Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

google-chrome: real home is accessible with --private= (dbus) #5246

Closed
7 tasks done
lukypko opened this issue Jul 12, 2022 · 6 comments
Closed
7 tasks done

google-chrome: real home is accessible with --private= (dbus) #5246

lukypko opened this issue Jul 12, 2022 · 6 comments
Labels
notabug The behavior is as intended or the issue was caused by user error or by an old version

Comments

@lukypko
Copy link

lukypko commented Jul 12, 2022
edited
Loading

Description

google-chrome is able to access file list when using --private=FOLDER option

Steps to Reproduce

  • download a google-chrome-stable_current_amd64.deb from https://google.com web page
  • install it using dpkg -i google-chrome-stable_current_amd64.deb
  • mkdir -p ~/temp/youtube (can be any folder, but I used this one)
  • cd ~/temp/youtube
  • no other google-chrome instances are running; ps aux|grep -i chrom[e]|wc -l = 0
  • run firejail --private=$(pwd) --noprofile /usr/bin/google-chrome-stable
  • in a running google-chrome press CTRL+O (to open a file dialog)
  • you can see list of files in your home directory and recently opened files (which is wrong)
  • when you try to open some file (for example image/txt/pdf file), error in google-chrome is showed:
    "Your file couldn’t be accessed,
    It may have been moved, edited, or deleted.,
    ERR_FILE_NOT_FOUND"
  • so files are not readable which is correct behavior

Expected behavior

When specify a command line option --private=$FOLDER, then only files from a $FOLDER should be visible in a $HOME folder, "recently opened files should be only from $FOLDER (if there were some files opened previously)

It looks like the issue is in "open file dialog" which have access to all files in my $HOME folder

Actual behavior

When specify a command line option --private=$FOLDER, then all files from $HOME folder are visible in "open file dialog" and I can select a file. google chrome then display an error that file is not readable
When trying to upload some file to virustotal, then file is uploaded successfully, but file size is 0 bytes (just to check whether it is possible read and upload a file using a javascript)

When open home folder as a URL in a google-chrome so /home/luky in my case, I see just expected content of my $FOLDER file, so this works correctly too

Running without any profiles

firejail --private=`pwd`  --noprofile /usr/bin/google-chrome-stable
Parent pid 3458157, child pid 3458158
Child process initialized in 35.11 ms
[4:109:0712/112101.841338:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.DBus.Properties.Get: object_path= /org/freedesktop/UPower: org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.UPower was not provided by any .service files
[4:109:0712/112101.841744:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.UPower.GetDisplayDevice: object_path= /org/freedesktop/UPower: org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.UPower was not provided by any .service files
[4:109:0712/112101.842103:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.UPower.EnumerateDevices: object_path= /org/freedesktop/UPower: org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.UPower was not provided by any .service files
Fontconfig error: Cannot load default config file: No such file: (null)

Running using an existing profiles

firejail --private=`pwd` /usr/bin/google-chrome-stable
Reading profile /etc/firejail/google-chrome-stable.profile
Reading profile /etc/firejail/google-chrome.profile
Reading profile /etc/firejail/chromium-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 3460196, child pid 3460197
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Child process initialized in 611.12 ms
[4:38:0712/120310.381051:ERROR:bus.cc(398)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[4:38:0712/120310.381297:ERROR:bus.cc(398)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[4:107:0712/120310.967129:ERROR:bus.cc(398)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[4:107:0712/120310.967196:ERROR:bus.cc(398)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[4:107:0712/120310.967274:ERROR:bus.cc(398)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[4:107:0712/120310.969111:ERROR:bus.cc(398)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[4:107:0712/120310.969213:ERROR:bus.cc(398)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
Fontconfig error: Cannot load default config file: No such file: (null)

Parent is shutting down, bye...
  • the issue is that google-chrome is able to get a list of files and traverse a whole $HOME dir, when you are using firejail option --private=FOLDER

Additional context

Maybe it is related just to open file dialog and its caching, because when I click on a image file in "open file dialog" on a right side I see a small image preview. So it looks like that "open file dialog" is able to access file list and read file content to make a small image preview, but google-chrome itself cannot access a file content (as running with --private=FOLDER command line option)

firefox is using the same "open file dialog" and when I run:

firejail --private=$(pwd) --noprofile firefox --no-remote

then "open file dialog" in a firefox is not showing files from original $HOME folder, it is showing files from --private=$FOLDER, which is correct behavior

So it looks like that google-chrome is using "open file dialog" a different way and can escape from firejail container, which is wrong

Environment

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=21.04
DISTRIB_CODENAME=hirsute
DISTRIB_DESCRIPTION="Ubuntu 21.04"

kernel

Linux lukynb 5.11.0-40-generic #44-Ubuntu SMP Wed Oct 20 16:16:42 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

firejail version 0.9.70

Compile time support:
	- always force nonewprivs support is disabled
	- AppArmor support is enabled
	- AppImage support is enabled
	- chroot support is enabled
	- D-BUS proxy support is enabled
	- file transfer support is enabled
	- firetunnel support is enabled
	- IDS support is disabled
	- networking support is enabled
	- output logging is enabled
	- overlayfs support is disabled
	- private-home support is enabled
	- private-cache and tmpfs as user enabled
	- SELinux support is disabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled

Checklist

  • The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • I can reproduce the issue without custom modifications (e.g. globals.local).
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • I have performed a short search for similar issues (to avoid opening a duplicate).
  • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail --private=`pwd` --noprofile /usr/bin/google-chrome-stable 

Parent pid 3458157, child pid 3458158
Child process initialized in 35.11 ms
[4:109:0712/112101.841338:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.DBus.Properties.Get: object_path= /org/freedesktop/UPower: org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.UPower was not provided by any .service files
[4:109:0712/112101.841744:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.UPower.GetDisplayDevice: object_path= /org/freedesktop/UPower: org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.UPower was not provided by any .service files
[4:109:0712/112101.842103:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.UPower.EnumerateDevices: object_path= /org/freedesktop/UPower: org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.UPower was not provided by any .service files
Fontconfig error: Cannot load default config file: No such file: (null)

Output of LC_ALL=C firejail --debug --private=`pwd` --noprofile /usr/bin/google-chrome-stable 

firejail --debug --private=`pwd`  --noprofile /usr/bin/google-chrome-stable
Autoselecting /bin/bash as shell
Building quoted command line: '/usr/bin/google-chrome-stable' 
Command name #google-chrome-stable#
DISPLAY=:1 parsed as 1
Using the local network stack
Parent pid 3459610, child pid 3459611
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
1762 1602 8:2 /etc /etc ro,noatime master:1 - ext4 /dev/sda2 rw
mountid=1762 fsname=/etc dir=/etc fstype=ext4
Mounting noexec /etc
1767 1762 8:2 /etc /etc ro,nosuid,nodev,noexec,noatime master:1 - ext4 /dev/sda2 rw
mountid=1767 fsname=/etc dir=/etc fstype=ext4
Mounting read-only /var
1768 1602 8:2 /var /var ro,noatime master:1 - ext4 /dev/sda2 rw
mountid=1768 fsname=/var dir=/var fstype=ext4
Mounting noexec /var
1778 1768 8:2 /var /var ro,nosuid,nodev,noexec,noatime master:1 - ext4 /dev/sda2 rw
mountid=1778 fsname=/var dir=/var fstype=ext4
Mounting read-only /usr
1779 1602 8:2 /usr /usr ro,noatime master:1 - ext4 /dev/sda2 rw
mountid=1779 fsname=/usr dir=/usr fstype=ext4
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /var/lib/snmp
Mounting tmpfs on /var/lib/sudo
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Cleaning /run/user directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /run/firejail/sandbox
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
Drop privileges: pid 2, uid 1000, gid 1000, force_nogroups 0
Mount-bind /home/luky/temp/youtube on top of /home/luky
1877 1808 8:2 /home/luky/temp/youtube /home/luky rw,noatime master:1 - ext4 /dev/sda2 rw
mountid=1877 fsname=/home/luky/temp/youtube dir=/home/luky fstype=ext4
Mounting a new /root directory
Drop privileges: pid 3, uid 1000, gid 1000, force_nogroups 0
blacklist /run/firejail/dbus
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /sys/kernel/uevent_helper
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/kernel/hotplug
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /usr/lib/modules (requested /lib/modules)
Disable /usr/lib/debug
Disable /boot
Disable /dev/port
Disable /run/user/1000/gnupg
Disable /run/user/1000/systemd
Disable /dev/kmsg
Disable /proc/kmsg
Disable /sys/fs
Disable /sys/module
rebuilding /etc directory
Creating empty /run/firejail/mnt/dns-etc/emacs directory
Creating empty /run/firejail/mnt/dns-etc/ipp-usb directory
Creating empty /run/firejail/mnt/dns-etc/sensors3.conf file
Creating empty /run/firejail/mnt/dns-etc/pipewire directory
Creating empty /run/firejail/mnt/dns-etc/logcheck directory
Creating empty /run/firejail/mnt/dns-etc/sysctl.d directory
Creating empty /run/firejail/mnt/dns-etc/issue file
Creating empty /run/firejail/mnt/dns-etc/networkd-dispatcher directory
Creating empty /run/firejail/mnt/dns-etc/services file
Creating empty /run/firejail/mnt/dns-etc/cron.daily directory
Creating empty /run/firejail/mnt/dns-etc/iproute2 directory
Creating empty /run/firejail/mnt/dns-etc/rarfiles.lst file
Creating empty /run/firejail/mnt/dns-etc/java-11-openjdk directory
Creating empty /run/firejail/mnt/dns-etc/default directory
Creating empty /run/firejail/mnt/dns-etc/apt directory
Creating empty /run/firejail/mnt/dns-etc/rc4.d directory
Creating empty /run/firejail/mnt/dns-etc/perl directory
Creating empty /run/firejail/mnt/dns-etc/python3.9 directory
Creating empty /run/firejail/mnt/dns-etc/passwd- file
Creating empty /run/firejail/mnt/dns-etc/apache2 directory
Creating empty /run/firejail/mnt/dns-etc/firebird directory
Creating empty /run/firejail/mnt/dns-etc/menu-methods directory
Creating empty /run/firejail/mnt/dns-etc/vulkan directory
Creating empty /run/firejail/mnt/dns-etc/netconfig file
Creating empty /run/firejail/mnt/dns-etc/sensors.d directory
Creating empty /run/firejail/mnt/dns-etc/dillo directory
Creating empty /run/firejail/mnt/dns-etc/debian_version file
Creating empty /run/firejail/mnt/dns-etc/xdg directory
Creating empty /run/firejail/mnt/dns-etc/e2scrub.conf file
Creating empty /run/firejail/mnt/dns-etc/mysql directory
Creating empty /run/firejail/mnt/dns-etc/dbus-1 directory
Creating empty /run/firejail/mnt/dns-etc/dkms directory
Creating empty /run/firejail/mnt/dns-etc/syslog.d directory
Creating empty /run/firejail/mnt/dns-etc/selinux directory
Creating empty /run/firejail/mnt/dns-etc/reader.conf.d directory
Creating empty /run/firejail/mnt/dns-etc/.java directory
Creating empty /run/firejail/mnt/dns-etc/inputrc file
Creating empty /run/firejail/mnt/dns-etc/profile.d directory
Creating empty /run/firejail/mnt/dns-etc/cron.d directory
Creating empty /run/firejail/mnt/dns-etc/sudoers file
Creating empty /run/firejail/mnt/dns-etc/calendar directory
Creating empty /run/firejail/mnt/dns-etc/alsa directory
Creating empty /run/firejail/mnt/dns-etc/pm directory
Creating empty /run/firejail/mnt/dns-etc/resolv3.conf file
Creating empty /run/firejail/mnt/dns-etc/sane.d directory
Creating empty /run/firejail/mnt/dns-etc/modules file
Creating empty /run/firejail/mnt/dns-etc/rc3.d directory
Creating empty /run/firejail/mnt/dns-etc/sudoers.d directory
Creating empty /run/firejail/mnt/dns-etc/skel directory
Creating empty /run/firejail/mnt/dns-etc/GNUstep directory
Creating empty /run/firejail/mnt/dns-etc/alternatives directory
Creating empty /run/firejail/mnt/dns-etc/login.defs file
Creating empty /run/firejail/mnt/dns-etc/networks file
Creating empty /run/firejail/mnt/dns-etc/fuse.conf file
Creating empty /run/firejail/mnt/dns-etc/ld.so.cache file
Creating empty /run/firejail/mnt/dns-etc/udev directory
Creating empty /run/firejail/mnt/dns-etc/mke2fs.conf file
Creating empty /run/firejail/mnt/dns-etc/ucf.conf file
Creating empty /run/firejail/mnt/dns-etc/legal file
Creating empty /run/firejail/mnt/dns-etc/syslog.conf file
Creating empty /run/firejail/mnt/dns-etc/dhcp directory
Creating empty /run/firejail/mnt/dns-etc/thunderbird directory
Creating empty /run/firejail/mnt/dns-etc/gnome directory
Creating empty /run/firejail/mnt/dns-etc/subuid- file
Creating empty /run/firejail/mnt/dns-etc/sudo_logsrvd.conf file
Creating empty /run/firejail/mnt/dns-etc/xattr.conf file
Creating empty /run/firejail/mnt/dns-etc/hostname file
Creating empty /run/firejail/mnt/dns-etc/hosts.deny file
Creating empty /run/firejail/mnt/dns-etc/ca-certificates directory
Creating empty /run/firejail/mnt/dns-etc/modules-load.d directory
Creating empty /run/firejail/mnt/dns-etc/fstab file
Creating empty /run/firejail/mnt/dns-etc/network directory
Creating empty /run/firejail/mnt/dns-etc/smartd.conf file
Creating empty /run/firejail/mnt/dns-etc/libccid_Info.plist file
Creating empty /run/firejail/mnt/dns-etc/polkit-1 directory
Creating empty /run/firejail/mnt/dns-etc/ssh directory
Creating empty /run/firejail/mnt/dns-etc/pulse directory
Creating empty /run/firejail/mnt/dns-etc/ca-certificates.conf file
Creating empty /run/firejail/mnt/dns-etc/terminfo directory
Creating empty /run/firejail/mnt/dns-etc/ldap directory
Creating empty /run/firejail/mnt/dns-etc/firefox directory
Creating empty /run/firejail/mnt/dns-etc/firejail directory
Creating empty /run/firejail/mnt/dns-etc/shadow file
Creating empty /run/firejail/mnt/dns-etc/kernel directory
Creating empty /run/firejail/mnt/dns-etc/libblockdev directory
Creating empty /run/firejail/mnt/dns-etc/vdpau_wrapper.cfg file
Creating empty /run/firejail/mnt/dns-etc/java-8-openjdk directory
Creating empty /run/firejail/mnt/dns-etc/bash_completion file
Creating empty /run/firejail/mnt/dns-etc/tlp.conf file
Creating empty /run/firejail/mnt/dns-etc/modprobe.d directory
Creating empty /run/firejail/mnt/dns-etc/issue.net file
Creating empty /run/firejail/mnt/dns-etc/magic file
Creating empty /run/firejail/mnt/dns-etc/update-motd.d directory
Creating empty /run/firejail/mnt/dns-etc/timidity directory
Creating empty /run/firejail/mnt/dns-etc/shadow- file
Creating empty /run/firejail/mnt/dns-etc/depmod.d directory
Creating empty /run/firejail/mnt/dns-etc/snmp directory
Creating empty /run/firejail/mnt/dns-etc/timezone file
Creating empty /run/firejail/mnt/dns-etc/mime.types file
Creating empty /run/firejail/mnt/dns-etc/lsb-release file
Creating empty /run/firejail/mnt/dns-etc/java-16-openjdk directory
Creating empty /run/firejail/mnt/dns-etc/ld.so.conf.d directory
Creating empty /run/firejail/mnt/dns-etc/ImageMagick-6 directory
Creating empty /run/firejail/mnt/dns-etc/libreoffice directory
Creating empty /run/firejail/mnt/dns-etc/libnl-3 directory
Creating empty /run/firejail/mnt/dns-etc/ltrace.conf file
Creating empty /run/firejail/mnt/dns-etc/bash_completion.d directory
Creating empty /run/firejail/mnt/dns-etc/subuid file
Creating empty /run/firejail/mnt/dns-etc/manpath.config file
Creating empty /run/firejail/mnt/dns-etc/gshadow- file
Creating empty /run/firejail/mnt/dns-etc/X11 directory
Creating empty /run/firejail/mnt/dns-etc/samba directory
Creating empty /run/firejail/mnt/dns-etc/papersize file
Creating empty /run/firejail/mnt/dns-etc/group file
Creating empty /run/firejail/mnt/dns-etc/mc directory
Creating empty /run/firejail/mnt/dns-etc/webfsd.conf file
Creating empty /run/firejail/mnt/dns-etc/acpi directory
Creating empty /run/firejail/mnt/dns-etc/host.conf file
Creating empty /run/firejail/mnt/dns-etc/python2.7 directory
Creating empty /run/firejail/mnt/dns-etc/tlp.d directory
Creating empty /run/firejail/mnt/dns-etc/groff directory
Creating empty /run/firejail/mnt/dns-etc/hostapd directory
Creating empty /run/firejail/mnt/dns-etc/mpv directory
Creating empty /run/firejail/mnt/dns-etc/ld.so.conf file
Creating empty /run/firejail/mnt/dns-etc/udisks2 directory
Creating empty /run/firejail/mnt/dns-etc/debconf.conf file
Creating empty /run/firejail/mnt/dns-etc/hdparm.conf file
Creating empty /run/firejail/mnt/dns-etc/dictionaries-common directory
Creating empty /run/firejail/mnt/dns-etc/binfmt.d directory
Creating empty /run/firejail/mnt/dns-etc/ufw directory
Creating empty /run/firejail/mnt/dns-etc/smi.conf file
Creating empty /run/firejail/mnt/dns-etc/subgid- file
Creating empty /run/firejail/mnt/dns-etc/shells file
Creating empty /run/firejail/mnt/dns-etc/locale.gen file
Creating empty /run/firejail/mnt/dns-etc/security directory
Creating empty /run/firejail/mnt/dns-etc/mbuffer.rc file
Creating empty /run/firejail/mnt/dns-etc/gtk-3.0 directory
Creating empty /run/firejail/mnt/dns-etc/avahi directory
Creating empty /run/firejail/mnt/dns-etc/group- file
Creating empty /run/firejail/mnt/dns-etc/cups directory
Creating empty /run/firejail/mnt/dns-etc/mailcap.order file
Creating empty /run/firejail/mnt/dns-etc/rc6.d directory
Creating empty /run/firejail/mnt/dns-etc/ghostscript directory
Creating empty /run/firejail/mnt/dns-etc/sudo.conf file
Creating empty /run/firejail/mnt/dns-etc/init.d directory
Creating empty /run/firejail/mnt/dns-etc/ca-certificates.conf.dpkg-old file
Creating empty /run/firejail/mnt/dns-etc/grub.d directory
Creating empty /run/firejail/mnt/dns-etc/rpc file
Creating empty /run/firejail/mnt/dns-etc/bash.bashrc file
Creating empty /run/firejail/mnt/dns-etc/minidlna.conf file
Creating empty /run/firejail/mnt/dns-etc/fonts directory
Creating empty /run/firejail/mnt/dns-etc/pam.conf file
Creating empty /run/firejail/mnt/dns-etc/magic.mime file
Creating empty /run/firejail/mnt/dns-etc/nsswitch.conf file
Creating empty /run/firejail/mnt/dns-etc/hp directory
Creating empty /run/firejail/mnt/dns-etc/rcS.d directory
Creating empty /run/firejail/mnt/dns-etc/protocols file
Creating empty /run/firejail/mnt/dns-etc/update-manager directory
Creating empty /run/firejail/mnt/dns-etc/console-setup directory
Creating empty /run/firejail/mnt/dns-etc/gai.conf file
Creating empty /run/firejail/mnt/dns-etc/initramfs-tools directory
Creating empty /run/firejail/mnt/dns-etc/schroot directory
Creating empty /run/firejail/mnt/dns-etc/deluser.conf file
Creating empty /run/firejail/mnt/dns-etc/logrotate.d directory
Creating empty /run/firejail/mnt/dns-etc/apport directory
Creating empty /run/firejail/mnt/dns-etc/matplotlibrc file
Creating empty /run/firejail/mnt/dns-etc/rc2.d directory
Creating empty /run/firejail/mnt/dns-etc/machine-id file
Creating empty /run/firejail/mnt/dns-etc/ethertypes file
Creating empty /run/firejail/mnt/dns-etc/glvnd directory
Creating empty /run/firejail/mnt/dns-etc/rearj.cfg file
Creating empty /run/firejail/mnt/dns-etc/subgid file
Creating empty /run/firejail/mnt/dns-etc/apparmor directory
Creating empty /run/firejail/mnt/dns-etc/pam.d directory
Creating empty /run/firejail/mnt/dns-etc/.pwd.lock file
Creating empty /run/firejail/mnt/dns-etc/wgetrc file
Creating empty /run/firejail/mnt/dns-etc/smartmontools directory
Creating empty /run/firejail/mnt/dns-etc/profile file
Creating empty /run/firejail/mnt/dns-etc/libpaper.d directory
Creating empty /run/firejail/mnt/dns-etc/passwd file
Creating empty /run/firejail/mnt/dns-etc/gtk-2.0 directory
Creating empty /run/firejail/mnt/dns-etc/python3 directory
Creating empty /run/firejail/mnt/dns-etc/rc0.d directory
Creating empty /run/firejail/mnt/dns-etc/dpkg directory
Creating empty /run/firejail/mnt/dns-etc/mailcap file
Creating empty /run/firejail/mnt/dns-etc/wireshark directory
Creating empty /run/firejail/mnt/dns-etc/cron.weekly directory
Creating empty /run/firejail/mnt/dns-etc/apparmor.d directory
Creating empty /run/firejail/mnt/dns-etc/tmpfiles.d directory
Creating empty /run/firejail/mnt/dns-etc/sysctl.conf file
Creating empty /run/firejail/mnt/dns-etc/gshadow file
Creating empty /run/firejail/mnt/dns-etc/environment file
Creating empty /run/firejail/mnt/dns-etc/bindresvport.blacklist file
Creating empty /run/firejail/mnt/dns-etc/openal directory
Creating empty /run/firejail/mnt/dns-etc/locale.alias file
Creating empty /run/firejail/mnt/dns-etc/nanorc file
Creating empty /run/firejail/mnt/dns-etc/gss directory
Creating empty /run/firejail/mnt/dns-etc/hosts file
Creating empty /run/firejail/mnt/dns-etc/libibverbs.d directory
Creating empty /run/firejail/mnt/dns-etc/dconf directory
Creating empty /run/firejail/mnt/dns-etc/icedtea-web directory
Creating empty /run/firejail/mnt/dns-etc/lighttpd directory
Creating empty /run/firejail/mnt/dns-etc/rc5.d directory
Creating empty /run/firejail/mnt/dns-etc/libaudit.conf file
Creating empty /run/firejail/mnt/dns-etc/adduser.conf file
Creating empty /run/firejail/mnt/dns-etc/iwd directory
Creating empty /run/firejail/mnt/dns-etc/rc1.d directory
Creating empty /run/firejail/mnt/dns-etc/PackageKit directory
Creating empty /run/firejail/mnt/dns-etc/gdb directory
Creating empty /run/firejail/mnt/dns-etc/resolv.conf file
Creating empty /run/firejail/mnt/dns-etc/inetd.d directory
Creating empty /run/firejail/mnt/dns-etc/systemd directory
Creating empty /run/firejail/mnt/dns-etc/hosts.allow file
Creating empty /run/firejail/mnt/dns-etc/inetd.conf file
Creating empty /run/firejail/mnt/dns-etc/ssl directory
Mount-bind /run/firejail/mnt/dns-etc on top of /etc
Current directory: /home/luky/temp/youtube
DISPLAY=:1 parsed as 1
Masking all X11 sockets except /tmp/.X11-unix/X1
Mounting read-only /run/firejail/mnt/seccomp
2419 1744 0:78 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755,inode64
mountid=2419 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs
Seccomp directory:
ls /run/firejail/mnt/seccomp
drwxr-xr-x root     root             120 .
drwxr-xr-x root     root             180 ..
-rw-r--r-- luky     luky             568 seccomp
-rw-r--r-- luky     luky             432 seccomp.32
-rw-r--r-- luky     luky               0 seccomp.postexec
-rw-r--r-- luky     luky               0 seccomp.postexec32
No active seccomp files
Drop privileges: pid 1, uid 1000, gid 1000, force_nogroups 0
Closing non-standard file descriptors
Starting application
LD_PRELOAD=(null)
Running '/usr/bin/google-chrome-stable'  command through /bin/bash
execvp argument 0: /bin/bash
execvp argument 1: -c
execvp argument 2: '/usr/bin/google-chrome-stable' 
Child process initialized in 77.05 ms
monitoring pid 4

[4:118:0712/115244.283472:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.DBus.Properties.Get: object_path= /org/freedesktop/UPower: org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.UPower was not provided by any .service files
[4:118:0712/115244.283812:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.UPower.GetDisplayDevice: object_path= /org/freedesktop/UPower: org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.UPower was not provided by any .service files
[4:118:0712/115244.284377:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.UPower.EnumerateDevices: object_path= /org/freedesktop/UPower: org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.UPower was not provided by any .service files
Fontconfig error: Cannot load default config file: No such file: (null)

@rusty-snake rusty-snake added the invalid This doesn't seem right label Jul 12, 2022
@rusty-snake
Copy link
Collaborator

chromium* uses portals for it's file dialog.

Related/Duplicate of: #5032.

@rusty-snake rusty-snake closed this as not planned Won't fix, can't repro, duplicate, stale Jul 12, 2022
@rusty-snake
Copy link
Collaborator

firefox: Set widget.use-xdg-desktop-portal.file-picker=1 on about:config and you get the same.

@lukypko
Copy link
Author

lukypko commented Jul 12, 2022

OK, I can confirm that when I set widget.use-xdg-desktop-portal.file-picker=1 in firefox, then firefox (immediately without a restart) is showing a content of $HOME folder, so behave exactly the same as in google-chrome.

It works without a package use-xdg-desktop-portalinstalled.

So I guess, it is not a plan to support that in a firejail, actually "the application" cannot access file content, just the "file picker".

Some other links:
Support portals
https://forum.manjaro.org/t/browsers-like-firefox-require-xdg-desktop-portal-package-to-use-os-default-file-manager/106933
https://bugzilla.mozilla.org/show_bug.cgi?id=1285711#c31
https://forum.manjaro.org/t/set-nemo-as-default-filemanager/83387/8

@rusty-snake
Copy link
Collaborator

rusty-snake commented Jul 12, 2022
edited
Loading

it is not a plan to support that in a firejail

  1. It would be more work than we have development power at firejail side at the moment.
  2. It needs to be supported by x-d-p.

see also #4716

@kmk3 kmk3 added notabug The behavior is as intended or the issue was caused by user error or by an old version and removed invalid This doesn't seem right labels Jul 12, 2022
@rusty-snake rusty-snake mentioned this issue Aug 9, 2022
Closed
@marcalia
Copy link

I have the same problem with google-chrome running in firejail on debian 11 (xfce4) using the option --private=folder.
Trying to upload a file via the dialogue results in an error complaining about a 0 byte file.
Workaround:
Opening a file via file://... in the address bar, this shows the intended folder structure, and copying the address into the upload dialogue by opening the input filed via ctrl+l leads to a successful upload.

@wonbug
Copy link

wonbug commented Feb 24, 2023
edited
Loading

To pile on, I'm having a similar issue with google-chrome on Ubuntu 22.04.2 LTS. I confirmed it's running firejailed, yet the application is able to see the entirety of my disk, including the root directory. On a previous installation, it can only access the Downloads directory as one would expect. Do I need to take additional steps to limit what files Chrome can access?

@kmk3 kmk3 changed the title google-chrome is able to access file list when using --private=FOLDER option google-chrome: original paths are accessible with --private= (dbus) Sep 4, 2024
@kmk3 kmk3 changed the title google-chrome: original paths are accessible with --private= (dbus) google-chrome: real home is accessible with --private= (dbus) Sep 4, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
notabug The behavior is as intended or the issue was caused by user error or by an old version
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@kmk3 @rusty-snake @marcalia @lukypko @wonbug