Giters

netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox

Home Page:https://firejail.wordpress.com

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

zoom profile bypasses --private (mkdir/mkfile)

vinc17fr opened this issue · comments

commented

Description

When I use --private with the zoom profile, files and directories are created in my real home directory.

Steps to Reproduce

  1. Run firejail --private=some_directory --profile=/etc/firejail/zoom.profile
  2. In an another terminal (or after quitting firejail), from the home directory, run:
    ls -ld .zoom .cache/zoom .config/zoomus.conf

Expected behavior

These files/directories should not exist (if they didn't exist initially).

Actual behavior

I get in my real home directory:

drwx------ 2 vinc17 vinc17 4096 2024-04-15 12:52:59 .cache/zoom
-rw------- 1 vinc17 vinc17    0 2024-04-15 12:52:59 .config/zoomus.conf
drwx------ 2 vinc17 vinc17 4096 2024-04-15 12:52:59 .zoom

Behavior without a profile

N/A. The issue is due to the zoom profile, which does

mkdir ${HOME}/.cache/zoom
mkfile ${HOME}/.config/zoomus.conf
mkdir ${HOME}/.zoom

Since Zoom will run from the private directory, these files/directories should be created in the private directory.

Environment

  • Linux distribution and version: Debian/unstable
  • Firejail version (firejail --version): 0.9.72

Checklist

  • The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • I can reproduce the issue without custom modifications (e.g. globals.local).
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • I have performed a short search for similar issues (to avoid opening a duplicate).
    • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program 

Reading profile /etc/firejail/zoom.profile
Reading profile /etc/firejail/electron.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 577596, child pid 577600
Child process initialized in 70.73 ms

commented

I forgot about it, but this seems to be the more general bug #903 (I thought that this was specific to the zoom profile and was looking for Zoom-related bugs).

commented

Yep, this is a duplicate of #903. Until there's a proper fix, use the workaround mentioned in the man page:

firejail/src/man/firejail.1.in

Lines 2064 to 2070 in 27cd032

Bug: Even with this enabled, some commands (such as mkdir, mkfile and
private-cache) will still operate on the original home directory.
Workaround: Disable the incompatible commands, such as by using "ignore mkdir"
and "ignore mkfile".
For details, see
.UR https://github.com/netblue30/firejail/issues/903
#903