Firejail and my browsers [SOLVED]

Amii_Leigh
Level 5
Posts: 724
Joined: Fri Mar 25, 2016 10:58 pm
Location: Somewhere in the middle of nowhere, Missouri

Post by Amii_Leigh »

I have several browsers installed: Palemoon, Iridium, Tor, Waterfox, and Seamonkey, just to have lots to choose from.
Just recently I updated Firejail from the version I had, which at the time worked with everything I had installed, until I installed Waterfox; so I updated it, and now Waterfox works just peachy. The only thing is, now that I've done that, Tor will hang:

$ firejail /usr/bin/tor-browser-en
Reading profile /etc/firejail/tor-browser-en.profile
Reading profile /etc/firejail/torbrowser-launcher.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 1672, child pid 1673
Private /etc installed in 43.80 ms
Blacklist violations are logged to syslog
Child process initialized in 437.93 ms
Error: no suitable /usr/bin/tor-browser-en executable found

Parent is shutting down, bye...

It runs fine without firejail, but that's hardly the point of having a sandboxing application, am I right?
I also cannot start palemoon using firejail. I've posted about that issue on the Palemoon forums, as it has only been doing this since I updated Palemoon to version 27.9.1:

$ firejail palemoon
Reading profile /etc/firejail/palemoon.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 3085, child pid 3086
TESTING warning: noblacklist /home/amii/.moonchild productions/pale moon not matched by a proper blacklist command in disable*.inc
Blacklist violations are logged to syslog
Child process initialized in 76.50 ms

It just hangs there until I close it.
I can also run palemoon without firejail, so since I don't know how to write or modify code, I have to leave it to someone who can. Just so you can see what it looks like without firejail:

$ palemoon

(pale moon:3634): GLib-GObject-WARNING **: Attempt to add property GnomeProgram::sm-connect after class was initialised

(pale moon:3634): GLib-GObject-WARNING **: Attempt to add property GnomeProgram::show-crash-dialog after class was initialised

(pale moon:3634): GLib-GObject-WARNING **: Attempt to add property GnomeProgram::display after class was initialised

(pale moon:3634): GLib-GObject-WARNING **: Attempt to add property GnomeProgram::default-icon after class was initialised

At this point, it's up and running.
Just so everyone interested knows just what machine is doing this:

$ inxi -Fxz
System:    Host: Basically Kernel: 4.4.0-121-generic x86_64 (64 bit gcc: 4.8.4)
           Desktop: Cinnamon 2.8.8 (Gtk 3.10.8~8+qiana)
           Distro: Linux Mint 17.3 Rosa
Machine:   Mobo: ASUSTeK model: P5KPL-CM v: x.xx
           Bios: American Megatrends v: 0602 date: 02/24/2009
CPU:       Dual core Pentium E5300 (-MCP-) cache: 2048 KB
           flags: (lm nx sse sse2 sse3 ssse3 vmx) bmips: 10486
           clock speeds: max: 2600 MHz 1: 2000 MHz 2: 1600 MHz
Graphics:  Card: NVIDIA GK208 [GeForce GT 710B] bus-ID: 01:00.0
           Display Server: X.Org 1.17.1 drivers: nvidia (unloaded: fbdev,vesa,nouveau)
           Resolution: 1280x1024@60.0hz
           GLX Renderer: GeForce GT 710/PCIe/SSE2
           GLX Version: 4.5.0 NVIDIA 384.111 Direct Rendering: Yes
Audio:     Card-1 Intel NM10/ICH7 Family High Definition Audio Controller
           driver: snd_hda_intel bus-ID: 00:1b.0
           Card-2 NVIDIA GK208 HDMI/DP Audio Controller
           driver: snd_hda_intel bus-ID: 01:00.1
           Sound: Advanced Linux Sound Architecture v: k4.4.0-121-generic
Network:   Card: Qualcomm Atheros AR8121/AR8113/AR8114 Gigabit or Fast Ethernet
           driver: ATL1E port: ec00 bus-ID: 02:00.0
           IF: eth1 state: up speed: 100 Mbps duplex: full mac: <filter>
Drives:    HDD Total Size: 1070.2GB (28.2% used)
           ID-1: /dev/sda model: WDC_WD2500JB size: 250.1GB
           ID-2: /dev/sdb model: ST3500312CS size: 500.1GB
           ID-3: USB /dev/sdc model: Storage_Device size: 320.1GB
Partition: ID-1: / size: 226G used: 92G (43%) fs: ext4 dev: /dev/sda1
           ID-2: swap-1 size: 4.29GB used: 0.14GB (3%) fs: swap dev: /dev/sda5
RAID:      No RAID devices: /proc/mdstat, md_mod kernel module present
Sensors:   System Temperatures: cpu: 45.0C mobo: 35.0C gpu: 0.0:36C
           Fan Speeds (in rpm): cpu: 2265 sys-1: 2393
Info:      Processes: 216 Uptime: 7 days Memory: 2677.3/3951.1MB
           Init: Upstart runlevel: 2 Gcc sys: 4.8.4
           Client: Shell (bash 4.3.111) inxi: 2.2.28

Any kind of constructive consideration would be welcome. Thanks for reading!
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 2 times in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
नमस्ते = Namaste
I honor the place in you in which the entire universe dwells.
I honor the place in you in which is of love, of truth, of light, and of peace.
When you are in that place in you, and I am in that place in me, we are one.
Amii_Leigh
Level 5
Posts: 724
Joined: Fri Mar 25, 2016 10:58 pm
Location: Somewhere in the middle of nowhere, Missouri

Re: Firejail and my browsers

Post by Amii_Leigh »

It's official. Palemoon, despite running fine before the 'upgrade' to 27.9.1, denies doing anything to make Palemoon not run within Firejail. As a matter of fact, they recommend NOT sandboxing Palemoon, as this will cause 'problems'.
New Tobin Paradigm wrote: I don't know what you expect us to do about it. We didn't create nor have any ties to firejail. Have you asked them? Also, sandboxing Pale Moon is a terrible idea. It can cause issues.
It's odd that I'd never noticed anything about that before now.
greerd
Level 6
Posts: 1060
Joined: Sat Jul 31, 2010 10:58 am
Location: Nova Scotia, Canada

Re: Firejail and my browsers

Post by greerd »

Hey Amii,

I read your post, then decided to update palemoon regardless, because I didn't want to be running an out-of-date browser. Anyway, I got the very same problem.
I tried whitelisting instead of noblacklisting the two entries in my local palemoon.profile, which got rid of the warning about an improper blacklist command, but it still doesn't display. Another strange thing is that it does run, according to System Monitor (with noblacklist or whitelist); it just doesn't display on the desktop.

Guess it's back to FF until this is resolved.
greerd
Level 6
Posts: 1060
Joined: Sat Jul 31, 2010 10:58 am
Location: Nova Scotia, Canada

Re: Firejail and my browsers

Post by greerd »

Well, I got mine going by commenting out tracelog and private-bin palemoon in my local palemoon.profile. Not sure how these two lines affect security though.

EDIT: I only have to comment out tracelog.
Amii_Leigh
Level 5
Posts: 724
Joined: Fri Mar 25, 2016 10:58 pm
Location: Somewhere in the middle of nowhere, Missouri

Re: Firejail and my browsers

Post by Amii_Leigh »

Thank you Greerd. I got more satisfaction here than in the Palemoon forums, that's for sure!
martywd
Level 3
Posts: 147
Joined: Sun May 08, 2011 10:35 am
Location: TX

Re: Firejail and my browsers [SOLVED]

Post by martywd »

FWIW, this 'comment out tracelog' fix has been submitted with a 'pull request' to the Firejail git by 'pizzadude'.

https://github.com/netblue30/firejail/i ... -387892360

xdicey
Level 4
Posts: 469
Joined: Wed Sep 16, 2015 2:42 pm

Re: Firejail and my browsers [SOLVED]

Post by xdicey »

martywd wrote: Wed May 09, 2018 8:00 pm FWIW, this comment out 'tracelog' fix with a 'pull request' has been submitted to the Firejail git by 'pizzadude'.

https://github.com/netblue30/firejail/i ... -387892360

I have this problem but with firefox no longer running in FJ.
How is 'commenting out' done? Just delete the line?

I don't see etc/firefox-common.profile, only /etc/firejail/firefox.profile, then:

caps.drop all
# machine-id breaks pulse audio; it should work fine in setups where sound is not required
#machine-id
netfilter
nodvd
nogroups
nonewprivs
noroot
notv
protocol unix,inet,inet6,netlink
seccomp
shell none
tracelog

What exactly should I do re the tracelog line?
Thanks for any assist.
-QUAD CORE Intel Core i7-4700MQ CPU (-HT-MCP-) 2.40GHz x4
-16GB RAM, 1 TB SSHD
-Graphics Card: Intel 4th Gen Core Processor Integrated Graphics Controller
Amii_Leigh
Level 5
Posts: 724
Joined: Fri Mar 25, 2016 10:58 pm
Location: Somewhere in the middle of nowhere, Missouri

Re: Firejail and my browsers [SOLVED]

Post by Amii_Leigh »

xdicey wrote: Wed May 09, 2018 10:50 pm
martywd wrote: Wed May 09, 2018 8:00 pm FWIW, this comment out 'tracelog' fix with a 'pull request' has been submitted to the Firejail git by 'pizzadude'.

https://github.com/netblue30/firejail/i ... -387892360

I have this problem but with firefox no longer running in FJ.
How is 'commenting out' done? Just delete the line?

I don't see etc/firefox-common.profile, only /etc/firejail/firefox.profile, then:

caps.drop all
# machine-id breaks pulse audio; it should work fine in setups where sound is not required
#machine-id
netfilter
nodvd
nogroups
nonewprivs
noroot
notv
protocol unix,inet,inet6,netlink
seccomp
shell none
#tracelog

What exactly should I do re the tracelog line?
Thanks for any assist.

Just put that # mark in front of the line that has 'tracelog' in it. Be sure to save it before closing the file.
Fred Barclay
Level 12
Posts: 4185
Joined: Sat Sep 13, 2014 11:12 am
Location: USA primarily

Re: Firejail and my browsers [SOLVED]

Post by Fred Barclay »

xdicey wrote: Wed May 09, 2018 10:50 pm How is 'commenting out' done? Just delete the line?
Just add a # to the beginning of the line, for example # tracelog.

You can also try firejail --ignore=tracelog firefox for a quick check if tracelog is indeed the culprit. If this works, then it's tracelog's fault.

Probably I will merge the tracelog fix mentioned above within a few hours. It'll definitely be in the next firejail release (unless we find something wrong or a better way to fix this between now and then, naturally. :mrgreen: )
greerd wrote: Tue May 08, 2018 5:53 pm Well, I got mine going by commenting out tracelog and private-bin palemoon in my local palemoon.profile. Not sure how these two lines affect security though.
tracelog is there to log attempted violations to syslog. For example, if a program tries to access a file or folder that firejail doesn't allow it to, tracelog will see this and log it. It doesn't add any extra security to firejail, but it's useful if you review your system logs or you're trying to debug firejail.

private-bin has more security impact. It limits the visible binaries inside your sandbox to only those in the line. So, for instance, for the example you have, only the launcher for palemoon is visible inside the sandbox. Bash and any other programs can't be started inside the sandbox. This is a good security boost.
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein
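The two fixes discussed in this thread (greerd commenting out tracelog in the profile, Fred Barclay's note that tracelog only logs violations to syslog and adds no containment) can be carried out and checked without hand-editing files each time. The script below is an added example, not code from this thread or from the Firejail project. It assumes the installed Firejail ships profiles that contain an "include <name>.local" line, so that an "ignore tracelog" line in ~/.config/firejail/<name>.local takes effect without touching /etc/firejail, which a package upgrade would overwrite; the demo itself works on a constructed copy of the firefox.profile fragment quoted above, in a temporary directory, so nothing on the system changes.

```shell
#!/bin/sh
# Added example, not code from this thread or from the Firejail project.
# Two ways to disable a profile directive such as "tracelog", plus a check.
# Assumption: the Firejail in use ships profiles with an "include <name>.local"
# line, so "ignore <directive>" in ~/.config/firejail/<name>.local takes effect.

# Prefix "#" to every line that consists of exactly <directive> in <profile>.
# This is the "put a # in front of the line" step from the thread; the edit is
# written to a copy and moved into place so a failed sed leaves the file intact.
# <directive> is assumed to be a plain word (no regex metacharacters).
comment_out_directive() {
    profile="$1"
    directive="$2"
    # Whole-line match only: "#tracelog" (already disabled) and entries such
    # as "noblacklist ${HOME}/tracelog" must not be touched.
    sed "s/^${directive}[[:space:]]*$/#${directive}/" "$profile" > "$profile.tmp" \
        && mv "$profile.tmp" "$profile"
}

# Append "ignore <directive>" to <override_dir>/<name>.local. Unlike an edit to
# /etc/firejail/<name>.profile, the override survives a package upgrade.
write_local_override() {
    override_dir="$1"   # normally "$HOME/.config/firejail" (assumption, see above)
    name="$2"           # profile name, e.g. palemoon or firefox
    directive="$3"
    mkdir -p "$override_dir"
    printf 'ignore %s\n' "$directive" >> "$override_dir/$name.local"
}

# Exit status 0 if <directive> is still active (an uncommented line) in <profile>.
directive_active() {
    profile="$1"
    directive="$2"
    grep -q "^${directive}[[:space:]]*$" "$profile"
}

# Demonstration on a constructed copy of the firefox.profile fragment quoted in
# the thread, in a temporary directory so nothing on the system changes.
demo_dir=$(mktemp -d)
demo_profile="$demo_dir/firefox.profile"
cat > "$demo_profile" <<'EOF'
caps.drop all
#machine-id
netfilter
nonewprivs
noroot
protocol unix,inet,inet6,netlink
seccomp
shell none
tracelog
EOF
comment_out_directive "$demo_profile" tracelog
write_local_override "$demo_dir/config" firefox tracelog
if directive_active "$demo_profile" tracelog; then
    echo "tracelog is still active in $demo_profile"
else
    echo "tracelog commented out; override written to $demo_dir/config/firefox.local"
fi
# On a machine with Firejail installed, the quick culprit check Fred Barclay
# suggests can be run before changing any profile at all:
#   firejail --ignore=tracelog firefox
rm -rf "$demo_dir"
```

Of the two, the .local override is the one to keep long term: it records the change in one place per profile, and the next firejail package update cannot silently re-enable the directive. Leave private-bin alone unless it is actually the line that breaks the browser; as Fred Barclay explains, that one does limit what can be executed inside the sandbox.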
xdicey
Level 4
Posts: 469
Joined: Wed Sep 16, 2015 2:42 pm

Re: Firejail and my browsers [SOLVED]

Post by xdicey »

Just add a # to the beginning of the line, for example # tracelog.

You can also try firejail --ignore=tracelog firefox for a quick check if tracelog is indeed the culprit. If this works, then it's tracelog's fault.
Alas, neither worked. So not tracelog, uh?

Thanks for helping, guys.
greerd
Level 6
Posts: 1060
Joined: Sat Jul 31, 2010 10:58 am
Location: Nova Scotia, Canada

Re: Firejail and my browsers [SOLVED]

Post by greerd »

Fred Barclay wrote: Wed May 09, 2018 11:23 pm
greerd wrote: Tue May 08, 2018 5:53 pm Well, I got mine going by commenting out tracelog and private-bin palemoon in my local palemoon.profile. Not sure how these two lines affect security though.
tracelog is there to log attempted violations to syslog. For example, if a program tries to access a file or folder that firejail doesn't allow it to, tracelog will see this and log it. It doesn't add any extra security to firejail, but it's useful if you review your system logs or you're trying to debug firejail.

private-bin has more security impact. It limits the visible binaries inside your sandbox to only those in the line. So, for instance, for the example you have, only the launcher for palemoon is visible inside the sandbox. Bash and any other programs can't be started inside the sandbox. This is a good security boost.
Thanks for the info. Luckily, only tracelog has to be commented; I edited my post a couple of minutes after I made it, but I should have made it more visible.
greerd
Level 6
Posts: 1060
Joined: Sat Jul 31, 2010 10:58 am
Location: Nova Scotia, Canada

Re: Firejail and my browsers [SOLVED]

Post by greerd »

xdicey wrote: Thu May 10, 2018 1:38 am
Just add a # to the beginning of the line, for example # tracelog.

You can also try firejail --ignore=tracelog firefox for a quick check if tracelog is indeed the culprit. If this works, then it's tracelog's fault.
Alas, neither worked. So not tracelog, uh?

Thanks for helping, guys.
Can you post the output of

firejail firefox

from the terminal? Make sure you quit firefox first.
xdicey
Level 4
Posts: 469
Joined: Wed Sep 16, 2015 2:42 pm

Re: Firejail and my browsers [SOLVED]

Post by xdicey »

Apparently other distros are having the same issue. I'm taking a break from FF while contentedly using Palemoon for the nonce, until FJ or FF come up with a fix.

Thanks all for your help.