
No access to /tmp if blacklisted paths symlink to it #5338

Closed
birdie-github opened this issue Aug 23, 2022 · 12 comments
Labels
notabug The behavior is as intended or the issue was caused by user error or by an old version workaround Document workarounds for bugs we can't figure out

Comments

@birdie-github

birdie-github commented Aug 23, 2022

firejail-0.9.66-3.fc36.x86_64

Relevant debug strings:

[birdie@localhost ~]$ firejail --debug
Mounting tmpfs on /run/firejail/mnt directory
631 630 0:24 / /var/tmp rw,nosuid,nodev,relatime master:30 - tmpfs tmpfs rw,seclabel
mountid=631 fsname=/ dir=/var/tmp fstype=tmpfs
Mounting read-only /var/tmp
632 631 0:24 / /var/tmp ro,nosuid,nodev,relatime master:30 - tmpfs tmpfs rw,seclabel
mountid=632 fsname=/ dir=/var/tmp fstype=tmpfs
635 634 0:24 / /var/tmp ro,nosuid,nodev,relatime master:30 - tmpfs tmpfs rw,seclabel
mountid=635 fsname=/ dir=/var/tmp fstype=tmpfs
Mounting noexec /var/tmp
636 635 0:24 / /var/tmp ro,nosuid,nodev,noexec,relatime master:30 - tmpfs tmpfs rw,seclabel
mountid=636 fsname=/ dir=/var/tmp fstype=tmpfs
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /var/lib/nginx
Create the new utmp file
Mount the new utmp file
Relabeling /run/user as /run/user (system_u:object_r:user_tmp_t:s0)
Relabeling /run/user/1000 as /run/user/1000 (unconfined_u:object_r:user_tmp_t:s0)
Disable /tmp/ssh-XXXXXXsy8kyQ
Disable /tmp/.mozilla.ram (requested /home/birdie/.mozilla)
Disable /tmp (requested /home/birdie/.cache/mozilla)
Disable /tmp (requested /home/birdie/.cache/thunderbird)
1045 625 0:30 /pulse /run/firejail/mnt/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,seclabel,mode=755
mountid=1045 fsname=/pulse dir=/run/firejail/mnt/pulse fstype=tmpfs
1046 770 0:30 /pulse /home/birdie/.config/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,seclabel,mode=755
mountid=1046 fsname=/pulse dir=/home/birdie/.config/pulse fstype=tmpfs
1049 625 0:30 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,seclabel,mode=755
mountid=1049 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs

[birdie@localhost ~]$ ls -la /tmp
ls: cannot open directory '/tmp': Permission denied

[birdie@localhost ~]$ ls -l / | grep tmp
dr--------.   2 nobody nobody    40 Aug 23 14:51 tmp

This is Fedora 36 with a custom kernel.

mount | grep " /tmp"
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,relatime,seclabel)

I am confused. The documentation makes it look like /tmp must be available.

@birdie-github
Author

--noprofile with or without --private-tmp works:

[birdie@localhost ~]$ firejail --noprofile --private-tmp
Parent pid 308522, child pid 308523
Child process initialized in 4.17 ms
[birdie@localhost ~]$ ls -la /tmp
total 4
drwxrwxrwt.  3 root root   60 Aug 23 16:45 .
dr-xr-xr-x. 20 root root 4096 Aug 23 15:41 ..
drwxrwxrwt.  2 root root   60 Aug 23 09:13 .X11-unix

@kmk3
Collaborator

kmk3 commented Aug 23, 2022

@birdie-github commented on Aug 23:

firejail-0.9.66-3.fc36.x86_64

That version is from over a year ago and is unsupported by us:

Does it happen with 0.9.70 or with the version from master?

Relevant debug strings:

[birdie@localhost ~]$ firejail --debug
[...]
[birdie@localhost ~]$ ls -la /tmp
ls: cannot open directory '/tmp': Permission denied

[birdie@localhost ~]$ ls -l / | grep tmp
dr--------.   2 nobody nobody    40 Aug 23 14:51 tmp

This is Fedora 36 with a custom kernel.

I cannot reproduce this on Artix with the current master:

$ firejail --quiet --profile=default ls -la /tmp >/dev/null; echo $?
0

@kmk3 kmk3 added the needinfo More information is needed from the issue author label Aug 23, 2022
@birdie-github
Author

I've compiled version 0.9.70, the issue persists:

$ firejail --debug ls -la /tmp

Building quoted command line: 'ls' '-la' '/tmp' 
847 846 0:24 / /var/tmp rw,nosuid,nodev,relatime master:30 - tmpfs tmpfs rw,seclabel
mountid=847 fsname=/ dir=/var/tmp fstype=tmpfs
Mounting read-only /var/tmp
848 847 0:24 / /var/tmp ro,nosuid,nodev,relatime master:30 - tmpfs tmpfs rw,seclabel
mountid=848 fsname=/ dir=/var/tmp fstype=tmpfs
851 850 0:24 / /var/tmp ro,nosuid,nodev,relatime master:30 - tmpfs tmpfs rw,seclabel
mountid=851 fsname=/ dir=/var/tmp fstype=tmpfs
Mounting noexec /var/tmp
852 851 0:24 / /var/tmp ro,nosuid,nodev,noexec,relatime master:30 - tmpfs tmpfs rw,seclabel
mountid=852 fsname=/ dir=/var/tmp fstype=tmpfs
Mounting tmpfs on /var/tmp
Disable /tmp/ssh-XXXXXXsy8kyQ
Disable /tmp (requested /home/birdie/.cache/mozilla)
Disable /tmp (requested /home/birdie/.cache/thunderbird)
Warning (blacklisting): cannot open /tmp/.wine-*: Permission denied
Warning (blacklisting): cannot open /tmp/akonadi-*: Permission denied
Creating empty /run/firejail/mnt/dns-etc/tmpfiles.d directory
Running 'ls' '-la' '/tmp'  command through /bin/bash
execvp argument 2: 'ls' '-la' '/tmp' 
ls: cannot open directory '/tmp': Permission denied

@kmk3 kmk3 removed the needinfo More information is needed from the issue author label Aug 24, 2022
@rusty-snake
Collaborator

rusty-snake commented Aug 28, 2022

Disable /tmp (requested /home/birdie/.cache/mozilla)
Disable /tmp (requested /home/birdie/.cache/thunderbird)

Remove these symlinks.

${HOME}/.cache/{mozilla,thunderbird} are blacklisted by disable-programs.inc which is included in default.profile. And blacklist follows symlinks.

If you want them to be in a tmpfs, you can use firejail's private-cache feature or symlink them to somewhere in /tmp but not /tmp itself (which is risky anyway I guess) and have a look at systemd-tmpfiles.

@birdie-github
Author

Without these symlinks this issue is gone but I'd love to leave everything as is.

Looks like I'll be removing these two rules from /etc/firejail/disable-programs.inc. I don't particularly care if rogue applications could access my Firefox/Thunderbird cache directories. I have disk cache completely disabled anyways and these two directories are almost empty.

@rusty-snake rusty-snake added the notabug The behavior is as intended or the issue was caused by user error or by an old version label Aug 28, 2022
@birdie-github
Author

birdie-github commented Aug 28, 2022

Still it would be great if firejail were a tad more verbose when it detects problems like this.

/tmp is such an integral part of Linux it must say something like,

Error: /etc/firejail/disable-programs.inc contains these two rules,
blacklist ${HOME}/.cache/mozilla
blacklist ${HOME}/.cache/thunderbird
which ultimately blacklist /tmp and make it inaccessible for programs.

The reason is we have detected
${HOME}/.cache/mozilla
${HOME}/.cache/thunderbird
which are symlinks to /tmp.

I guess it could be fixed in a few lines of code. Yes, this is verbose but it will spare a ton of time for users.

@rusty-snake
Collaborator

Firejail does what you ask it for:

  1. Please disable access to ~/.cache/mozilla
  2. Firejail finds a symlink that says that ~/.cache/mozilla is found at /tmp.
  3. Firejail disables /tmp

it must say something like,
...
I guess it could be fixed in a few lines of code. Yes, this is verbose but it will spare a ton of time for users.

We are already too complex. This should be added to firejail. If, we could develop a firelint program which analyzes profiles and gives recommendations.

/tmp is such an integral part of Linux it

This can be said about D-Bus, X11, ... as well.
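
A small lint script in the spirit of the firelint idea above, added here as an example and not part of firejail: it reads plain `blacklist` rules from a profile fragment, expands the `${HOME}` and `${RUNUSER}` macros, follows symlinks the same way blacklisting does (via `readlink -f`), and reports any rule that ends up at a directory the sandbox needs to keep usable. The function names `lint_blacklist` and `expand_macro` and the `PROTECTED` directory list are assumptions for this example.

```shell
#!/bin/sh
# Added example (not firejail code): flag blacklist rules whose path resolves,
# through symlinks, to a directory the sandbox must keep usable. This mirrors
# "blacklist follows symlinks" so the surprise shows up before the program is
# run instead of as "Permission denied" inside the sandbox.

# Directories that must never be reached by a blacklist rule (assumed list).
PROTECTED="/ /tmp /var/tmp /dev /proc /run /home"

# Expand the two macros used in the rules under discussion; other macros are
# left as-is and will simply fail to resolve below.
expand_macro() {
    p=$1
    home='${HOME}'
    runuser='${RUNUSER}'
    case "$p" in
        "$home"*)    p="${HOME}${p#"$home"}" ;;
        "$runuser"*) p="/run/user/$(id -u)${p#"$runuser"}" ;;
    esac
    printf '%s\n' "$p"
}

# lint_blacklist FILE
# Prints "<rule> -> <resolved path>" for each offending rule.
# Returns 0 when the file is clean, 1 when at least one rule is flagged.
lint_blacklist() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            "blacklist "*) rule=${line#blacklist } ;;
            *) continue ;;   # comments, include, noblacklist, ... are ignored
        esac
        path=$(expand_macro "$rule")
        # Resolve every symlink in the path; a path that cannot be resolved
        # (dangling or missing) cannot hit a protected directory, so skip it.
        target=$(readlink -f "$path" 2>/dev/null) || continue
        for dir in $PROTECTED; do
            if [ "$target" = "$(readlink -f "$dir")" ]; then
                printf '%s -> %s\n' "$rule" "$target"
                found=1
            fi
        done
    done < "$1"
    return $found
}

# Usage: lint_blacklist /etc/firejail/disable-programs.inc
# With ~/.cache/mozilla -> /tmp in place it prints
#   ${HOME}/.cache/mozilla -> /tmp
# and exits 1, which is exactly the case reported in this issue.
```

Run it against disable-programs.inc (and any `.local` overrides) before adding a symlink under a blacklisted path; a non-zero exit means one of the rules would take a whole system directory with it.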

@kmk3
Collaborator

kmk3 commented Aug 28, 2022

@birdie-github commented on Aug 28:

Without these symlinks this issue is gone but I'd love to leave everything as
is.

Note that there is also private-cache, which mounts a tmpfs directory at
~/.cache.

So it could be added to firefox-common.local and chromium-common.local.

Looks like I'll be removing these two rules from
/etc/firejail/disable-programs.inc. I don't particular care if rogue
applications could access my Firefox/Thunderbird cache directories. I have
disk cache completely disabled anyways and these two directories are almost
empty.

Does it work with disable-programs.inc as is + private-cache?

By the way, the rules can also be ignored by adding the following commands to
~/.config/firejail/disable-programs.local:

noblacklist ${HOME}/.cache/mozilla
noblacklist ${HOME}/.cache/thunderbird

@birdie-github
Author

By the way, the rules can also be ignored by adding the following commands to
~/.config/firejail/disable-programs.local:
noblacklist ${HOME}/.cache/mozilla
noblacklist ${HOME}/.cache/thunderbird

This works:

firejail ls -la /tmp &> /dev/null; echo $?
0

@kmk3 kmk3 changed the title No access to /tmp No access to /tmp if blacklisted paths symlink to it Aug 28, 2022
kmk3 added a commit to kmk3/firejail that referenced this issue Aug 29, 2022
Make it more explicit that they do and add an example for each command.

Relates to netblue30#5338.
@kmk3
Collaborator

kmk3 commented Aug 29, 2022

Note that there is also private-cache, which mounts a tmpfs directory at
~/.cache.

So it could be added to firefox-common.local and chromium-common.local.

I see now that /tmp is still blacklisted even with private-cache:

$ ln -s /tmp ~/.cache/tmp
$ firejail --quiet --noprofile --private-cache \
  --blacklist='${HOME}/.cache/tmp' ls /tmp >/dev/null; echo $?
ls: cannot open directory '/tmp': Permission denied
2

To avoid issues with /tmp, I'd suggest symlinking such a directory to a more
specific path, such as ${XDG_RUNTIME_DIR}/.cache/mozilla
(${XDG_RUNTIME_DIR} is also tmpfs on basically every distro AFAIK).

Note that the target directory usually does not even have to exist before
running the program (and definitely not if private-cache is used).

Example:

$ test -z "$XDG_RUNTIME_DIR" && XDG_RUNTIME_DIR="/run/user/$(id -u)"
$ ln -s "${XDG_RUNTIME_DIR}/.cache/foo" ~/.cache/foo
$ firejail --quiet --noprofile --private-cache \
  --blacklist='${HOME}/.cache/foo' ls /tmp >/dev/null; echo $?
0
$ firejail --quiet --noprofile --private-cache \
  --blacklist='${HOME}/.cache/foo' ls -l ~/.cache
total 0

And when using symlinks in this way, I'd also suggest blacklisting the target
paths (especially if not using private-cache). For example, by adding the
following to ~/.config/firejail/disable-programs.local:

blacklist ${RUNUSER}/.cache/mozilla
blacklist ${RUNUSER}/.cache/thunderbird

@rusty-snake
Collaborator

${XDG_RUNTIME_DIR} is also tmpfs on basically every distro AFAIK

Unlike /tmp it is required to be so IIRC.

@kmk3
Collaborator

kmk3 commented Sep 6, 2022

In summary, firejail is working as intended and a workaround for the reported
issue was provided.

Closing this since there hasn't been any more activity.

Feel free to post updates and to request to reopen if you have more questions.

@kmk3 kmk3 closed this as not planned Won't fix, can't repro, duplicate, stale Sep 6, 2022
@kmk3 kmk3 added the workaround Document workarounds for bugs we can't figure out label Sep 6, 2022