Error mounting tmpfs: fs.c:499 fs_tmpfs: Invalid argument Error: proc 22812 cannot sync with peer: unexpected EOF #4387

Closed
darmon77 opened this issue Jul 7, 2021 · 9 comments
Labels
bug Something isn't working

Comments

@darmon77

darmon77 commented Jul 7, 2021

Running firejail gives unexpected behavior in its default configuration, in all its profiles.

firejail telegram-desktop
Reading profile /etc/firejail/telegram-desktop.profile
Reading profile /etc/firejail/telegram.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: private-cache feature is disabled in Firejail configuration file
Warning: private-etc feature is disabled in Firejail configuration file
Parent pid 22812, child pid 22815
Warning: cannot find /dev/null/utmp
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Error mounting tmpfs: fs.c:499 fs_tmpfs: Invalid argument
Error: proc 22812 cannot sync with peer: unexpected EOF
Peer 22815 unexpectedly exited with status 1

firejail --debug telegram-desktop
Mounting tmpfs on /usr/share, check owner: no
Error mounting tmpfs: fs.c:499 fs_tmpfs: Invalid argument
Error: proc 22956 cannot sync with peer: unexpected EOF
Peer 22959 unexpectedly exited with status 1

Environment

  • LSB Version: 1.0
    Distributor ID: VoidLinux
    Description: Void Linux
    Release: rolling
    Codename: void

  • firejail version 0.9.66

Compile time support:
- always force nonewprivs support is disabled
- AppArmor support is enabled
- AppImage support is enabled
- chroot support is enabled
- D-BUS proxy support is enabled
- file and directory whitelisting support is enabled
- file transfer support is enabled
- firetunnel support is enabled
- networking support is enabled
- output logging is enabled
- overlayfs support is disabled
- private-home support is enabled
- private-cache and tmpfs as user enabled
- SELinux support is disabled
- user namespace support is enabled
- X11 sandboxing support is enabled

@smitsohu
Collaborator

smitsohu commented Jul 12, 2021

Hi @darmon77, thanks for reporting this.

Can you please post the output of

ls -ld /usr /usr/share
findmnt --target /usr/share

@darmon77
Author

root@dennis:|⇒ ls -ld /usr /usr/share
drwxr-xr-x 10 root root 4096 Feb 10 01:25 /usr
drwxr-xr-x 220 root root 4096 Jul 2 23:09 /usr/share
root@dennis|⇒ findmnt --target /usr/share
TARGET SOURCE FSTYPE OPTIONS
/ /dev/mapper/data77--vg-root ext4 rw,relatime

@D-RX

D-RX commented Jul 13, 2021

Same problem on Void Linux, using musl, but with just:
firejail firefox
Error output is essentially the same.

I've run strace and gdb on firejail with the args set to firefox. The problem is in the call to mount in fs.c:498 (function fs_tmpfs). Arguments to mount are:
source (rdi) => "tmpfs"
target (rsi) => "/proc/self/fd/8", which is a symbolic link to /usr/share
filesystem (rdx) => "tmpfs"
mountflags (r10) = 0x1
data (r8) => "mode=755,uid=0,gid=0"
The call to mount returns EINVAL or -1.
The stack trace shows that this is called from tmpfs_topdirs, which was called from fs_whitelist in a child process __cloned from firejail.

strace shows that there are several successful calls to mount with filesystem set to "tmpfs" before this.

I have essentially the same output as darmon77 for (just a different device name from findmnt):

ls -ld /usr /usr/share
findmnt --target /usr/share

@smitsohu
Collaborator

smitsohu commented Jul 13, 2021

At first I thought we are carrying over a mountflag that is not compatible with tmpfs, but this doesn't seem to be the case.

mountflags (r10) = 0x1

Instead we have wrong mountflags, which is a separate and possibly related bug: 0x1 is the read-only flag, which Firejail actually is supposed to remove:

firejail/src/firejail/fs.c

Lines 488 to 492 in 110a74f

// preserve mount flags, but remove read-only flag
struct statvfs buf;
if (fstatvfs(fd, &buf) == -1)
	errExit("fstatvfs");
unsigned long flags = buf.f_flag & ~(MS_RDONLY|MS_BIND);

@smitsohu
Collaborator

Just for the record, I cannot reproduce on Debian or Fedora at the moment.

@D-RX

D-RX commented Jul 13, 2021

Sorry, there was a mistake in my earlier post. The value in mountflags for the mount syscall should actually be 0x26. I was looking at the call to mount just at line fs.c:498, but stepped by line rather than instruction. Following to the syscall by instruction shows that mountflags (r10) is set to 0x26 (from rcx) just before the syscall instruction (the rcx vs. r10 is just user-space vs. kernel-space calling conventions). The return value from the syscall to mount is -22 (decimal).

Also, I understand that this bug does not appear in Void Linux when using glibc, but only when using musl.

@smitsohu
Collaborator

The value in mountflags for the mount syscall should actually be 0x26

Thanks. We need to remove MS_REMOUNT. I'll put a fix shortly.

smitsohu added the "bug" and "in testing" labels Jul 13, 2021
@D-RX

D-RX commented Jul 20, 2021

I can verify that modifying the value ANDed with the mount flags in the firejail binary to effect the same as your commit ba5f5c8 i.e. to include clearing MS_REMOUNT:
unsigned long flags = buf.f_flag & ~(MS_RDONLY|MS_BIND|MS_REMOUNT);
(that is, the ANDed value goes from ... FF EF FE -> ... FF EF DE)
does fix the bug in Void Linux using musl.
Thanks!
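
The flag values reported in this thread, decoded and run through the mask as it was before and after the fix. This is an added example, not part of the issue thread or Firejail's source; `mask_before`, `mask_after` and `decode_flags` are hypothetical helper names, and 0x26 is treated as the value that reached `mount()`.

```c
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>  /* Linux MS_* mount flag constants */

/* Mask as quoted from fs.c before the fix: clears read-only and bind. */
static unsigned long mask_before(unsigned long f)
{
	return f & ~(unsigned long)(MS_RDONLY | MS_BIND);
}

/* Mask after the fix confirmed in the thread: also clears MS_REMOUNT. */
static unsigned long mask_after(unsigned long f)
{
	return f & ~(unsigned long)(MS_RDONLY | MS_BIND | MS_REMOUNT);
}

/* Write the MS_* names set in flags to out; return bits not in the table. */
static unsigned long decode_flags(unsigned long flags, char *out, size_t len)
{
	static const struct { unsigned long bit; const char *name; } tbl[] = {
		{ MS_RDONLY, "MS_RDONLY" }, { MS_NOSUID, "MS_NOSUID" },
		{ MS_NODEV, "MS_NODEV" }, { MS_NOEXEC, "MS_NOEXEC" },
		{ MS_REMOUNT, "MS_REMOUNT" }, { MS_NOATIME, "MS_NOATIME" },
		{ MS_BIND, "MS_BIND" },
	};
	out[0] = '\0';
	for (size_t i = 0; i < sizeof tbl / sizeof tbl[0]; i++) {
		if (!(flags & tbl[i].bit))
			continue;
		if (out[0])
			strncat(out, "|", len - strlen(out) - 1);
		strncat(out, tbl[i].name, len - strlen(out) - 1);
		flags &= ~tbl[i].bit;
	}
	return flags;
}

int main(void)
{
	/* 0x1 and 0x26 are the two mountflags values reported in the thread. */
	const unsigned long seen[] = { 0x1UL, 0x26UL };
	char raw[128], old[128], new[128];
	for (size_t i = 0; i < sizeof seen / sizeof seen[0]; i++) {
		decode_flags(seen[i], raw, sizeof raw);
		decode_flags(mask_before(seen[i]), old, sizeof old);
		decode_flags(mask_after(seen[i]), new, sizeof new);
		printf("0x%lx = [%s]  old mask: [%s]  new mask: [%s]\n",
		       seen[i], raw, old, new);
	}
	return 0;
}
```

Per mount(2), an MS_REMOUNT request on a target that is not a mount point fails with EINVAL, which is consistent with the findmnt output above showing /usr/share sitting on the / mount.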

@smitsohu
Collaborator

Guess we can close if there is nothing left to do. Thanks everyone!

smitsohu removed the "in testing" label Jul 22, 2021
kmk3 added a commit to kmk3/firejail that referenced this issue Jan 26, 2022
Note: They are added in the order that the issues were fixed/closed.

Note2: The issues were found through the following url:

https://github.com/netblue30/firejail/issues?q=is%3Aclosed+label%3Abug+-label%3Asecurity+closed%3A%3E2021-06-29+

The date used is the release date of 0.9.66, so in theory the query
should return every bug closed after that.  Security-related issues are
excluded because they will be added separately.

Note3: All issues other than netblue30#4328 were fixed before 0.9.68rc1.

Relates to netblue30#2758 netblue30#4235 netblue30#4328 netblue30#4387 netblue30#4395 netblue30#4460 netblue30#4467 netblue30#4558 netblue30#4560 netblue30#4586.
@kmk3 kmk3 moved this to Done (on RELNOTES) in Release 0.9.68 Sep 2, 2024