Firejail: Maximum profile include level was reached

Created on 23 Jun 2018  路  5Comments  路  Source: netblue30/firejail

I seem to have a quite customized setup, and since version 0.9.54 firejail complains (and fails starting) with the above message if I try to start thunderbird (edit: I should say that I linked /usr/local/bin/thunderbird to firejail):

$ thunderbird
Reading profile /home/fe/.config/firejail/thunderbird.profile
Reading profile /home/fe/.local/share/firejail/thunderbird.local
Reading profile /etc/firejail/thunderbird.profile
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-common.local
Reading profile /home/fe/.config/firejail/disable-common.inc.local
Error: maximum profile include level was reached

The file /home/fe/.local/share/firejail/thunderbird.local doesn't include anything, so /home/fe/.config/firejail/disable-common.inc.local is on the 7th include level. This file contains one further include of ~/.local/share/firejail/disable-common.local but the chain ends there.

My guess is that this happens because the thunderbird profile now includes the firefox profile.

Why is the limit so low? I couldn't find any option to increase the maximum include level.

bug
Source
picture ferreum

Most helpful comment

Yes, it was to prevent infinite recursion - increased the level to 16 - https://github.com/netblue30/firejail/commit/bc2a81b29961243bdec88dcbb3cd7e7f88ea50e4

picture netblue30 on 30 Jun 2018
👍2

All 5 comments

The limit is 6, defined as MAX_INCLUDE_LEVEL https://github.com/netblue30/firejail/blob/dc96a6c6fa677dcad87119bf828f6cea16c8d56d/src/firejail/firejail.h#L107

and it is enforced here
https://github.com/netblue30/firejail/blob/dc96a6c6fa677dcad87119bf828f6cea16c8d56d/src/firejail/profile.c#L1224-L1228

According to git blame it was added back in the early days before we had .local and .global files.
We should probably consider increasing it maybe to 8 or 10.

SkewedZeppelin picture SkewedZeppelin on 24 Jun 2018
👍1

@netblue30 why do we have an include limit?

Fred-Barclay picture Fred-Barclay on 24 Jun 2018

Maybe to prevent recursion?

reinerh picture reinerh on 26 Jun 2018
👍2

To prevent (infinite) recursion, the limit doesn't need to be this low - may aswell increase it to 32 or higher. What I'm concerned about is that each recursion may need a hard to determine amout of stack, so this could lead to security issues from stack overflows. This is also why I refrained from patching the limit myself.

ferreum picture ferreum on 26 Jun 2018

Yes, it was to prevent infinite recursion - increased the level to 16 - https://github.com/netblue30/firejail/commit/bc2a81b29961243bdec88dcbb3cd7e7f88ea50e4

netblue30 picture netblue30 on 30 Jun 2018
👍2
Was this page helpful?
0 / 5 - 0 ratings

Related issues

dandelionred picture dandelionred  路  3Comments
polyzen picture polyzen  路  4Comments
SkewedZeppelin picture SkewedZeppelin  路  3Comments
semente picture semente  路  4Comments
reinerh picture reinerh  路  3Comments