The `--force` flag isn't working within distrobox
neurodiverseEsoteric opened this issue · comments
I tried running `firejail --force ---private librewolf` inside a distrobox of archlinux on a fedora-based distro which doesn't offer librewolf at all, but firejail still ignored everything for being run inside of a "sandbox..."
How old is your firejail?
You should upgrade to fix multiple vulnerabilities.
It's archlinux, it shouldn't be that old
That defeats the purpose of avoiding all host system and app breakages being blamed on my installing outsider software (it's not just librewolf)
> I tried running `firejail --force ---private librewolf` inside a distrobox of archlinux on a fedora-based distro which doesn't offer librewolf at all, but firejail still ignored everything for being run inside of a "sandbox..."

(1) I'm assuming the triple dash in `---private` is a typo and isn't the actual command you ran.

(2) Firejail dropped the `--force` option since version 0.9.54:
Lines 490 to 491 in db09546
For example, when running `firejail --force --private librewolf` on Arch Linux with 0.9.72, you should see:

`Error: invalid --force command line option`
Not sure what the actual problem is. Can you rephrase your issue?
Oh, if it did throw that error I didn't see it... how do I put `--force` back in?
ok thanks
FWIW, the following containers are supported: `container=(lxc|docker|lxc-libvirt|systemd-nspawn|rkt) firejail ...` according to firejail/src/firejail/no_sandbox.c, Lines 29 to 38 in db09546
Wait no, that release is a thousand years old...

> FWIW, the following containers are supported: `container=(lxc|docker|lxc-libvirt|systemd-nspawn|rkt) firejail ...` according to firejail/src/firejail/no_sandbox.c, Lines 29 to 38 in db09546
What would happen if I just naively added distrobox to the list?
Either it works or it does not work.
It didn't work, firejail still detects a sandbox...
firejail/src/firejail/no_sandbox.c, Lines 41 to 47 in db09546

That's the first check; if it still detects a sandbox, you added the wrong value.
Ah, it might be one of these pod-based labels:
(how did you get the code preview thing?)
Okay I added the right values, but...
```text
Reading profile /usr/local/etc/firejail/librewolf.profile
Reading profile /usr/local/etc/firejail/firefox-common.profile
Reading profile /usr/local/etc/firejail/disable-common.inc
Reading profile /usr/local/etc/firejail/disable-devel.inc
Reading profile /usr/local/etc/firejail/disable-exec.inc
Reading profile /usr/local/etc/firejail/disable-interpreters.inc
Reading profile /usr/local/etc/firejail/disable-proc.inc
Reading profile /usr/local/etc/firejail/disable-programs.inc
Reading profile /usr/local/etc/firejail/whitelist-common.inc
Reading profile /usr/local/etc/firejail/whitelist-run-common.inc
Reading profile /usr/local/etc/firejail/whitelist-runuser-common.inc
Reading profile /usr/local/etc/firejail/whitelist-usr-share-common.inc
Reading profile /usr/local/etc/firejail/whitelist-var-common.inc
firejail version 0.9.73
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: /usr/bin/xdg-dbus-proxy was not found, downgrading dbus-user policy to allow.
To enable DBus filtering, install the xdg-dbus-proxy program.
Ignoring "dbus-user.own io.gitlab.librewolf.*" and 1 other dbus-user filter rule.
Parent pid 15028, child pid 15029
Warning: cannot find /var/run/utmp
Error: cannot create /dev/zero device: Operation not permitted
Error: proc 15028 cannot sync with peer: unexpected EOF
Peer 15029 unexpectedly exited with status 1
```
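The two checks this thread turns on, as an added example that is not firejail's own code: the first is the `container` environment-variable lookup quoted above from no_sandbox.c (the runtime names are the ones listed in the thread; the function names and the "unknown label" classification are my own), and the second is a probe that attempts the same kind of operation that fails at the end of the log, creating a character device node like /dev/zero. Whether firejail uses exactly `mknod` there is an assumption; the point is that an unprivileged (rootless) container typically refuses device creation, so a sandbox that builds its own private /dev cannot finish even if the container detection is bypassed.

```c
// Added example, not firejail's code: reimplements the container-label check
// from the no_sandbox.c lines quoted in the thread, plus a device-node probe
// that reproduces the "cannot create /dev/zero device" condition from the log.
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>

// Runtimes recognised via the "container" environment variable
// (values taken from the thread: lxc|docker|lxc-libvirt|systemd-nspawn|rkt).
static const char *const known_containers[] = {
    "lxc", "docker", "lxc-libvirt", "systemd-nspawn", "rkt", NULL
};

// Returns 1 if `value` is one of the known runtime names, 0 otherwise
// (NULL or empty counts as "not in a labelled container").
int is_known_container(const char *value) {
    if (value == NULL || *value == '\0')
        return 0;
    for (const char *const *p = known_containers; *p != NULL; p++)
        if (strcmp(*p, value) == 0)
            return 1;
    return 0;
}

// Classify the "container" label (hypothetical helper, not firejail's):
// 0 = no label, 1 = known runtime, 2 = label present but not in the list
// (e.g. a podman-style label that the list above does not cover).
int classify_container_env(const char *value) {
    if (value == NULL || *value == '\0')
        return 0;
    return is_known_container(value) ? 1 : 2;
}

// Try to create a character device node with /dev/zero's numbers
// (major 1, minor 5) at `path`.  Returns 0 on success (the node is removed
// again) or the errno mknod reported.  Inside a rootless podman container
// this is typically EPERM, which matches the error in the log above.
int probe_mknod(const char *path) {
    if (mknod(path, S_IFCHR | 0666, makedev(1, 5)) != 0)
        return errno;
    unlink(path);
    return 0;
}

int main(void) {
    const char *label = getenv("container");
    switch (classify_container_env(label)) {
    case 0:  puts("container: not set"); break;
    case 1:  printf("container: %s (in the known list)\n", label); break;
    default: printf("container: %s (not in the known list)\n", label); break;
    }

    int err = probe_mknod("/tmp/firejail-probe-zero");
    if (err == 0)
        puts("mknod: allowed, a private /dev can be built here");
    else
        printf("mknod: %s, expect device creation to fail here\n", strerror(err));
    return 0;
}
```

Run it inside the container before changing the detection list: if the second line reports EPERM, adding a new runtime name to the list only moves the failure from the detection check to the /dev setup, which is what the log above shows.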
Does podman support need to be added into firejail?
- Try if `--profile=noprofile` works.
- Try rootful podman with `--privileged` and `--security-opt=label=disable --security-opt=seccomp=unconfined`
By rootful podman you mean run distrobox with the `--root` flag?
I never used distrobox but firejail might not work inside rootless podman (https://github.com/containers/podman#rootless).
Distrobox keeps freezing the entire OS whenever I try creating a rootful container... and the podman command used to "enter" the container, `podman exec`, doesn't take the `--security-opt` flag, anyway...