Describe the bug
Running firejail --private firefox or simply firejail firefox ie fails with
Error: execute permission denied for /usr/local/bin/firefox
Error: no suitable firefox executable found
To Reproduce
firejail firefox
Parent is shutting down, bye...
Expected behavior
Firefox should start with a temporary filesystem.
Desktop (please complete the following information):
firejail --version
Compile time support:
- AppArmor support is disabled
- AppImage support is enabled
- chroot support is enabled
- file and directory whitelisting support is enabled
- file transfer support is enabled
- firetunnel support is enabled
- networking support is enabled
- overlayfs support is enabled
- private-home support is enabled
- seccomp-bpf support is enabled
- user namespace support is enabled
- X11 sandboxing support is enabled
Additional context
Running firefox works as expected. Mounting of filesystem also works.
Last lines of firejail --debug --private firefox
Searching $PATH for firefox
trying #/home/misterspoon/.cargo/bin/firefox#
trying #/home/misterspoon/.local/bin/firefox#
trying #/usr/local/bin/firefox#
Error: execute permission denied for /usr/local/bin/firefox
Installing /run/firejail/mnt/seccomp/seccomp seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter
Error: no suitable firefox executable found
monitoring pid 19
Sandbox monitor: waitpid 19 retval 19 status 256
If this is expected behavior:
What is the new recommended way to start --private or --private=DIR firejail instances?
firejail --noprofile firefox runs with the expected output
Parent pid 85355, child pid 85356
Child process initialized in 2.75 ms
Warning: an existing sandbox was detected. /usr/bin/firefox will run without any additional sandboxing features
@matu3ba FWIW I have firefox-esr on Debian 10 and unfortunately can't reproduce - does this happen for other programs too or just firefox?
My output for comparison:
fred@theupsidedown ~ firejail --private /usr/bin/firefox-esr
Reading profile /etc/firejail/firefox-esr.profile
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 29221, child pid 29222
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: not remounting /run/user/1000/gvfs
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Child process initialized in 102.95 ms
EDIT: a few more questions
whereis firefox?
firecfg? If not sure, check the output of firecfg --list
I wonder if perhaps there's an issue/conflict with firejail and firecfg if firejail is installed to /usr/local/bin as seems to be the case here.
Edit 2: try firejail --private /usr/bin/firefox
It looks like you have used firecfg so firefox would be starting in firejail automatically - so firejail --private firefox is calling firejail --private on an already-firejailed firefox (i.e. attempting to double-sandbox). Hence the issues.
Probably someone else can explain it better than me though..
firejail --private /usr/bin/firefox works. Thanks.
Are double-sandboxes now forbidden?
Then the output (expecting users to give the absolute path) could be handled better for users than
Error: execute permission denied for /usr/local/bin/firefox
Error: no suitable firefox executable found
whereis firefox
firefox: /usr/bin/firefox /usr/lib/firefox /usr/local/bin/firefox
firecfg --list | grep firefox
/usr/local/bin/firefox
Are double-sandboxes now forbidden?
Forbidden no, but it sure isn't advised to run firejail like that. If you do, either applications will fail to start, or end up being executed in a sandbox environment that isn't designed for them. In other words, expect breakage just about everywhere.
I wonder if perhaps there's an issue/conflict with firejail and firecfg if firejail is installed to /usr/local/bin as seems to be the case here.
@Fred-Barclay It sure looks that way. But that doesn't explain why all the firejail files ended up under /usr/local. @matu3ba Did you install firejail from git manually by any chance? I don't think there's an official Manjaro repository that carries firejail 0.9.63. If you show us your PKGBUILD, we can help to un-confuse your setup.
Are double-sandboxes now forbidden?
Forbidden no, but it sure isn't advised to run firejail like that. If you do, either applications will fail to start, or end up being executed in a sandbox environment that isn't designed for them. In other words, expect breakage just about everywhere.
This contradicts or is unclear regarding advisory from the usage section of the blog.
I wonder if perhaps there's an issue/conflict with firejail and firecfg if firejail is installed to /usr/local/bin as seems to be the case here.
@Fred-Barclay It sure looks that way. But that doesn't explain why all the firejail files ended up under /usr/local. @matu3ba Did you install firejail from git manually by any chance? I don't think there's an official Manjaro repository that carries firejail 0.9.63. If you show us your PKGBUILD, we can help to un-confuse your setup.
Yes, I do use the latest git master. The bug report template should ask this.
Yes, I do use the latest git master.
Thanks for clearing that up. If you didn't use the --prefix=/usr flag, I suggest you do (see the firejail-git PKGBUILD on AUR for example). On a side-note, if you're going to use firejail from git, it is not uncommon to rebuild several times a day. A compiler cache like ccache can speed things up quite a bit for such a workflow, just a tip.
After taking care of all that and reinstalling firejail, you might as well reset all the symlinks firecfg has put in /usr/local/bin too:
$ sudo firecfg --clean
$ sudo firecfg
Or alternatively use the python script @rusty-snake offered in #2624. When all that is done you _should_ now see expected behaviour when running firejail firefox from the command line and bring some regained sanity to your system.
FYI: I use a script to compile and install firejail. Customize as you want.
```bash
#!/bin/bash
# Copyright © 2020 rusty-snake
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
set -e

# ./configure options, one per line: uncomment what you need. They are kept
# in an array so that a commented-out line cannot cut the command short, which
# is what happens with "\" line continuations followed by "#" lines.
CONFIGURE_OPTS=(
    --prefix=/usr
    # --enable-selinux
    # --enable-apparmor
    # --disable-chroot
    # --disable-file-transfer
    # --disable-firetunnel
    # --disable-network
    # --disable-overlayfs
    # --disable-private-home
    # --disable-seccomp
    # --disable-userns
    # --disable-whitelist
    # --disable-x11
)
./configure "${CONFIGURE_OPTS[@]}"
make
# sudo make install-strip -- broken for me
sudo make install

# Use pre/post-globals.local: in every installed profile, replace
# "include globals.local" with "include pre-globals.local" and append
# "include post-globals.local" at the end of that file.
# Needs gawk: -i inplace and ENDFILE are gawk extensions.
sudo gawk -i inplace '
{
    if ($0 == "include globals.local") {
        has_globals = 1
        print "include pre-globals.local"
    } else {
        print
    }
}
ENDFILE {
    if (has_globals)
        print "\ninclude post-globals.local"
    has_globals = 0
}
' /etc/firejail/*.profile

echo "Appending the following to /etc/firejail/firejail.config for hardening ..."
cat << EOF | sudo tee -a /etc/firejail/firejail.config
#############
# Hardening #
#############
# Deny apparmor
#apparmor no
# Deny bind
#bind no
# Deny cgroup
#cgroup no
# Deny chroot
#chroot no
# Force disable-mnt
#disable-mnt yes
# Disable file transfer
#file-transfer no
# Force nonewprivs
force-nonewprivs yes
# Deny join
#join no
# Deny name
#name-change no
# Deny net netfilter and interface
#network no
# Deny overlayfs
#overlayfs no
# Deny private-home
#private-home no
# Deny private-cache
#private-cache no
# Deny private-lib
#private-lib no
# Restrict network features to root only
restricted-network yes
# Deny seccomp
#seccomp no
# Deny noroot
#userns no
# Deny whitelist
#whitelist no
# Deny x11
#x11 no
EOF
```
Yes, I do use the latest git master.
Thanks for clearing that up. If you didn't use the --prefix=/usr flag, I suggest you do (see the firejail-git PKGBUILD on AUR for example). On a side-note, if you're going to use firejail from git, it is not uncommon to rebuild several times a day. A compiler cache like ccache can speed things up quite a bit for such a workflow, just a tip.
Configured with: /build/gcc/src/gcc/configure --prefix=/usr --libdir=/usr/lib --libexecdir=/usr/lib --mandir=/usr/share/man --infodir=/usr/share/info --with-pkgversion='Arch Linux 9.3.0-1' --with-bugurl=https://bugs.archlinux.org/ --enable-languages=c,c++,ada,fortran,go,lto,objc,obj-c++,d --enable-shared --enable-threads=posix --with-system-zlib --with-isl --enable-__cxa_atexit --disable-libunwind-exceptions --enable-clocale=gnu --disable-libstdcxx-pch --disable-libssp --enable-gnu-unique-object --enable-linker-build-id --enable-lto --enable-plugin --enable-install-libiberty --with-linker-hash-style=gnu --enable-gnu-indirect-function --enable-multilib --disable-werror --enable-checking=release --enable-default-pie --enable-default-ssp --enable-cet=auto gdc_include_dir=/usr/include/dlang/gdc
After taking care of all that and reinstalling firejail, you might as well reset all the symlinks firecfg has put in /usr/local/bin too:
$ sudo firecfg --clean
$ sudo firecfg
Or alternatively use the python script @rusty-snake offered in #2624. When all that is done you _should_ now see expected behaviour when running firejail firefox from the command line and bring some regained sanity to your system.
Removing firejail with sudo make uninstall and building with AUR yields the exact same error on running firejail --private firefox.
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Child process initialized in 108.65 ms
Error: execute permission denied for /usr/local/bin/firefox
Error: no suitable firefox executable found
Can you reproduce? If this is intended not to work, it should be documented or, better, appropriate user feedback should be given.
@rusty-snake @glitsj16 Thanks for the build setup recommendations though. Since the AUR is more easily usable for me I tried that one and found no difference.
@rusty-snake Your script looks very nice for digging into options.
on debian stable:
```
$ firejail firefox
[...]
Error: execute permission denied for /usr/local/bin/firefox
Error: no suitable firefox executable found
```
It works fine if I remove "shell none" from the profile or if I provide a full path:
```
firejail --ignore=shell firefox
firejail /usr/bin/firefox
```
@netblue30
Yes, but this behavior (of not allowing nested sandboxes) should be added to Desktop integration in the README.md.
And in the best case for users from distributions an according output should be given.
As a workaround you can remove /usr/local/bin from $PATH (in the sandbox).
Since this worked before and users may depend on this behavior, the solution options would be:
etc/firejail/firejail.config
@matu3ba This was all a bit confusing at first, but this should fix the issue.
_ca6eec7 can be reverted_
In the past firejail has shown Warning: an existing sandbox was detected. /usr/bin/XXX will run without any additional sandboxing features when starting a firecfg symlink, but now it shows bash: /usr/local/bin/XXX: Permission denied. So I bisected this and found 0e85136b. The issue here is that gjs is in firecfg.config, therefore the first occurrence of gjs in ${PATH} is /usr/local/bin/gjs, which is a symlink to /usr/bin/firejail. The blacklist ${PATH}/gjs in 0e85136b will then blacklist /usr/bin/firejail.
As a workaround add noblacklist ${PATH}/gjs in firefox.local (and where else it is needed) or remove /usr/local/bin/gjs.
How do we want to fix this?
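The mechanism described above, as an added diagnostic that is not firejail's own code: it builds a throwaway directory tree with a fake firejail binary, a real firefox and firecfg-style symlinks (gjs, firefox) in usr/local/bin, then reports which candidates of a `blacklist ${PATH}/NAME` line resolve to the firejail binary and which entry a plain PATH lookup of firefox picks. It checks every PATH candidate, not only the first, so it also covers a symlink directory that sits later in PATH.

```shell
#!/bin/sh
# Added diagnostic, not firejail's own code: shows how a firecfg symlink in
# /usr/local/bin makes "blacklist ${PATH}/NAME" resolve to the firejail
# binary itself. Runs against a constructed temp tree, no root needed.
set -eu

# Print every existing DIR/NAME for the colon-separated DIRS, in PATH order:
# the candidates a "blacklist ${PATH}/NAME" profile line expands to.
path_candidates() (
    IFS=:
    for _d in $2; do
        [ -e "$_d/$1" ] && printf '%s\n' "$_d/$1"
    done
    true
)

# First match only: what "Searching $PATH for NAME" in the report picks up.
first_in_path() {
    path_candidates "$1" "$2" | head -n 1 | grep .
}

# True if CANDIDATE resolves (through symlinks) to FIREJAIL_BIN.
resolves_to_firejail() {
    [ "$(readlink -f "$1")" = "$(readlink -f "$2")" ]
}

# True if "blacklist ${PATH}/NAME" would blacklist the firejail binary via a
# firecfg symlink; prints each offending candidate. Args: NAME DIRS FIREJAIL_BIN
blacklist_hits_firejail() {
    _hit=1
    for _c in $(path_candidates "$1" "$2"); do
        if resolves_to_firejail "$_c" "$3"; then printf '%s\n' "$_c"; _hit=0; fi
    done
    return $_hit
}

# Constructed fixture mirroring the report: a fake firejail, a real firefox,
# and firecfg-style symlinks gjs and firefox in usr/local/bin -> firejail.
make_fixture() {
    _root=$(mktemp -d)
    mkdir -p "$_root/usr/bin" "$_root/usr/local/bin"
    printf '#!/bin/sh\necho firejail\n' > "$_root/usr/bin/firejail"
    printf '#!/bin/sh\necho firefox\n' > "$_root/usr/bin/firefox"
    chmod +x "$_root/usr/bin/firejail" "$_root/usr/bin/firefox"
    ln -s "$_root/usr/bin/firejail" "$_root/usr/local/bin/gjs"
    ln -s "$_root/usr/bin/firejail" "$_root/usr/local/bin/firefox"
    printf '%s\n' "$_root"
}

root=$(make_fixture)
sandbox_path="$root/usr/local/bin:$root/usr/bin"
for n in gjs firefox; do
    if hit=$(blacklist_hits_firejail "$n" "$sandbox_path" "$root/usr/bin/firejail"); then
        echo "blacklist \${PATH}/$n would blacklist the firejail binary via $hit"
    fi
done
echo "PATH lookup of firefox picks $(first_in_path firefox "$sandbox_path")"
rm -rf "$root"
```

Pointing `sandbox_path` at your real PATH and `firejail_bin` at the installed firejail turns this into a check for the same hazard on a live system.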
@rusty-snake Nice detective work. I didn't like taking out shell none in firefox-common.profile but wasn't aware at the time there was an alternative.
How do we want to fix this?
1. drop gjs from firecfg
2. drop blacklist gjs
3. skip firecfg-symlinks while searching ${PATH}
I would go with 1, drop gjs from firecfg. That seems to be the least invasive. I would prefer to keep Warning: an existing sandbox was detected. /usr/bin/XXX will run without any additional sandboxing features, as that is a valuable indication something is wrong in a user's firejail setup. Just me though...
@glitsj16 @rusty-snake I would prefer not removing stuff that contains programs and thus the third option.
In the message the additional sandboxing features sound a bit vague. Potential unsafe setting/option does sound better to me.
The warning could be adapted to:
Warning: Bypassing firecfg $firecfgPATH for loading $BINPATH with the according profile. See #issue
Almost forgot, I reverted https://github.com/netblue30/firejail/commit/ca6eec7dcf388c3d0bf52f54c56f7c957b8b777b. Can we close here?
@glitsj16 Tested your revert c6e77685d4744321d7e0f39b1332c383991bade6.
firejail --ignore=shell firefox works as expected, but firejail firefox and firejail --private firefox still fail.
It is a bit confusing that the naming in firefox-common.profile is different (shell none).
I have a benchmark running for 1.5 days and would need to restart to definitely confirm though.
Would be nice if the discussion starting with would be continued elsewhere or a decision were written.
It is a bit confusing that the naming in firefox-common.profile is different (shell none).
Using --ignore="shell none" should work just the same if that's less confusing for you. All --ignore specifications can be double-quoted like this BTW.
@matu3ba Did you remove the gjs symlink in /usr/local/bin? @rusty-snake's alternative assumes that to be non-existing, which is why it is now dropped from firecfg via https://github.com/netblue30/firejail/commit/2cbdc4399a2a98ee6822ea2512eaaee0c39dac5b. At least that's my understanding of the discussion here.
Would be nice if the discussion starting with would be continued elsewhere or a decision were written.
Why move it? We're dealing with it right here :-)
@matu3ba Did you remove the gjs symlink in /usr/local/bin? @rusty-snake's alternative assumes that to be non-existing, which is why it is now dropped from firecfg via 2cbdc43. At least that's my understanding of the discussion here.
Yes. Also I did move gjs.profile from /usr/local/etc/firejail, but it still has the error in commit c6e77685d4744321d7e0f39b1332c383991bade6. However I still want to restart tomorrow (due to driver updates after Kernel update), to be sure.
firejail firefox
...
Error: execute permission denied for /usr/local/bin/firefox
Error: no suitable firefox executable found
Funnily the hash also ends in bade6.
Would be nice if the discussion starting with would be continued elsewhere or a decision were written.
Why move it? We're dealing with it right here :-)
Ah. 👍
@glitsj16 Nope, still does not work on master (c6e77685d4744321d7e0f39b1332c383991bade6).
firejail --profile=firefox bash -c 'ls -l $(which firefox)'
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: not remounting /run/user/1000/gvfs
Warning: cleaning all supplementary groups
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Child process initialized in 327.11 ms
-rwxr-xr-x 1 nobody nobody 45 6. Apr 13:43 /usr/bin/firefox
If you use --debug, you get trying #/usr/local/bin/firefox#
Warning: an existing sandbox was detected. /usr/bin/firefox will run without any additional sandboxing features ?
firejail --debug firefox from commit e467bf5be33c8543cc20e9297ef09f878a68bb3a
No supplementary groups
Child process initialized in 331.74 ms
starting application
LD_PRELOAD=(null)
execvp argument 0: firefox
Error: execute permission denied for /usr/local/bin/firefox
Error: no suitable firefox executable found
Searching $PATH for firefox
trying #/home/user/.cargo/bin/firefox#
trying #/home/user/.local/bin/firefox#
trying #/usr/local/bin/firefox#
Installing /run/firejail/mnt/seccomp/seccomp seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter
Parent is shutting down, bye...
firejail --shell=none --debug firefox does not complain at all.
What I don't understand is why it does not emit Disable /usr/bin/firefox or similar. Should this not be emitted in --debug?
Also I don't see any Disable /usr/bin/* or alike on running grep -rn "/usr/bin/*" etc.
What I don't understand is why it does not emit Disable /usr/bin/firefox or similar. Should this not be emitted in --debug?
Why should it disable firefox?
What I don't understand is why it does not emit Disable /usr/bin/firefox or similar. Should this not be emitted in --debug?
Why should it disable firefox?
Sorry, that was wrong. It should disable /usr/bin depending on the use case.
Why do you want to blacklist /usr/bin?
I don't like the idea that some other broken program may be altered to rsync my data over the web.
You can use blacklist ${PATH}/rsync to blacklist rsync if you want. In addition you can use private-bin to restrict the available programs to a whitelisted minimum. (An attacker still can have its own rsync).
Fixed in e4249dec74a83b6564d9dda19ed069ee438cf4b0 ?
@smitsohu Indeed fixed with commit e4249de. Thanks for pointing that out.