Firefox 60.0 and Firejail

Pepi
Level 5
Posts: 932
Joined: Wed Nov 18, 2009 7:47 pm

Firefox 60.0 and Firejail

Post by Pepi »

Appears the new Firefox 60.0 won't work with Firejail. I just get a blank screen without any site connections. Run Firefox 60.0 without Firejail and it works fine.

Sir Charles
Level 7
Posts: 1897
Joined: Thu Jan 04, 2018 1:00 pm

Re: Firefox 60.0 and Firejail

Post by Sir Charles »

+1
:(
I suppose that's one of the ironies of life, doing the wrong thing at the right moment -C.C.

Pepi
Level 5
Posts: 932
Joined: Wed Nov 18, 2009 7:47 pm

Re: Firefox 60.0 and Firejail

Post by Pepi »

FF 60 was supposed to fix the audio problem that FF 59 was having with Firejail :cry: They fixed it all right :mrgreen:

Capella
Level 1
Posts: 17
Joined: Tue Nov 01, 2016 11:48 pm

Re: Firefox 60.0 and Firejail

Post by Capella »

Same here

ttjimera
Level 1
Posts: 31
Joined: Fri Jun 27, 2014 8:47 pm

Re: Firefox 60.0 and Firejail

Post by ttjimera »

I have exactly the same problem after upgrading to FF60. The following message from syslog:

Code:

audit: type=1326 audit(1526046249.391:108): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=31482 comm="firefox" exe="/usr/lib/firefox/firefox" sig=31 arch=c000003e syscall=101 compat=0 ip=0x7f2c638ac65e code=0x0
audit: type=1326 audit(1526046249.528:109): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=31283 comm=4D696E6964756D7020577269746572 exe="/usr/lib/firefox/firefox" sig=31 arch=c000003e syscall=101 compat=0 ip=0x7f2c638ac65e code=0x0

Temporarily have to run without firejail, which kind of defeats the purpose.

trytip
Level 12
Posts: 4254
Joined: Tue Jul 05, 2016 1:20 pm

Re: Firefox 60.0 and Firejail

Post by trytip »

maybe posting an issue at the firejail developer page will get attention to fix this. https://github.com/netblue30/firejail/issues where i see already an issue for FF60

JohnFrumm
Level 2
Posts: 59
Joined: Sun Dec 03, 2017 12:49 pm

Re: Firefox 60.0 and Firejail

Post by JohnFrumm »

same here. And the worst part is I spent hours last weekend configuring firejail to work with FF 59 and it worked great!

Now I am trying to roll back to firefox 59.0, and I cannot figure out how. Never again will I install a new version of firefox via the package manager until I first download it via apt-get!!

Does anyone know a source for v59?
Have you backed up your computer recently?

ttjimera
Level 1
Posts: 31
Joined: Fri Jun 27, 2014 8:47 pm

Re: Firefox 60.0 and Firejail

Post by ttjimera »

Thanks for the link to github. The solution given there is to change seccomp in firefox.profile (in /etc/firejail or ~/.config/firejail whichever you keep your profile files in) to the following:

Code:

seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice

This works for me. It seems to be something in firejail they need to fix, which they will only do in ver. 0.9.54. The version of firejail in Mint 18.3 is 0.9.38.10.
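Added example (not part of any post in this thread, and not firejail's own code): a small Python decoder for the `type=1326` (seccomp) audit records posted earlier in the thread, which also reports whether the killed syscall is named explicitly in the `seccomp.drop` line above. The syscall table is a small x86_64 subset, `@group` entries are not expanded because their membership depends on the firejail version, and all function names are illustrative.

```python
import re

AUDIT_SECCOMP = 1326                      # audit record type for seccomp
AUDIT_ARCH = {0xC000003E: "x86_64"}       # AUDIT_ARCH_X86_64
SIGNALS = {31: "SIGSYS"}                  # raised when a filter kills a call
# x86_64 syscall numbers, small subset only
SYSCALLS_X86_64 = {101: "ptrace", 155: "pivot_root", 161: "chroot",
                   165: "mount", 166: "umount2", 321: "bpf"}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_comm(value):
    """The kernel hex-encodes comm when it holds spaces or control bytes."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value

def parse_seccomp(line):
    """Return a dict for a type=1326 record, None for any other line."""
    f = dict(FIELD.findall(line))
    if f.get("type") != str(AUDIT_SECCOMP):
        return None
    arch = AUDIT_ARCH.get(int(f["arch"], 16), "arch-" + f["arch"])
    nr = int(f["syscall"])
    name = SYSCALLS_X86_64.get(nr) if arch == "x86_64" else None
    return {"pid": int(f["pid"]), "comm": decode_comm(f["comm"]),
            "exe": f["exe"].strip('"'), "arch": arch,
            "signal": SIGNALS.get(int(f["sig"]), f["sig"]),
            "syscall": name or "nr-%d" % nr}

def drop_entries(profile_line):
    """Split 'seccomp.drop a,b,@grp' into (syscall names, @groups)."""
    items = [i.strip() for i in profile_line.split(None, 1)[1].split(",")]
    return ({i for i in items if not i.startswith("@")},
            {i for i in items if i.startswith("@")})

def report(log_lines, profile_line):
    """Pair each seccomp kill with whether the profile names that syscall."""
    names, _groups = drop_entries(profile_line)
    recs = filter(None, map(parse_seccomp, log_lines))
    return [(r["comm"], r["syscall"], r["signal"], r["syscall"] in names)
            for r in recs]

LOG = [  # the two syslog lines posted in the thread
    'audit: type=1326 audit(1526046249.391:108): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=31482 comm="firefox" exe="/usr/lib/firefox/firefox" sig=31 arch=c000003e syscall=101 compat=0 ip=0x7f2c638ac65e code=0x0',
    'audit: type=1326 audit(1526046249.528:109): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=31283 comm=4D696E6964756D7020577269746572 exe="/usr/lib/firefox/firefox" sig=31 arch=c000003e syscall=101 compat=0 ip=0x7f2c638ac65e code=0x0']
DROP = "seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice"
if __name__ == "__main__":
    for row in report(LOG, DROP):
        print("comm=%r syscall=%s signal=%s listed_in_drop=%s" % row)
```

On the thread's data both records decode to `ptrace` killed with `SIGSYS`, the second from a thread named `Minidump Writer`, and `ptrace` is named explicitly in the posted drop list.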

JohnFrumm
Level 2
Posts: 59
Joined: Sun Dec 03, 2017 12:49 pm

Re: Firefox 60.0 and Firejail

Post by JohnFrumm »

ttjimera wrote:
Fri May 11, 2018 11:12 am
Thanks for the link to github. The solution given there is to change seccomp in firefox.profile (in /etc/firejail or ~/.config/firejail whichever you keep your profile files in) to the following:

Code:

seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice

This works for me. It seems to be something in firejail they need to fix, which they will only do in ver. 0.9.54. The version of firejail in Mint 18.3 is 0.9.38.10.

thank you for the fix, unfortunately it did not work for ver. 0.9.53. It works for a few pages, but then for some reason it locks up and crashes.

Gotta move on to doing actual work now... firejail disabled.

Fred Barclay
Level 12
Posts: 4215
Joined: Sat Sep 13, 2014 11:12 am
Location: Swimming

Re: Firefox 60.0 and Firejail

Post by Fred Barclay »

Hi guys, we're working on it. :) We had to change the seccomp filter as @ttjimera, but we've also found that there's another problem (with tracelog).

Please see viewtopic.php?f=47&t=269263&p=1469063#p1469063 for how to fix this.

When firejail 0.9.54 is released, it will contain both fixes and you can delete ~/.config/firejail/firefox.profile

Cheers!
Fred

EDIT: removed profile that will only work for firejail 0.9.54. Got a little ahead of myself here...
Last edited by Fred Barclay on Sun May 13, 2018 1:13 am, edited 2 times in total.
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein

chrisuk
Level 5
Posts: 592
Joined: Thu Jun 12, 2008 6:16 am

Re: Firefox 60.0 and Firejail

Post by chrisuk »

If it helps, @Fred, I've been using Firefox 60 with firejail 0.9.50 without any problems since Wednesday... Debian Stretch based distro though... not tested on Mint or Ubuntu.
Chris

Manjaro MATE - MX Linux - LMDE MATE

AZgl1500
Level 12
Posts: 4092
Joined: Thu Dec 31, 2015 3:20 am
Location: Oklahoma where the wind comes sweeping down the plains
Contact:

Re: Firefox 60.0 and Firejail

Post by AZgl1500 »

So,

what is Firejail, and why do you use it?

Well, Google answered that:
Firejail is a SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.
But, is it all that much needed?
I have used Firefox for 30 years, and not had any problems.
Linux Mint 19.3 Cinnamon

sammiev
Level 4
Posts: 369
Joined: Sat May 19, 2012 12:16 pm

Re: Firefox 60.0 and Firejail

Post by sammiev »

Firefox 60 with firejail 9.52 with no issues to report.

HowardB
Level 1
Posts: 6
Joined: Tue Jan 21, 2014 3:20 am

Re: Firefox 60.0 and Firejail

Post by HowardB »

Glad to hear that I am not the only person who had this problem. I suspected that the problem was the sandbox but couldn't recall for the life of me how I installed it until I found it in the Launcher properties.

AZgl1500
Level 12
Posts: 4092
Joined: Thu Dec 31, 2015 3:20 am
Location: Oklahoma where the wind comes sweeping down the plains
Contact:

Re: Firefox 60.0 and Firejail

Post by AZgl1500 »

just installed Firejail and it is the latest version, so the fix should be taken care of?

Pepi
Level 5
Posts: 932
Joined: Wed Nov 18, 2009 7:47 pm

Re: Firefox 60.0 and Firejail

Post by Pepi »

AZgl1500 wrote:
Fri May 11, 2018 3:39 pm
just installed Firejail and it is the latest version, so the fix should be taken care of?
Didn't work for me :?:

Fred Barclay
Level 12
Posts: 4215
Joined: Sat Sep 13, 2014 11:12 am
Location: Swimming

Re: Firefox 60.0 and Firejail

Post by Fred Barclay »

AZgl1500 wrote:
Fri May 11, 2018 3:39 pm
just installed Firejail and it is the latest version, so the fix should be taken care of?
No, not just yet. The latest version is 0.9.52. The fixes are in 0.9.54, which will be released soon. :)

Fred Barclay
Level 12
Posts: 4215
Joined: Sat Sep 13, 2014 11:12 am
Location: Swimming

Re: Firefox 60.0 and Firejail

Post by Fred Barclay »

AZgl1500 wrote:
Fri May 11, 2018 1:04 pm
But, is it all that much needed?
I have used Firefox for 30 years, and not had any problems.
Well, yes... and no.
Firefox is trustworthy IMHO and I'm not concerned about it being malicious.

That being said, it is a browser and so will be running loads of untrusted code (website scripts, etc) on your machine - and it's huge (and IMHO difficult to thoroughly audit). If a malicious script were to exploit firefox, it could wreak havoc on your personal files (or steal them), etc. Please bear in mind that this is a worst-case scenario. I'm not even remotely suggesting that this is a common or expected occurrence with firefox, only that it is possible. We do know, though, that there have been successful firefox exploits that were capable of stealing ssh keys and other sensitive files, see https://blog.mozilla.org/security/2015/ ... the-wild/ IIRC we tested and verified that this exploit was stopped cold if firefox was running inside firejail.

Firejail locks down your /home/ directory viewable to Firefox to just your Downloads and a few config directories. It also implements seccomp filtering, drops all possible unix capabilities, adds a double layer of protection against attacks that attempt to gain root or additional privileges, and blocks several classes of attacks that rely on exec privileges in your /home or in /tmp. And so on.

Here's a good (and long!) description of what firejail is and does: https://firejail.wordpress.com/document ... sic-usage/

Side note: Firejail isn't just a firefox sandbox. Though that's one of the more common uses, at last count we support ~500 programmes with custom security profiles, and offer a generic, customisable profile for any other programmes. :)

AZgl1500
Level 12
Posts: 4092
Joined: Thu Dec 31, 2015 3:20 am
Location: Oklahoma where the wind comes sweeping down the plains
Contact:

Re: Firefox 60.0 and Firejail

Post by AZgl1500 »

That is enough for me to continue using it then, I also use a 'container' for Facebook.
having FF in a container would be better.

Gruppo Sportivo
Level 3
Posts: 159
Joined: Sun May 28, 2017 4:14 am
Location: Rotterdam (NL)

Re: Firefox 60.0 and Firejail

Post by Gruppo Sportivo »

Testing the first test release in 0.9.54 series, version 0.9.54~rc1-1 gives no problems so far...

Edit:
too quickly concluded after repeatedly switching to other sites firejail stuck (Gecko IO Thread)
