-
Notifications
You must be signed in to change notification settings - Fork 568
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Crash when mountinfo contains line over 4096 bytes #6450
Comments
Note that this is not about overlayfs support in firejail, but failing to start when an existing overlayfs is mounted. This might also happen with other mounts that create a very long line in mountinfo. Unfortunately |
# Actually 255 bytes for almost everything except of FAT32, but you know, trailing-nul-byte, some implementations, ...
max_filename="$(head -c 254 < /dev/zero | tr '\0' 'x')"
# (254 "x" + 1 "/") * 16 = 4080; MAX_PATH is 4096
very_long_path="$(for _ in {1..16}; do echo -n "/$max_filename"; done)"
# Create it in a tmpfs, in the worst case you need to hard-reboot but it will not break the next boot if there is some buggy tool.
mkdir -p /tmp$very_long_path
mount -o bind /tmp$very_long_path /tmp$very_long_path
# Test firejail
umount /tmp$very_long_path
rm -rf /tmp/xxx<TAB> |
Thanks, I could reproduce this with a long path length. Looking at the code a quick fix is to simply increase Starting a firejail with a long mountinfo line of 131112 bytes takes around 241ms instead of the normal 6.4ms without it mounted. So this probably needs a better solution in the parser. |
Description
Firejail crashes with
Error: cannot read /proc/self/mountinfo
when an overlayfs is mounted with a lot of lowerdirs.Steps to Reproduce
firejail --noprofile bash
overlayfs_test.fish
Note that this uses the newer
lowerdir+
syntax to add lowerdirs one by one, which is only supported since kernel version 6.7 or 6.8.Additional context
It seems to be related to a 4096 byte limit somewhere and not the amount of lowerdirs.
mount
syntax of appending lowerdirs withlowerdir=d1:d2:d...
stopped working for lines longer then 256 bytes. This is why the newerlowerdir+
option is needed.LIBMOUNT_FORCE_MOUNT2=always
and is limited to a longer option length of max 4096 bytes.lowerdir+
syntax allows to create a much longer entry in/proc/self/mountinfo
then was previously possible.See util-linux/util-linux#2287 and util-linux/util-linux#1992 (comment).
Environment
Compile time support
Checklist
/usr/bin/vlc
) "fixes" it).Log
Output of
env LC_ALL=C firejail --noprofile bash
Output of
env LC_ALL=C firejail --debug --noprofile bash
The text was updated successfully, but these errors were encountered: