firejail: can't chroot into jail and can't do "apt update"

September 15, 2019
WordPress Security

Hello,

I know this tutorial is 5 years old now, but I am trying to use it to install nginx inside a sandbox. I am using Ubuntu 18.04, and something important seems to have changed since 16.04, which keeps firejail from working as described in this tutorial. The trouble starts when I try to chroot into the db jail:

root@linux-box:~# firejail --chroot=/jails/db --name=db
Warning: default profile disabled by --chroot option
Parent pid 4464, child pid 4465
The new log directory is /proc/4465/root/var/log
Warning: failed to unmount /sys
Warning: whitelist feature is disabled in chroot
Child process initialized in 25.87 ms
root@linux-box:~# 

“linux-box” is the host’s name. As you can see, firejail complains about /sys and it doesn’t seem to chroot 100% into the jail, because the command line still looks the same as before. In your tutorial, the command line looks very different from the one of the host.

When I try to run “apt-get update”, I get these errors:

root@linux-box:~# apt-get update
Hit:1 http://cdn-fastly.deb.debian.org/debian stable InRelease
Get:2 http://cdn-fastly.deb.debian.org/debian stable/main Translation-en [5967 kB]
Fetched 5967 kB in 5s (1257 kB/s)    
Reading package lists... Done
W: Problem unlinking the file /var/lib/apt/lists/partial/deb.debian.org_debian_dists_stable_InRelease - PrepareFiles (13: Permission denied)
W: Problem unlinking the file /var/lib/apt/lists/partial/deb.debian.org_debian_dists_stable_main_i18n_Translation-en.bz2 - PrepareFiles (13: Permission denied)
W: Problem unlinking the file /var/lib/apt/lists/partial/deb.debian.org_debian_dists_stable_main_i18n_Translation-en - PrepareFiles (13: Permission denied)
E: Failed to fetch store:/var/lib/apt/lists/partial/deb.debian.org_debian_dists_stable_main_i18n_Translation-en.bz2  rename failed, Permission denied (/var/lib/apt/lists/partial/deb.debian.org_debian_dists_stable_main_i18n_Translation-en -> /var/lib/apt/lists/deb.debian.org_debian_dists_stable_main_i18n_Translation-en).
E: Some index files failed to download. They have been ignored, or old ones used instead.
root@linux-box:~# 

Do you have any idea what in particular has changed that much between 16.04 and 18.04 that keeps firejail from working as you described it?

Many thanks in advance!

1 Answer

I’ve not tested this myself, but I believe that the firejail version that you’ve used might be the issue.

What is the exact firejail version that you’ve used? Make sure that it is the latest one compatible with Ubuntu 18.04, as the one from the article is firejail_0.9.8.1_1_amd64.deb, which is from 2014 and might not work with Ubuntu 18.04.

Here’s a list of the available versions:

https://sourceforge.net/projects/firejail/files/firejail/
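
One way to run the version check suggested in the answer above, as an added example that is not part of the original question or answer. The function names are hypothetical; it assumes the first line of `firejail --version` reads "firejail version X.Y.Z" and that `sort -V` (GNU coreutils) is available. The sample output is constructed.

```shell
#!/bin/sh
# Added example: compare a firejail version with the tutorial's 2014 build.

# Version taken from the package name in the answer (firejail_0.9.8.1_1_amd64.deb).
TUTORIAL_VERSION="0.9.8.1"

# Pull X.Y.Z out of the first line of `firejail --version` output.
parse_firejail_version() {
    printf '%s\n' "$1" |
        sed -n '1s/^firejail version \([0-9][0-9A-Za-z.~-]*\).*$/\1/p'
}

# Exit 0 when version $1 is strictly newer than version $2.
# sort -V compares numerically per component, so 0.9.52 > 0.9.8.1;
# a plain string comparison would get this pair backwards.
version_newer() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# Classify raw `firejail --version` output relative to the tutorial's build.
classify_version() {
    ver=$(parse_firejail_version "$1")
    if [ -z "$ver" ]; then
        echo "unknown"
    elif version_newer "$ver" "$TUTORIAL_VERSION"; then
        echo "newer:$ver"
    else
        echo "tutorial-era:$ver"
    fi
}

# Constructed sample, used only when firejail is not installed on this host.
SAMPLE_OUTPUT='firejail version 0.9.52'

if command -v firejail >/dev/null 2>&1; then
    out=$(firejail --version 2>/dev/null || true)
else
    out=$SAMPLE_OUTPUT
fi
classify_version "$out"
```

A result of `tutorial-era:` means the installed build is the 2014 package from the article or older; `unknown` means the output did not have the assumed form.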
