Firejail: /dev/fd symlink is missing when using private-dev

Created on 26 Jul 2019  路  5Comments  路  Source: netblue30/firejail

When enabling private-dev a symlink from /dev/fd -> /proc/self/fd is missing. It might be a good idea to just create it, e.g. bash uses it for process substitution.

enhancement
Source
picture simonfxr
👍1

Most helpful comment

OK, I'll add /dev/fd,stderr,stdin,stdout. These are symlinks to existing files in /proc.

I'll get rid of /dev/log, it makes sense only for running servers as root. The others are more problematic:

  • /dev/snd is the sound card, mainly used by ALSA - flatpak supports only pulseaudio
  • /dev/dri is the 3D acceleration
  • /dev/hidraw* - human interface device, it could be anything: mouse, keyboard, audio card...
  • /dev/usb - I think it is brought in by the hidraw devices above.
picture netblue30 on 1 Aug 2019
👍3

All 5 comments

We may consider re-examining private-dev contents in general. For example here's the difference between content exposed by firejail vs flatpak:

$ firejail --noprofile --private-dev bash
Warning: an existing sandbox was detected. bash will run without any additional sandboxing features
$ ls /dev
dri  full  hidraw0  hidraw1  hidraw2  hidraw3  hidraw4  hidraw5  log  null  ptmx  pts  random  shm  snd  tty  urandom  usb  zero

$ flatpak run org.freedesktop.Platform
[馃摝 org.freedesktop.Platform ~]$ ls /dev
console  core  fd  full  null  ptmx  pts  random  shm  stderr  stdin  stdout  tty  urandom  zero
Vincent43 picture Vincent43 on 26 Jul 2019
👍2

stderr, stdin, stdout will also be used in some scripts.

rusty-snake picture rusty-snake on 27 Jul 2019

OK, I'll add /dev/fd,stderr,stdin,stdout. These are symlinks to existing files in /proc.

I'll get rid of /dev/log, it makes sense only for running servers as root. The others are more problematic:

  • /dev/snd is the sound card, mainly used by ALSA - flatpak supports only pulseaudio
  • /dev/dri is the 3D acceleration
  • /dev/hidraw* - human interface device, it could be anything: mouse, keyboard, audio card...
  • /dev/usb - I think it is brought in by the hidraw devices above.
netblue30 picture netblue30 on 1 Aug 2019
👍3

To complete above /dev/snd can be removed with --nosound, /dev/dri by --no3d and /dev/hidraw* + /dev/usb by --nou2f.

Vincent43 picture Vincent43 on 1 Aug 2019
👍1

The original issue is fixed in f25e8d684659eb001407d3eaa58f90671acdd1a9

smitsohu picture smitsohu on 24 Feb 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

fl-chris picture fl-chris  路  4Comments
yourcelf picture yourcelf  路  4Comments
semente picture semente  路  4Comments
kmotoko picture kmotoko  路  3Comments
reinerh picture reinerh  路  3Comments