Firejail: /dev/null created with wrong permissions

Created on 28 Mar 2019 · 6 Comments · Source: netblue30/firejail

Noticed when trying to start calibre:

$ calibre
Reading profile /etc/firejail/calibre.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 30619, child pid 30620
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Blacklist violations are logged to syslog
Child process initialized in 92.58 ms
Traceback (most recent call last):
  File "/usr/bin/calibre", line 20, in <module>
    sys.exit(calibre())
  File "/usr/lib/calibre/calibre/gui_launch.py", line 74, in calibre
    main(args)
  File "/usr/lib/calibre/calibre/gui2/main.py", line 556, in main
    gui_debug=gui_debug)
  File "/usr/lib/calibre/calibre/gui2/main.py", line 380, in run_gui
    app.load_builtin_fonts(scan_for_fonts=True)
  File "/usr/lib/calibre/calibre/gui2/__init__.py", line 948, in load_builtin_fonts
    from calibre.utils.fonts.scanner import font_scanner
  File "/usr/lib/calibre/calibre/utils/fonts/scanner.py", line 400, in <module>
    font_scanner = FontScanner()
  File "/usr/lib/calibre/calibre/utils/fonts/scanner.py", line 199, in __init__
    self.folders = folders + font_dirs() + [os.path.join(config_dir, 'fonts'),
  File "/usr/lib/calibre/calibre/utils/fonts/scanner.py", line 119, in font_dirs
    return fc_list()
  File "/usr/lib/calibre/calibre/utils/fonts/scanner.py", line 41, in fc_list
    lib = find_library('fontconfig')
  File "/usr/lib/python2.7/ctypes/util.py", line 274, in find_library
    return _findSoname_ldconfig(name) or _get_soname(_findLib_gcc(name))
  File "/usr/lib/python2.7/ctypes/util.py", line 258, in _findSoname_ldconfig
    null = open(os.devnull, 'wb')
IOError: [Errno 13] Permission denied: '/dev/null'

Parent is shutting down, bye...

and indeed:

firejail --profile=/etc/firejail/calibre.profile bash -c 'ls -l /dev/'
Reading profile /etc/firejail/calibre.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 14180, child pid 14181
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Blacklist violations are logged to syslog
Child process initialized in 132.88 ms
total 0
crw-rw-rw- 1 nobody nobody 1, 7 03-28 13:31 full
srw-rw-rw- 1 nobody nobody    0 03-28 11:33 log
-r-------- 1 nobody nobody    0 03-28 11:34 null
lrwxrwxrwx 1 nobody nobody   13 03-28 13:31 ptmx -> /dev/pts/ptmx
drwxr-xr-x 2 nobody nobody    0 03-28 13:31 pts
crw-rw-rw- 1 nobody nobody 1, 8 03-28 13:31 random
drwxrwxrwt 2 nobody nobody   40 03-28 13:31 shm
crw-rw-rw- 1 nobody nobody 5, 0 03-28 13:31 tty
crw-rw-rw- 1 nobody nobody 1, 9 03-28 13:31 urandom
crw-rw-rw- 1 nobody nobody 1, 5 03-28 13:31 zero

Parent is shutting down, bye...

Arch Linux, firejail 0.9.58.2-1:

firejail --version
firejail version 0.9.58.2

Compile time support:
    - AppArmor support is disabled
    - AppImage support is enabled
    - chroot support is enabled
    - file and directory whitelisting support is enabled
    - file transfer support is enabled
    - networking support is enabled
    - overlayfs support is enabled
    - private-home support is enabled
    - seccomp-bpf support is enabled
    - user namespace support is enabled
    - X11 sandboxing support is enabled

All 6 comments

Interesting, for me it is ok in latest git version:

firejail --profile=/etc/firejail/calibre.profile bash -c 'ls -l /dev/'
Reading profile /etc/firejail/calibre.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-programs.local
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 8959, child pid 8960
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Blacklist violations are logged to syslog
Child process initialized in 94.79 ms
total 0
crw-rw-rw- 1 nobody nobody 1, 7 Mar 29 12:40 full
srw-rw-rw- 1 nobody nobody    0 Mar 29 11:35 log
crw-rw-rw- 1 nobody nobody 1, 3 Mar 29 12:40 null
lrwxrwxrwx 1 nobody nobody   13 Mar 29 12:40 ptmx -> /dev/pts/ptmx
drwxr-xr-x 2 nobody nobody    0 Mar 29 12:40 pts
crw-rw-rw- 1 nobody nobody 1, 8 Mar 29 12:40 random
drwxrwxrwt 2 nobody nobody   40 Mar 29 12:40 shm
crw-rw-rw- 1 nobody nobody 5, 0 Mar 29 12:40 tty
crw-rw-rw- 1 nobody nobody 1, 9 Mar 29 12:40 urandom
crw-rw-rw- 1 nobody nobody 1, 5 Mar 29 12:40 zero

@Vincent43 @viq @SkewedZeppelin Can reproduce with every profile that includes disable-programs.inc

$ firejail --debug ls -l /dev/null | grep /dev/null
…
Disable /dev/null (requested /home/USER/.wget-hsts)
…
$ ls -l .wget-hsts 
lrwxrwxrwx. … … …  .wget-hsts -> /dev/null

I have symlinked .wget-hsts to /dev/null so that wget does not make HSTS entries; because since 0.9.58 .wget-hsts is blacklisted, FJ also blacklisted /dev/null.
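The failure mode described in the comment above (a blacklist entry inside the home directory that is a symlink, so the sandbox ends up disabling the link target, here /dev/null, instead of the link) can be caught before launching a sandbox. The script below is an added example, not code from the firejail project: it builds a throwaway fake home directory with a constructed `.wget-hsts -> /dev/null` symlink, then audits a list of would-be blacklist entries and flags any whose real path escapes the home tree or lands on a device node. The function names (`audit_blacklist`, `dangerous_entries`, `build_demo_home`) are hypothetical.

```python
import os
import stat
import tempfile
from pathlib import Path


def audit_blacklist(home, entries):
    """Resolve each blacklist entry (given relative to `home`) the way a
    symlink-following blacklist would, and report where it really lands.

    Returns one dict per entry with the requested path, the resolved path,
    whether the entry is a symlink, whether the resolved path is outside
    `home`, and whether it is a character/block device node."""
    home = os.path.realpath(home)
    results = []
    for entry in entries:
        requested = os.path.join(home, entry)
        record = {
            "entry": entry,
            "requested": requested,
            "present": os.path.lexists(requested),  # True for dangling links too
            "symlink": False,
            "resolved": None,
            "escapes_home": False,
            "device": False,
        }
        if record["present"]:
            resolved = os.path.realpath(requested)
            record["symlink"] = os.path.islink(requested)
            record["resolved"] = resolved
            # commonpath() of home and the target is home itself only when
            # the target is inside the home tree.
            record["escapes_home"] = os.path.commonpath([home, resolved]) != home
            try:
                mode = os.stat(resolved).st_mode
                record["device"] = stat.S_ISCHR(mode) or stat.S_ISBLK(mode)
            except OSError:
                # dangling symlink: nothing to stat, but the escape check stands
                pass
        results.append(record)
    return results


def dangerous_entries(home, entries):
    """Names of the entries that a symlink-following blacklist would turn
    into a blacklist of something outside home or of a device node."""
    return [
        r["entry"]
        for r in audit_blacklist(home, entries)
        if r["present"] and (r["escapes_home"] or r["device"])
    ]


def build_demo_home():
    """Constructed fake home: one link to /dev/null (the case from the
    issue), one ordinary dotfile, one link that stays inside home."""
    home = tempfile.mkdtemp(prefix="fakehome-")
    os.symlink("/dev/null", os.path.join(home, ".wget-hsts"))
    Path(home, ".bash_history").write_text("")
    os.symlink(os.path.join(home, ".bash_history"),
               os.path.join(home, ".history-link"))
    return home


if __name__ == "__main__":
    demo_home = build_demo_home()
    # constructed list of entries a profile might blacklist under ${HOME}
    wanted = [".wget-hsts", ".bash_history", ".history-link", ".not-there"]
    for r in audit_blacklist(demo_home, wanted):
        print(f"{r['entry']:<16} present={r['present']!s:<5} symlink={r['symlink']!s:<5} "
              f"escapes_home={r['escapes_home']!s:<5} device={r['device']!s:<5} "
              f"-> {r['resolved']}")
    print("would misfire on:", dangerous_entries(demo_home, wanted))
```

Running it prints one line per entry and then `would misfire on: ['.wget-hsts']`: the `/dev/null` link is the only entry whose resolved path leaves the home tree, which is exactly what the `Disable /dev/null (requested /home/USER/.wget-hsts)` debug line in the comment shows happening inside the sandbox. The same check can be pointed at a real `$HOME` with the entries from a profile to confirm there is no such link before adopting the `chattr +i` workaround suggested below.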

@viq have you symlinked something in your HOME to /dev/null? Try firejail --debug

@rusty-snake Yes, I remember some issues when I had something in home linked to /dev/null. As a workaround you may try making the file/dir immutable with chattr +i <file> instead of linking it to /dev/null.

@Vincent43 already done ;)

@viq still an issue?

Going to close due to inactivity. @viq, if this is still an issue, please feel free to re-open.
