
Bug#1025386: firejail: cannot use gdb with --allow-debuggers --profile=firefox


Vincent Lefevre

Dec 3, 2022, 2:10:04 PM
Package: firejail
Version: 0.9.70-2
Severity: normal

I get the following error:

zira:~> firejail --allow-debuggers --profile=firefox gdb
Reading profile /etc/firejail/firefox.profile
Reading profile /home/vinc17/.config/firejail/firefox.local
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /home/vinc17/.config/firejail/firefox-common.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-proc.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 1626894, child pid 1626897
Warning: cannot open source file /usr/lib/x86_64-linux-gnu/firejail/seccomp.debug32, file not copied
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Child process initialized in 130.58 ms
Could not find platform independent libraries <prefix>
Could not find platform dependent libraries <exec_prefix>
Consider setting $PYTHONHOME to <prefix>[:<exec_prefix>]
Python path configuration:
PYTHONHOME = (not set)
PYTHONPATH = (not set)
program name = '/usr/bin/python'
isolated = 0
environment = 1
user site = 1
import site = 1
sys._base_executable = '/usr/bin/python'
sys.base_prefix = '/usr'
sys.base_exec_prefix = '/usr'
sys.platlibdir = 'lib'
sys.executable = '/usr/bin/python'
sys.prefix = '/usr'
sys.exec_prefix = '/usr'
sys.path = [
'/usr/lib/python310.zip',
'/usr/lib/python3.10',
'/usr/lib/lib-dynload',
]
Fatal Python error: init_fs_encoding: failed to get the Python codec of the filesystem encoding
Python runtime state: core initialized
ModuleNotFoundError: No module named 'encodings'

Current thread 0x00007f32e84a9640 (most recent call first):
<no Python frame>

Parent is shutting down, bye...

-- System Information:
Debian Release: bookworm/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'stable-security'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
merged-usr: no
Architecture: amd64 (x86_64)

Kernel: Linux 6.0.0-5-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=POSIX, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages firejail depends on:
ii libapparmor1 3.0.7-1+b2
ii libc6 2.36-6
ii libselinux1 3.4-1+b3

Versions of packages firejail recommends:
ii firejail-profiles 0.9.70-2
ii iproute2 6.0.0-1+b1
ii iptables 1.8.8-1
ii xauth 1:1.1.1-1
ii xdg-dbus-proxy 0.1.4-2
ii xserver-xephyr 2:21.1.4-3
ii xvfb 2:21.1.4-3

firejail suggests no packages.

-- no debconf information

--
Vincent Lefèvre <vin...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Reiner Herrmann

Dec 10, 2022, 1:00:04 PM
Hi Vincent,

On Sat, Dec 03, 2022 at 07:59:43PM +0100, Vincent Lefevre wrote:
> zira:~> firejail --allow-debuggers --profile=firefox gdb
[...]
According to the firejail manpage, --allow-debuggers only takes care of
allowing system calls commonly used by debugging tools (e.g. ptrace).
It is not a parameter to broadly allow any debugger including their
dependency chains.
Debugging tools that have dependencies (like in your example gdb -> python3)
need to be handled additionally (either by asking gdb to not use the
python3 extensions, or by adding parameters that whitelist it).

With the following command line I was able to get a gdb shell:
> $ firejail --allow-debuggers --include=/etc/firejail/allow-python3.inc --profile=firefox gdb
> [...]
> (gdb)

Kind regards,
Reiner

Vincent Lefevre

Dec 22, 2022, 1:30:03 PM
Hi Reiner,

On 2022-12-10 18:48:39 +0100, Reiner Herrmann wrote:
> Debugging tools that have dependencies (like in your example gdb -> python3)
> need to be handled additionally (either by asking gdb to not use the
> python3 extensions, or by adding parameters that whitelist it).
>
> With the following command line I was able to get a gdb shell:
> > $ firejail --allow-debuggers --include=/etc/firejail/allow-python3.inc --profile=firefox gdb
> > [...]
> > (gdb)

However, this is not a good solution from a security point of view.
There's a difference between allowing Python completely and just
embedding in some given application.

This could also be an issue in gdb. There should be a way to disable
Python, or have Python automatically disabled when not available.

Reiner Herrmann

Dec 22, 2022, 1:40:03 PM
On Thu, Dec 22, 2022 at 07:20:07PM +0100, Vincent Lefevre wrote:
> Hi Reiner,
>
> On 2022-12-10 18:48:39 +0100, Reiner Herrmann wrote:
> > Debugging tools that have dependencies (like in your example gdb -> python3)
> > need to be handled additionally (either by asking gdb to not use the
> > python3 extensions, or by adding parameters that whitelist it).
> >
> > With the following command line I was able to get a gdb shell:
> > > $ firejail --allow-debuggers --include=/etc/firejail/allow-python3.inc --profile=firefox gdb
> > > [...]
> > > (gdb)
>
> However, this is not a good solution from a security point of view.
> There's a difference between allowing Python completely and just
> embedding in some given application.

This was just a suggestion to show that it is possible to run gdb.
If the permissions are too broad for you, you can create your own include
that is more narrow and only allows what is needed by gdb.

> This could also be an issue in gdb. There should be a way to disable
> Python, or have Python automatically disabled when not available.

You can install gdb-minimal. It does not have Python-support and works
with your original "firejail --allow-debuggers --profile=firefox gdb"
command line.

Kind regards,
Reiner
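A narrower include of the kind Reiner suggests, written here as an added example (not code from the bug report or from the firejail project). It assumes that disable-interpreters.inc is the include that blacklists /usr/lib/python3*, and the file name gdb-python.inc and the temporary directory are constructed for the demo:

```shell
#!/bin/sh
# Added example, not from the bug report or the firejail project: a narrower
# include than /etc/firejail/allow-python3.inc. It re-allows only the Python
# standard library that gdb's embedded interpreter failed to find
# (/usr/lib/python3.10 in the report), while ${PATH}/python3* and the other
# paths blacklisted by disable-interpreters.inc stay blocked.
# Assumption: disable-interpreters.inc is the include that blacklists
# /usr/lib/python3*, so a single noblacklist line undoes exactly that entry.
set -eu

# Write the include file; $1 is the target directory (constructed path,
# defaults to the per-user firejail config directory).
write_gdb_python_include() {
    dir="${1:-$HOME/.config/firejail}"
    mkdir -p "$dir"
    cat > "$dir/gdb-python.inc" <<'EOF'
# Narrow alternative to allow-python3.inc for gdb's embedded Python:
# only the standard library is re-allowed, not the python3 binaries.
noblacklist /usr/lib/python3*
EOF
    printf '%s\n' "$dir/gdb-python.inc"
}

# Build the command line from the thread with the narrow include substituted
# for allow-python3.inc; $1 is the path returned by the function above.
gdb_firejail_cmd() {
    printf 'firejail --allow-debuggers --include=%s --profile=firefox gdb\n' "$1"
}

# Demo: write the include into a temporary directory and print the command.
demo_dir="${TMPDIR:-/tmp}/firejail-gdb-example"
inc="$(write_gdb_python_include "$demo_dir")"
gdb_firejail_cmd "$inc"
```

Whether gdb still needs anything beyond the standard library (for instance its own Python helpers under /usr/share) depends on the firefox profile's whitelists, so check the sandbox output once before relying on the include.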

Vincent Lefevre

Dec 22, 2022, 2:50:03 PM
On 2022-12-22 19:27:37 +0100, Reiner Herrmann wrote:
> You can install gdb-minimal. It does not have Python-support and works
> with your original "firejail --allow-debuggers --profile=firefox gdb"
> command line.

But it is not co-installable with gdb. This is silly!

gdb-minimal apparently doesn't have source highlighting,
so I would need both. Or there should be a 3rd package
gdb-nopython.

Reiner Herrmann

Dec 22, 2022, 3:00:04 PM
On Thu, Dec 22, 2022 at 08:41:26PM +0100, Vincent Lefevre wrote:
> On 2022-12-22 19:27:37 +0100, Reiner Herrmann wrote:
> > You can install gdb-minimal. It does not have Python-support and works
> > with your original "firejail --allow-debuggers --profile=firefox gdb"
> > command line.
>
> But it is not co-installable with gdb. This is silly!
>
> gdb-minimal apparently doesn't have source highlighting,
> so I would need both. Or there should be a 3rd package
> gdb-nopython.

Please consider opening a bug against the gdb package then.
I think there is nothing I could change in firejail.

Regards,
Reiner