
#1 2020-07-04 15:50:09

roinincoder
Member
Registered: 2019-10-15
Posts: 12

need a small help to finish this firejail profile for vs code

I've made the following firejail profile but have a small issue. Running Node.js package manager commands fails with this permission error, which I don't know how to fix. Please let me know if you have any suggestions.

System: Kernel 5.7 and GNOME
Startup: Apparmor and firejail-default
Version: VS Code Bin

$ npx yarn
npx: installed 1 in 2.481s
yarn install v1.22.4
[1/4] Resolving packages...
success Already up-to-date.
$ yarn run install-server && yarn run install-client
/bin/sh: /tmp/yarn--1593869173651-0.9121885674392283/yarn: /bin/sh: bad interpreter: Permission denied
error Command failed with exit code 126.
info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.

Here's the profile

include code.local
include globals.local

# persisted files/dirs
noblacklist ${HOME}/.config/Code
noblacklist ${HOME}/.config/Code - OSS
noblacklist ${HOME}/.vscode

whitelist ${HOME}/.config/Code
whitelist ${HOME}/.config/Code - OSS
whitelist ${HOME}/.vscode

# Allows files commonly used by IDEs
include allow-common-devel.inc

include disable-common.inc
include disable-passwdmgr.inc
include disable-programs.inc

caps.drop all
netfilter
nodvd
nogroups
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix,inet,inet6,netlink
seccomp

private-cache
private-dev
private-tmp
private-bin bash,sh,id,grep,env,dirname,basename,npm,node,npx,which,python,pip
private-opt visual-studio-code

PS: The IDE has extensions which run unrestricted. See 52116-640258007 on their GitHub repository.

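What the failing step is actually doing, as an added example that is not part of the original post: yarn v1 writes two small /bin/sh wrapper scripts named node and yarn into a fresh /tmp/yarn--<timestamp>-<random>/ directory and puts that directory first in PATH while it runs package scripts, and npm's node_modules/.bin stubs start with #!/usr/bin/env node. The "bad interpreter: Permission denied" line above is /bin/sh failing to execve() that wrapper. The probe below is my own script, not the poster's; it creates both kinds of script in a scratch directory and runs them the way yarn does, so the same profile can be tested with and without --apparmor outside the IDE. The /bin/echo stand-in for node and the file name exec-probe.sh are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the "bad interpreter: Permission
# denied" failure without VS Code. yarn v1 writes two small /bin/sh wrapper
# scripts named "node" and "yarn" into a fresh /tmp/yarn--<timestamp>-<random>/
# directory and puts that directory first in PATH while it runs package scripts;
# npm's node_modules/.bin stubs start with "#!/usr/bin/env node". Both need
# execve() to succeed on a script living under /tmp (or the project tree).
# Run it outside the sandbox first, then inside it, and compare:
#   firejail --profile=/etc/firejail/code.profile --apparmor sh exec-probe.sh run

# Map the exit status /bin/sh returns when it cannot run a file to a diagnosis.
classify() {
    case $1 in
        0)   echo ok ;;
        126) echo exec-denied ;;   # found, but execve() refused: noexec mount, chmod, or LSM deny
        127) echo not-found ;;     # file or its shebang interpreter does not exist
        *)   echo "failed($1)" ;;
    esac
}

# Create both kinds of script under $1 and try to run them the way yarn does
# (through /bin/sh -c). Prints "<kind> <verdict>" per script and cleans up.
probe_exec() {
    base=$1
    dir=$(mktemp -d "$base/yarn--probe.XXXXXX") || return 1

    # Stand-in for yarn's wrapper: exec the real binary (here /bin/echo, not node).
    printf '#!/bin/sh\nexec /bin/echo wrapper-ran "$@"\n' > "$dir/yarn"
    # Stand-in for an npm bin stub: interpreter resolved through env(1).
    printf '#!/usr/bin/env sh\necho env-stub-ran "$@"\n' > "$dir/env-stub"
    chmod 755 "$dir/yarn" "$dir/env-stub"

    for kind in yarn env-stub; do
        rc=0
        /bin/sh -c "\"$dir/$kind\"" >/dev/null 2>&1 || rc=$?
        echo "$kind $(classify "$rc")"
    done
    rm -rf "$dir"
}

# Only probe when invoked as "sh exec-probe.sh run"; sourcing leaves it to the caller.
if [ "${1:-}" = "run" ]; then
    probe_exec "${TMPDIR:-/tmp}"
fi
```

Outside the sandbox both lines should read ok. Inside the sandbox, "exec-denied" for the yarn wrapper points at whatever refuses exec under /tmp (private-tmp plus a noexec mount, or an LSM rule), while "not-found" for the env stub points at the interpreter missing from the sandbox's PATH, which is the private-bin symptom.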

#2 2020-07-05 03:48:53

heywoodlh
Member
Registered: 2016-10-31
Posts: 26

Re: need a small help to finish this firejail profile for vs code

My suspicion is that the following portion is causing an issue:

private-bin ... sh

Maybe try removing that entire line and see if the error goes away. That may at least narrow down the issue.

I noticed on my Arch install that /bin/sh is just a symlink to bash, I wonder if the same thing is somehow causing an issue on your system:

❯ ls -l /bin/sh
lrwxrwxrwx 1 root root 4 May 22 06:29 /bin/sh -> bash*

I tried installing your profile in /etc/firejail/vscode-custom.profile and I couldn't even get it to launch with the line that I recommended you comment out. So I can't really replicate the same issue:

[heywoodlh@arch-inspiron ~]$ firejail --profile=/etc/firejail/vscode-custom.profile /usr/bin/code
Reading profile /etc/firejail/vscode-custom.profile
Reading profile /etc/firejail/allow-common-devel.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Parent pid 6129, child pid 6130
Warning: skipping visual-studio-code for private /opt
Private /opt installed in 0.12 ms
15 programs installed in 50.54 ms
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Child process initialized in 93.31 ms
execvp: No such file or directory

Parent is shutting down, bye...

Once I commented out the following line in /etc/firejail/vscode-custom.profile I was able to get VSCode to launch:

#private-bin bash,sh,id,grep,env,dirname,basename,npm,node,npx,which,python,pip

And I also didn't have that same permission issue when I ran npx yarn from the terminal in VSCode:

[heywoodlh@arch-inspiron ~]$ npx yarn
npx: installed 1 in 1.732s
yarn install v1.22.4
info No lockfile found.
[1/4] Resolving packages...
[2/4] Fetching packages...
[3/4] Linking dependencies...
[4/4] Building fresh packages...

success Saved lockfile.
Done in 0.06s.
[heywoodlh@arch-inspiron ~]$


#3 2020-07-05 12:21:58

roinincoder
Member
Registered: 2019-10-15
Posts: 12

Re: need a small help to finish this firejail profile for vs code

Thanks for the reply, wasn't expecting any :)

VS Code is installed via the AUR package visual-studio-code-bin, which installs it at /opt/visual-studio-code, and I think this is related to why you couldn't run the profile, that is, your installation is not at /opt/visual-studio-code. But please do verify that, as I'm curious why you'd even get a "No such file or directory" error.

Like you mentioned, the private-bin line is the cause; commenting that out does fix the profile. However I'm a bit skeptical about allowing all commands to run inside the IDE, I've never needed more than a handful of commands to run inside the integrated terminal or via development tools. At the very least I'd like to disable sudo, although I'm not sure how efficient that is, as I hear gaining root privilege in Linux is not difficult to achieve (the Qubes OS team runs their VM terminals as root by default for this same reason). So does restricting the available commands achieve anything substantial that would be worth the effort of accomplishing it?

Edit 1
One last issue: the scripts under node_modules/.bin that try to run via the Node.js shebang line #!/usr/bin/env node keep failing with "bad interpreter: Permission denied". What can I change to fix this?

Last edited by roinincoder (2020-07-05 12:53:51)


#4 2020-07-06 06:51:08

glitsj16
Member
Registered: 2015-04-26
Posts: 126

Re: need a small help to finish this firejail profile for vs code

Hi, as already pointed out your private-bin is too restrictive and misses at least the most important one: code (otherwise /usr/bin/code will never be found). In this case you'd need to have all the commands that are being used in /usr/bin/code referenced in that private-bin line. I would strongly recommend against that though, because it will sooner rather than later break using the terminal functionality inside visual-studio, as terminal emulators are known to be almost impossible to sandbox (at least if you want expected functionality).

Also, there is already a default firejail profile for code in /etc/firejail/code.profile. It's way easier to maintain customizations by using a code.local file instead of redoing things from scratch.

On another note, there isn't a problem with whitelisting paths in a firejail profile per se, but you have to understand the implications of doing so. In this case it means your sandboxed app will only see that part of your filesystem, which isn't very handy in a code editor IMO. E.g. you won't be able to read/write anything in a ${HOME}/bin, just to give one example. Personally I would take those out of the profile. In fact, that might very well solve the issue you mention under 'Edit 1'. If you really like to restrict the sandbox via whitelisting you must ensure all the needed paths are whitelisted, including commands under /usr/bin (use ${PATH}/foo in that case).

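One way to follow the advice above without hand-writing every whitelist line, as an added example that is not glitsj16's code nor the firejail project's: a helper that takes the commands the integrated terminal and build tools really need and emits the whitelist ${PATH}/foo lines for a code.local. It also follows symlinks, since /usr/bin/yarn from a global npm install is only a link into /usr/lib/node_modules/ and sh is a link to bash or dash; a line for the target costs nothing if firejail already resolves the link. Assumptions of mine: firejail's ${PATH} macro behaves as documented in firejail-profile(5), and the user-level override file is ~/.config/firejail/code.local; the script name gen-whitelist.sh is invented.

```shell
#!/bin/sh
# Added example, not from the thread or the firejail project: generate the
# "whitelist ${PATH}/foo" lines a whitelisting code.local needs for the commands
# the integrated terminal and build tooling really use. Each command is also
# followed through symlinks: an npm global like /usr/bin/yarn is a link into
# /usr/lib/node_modules/yarn/bin/, and sh is a link to bash or dash. A line for
# the target costs nothing if firejail already resolves the link, and saves a
# hunt when it does not. Append the output to the user-level override file:
#   sh gen-whitelist.sh sh bash node npm npx yarn git >> ~/.config/firejail/code.local

seen=:
# Print a profile line once, even if two commands resolve to the same target.
emit() {
    case "$seen" in
        *":$1:"*) ;;
        *) seen="$seen$1:"; echo "$1" ;;
    esac
}

# Print whitelist lines for every command name given; returns 1 if any command
# was not found on PATH or is a shell builtin (reported on stderr and skipped).
whitelist_lines() {
    missing=0
    seen=:
    for cmd in "$@"; do
        path=$(command -v "$cmd" 2>/dev/null) || { echo "skip: $cmd not found in PATH" >&2; missing=1; continue; }
        case $path in
            /*) ;;
            *) echo "skip: $cmd is a builtin, nothing to whitelist" >&2; missing=1; continue ;;
        esac
        # ${PATH} is firejail's macro and must stay literal: it expands to each
        # PATH directory when the profile is loaded.
        emit 'whitelist ${PATH}/'"$cmd"
        target=$(readlink -f "$path")
        if [ "$target" = "$path" ]; then
            continue
        fi
        # Symlink: a target inside a PATH dir (sh -> bash) can use the macro too;
        # anything else (yarn -> /usr/lib/node_modules/...) needs its full path.
        case ":$PATH:" in
            *":$(dirname "$target"):"*) emit 'whitelist ${PATH}/'"$(basename "$target")" ;;
            *) emit "whitelist $target" ;;
        esac
    done
    return $missing
}

# Usage as a script: sh gen-whitelist.sh cmd...  (no arguments: only define the functions)
if [ $# -gt 0 ]; then
    whitelist_lines "$@"
fi
```

Run it on the host with the same PATH the sandbox will see; if a command resolves through /usr/local/bin or a user-level node installation, the emitted absolute path shows exactly which extra directory the profile has to expose.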

#5 2020-07-08 18:42:20

roinincoder
Member
Registered: 2019-10-15
Posts: 12

Re: need a small help to finish this firejail profile for vs code

I've already removed the private-bin line before posting "Edit 1". Then everything worked except the issue mentioned in "Edit 1". Do you happen to know why there's a difference between running the same command successfully via the integrated terminal and running into an error when using another secondary process like yarn or npx? For example, the terminal can access "/usr/local/bin", but yarn cannot and throws an error for "syscall=access", which is weird. How are the two any different? Is this related to how firejail works?


#6 2020-07-08 19:12:23

glitsj16
Member
Registered: 2015-04-26
Posts: 126

Re: need a small help to finish this firejail profile for vs code

The issue under "Edit 1" might be a side-effect of your custom firejail profile. If you still have any whitelist lines in it, /usr/bin/node might not be accessible (which would explain the error you mention) and would need an additional whitelist ${PATH}/node. Do you still use any whitelisting in your current code.profile?


#7 2020-07-09 09:34:05

roinincoder
Member
Registered: 2019-10-15
Posts: 12

Re: need a small help to finish this firejail profile for vs code

Found a couple of interesting issues. Firstly, AppArmor is preventing a load of stuff that should work fine:

apparmor="DENIED" operation="exec" profile="firejail-default" name="/tmp/yarn--<random bs>.<random bs>/yarn" pid=1234 comm="sh" requested_mask="x" denied_mask="x"

Why would it restrict yarn? Furthermore, why is it not executing the yarn from /usr/lib/node_modules (global installation)? I can verify the emulator has access to yarn and the profile has access to node_modules (obv). Even more puzzling is the creation of this yarn folder under /tmp which contains two executables, "node" and "yarn".

So I think we're looking at an AppArmor issue and not firejail anymore. Verified by removing the --apparmor flag, and it worked fine.

Last edited by roinincoder (2020-07-09 09:37:23)

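Before dropping --apparmor altogether it is worth seeing everything the firejail-default profile is blocking, not just the one line that happened to surface. The summarizer below is an added example, not from the thread: it reads kernel audit lines in the format of the DENIED line quoted above and aggregates them by profile, operation, denied mask, process and path, collapsing yarn's per-run /tmp/yarn--<timestamp>-<random>/ directories so repeated runs land on one line. The sample lines are constructed to match that format; pids, timestamps and the ~/.ssh path are invented for the demonstration, and the file name aa-denials.sh is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: summarize what an AppArmor profile is
# blocking before deciding whether to drop --apparmor, add a local rule, or
# live with it. Feed it kernel audit lines such as the DENIED line in the post:
#   journalctl -k -b | summarize_denials      # or: dmesg | summarize_denials
# The sample lines below are constructed to match that format; pids, times and
# the ~/.ssh path are invented for the demonstration.

# Read audit lines on stdin, keep apparmor="DENIED" ones, and print
# "<count> <profile> <operation> <denied_mask> <comm> <path>" sorted by count.
# yarn's per-run /tmp/yarn--<timestamp>-<random>/ directories are collapsed to
# /tmp/yarn--*/ so repeated runs aggregate into one line.
summarize_denials() {
    awk '
    # Value of key="..." in line, or "?" when the key is absent.
    function kv(line, key,    v, i) {
        if (!match(line, "(^|[ ])" key "=\"[^\"]*\"")) return "?"
        v = substr(line, RSTART, RLENGTH)
        i = index(v, "=\"")
        return substr(v, i + 2, length(v) - i - 2)
    }
    /apparmor="DENIED"/ {
        name = kv($0, "name")
        sub(/yarn--[0-9]+-[0-9.]+/, "yarn--*", name)
        key = kv($0, "profile") " " kv($0, "operation") " " kv($0, "denied_mask") " " kv($0, "comm") " " name
        count[key]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample in the kernel audit format (not real log output).
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1594282445.120:9001): apparmor="DENIED" operation="exec" profile="firejail-default" name="/tmp/yarn--1594282445120-0.4518/yarn" pid=4242 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
type=AVC msg=audit(1594282445.121:9002): apparmor="DENIED" operation="exec" profile="firejail-default" name="/tmp/yarn--1594282445120-0.4518/node" pid=4243 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
type=AVC msg=audit(1594282501.007:9010): apparmor="DENIED" operation="exec" profile="firejail-default" name="/tmp/yarn--1594282500998-0.8821/yarn" pid=4301 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
type=AVC msg=audit(1594282501.900:9011): apparmor="DENIED" operation="open" profile="firejail-default" name="/home/user/.ssh/config" pid=4200 comm="code" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1594282502.000:9012): apparmor="ALLOWED" operation="exec" profile="firejail-default" name="/usr/bin/node" pid=4302 comm="sh" requested_mask="x" denied_mask="x"
EOF
}

# Usage as a script: sh aa-denials.sh demo
if [ "${1:-}" = "demo" ]; then
    sample_log | summarize_denials
fi
```

On the sample input the two yarn wrapper denials fold into a single line with count 2, the node wrapper and the unrelated open denial get one each, and the ALLOWED line (what complain mode logs) is ignored. Against a real log this separates the one rule that breaks yarn from the denials the profile is there to produce.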
