Firejail and Java

[djaniel]

Hi,
I want to run a java application contained in Firejail. I didn't write the java application and I want to make sure the application only has access to the directory from which it is launched. What I did is:

Myapp is installed in ~/myapp_project/bin/myapp
The directory is on the path env variable, so I can call myapp easily.

I created the firejail profile file by doing

firejail --build=myapp.profile myapp --nogui --nosplash

Then I try to use the profile file when calling myapp and use the private argument to define the current directory as the home of the sand box.

firejail --deterministic-exit-code --private=. --profile=~/path/to/myapp.profile --output-stderr=logfile myapp --nogui --nosplash

Unfortunately I get Error: no suitable myapp executable found

If I remove the private argument everything works fine. I opened myapp.profile and I checked for the whitelists folders which I believe are the necessary folders to find and execute myapp inside the sand box.

I also tried adding the following lines in the profile file.
ignore apparmor
ignore noexec ${HOME}
Being a little frustrated I didn't check in depth how this parameters change the sandbox environment.

Can you please help me with this issue? I a nutshell, I want to execute myapp and allow write access only to the current directory.

[glitsj16]

Have you tried using full path unstead of . with private=foo yet? There's also a private-cwd=foo option. The latter requires full directory path too AFAICT.

[rusty-snake]

@glitsj16 it has nothing to do with relative/fullpath.

[glitsj16]

Without knowing how your myapp.profile looks like, here's an example based on profile.template:

$ cat ~/.config/firejail/myapp.profile

# Firejail profile for https://github.com/netblue30/firejail/discussions/6005
# This file is overwritten after every install/update
quiet
# Persistent local customizations
include myapp.local
# Persistent global definitions
include globals.local

blacklist ${RUNUSER}
blacklist /usr/libexec

# blacklisting example
blacklist ${HOME}/this.is.blacklisted

ignore noexec ${HOME}

# Allow java (blacklisted by disable-devel.inc)
include allow-java.inc

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-proc.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc

# whitelisting <cwd> via (scripted) CLI flag
#include whitelist-common.inc
#include whitelist-run-common.inc
#include whitelist-runuser-common.inc
#include whitelist-usr-share-common.inc
#include whitelist-var-common.inc

apparmor
caps.drop all
hostname myapp
ipc-namespace
machine-id
net none
no3d
nodvd
nogroups
noinput
nonewprivs
noroot
noprinters
nosound
notv
nou2f
novideo
protocol unix
seccomp
seccomp.block-secondary
tracelog
x11 none

disable-mnt
# private <cwd> via (scripted) CLI flag
private-bin java,myapp
private-cache
private-dev
private-etc
private-opt none
private-tmp

dbus-user none
dbus-system none

deterministic-exit-code
memory-deny-write-execute
#read-only ${HOME}
#read-write ${HOME}
restrict-namespaces

# sandbox name (for easy file transfer, shutting down the sandbox,...)
myapp

With that in place you can try the below from CLI

$ firejail --output-stderr=logfile --private=. --whitelist=${PWD} -- myapp --nogui --nosplash

[djaniel]

Hello, I gave it another try today. I kept having the same results.
Whenever I launch firejail with the --private flag, my app is not found.

$ firejail --output-stderr=logfile --private --whitelist=${PWD} myapp --nogui --nosplash
Reading profile /home/$USER/.config/firejail/myapp.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: "shell none" command in the profile file is done by default; the command will be deprecated
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 289409, child pid 289411
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
11 programs installed in 72.90 ms
Warning: skipping lsb-release for private /etc
Warning: skipping fedora-release for private /etc
Warning: skipping timezone for private /etc
Private /etc installed in 39.36 ms
Private /usr/etc installed in 0.00 ms
Warning: cleaning all supplementary groups
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: cleaning all supplementary groups
Child process initialized in 206.61 ms
Error: no suitable myapp executable found

Parent is shutting down, bye...

I will keep trying and reading the manual, Any hints will be greatly appreciated.

[kmk3]

Firstly, what are the distribution version and firejail version?

$ firejail --deterministic-exit-code --private=. --profile=~/path/to/myapp.profile --output-stderr=logfile myapp --nogui --nosplash
[...]
Error: no suitable myapp executable found

$ firejail --output-stderr=logfile --private --whitelist=${PWD} myapp --nogui --nosplash
[...]
Error: no suitable myapp executable found

Note that:

• --private and --private= do different things and are intended for
  different use cases (save nothing vs save into a specific directory)
• whitelisting and some related commands are incompatible with --private=
  (see firejail(1) and mkdir in profile does not respect --private=<directory> #903)
• If "myapp" is somewhere in ${HOME} but is outside of the directory in
  --private=, it will likely not exist in the sandbox and so firejail will be
  unable to execute it

Is "myapp" in ${HOME}?

Does it work if you put it in $PWD?

Example:

firejail --private="$PWD" ./myapp --nogui --nosplash

Do the following commands output any errors?

firejail --noprofile --private="$PWD" which -a myapp
firejail --noprofile --private="$PWD" ls $(which -a myapp)

[djaniel]

Hi and thank you for your reply,

I am using firejail version 0.9.72 on Centos Stream 8.

Thank you for clarifying the use of --private. I use --private=. because I want myapp to create files and folders only on $PWD and keep them after the process ends. I tried --private in desperation.

Yes, myapp is located in ~/myapp_repo/bin/myapp. This path is included in the $PATH.

Here are the results of the commands you wrote:

$ firejail --noprofile which -a myapp
Parent pid 295175, child pid 295176
Child process initialized in 18.39 ms
/home/USER/myapp_repo/bin/myapp

Parent is shutting down, bye...

$ firejail --noprofile --private="$PWD" ls $(which -a myapp)
Parent pid 295795, child pid 295796
Child process initialized in 20.12 ms
ls: cannot access '/home/USER/myapp_repo/bin/myapp': No such file or directory

Parent is shutting down, bye...

We can conclude that, inside the sandbox, myapp does not exist.

I continued doing some testing. I did:

$ cd ~/myapp_repo/bin
$ firejail --private=. --output-stderr=logfile --noprofile ./myapp --nogui --nosplash
Child process initialized in 21.33 ms
cat: ./../etc/myapp.clusters: No such file or directory
/bin/bash: ./../platform*/lib/nbexec: No such file or directory

Parent is shutting down, bye...

So, inside the sandbox myapp exists but it starts looking for other configuration folders and files in ~/myapp_repo and it fails to start. Therefore I did:

$ cd ~/myapp_repo
$ firejail --private=${PWD} --output-stderr=logfile --noprofile  ./bin/myapp  --nogui --nosplash
Parent pid 298555, child pid 298557
Child process initialized in 23.35 ms
Error: no suitable ./bin/myapp executable found

Parent is shutting down, bye...

Wow, I am feeling lost. Probably I should try --private-bin?

[kmk3]

Hi and thank you for your reply,

No problem.

Yes, myapp is located in ~/myapp_repo/bin/myapp. This path is included in the
$PATH.

I continued doing some testing. I did:

$ cd ~/myapp_repo/bin
$ firejail --private=. --output-stderr=logfile --noprofile ./myapp --nogui --nosplash
Child process initialized in 21.33 ms
cat: ./../etc/myapp.clusters: No such file or directory
/bin/bash: ./../platform*/lib/nbexec: No such file or directory

Parent is shutting down, bye...

So, inside the sandbox myapp exists but it starts looking for other
configuration folders and files in ~/myapp_repo and it fails to start.
Therefore I did:

$ cd ~/myapp_repo
$ firejail --private=${PWD} --output-stderr=logfile --noprofile  ./bin/myapp  --nogui --nosplash
Parent pid 298555, child pid 298557
Child process initialized in 23.35 ms
Error: no suitable ./bin/myapp executable found

Parent is shutting down, bye...

So at least the executable is apparently found in the first case above.

From the error messages, it looks like the program tries to access files in
other directories in ~/myapp_repo, so restricting it to ~/myapp_repo/bin is
unlikely to work.

Also, it's strange that the executable is found with --private=. in
~/myapp_repo/bin but not --private=${PWD} in ~/myapp_repo.

Does it work with --private=. in ~/myapp_repo?

Are there any symlinks being used, especially ones that point to outside of
${HOME}?

What is the output of the following:

cd ~/myapp_repo
firejail --quiet --noprofile --private=. ls -l . bin bin/myapp

I'd suggest opening a shell and looking around in the sandbox, then trying to
execute "myapp" manually from the shell:

cd ~/myapp_repo
firejail --quiet --noprofile --private=. --tab /bin/bash
# example commands
ls -l . bin bin/myapp
./bin/myapp

Wow, I am feeling lost. Probably I should try --private-bin?

I think that private-bin would only result in less executables being
available in the sandbox.

Note: To make the sandbox even more permissive, it's possible to use
--profile=noprofile instead of --noprofile, though I don't think that it
would help in this specific case.

[djaniel]

Hi,
Thanks to your feedback, I found a solution. The problem was the location of my ~/myapp_repo. It was located at my home and --private made the repository 'disappear' from my home.

I thought that creating a firejail profile for myapp could solve the problem. It didn't work.

What I did:

1. More importantly I moved myapp_repo to /usr/local. As I mentioned myapp is written in java, so the myapp_repo has several folders and files, including the bin subdirectory.
2. Trying to keep things clean, I create a symbolic link to /usr/local/myapp_repo/bin/myapp in /usr/local/bin.
3. I removed ~/myapp_repo from $PATH.

That was it. Now I can run myapp in firejail issuing:

firejail --noprofile --private=.  myapp 

About the noprofile flag. I did try to create a profile using the --build flag, but it didn't work. Why? I don't know. I thought firejail was creating a very permissive profile. I would say that automatic profile creation is not suitable for my java environment.

Thanks for your help.

[glitsj16]

Automatic profile creation is still far from ideal, regardless of the environment. Perhaps a future AI integration can enhance it (and we can have only a few profiles instead of 1000+).

More important in the present though is realizing --noprofile is more of a debug tool instead of a tight sandbox profile. Behind the scenes it uses default.profile, which I would recommend looking into more closely:

firejail/etc/profile-a-l/default.profile

Lines 8 to 9 in 72edd96

	# generic GUI profile
	# depending on your usage, you can enable some of the commands below:

You'll have to keep experimenting to get a reasonably hardened sandbox for your java adventure. But now you've moved your files out of ${HOME} this could take less time/effort.