FireJail - Linux sandbox

Discussion in 'all things UNIX' started by Gitmo East, Oct 16, 2014.

  1. sthmptn

    sthmptn Registered Member

    Joined:
    Jul 20, 2009
    Posts:
    44
    Here you are:

     
  2. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,840
    @sthmptn : Just to clarify: without Firejail you are able to read and create/write files in /files?

    What's the output of groups ?
     
  3. sthmptn

    sthmptn Registered Member

    Joined:
    Jul 20, 2009
    Posts:
    44
    Yes, that's correct; as soon as I issue 'firecfg --clean', I can read/write etc from this directory via LibreOffice. One thing to note is that even with Firejail active, I can still use programs such as Geany and KeepassXC sandboxed - I can read/write txt files etc via Geany and update a Keepass database on files. So this issue only /appears/ to be limited to LibreOffice (possibly the LibreOffice Firejail config.. but then you don't have the problem :doubt:)

    Thanks
     
  4. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,840
    You can read/write files with those applications in your home directory - but in /files as well?
     
  5. sthmptn

    sthmptn Registered Member

    Joined:
    Jul 20, 2009
    Posts:
    44
    Hello, and thanks for continuing with this. I'm aware that this may not be solvable but I appreciate your efforts!

    To check other apps, I did the following:

    Installed geany and keepassxc.

    Issued sudo firecfg and confirmed apps are firejailed:

    Created a keepass database in home, restarted app, added an entry, restarted and confirmed entry was written to db.

    Did the same as above for /files directory.

    Created txt files in Geany at both home and /files, saved, and confirmed editing is possible in both locations.

     
  6. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,840
    @sthmptn : I have a suspicion: Can you write to /files with the firejailed LibreOffice if you add ignore apparmor to its profile?

    Background: The geany profile doesn't contain the apparmor rule - but the LibreOffice profile does. Which means that it uses /etc/apparmor.d/firejail-default. And that one contains the following rule:
    Code:
    # Allow write access to paths writable in firejail which aren't used for
    # executing programs. /run, /proc and /sys are handled separately.
    # Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes.
    ##########
    /{,run/firejail/mnt/oroot/}{dev,etc,home,media,mnt,root,srv,tmp,var}/** w,
    which doesn't include /files.
     
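    The write rule quoted above, emulated in a small shell function so the effect on a path can be checked offline (an added example, not from the thread or from Firejail's own AppArmor profile). The directory list is passed as an argument, so the same check is run once with the default list and once with a constructed variant that has `files` appended.

```shell
#!/bin/sh
# Added example (not from the thread or Firejail's own profile): emulate the
# write rule from /etc/apparmor.d/firejail-default quoted above,
#   /{,run/firejail/mnt/oroot/}{dev,etc,home,media,mnt,root,srv,tmp,var}/** w,
# and answer whether a write to a given path would be allowed by it.

# Usage: fj_write_allowed "<top-level dirs>" /some/path ; exit 0 = allowed
fj_write_allowed() {
    dirs=$1
    path=$2
    for top in $dirs; do
        case $path in
            # "**" matches any depth below the directory, both under the real
            # root and under an --overlay root at /run/firejail/mnt/oroot
            /"$top"/*|/run/firejail/mnt/oroot/"$top"/*) return 0 ;;
        esac
    done
    return 1        # no listed directory is a parent of the path: denied
}

# One-line verdict for a path under a given directory list
fj_report() {
    if fj_write_allowed "$1" "$2"; then
        echo "allowed  $2"
    else
        echo "DENIED   $2"
    fi
}

# Directory list exactly as it appears in the default rule
DEFAULT_DIRS="dev etc home media mnt root srv tmp var"
# Constructed variant with a custom top-level directory appended
EXTENDED_DIRS="$DEFAULT_DIRS files"

for p in /home/user/Documents/report.odt /tmp/lu12345.tmp \
         /run/firejail/mnt/oroot/home/user/report.odt \
         /files/report.odt /opt/report.odt; do
    fj_report "$DEFAULT_DIRS" "$p"
done
echo "--- with files added to the list ---"
fj_report "$EXTENDED_DIRS" /files/report.odt
```

    This models only the one write rule; the rest of the AppArmor profile and Firejail's own blacklist/private-directory options still apply on a real system.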
  7. sthmptn

    sthmptn Registered Member

    Joined:
    Jul 20, 2009
    Posts:
    44
    hmm. Maybe I've misinterpreted your instructions?

    Code:
    $ cd ~
    $ mkdir -p .config/firejail
    $ cd .config/firejail
    $ cp /etc/firejail/libreoffice.profile libreoffice.profile
    $ nano ~/.config/firejail/libreoffice.profile
    :: added to the end of the file: ignore apparmor
    $ sudo firecfg
    
    Below is the dialog box that appears when attempting to open the existing file.

    As soon as I run sudo firecfg --clean, the file opens without errors/dialog.

    [attached screenshot: upload_2020-5-26_15-11-30.png]

    And this is when trying to save a new document to /files (with Firejail enabled) - in case you were wondering about the "document in use" notification - this file has not been saved yet.

    [attached screenshot: upload_2020-5-26_15-19-23.png]
     
    Last edited: May 26, 2020 at 10:21 AM
  8. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,840
    The easiest way is that you delete ~/.config/firejail/libreoffice.profile and create a file libreoffice.local in that directory with just one entry: ignore apparmor

    EDIT: Of course, you could also simply comment apparmor in ~/.config/firejail/libreoffice.profile. But creating a .local file is simply easier in order to add or change rules in the upstream profile in /etc/firejail.

    EDIT2: See also these instructions.
     
    Last edited: May 26, 2020 at 11:03 AM
  9. sthmptn

    sthmptn Registered Member

    Joined:
    Jul 20, 2009
    Posts:
    44
    Hey, I was going to post last night when retesting but ran out of time.

    Good news! The instructions to remove existing and recreate a 'local' profile were successful. I tested in the VM and have no read/write problems within the directories.

    Code:
    $ rm .config/firejail/libreoffice.profile
    $ cd .config/firejail && echo ignore apparmor >> libreoffice.local
    
    BTW, I find the .local system much cleaner than recreating and editing the whole profile so thanks for that tip.

    Also, the link was informative; running firejail --noprofile libreoffice allowed me to use LibreOffice without having to remove any Firejail configs (good for testing).

    Unfortunately my main system is still locking up whenever I try to add that local profile or even run with --noprofile. I can drop to the console via ctrl-alt+f2 but can't kill the processes and have to hard reset; the DE is just frozen with LibreOffice splashscreen. I'm going to start adding to the test VM to see what part of my set up causes this.

    Thank you ever so much for your help in solving this issue: Debian Buster > Apparmor > LibreOffice > Firejail = :sick:
     
  10. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,840
    Good! So it's confirmed that /etc/apparmor.d/firejail-default was the culprit. I should have thought about that earlier - my apologies.

    Yes, indeed. Btw., the reason why your first attempt didn't work was because an ignore ... rule must be located above the rule to be ignored in the respective profile. As the ...local files are included at the top of each profile this makes sure that the rules therein take precedence.

    Regarding ignore apparmor: You can keep this modification, of course. However, that means that this additional protection will not be used in the LibreOffice profile. So a better alternative would be:
    1. In the file /etc/apparmor.d/local/firejail-local (which will not get overwritten by Firejail updates) you should add the rule
    Code:
    /{,run/firejail/mnt/oroot/}{dev,etc,home,media,mnt,root,srv,tmp,var,files}/** w,
    2. Consequence: Every firejailed application is now allowed to write to /files. If you don't want that I suggest to create the file ~/.config/firejail/globals.local and add the rule blacklist /files which effectively nullifies the change in 1. In order to make an exception for LibreOffice you just have to add noblacklist /files to libreoffice.local (and remove ignore apparmor).

    Or alternatively by executing it with the full path /usr/bin/libreoffice as this bypasses the respective symlink in /usr/local/bin.

    This is very weird, indeed. Have you searched in the logs by executing, e.g., journalctl -e | grep libreoffice or something like journalctl -e | grep -e failed -e Failed -e error -e Error -e ERROR -e DENIED -e denied -e failure -e Failure -e exception -e Exception when this happens?

    You're welcome :)
     
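    The ordering rule explained in the post above, shown with a small emulation of how a profile is read top to bottom (an added example, not from the thread or from Firejail itself). It assumes a simplified reader: `include NAME` pulls in NAME from the same directory if it exists, and `ignore WORD` drops every later line whose first word is WORD; the profile content is constructed, not the real libreoffice.profile.

```shell
#!/bin/sh
# Added example (not from the thread or Firejail itself): emulate how a profile
# is read top to bottom so the ordering rule for "ignore" can be seen.
# Simplifications assumed here: "include NAME" pulls in NAME from the same
# directory if it exists, and "ignore WORD" drops every later line whose
# first word is WORD (real Firejail matches on more than the first word).
set -f   # no globbing while splitting profile lines into words

# Walk one profile file; $ignored is shared across includes on purpose
fj_walk() {
    [ -f "$1" ] || return 0
    while IFS= read -r line; do
        set -- $line
        case $1 in
            ''|'#'*) ;;                              # blank or comment
            include) fj_walk "$dir/$2" ;;            # e.g. the .local file
            ignore)  ignored="$ignored $2" ;;        # remember what to drop
            *) case " $ignored " in
                   *" $1 "*) ;;                      # dropped by an earlier ignore
                   *) printf '%s\n' "$line" ;;       # still in effect
               esac ;;
        esac
    done < "$1"
}

# Print the effective rules of profile $2 under directory $1
fj_effective() { dir=$1; ignored=""; fj_walk "$dir/$2"; }

# True when "apparmor" survives in profile $1 (under $work)
fj_has_apparmor() { fj_effective "$work" "$1" | grep -qx apparmor; }

work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
# Constructed stand-in for /etc/firejail/libreoffice.profile: the .local
# include sits at the top and the apparmor rule below it, as upstream does
cat > "$work/libreoffice.profile" <<'EOF'
include libreoffice.local
noblacklist ${HOME}/.config/libreoffice
apparmor
private-dev
EOF

# First attempt from the thread: full copy with "ignore apparmor" appended
cp "$work/libreoffice.profile" "$work/copied.profile"
echo "ignore apparmor" >> "$work/copied.profile"
fj_has_apparmor copied.profile && echo "appended ignore: apparmor still active"

# Second attempt: the same line in libreoffice.local, included at the top
echo "ignore apparmor" > "$work/libreoffice.local"
fj_has_apparmor libreoffice.profile || echo "ignore in .local: apparmor dropped"
```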
  11. sthmptn

    sthmptn Registered Member

    Joined:
    Jul 20, 2009
    Posts:
    44
    Thanks for the additional information above. Once fixed, I'm going to add the apparmor rules as you suggest - happy for that location to be writable as it's archived to another location/device in any case.

    I found a thread (firejail forum) where users are having similar issues starting LibreOffice and someone also mentions the error I was getting when it did start, i.e. read-only access.

    https://github.com/netblue30/firejail/issues/1703

    I realise that my issue is specifically related to a directory outside of home and we've found the culprit but thought it may be useful info if anyone else having issues reads this. I came across this while searching for "Blacklist violations are logged to syslog", which is in my logs when starting LO from the console.

    As I get time, I'm going to go through the profile and gradually uncomment out all the options to see if I can start LO when firejailed.

    I'll update if I can find anything useful.
     