Symlink handling woes

[haarp]

Hello,

I'm often seeing that symlink handling in firejail is extremely confusing. I've had challenges in the past (#3133) and I'm once again working on profiles (#5978)

I have a partially-encrypted home. ~/Private is encrypted and I move some dirs like ~/.mozilla into it and symlink ~/.mozilla -> Private/mozilla/.

Now I'm working the discord profile. I realize that the Private symlinking requires local changes that I won't be adding to the PR. But figuring out these changes... I'm at a loss.

noblacklist ${HOME}/Private, or nothing below ~/Private/ is ever accessible, Ok.

noblacklist ${HOME}/.mozilla
whitelist ${HOME}/.mozilla/firefox/profiles.ini

Should supposedly make ${HOME}/.mozilla/firefox/profiles.ini accessible. Except it acts on the symlink target, so ${HOME}/Private/mozilla/firefox/profiles.ini becomes accessible and ~/.mozilla is non-existent inside the jail. Now how to make ~/.mozilla (the symlink) available so this can actually work?

noblacklist ${HOME}/Private/mozilla does nothing.
whitelist ${HOME}/Private/mozilla/firefox/profiles.ini does nothing.
whitelist ${HOME}/.mozilla works, too well. It makes the entire Firefox profile without whitelisting available under both ~/.mozilla and ~/Private/mozilla.

The interactions of blacklist, noblacklist and whitelist in a symlinked setup is too confusing for me to follow. There is no directive to create a symlink after jail creation either.

What to do at this point? Thanks a lot!

[ghost]

I've installed discord on my Arch Linux box to assist in creating a hardened setup for it cfr. #5978.
An additional resource for allowing Firefox to open links: #5582.

Remarks pertaining to this specific use case and symlinking under ${HOME}:

IMO secure results are achieved by targetting both locations. Translating this rule-of-thumb for your specific use case I'd try the following:

• add blacklist ${HOME}/Private to your globals.local
• add noblacklist ${HOME}/Private to any foo.local you want to allow access to that location
• add whitelist ${HOME}/Private/<subdir> to that same foo.local when it's a whitelisting profile

To sum up:

$ cat ~/.config/firejail/globals.local
[...]
blacklist ${HOME}/Private

$ cat ~/.config/firejail/discord.local
# Firejail profile for discord
# Persistent local customizations

## globals.local overrides

# lift ${HOME}/Private blacklisting
noblacklist ${HOME}/Private

$ cat ~/.config/firejail/discord-common.local
# Firejail profile for discord-common
# Persistent local customizations

# Discord modules like discord_{rpc,spellcheck,utils,voice} depend on nodejs
# Allow node (disabled by disable-interpreters.inc)
include allow-nodejs.inc

# Disabled until someone reported positive feedback
ignore ignore include disable-interpreters.inc
ignore ignore include disable-xdg.inc
ignore ignore include whitelist-runuser-common.inc
ignore ignore include whitelist-usr-share-common.inc
ignore ignore apparmor
ignore ignore disable-mnt
ignore ignore private-cache
#ignore dbus-user none
ignore ignore dbus-system none

# The lines below are needed to find the default Firefox profile name, to allow
# opening links in an existing instance of Firefox (note that it still fails if
# there isn't a Firefox instance running with the default profile; see #5352)
noblacklist ${HOME}/.mozilla
whitelist ${HOME}/.mozilla/firefox/profiles.ini
whitelist ${HOME}/Private/mozilla/firefox/profiles.ini

dbus-user filter
# allow D-Bus notifications
dbus-user.talk org.freedesktop.Notifications
# allow D-Bus secrets
dbus-user.talk org.freedesktop.secrets
# allow D-Bus communication with firefox for opening links
dbus-user.talk org.mozilla.*
private-bin firefox
ignore dbus-user none

Hope this helps to untangle your symlink woes...

[haarp]

Hello @glitsj16, very sorry for the long radio silence. I've barely had time to work on projects lately. Thanks a lot for the detailed answer!

I've tried a few variations but still couldn't get a satisfactory solution. I'll try to break it down to a minimal config:

Test case: firejail --profile=discord bash
discord.local:

# TEST
private-bin ls,cat,firefox

noblacklist ${HOME}/Private

noblacklist ${HOME}/.mozilla
whitelist ${HOME}/.mozilla/firefox/profiles.ini
whitelist ${HOME}/Private/mozilla/firefox/profiles.ini

dbus-user.talk org.mozilla.*

Result: ~/Private/mozilla/firefox/profiles.ini is accessible as intended from within the jail. But the ~/.mozilla symlink is missing.

Now I try adding whitelist ${HOME}/.mozilla.

Result: ~/.mozilla symlink exists now, but ~/Private/mozilla is fully accessible with no restrictions at all.

How do i tell firejail to add the symlink, but without fully whitelisting the symlink target? From the manpage: Symbolic link handling: Whitelisting a path that is a symbolic link will also whitelist the path that it points to.

Thanks!

[haarp]

Hmm, I don't see any way of solving this with current firejail directives. I think whitelist is missing some logic.

whitelist ${HOME}/.mozilla when ~/.mozilla is a symlink: Whitelists the symlink target and creates the symlink itself in the jail
whitelist ${HOME}/.mozilla/firefox/profiles.ini when ~/.mozilla is a symlink: Whitelists the file after resolving the symlink but doesn't create the symlink itself

The whitelist directive should probably move up the path in reverse until it encounters a symlink and create it aswell. Or is this dumb?

(Hacky alternative: There already exists a mkdir directive. Adding a mklink directive for this use case would work. Not very elegant tho)

[haarp]

I think this is an actual limitation. I've opened #6058 for this.

[ghost]

Result: ~/Private/mozilla/firefox/profiles.ini is accessible as intended from within the jail. But the ~/.mozilla symlink is missing.
Now I try adding whitelist ${HOME}/.mozilla.
Result: ~/.mozilla symlink exists now, but ~/Private/mozilla is fully accessible with no restrictions at all.

Revisiting this I played around a bit more and for me the below seems to do the trick:

$ cat ~/.config/firejail/discord.local
# Firejail profile for discord
# Persistent local customizations

# symlink handling woes
# https://github.com/netblue30/firejail/discussions/5980
# open links in sandboxed Firefox

## globals.local overrides

# lift ${HOME}/Private blacklisting
noblacklist ${HOME}/Private

## discord.profile additions
# keep in mind the ordering 'logic' is important here
noblacklist ${HOME}/.mozilla
noblacklist ${HOME}/.mozilla/firefox
noblacklist ${HOME}/.mozilla/firefox/profiles.ini
blacklist ${HOME}/.mozilla/firefox/*
blacklist ${HOME}/.mozilla/*
whitelist ${HOME}/.mozilla
whitelist ${HOME}/Private/mozilla/*

private-bin ls,cat,firefox

dbus-user.talk org.mozilla.*

HTH

[haarp]

Thanks! That actually made it work. I didn't consider using /* wildcards this way.

I managed to strip some lines and threw in a read-only for good measure:

noblacklist ${HOME}/Private

noblacklist ${HOME}/.mozilla
noblacklist ${HOME}/.mozilla/firefox/profiles.ini
read-only ${HOME}/.mozilla/firefox/profiles.ini
blacklist ${HOME}/.mozilla/firefox/*
whitelist ${HOME}/.mozilla
dbus-user.talk org.mozilla.*
private-bin firefox

~/Private never actually needs to be referred to, with the exception of the initial noblacklist of course.

It's a messy workaround, so #6058 is still valid :)

[ghost]

It's a messy workaround, so #6058 is still valid :)

Agreed!

[ghost]

For the record, there are alternatives available that don't rely on D-Bus for URL-opening support but use socket-based tech. Those might offer nicer/less confusing ways to integrate in your custom Firejail setup:

#5364
#5574

All this doesn't invalidate your arguments for implementing #6058.

[haarp]

I actually had a look at fireurl several times while debugging URL opening, but never managed to wrap my head around it ^^

[kmk3]

I actually had a look at fireurl several times while debugging URL opening,
but never managed to wrap my head around it ^^

See also the shell script version:

• Custom URL handlers and fireurl #5582

It currently needs some manual setup but it's a bit simpler.