On 2019-01-29 00:48:00 +0100, Reiner Herrmann wrote:
> On Tue, Jan 29, 2019 at 12:40:11AM +0100, Vincent Lefevre wrote:
> > > What does "firejail --list" show?
> >
> > 20396:vinc17:firefox-1:/usr/bin/firejail --quiet --name=firefox
> > --env=BROWSER=firefox-esr firefox-esr
> >
> > But why is it called firefox-1? I have requested --name=firefox.
> > This makes no sense.
>
> It creates a firefox-1, if a sandbox called firefox was already existing
> at the time it is created.

This is not what is documented:

       --name=name
              Set sandbox name. Several options, such as --join and
              --shutdown, can use this name to identify a sandbox.

              Example:
              $ firejail --name=mybrowser firefox

If it creates a sandbox under the wrong name, this would at least be
a security issue, as --put would send files to the wrong sandbox!

> For some reason there seems to be a short-lived sandbox called firefox
> created, and at the same time another one.

This occurred when I restarted Firefox. If the old sandbox takes time
to terminate, then this could explain the problem. But in this case,
I would expect firejail to fail, not to create a sandbox with a wrong
name.

> That's why I asked in the other mail if your firefox-esr is maybe a
> symlink to firejail.
>
> Perhaps some debug information will give more clues.
> Can you (after shutting down firefox) run the same command, but with
> --debug as an argument at the beginning?

When the problem occurs, I get:

Reading profile /etc/firejail/firefox-esr.profile
Autoselecting /bin/zsh as shell
Building quoted command line: 'firefox-esr'
Command name #firefox-esr#
Found firefox-esr.profile profile in /etc/firejail directory
Reading profile /etc/firejail/firefox.profile
Found firefox.profile profile in /etc/firejail directory
Reading profile /etc/firejail/firefox-common.profile
Found firefox-common.profile profile in /etc/firejail directory
Reading profile /etc/firejail/disable-common.inc
Found disable-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-devel.inc
Found disable-devel.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-interpreters.inc
Found disable-interpreters.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-programs.inc
Found disable-programs.inc profile in /etc/firejail directory
Reading profile /etc/firejail/whitelist-common.inc
Found whitelist-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/whitelist-var-common.inc
Found whitelist-var-common.inc profile in /etc/firejail directory
Warning: networking feature is disabled in Firejail configuration file
Warning: Sandbox name changed to firefox-1
DISPLAY=:0 parsed as 0
Parent pid 22807, child pid 22808
[...]

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
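
A defensive check for the renaming risk raised in this mail, as an added example that is not part of the original message or of firejail: before passing a sandbox name to --put or --join, resolve it from `firejail --list` output and refuse when the name is missing or a renamed `name-N` sandbox exists. The function name `resolve_sandbox` is hypothetical, and the `pid:user:name:command` line format is assumed from the single line quoted above.

```shell
#!/bin/sh
# Added example. Assumed input format (from the line quoted in the mail):
#   pid:user:name:command

# resolve_sandbox NAME   (reads `firejail --list` output on stdin)
# Prints the PID and returns 0 only when exactly one sandbox is called NAME
# and no renamed sibling (NAME-<digits>) exists.
# Returns 1 when NAME is absent, 2 when the name is ambiguous or was renamed.
resolve_sandbox() {
    awk -F: -v want="$1" '
        # Only fields 1-3 are used: the command field may itself contain ":"
        # (for example DISPLAY=:0), so it is never parsed.
        $3 == want { exact++; pid = $1 }

        # A sandbox renamed on collision carries the requested name plus "-N".
        # Plain string functions are used so NAME is never treated as a regex.
        index($3, want "-") == 1 && substr($3, length(want) + 2) ~ /^[0-9]+$/ {
            renamed++
        }

        END {
            if (exact == 1 && renamed == 0) { print pid; exit 0 }
            if (exact == 0 && renamed == 0) exit 1
            exit 2
        }'
}

# Constructed sample: the only sandbox present is the renamed one.
sample='20396:vinc17:firefox-1:/usr/bin/firejail --quiet --name=firefox firefox-esr'
printf '%s\n' "$sample" | resolve_sandbox firefox \
    || echo "refusing to address sandbox by name (status $?)"

# Live use would be: pid=$(firejail --list | resolve_sandbox firefox)
# and then addressing the sandbox by that PID instead of by name.
```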