disable-shell.inc breaks AppImages #3530

Closed
svc88 opened this issue Jul 20, 2020 · 27 comments
@svc88

svc88 commented Jul 20, 2020

Bug and expected behavior
When I upgraded to 0.9.63 from 0.9.62, I started having issues with the KeePassXC AppImage.
The AppImage didn't open KeePassXC; instead I saw an error in the log saying:

Reading profile /usr/local/etc/firejail/keepassxc.profile
Reading profile /usr/local/etc/firejail/disable-common.inc
Reading profile /usr/local/etc/firejail/disable-devel.inc
Reading profile /usr/local/etc/firejail/disable-exec.inc
Reading profile /usr/local/etc/firejail/disable-interpreters.inc
Reading profile /usr/local/etc/firejail/disable-passwdmgr.inc
Reading profile /usr/local/etc/firejail/disable-programs.inc
Reading profile /usr/local/etc/firejail/disable-shell.inc
Reading profile /usr/local/etc/firejail/disable-xdg.inc
Reading profile /usr/local/etc/firejail/whitelist-usr-share-common.inc
Reading profile /usr/local/etc/firejail/whitelist-var-common.inc
Mounting appimage type 2
Warning: /usr/bin/xdg-dbus-proxy was not found, downgrading dbus-user policy to allow.
To enable DBus filtering, install the xdg-dbus-proxy program.
Ignoring "dbus-user.talk com.canonical.Unity.Session" and 6 other dbus-user filter rules.
Parent pid 6966, child pid 6969

**     Warning: dropping all Linux capabilities     **

Private /etc installed in 8.27 ms
Warning: not remounting /home/user/.gvfs
Warning: not remounting /run/user/1000/gvfs
Blacklist violations are logged to syslog
Child process initialized in 173.00 ms
execvp: Permission denied

Parent is shutting down, bye...

No profile or disabling firejail

  • What changed calling firejail --noprofile PROGRAM in a shell?
    It runs

Environment

  • Xubuntu 18.04
  • Firejail version a9aabad

Additional context
This didn't happen with 0.9.62

@svc88
Author

svc88 commented Jul 20, 2020

If I run the AppImage like so:
firejail ./KeePassXC-2.5.4-x86_64.AppImage
I get this error (if it helps); not sure what execv is?
execv error: No such file or directory

Possibly related to #2690 ?

@rusty-snake
Collaborator

Where is the AI stored?

To sum-up:

$ firejail --noprofile --appimage KeePassXC-2.5.4-x86_64.AppImage
Works
$ firejail --noprofile ./KeePassXC-2.5.4-x86_64.AppImage
Works
$ firejail --profile=keepassxc --appimage KeePassXC-2.5.4-x86_64.AppImage
Fails with execvp: Permission denied
$ firejail --profile=keepassxc ./KeePassXC-2.5.4-x86_64.AppImage
Fails with execv error: No such file or directory

@svc88
Author

svc88 commented Jul 20, 2020

Where is the AI stored?

Do you mean where do I run it from? Just from $HOME

To sum-up:

$ firejail --noprofile --appimage KeePassXC-2.5.4-x86_64.AppImage
Works
$ firejail --noprofile ./KeePassXC-2.5.4-x86_64.AppImage
Works
$ firejail --profile=keepassxc --appimage KeePassXC-2.5.4-x86_64.AppImage
Fails with execvp: Permission denied
$ firejail --profile=keepassxc ./KeePassXC-2.5.4-x86_64.AppImage
Fails with execv error: No such file or directory

Yes exactly. Not sure if this is related to the issue I mentioned.

@rusty-snake
Collaborator

The last may work with firejail '--ignore=noexec ${HOME}' --profile=keepassxc ./KeePassXC-2.5.4-x86_64.AppImage.

@svc88
Author

svc88 commented Jul 20, 2020

firejail '--ignore=noexec ${HOME}' --profile=keepassxc ./KeePassXC-2.5.4-x86_64.AppImage

Reading profile /usr/local/etc/firejail/keepassxc.profile
Reading profile /usr/local/etc/firejail/disable-common.inc
Reading profile /usr/local/etc/firejail/disable-devel.inc
Reading profile /usr/local/etc/firejail/disable-exec.inc
Reading profile /usr/local/etc/firejail/disable-interpreters.inc
Reading profile /usr/local/etc/firejail/disable-passwdmgr.inc
Reading profile /usr/local/etc/firejail/disable-programs.inc
Reading profile /usr/local/etc/firejail/disable-shell.inc
Reading profile /usr/local/etc/firejail/disable-xdg.inc
Reading profile /usr/local/etc/firejail/whitelist-usr-share-common.inc
Reading profile /usr/local/etc/firejail/whitelist-var-common.inc
Warning: /usr/bin/xdg-dbus-proxy was not found, downgrading dbus-user policy to allow.
To enable DBus filtering, install the xdg-dbus-proxy program.
Ignoring "dbus-user.talk com.canonical.Unity.Session" and 6 other dbus-user filter rules.
Parent pid 1027, child pid 1028
3 programs installed in 6.86 ms
Warning fcopy: skipping /etc/alternatives/lzdiff, cannot find inode
Warning fcopy: skipping /etc/alternatives/updatedb, cannot find inode
Warning fcopy: skipping /etc/alternatives/nc, cannot find inode
Warning fcopy: skipping /etc/alternatives/lzmore, cannot find inode
Warning fcopy: skipping /etc/alternatives/phar, cannot find inode
Warning fcopy: skipping /etc/alternatives/vim, cannot find inode
Warning fcopy: skipping /etc/alternatives/gnome-www-browser, cannot find inode
Warning fcopy: skipping /etc/alternatives/lzcat, cannot find inode
Warning fcopy: skipping /etc/alternatives/lzegrep, cannot find inode
Warning fcopy: skipping /etc/alternatives/php-cgi, cannot find inode
Warning fcopy: skipping /etc/alternatives/mt, cannot find inode
Warning fcopy: skipping /etc/alternatives/editor, cannot find inode
Warning fcopy: skipping /etc/alternatives/view, cannot find inode
Warning fcopy: skipping /etc/alternatives/ftp, cannot find inode
Warning fcopy: skipping /etc/alternatives/telnet, cannot find inode
Warning fcopy: skipping /etc/alternatives/c89, cannot find inode
Warning fcopy: skipping /etc/alternatives/php, cannot find inode
Warning fcopy: skipping /etc/alternatives/x-session-manager, cannot find inode
Warning fcopy: skipping /etc/alternatives/orbd, cannot find inode
Warning fcopy: skipping /etc/alternatives/x-window-manager, cannot find inode
Warning fcopy: skipping /etc/alternatives/aclocal, cannot find inode
Warning fcopy: skipping /etc/alternatives/rlogin, cannot find inode
Warning fcopy: skipping /etc/alternatives/phar.phar, cannot find inode
Warning fcopy: skipping /etc/alternatives/www-browser, cannot find inode
Warning fcopy: skipping /etc/alternatives/cpp, cannot find inode
Warning fcopy: skipping /etc/alternatives/c++, cannot find inode
Warning fcopy: skipping /etc/alternatives/pico, cannot find inode
Warning fcopy: skipping /etc/alternatives/rmt, cannot find inode
Warning fcopy: skipping /etc/alternatives/traceroute6, cannot find inode
Warning fcopy: skipping /etc/alternatives/w, cannot find inode
Warning fcopy: skipping /etc/alternatives/fakeroot, cannot find inode
Warning fcopy: skipping /etc/alternatives/nodejs, cannot find inode
Warning fcopy: skipping /etc/alternatives/vi, cannot find inode
Warning fcopy: skipping /etc/alternatives/jsonpointer, cannot find inode
Warning fcopy: skipping /etc/alternatives/lzgrep, cannot find inode
Warning fcopy: skipping /etc/alternatives/pinentry, cannot find inode
Warning fcopy: skipping /etc/alternatives/locate, cannot find inode
Warning fcopy: skipping /etc/alternatives/jsonschema, cannot find inode
Warning fcopy: skipping /etc/alternatives/automake, cannot find inode
Warning fcopy: skipping /etc/alternatives/infobrowser, cannot find inode
Warning fcopy: skipping /etc/alternatives/servertool.1.gz, cannot find inode
Warning fcopy: skipping /etc/alternatives/x-www-browser, cannot find inode
Warning fcopy: skipping /etc/alternatives/unlzma, cannot find inode
Warning fcopy: skipping /etc/alternatives/jsonpatch, cannot find inode
Warning fcopy: skipping /etc/alternatives/lzcmp, cannot find inode
Warning fcopy: skipping /etc/alternatives/servertool, cannot find inode
Warning fcopy: skipping /etc/alternatives/pftp, cannot find inode
Warning fcopy: skipping /etc/alternatives/cc, cannot find inode
Warning fcopy: skipping /etc/alternatives/google-chrome, cannot find inode
Warning fcopy: skipping /etc/alternatives/vimdiff, cannot find inode
Warning fcopy: skipping /etc/alternatives/unrar, cannot find inode
Warning fcopy: skipping /etc/alternatives/jsondiff, cannot find inode
Warning fcopy: skipping /etc/alternatives/awk, cannot find inode
Warning fcopy: skipping /etc/alternatives/rsh, cannot find inode
Warning fcopy: skipping /etc/alternatives/rvim, cannot find inode
Warning fcopy: skipping /etc/alternatives/tnameserv.1.gz, cannot find inode
Warning fcopy: skipping /etc/alternatives/rcp, cannot find inode
Warning fcopy: skipping /etc/alternatives/pager, cannot find inode
Warning fcopy: skipping /etc/alternatives/lzless, cannot find inode
Warning fcopy: skipping /etc/alternatives/rview, cannot find inode
Warning fcopy: skipping /etc/alternatives/x-terminal-emulator, cannot find inode
Warning fcopy: skipping /etc/alternatives/tnameserv, cannot find inode
Warning fcopy: skipping /etc/alternatives/pinentry-x11, cannot find inode
Warning fcopy: skipping /etc/alternatives/nawk, cannot find inode
Warning fcopy: skipping /etc/alternatives/netcat, cannot find inode
Warning fcopy: skipping /etc/alternatives/lzma, cannot find inode
Warning fcopy: skipping /etc/alternatives/from, cannot find inode
Warning fcopy: skipping /etc/alternatives/gnome-text-editor, cannot find inode
Warning fcopy: skipping /etc/alternatives/lzfgrep, cannot find inode
Warning fcopy: skipping /etc/alternatives/orbd.1.gz, cannot find inode
Warning fcopy: skipping /etc/alternatives/write, cannot find inode
Warning fcopy: skipping /etc/alternatives/ex, cannot find inode
Warning fcopy: skipping /etc/alternatives/c99, cannot find inode
Private /etc installed in 8.94 ms
Warning: skipping alternatives for private /usr/etc
Warning: skipping fonts for private /usr/etc
Warning: skipping ld.so.cache for private /usr/etc
Warning: skipping machine-id for private /usr/etc
Private /usr/etc installed in 0.19 ms
Warning: not remounting /run/user/1000/gvfs
Blacklist violations are logged to syslog
Child process initialized in 108.48 ms
fuse: device not found, try 'modprobe fuse' first

Cannot mount AppImage, please check your FUSE setup.
You might still be able to extract the contents of this AppImage 
if you run it with the --appimage-extract option. 
See https://github.com/AppImage/AppImageKit/wiki/FUSE 
for more information
open dir error: No such file or directory

Parent is shutting down, bye...

@bbhtt
Contributor

bbhtt commented Jul 20, 2020

Comment include disable-shell.inc and run firejail --profile=/home/korte/firejail/etc/profile-a-l/keepassxc.profile --appimage KeePassXC-2.6.0-x86_64.AppImage, works for me. AppImage is in /home/korte, firejail from git master.

@svc88
Author

svc88 commented Jul 20, 2020

@kortewegdevries thank you, it works. What is the significance of include disable-shell.inc? And why isn't it working with it enabled?

@svc88
Author

svc88 commented Jul 20, 2020

Also if we disable it, what are the security risks?

@rusty-snake
Collaborator

My question: Why does it work?!! There is no shell in its private-bin!

@svc88
Author

svc88 commented Jul 20, 2020

@rusty-snake so is this a bug? If I keep it disabled, will that mean that the sandbox is less secure?

@smitsohu
Collaborator

The reason is that private-bin and private-lib are disabled when appimage is enabled. This doesn't seem to be documented in the man pages, which is a bug in my opinion.

// private-bin is disabled for appimages
if (arg_private_bin && !arg_appimage) {

// private-lib is disabled for appimages
if (arg_private_lib && !arg_appimage) {

That's probably because, the way it works right now, a shell is needed to run the AppImage.

@smitsohu
Collaborator

This doesn't seem to be documented in the man pages, which is a bug in my opinion.

Maybe it would be good if Firejail could also print a warning.

@rusty-snake
Collaborator

Can we do something like this?
https://github.com/netblue30/firejail/blob/master/src/firejail/profile.c#L1615

// strcmp() returns 0 on a match, so compare against 0 to skip only this file
if (arg_appimage && strcmp(fname, "disable-shell.inc") == 0)
    return;

@bbhtt
Contributor

bbhtt commented Jul 21, 2020

The reason is that private-bin and private-lib are disabled when appimage is enabled.

Then is there a point in adding ?HAS_APPIMAGE: ignore private-bin to a profile?

@rusty-snake
Collaborator

Then is there a point in adding ?HAS_APPIMAGE: ignore private-bin to all profiles?

@smitsohu
Collaborator

If I keep it disabled, will that mean that the sandbox is less secure?

@svc88 Security does not degrade with regards to 0.9.62. As a matter of fact a shell is needed currently, so there is no degree of freedom anyway.

@rusty-snake
Collaborator

I tried my idea and it is not working (as I expected). firejail --profile=keepassxc --appimage KeePassXC-2.6.0-x86_64.AppImage will first read keepassxc.profile and then set arg_appimage = 1.

skip-disable-shell-if-appimage.patch
iff --git a/src/firejail/profile.c b/src/firejail/profile.c
index a8722282..8d9a8d5d 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1607,6 +1607,11 @@ static int include_level = 0;
 void profile_read(const char *fname) {
        EUID_ASSERT();
 
+       if (arg_appimage && strcmp(fname, "disable-shell.inc") == 0) {
+               fprintf(stderr, "Skipping disable-shell because of --appimage\n");
+               return;
+       }
+
        // exit program if maximum include level was reached
        if (include_level > MAX_INCLUDE_LEVEL) {
                fprintf(stderr, "Error: maximum profile include level was reached\n");
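
Review bot: the added `strcmp(fname, "disable-shell.inc") == 0` test at the top of profile_read() matches only when fname is exactly that bare name. The "Reading profile /usr/local/etc/firejail/disable-shell.inc" lines in the logs above suggest fname may carry a directory prefix by the time it is read, so compare the last path component instead. The test also reads arg_appimage at include time, so it has no effect when the profile is read before --appimage is parsed, which is the ordering reported for `--profile=keepassxc --appimage`; the skip has to run after option parsing, or the option order has to be enforced. Consider prefixing the message with "Warning:" so it matches the other diagnostics.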

@netblue30 @smitsohu This fact makes me think about ?HAS_APPIMAGE:. firejail -profile=kpxc.profile --appimage KeePassXC-2.6.0-x86_64.AppImage is broken! This means ?HAS_APPIMAGE: is broken with firejail [OPTIONS] --appimage [appimage-file and arguments].

kpxc.profile:

?HAS_APPIMAGE: noblacklist /bin/bash
blacklist /bin/bash
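
A simplified model of the ordering problem described in the comment above, as an added example that is not Firejail's code: options are handled left to right, so a `?HAS_APPIMAGE:` line is dropped when the profile is read before `--appimage` is seen. The struct, the function names and the `prescan` variant are assumptions made for illustration; the profile lines are the kpxc.profile from the comment.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* kpxc.profile from the comment above, embedded as constructed input. */
static const char *PROFILE[] = { "?HAS_APPIMAGE: noblacklist /bin/bash",
                                 "blacklist /bin/bash", NULL };

/* Hypothetical sandbox state; not Firejail's data structures. */
struct sandbox { bool appimage, noblacklist_bash, bash_blacklisted; };

/* A conditional is tested against the state at the moment its profile
 * is read; flags parsed later cannot revive a dropped line. */
static void read_profile(struct sandbox *sb) {
    static const char cond[] = "?HAS_APPIMAGE: ";
    for (int i = 0; PROFILE[i]; i++) {
        const char *line = PROFILE[i];
        if (strncmp(line, cond, sizeof cond - 1) == 0) {
            if (!sb->appimage)
                continue;           /* condition false right now: dropped */
            line += sizeof cond - 1;
        }
        if (strcmp(line, "noblacklist /bin/bash") == 0)
            sb->noblacklist_bash = true;
        else if (strcmp(line, "blacklist /bin/bash") == 0 && !sb->noblacklist_bash)
            sb->bash_blacklisted = true;
    }
}

/* Process argv left to right; with prescan, collect --appimage first
 * (an assumed order-independent variant, not taken from the thread). */
bool bash_blocked(int argc, const char **argv, bool prescan) {
    struct sandbox sb = {0};
    for (int i = 0; prescan && i < argc; i++)
        if (strcmp(argv[i], "--appimage") == 0)
            sb.appimage = true;
    for (int i = 0; i < argc; i++) {
        if (strcmp(argv[i], "--appimage") == 0)
            sb.appimage = true;
        else if (strncmp(argv[i], "--profile=", 10) == 0)
            read_profile(&sb);
    }
    return sb.bash_blacklisted;
}

int main(void) {
    const char *profile_first[] = { "--profile=kpxc.profile", "--appimage" };
    const char *appimage_first[] = { "--appimage", "--profile=kpxc.profile" };
    printf("profile first:  bash blocked=%d\n", bash_blocked(2, profile_first, false));
    printf("appimage first: bash blocked=%d\n", bash_blocked(2, appimage_first, false));
    printf("prescan:        bash blocked=%d\n", bash_blocked(2, profile_first, true));
    return 0;
}
```
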

@bbhtt
Contributor

bbhtt commented Aug 1, 2020

if (arg_appimage && strcmp(fname, "disable-shell.inc") == 0)

Add an option --allow-shell (arg_allow_shell) and force it whenever arg_appimage is set and skip like 1633-1641?

@rusty-snake
Collaborator

--allow-shell could be confusing (compared to shell none, does it support private-bin, ...). What is it good for?

@bbhtt
Contributor

bbhtt commented Aug 2, 2020

arg_shell_none = 0 is already set when --appimage is specified? And shell none executes by path, different from allow shell which would allow shell inside a sandbox? What other way to ignore a line "include" from profile? Print a warning and exit like smitsohu said I guess.

@rusty-snake
Collaborator

What other way to ignore a line "include" from profile?

patch and ignore 🙄 🤣
#2153 (comment)

Obviously, patching is no solution for the majority, but it would be nice to have this patch in (after someone provided feedback).

rusty-snake added the bug label Sep 1, 2020
rusty-snake changed the title from "execvp: Permission denied with appimage KeepassXC on 0.9.63" to "disable-shell.inc breaks AppImages" Sep 1, 2020
reinerh added this to the 0.9.64 milestone Sep 1, 2020
@smitsohu
Collaborator

smitsohu commented Sep 2, 2020

Should we go through the conditionals after all command line and profile processing? Then, with 102f8d1 in, this bug could be solved just by updating the profiles. It also would avoid #3358 and similar problems.

@rusty-snake
Collaborator

Should we go through the conditionals after all command line and profile processing?

👍

Then, with 102f8d1 in, this bug could be solved just by updating the profiles.

Where do you want to add ?HAS_APPIMAGE: ignore …? In globals.local?

@smitsohu
Collaborator

smitsohu commented Sep 2, 2020

Turns out it's not so straightforward with noblacklist and ignore and so on, obviously applying them at the very end doesn't make much sense. So one would need to parse them late, but push the commands in front. Then it also wouldn't matter where ?HAS_APPIMAGE: ignore include disable-shell.inc goes. Crazy or reasonable? I'm not sure anymore.

@smitsohu
Collaborator

smitsohu commented Sep 2, 2020

Or we do go through the conditionals at the end, after all other command line and profile options, and offer negated conditionals in addition to what we have now, something like ?HAS_NO_APPIMAGE:

This would sacrifice some flexibility, but make a cleaner interface. There could be a ?HAS_NO_APPIMAGE: include disable-shell.inc or similar line in the profiles.

Honestly I'm somewhat at a loss what to do here.

@rusty-snake
Collaborator

For now we could enforce that --profile is used after --appimage. The general issue with conditions can be then solved later.

@netblue30
Owner

Fixed! We were doing something similar for --allow-debuggers and disable-devel.inc. Give it a try, thanks.
