no way to selectively disable quiet-by-default in firejail.config #3125

Closed
jonleivent opened this issue Jan 5, 2020 · 4 comments

@jonleivent

There is no way to re-enable firejail output once quiet-by-default yes is in /etc/firejail/firejail.config.

I have quiet-by-default yes in my firejail.config so that profiles I have tested don't pollute my .xsession-errors file. Unfortunately, there doesn't seem to be a way to re-enable verbose output for testing new profiles, short of editing firejail.config each time. I tried --ignore=quiet, --ignore=quiet-by-default, etc. with nothing working. Hence "quiet-by-default" is a bit of a misnomer.

As an alternative to quiet-by-default yes, I tried putting quiet in globals.local, but that still allows a few lines of output to get into .xsession-errors when starting up jails in ways other than the command line. BTW - I use firecfg, so I can't easily put --quiet on every firejail command line.

I recommend having a separate configuration for firejail when started via firecfg symlink vs. when started manually. Alternatively, add a --config=file command-line option to firejail - although that might violate security in multi-user environments.

I'm using firejail 0.9.58.2 in Debian buster.

@rusty-snake rusty-snake added the enhancement New feature request label Jan 5, 2020
@rusty-snake
Collaborator

Something like noquiet.

For everyone with the same problem and a newer firejail version: since 0.9.60 it is possible to set FIREJAIL_QUIET=yes (env var).

@jonleivent
Author

Is there a description of firejail env vars somewhere?

@rusty-snake
Collaborator

No.

$ grep "etenv(" src/**/*.c                                                                                              ⎇ master a849f8c -U
src/faudit/dbus.c:	char *str = getenv("DBUS_SESSION_BUS_ADDRESS");
src/faudit/main.c:	if (getenv("FIREJAIL_TEST_ARGUMENTS")) {
src/faudit/pid.c:	char *str = getenv("container");
src/faudit/pid.c:		str = getenv("SNAP");
src/fcopy/main.c:	char *quiet = getenv("FIREJAIL_QUIET");
src/fcopy/main.c:	char *debug = getenv("FIREJAIL_DEBUG");
src/fcopy/main.c:	char *cl = getenv("FIREJAIL_FILE_COPY_LIMIT");
src/firecfg/main.c:	char *user = getenv("SUDO_USER");
src/firecfg/util.c:	char *path1 = getenv("PATH");
src/firejail/appimage.c:	if (setenv("APPIMAGE", abspath, 1) < 0)
src/firejail/appimage.c:	if (mntdir && setenv("APPDIR", mntdir, 1) < 0)
src/firejail/appimage.c:	if (size != 0 && setenv("ARGV0", appimage, 1) < 0)
src/firejail/appimage.c:	if (cfg.cwd && setenv("OWD", cfg.cwd, 1) < 0)
src/firejail/checkcfg.c:				if (setenv("FIREJAIL_FILE_COPY_LIMIT", ptr + 16, 1) == -1)
src/firejail/chroot.c:	if (getenv("FIREJAIL_X11")) {
src/firejail/dbus.c:	if (setenv("DBUS_SESSION_BUS_ADDRESS", env_var, 1) == -1) {
src/firejail/env.c:	if (setenv("QT_X11_NO_MITSHM", "1", 1) < 0)
src/firejail/env.c:	if (setenv("QML_DISABLE_DISK_CACHE", "1", 1) < 0)
src/firejail/env.c://	if (setenv("QTWEBENGINE_DISABLE_SANDBOX", "1", 1) < 0)
src/firejail/env.c://	if (setenv("MOZ_NO_REMOTE, "1", 1) < 0)
src/firejail/env.c:	if (setenv("container", "firejail", 1) < 0) // LXC sets container=lxc,
src/firejail/env.c:	if (cfg.shell && setenv("SHELL", cfg.shell, 1) < 0)
src/firejail/env.c:	if (setenv("KDE_FORK_SLAVES", "1", 1) < 0)
src/firejail/env.c:		char *prompt = getenv("FIREJAIL_PROMPT");
src/firejail/env.c:		if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0)
src/firejail/env.c:		if (setenv("PROMPT_COMMAND", ":", 1) < 0) // unsetenv() will not work here, bash still picks it up from somewhere
src/firejail/env.c:		setenv("FIREJAIL_QUIET", "yes", 1);
src/firejail/env.c:			if (setenv(env->name, env->value, 1) < 0)
src/firejail/env.c:			unsetenv(env->name);
src/firejail/fs.c:	char *xauth = getenv("XAUTHORITY");
src/firejail/fs_whitelist.c:			char *env = getenv("TMP");
src/firejail/join.c:			setenv("DISPLAY", display_str, 1);
src/firejail/main.c:	shell = getenv("SHELL");
src/firejail/main.c:	assert(getenv("LD_PRELOAD") == NULL);
src/firejail/main.c:	char *env_quiet = getenv("FIREJAIL_QUIET");
src/firejail/main.c:	char *container_name = getenv("container");
src/firejail/no_sandbox.c:	char *str = getenv("container");
src/firejail/paths.c:	char *path = getenv("PATH");
src/firejail/paths.c:		setenv("PATH", path, 1);
src/firejail/profile.c:	return (arg_x11_block || arg_x11_xorg || getenv("FIREJAIL_X11"));
src/firejail/profile.c:			char *x11env = getenv("FIREJAIL_X11");
src/firejail/profile.c:			char *x11env = getenv("FIREJAIL_X11");
src/firejail/profile.c:			char *x11env = getenv("FIREJAIL_X11");
src/firejail/profile.c:			char *x11env = getenv("FIREJAIL_X11");
src/firejail/pulseaudio.c:	char *name = getenv("XDG_RUNTIME_DIR");
src/firejail/pulseaudio.c:		if (setenv("PULSE_CLIENTCONFIG", pulsecfg, 1) < 0)
src/firejail/run_symlink.c:	char *p = getenv("PATH");
src/firejail/run_symlink.c:	assert(getenv("LD_PRELOAD") == NULL);
src/firejail/sandbox.c:	char *mycont = getenv("container");
src/firejail/sandbox.c:		char *path1 = getenv("PATH");
src/firejail/sandbox.c:		printf("LD_PRELOAD=%s\n", getenv("LD_PRELOAD"));
src/firejail/sbox.c:		char *cl = getenv("FIREJAIL_FILE_COPY_LIMIT");
src/firejail/sbox.c:			if (setenv("FIREJAIL_FILE_COPY_LIMIT", cl, 1) == -1)
src/firejail/sbox.c:			setenv("FIREJAIL_QUIET", "yes", 1);
src/firejail/sbox.c:			setenv("FIREJAIL_DEBUG", "yes", 1);
src/firejail/x11.c:	const char *display_str = getenv("DISPLAY");
src/firejail/x11.c:	setenv("FIREJAIL_X11", "yes", 1);
src/firejail/x11.c:		assert(getenv("LD_PRELOAD") == NULL);
src/firejail/x11.c:	setenv("DISPLAY", display_str, 1);
src/firejail/x11.c:		assert(getenv("LD_PRELOAD") == NULL);
src/firejail/x11.c:	setenv("FIREJAIL_X11", "yes", 1);
src/firejail/x11.c:		assert(getenv("LD_PRELOAD") == NULL);
src/firejail/x11.c:	setenv("DISPLAY", display_str, 1);
src/firejail/x11.c:		assert(getenv("LD_PRELOAD") == NULL);
src/firejail/x11.c:		assert(getenv("LD_PRELOAD") == NULL);
src/firejail/x11.c:		assert(getenv("LD_PRELOAD") == NULL);
src/firejail/x11.c:	setenv("DISPLAY", display_str, 1);
src/firejail/x11.c:		assert(getenv("LD_PRELOAD") == NULL);
src/firejail/x11.c:				assert(getenv("LD_PRELOAD") == NULL);
src/firejail/x11.c:		assert(getenv("LD_PRELOAD") == NULL);
src/firejail/x11.c:	setenv("FIREJAIL_X11", "yes", 1);
src/firejail/x11.c:	char *display = getenv("DISPLAY");
src/firejail/x11.c:	char *envar = getenv("XAUTHORITY");
src/firejail/x11.c:	if (setenv("XAUTHORITY", dest, 1) < 0)
src/firejail/x11.c:	char *xauthority = getenv("XAUTHORITY");
src/fldd/main.c:	char *quiet = getenv("FIREJAIL_QUIET");
src/fnetfilter/main.c:	char *quiet = getenv("FIREJAIL_QUIET");
src/fnet/main.c:	char *quiet = getenv("FIREJAIL_QUIET");
src/fseccomp/main.c:	char *quiet = getenv("FIREJAIL_QUIET");
src/libtrace/libtrace.c:	char *logfile = getenv("FIREJAIL_TRACEFILE");
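
As an added illustration (not part of the thread and not firejail project code), this shell function condenses a `grep "etenv("` listing like the one above into one line per variable name, with the `src/` components that reference it, for `getenv` or `setenv` separately. The function names `env_vars` and `sample_lines` are hypothetical; commented-out lines and calls whose argument is not a string literal are skipped.

```shell
#!/bin/sh
# Added example, not firejail project code.
# Summarise `grep "etenv("` output: which environment variables are passed as
# string literals to getenv() or setenv(), and in which src/<component>.
# Assumed real use, from a firejail source checkout:
#   grep 'etenv(' src/*/*.c | env_vars getenv

# Constructed sample: lines taken from the grep output above, whitespace normalised.
sample_lines() {
cat <<'EOF'
src/fcopy/main.c: char *quiet = getenv("FIREJAIL_QUIET");
src/firejail/main.c: char *env_quiet = getenv("FIREJAIL_QUIET");
src/firejail/env.c: setenv("FIREJAIL_QUIET", "yes", 1);
src/firejail/env.c:// if (setenv("QTWEBENGINE_DISABLE_SANDBOX", "1", 1) < 0)
src/firejail/env.c: unsetenv(env->name);
src/firejail/profile.c: return (arg_x11_block || arg_x11_xorg || getenv("FIREJAIL_X11"));
src/libtrace/libtrace.c: char *logfile = getenv("FIREJAIL_TRACEFILE");
src/firejail/x11.c: char *display = getenv("DISPLAY");
EOF
}

# env_vars CALL   (CALL is getenv or setenv; reads "path:code" lines on stdin)
env_vars() {
    awk -v call="$1" '
    {
        sep  = index($0, ":")
        path = substr($0, 1, sep - 1)
        code = substr($0, sep + 1)
        sub(/^[ \t]+/, "", code)
        if (code ~ /^\/\//) next            # commented-out source line
        split(path, parts, "/")             # src/<component>/<file>.c
        code = " " code                     # so a call at column 0 has a left neighbour
        # A non-identifier character before CALL keeps unsetenv( from matching setenv(.
        re = "[^A-Za-z_]" call "\\(\"[A-Za-z_][A-Za-z0-9_]*\""
        while (match(code, re)) {
            name = substr(code, RSTART, RLENGTH)
            sub(/^[^"]*"/, "", name); sub(/"$/, "", name)
            print name "\t" parts[2]
            code = substr(code, RSTART + RLENGTH)
        }
    }' | LC_ALL=C sort -u | awk -F'\t' '
    $1 != prev { if (NR > 1) print line; line = $1 " " $2; prev = $1; next }
               { line = line "," $2 }
    END        { if (NR > 0) print line }'
}

sample_lines | env_vars getenv
```

Running the same pipeline with `setenv` lists the variables the sources assign, so the two lists can be compared to see which names are read from the caller's environment and which are only set for the sandboxed process.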

@netblue30
Owner

netblue30 commented May 30, 2021

Fixed! More fixes coming, tracking them in #4275.
