Bug #2914

Firejail doesn't work after recent update

infinite_recursion, about 1 month ago. Updated about 1 month ago.

Status: unconfirmed
Priority: bug
Assignee: -
% Done: 0%


Description

After the update to the recent version (0.9.64rc1-2), this error is thrown:

$ firejail iceweasel
Reading profile /etc/firejail/iceweasel.profile
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
DBus user socket was not found.
$ No proxies specified

History

#1

Updated by freemor about 1 month ago

Updated firejail works fine here. Need more info.

Which flavour of Parabola are you using?
On what type of machine?
Are you using "iceweasel-hardened-preferences" or any other enhancements?
Did you create a custom iceweasel.profile in the past that may now be stale?

The line "No Proxies Specified" is interesting as I do not get any mention of a proxy while running: firejail iceweasel

Can you post the output of:
firejail --debug iceweasel
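
The stale-profile question above can be checked mechanically, because firejail reads a profile from ~/.config/firejail before /etc/firejail. The following is an added example, not part of the original thread or of firejail itself; the function name `stale_profiles` and its output format are made up for illustration.

```shell
#!/bin/sh
# Added example: list user-level firejail profiles that shadow packaged ones.
# A copy in ~/.config/firejail replaces the file of the same name in
# /etc/firejail, so an old copy can survive a package update unnoticed.

# stale_profiles USER_DIR SYSTEM_DIR   (hypothetical helper)
# Prints one line per shadowing profile:
#   "<name> stale"     user copy is older than the packaged profile
#   "<name> override"  user copy is the same age or newer
# Profiles that exist only in USER_DIR are not reported.
stale_profiles() {
    user_dir=$1
    system_dir=$2
    # No user directory means nothing can shadow the system profiles.
    [ -d "$user_dir" ] || return 0
    for f in "$user_dir"/*.profile; do
        # Skip the unexpanded glob when the directory has no profiles.
        [ -f "$f" ] || continue
        name=${f##*/}
        sys="$system_dir/$name"
        [ -f "$sys" ] || continue
        if [ "$sys" -nt "$f" ]; then
            echo "$name stale"
        else
            echo "$name override"
        fi
    done
}

# Stand-alone use: check the current user's directory against /etc/firejail.
stale_profiles "${1:-$HOME/.config/firejail}" "${2:-/etc/firejail}"
```

A "stale" line means the packaged profile changed after the user copy was made, so the copy should be compared against the new file in /etc/firejail before it is trusted.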

#2

Updated by infinite_recursion about 1 month ago

I use OpenRC Parabola, linux-libre-hardened, x86_64. I use the default settings, haven't tampered with iceweasel at all. My transmission-qt also doesn't work after fsck cleanup a couple of days earlier.

$ firejail --debug iceweasel
Autoselecting /bin/bash as shell
Building quoted command line: 'iceweasel' 
Command name #iceweasel#
Found iceweasel.profile profile in /etc/firejail directory
Reading profile /etc/firejail/iceweasel.profile
Found firefox.profile profile in /etc/firejail directory
Reading profile /etc/firejail/firefox.profile
Found whitelist-usr-share-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Found firefox-common.profile profile in /etc/firejail directory
Reading profile /etc/firejail/firefox-common.profile
Found disable-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-common.inc
Found disable-devel.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-devel.inc
Found disable-exec.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-exec.inc
Found disable-interpreters.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-interpreters.inc
Found disable-programs.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-programs.inc
Found whitelist-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/whitelist-common.inc
Found whitelist-var-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/whitelist-var-common.inc
conditional BROWSER_DISABLE_U2F, nou2f
conditional BROWSER_DISABLE_U2F, private-dev
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
DISPLAY=:0 parsed as 0
DBus user socket was not found.
starting xdg-dbus-proxy
sbox exec: /usr/bin/xdg-dbus-proxy --fd=8 --args=9 
Dropping all capabilities
Drop privileges: pid 10730, uid 1000, gid 1000, nogroups 1
No supplementary groups
$ No proxies specified

#3

Updated by freemor about 1 month ago

Firstly, that debug output is suspiciously short. Mine ran to pages.
Secondly, are you sure it's not a browser issue?

Try:

firejail --profile=/etc/firejail/iceweasel.profile bash

If that drops you into a bash prompt with no errors (you can check you are in the jail by issuing the ls command to check that only Downloads is left),
then try launching iceweasel from there with just the command: iceweasel, as you are already in a jail.

Also, should the title of this be: "Things broken after fsck disk recovery"?

When you talk of Transmission-qt, are you saying that it doesn't work, or that there is a similar firejail failure with that program too?

#4

Updated by infinite_recursion about 1 month ago

Yes, it's very strange. VLC opens up with firejail but crashes on clicking "Open File". Iceweasel and Transmission don't start at all with firejail. Transmission-qt doesn't work currently even normally for me but iceweasel does. The above command gave me exactly the same error as in description above.

Yes, seems so; that's a better title. I've requested better closing of files earlier for all types of system shutdowns or crashes in Parabola.

Also, can you suggest how to find which packages have been tampered with and clean the corrupted package after fsck? If I can do that, then I'll clear pacman cache and reinstall those packages. Direct reinstall doesn't seem to solve it for me.

#5

Updated by freemor about 1 month ago

I've been doing some digging on this and hitting a few firejail snags myself. It seems the latest release changed several .profiles and also changed some of the default assumptions.

For example, in my case mpv no longer plays local files. Looking into it, it seems $HOME is no longer whitelisted in the profile.

Too soon for me to tell if this rises to the level of Bug. From what I'm reading so far and have seen in my own use cases, it's much more a case of deliberately changed behaviour. Which would be "Not-a-Bug", but having links to the changes and how to work with them might be a good addition to this BR.
