As the name says: I want to allow running binaries off ~/bin and its subdirectories, even in profiles with noexec ${HOME}.
Is there a way to achieve this? I have tried:
ignore apparmor
whitelist ${HOME}/bin
noblacklist ${HOME}/bin/torguard/torguard-bin
Example debug output:
Whitelisting /home/john/bin
732 721 259:4 /bin /home/john/bin rw,relatime master:55 - ext4 /dev/sda2 rw,attr2,inode64,noquota
mountid=732 fsname=/bin dir=/home/john/bin fstype=ext4
Mounting read-only /home/john/bin
Current directory: /home/john/bin/torguard
Child process initialized in 231.60 ms
/home/botto/bin/torguard/torguard-bin starting application
execvp argument 0: /home/john/bin/torguard/torguard-bin
Error: no suitable /home/john/bin/torguard/torguard-bin executable found
And here's the full profile:
# Persistent local customizations
include torguard.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.config/torguard
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
include disable-programs.inc
include disable-passwdmgr.inc
mkdir ${HOME}/.config/torguard
whitelist ${DOWNLOADS}
whitelist ${HOME}/.config/torguard
include whitelist-common.inc
include whitelist-var-common.inc
caps.drop all
netfilter
nodvd
nogroups
nonewprivs
noroot
notv
nou2f
protocol unix,inet,inet6,netlink
seccomp
shell none
disable-mnt
private-dev
private-tmp
noexec ${HOME}
Firejail version:
firejail version 0.9.58.2
Compile time support:
- AppArmor support is enabled
- AppImage support is enabled
- chroot support is enabled
- file and directory whitelisting support is enabled
- file transfer support is enabled
- networking support is enabled
- overlayfs support is enabled
- private-home support is enabled
- seccomp-bpf support is enabled
- user namespace support is enabled
- X11 sandboxing support is enabled
The only thing in my /etc/firejail/globals.local is:
apparmor
Everything else is on default values.
noexec is to disable the opportunity to run an executable in the dir and all its subdirs, sub-subdirs, and so on. Since there is no exec option in firejail you can't revert this for some subdirs. So you must use ignore noexec ${HOME}.
Because you have apparmor in your globals.local, I think that your system has AA.
Because AA has more powerful globbing, you could try it with this.
e.g. noexec ${HOME}/{**^bin}
I'm not using AA, so I can't help find the full rule for AA.
Thanks! Any plans to make this exec available? I assume I'm not the only one to need this.
And thanks a lot for your work.
You can achieve this with owner /{,run/firejail/mnt/oroot/}home/bin/** ix, in /etc/apparmor.d/local/firejail-local (or /etc/apparmor.d/local/firejail-default in debian).
After that run sudo apparmor_parser -r /etc/apparmor.d/firejail-default and replace ignore apparmor with ignore noexec ${HOME} in firejail profile.
I believe an exec rule can't be added because users could then remount arbitrary noexec dirs in their system.
EDIT: @rusty-snake right, fixed.
Suggestion: s/ignore noexec/ignore noexec ${HOME}/g
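The two points above (an `ignore` placed in the .local file suppresses the later `noexec ${HOME}` line because the .local is included at the top of the profile, and the bare `ignore noexec` form is too broad) are easy to get wrong by hand. The following is an added example, not code from the thread or from the firejail project: a small Python model of how firejail flattens includes and applies `ignore` (assumed here to be a prefix match on the unexpanded line, applied only to lines read after the directive), so you can check which directories end up noexec for a given profile plus .local before running the sandbox. The profile contents and the `/home/john` home are constructed sample input mirroring the thread; `noexec /tmp` is added only to show the difference between the two `ignore` forms.

```python
"""Model firejail profile resolution to see which directories stay noexec.

Assumptions (verify against your firejail version):
  * `include X` is flattened in place; a missing .local file is silently skipped.
  * `ignore <prefix>` drops every later line that starts with <prefix>, compared
    before ${HOME} expansion.
"""
import os
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample profile, reduced from the torguard profile in the thread.
# The .local include comes first, so an `ignore` there affects all later lines.
PROFILE_FILES: Dict[str, str] = {
    "torguard.profile": """\
include torguard.local
include globals.local
whitelist ${HOME}/.config/torguard
caps.drop all
seccomp
noexec ${HOME}
noexec /tmp
""",
    "globals.local": "apparmor\n",
}


def resolve(name: str, files: Dict[str, str], ignores: Optional[List[str]] = None,
            seen: Optional[Set[str]] = None) -> List[str]:
    """Flatten includes and apply `ignore` prefixes; returns the effective lines."""
    ignores = [] if ignores is None else ignores
    seen = set() if seen is None else seen
    out: List[str] = []
    if name in seen or name not in files:  # absent .local files are normal
        return out
    seen.add(name)
    for raw in files[name].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("include "):
            out += resolve(line[len("include "):].strip(), files, ignores, seen)
            continue
        if line.startswith("ignore "):
            ignores.append(line[len("ignore "):].strip())
            continue
        if any(line.startswith(ig) for ig in ignores):
            continue
        out.append(line)
    return out


def noexec_dirs(lines: List[str], home: str) -> List[str]:
    """Directories that the effective profile mounts noexec, with ${HOME} expanded."""
    return [os.path.normpath(l[len("noexec "):].strip().replace("${HOME}", home))
            for l in lines if l.startswith("noexec ")]


def path_is_noexec(path: str, lines: List[str], home: str) -> bool:
    """True if the path is, or lies under, an effective noexec directory."""
    path = os.path.normpath(path)
    return any(path == d or path.startswith(d + os.sep)
               for d in noexec_dirs(lines, home))


def check(local_text: str, target: str, home: str = "/home/john") -> Tuple[bool, List[str]]:
    """Resolve the sample profile with the given torguard.local contents."""
    files = dict(PROFILE_FILES)
    files["torguard.local"] = local_text
    lines = resolve("torguard.profile", files)
    return path_is_noexec(target, lines, home), noexec_dirs(lines, home)


if __name__ == "__main__":
    binary = "/home/john/bin/torguard/torguard-bin"
    for local in ("", "whitelist ${HOME}/bin\n", "ignore noexec ${HOME}\n", "ignore noexec\n"):
        blocked, dirs = check(local, binary)
        print(f"{local.strip() or '(empty .local)':28} noexec={blocked}  dirs={dirs}")
```

Running it shows that `whitelist ${HOME}/bin` (the original attempt) changes nothing, that `ignore noexec ${HOME}` frees ~/bin while leaving /tmp noexec, and that the bare `ignore noexec` also strips the /tmp protection, which is why the specific form is the one to use.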
@pedrib I'm closing here due to inactivity, please feel free to reopen if you have more questions.
@rusty-snake @Vincent43 thanks, I ended up putting the stuff in /opt so that I could leave the noexec ${HOME} in place, but might change it as you suggested.
@rusty-snake I am having trouble running a script in $HOME/bin when using mpv. In mpv, I have a key bound to the script in input.conf, e.g. DEL run "/home/rieje/bin/mpv-testme". Without firejail, it runs fine. With firejail, running the script with the DEL key in mpv gives the error "Running subprocess failed: init" with the default profile. I then add "ignore noexec ${HOME}". I commented out "apparmor" (I'm using the stock kernel so it's not using the better integrated apparmor anyway) and it's the same.
Any ideas? I just want to allow this single script for mpv (or whatever is the best way to implement whitelisting a script in $HOME).
Additional info: I'm on latest version of Arch Linux with latest version of Firejail. With the default profile, mpv does not play any videos at all and does not show any errors in the terminal unless I disable seccomp, which I've done.
mpv does not play any videos at all and does not show any errors in the terminal unless I disable seccomp, which I've done.
AMD GPU? Try seccomp !kcmp (#3219).
Any ideas? I just want to allow this single script for mpv (or whatever is the best way to implement whitelisting a script in $HOME).
Is this an elf-binary or a bash, perl, ... script?
If it requires an interpreter, you need to allow it: use include allow-XXX.inc and add it to private-bin. Shell scripts likely need more programs in private-bin such as ls, awk, grep, ….
You may need to allow /bin/sh to start the script.
noblacklist ${PATH}/sh
private-bin sh
AMD GPU? Try seccomp !kcmp (#3219).
Yea, it's an AMD GPU and replacing seccomp with that works.
Is this a elf-binary or bash,perl,...-script?
Sorry yea, this is an sh script. It actually calls another simple sh script that uses notify-send, but for now to make things simple, I just want mpv to use /home/rieje/bin/mpv-testme, which is the single command notify-send testme. I now have private-bin env,mpv,python*,youtube-dl,bash,sh,notify-send,mpv-testme but the same issue occurs. I've also added:
noblacklist ${PATH}/sh
noblacklist /home/rieje/bin/mpv-testme
noblacklist /usr/bin/notify-send
but it seems to have no effect.
Too obvious for me, but $HOME is noexec. So try this mpv.local
ignore noexec ${HOME}
private-bin bash,sh,notify-send
# and for firejail 0.9.64 also
noblacklist ${PATH}/sh
noblacklist ${PATH}/bash
EDIT: Wait, you said that you add it. weird.