Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bugfix: do not interact with dbus directory if dbus proxy is disabled #6591

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

bugfix: do not interact with dbus directory if dbus proxy is disabled #6591

wants to merge 1 commit into from

Conversation

powerjungle
Copy link
Contributor

No description provided.

kmk3
kmk3 reviewed Dec 28, 2024
View reviewed changes
Copy link
Collaborator

@kmk3 kmk3 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For clarity, does the current code cause any issues or is this intended to just
keep /run/firejail cleaner?

@powerjungle
Copy link
Contributor Author

powerjungle commented Dec 28, 2024
edited
Loading

It did cause an issue when I was running firejail inside a chroot environment. That's not important, but I also realized there's no point in that code running if we disable the dbus proxy code anyway, just to keep things cleaner.

@powerjungle powerjungle force-pushed the fix/dbus-folder-creation branch from dbf0059 to 40ce858 Compare December 28, 2024 16:05
@kmk3 kmk3 added the bugfix This fixes a bug label Dec 29, 2024
@powerjungle powerjungle force-pushed the fix/dbus-folder-creation branch from 40ce858 to b5d4ea3 Compare December 29, 2024 22:52
@kmk3
Copy link
Collaborator

kmk3 commented Jan 4, 2025

It did cause an issue when I was running firejail inside a chroot
environment. That's not important, but I also realized there's no point in
that code running if we disable the dbus proxy code anyway, just to keep
things cleaner.

I see, but it is currently marked as a bugfix and it's not immediately obvious
what the bug is/what are the practical effects of creating/bind-mounting the
directory.

Could you add those details to the commit message?

By the way, firejail in a chroot is likely an uncommon environment, but if you
have any tips, use cases, etc about it, feel free to add them to the wiki.

@powerjungle
Copy link
Contributor Author

powerjungle commented Jan 4, 2025
edited
Loading

I see, but it is currently marked as a bugfix and it's not immediately obvious what the bug is

Sorry about that. Well the bug was, trying to run firejail inside of a firejail --chroot=/somedir --noprofile causes an assert to fail which checks whether the mode for /run/firejail/dbus is correct, which in this case means 0755, but the issue is that when inside of a "firejail chroot", that directory is mounted with mode 0400 probably to isolate the chroot better, which makes sense. Even when running sudo firejail --chroot=/somedir --noprofile, the /run/firejail/dbus directory still has the mode 0400.

I said that it's not important, because this use case shouldn't change the fact that it shouldn't create and care about the directory if firejail is built with dbus disabled. It's just a small cleanup. I probably shouldn't have called it a bugfix, but I just felt like it might cause issues in some other weird situations as well.

By the way, firejail in a chroot is likely an uncommon environment, but if you have any tips, use cases, etc about it, feel free to add them to the wiki.

Oh I forgot about the wiki, that's not a bad idea. Yeah I realize it's uncommon, actually I realized it even had a chroot argument very recently. I think it's a nice and relatively user friendly way to setup a "development environment" where you can install all dev packages in there and just isolate it from the "host system". Also testing out unstable software in that environment is really nice. Yes there are LXC and chroot/schroot, but all of those are a lot more tricky in my opinion and since I'm already using firejail for half of my programs anyway, why not use it for a simple "isolated environment" too. Yes, there are virtual machines too, but they're waaay too heavy for most daily use cases in my opinion, especially if you work on a laptop.

@powerjungle powerjungle force-pushed the fix/dbus-folder-creation branch from b5d4ea3 to 9a0016e Compare January 18, 2025 12:56
@kmk3
Copy link
Collaborator

kmk3 commented Jan 20, 2025

@powerjungle

(Offtopic)

Hello, please avoid rebasing to master without need (especially for branches
with only 1 commit, which usually end up being squashed/rebased anyway), as it
generates noise with notifications/timeline events, which likely results in
wasted time re-reviewing.

I think it's helpful to rebase to master when:

  • There have been a lot of new commits to master
  • There are new commits related to the PR or that touch related code
  • There are new commits that improve development/debugging of the PR (bugfix: parse --debug before using it #6579
    might be a good example)

kmk3
kmk3 reviewed Jan 31, 2025
View reviewed changes
Copy link
Collaborator

@kmk3 kmk3 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry about that. Well the bug was, trying to run firejail inside of a
firejail --chroot=/somedir --noprofile causes an assert to fail which
checks whether the mode for /run/firejail/dbus is correct, which in this
case means 0755, but the issue is that when inside of a "firejail chroot",
that directory is mounted with mode 0400 probably to isolate the chroot
better, which makes sense. Even when running sudo firejail --chroot=/somedir --noprofile, the /run/firejail/dbus directory still has the mode 0400.

Could you mention this issue in the commit message and how this code fixes it?
It would be nice to have it there for future reference.

It can be a short summary if you don't want to get into the details.

Also, it would be good to include the assert error message.

I said that it's not important, because this use case shouldn't change the
fact that it shouldn't create and care about the directory if firejail is
built with dbus disabled. It's just a small cleanup. I probably shouldn't
have called it a bugfix, but I just felt like it might cause issues in some
other weird situations as well.

I think it's fine to call this a bugfix, as it makes --chroot= work with a
--disable-dbusproxy build.

@powerjungle
bugfix: do not interact with dbus directory if dbus proxy is disabled
c011879 
Fix a failing assert when running `firejail` inside:
`firejail --chroot=somedir --noprofile`

firejail: ../../src/firejail/util.c:1039: create_empty_dir_as_root:
Assertion `(s.st_mode & 07777) == (mode)' failed.

The assert is checking whether the newly created `/run/firejail/dbus`
empty directory, has the correct mode set, which in this case is `0755`.
The issue is that, since the directory already exists and has the mode
`0400`, because of the first ran chroot command, the assert fails.

This commit circumvents this issue, by making `firejail` ignore the dbug
directory entirely, in the `src/firejail/preproc.c` file when compiling
the project using `configure --disable-dbusproxy`.
There's also really no need for `firejail` to care about that directory
if `--disable-dbusproxy` is used.
@powerjungle powerjungle force-pushed the fix/dbus-folder-creation branch from 9a0016e to c011879 Compare February 1, 2025 11:07
@powerjungle
Copy link
Contributor Author

Could you mention this issue in the commit message and how this code fixes it?

Done, I hope the commit description is clear.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kmk3 kmk3 kmk3 left review comments

Assignees
No one assigned
Labels
bugfix This fixes a bug
Projects
Release 0.9.74
Status: In progress
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@powerjungle @kmk3