181: Quick lessons with firejail

I’ve been meaning to install firejail for a while but never got around to it, making all the imaginable excuses around possible impact, utility, etc. etc. I finally bit the bullet and installed it last night. I read the manpages and the associated resources on the Arch and Gentoo wikis. I applied profiles to feh, zathura, and my local installation of Firefox Nightly. What did I learn?

Running things out of your home directory is a little exceptional

I don’t keep Nightly in any system-wide location – it lives in my home directory, and I invoke it with my usual slurry of shell functions (stick it in a particular memory cgroup hierarchy, ground its stdout and stderr into /dev/null, and background it).

Upfront: firejail’s firefox profile prohibits access to our home directory (save for Downloads, .cache, .mozilla, and possibly others). My Nightly installation lives in ~/Documents – unreachable WRT the jail.

My first experience with firejail, then, was a frustrating head-to-desk affair where it stubbornly refused to execute /home/kalvin/Documents/Nightly/firefox. The error message read “No suitable … executable found,” which didn’t help at all even with the debug messages switched on. I could see it reporting an attempted exec call on the file, so it wasn’t some silly path expansion problem, but it didn’t offer up any other helpful self-diagnostics.

Of course, the resounding silence from Google staring back at me told me that this was definitely me in the wrong somewhere, so I dove back into the configuration to understand the imposed access controls. The eureka moment happened when I wrote my own firefox.local profile allowing access to ${HOME}/Documents, which worked at last!

(Ultimately, I erased the local config and just moved Nightly into my downloads directory.)

There’s (usually) no reason for my graphical applications to access the controlling terminal

My favorite bash function is called “quiet.” Succinctly,

function quiet() {
    # Background argv, grounding std{out,err} to /dev/null.
    "$@" 1>/dev/null 2>/dev/null &
}
# This is even more succinct as
#     "$@" &>/dev/null &
# but I understand that is a bash extension, not a POSIX shell
# specification.

Upfront: feh will call tcsetattr() (I didn’t research why) if it detects its stdin connected to a tty. I have no use for terminal interaction with feh, so I might as well cut loose its stdin.

My last firejail adventure of the night was attempting to apply the feh profile. I always use feh by calling it from my ever-present terminal on the directory or file I want to view. Unfortunately, when I tried to run it in firejail, it started almost immediately in a frozen state. The problem disappears if I don’t background the process.

After lots of hemming and hawing, I noticed it also complained (after getting unstuck) that a call to tcsetattr() failed. The feh manpage explains that feh accepts input from stdin to allow for some graphical control. I don’t need this, and all it manages to do is net itself SIGTTOU (because I’ve backgrounded it).

I have amended my favorite function to

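function quiet() {
    # Background argv with stdin, stdout and stderr all tied to /dev/null,
    # so the program never sees the controlling terminal on stdin.
    "$@" 1>/dev/null 2>/dev/null </dev/null &
}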

and we’ll see if that works all right for me.
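To check whether a backgrounded job is in the state described above (stopped while still holding the terminal on stdin), the following is an added example, not code from the original post. The helper names proc_state, stdin_target and diagnose are hypothetical, and Linux /proc is assumed.

```shell
#!/bin/sh
# Added example; helper names are hypothetical. Assumes Linux /proc.

# The amended helper: detach all three standard streams, then background.
quiet() {
    "$@" >/dev/null 2>/dev/null </dev/null &
}

# Print PID's one-letter state from /proc (S sleeping, T stopped, ...).
proc_state() {
    [ -r "/proc/$1/status" ] || return 1
    while read -r key val rest; do
        if [ "$key" = "State:" ]; then
            printf '%s\n' "$val"
            return 0
        fi
    done < "/proc/$1/status"
    return 1
}

# Print what PID's stdin (fd 0) points at, e.g. /dev/pts/3 or /dev/null.
stdin_target() {
    readlink "/proc/$1/fd/0"
}

# Summarise a job as stopped-on-tty, stopped, running-on-tty or
# running-detached. "stopped-on-tty" matches the frozen-feh situation:
# the job is stopped and its stdin is still a terminal.
diagnose() {
    state=$(proc_state "$1") || { echo "gone"; return 1; }
    target=$(stdin_target "$1") || target="unknown"
    case "$state" in
        T|t) run="stopped" ;;
        *)   run="running" ;;
    esac
    case "$target" in
        /dev/pts/*|/dev/tty*) echo "${run}-on-tty" ;;
        *) if [ "$run" = "stopped" ]; then echo "stopped"
           else echo "running-detached"; fi ;;
    esac
}

# Usage: sh this-file PID
if [ "$#" -gt 0 ]; then
    diagnose "$1"
fi
```

A job started through quiet should report running-detached; a job started with a plain trailing & from an interactive terminal that then freezes should report stopped-on-tty.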

J39M
