Cannot access .local file when running sudo firejail from home directory

[allisonok331]

Description

So for context, the owner of /bin/evince is sbx_user and it has 700 permissions.

-rwx------. 1 sbx_user sbx_user

As a separate user, say test_user, run the following command in the command line:

sudo -u sbx_user /usr/bin/firejail --debug /bin/evince.

When I run this command anywhere but /home/test_user it works fine and the evince application comes up in a sandboxed environment. However when I run this command in my home directory, it gives the following error:

Building quoted command line: '/bin/evince'
Command name #evince#
Found evince.profile profile in /etc/firejail directory
Reading profile /etc/firejail/evince.profile
Error: cannot access profile file: evince.local

Steps to Reproduce

• Run:

chown sbx_user:sbx_user /bin/display
chmod 700 /bin/display
chown sbx_user:sbx_user /etc/firejail/display.profile

• In /etc/sudoers add the following sudo rule:

ALL    ALL                 = (sbx_user) NOPASSWD: /usr/bin/firejail --debug /bin/evince

• As a separate user, run the following command in the command line from the home directory /home/test_user:

sudo -u sbx_user /usr/bin/firejail --debug /bin/evince

Expected Behavior

What I am hoping will happen is that the evince application will come up in the sandboxed environment, even when running the command from the user's home directory (~). I can even run the command in ~/Documents, but not in ~. I have tried to whitelist {HOME} and had no luck.

Actual Behavior

The error above is printed. If I comment out evince.local it will move onto all of the disable and whitelist files and yell about the .local inside of them. I did comment out the inclusion of all .local files in each profile and this solved the issue, but i feel like that is a temporary solution. Are the .local files necessary to have a fully functioning sandbox environment? What could my profile be missing or need to not get the issue about the .local file not being accessed. From what I have read the .local files are stored in ~/.config/firejail, I have tried to whitelist this as well and that changed nothing.

Behavior without a profile

Without a profile the application can come up fine, just not sandboxed.

Environment

• Linux 5.10.218-rt110-RedHawk-8.4.11-trace x86_64
• Redhawk 8.4
• firejail version 0.9.72

Additional context

sbx_user owns the evince.profile in /etc/firejail

There are no "*.local" files in /etc/firejail

Below is my evince.profile:

evince.profile

include evince.local
include globals.local

noblacklist ${HOME}/.local/share/gvfs-metadata

noblacklist ${HOME}/.config/evince

noblacklist ${HOME}/Documents
noblacklist ${HOME}/Pictures
noblacklist ${HOME}/Music
noblacklist ${HOME}/Videos
noblacklist ${HOME}/Desktop
noblacklist ${HOME}/Downloads
noblacklist ${HOME}

blacklist /usr/libexec

whitelist ${HOME}/Documents
whitelist ${HOME}/Pictures
whitelist ${HOME}/Music
whitelist ${HOME}/Videos
whitelist ${HOME}/Desktop
whitelist ${HOME}/Downloads
whitelist ${HOME}

include allow-bin-sh.inc
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc

whitelist /usr/share/doc
whitelist /usr/share/evince
whitelist /usr/share/poppler
whitelist /usr/share/tracker

include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

tracelog

disable-mnt

private-cache
private-dev
private-tmp

dbus-user filter
dbus-user.talk ca.desrt.dconf
dbus-user.talk org.gtk.vfs.Daemon
dbus-user.talk org.gtk.vfs.Metadata
dbus-system none

restrict-namespaces

Appreciate any input, I know this may be an odd situation with the separate user owning the application rather than root. I do have the problem fixed when commenting .local out of each profile but not sure if that is the proper way to do things, thanks.

Relates to:

• Error fcopy: invalid ownership for file /usr/bin/display #6603
• modif: clarify error messages in profile.c #6605

[kmk3]

As a separate user, say test_user, run the following command in the command
line:

sudo -u sbx_user /usr/bin/firejail --debug /bin/evince.

When I run this command anywhere but /home/test_user it works fine and the
evince application comes up in a sandboxed environment. However when I run
this command in my home directory, it gives the following error:

Building quoted command line: '/bin/evince'
Command name #evince#
Found evince.profile profile in /etc/firejail directory
Reading profile /etc/firejail/evince.profile
Error: cannot access profile file: evince.local

Where is evince.local?

What is the output of:

ls -l /path/to/evince.local

Can the user running firejail access the file?

Also, the current error message is unfortunately unclear; please build/install
from #6605 and post the result with the updated error message.

[allisonok331]

There is no evince.local. There isn't any .local files

[kmk3]

There is no evince.local. There isn't any .local files

What is the error message with firejail-git?

[rusty-snake]

Possible duplicate of #3798