如何将要使用 firejail 执行的目录列入白名单?
特别是,我想在 firejail 中执行 Firefox Nightly。但我收到以下错误:
$ firejail --profile=/etc/firejail/firefox.profile --whitelist=$HOME/software/firefox-nightly ./firefox
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 769552, child pid 769553
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Post-exec seccomp protector enabled
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Child process initialized in 91.60 ms
Exec failed with error: Permission denied
并使用 shell 进行测试:
$ firejail --profile=/etc/firejail/firefox.profile --whitelist=$HOME/software/firefox-nightly sh
[...]
$ ls -l firefox
-rwxr-xr-x 1 vinc17 vinc17 16928 2020-05-16 13:22:44 firefox
$ ./firefox
sh: 2: ./firefox: Permission denied
注:/etc/firejail/disable-exec.inc有noexec ${HOME}.但--ignore='noexec ${HOME}'紧接着添加firejail没有效果。将目录移动到下面/usr/local也没有效果。
答案1
我遇到了同样的问题,所以我在 firejail GitHub 存储库上询问。这是我收到的答案:
如果您想在家中执行软件,您需要ignore noexec ${HOME}和ignore apparmor。
cat > ~/.config/firejail/firefox-developer-edition.local <<EOF
ignore noexec ${HOME}
ignore apparmor
whitelist ${HOME}/files/Portable/FirefoxDeveloperEdition
EOF
我想对你来说,路径会略有不同:
whitelist ${HOME}/software/firefox-nightly
答案2
我遇到了这个错误,并能够通过apparmor在 中注释掉来解决它/etc/firejail/firefox-common.profile。