 tty48 tty60 vcs vfio
fd net sda2 tty10 tty23 tty36 tty49 tty61 vcs1 vga_arbiter
With the --private-dev option, the result is as follows:
@srv01:/home/nuxwin$ ls /dev/
full null ptmx pts random shm snd tty urandom zero
@srv01:/home/nuxwin$
Info about my environment:
root@srv01:/usr/local/etc/firejail# firejail --version
firejail version 0.9.42~rc1
X11 support is disabled.
root@srv01:/usr/local/etc/firejail# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 8.5 (jessie)
Release: 8.5
Codename: jessie
root@srv01:/var/chroot/InstantSSH/shared_jail/dev# systemctl --version
systemd 215
+PAM +AUDIT +SELINUX +IMA +SYSVINIT +LIBCRYPTSETUP +GCRYPT +ACL +XZ -SECCOMP -APPARMOR
root@srv01:/var/chroot/InstantSSH/shared_jail/dev# ls -la /dev/log
lrwxrwxrwx 1 root root 28 août 11 01:06 /dev/log -> /run/systemd/journal/dev-log
Note that the chroot is created with makejail and some internal utilities.
Thank you for your interest.
On 13/08/2016 at 04:38, Fred Barclay wrote:
For what it's worth, /dev/log is present on my machine when using
the --private-dev option:
$ firejail --private-dev dash
...
$ ls /dev
dri full log null ptmx pts random shm snd tty urandom zero
Comparatively, the following is visible outside of firejail:
$ ls /dev
autofs disk kmsg null sda2 snapshot tty13 tty24 tty35 tty46
tty57 ttyS1 vcs1 vcsa4 block dm-0 kvm port sda3 snd tty14 tty25 tty36
tty47 tty58 ttyS2 vcs2 vcsa5 bsg dri log ppp sda4 sr0 tty15 tty26
tty37 tty48 tty59 ttyS3 vcs3 vcsa6 btrfs-control dvd loop-control
psaux sda5 stderr tty16 tty27 tty38 tty49 tty6 uhid vcs4 vcsa7 bus
dvdrw MAKEDEV ptmx sda6 stdin tty17 tty28 tty39 tty5 tty60 uinput vcs5
vcsa8 cdrom ecryptfs mapper pts sda7 stdout tty18 tty29 tty4 tty50
tty61 urandom vcs6 vfio cdrw fb0 mcelog random sda8 tty tty19 tty3
tty40 tty51 tty62 v4l vcs7 vga_arbiter char fd media0 rfkill sdb tty0
tty2 tty30 tty41 tty52 tty63 vboxdrv vcs8 vhci console full mem rtc
sg0 tty1 tty20 tty31 tty42 tty53 tty7 vboxdrvu vcsa vhost-net core
fuse net rtc0 sg1 tty10 tty21 tty32 tty43 tty54 tty8 vboxnetctl vcsa1
video0 cpu_dma_latency hpet network_latency sda sg2 tty11 tty22 tty33
tty44 tty55 tty9 vboxusb vcsa2 xconsole cuse input network_throughput
sda1 shm tty12 tty23 tty34 tty45 tty56 ttyS0 vcs vcsa3 zero
My OS is LMDE 2 "Betsy" (close to, but not the same as, Debian Jessie).
Firejail looks like this:
$ firejail --version
firejail version 0.9.42~rc2
Compile time support:
- AppArmor support is disabled
- bind support is enabled
- chroot support is enabled
- file and directory whitelisting support is enabled
- file transfer support is enabled
- networking support is enabled
- seccomp-bpf support is enabled
- user namespace support is enabled
- X11 snadboxing support is enabled
@Fred-Barclay
You've removed your comment but I'll answer you ;)
$ firejail --private-dev dash
Works also for me. In such a case, the /dev/log socket is present.
However, I've clearly mentioned that the problem occurs when using
the --private-dev option with the --chroot option (the case of a login shell
via FireJail).
Thank you.
Laurent Declercq
iHMS/i-MSCP Project Director
@nuxwin Right... I hadn't noticed that you used --chroot as well when I made that reply. :smile: Once I realised it I deleted my comment.
@Fred-Barclay No grave ;)
Anyway, from my point of view, re-mounting /dev/log is something strange. What will be the result if the syslog daemon is restarted? Normally, we use a proxy (syslogproxyd), but here it seems that there is no way to tell firejail not to take care of /dev/log.
@netblue30 You're thinking about this?
Ugly bug!
@netblue30
Would be great to have a fix as soon as possible. Then I would be able to release my InstantSSH plugin with FireJail support. I hope that the problem doesn't come from systemd (they played a lot with syslog and their journal)... I'll try with a distro without systemd to see if I can reproduce.
BTW: No pressure ;)
@netblue30 Bug found. On the latest Debian distros with systemd (such as Jessie), /dev/log is a symlink to /run/systemd/journal/dev-log. Once I mounted /run/systemd/journal/dev-log (I mounted the full rundir, in fact) in my chroot, this worked as expected. I'll provide a fix soon. We should avoid mounting the full system rundir inside the chroot, so I'll see how we can handle that.
Note that even without the --private-dev option this doesn't work in chroot as long as /run/systemd/journal/dev-log is not mounted inside the chroot.
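As an added example (not from this thread or from the firejail project), a POSIX shell check that reports whether a chroot's /dev/log is a live socket, a symlink dangling at an unmounted journal socket (the failure described above), or absent. The chroot tree it builds is constructed to mirror the Jessie host, where /dev/log points at /run/systemd/journal/dev-log.

```shell
#!/bin/sh
# check_dev_log ROOT
# Prints "socket", "dangling:<target>", "notsocket" or "missing" and
# returns 0 only when a syslog socket is actually reachable under ROOT.
# A symlink is resolved relative to ROOT, not the host, which is exactly
# what a process inside the chroot sees.
check_dev_log() {
  root=$1
  link="$root/dev/log"
  if [ ! -e "$link" ] && [ ! -L "$link" ]; then
    echo "missing"; return 1
  fi
  if [ -L "$link" ]; then
    target=$(readlink "$link")
    case $target in
      /*) resolved="$root$target" ;;        # absolute link: re-root it
      *)  resolved="$root/dev/$target" ;;   # relative link: relative to /dev
    esac
  else
    resolved=$link
  fi
  if [ ! -e "$resolved" ]; then
    echo "dangling:${resolved#"$root"}"; return 1
  fi
  if [ -S "$resolved" ]; then
    echo "socket"; return 0
  fi
  echo "notsocket"; return 1
}

# Constructed chroot skeleton: only /dev/log, laid out like the Jessie host.
build_jessie_like_chroot() {
  root=$(mktemp -d)
  mkdir -p "$root/dev"
  ln -s /run/systemd/journal/dev-log "$root/dev/log"
  echo "$root"
}

# Demo: the bare chroot dangles; after the journal path is populated the
# check no longer reports dangling. A placeholder file stands in for the
# bind-mounted socket here, so the result is "notsocket" rather than "socket".
demo() {
  root=$(build_jessie_like_chroot)
  echo "bare chroot:        $(check_dev_log "$root")"
  mkdir -p "$root/run/systemd/journal"
  : > "$root/run/systemd/journal/dev-log"
  echo "with target present: $(check_dev_log "$root")"
}
demo
```

On a real host, replace the placeholder with a bind mount of /run/systemd/journal/dev-log (or a syslog proxy socket) at the same path inside the chroot and the check reports "socket".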
Sure, send a patch. Thanks!