Problem when curl is sandboxed with Firejail

[Irvinehimself]

Firstly, I would like to point out that I really love this utility, it is a real life saver. However, there is a problem when curl is sandboxed using the default Firejail profile. Basically, "nordvpn update" breaks at line 82 when it can’t find the NordVpn.zip to check the md5sum.

I am using Arch Linux, and Pacman works fine in a similar sandbox. Searching journalctl, I can find a few blacklist violations for the firejail kate, (a text editor,) and the "firejail catfish", (a search utility,) but no blacklist violations for "firejail curl".

In fact the only journalctl entries for nordvpn are similar to the following:

--: stupidme : TTY=pts/1 ; PWD=/home/stupidme ; USER=root ; COMMAND=/usr/bin/nordvpn update
--: pam_unix(sudo:session): session opened for user root by (uid=0)
--: pam_unix(sudo:session): session closed for user root
--: stupidme : TTY=pts/1 ; PWD=/home/stupidme ; USER=root ; COMMAND=/usr/bin/nordvpn infos
--: pam_unix(sudo:session): session opened for user root by (uid=0)
--: pam_unix(sudo:session): session closed for user root

Running "nordvpn infos" with curl sandboxed, I get the following error:

$ sudo nordvpn infos
Updating servers list...
Traceback (most recent call last):
  File "/etc/openvpn/client/nordvpn/servers.py", line 23, in <module>
    print >>sys.stderr, "Can't read {}".format(args.servers_filename)
TypeError: unsupported operand type(s) for >>: 'builtin_function_or_method' and '_io.TextIOWrapper'
$

In a situation like this, it is difficult to identify the source of the problem, but, as I said, Pacman has no problems with curl running in an identical sandbox.

If you would like more details, or would like me to run some tests, I would be glad to do so.

Irvine

[Irvinehimself]

Okay, I think I am starting to figure this out. I am not quite sure whether it is the seccomp or the caps restrictions on curl, but inside the curl sandbox the openvpn directory is read only. Pacman/Yaourt don't have this problem because they use an intermediate tmp directory, which, inside the curl sandbox, is read/write and non-executable.

Anyway, once the download is finished, curl, along with it's sandbox, is closed and the downloaded files can be checked for integrity before being unpacked and copied to their final destination.

With security currently being a major issue, the use of a VPN along with programs like Firejail is becoming increasingly common. I need to investigate this further, but, will keep you informed of any fix.

[Irvinehimself]

On further investigation: Pacman has no problems with curl being sandboxed, and neither does Yaourt when installing official packages. On the other hand Yaourt does have a problem when trying to install from the AUR.

I made a small test bash to use a sandboxed curl to download into my ${HOME} directory, which works fine without sudo.

#!/bin/bash

curl -sI https://nordvpn.com/api/files/zipv2

tmpdir="${HOME}/Work/FirjailApparmor/NordTest/TestCurl/"
mkdir "$tmpdir"
cd "$tmpdir"

curl -sS -o nordvpn.zip https://nordvpn.com/api/files/zipv2

By the way, if you think I am making an issue of this, consider that *curl has been susceptible to a number of recent security advisories in it'sown right, while some it's dependencies have had recent advisories rated as critical, Currently, wget, is dependent on glibc which is rated critically vulnerable

As it stands, even weakening the Firejail profile to get it to work, curl is still running with root privileges.

[nstinus]

Thank you very much for your detailed explanation. I know this has been outstanding for a while and I am sorry for it. I do not use firejail and know nothing about it. Have you been able to work around this issue? I am willing to try alternatives but you seem to say that wget is not better... In any case, if you can work on a PR, I'll be more than happy to look at it.

[Irvinehimself]

I eventually solved the problem by writing a couple of discrete shells. The first uses wget to fetch the openvpn configurations which I load with nm-applet, and the other uses curl to fetch the server list, which I parse into a database. Both wget and curl are sandboxed by default, and neither shell has any problems with this.

As a result, I no longer use your utility. However, since I am now much more experienced with Firejail, I took another look at the curl profile and suspect that the problems I described above relating to both your utility and Yaourt-AUR, have something to do with the lines 'noexec tmp' and/or 'private tmp' in the default curl profile for Firejail. Although, truthfully, I am just guessing and, to be certain, I would really need to re-install your utility and painstakingly comment/un-comment each line.

I am sorry I can't really be of more help, but it was over a year ago.

Irvine