[SOLVED] Firejail Won't Sandbox Dissenter Browser (Snap Packages)


Post by user73 » Fri Oct 04, 2019 4:39 pm

So I've just installed the Dissenter Browser from here.

The browser works fine, but I can't seem to figure out how to sandbox it with Firejail. I tried mimicking the instructions for Firefox Browser from Easy Linux Tips, realizing in the process that I've been running Firefox without sandbox the whole time because you actually have to launch it from the desktop, but:

1. It won't even launch from the desktop icon.

2. It spits this out if I try to do a one-off launch from the terminal:

Code:

firejail env BAMF_DESKTOP_FILE_HINT=/var/lib/snapd/desktop/applications/dissenter-browser_dissenter.desktop /snap/bin/dissenter-browser.dissenter %U

Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc

** Note: you can use --noprofile to disable default.profile **

Parent pid 20619, child pid 20620
Warning: cleaning all supplementary groups
Child process initialized in 73.30 ms
2019/10/04 15:27:29.085873 cmd_run.go:884: WARNING: cannot create user data directory: cannot create "/home/jpbaiocchi/snap/dissenter-browser/5": mkdir /home/jpbaiocchi/snap/dissenter-browser: permission denied
need to run as root or suid

Parent is shutting down, bye...


I don't know if Firejail is working with Firefox either. Firefox launches from desktop with no problem, but when I try to check the status with firejail --tree, I either get nothing or a few lines of ambiguous, but innocuous-looking code.

Should mention I did do a fresh install of Firejail using the latest LTS version, although I had to remove the existing, official repo version to do so (missed that in the instructions too apparently). An overwrite wouldn't work.

EDIT: Here's a breakdown of the system-

Code:

~$ inxi -Fxzd
System:    Host: BRUISER Kernel: 4.15.0-65-generic x86_64 bits: 64 gcc: 7.4.0
           Desktop: Cinnamon 3.8.9 (Gtk 3.22.30-1ubuntu4) Distro: Linux Mint 19 Tara
Machine:   Device: desktop Mobo: ASUSTeK model: SABERTOOTH 990FX R2.0 v: Rev 1.xx serial: N/A
           UEFI: American Megatrends v: 2103 date: 11/06/2013
Battery    hidpp__0: charge: N/A condition: NA/NA Wh model: Logitech Wireless Keyboard K330 status: Discharging
           hidpp__1: charge: N/A condition: NA/NA Wh
           model: Logitech Wireless Mouse M215 2nd Gen status: Discharging
CPU:       8 core AMD FX-8350 Eight-Core (-MCP-) arch: Bulldozer rev.0 cache: 16384 KB
           flags: (lm nx sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3 svm) bmips: 64215
           clock speeds: max: 4000 MHz 1: 1403 MHz 2: 1403 MHz 3: 1394 MHz 4: 1403 MHz 5: 1443 MHz 6: 1405 MHz
           7: 1403 MHz 8: 1403 MHz
Graphics:  Card: NVIDIA GK107 [GeForce GT 640] bus-ID: 06:00.0
           Display Server: x11 (X.Org 1.19.6 ) drivers: nvidia (unloaded: modesetting,fbdev,vesa,nouveau)
           Resolution: 1920x1080@60.00hz
           OpenGL: renderer: GeForce GT 640/PCIe/SSE2 version: 4.6.0 NVIDIA 390.116 Direct Render: Yes
Audio:     Card-1 NVIDIA GK107 HDMI Audio Controller driver: snd_hda_intel bus-ID: 06:00.1
           Card-2 Advanced Micro Devices [AMD/ATI] SBx00 Azalia (Intel HDA)
           driver: snd_hda_intel bus-ID: 00:14.2
           Sound: Advanced Linux Sound Architecture v: k4.15.0-65-generic
Network:   Card-1: Realtek RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller
           driver: r8169 v: 2.3LK-NAPI port: b000 bus-ID: 0a:00.0
           IF: enp10s0 state: down mac: <filter>
           Card-2: D-Link System DWA-125 Wireless N 150 Adapter(rev.A2) [Ralink RT3070]
           driver: rt2800usb v: 2.3.0 usb-ID: 002-002
           IF: wlx1cbdb932dc46 state: N/A mac: N/A
Drives:    HDD Total Size: 3100.1GB (15.0% used)
           ID-1: /dev/sda model: ST2000DM001 size: 2000.4GB
           ID-2: /dev/sdb model: WDC_WD800JD size: 80.0GB
           ID-3: USB /dev/sdc model: USB_DISK_2.0 size: 15.5GB
           ID-4: USB /dev/sdd model: Flash_Disk size: 4.0GB
           ID-5: USB /dev/sde model: Elements_1048 size: 1000.2GB
           Optical-1: /dev/sr0 model: ATAPI iHAS324   W rev: HL16 dev-links: cdrom,cdrw,dvd,dvdrw
           Features: speed: 125x multisession: yes
           audio: yes dvd: yes rw: cd-r,cd-rw,dvd-r,dvd-ram state: running
Partition: ID-1: / size: 21G used: 16G (79%) fs: ext4 dev: /dev/sdb1
           ID-2: /home size: 37G used: 24G (68%) fs: ext4 dev: /dev/sdb3
           ID-3: swap-1 size: 17.58GB used: 0.00GB (0%) fs: swap dev: /dev/sdb2
RAID:      No RAID devices: /proc/mdstat, md_mod kernel module present
Sensors:   System Temperatures: cpu: 20.1C mobo: N/A gpu: 0.0:38C
           Fan Speeds (in rpm): cpu: 0
Info:      Processes: 255 Uptime: 8 min Memory: 1369.9/32068.1MB Init: systemd runlevel: 5 Gcc sys: 7.4.0
           Client: Shell (bash 4.4.201) inxi: 2.3.56 
Last edited by user73 on Sat Oct 05, 2019 12:51 pm, edited 2 times in total.


Post by JoeFootball » Fri Oct 04, 2019 5:00 pm

user73 wrote: I don't know if Firejail is working with Firefox either.
Does firejail --list return your active sandboxes?

Joe


Post by pbear » Sat Oct 05, 2019 12:58 am

You're using Cinnamon, right? (You should include system info with each thread.)
If so, take a look at this post by xenopeek, which explains how to do a symlink launcher.

Post by user73 » Sat Oct 05, 2019 11:45 am

JoeFootball wrote: Does firejail --list return your active sandboxes?

I don't know whether this means it's working or not.

Code:

$ firejail --list
6221:[username]::firejail firefox 


Post by smurphos » Sat Oct 05, 2019 12:06 pm

Firejail doesn't support sandboxing snap apps as far as I know... https://github.com/netblue30/firejail/issues/2397

Post by JoeFootball » Sat Oct 05, 2019 12:14 pm

user73 wrote: I don't know whether this means it's working or not.

Code:

$ firejail --list
6221:[username]::firejail firefox

It's working. That particular sandbox session is parent pid number 6221, via your username, with firefox running. :)

Joe


Post by user73 » Sat Oct 05, 2019 12:49 pm

Okay, thanks guys. That clears things up.

To Future Reader: The layman's takeaway is that snap packages, such as my Dissenter Browser, cannot be directly sandboxed, which was what I was trying to do. You can technically sandbox the software that executes the packages, but not the packages themselves. Sandboxing the software won't sandbox the packages, but it doesn't really matter since snaps have their own version of sandboxing built in. Firejail was conflicting with the existing protections of the package, which is why it couldn't launch. Long story short: For the time being, you don't need to sandbox snaps.
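
Added example, not part of the thread and not Firejail's own code: a shell helper that reads firejail --list output in the pid:user:name:command form quoted above and reports whether a launcher is already running in a sandbox, or is a snap entry point under /snap/bin that the thread concludes should be left to snapd's confinement. The function names, the user alice and the sample listing are constructed for illustration, and skipping env and VAR=value words when locating the program name is a heuristic.

```shell
#!/bin/sh
# Added example; the sample listing and all function names are constructed.

# Print the parent PID of each sandbox whose command runs program $1.
# stdin: `firejail --list` lines in the form pid:user:name:command
sandbox_pids() {
    prog=$1
    while IFS=: read -r pid user name cmd; do
        case $pid in ''|*[!0-9]*) continue ;; esac    # not a sandbox entry
        for word in $cmd; do
            case $word in
                firejail|env|-*|*=*) continue ;;      # wrapper, options, VAR=value (heuristic)
            esac
            # First remaining word is the sandboxed program; compare basenames.
            if [ "${word##*/}" = "$prog" ]; then echo "$pid"; fi
            break
        done
    done
}

# True for snap entry points such as the /snap/bin/... launcher in the thread.
is_snap_launcher() {
    case $1 in
        /snap/bin/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify a launcher: "snap", "firejail:<pid>" or "unsandboxed".
confinement_of() {
    launcher=$1
    listing=$2
    if is_snap_launcher "$launcher"; then
        echo snap            # leave to snapd's confinement, per the thread
        return 0
    fi
    pids=$(printf '%s\n' "$listing" | sandbox_pids "${launcher##*/}")
    if [ -n "$pids" ]; then echo "firejail:$pids"; else echo unsandboxed; fi
}

# Constructed sample in the format of the output quoted in the thread.
SAMPLE_LIST='6221:alice::firejail firefox
7040:alice:mail:firejail --name=mail /usr/bin/thunderbird'

confinement_of /usr/bin/firefox "$SAMPLE_LIST"
confinement_of /snap/bin/dissenter-browser.dissenter "$SAMPLE_LIST"
```

On a live system, pass the real listing as the second argument, for example confinement_of /usr/bin/firefox "$(firejail --list)".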
