Firejail: Can't seem to stop .Xauthority or .asound from being created/copied

Created on 22 Jul 2019  路  7Comments  路  Source: netblue30/firejail

firejail 0.9.60

I would like to run shell scripts that don't require network, X11 or sound

firejail --x11=none --net=none --nosound --private=./ sh

All 7 comments

  1. --private=./ for what?
  2. firejail --x11=none --net=none --nosound ls -l .Xauthority should show you r-------- and owner: nobody => firejail --x11=none --net=none --nosound cat .Xauthority ends in Permission denied
  3. If you want that they don't exist, you need to use whitelist.
    EDIT:
    To deny access to .asound you need --blacklist=${HOME}/.asound.
rusty-snake picture rusty-snake on 22 Jul 2019

Hi

1 I need to block any writing to filesystem except for the current directory and /tmp. --chroot seems to want the cwd to be owned by root.

2 The current directory is a build directory whch will be synced with a git repo after each shell script has been tested, so I don't want any extra files created.

I have tried to whitelist them but it makes no difference:

whitelist ${HOME}/.asoundrc
whitelist ${HOME}/.Xauthority

in both default.profile and whitelist-common.inc.

Thanks

EDIT

It seems --chroot wants a real chroot with /proc etc. anyway.

slackhead picture slackhead on 22 Jul 2019

Well, now I get you setup and intend.

I have tried to whitelist them but it makes no difference:

whitelisting the files you want, not the files you don't want. Anyway.

I need to block any writing to filesystem except for the current directory and /tmp.

--private=. will only protect ${HOME}.
You can use --read-only=PATH to mount PATH ro.

rusty-snake picture rusty-snake on 22 Jul 2019

@slackhead can you try firejail --x11=none --net=none --nosound --whitelist=${HOME}/GIT_REPO bash SCRIPT

rusty-snake picture rusty-snake on 22 Jul 2019

Thanks, that helps a lot. I have a couple of different ideas. This one blacklists /tmp too:

firejail \
  --shell=none \
  --net=none \
  --x11=none \
  --nosound \
  --blacklist=/tmp \
  --whitelist=`pwd` \
  --noprofile $@

I also will need to run some scripts as root and be able to use ccache. I think something like this should work if I set the ccache directory to a named overlay in /root/.firejail/sbo/odiff/root/.ccache

firejail \
--net=none \
--shell=none \
--nosound \
--x11=none \
--noprofile \
--read-only=`pwd` \
--overlay-named=sbo \
sh <script>

Hopefully that leaves only /tmp writeable, and I should be able to find /root/.firejail to see if anything tried write anywhere else.

slackhead picture slackhead on 22 Jul 2019

IMHO it would be "more right" to indeed not copy these files if there is a nosound or x11 none option.

smitsohu picture smitsohu on 26 Jul 2019
👍2

Should be fixed.

smitsohu picture smitsohu on 7 Aug 2019
🚀1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

nuxwin picture nuxwin  路  3Comments
Vincent43 picture Vincent43  路  3Comments
fl-chris picture fl-chris  路  4Comments
polyzen picture polyzen  路  4Comments
ghost picture ghost  路  3Comments