
create custom profile to run man using firejail

1 vote
1 answer
1224 views
I'm trying to use [firejail](https://firejail.wordpress.com/) (version 0.9.58.2) for application sandboxing on my Debian Stable machine. From what I understand it's possible to create a custom configuration file for each application, but I wasn't successful in doing so. Currently I'm trying to write a custom `man.profile` file, since it [sounds quite easy](https://firejail.wordpress.com/documentation-2/building-custom-profiles/). I put a file with the following content in my `~/.config/firejail/` directory:

```
noblacklist /usr/share/man/
noblacklist /usr/lib/man-db/

include whitelist-var-common.inc

seccomp
shell none

private-bin sed,less,man,groff,nroff,tbl,bash
private-dev
```
But when I run `man less`, my pager opens only with an empty page, and after closing it I can read the following error message:

```
Reading profile /home/$USER/.config/firejail/man.profile
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 42020, child pid 42045
7 programs installed in 10.65 ms
Child process initialized in 10.69 ms
/usr/bin/man: command exited with status 255: (cd /usr/share/man && /usr/lib/man-db/zsoelim) | (cd /usr/share/man && /usr/lib/man-db/manconv -f UTF-8:ISO-8859-1 -t ISO-8859-1//IGNORE) | (cd /usr/share/man && tbl) | (cd /usr/share/man && nroff -mandoc -rLL=189n -rLT=189n -Tutf8)
```
What am I doing wrong? Any ideas/pointers are appreciated!

-----

Update (thanks @artem-s-tashkinov): when running `strace -f -e file -o /tmp/man.log man less` (after first performing `sudo firecfg --clean`) and examining the output of `/tmp/man.log`, I found that several other files were read while invoking `man less`. Therefore I updated the lines starting with `private-bin` and `private-lib` to include the following:

```
private-bin sed,less,man,groff,nroff,tbl,bash,terminfo,locale
private-lib /usr/lib/man-db,/usr/share/groff,/usr/share/locale,/usr/share/terminfo,/usr/share/man,/usr/lib/x86_64-linux-gnu,/lib/x86_64-linux-gnu,/usr/lib/charset.alias,/etc/ld.so.preload,/etc/ld.so.cache,/etc/manpath.config,/etc/suid-debug,/etc/terminfo,/etc/sysless,/etc/localtime
```

But the result is still negative: `man less` yields the following error:

```
bin/bash: error while loading shared libraries: libtinfo.so.6: cannot open shared object file: No such file or directory
/usr/bin/man: command exited with status 127: (cd /usr/share/man && /usr/lib/man-db/zsoelim) | (cd /usr/share/man && /usr/lib/man-db/manconv -f UTF-8:ISO-8859-1 -t UTF-8//IGNORE) | (cd /usr/share/man && preconv -e UTF-8) | (cd /usr/share/man && tbl) | (cd /usr/share/man && nroff -mandoc -rLL=189n -rLT=189n -Tutf8)
```

When looking for the location of `libtinfo.so.6` using `find /lib -name "*libtinfo*"`, the result is in `/lib/x86_64-linux-gnu/`, which is included in the `private-lib` line. And when eliminating the lines starting with `private-bin` and `private-lib`, it works (but obviously without the additional sandboxing).
Asked by n0542344 (416 rep)
Oct 28, 2020, 07:08 PM
Last activity: Oct 28, 2020, 08:10 PM
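As an added example that is not part of the original question or of firejail itself: the strace-based approach described in the update, turned into a small Python script that sorts the successful file accesses from `strace -f -e file` output into candidate `private-bin`, `private-etc` and `private-lib` entries and flags everything else as needing `whitelist`/`noblacklist` instead. The strace lines are constructed, and the directive semantics the script assumes are stated in its comments rather than taken from the firejail documentation.

```python
import re
from collections import defaultdict

# One `strace -f -e trace=file` line; groups: syscall name, first quoted path, result.
#   42045 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
STRACE_RE = re.compile(
    r'^(?:\d+\s+)?(\w+)\((?:AT_FDCWD,\s*)?"([^"]+)".*\)\s*=\s*(-?\d+)')
LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

# Constructed sample, modelled on what `strace -f -e file man less` prints.
SAMPLE_STRACE = """\
42045 execve("/usr/bin/man", ["man", "less"], 0x7ffe3c0d2f60 /* 20 vars */) = 0
42045 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
42045 openat(AT_FDCWD, "/etc/manpath.config", O_RDONLY) = 4
42045 stat("/usr/share/man", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
42046 execve("/bin/sh", ["sh", "-c", "..."], 0x55d1a2b3c4d0 /* 20 vars */) = 0
42046 openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libtinfo.so.6", O_RDONLY|O_CLOEXEC) = 3
42046 openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libfoo.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
42046 +++ exited with 0 +++
""".splitlines()

def parse_strace(lines):
    """Map path -> set of syscalls for file syscalls that succeeded. Failed probes
    (negative result, e.g. ENOENT) are dropped so they do not bloat the profile."""
    seen = defaultdict(set)
    for line in lines:
        m = STRACE_RE.match(line)
        if m and int(m.group(3)) >= 0:
            seen[m.group(2)].add(m.group(1))
    return seen

def suggest_directives(seen):
    """Sort successful accesses into candidate firejail directives. Assumed semantics
    (verify against the firejail man page for your version): private-bin takes
    program names, private-etc paths relative to /etc, private-lib .so names under
    the system lib dirs; anything else needs whitelist/noblacklist instead."""
    bins, etc, libs, other = set(), set(), set(), set()
    for path, syscalls in seen.items():
        name = path.rsplit("/", 1)[-1]
        if "execve" in syscalls:
            bins.add(name)
        elif path.startswith("/etc/"):
            etc.add(path[len("/etc/"):])
        elif path.startswith(LIB_DIRS) and ".so" in name:
            libs.add(name)
        else:
            other.add(path)
    return {"private-bin": sorted(bins), "private-etc": sorted(etc),
            "private-lib": sorted(libs), "other": sorted(other)}
```

Run it on a real `/tmp/man.log` by replacing `SAMPLE_STRACE` with the file's lines; the `other` bucket is the list to go through by hand, since those paths (here `/usr/share/man`) are not covered by any `private-*` directive.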