Running any program with firejail gives this error and exits:
[user@mycomputer ~]$ chromium
Reading profile /etc/firejail/chromium.profile
Reading profile /etc/firejail/chromium-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 3388, child pid 3389
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Error fstat: fs.c:486 fs_remount_simple: Permission denied
Error: proc 3388 cannot sync with peer: unexpected EOF
Peer 3389 unexpectedly exited with status 1
Nothing is in the journal. Tested it with firejail built from commit b1d54b042fba798fd54037c403bc188c6ffd9240, the commit directly before pull request #3268 was merged, and everything works fine.
Running on Arch with GNOME on Xorg. Running on a btrfs filesystem on the built-in RAID1 support. Maybe it is getting confused about my btrfs subvolumes?
My fstab is here:
https://paste.ubuntu.com/p/XVpR38cHZy/
My root btrfs subvolume (subvolid=5):
https://paste.ubuntu.com/p/8nmpWw3NDK/
Confirming with a much simpler setup (ext4 root + xfs home).
Could break it down to noexec ${RUNUSER} in disable-exec.inc.
firejail '--ignore=noexec ${RUNUSER}' true works.
read-only ${RUNUSER} is also affected.
Hm, that's an interesting error. Could you do me a favor and run
firejail --noprofile --noexec='${RUNUSER}' --debug
findmnt -R /run
and paste the output here? Thanks!
I don't seem to be affected (not sure whether that's a good thing). Running Arch on ext4 shows this for the commands @smitsohu suggested, perhaps it can help throw some light onto this.
STR:
sudo dnf install make
git clone --depth=1 https://github.com/netblue30/firejail.git
cd firejail
./configure --prefix=/usr
make
sudo make install
firejail --profile=/etc/firejail/disable-exec.inc true
firejail --noprofile --noexec='${RUNUSER}' --debug
Autoselecting /bin/bash as shell
Command name #/bin/bash#
DISPLAY=:0 parsed as 0
Using the local network stack
Parent pid 40918, child pid 40919
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
IBUS_ADDRESS=unix:abstract=/tmp/ibus/dbus-CcwCj4dw,guid=85cfdff6cbcb0cd610b20f635e6cc5b7
IBUS_DAEMON_PID=1677
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
572 405 253:0 /etc /etc ro,relatime master:1 - ext4 /dev/mapper/live-rw rw,seclabel
mountid=572 fsname=/etc dir=/etc fstype=ext4
Mounting noexec /etc
573 572 253:0 /etc /etc ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/live-rw rw,seclabel
mountid=573 fsname=/etc dir=/etc fstype=ext4
Mounting read-only /var
576 574 0:37 / /var/tmp rw,relatime master:45 - tmpfs vartmp rw,seclabel
mountid=576 fsname=/ dir=/var/tmp fstype=tmpfs
Mounting read-only /var/lib/nfs/rpc_pipefs
577 575 0:29 / /var/lib/nfs/rpc_pipefs ro,relatime master:2 - rpc_pipefs rpc_pipefs rw
mountid=577 fsname=/ dir=/var/lib/nfs/rpc_pipefs fstype=rpc_pipefs
Mounting read-only /var/tmp
578 576 0:37 / /var/tmp ro,relatime master:45 - tmpfs vartmp rw,seclabel
mountid=578 fsname=/ dir=/var/tmp fstype=tmpfs
Mounting noexec /var
583 582 0:37 / /var/tmp ro,relatime master:45 - tmpfs vartmp rw,seclabel
mountid=583 fsname=/ dir=/var/tmp fstype=tmpfs
Mounting noexec /var/lib/nfs/rpc_pipefs
584 581 0:29 / /var/lib/nfs/rpc_pipefs ro,nosuid,nodev,noexec,relatime master:2 - rpc_pipefs rpc_pipefs rw
mountid=584 fsname=/ dir=/var/lib/nfs/rpc_pipefs fstype=rpc_pipefs
Mounting noexec /var/tmp
585 583 0:37 / /var/tmp ro,nosuid,nodev,noexec,relatime master:45 - tmpfs vartmp rw,seclabel
mountid=585 fsname=/ dir=/var/tmp fstype=tmpfs
Mounting read-only /usr
586 405 253:0 /usr /usr ro,relatime master:1 - ext4 /dev/mapper/live-rw rw,seclabel
mountid=586 fsname=/usr dir=/usr fstype=ext4
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Cleaning /run/user directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /usr/lib/modules (requested /lib/modules)
Disable /usr/lib/debug
Disable /boot
Disable /dev/port
Disable /run/user/1000/gnupg
Disable /run/user/1000/systemd
Disable /dev/kmsg
Disable /proc/kmsg
Mounting noexec /run/user/1000
679 676 0:25 /firejail/firejail.ro.dir /run/user/1000/systemd rw,nosuid,nodev master:13 - tmpfs tmpfs rw,seclabel,mode=755
mountid=679 fsname=/firejail/firejail.ro.dir dir=/run/user/1000/systemd fstype=tmpfs
Error fstat: fs.c:486 fs_remount_simple: Permission denied
Error: proc 40918 cannot sync with peer: unexpected EOF
Peer 40919 unexpectedly exited with status 1
findmnt -R /run
TARGET SOURCE FSTYPE OPTIONS
/run tmpfs tmpfs rw,nosuid,nodev,seclabel,mode=755
├─/run/initramfs/live /dev/sr0 iso9660 ro,relatime,nojoliet,check=s,map=n,blocksize=2048
└─/run/user/1000 tmpfs tmpfs rw,nosuid,nodev,relatime,seclabel,size=203348k,mode=700,uid=1000,gid=1000
  └─/run/user/1000/gvfs gvfsd-fuse fuse.gvfsd-fuse rw,nosuid,nodev,relatime,user_id=1000,group_id=1000
@glitsj16 Thanks for the confirmation, I've used this patch for a couple of weeks, it's been fine for me as well so far.
@rusty-snake Does this work?
firejail --noprofile --blacklist='${RUNUSER}/gvfs' --noexec='${RUNUSER}'
Suspecting either FUSE or SELinux to be the culprit here. The problem is I'm temporarily in a situation where my machine is too weak to set up a VM :cry:
I guess I need to revert the merge.
@rusty-snake Does this work?
firejail --noprofile --blacklist='${RUNUSER}/gvfs' --noexec='${RUNUSER}'
Yes.
Suspecting either FUSE or SELinux to be the culprit here.
SELinux would create some logs.
The problem is I'm temporarily in a situation where my machine is too weak to set up a VM
IDK if it is helpful, but the live system (e.g. over USB) is enough.
Does this work?
firejail --noprofile --blacklist='${RUNUSER}/gvfs' --noexec='${RUNUSER}'
Yes.
Thanks. This is FUSE. I'll try to add a workaround.
Late to the party, but here you go:
firejail --noprofile --noexec='${RUNUSER}' --debug
@rusty-snake Does this work?
firejail --noprofile --blacklist='${RUNUSER}/gvfs' --noexec='${RUNUSER}'
This does not work for me.
[user@mycomputer ~]$ firejail --noprofile --blacklist='${RUNUSER}/gvfs' --noexec='${RUNUSER}'
Parent pid 3125, child pid 3126
Error fstat: fs.c:486 fs_remount_simple: Permission denied
Error: proc 3125 cannot sync with peer: unexpected EOF
Peer 3126 unexpectedly exited with status 1
Suspecting either FUSE or SELinux to be the culprit here.
I do not have SELinux installed/enabled on my system, although Apparmor is.
Can you try this.
firejail --noprofile --blacklist='${RUNUSER}/gvfs' --blacklist='${RUNUSER}/doc' --noexec='${RUNUSER}'
Can you try this.
firejail --noprofile --blacklist='${RUNUSER}/gvfs' --blacklist='${RUNUSER}/doc' --noexec='${RUNUSER}'
That worked.
[user@mycomputer ~]$ firejail --noprofile --blacklist='${RUNUSER}/gvfs' --blacklist='${RUNUSER}/doc' --noexec='${RUNUSER}'
Parent pid 3911, child pid 3912
Child process initialized in 10.54 ms
temporary workarounds ATM:
git checkout b1d54b042fba798fd54037c403bc188c6ffd9240
ignore noexec ${RUNUSER}
blacklist ${RUNUSER}/gvfs and other fuse mounts in ${RUNUSER}
Can confirm this is an issue in Debian 10 (kernel 5.4 series from backports).
For my case, firejail --blacklist='${RUNUSER}/gvfs' <program_name> is good enough...
Could someone confirm it is fixed in 3d35c039074cc11fbacf8de5bc8cb1a0952ceae4 ?
For the record: We can always open FUSE mounts with O_PATH, but we are not always allowed to call fstat on the obtained file descriptor.
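Added example, not firejail's own code: a small C probe that reproduces the distinction in the comment above (an O_PATH open that succeeds while fstat on the descriptor is refused) and classifies each path so a sandbox can skip such a mount instead of aborting its whole setup. The enum names and the probe_remount_target function are assumptions of this example; the EACCES-on-FUSE behaviour is the one this thread exercises.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#ifndef O_PATH
#define O_PATH 010000000   /* Linux asm-generic value, in case the header hides it */
#endif
enum probe_result {
    PROBE_OK = 0,           /* directory and fstat succeeded: safe to remount */
    PROBE_FSTAT_DENIED = 1, /* O_PATH open worked but fstat was refused */
    PROBE_NOT_DIR = 2,      /* exists but is a symlink, device or regular file */
    PROBE_OPEN_FAILED = -1  /* cannot be opened at all, errno in *err_out */
};
/* O_PATH|O_NOFOLLOW needs no read permission and never follows a symlink. A FUSE
 * mount owned by another uid (the default without allow_other) lets that open
 * succeed but refuses fstat with EACCES, the "Permission denied" in this thread. */
enum probe_result probe_remount_target(const char *path, int *err_out)
{
    struct stat st;
    int fd = open(path, O_PATH | O_NOFOLLOW);
    if (fd == -1) {
        if (err_out) *err_out = errno;
        return PROBE_OPEN_FAILED;
    }
    int rc = fstat(fd, &st), saved = errno;   /* keep fstat's errno across close() */
    close(fd);
    if (rc == -1) {
        if (err_out) *err_out = saved;
        return (saved == EACCES || saved == EPERM) ? PROBE_FSTAT_DENIED : PROBE_OPEN_FAILED;
    }
    return S_ISDIR(st.st_mode) ? PROBE_OK : PROBE_NOT_DIR;
}

/* Classify each path on the command line; a "skip" entry is one a sandbox should log and leave alone, not die on. */
int main(int argc, char **argv)
{
    static const char *label[] = { "remount", "skip: fstat refused", "not a directory" };
    for (int i = 1; i < argc; i++) {
        int err = 0;
        enum probe_result r = probe_remount_target(argv[i], &err);
        if (r == PROBE_OPEN_FAILED)
            printf("%-40s open failed: %s\n", argv[i], strerror(err));
        else
            printf("%-40s %s\n", argv[i], label[r]);
    }
    return 0;
}
```

Run as ./probe "$XDG_RUNTIME_DIR"/* from a uid other than the owner of the FUSE mounts (firejail's situation, since its setup runs with root privileges) and the gvfs or doc directory is reported as "skip: fstat refused". A skipped entry keeps whatever mount options it already has, so the skip is worth logging rather than silently passing over.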
Seems to work, at least so far! I opened up several programs, and even a steam game.
Thanks!
Thanks for the patience, everyone. I'm going to improve the fix at a later time (if someone else doesn't do it first).