New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Firejail with grsecurity #141
Comments
Hi, thanks for responding to my inquiry so quickly! On a side note, I was messing around with my fstab, and found out that firejail can't have /usr/bin mounted in read-only. Here's what my fstab looks like now: |
I put a copy of your config here, in case it expires on pastebin:
|
The problem is related to the proc-restrictions of GrSec (CONFIG_GRKERNSEC_PROC=y, CONFIG_GRKERNSEC_PROC_USERGROUP=y or CONFIG_GRKERNSEC_PROC_USER=y). Assuming you have chosen "CONFIG_GRKERNSEC_PROC_USERGROUP=y" with the trusted group 123 then the user opening a firejail-instance must be member of group 123. Otherwise firejail cannot look onto /proc and fails with the "existing sandbox error" (I am on gentoo and tested it with my self-compiled hardened-kernel) However, inserting the user into the trusted group 123 is more a workaround then a fix, because the user get rights he should not get. One could overcome this problem if firejail would execute its instances as a special "user" (for example this user could be called firejail). (Polkit for example acts like that and uses the user polkitd for its actions. Therefore inserting polkitd into 123 solves all polkit related problems!) Then one could put this special user (firejail) into the trusted group 123 without putting the regular user into the trusted group. Additionally this would have one further advantage: With grsec one can forbid any network access to some user/group. Assuming that firejail opens a sandbox with the rights of the special user "firejail" one could forbid network access to the regular user but the regular user could open a program with network access via firejail. This leads to a regular user which can only access internet through firejail. I hope this was understandable and not to chaotic ;-) PS: If my suggestion is problematic, because one user is not sufficient if a bunch of regular users would use firejail at the same time on the same machine, one could introduce a firejail user named "user_firejail" for every regular user. PPS: The "reply"-field on https://l3net.wordpress.com/projects/firejail/ does not work for me?!? |
Thanks for the write-up. I'll have to give it a try and see what is going on. What do you mean by "replay" field? |
With reply-field I meant the field where one can write an answer. |
Moved from the blog:
Got a question regarding the “an existing sandbox was detected…” error. I’m running a grsec kernel, and I’ve got two users. User A has /usr/bin/firejail as the shell while user B has /bin/bash. When I bring up a terminal emulator (xterm, uxterm, or xfce terminal) in either of the users, I see this error. When I run firejail –tree, the processes shows up. Even when I log into something like TTY2 without a GUI, I get the same error when attempting to go into firejail or run something with firejail. Should I disable grsec’s chroot restrictions? I’ve tried disabling several (caps, fchdir, shmat, unix, ect) with out any success. When I run firejail without a grsec kernel, firejail works flawlessly. What do?
The text was updated successfully, but these errors were encountered: