Firejail beta-testers wanted!

slipstick
Level 5
Posts: 774
Joined: Sun Oct 21, 2012 9:56 pm
Location: Somewhere on the /LL0 scale

Re: Firejail beta-testers wanted!

Post by slipstick » Tue May 15, 2018 4:21 am

Additional information: I can open text files in Leafpad or LibreOffice Writer by right-clicking on the file and selecting "Open with" from the context menu, but not by clicking "Open with Text Editor". I get the same behavior whether trying to open the files from Nemo or from Double Commander. PDF files can't be opened with Document Viewer, but will open with ImageMagick or GIMP.
In theory, theory and practice are the same. In practice, they ain't.

Fred Barclay
Level 12
Posts: 4147
Joined: Sat Sep 13, 2014 11:12 am
Location: Bumping around in the bush

Re: Firejail beta-testers wanted!

Post by Fred Barclay » Tue May 15, 2018 11:15 pm

Hmmm... @slipstick, can you also run firecfg --list and post output?
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein

Fred Barclay
Level 12
Posts: 4147
Joined: Sat Sep 13, 2014 11:12 am
Location: Bumping around in the bush

Re: Firejail beta-testers wanted!

Post by Fred Barclay » Tue May 15, 2018 11:29 pm

Amii_Leigh wrote:
Sun May 13, 2018 6:45 pm
Fred Barclay wrote:
Sun May 13, 2018 1:05 am


I'll try and get a firejail tor test for you to run within the next 8 hours or so, Amii, if you're willing.
Sure! It's not like I have a life or anything, lol :lol:
Haha, and sorry for the super-late reply! Had a family member go in the hospital. :(

Let's try this:

Code: Select all

cd /home/amii/.tor-browser-en/
firejail --profile=/etc/firejail/start-tor-browser.profile ./start-tor-browser.desktop
The tor browser bundle looks to be kinda persnickety about how you run it and doesn't want to start (at least for me) unless I've first cd'ed into the tor directory.

If this doesn't work, can you post the output of ls /home/amii/.tor-browser-en/?
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein

slipstick
Level 5
Posts: 774
Joined: Sun Oct 21, 2012 9:56 pm
Location: Somewhere on the /LL0 scale

Re: Firejail beta-testers wanted!

Post by slipstick » Tue May 15, 2018 11:38 pm

Fred Barclay wrote:
Tue May 15, 2018 11:15 pm
Hmmm... @slipstick, can you also run firecfg --list and post output?

Code: Select all

steve@steve-Z97X ~ $ firecfg --list
/usr/local/bin/xreader-previewer
/usr/local/bin/lofromtemplate
/usr/local/bin/keepassxc
/usr/local/bin/gimp-2.8
/usr/local/bin/localc
/usr/local/bin/loweb
/usr/local/bin/gucharmap
/usr/local/bin/lodraw
/usr/local/bin/display
/usr/local/bin/cvlc
/usr/local/bin/catfish
/usr/local/bin/pix
/usr/local/bin/loimpress
/usr/local/bin/gimp
/usr/local/bin/loffice
/usr/local/bin/lowriter
/usr/local/bin/thunderbird
/usr/local/bin/gnome-calculator
/usr/local/bin/xplayer
/usr/local/bin/baobab
/usr/local/bin/lobase
/usr/local/bin/rhythmbox
/usr/local/bin/xcalc
/usr/local/bin/simple-scan
/usr/local/bin/wget
/usr/local/bin/xviewer
/usr/local/bin/xplayer-video-thumbnailer
/usr/local/bin/mate-color-select
/usr/local/bin/soffice
/usr/local/bin/ebook-viewer
/usr/local/bin/xreader
/usr/local/bin/xfburn
/usr/local/bin/dnsmasq
/usr/local/bin/pdftotext
/usr/local/bin/vlc
/usr/local/bin/gnome-font-viewer
/usr/local/bin/firefox
/usr/local/bin/ssh
/usr/local/bin/hexchat
/usr/local/bin/pidgin
/usr/local/bin/strings
/usr/local/bin/xplayer-audio-preview
/usr/local/bin/file-roller
/usr/local/bin/leafpad
/usr/local/bin/lomath
/usr/local/bin/transmission-gtk
/usr/local/bin/enchant
/usr/local/bin/chromium-browser
/usr/local/bin/libreoffice
/usr/local/bin/xreader-thumbnailer
/usr/local/bin/calibre
/usr/local/bin/xed
/usr/local/bin/less
/usr/local/bin/enchant-lsmod
steve@steve-Z97X ~ $ 
By the way, I think when I installed this 0.9.54~rc2 version, I forgot to first delete the old 0.9.38.10 version. Should I do

Code: Select all

sudo apt-get purge firejail
and then reinstall the latest version?
In theory, theory and practice are the same. In practice, they ain't.

Fred Barclay
Level 12
Posts: 4147
Joined: Sat Sep 13, 2014 11:12 am
Location: Bumping around in the bush

Re: Firejail beta-testers wanted!

Post by Fred Barclay » Tue May 15, 2018 11:47 pm

slipstick wrote:
Tue May 15, 2018 11:38 pm
By the way, I think when I installed this 0.9.54~rc2 version, I forgot to first delete the old 0.9.38.10 version. Should I do

Code: Select all

sudo apt-get purge firejail
and then reinstall the latest version?
Probably a good idea - but first, please run sudo firecfg --clean to remove the symbolic links in /usr/local/bin.
Then after reinstalling firejail, you can run sudo firecfg to add them back if you want.
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein

Amii_Leigh
Level 5
Posts: 635
Joined: Fri Mar 25, 2016 10:58 pm
Location: Somewhere in the middle of nowhere, Missouri

Re: Firejail beta-testers wanted!

Post by Amii_Leigh » Wed May 16, 2018 12:11 am

This is the terminal output as Tor ran:

Code: Select all

$ cd /home/amii/.tor-browser-en/
amii@Basically ~/.tor-browser-en $ firejail --profile=/etc/firejail/start-tor-browser.profile ./start-tor-browser.desktop
Reading profile /etc/firejail/start-tor-browser.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 20638, child pid 20639
Warning: skipping crypto-policies for private /etc
Warning: skipping alsa for private /etc
Warning: skipping asound.conf for private /etc
Warning: skipping machine-id for private /etc
Private /etc installed in 298.57 ms
17 programs installed in 319.48 ms
Blacklist violations are logged to syslog
Child process initialized in 709.04 ms
Error: no suitable ./start-tor-browser.desktop executable found

Parent is shutting down, bye...
Then the result of the command you had me run:

Code: Select all

 ls /home/amii/.tor-browser-en/
BACKUP  INSTALL  LOG  VERSION
नमस्ते = Namaste
I honor the place in you in which the entire universe dwells.
I honor the place in you in which is of love, of truth, of light, and of peace.
When you are in that place in you, and I am in that place in me, we are one.

slipstick
Level 5
Posts: 774
Joined: Sun Oct 21, 2012 9:56 pm
Location: Somewhere on the /LL0 scale

Re: Firejail beta-testers wanted!

Post by slipstick » Wed May 16, 2018 12:16 am

Fred Barclay wrote:
Tue May 15, 2018 11:47 pm
Probably a good idea - but first, please run sudo firecfg --clean to remove the symbolic links in /usr/local/bin.
Then after reinstalling firejail, you can run sudo firecfg to add them back if you want.
I ran

Code: Select all

sudo firecfg --clean
, then ran

Code: Select all

sudo apt-get purge firejail
At the end, I got this message: "while removing firejail, directory /etc/firejail not empty, so not removed"
I saw that this directory only had one six byte file "firejail.users" which contained only my user name, so I deleted the file and directory.
Then I ran

Code: Select all

cd Downloads
to get into the directory where I have the firejail deb file, then

Code: Select all

sudo dpkg -i firejail_0.9.54~rc2_1_amd64.deb
then

Code: Select all

firecfg --fix-sound
then logged out and back in, then ran

Code: Select all

sudo firecfg
I checked to see if the problem persists, and it does - no change.
I then added the whitelist statements in firefox.cfg and thunderbird.cfg (because my FF and TB profiles are on another partition) so I could access email and FF.

So, in summary, that didn't fix the problem.
In theory, theory and practice are the same. In practice, they ain't.

Mintedfake
Level 1
Posts: 25
Joined: Wed Sep 17, 2014 6:17 am

Re: Firejail beta-testers wanted!

Post by Mintedfake » Wed May 16, 2018 6:09 am

I seem to have become a(n unqualified) beta tester. I seem to have similar problems to slipstick. Running Firefox from a terminal and trying to open a .pdf file gives

Warning: an existing sandbox was detected. /usr/bin/firefox will run without any additional sandboxing features

(firefox:9): LIBDBUSMENU-GLIB-WARNING **: Unable to get session bus: Unknown or unsupported transport 'DBUS_SESSION_BUS_ADDRESS=unix' for address 'DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus'

(firefox:9): LIBDBUSMENU-GLIB-WARNING **: Unable to get session bus: Unknown or unsupported transport

(gimp-2.8:249): LibGimpBase-WARNING **: gimp-2.8: gimp_wire_read(): err'DBUS_SESSION_BUS_ADDRESS=unix' for address 'DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus'

(xreader:172): EggSMClient-WARNING **: Failed to connect to the session manager: None of the authentication protocols specified are supported

Failed to get bus connection: Unknown or unsupported transport 'DBUS_SESSION_BUS_ADDRESS=unix' for address 'DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus'

(xreader:181): EggSMClient-WARNING **: Failed to connect to the session manager: None of the authentication protocols specified are supported

Failed to get bus connection: Unknown or unsupported transport 'DBUS_SESSION_BUS_ADDRESS=unix' for address 'DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus'

Like slipstick, I can open the .pdf in Gimp using the open with dialogue although I get numerous warnings in the terminal, which I could list if desired.

slipstick
Level 5
Posts: 774
Joined: Sun Oct 21, 2012 9:56 pm
Location: Somewhere on the /LL0 scale

Re: Firejail beta-testers wanted!

Post by slipstick » Fri May 18, 2018 2:39 am

I purged the rc2 version and installed the new firejail_0.9.54_1_amd64.deb which just became available and I had the same problem. So I removed the following symlinks from /usr/local/bin:
xed
xreader
xreader-previewer
xreader-thumbnailer
and now I can open text files and pdf files by clicking on them in Nemo. I don't know if it was necessary to delete those last two links, but just deleted every link with xreader to be sure. I haven't done enough testing to see if there are any other problems, but so far, so good. I may not be quite as "protected" this way, but at least my system isn't broken.
In theory, theory and practice are the same. In practice, they ain't.

Fred Barclay
Level 12
Posts: 4147
Joined: Sat Sep 13, 2014 11:12 am
Location: Bumping around in the bush

Re: Firejail beta-testers wanted!

Post by Fred Barclay » Fri May 18, 2018 12:57 pm

slipstick wrote:
Fri May 18, 2018 2:39 am
I purged the rc2 version and installed the new firejail_0.9.54_1_amd64.deb which just became available and I had the same problem. So I removed the following symlinks from /usr/local/bin:
xed
xreader
xreader-previewer
xreader-thumbnailer
and now I can open text files and pdf files by clicking on them in Nemo. I don't know if it was necessary to delete those last two links, but just deleted every link with xreader to be sure. I haven't done enough testing to see if there are any other problems, but so far, so good. I may not be quite as "protected" this way, but at least my system isn't broken.
Hmm... yeah, sounds like something might be broken on our end. I'll set up a Mint VM and see what I get.
You're running Mint 18.3 Cinnamon, right?
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein

slipstick
Level 5
Posts: 774
Joined: Sun Oct 21, 2012 9:56 pm
Location: Somewhere on the /LL0 scale

Re: Firejail beta-testers wanted!

Post by slipstick » Fri May 18, 2018 1:24 pm

Fred Barclay wrote:
Fri May 18, 2018 12:57 pm
You're running Mint 18.3 Cinnamon, right?
Right - the output of my inxi -Fxz is about a dozen posts above. I'm surprised that there haven't been a lot of complaints about this. I don't think there's anything particularly unique about my system. After installing (separate /, /home, and Data partitions) I added the multimedia support package, HPLIP for my printer/scanner, xsane, apcupsd, Aptik, Back-in-time, catfish, double-commander, Gnome-calculator, p7-zip, Chromium, Grsync, Keepassxc, psensors, encfs manager, calibre, dconfEditor, xfburn, Zenmap - all pretty standard stuff. I'm not using any special themes or fancy eye-candy on the desktop.
In theory, theory and practice are the same. In practice, they ain't.

Fred Barclay
Level 12
Posts: 4147
Joined: Sat Sep 13, 2014 11:12 am
Location: Bumping around in the bush

Re: Firejail beta-testers wanted!

Post by Fred Barclay » Fri May 18, 2018 3:10 pm

@slipstick Duplicated and fixed on my VM, and I'll report this to upstream. Thanks!
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein

slipstick
Level 5
Posts: 774
Joined: Sun Oct 21, 2012 9:56 pm
Location: Somewhere on the /LL0 scale

Re: Firejail beta-testers wanted!

Post by slipstick » Fri May 18, 2018 9:42 pm

Found another problem - can't play mp4 videos by clicking on them from Nemo. Removing all the xplayer symlinks from /usr/local/bin solved this one.
In theory, theory and practice are the same. In practice, they ain't.

Fred Barclay
Level 12
Posts: 4147
Joined: Sat Sep 13, 2014 11:12 am
Location: Bumping around in the bush

Re: Firejail beta-testers wanted!

Post by Fred Barclay » Sat May 19, 2018 12:10 am

slipstick, thanks! These have been fixed as follows:
xreader: https://github.com/netblue30/firejail/c ... d31ef6e3ba
xed: https://github.com/netblue30/firejail/c ... 1dd2b19e3d
xplayer: https://github.com/netblue30/firejail/c ... 2b5ad63942

The xed and xplayer issues had the same root cause - we weren't aware that they required python and had blocked access to it.
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein

slipstick
Level 5
Posts: 774
Joined: Sun Oct 21, 2012 9:56 pm
Location: Somewhere on the /LL0 scale

Re: Firejail beta-testers wanted!

Post by slipstick » Sat May 19, 2018 3:06 pm

I ran "sudo firecfg --clean" and then "sudo firecfg" to restore all the symlinks that I had deleted. Then I decided to manually enter the changes you listed in your post above:
xplayer.profile - the change worked
xed.profile - change failed, but after I changed the line "noblacklist /usr/lib/python3" to "noblacklist /usr/lib/python3*" (wildcard added at end), it worked (uses python 3.5 ?)
xreader.profile - change failed, I have no solution
In theory, theory and practice are the same. In practice, they ain't.

Fred Barclay
Level 12
Posts: 4147
Joined: Sat Sep 13, 2014 11:12 am
Location: Bumping around in the bush

Re: Firejail beta-testers wanted!

Post by Fred Barclay » Sat May 19, 2018 4:01 pm

slipstick wrote:
Sat May 19, 2018 3:06 pm
"noblacklist /usr/lib/python3*" (wildcard added at end), it worked (uses python 3.5 ?)
Good catch - it's a typo. I'll get that fixed. :)
xreader.profile - change failed, I have no solution
What is the output of xreader (if you have symlinks in /usr/local/bin from firecfg) or firejail xreader if you don't have symlinks (e.g. after running firecfg --clean)?
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein
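
The wildcard fix discussed in the two posts above, shown as an added example that is not part of the thread or of firejail's own code. It assumes firejail compares each path a blacklist rule expands to with the profile's noblacklist patterns by glob matching where `*` does not cross `/`; the sample paths, the xed config line and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not firejail code): simplified model of noblacklist matching.
# Assumption: each path a blacklist rule expands to is compared with every
# noblacklist pattern by glob matching in which '*' never crosses a '/'.

# Constructed sample: what "blacklist /usr/lib/python3*" could expand to on a
# system with Python 3.5.
BLACKLISTED_PATHS='/usr/lib/python3
/usr/lib/python3.5'

# Profile fragments; the xed config line is constructed, the python3 lines
# are the two variants quoted in the thread.
PROFILE_TYPO='noblacklist ${HOME}/.config/xed
noblacklist /usr/lib/python3'
PROFILE_FIXED='noblacklist ${HOME}/.config/xed
noblacklist /usr/lib/python3*'

# Count the '/' characters in $1.
slashes() { printf '%s' "$1" | tr -cd '/' | wc -c | tr -d ' '; }

# Read profile text on stdin, print the pattern of every noblacklist line.
noblacklist_patterns() {
    while read -r keyword pattern rest; do
        if [ "$keyword" = "noblacklist" ]; then printf '%s\n' "$pattern"; fi
    done
}

# Succeed when path $1 is exempted by a pattern in the newline list $2.
is_exempt() {
    path=$1
    set -f                      # keep patterns literal: no pathname expansion
    for pat in $2; do
        # '*' must not cross '/', so path and pattern need equal depth
        [ "$(slashes "$path")" = "$(slashes "$pat")" ] || continue
        case $path in
            $pat) set +f; return 0 ;;
        esac
    done
    set +f
    return 1
}

# Print the sample blacklisted paths that stay blocked under profile text $1.
still_blocked() {
    patterns=$(printf '%s\n' "$1" | noblacklist_patterns)
    for p in $BLACKLISTED_PATHS; do
        is_exempt "$p" "$patterns" || printf '%s\n' "$p"
    done
}

echo "typo:  $(still_blocked "$PROFILE_TYPO" | tr '\n' ' ')"
echo "fixed: $(still_blocked "$PROFILE_FIXED" | tr '\n' ' ')"
```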

slipstick
Level 5
Posts: 774
Joined: Sun Oct 21, 2012 9:56 pm
Location: Somewhere on the /LL0 scale

Re: Firejail beta-testers wanted!

Post by slipstick » Sat May 19, 2018 4:39 pm

xplayer has the same typo, even though it works with the typo.

Output of xreader (with symlinks from firecfg, and change from 3 posts above applied)

Code: Select all

steve@steve-Z97X ~ $ xreader
Reading profile /etc/firejail/xreader.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Parent pid 24346, child pid 24347
Private /etc installed in 8.37 ms
3 programs installed in 4.92 ms
Blacklist violations are logged to syslog
Child process initialized in 63.59 ms

Parent is shutting down, bye...
steve@steve-Z97X ~ $ 
and here is my modified xreader.profile

Code: Select all

# Firejail profile for xreader
# This file is overwritten after every install/update
# Persistent local customizations
include /etc/firejail/xreader.local
# Persistent global definitions
include /etc/firejail/globals.local

noblacklist ${HOME}/.cache/xreader
noblacklist ${HOME}/.config/xreader
# noblacklist ${HOME}/.local/share

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-interpreters.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc

# Breaks xreader on Mint 18.3
# include /etc/firejail/whitelist-var-common.inc
 

# apparmor
caps.drop all
no3d
nodvd
nogroups
nonewprivs
noroot
nosound
notv
novideo
protocol unix
seccomp
shell none
tracelog

private-bin xreader,xreader-previewer,xreader-thumbnailer
private-dev
private-etc fonts,ld.so.cache
private-tmp

memory-deny-write-execute
noexec ${HOME}
noexec /tmp
In theory, theory and practice are the same. In practice, they ain't.

absque fenestris
Level 5
Posts: 559
Joined: Sat Nov 12, 2016 8:42 pm
Location: Confoederatio Helvetica

Re: Firejail beta-testers wanted!

Post by absque fenestris » Sat May 19, 2018 9:01 pm

32-bit/firejail_0.9.54_rc2_1_i386.deb

No problems with Vivaldi & Firefox 60.0.1
Linux Mint 18.3 Sylvia (Mate) 32-bit - Acer D250 Netbook (Intel Atom N270, 2 GB RAM, 120 GB SSD)

trytip
Level 8
Posts: 2054
Joined: Tue Jul 05, 2016 1:20 pm

Re: Firejail beta-testers wanted!

Post by trytip » Sat May 19, 2018 11:18 pm

@Fred Barclay
How do you uninstall firejail built from source? The instructions on the page are good for installation, but if I want to try different version sources I need to quickly uninstall.

Fred Barclay
Level 12
Posts: 4147
Joined: Sat Sep 13, 2014 11:12 am
Location: Bumping around in the bush

Re: Firejail beta-testers wanted!

Post by Fred Barclay » Sun May 20, 2018 12:41 pm

trytip wrote:
Sat May 19, 2018 11:18 pm
@Fred Barclay
How do you uninstall firejail built from source? The instructions on the page are good for installation, but if I want to try different version sources I need to quickly uninstall.
Depends if you built a deb from source or did make install.

If you did something like ./configure --prefix=/usr && make deb and then installed the firejail*.deb, then you can just use

Code: Select all

sudo apt-get --purge autoremove firejail
If you did something like ./configure --prefix=/usr && make && make install (or make install-strip), then if you still have the source code lying around on your hard drive, just open a terminal in the source folder and run

Code: Select all

sudo make uninstall
If you don't still have the source, it's a bit trickier as it depends on exactly what configuration options you used to build and install. Go ahead and get the latest source with

Code: Select all

git clone https://github.com/netblue30/firejail.git && cd firejail
Then the most likely commands for uninstall would be

Code: Select all

./configure --prefix=/usr
make
sudo make uninstall
Cheers!
Fred
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein
