Package: firejail Version: 0.9.64.4-2 Severity: normal X-Debbugs-Cc: debbug.firej...@sideload.33mail.com
There is no problem if the --noprofile option is given. But if firejail is allowed to use the default profile (/etc/firejail/wget.profile), fetched files cannot be written to the local directory. ===8<------------------------------ $ firejail --net=vnet0 --dns="$mydns" --noblacklist=. wget --no-netrc "$url" --«timestamp»-- «url» Resolving web.archive.org (web.archive.org)... 207.241.237.3 Connecting to web.archive.org (web.archive.org)|207.241.237.3|:80... connected. HTTP request sent, awaiting response... 302 FOUND Location: http://web.archive.org/web/«url» [following] --«timestamp»-- http://web.archive.org/web/«url» Reusing existing connection to web.archive.org:80. HTTP request sent, awaiting response... 200 OK Length: 33763692 (36M) [audio/mpeg] myfile.mp3: Permission denied Cannot write to ‘myfile.mp3’ (Permission denied). ===8<------------------------------ This is /etc/firejail/wget.profile: ===8<------------------------------ # Firejail profile for wget # Description: Retrieves files from the web # This file is overwritten after every install/update quiet # Persistent local customizations include wget.local # Persistent global definitions include globals.local noblacklist ${HOME}/.netrc noblacklist ${HOME}/.wget-hsts noblacklist ${HOME}/.wgetrc blacklist /tmp/.X11-unix blacklist ${RUNUSER} include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc # depending on workflow you can uncomment the below or put 'include disable-xdg.inc' in your wget.local #include disable-xdg.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor caps.drop all ipc-namespace machine-id netfilter no3d nodvd nogroups nonewprivs noroot nosound notv nou2f novideo protocol unix,inet,inet6 seccomp seccomp.block-secondary shell none tracelog private-bin wget private-cache private-dev # depending on workflow you can uncomment the below or put this private-etc in your wget.local #private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl,wgetrc #private-tmp dbus-user none dbus-system none memory-deny-write-execute ===8<------------------------------ -- System Information: Debian Release: 11.5 APT prefers stable-updates APT policy: (990, 'stable-updates'), (990, 'stable-security'), (990, 'testing'), (990, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 5.10.0-19-amd64 (SMP w/2 CPU threads) Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages firejail depends on: ii libapparmor1 2.13.6-10 ii libc6 2.31-13+deb11u5 ii libselinux1 3.1-3 Versions of packages firejail recommends: ii firejail-profiles 0.9.64.4-2+deb11u1 ii iproute2 5.10.0-4 ii iptables 1.8.7-1 ii xauth 1:1.1-1 ii xdg-dbus-proxy 0.1.2-2 ii xpra 3.0.13+dfsg1-1 ii xvfb 2:1.20.11-1+deb11u3 firejail suggests no packages. -- Configuration Files: /etc/firejail/firejail.config changed: cgroup no -- no debconf information
