Firejail beta-testers wanted!

Fred Barclay
Level 12
Posts: 4152
Joined: Sat Sep 13, 2014 11:12 am
Location: Bumping around in the bush

Post by Fred Barclay » Wed May 09, 2018 11:35 pm

Hey mates!
We're going to be releasing firejail 0.9.54 soon, and I'd really appreciate anyone who's willing to be a tester for our first rc ("release candidate" - it's a beta release, or the software equivalent of a rough draft).

We've had a big improvement this time around - dbus is now blocked as much as possible! This is great because dbus, while needed by many programs, can sometimes be used to circumvent the security provided by the sandbox. Disabling dbus access is a big step forward for firejail IMHO.

On the other hand, blocking it when it's actually needed can cause some programs to crash. We've found and fixed many of these, but these issues sometimes depend on Linux distro and individual configuration. It would be a nightmare to find and cover every potential issue on our own before the final release of firejail 0.9.54 -- so any help you can provide would be much appreciated!

Sound good? Here's all you need to do to help:
1. Download firejail 0.9.54-rc from https://sourceforge.net/projects/fireja ... /firejail/. If you're using 64-bit Mint, download firejail_0.9.54~rc1_1_amd64.deb, else for 32-bit Mint, please choose firejail_0.9.54~rc1_1_i386.deb.

2. Go to your Downloads folder and double-click the firejail .deb file to launch GDebi. This will guide you through the installation process.

3. Just use firejail as normal! If you notice something has quit working that used to be fine for your previous version, just let me know and we'll try to track it down and fix it. Please also let me know what version of Mint you're using, and if it's 64- or 32-bit. If you're not sure, running inxi -Fxz in your terminal, then posting the output, should give me what I need.

Cheers, and thanks!
Fred
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein

Amii_Leigh
Level 5
Posts: 635
Joined: Fri Mar 25, 2016 10:58 pm
Location: Somewhere in the middle of nowhere, Missouri

Re: Firejail beta-testers wanted!

Post by Amii_Leigh » Thu May 10, 2018 12:07 am

I installed it Fred, I'm going to try it out with all of my browsers too. :)
नमस्ते = Namaste
I honor the place in you in which the entire universe dwells.
I honor the place in you in which is of love, of truth, of light, and of peace.
When you are in that place in you, and I am in that place in me, we are one.

Re: Firejail beta-testers wanted!

Post by Amii_Leigh » Thu May 10, 2018 12:45 am

Waterfox 56.1.0 works!
Seamonkey 2.49.3 works!
Tor 7.5.4 Won't Start, Does not show up in System Monitor
Palemoon:

Code:

$ firejail palemoon
Reading profile /etc/firejail/palemoon.profile
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 23270, child pid 23271
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Blacklist violations are logged to syslog
Child process initialized in 132.18 ms

It's hung at this point.

I'm using

Code:

$ inxi -Fxz
System:    Host: Basically Kernel: 4.4.0-124-generic x86_64 (64 bit gcc: 4.8.4)
           Desktop: Cinnamon 2.8.8 (Gtk 3.10.8~8+qiana)
           Distro: Linux Mint 17.3 Rosa
Machine:   Mobo: ASUSTeK model: P5KPL-CM v: x.xx
           Bios: American Megatrends v: 0602 date: 02/24/2009
CPU:       Dual core Pentium E5300 (-MCP-) cache: 2048 KB
           flags: (lm nx sse sse2 sse3 ssse3 vmx) bmips: 10486
           clock speeds: max: 2600 MHz 1: 1600 MHz 2: 2000 MHz
Graphics:  Card: NVIDIA GK208 [GeForce GT 710B] bus-ID: 01:00.0
           Display Server: X.Org 1.17.1 drivers: nvidia (unloaded: fbdev,vesa,nouveau)
           Resolution: 1280x1024@60.0hz
           GLX Renderer: GeForce GT 710/PCIe/SSE2
           GLX Version: 4.5.0 NVIDIA 384.111 Direct Rendering: Yes
Audio:     Card-1 Intel NM10/ICH7 Family High Definition Audio Controller
           driver: snd_hda_intel bus-ID: 00:1b.0
           Card-2 NVIDIA GK208 HDMI/DP Audio Controller
           driver: snd_hda_intel bus-ID: 01:00.1
           Sound: Advanced Linux Sound Architecture v: k4.4.0-124-generic
Network:   Card: Qualcomm Atheros AR8121/AR8113/AR8114 Gigabit or Fast Ethernet
           driver: ATL1E port: ec00 bus-ID: 02:00.0
           IF: eth1 state: up speed: 100 Mbps duplex: full mac: <filter>
Drives:    HDD Total Size: 1070.2GB (28.6% used)
           ID-1: /dev/sda model: WDC_WD2500JB size: 250.1GB
           ID-2: /dev/sdb model: ST3500312CS size: 500.1GB
           ID-3: USB /dev/sdc model: Storage_Device size: 320.1GB
Partition: ID-1: / size: 226G used: 92G (43%) fs: ext4 dev: /dev/sda1
           ID-2: swap-1 size: 4.29GB used: 0.00GB (0%) fs: swap dev: /dev/sda5
RAID:      No RAID devices: /proc/mdstat, md_mod kernel module present
Sensors:   System Temperatures: cpu: 41.0C mobo: 34.0C gpu: 0.0:36C
           Fan Speeds (in rpm): cpu: 2205 sys-1: 2410
Info:      Processes: 202 Uptime: 1 day Memory: 1914.1/3951.1MB
           Init: Upstart runlevel: 2 Gcc sys: 4.8.4
           Client: Shell (bash 4.3.111) inxi: 2.2.28 

all41
Level 13
Posts: 4720
Joined: Tue Dec 31, 2013 9:12 am
Location: Computer, Car, Cage

Re: Firejail beta-testers wanted!

Post by all41 » Thu May 10, 2018 12:49 am

Hi Fred,
Will this overwrite the current firejail 9.52 installation including ~/.config/firejail?
Proud to be a supporter and monthly contributor to Mint.

Re: Firejail beta-testers wanted!

Post by Fred Barclay » Thu May 10, 2018 12:53 am

all41 wrote:
Thu May 10, 2018 12:49 am
Hi Fred,
Will this overwrite the current firejail 9.52 installation including ~/.config/firejail?

It will overwrite any files in /etc/firejail and other installed files, but ~/.config/firejail will be untouched. :)

Re: Firejail beta-testers wanted!

Post by Fred Barclay » Thu May 10, 2018 12:55 am

Amii_Leigh wrote:
Thu May 10, 2018 12:45 am
Waterfox 56.1.0 works!
Seamonkey 2.49.3 works!
Tor 7.5.4 Won't Start, Does not show up in System Monitor
Palemoon:

Thanks Amii! Could I get you to try starting Tor and Palemoon with the --ignore=tracelog flag? For palemoon this would look like firejail --ignore=tracelog palemoon. Tor will be similar, just replace "palemoon" with whatever your tor launcher is called.

Thanks!

Re: Firejail beta-testers wanted!

Post by Amii_Leigh » Thu May 10, 2018 1:04 am

Palemoon:

Code:

An error occurred while loading or saving configuration information for palemoon. Some of your configuration settings may not work properly.

"No D-BUS daemon running" in separate box.

I'll try to figure out how to start Tor in the terminal.

Re: Firejail beta-testers wanted!

Post by all41 » Thu May 10, 2018 1:27 am

I've got a niggle with this version
$ firejail firefox
Reading profile /home/uno/.config/firejail/firefox.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Error: line 29 in /etc/firejail/firefox-common.profile is invalid

Code:

 ~ $ inxi -Fxz
System:
  Host: Labonline Kernel: 4.4.0-124-generic x86_64 bits: 64 compiler: gcc 
  v: 4.8.4 Desktop: MATE 1.12.0 Distro: Linux Mint 17.3 Rosa   
Machine:
  Type: Desktop System: LENOVO product: 4157D51 v: ThinkStation S20 
  serial: N/A 
  Mobo: LENOVO model: LENOVO serial: N/A BIOS: LENOVO v: 60KT47AUS 
  date: 01/15/2014 
CPU:
  Topology: Quad Core model: Intel Xeon W3550 bits: 64 type: MT MCP 
  arch: Nehalem rev: 5 L2 cache: 8192 KiB 
  flags: lm nx pae sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx bogomips: 48948 
  Speed: 1596 MHz min/max: 1596/3060 MHz Core speeds (MHz): 1: 1596 2: 1729 
  3: 1596 4: 1729 5: 1596 6: 1596 7: 1596 8: 1596 
Graphics:
  Card-1: NVIDIA G96GL [Quadro FX 580] driver: nouveau v: kernel 
  bus ID: 02:00.0 
  Display: server: X.Org 1.17.1 driver: none 
  unloaded: fbdev,modesetting,nouveau,nvidia,vesa resolution: 1920x1080~60Hz 
  OpenGL: renderer: Gallium 0.4 on NV96 v: 3.3 Mesa 10.5.9 
  direct render: Yes 
Audio:
  Card-1: Intel 82801JI HD Audio driver: snd_hda_intel v: kernel 
  bus ID: 00:1b.0 
  Sound Server: ALSA v: k4.4.0-124-generic 
Network:
  Card-1: Intel 82574L Gigabit Network Connection driver: e1000e v: 3.2.6-k 
  port: 3000 bus ID: 04:00.0 
  IF: eth1 state: down mac: <filter> 
  Card-2: Broadcom NetXtreme BCM5755 Gigabit Ethernet PCI Express 
  driver: tg3 v: 3.137 port: N/A bus ID: 05:00.0 
  IF: eth2 state: up speed: 1000 Mbps duplex: full mac: <filter> 
Drives:
  HDD Total Size: 614.73 GiB used: 23.54 GiB (3.8%) 
  ID-1: /dev/sda model: WDC_WD1600HLFS-7 size: 149.01 GiB 
  ID-2: /dev/sdb model: WDC_WD2500AAJS-7 size: 232.83 GiB 
  ID-3: /dev/sdc model: Samsung_SSD_860 size: 232.89 GiB 
Partition:
  ID-1: / size: 71.22 GiB used: 23.54 GiB (33.0%) fs: ext4 dev: /dev/sda5 
Sensors:
  System Temperatures: cpu: 36.0 C mobo: 25.0 C gpu: nouveau temp: 55 C 
  Fan Speeds (RPM): cpu: 1196 fan-1: 0 fan-3: 0 fan-4: 1004 fan-5: 0 
  gpu: nouveau fan: 0 
Info:
  Processes: 230 Uptime: 6m Memory: 15.66 GiB used: 576.1 MiB (3.6%) 
  Init: Upstart runlevel: 2 Compilers: gcc: 4.8.4 Shell: bash v: 4.3.11 
  inxi: 3.0.07

I am getting the same line 29 error when I try firejail palemoon.
I will work with it more tomorrow.

Re: Firejail beta-testers wanted!

Post by Fred Barclay » Thu May 10, 2018 1:53 am

Can you post .config/firejail/firefox.profile? I suspect something is wrong with it. Those imports should only be occurring once.

Re: Firejail beta-testers wanted!

Post by Amii_Leigh » Thu May 10, 2018 1:54 am

I can't figure out where to place the --ignore=tracelog line in the start code for Tor.

Code:

sh -c '"/home/amii/.tor-browser-en/INSTALL/Browser/start-tor-browser" --detach || ([ !  -x "/home/amii/.tor-browser-en/INSTALL/Browser/start-tor-browser" ] && "$(dirname "$*")"/Browser/start-tor-browser --detach)' dummy %k

BUT I will tell you that the Iridium browser starts and runs just fine!

Re: Firejail beta-testers wanted!

Post by Fred Barclay » Thu May 10, 2018 1:57 am

Hi Amii, don't put it in the starting code for tor, but immediately after 'firejail' in the command you use to start it.
So for example, if you do something like firejail /usr/bin/tor-browser-en, just change it to firejail --ignore=tracelog /usr/bin/tor-browser-en.

Great news for iridium, thanks!

Re: Firejail beta-testers wanted!

Post by Amii_Leigh » Thu May 10, 2018 2:29 am

The launch code for Tor won't work like that.

Code:

$ firejail --ignore=tracelog sh -c '"/home/amii/.tor-browser-en/INSTALL/Browser/start-tor-browser" --detach || ([ !  -x "/home/amii/.tor-browser-en/INSTALL/Browser/start-tor-browser" ] && "$(dirname "$*")"/Browser/start-tor-browser --detach)' dummy %k
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc

** Note: you can use --noprofile to disable default.profile **

Parent pid 11924, child pid 11925
Warning: cleaning all supplementary groups
Child process initialized in 47.02 ms
dummy: 1: dummy: /home/amii/.tor-browser-en/INSTALL/Browser/start-tor-browser: Permission denied
dummy: 1: dummy: ./Browser/start-tor-browser: not found

Parent is shutting down, bye...

This code will actually start it:

Code:

$ sh -c '"/home/amii/.tor-browser-en/INSTALL/Browser/start-tor-browser" --detach || ([ !  -x "/home/amii/.tor-browser-en/INSTALL/Browser/start-tor-browser" ] && "$(dirname "$*")"/Browser/start-tor-browser --detach)' dummy %k

Re: Firejail beta-testers wanted!

Post by all41 » Thu May 10, 2018 11:00 am

Fred Barclay wrote:
Thu May 10, 2018 1:53 am
Can you post .config/firejail/firefox.profile? I suspect something is wrong with it. Those imports should only be occurring once.

Yes--it seems to be a .profile issue.
I moved ~/.config/firejail to another location and that took care of FF, but PM is still problematic. If I run firejail --noprofile <path> PM opens and is reported by firejail --list.
This has something to do with PM running entirely from /home.
I chose to not use an installer but just extracted the tarball there.
The path is ~/palemoon and the launch path is ~/palemoon/palemoon.
I remember having to whitelist something in the original version to accommodate this, but don't remember what or where.
So running with no ~/.config/firejail directory these are the terminal results:

Code:

 $ firejail ~/palemoon/palemoon
Reading profile /usr/local/etc/firejail/palemoon.profile
Reading profile /usr/local/etc/firejail/disable-common.inc
Reading profile /usr/local/etc/firejail/disable-devel.inc
Reading profile /usr/local/etc/firejail/disable-programs.inc
Reading profile /usr/local/etc/firejail/whitelist-common.inc
Parent pid 19350, child pid 19351
TESTING warning: noblacklist /home/uno/.moonchild productions/pale moon not matched by a proper blacklist command in disable*.inc
Blacklist violations are logged to syslog
Child process initialized in 60.90 ms
Error: no suitable /home/uno/palemoon/palemoon executable found

Parent is shutting down, bye...

I am using PM for this response via terminal with the --noprofile flag.

Code:

$ firejail --noprofile /home/uno/palemoon/palemoon
Parent pid 19205, child pid 19206
Child process initialized in 17.66 ms

(pale moon:2): GLib-GObject-WARNING **: Attempt to add property GnomeProgram::sm-connect after class was initialised

(pale moon:2): GLib-GObject-WARNING **: Attempt to add property GnomeProgram::show-crash-dialog after class was initialised

(pale moon:2): GLib-GObject-WARNING **: Attempt to add property GnomeProgram::display after class was initialised

(pale moon:2): GLib-GObject-WARNING **: Attempt to add property GnomeProgram::default-icon after class was initialised

Hey Fred---Thanks for your help.

Re: Firejail beta-testers wanted!

Post by Fred Barclay » Thu May 10, 2018 11:23 am

Try this profile for palemoon (save in ~/.config/firejail/palemoon.profile):

Code:

# Firejail profile for palemoon
# This file is overwritten after every install/update
# Persistent local customizations
include /etc/firejail/palemoon.local
# Persistent global definitions
include /etc/firejail/globals.local

noblacklist ${HOME}/.cache/moonchild productions/pale moon
noblacklist ${HOME}/.moonchild productions/pale moon

mkdir ${HOME}/palemoon
mkdir ${HOME}/.cache/moonchild productions/pale moon
mkdir ${HOME}/.moonchild productions
mkdir ${HOME}/palemoon
whitelist ${HOME}/.cache/moonchild productions/pale moon
whitelist ${HOME}/.moonchild productions

# Palemoon can use the full firejail seccomp filter (unlike firefox >= 60)
ignore seccomp.drop
seccomp

#private-bin palemoon
# private-etc must first be enabled in firefox-common.profile
#private-etc palemoon
#private-opt palemoon

# Redirect
include /etc/firejail/firefox-common.profile

The only difference from the default palemoon profile is the addition of the mkdir ${HOME}/palemoon and mkdir ${HOME}/palemoon lines - they just allow firejail to see the path to your palemoon executable.

If it still fails, then try adding --ignore=tracelog, like firejail --ignore=tracelog ~/palemoon/palemoon.

Do you have a lot of profiles in ~/.config/firejail? I'd look them over and toss out any that you don't need to be customized.

Re: Firejail beta-testers wanted!

Post by all41 » Thu May 10, 2018 12:14 pm

no joy with that profile even with ignore=tracelog,
and even when your suggested profile is the only resident in ~/.config/firejail directory.

My impression is there is something about the PM executable being in a directory firejail is trying to sandbox.
So I worked around this by removing ~/.config/firejail directory completely and moved ~/palemoon to ~/Downloads.
Firejail launches PM fine with the PM directory there (because the parent directory is not sandboxed?--- not sure).

When I get a little more time I will search out how we mitigated this originally. I have it somewhere. I think it was a whitelist entry.
When this is squared away I will recreate the ~/.config/firejail profiles
Thanks again--good luck with the project.

martywd
Level 3
Posts: 146
Joined: Sun May 08, 2011 10:35 am
Location: TX

Re: Firejail beta-testers wanted!

Post by martywd » Thu May 10, 2018 12:21 pm

Linux Mint 18.3 MATE 64-bit
4.15.0-20-generic #21~16.04.1-Ubuntu SMP Wed Apr 25 02:42:04 UTC 2018 x86_64
Firejail 0.9.54~rc1-1
Pale Moon 27.9.1 (27.9.1~repack-1 amd64) [steve pusser's build]
tor 7.5.4 (based on Mozilla Firefox 52.8.0) (64-bit) [direct download tor's website]
firefox-esr 52.7.3esr-1~16.04.york (64-bit) [PPA: Jonathon F]
vivaldi-stable 1.15.1147.36-1 (64-bit) [.deb package initially downloaded from https://vivaldi.com/download/]

In summary:
Pale Moon
'firejail palemoon' from the command line fails. (no surprise)
'firejail --ignore=tracelog palemoon' from the command line succeeds.
Or adding 'ignore tracelog' to a modified '~/.config/firejail/palemoon.profile' file also works. I.e.

Code:


...
ignore tracelog

# Redirect
include /etc/firejail/firefox-common.profile

...

Also to note:
With 'private-bin palemoon' un-commented in the modified '~/.config/firejail/palemoon.profile', 'firejail palemoon' from the command line (or launched from a modified 'Exec=firejail palemoon' line in a *.desktop file) also succeeds.

Code:

...
private-bin palemoon
# private-etc must first be enabled in firefox-common.profile
#private-etc palemoon
#private-opt palemoon
...

tor (no modified profile file)
No issues running either of these commands from the command line:

Code:

firejail ~/.local/opt/tor-browser_en-US/Browser/start-tor-browser

--or--

Code:

firejail sh -c '"/home/marty/.local/opt/tor-browser_en-US/Browser/start-tor-browser" --detach || ([ !  -x "/home/marty/.local/opt/tor-browser_en-US/Browser/start-tor-browser" ] && "$(dirname "$*")"/Browser/start-tor-browser --detach)' dummy %k

Also tor launches if I add 'firejail' to the 'Exec' line in the 'start-tor-browser.desktop' file:

Code:

Exec=firejail sh -c '"/home/marty/.local/opt/tor-browser_en-US/Browser/start-tor-browser" --detach || ([ !  -x "/home/marty/.local/opt/tor-browser_en-US/Browser/start-tor-browser" ] && "$(dirname "$*")"/Browser/start-tor-browser --detach)' dummy %k

firefox-esr (no modified profile file)
Seems to run ok. I don't use this very much.

vivaldi-stable (no modified profile file)
Sync functionality, while experimental, _was_syncing_ without issues using 'firejail' install from [Reiner Herrmann's PPA] (0.9.52-2~0ubuntu16.04.1)

NOW, with this latest firejail, syncing in vivaldi-stable is disabled! .... Workaround?
Output from the command line:

Code:

firejail vivaldi-stable 
Reading profile /etc/firejail/vivaldi-stable.profile
Reading profile /etc/firejail/vivaldi.profile
Reading profile /etc/firejail/chromium-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 22837, child pid 22838
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Child process initialized in 78.22 ms
/usr/bin/vivaldi-stable: line 87: /dev/fd/62: No such file or directory
/usr/bin/vivaldi-stable: line 88: /dev/fd/62: No such file or directory
[6:25:0510/104623.129006:ERROR:address_tracker_linux.cc(174)] Could not bind NETLINK socket: Address already in use (98)
[6:67:0510/104623.180816:ERROR:bus.cc(394)] Failed to connect to the bus: Could not parse server address: Unknown address type (examples of valid types are "tcp" and on UNIX "unix")
[6:32:0510/104623.180933:ERROR:in_progress_cache_impl.cc(93)] Could not read download entries from file because there was a read failure.
Gkr-Message: couldn't connect to dbus session bus: Could not parse server address: Unknown address type (examples of valid types are "tcp" and on UNIX "unix")
ATTENTION: default value of option force_s3tc_enable overridden by environment.
[6:198:0510/104624.811417:ERROR:leveldb_database.cc(311)] Failed to open LevelDB database from /home/marty/.config/vivaldi/Default/Storage/ext/mpognobbkildjkofajifpdfhcoklimli/def/IndexedDB/chrome-extension_mpognobbkildjkofajifpdfhcoklimli_0.indexeddb.leveldb,IO error: /home/marty/.config/vivaldi/Default/Storage/ext/mpognobbkildjkofajifpdfhcoklimli/def/IndexedDB/chrome-extension_mpognobbkildjkofajifpdfhcoklimli_0.indexeddb.leveldb/LOCK: No further details. (ChromeMethodBFE: 15::LockFile::1)
[6:198:0510/104624.811706:ERROR:indexed_db_backing_store.cc(951)] Unable to open backing store, not trying to recover - IO error: /home/marty/.config/vivaldi/Default/Storage/ext/mpognobbkildjkofajifpdfhcoklimli/def/IndexedDB/chrome-extension_mpognobbkildjkofajifpdfhcoklimli_0.indexeddb.leveldb/LOCK: No further details. (ChromeMethodBFE: 15::LockFile::1)
[6:198:0510/104625.821382:ERROR:leveldb_database.cc(311)] Failed to open LevelDB database from /home/marty/.config/vivaldi/Default/Storage/ext/mpognobbkildjkofajifpdfhcoklimli/def/IndexedDB/chrome-extension_mpognobbkildjkofajifpdfhcoklimli_0.indexeddb.leveldb,IO error: /home/marty/.config/vivaldi/Default/Storage/ext/mpognobbkildjkofajifpdfhcoklimli/def/IndexedDB/chrome-extension_mpognobbkildjkofajifpdfhcoklimli_0.indexeddb.leveldb/LOCK: No further details. (ChromeMethodBFE: 15::LockFile::1)
[6:198:0510/104625.821827:ERROR:indexed_db_backing_store.cc(951)] Unable to open backing store, not trying to recover - IO error: /home/marty/.config/vivaldi/Default/Storage/ext/mpognobbkildjkofajifpdfhcoklimli/def/IndexedDB/chrome-extension_mpognobbkildjkofajifpdfhcoklimli_0.indexeddb.leveldb/LOCK: No further details. (ChromeMethodBFE: 15::LockFile::1)
^C
Parent received signal 2, shutting down the child process...

Parent is shutting down, bye...

Child received signal 15, shutting down the sandbox...
marty@phobos ~ $ [6:6:0510/104628.518275:ERROR:zygote_communication_linux.cc(281)] Failed to send GetTerminationStatus message to zygote
[6:6:0510/104628.524910:ERROR:zygote_communication_linux.cc(281)] Failed to send GetTerminationStatus message to zygote
[6:6:0510/104628.525904:ERROR:zygote_communication_linux.cc(281)] Failed to send GetTerminationStatus message to zygote
[6:6:0510/104628.526685:ERROR:zygote_communication_linux.cc(281)] Failed to send GetTerminationStatus message to zygote
[6:6:0510/104628.527582:ERROR:zygote_communication_linux.cc(281)] Failed to send GetTerminationStatus message to zygote
[6:6:0510/104628.528278:ERROR:zygote_communication_linux.cc(281)] Failed to send GetTerminationStatus message to zygote
[6:6:0510/104628.529245:ERROR:zygote_communication_linux.cc(281)] Failed to send GetTerminationStatus message to zygote
[6:6:0510/104628.530058:ERROR:zygote_communication_linux.cc(281)] Failed to send GetTerminationStatus message to zygote
[6:6:0510/104628.530726:ERROR:zygote_communication_linux.cc(281)] Failed to send GetTerminationStatus message to zygote
[6:6:0510/104628.531398:ERROR:zygote_communication_linux.cc(281)] Failed to send GetTerminationStatus message to zygote
[6:6:0510/104628.534472:ERROR:zygote_communication_linux.cc(281)] Failed to send GetTerminationStatus message to zygote
[6:6:0510/104628.535517:ERROR:zygote_communication_linux.cc(281)] Failed to send GetTerminationStatus message to zygote
[6:45:0510/104628.579998:ERROR:browser_gpu_channel_host_factory.cc(120)] Failed to launch GPU process.
^C

I guess that's all I got?

................................

Edit to add...
I notice now, that after quitting/exiting 'vivaldi-stable', processes are still showing up

Code:

firejail --tree
4412:marty::firejail vivaldi-stable 
  4413:marty::firejail vivaldi-stable 
    4419:marty::/opt/vivaldi/vivaldi-bin
      4428: (zombie)
      4429: (zombie)
      4430: (zombie)
      4431: (zombie)
      4434:marty::/opt/vivaldi/vivaldi-bin --type=zygote 
        4436:marty::/opt/vivaldi/vivaldi-bin --type=zygote 
          4562: (zombie)
          4588: (zombie)
.

Re: Firejail beta-testers wanted!

Post by Fred Barclay » Thu May 10, 2018 1:24 pm

@martywd Thanks for the detailed report! Does sync work with Vivaldi if you use firejail --ignore=nodbus vivaldi-stable?

Re: Firejail beta-testers wanted!

Post by martywd » Thu May 10, 2018 2:17 pm

Fred Barclay wrote:
Thu May 10, 2018 1:24 pm
@martywd Thanks for the detailed report! Does sync work with Vivaldi if you use firejail --ignore=nodbus vivaldi-stable?

Yes! 'vivaldi-stable' syncing does work using your suggested command.

And FWIW the command line output start to quit:
$ firejail --ignore=nodbus vivaldi-stable
Reading profile /etc/firejail/vivaldi-stable.profile
Reading profile /etc/firejail/vivaldi.profile
Reading profile /etc/firejail/chromium-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 16649, child pid 16650
Child process initialized in 59.53 ms
/usr/bin/vivaldi-stable: line 87: /dev/fd/62: No such file or directory
/usr/bin/vivaldi-stable: line 88: /dev/fd/62: No such file or directory
[6:34:0510/131039.631001:ERROR:in_progress_cache_impl.cc(93)] Could not read download entries from file because there was a read failure.
ATTENTION: default value of option force_s3tc_enable overridden by environment.

Parent is shutting down, bye...


.
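
The startup logs posted in this thread carry three recurring signals: a profile read more than once (with a copy under ~/.config/firejail involved), an invalid profile line, and D-Bus connection failures under the new blocking. The following is an added example, not code from any poster or from the firejail project, that scans a pasted log for them; the finding labels are made up here and the sample input is excerpted from output posted above.

```shell
#!/bin/sh
# Added example: triage firejail startup output pasted into a bug report.
# The finding labels (USER_OVERRIDE, DUP_INCLUDE, ...) are made up for this example.

# Reads a firejail terminal log on stdin, prints one finding per line.
triage_firejail_log() {
    awk '
    { sub(/\r$/, "") }                      # tolerate CRLF from copy and paste
    /^Reading profile / {
        path = substr($0, length("Reading profile ") + 1)
        # A profile under ~/.config/firejail shadows the one shipped in /etc/firejail.
        if (path ~ /\/\.config\/firejail\//) user[++nuser] = path
        # Report each profile once, the second time it is read.
        if (++seen[path] == 2) dup[++ndup] = path
        next
    }
    /^Error: line [0-9]+ in .* is invalid/ {
        file = $0
        sub(/^Error: line [0-9]+ in /, "", file)
        sub(/ is invalid.*$/, "", file)
        invalid[++ninv] = file ":" $3       # $3 is the line number
        next
    }
    /abstract unix socket for session D-BUS might still be available/ { abstract = 1 }
    /Failed to connect to the bus|connect to dbus session bus|No D-BUS daemon running/ { dbus++ }
    END {
        for (i = 1; i <= nuser; i++) print "USER_OVERRIDE " user[i]
        for (i = 1; i <= ndup; i++)  print "DUP_INCLUDE " dup[i]
        for (i = 1; i <= ninv; i++)  print "INVALID_LINE " invalid[i]
        if (abstract) print "DBUS_ABSTRACT_SOCKET_WARNING"
        if (dbus)     print "DBUS_CONNECT_FAILED " dbus
    }'
}

# Excerpt of the "firejail firefox" output posted by all41.
sample_dup_log() {
cat <<'EOF'
Reading profile /home/uno/.config/firejail/firefox.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Error: line 29 in /etc/firejail/firefox-common.profile is invalid
EOF
}

# Excerpt of the "firejail vivaldi-stable" output posted by martywd (sync broken).
sample_dbus_log() {
cat <<'EOF'
Reading profile /etc/firejail/vivaldi-stable.profile
Reading profile /etc/firejail/vivaldi.profile
Reading profile /etc/firejail/chromium-common.profile
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
[6:67:0510/104623.180816:ERROR:bus.cc(394)] Failed to connect to the bus: Could not parse server address: Unknown address type (examples of valid types are "tcp" and on UNIX "unix")
Gkr-Message: couldn't connect to dbus session bus: Could not parse server address: Unknown address type (examples of valid types are "tcp" and on UNIX "unix")
EOF
}

# Excerpt of the "firejail --ignore=nodbus vivaldi-stable" output (sync working).
sample_ignore_nodbus_log() {
cat <<'EOF'
Reading profile /etc/firejail/vivaldi-stable.profile
Reading profile /etc/firejail/vivaldi.profile
Reading profile /etc/firejail/chromium-common.profile
Parent pid 16649, child pid 16650
Child process initialized in 59.53 ms

Parent is shutting down, bye...
EOF
}

echo "== firefox, user profile present =="
sample_dup_log | triage_firejail_log
echo "== vivaldi-stable, default profile =="
sample_dbus_log | triage_firejail_log
echo "== vivaldi-stable, --ignore=nodbus =="
sample_ignore_nodbus_log | triage_firejail_log
```

A USER_OVERRIDE together with DUP_INCLUDE findings points at a stale copy under ~/.config/firejail, and DBUS_CONNECT_FAILED marks a program that wanted the session bus, which is the case where --ignore=nodbus was tried in this thread.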

Re: Firejail beta-testers wanted!

Post by Fred Barclay » Fri May 11, 2018 11:42 am

Amii_Leigh, how do you normally start tor with firejail?

Flemur
Level 16
Posts: 6118
Joined: Mon Aug 20, 2012 9:41 pm
Location: Potemkin Village

Re: Firejail beta-testers wanted!

Post by Flemur » Fri May 11, 2018 1:47 pm

Making it easier to download would be nice. Auto-download didn't work and the "direct link" resulted in a file named firejail_0.9.54~rc1_1_amd64.deb?r=https%3A%2F%2Fsourceforge.net%2Fprojects%2Ffirejail%2Ffiles%2Ffirejail%2Ffirejail_0.9.54%7Erc1_1_amd64.deb%2Fdownload%3Fuse_mirror%3Dcytranet
Please edit your original post title to include [SOLVED] if/when it is solved!
Your data and OS are backed up....right?
Mint 18.3 Xfce/fluxbox/pulse-less
Xubuntu 17.10/fluxbox/pulse-less
