
Re: Firejail beta-testers wanted!

Posted: Tue May 15, 2018 4:21 am
by slipstick
Additional information: I can open text files in Leafpad or LibreOffice Writer by right clicking on the file and selecting "Open with" from the context menu, but not by clicking "Open with Text Editor". I get the same behavior whether trying to open the files from Nemo or from Double Commander. pdf files can't be opened with Document Viewer, but will open with Image Magick or GIMP.

Re: Firejail beta-testers wanted!

Posted: Tue May 15, 2018 11:15 pm
by Fred Barclay
Hmmm... @slipstick, can you also run firecfg --list and post output?

Re: Firejail beta-testers wanted!

Posted: Tue May 15, 2018 11:29 pm
by Fred Barclay
Amii_Leigh wrote:
Sun May 13, 2018 6:45 pm
Fred Barclay wrote:
Sun May 13, 2018 1:05 am


I'll try and get a firejail tor test for you to run within the next 8 hours or so, Amii, if you're willing.
Sure! It's not like I have a life or anything, lol :lol:
Haha, and sorry for the super-late reply! Had a family member go in the hospital. :(

Let's try this:

Code: Select all

cd /home/amii/.tor-browser-en/
firejail --profile=/etc/firejail/start-tor-browser.profile ./start-tor-browser.desktop
The tor browser bundle looks to be kinda persnickety about how you run it and doesn't want to start (at least for me) unless I've first cd'ed into the tor directory.

If this doesn't work, can you post the output of ls /home/amii/.tor-browser-en/?

Re: Firejail beta-testers wanted!

Posted: Tue May 15, 2018 11:38 pm
by slipstick
Fred Barclay wrote:
Tue May 15, 2018 11:15 pm
Hmmm... @slipstick, can you also run firecfg --list and post output?

Code: Select all

steve@steve-Z97X ~ $ firecfg --list
/usr/local/bin/xreader-previewer
/usr/local/bin/lofromtemplate
/usr/local/bin/keepassxc
/usr/local/bin/gimp-2.8
/usr/local/bin/localc
/usr/local/bin/loweb
/usr/local/bin/gucharmap
/usr/local/bin/lodraw
/usr/local/bin/display
/usr/local/bin/cvlc
/usr/local/bin/catfish
/usr/local/bin/pix
/usr/local/bin/loimpress
/usr/local/bin/gimp
/usr/local/bin/loffice
/usr/local/bin/lowriter
/usr/local/bin/thunderbird
/usr/local/bin/gnome-calculator
/usr/local/bin/xplayer
/usr/local/bin/baobab
/usr/local/bin/lobase
/usr/local/bin/rhythmbox
/usr/local/bin/xcalc
/usr/local/bin/simple-scan
/usr/local/bin/wget
/usr/local/bin/xviewer
/usr/local/bin/xplayer-video-thumbnailer
/usr/local/bin/mate-color-select
/usr/local/bin/soffice
/usr/local/bin/ebook-viewer
/usr/local/bin/xreader
/usr/local/bin/xfburn
/usr/local/bin/dnsmasq
/usr/local/bin/pdftotext
/usr/local/bin/vlc
/usr/local/bin/gnome-font-viewer
/usr/local/bin/firefox
/usr/local/bin/ssh
/usr/local/bin/hexchat
/usr/local/bin/pidgin
/usr/local/bin/strings
/usr/local/bin/xplayer-audio-preview
/usr/local/bin/file-roller
/usr/local/bin/leafpad
/usr/local/bin/lomath
/usr/local/bin/transmission-gtk
/usr/local/bin/enchant
/usr/local/bin/chromium-browser
/usr/local/bin/libreoffice
/usr/local/bin/xreader-thumbnailer
/usr/local/bin/calibre
/usr/local/bin/xed
/usr/local/bin/less
/usr/local/bin/enchant-lsmod
steve@steve-Z97X ~ $ 
By the way, I think when I installed this 0.9.54~rc2 version, I forgot to first delete the old 0.9.38.10 version. Should I do

Code: Select all

sudo apt-get purge firejail
and then reinstall the latest version?

Re: Firejail beta-testers wanted!

Posted: Tue May 15, 2018 11:47 pm
by Fred Barclay
slipstick wrote:
Tue May 15, 2018 11:38 pm
By the way, I think when I installed this 0.9.54~rc2 version, I forgot to first delete the old 0.9.38.10 version. Should I do

Code: Select all

sudo apt-get purge firejail
and then reinstall the latest version?
Probably a good idea - but first, please run sudo firecfg --clean to remove the symbolic links in /usr/local/bin.
Then after reinstalling firejail, you can run sudo firecfg to add them back if you want.

Re: Firejail beta-testers wanted!

Posted: Wed May 16, 2018 12:11 am
by Amii_Leigh
This is the terminal output as Tor ran:

Code: Select all

$ cd /home/amii/.tor-browser-en/
amii@Basically ~/.tor-browser-en $ firejail --profile=/etc/firejail/start-tor-browser.profile ./start-tor-browser.desktop
Reading profile /etc/firejail/start-tor-browser.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 20638, child pid 20639
Warning: skipping crypto-policies for private /etc
Warning: skipping alsa for private /etc
Warning: skipping asound.conf for private /etc
Warning: skipping machine-id for private /etc
Private /etc installed in 298.57 ms
17 programs installed in 319.48 ms
Blacklist violations are logged to syslog
Child process initialized in 709.04 ms
Error: no suitable ./start-tor-browser.desktop executable found

Parent is shutting down, bye...
Then the result of the command you had me run:

Code: Select all

 ls /home/amii/.tor-browser-en/
BACKUP  INSTALL  LOG  VERSION

Re: Firejail beta-testers wanted!

Posted: Wed May 16, 2018 12:16 am
by slipstick
Fred Barclay wrote:
Tue May 15, 2018 11:47 pm
Probably a good idea - but first, please run sudo firecfg --clean to remove the symbolic links in /usr/local/bin.
Then after reinstalling firejail, you can run sudo firecfg to add them back if you want.
I ran

Code: Select all

sudo firecfg --clean
, then ran

Code: Select all

sudo apt-get purge firejail
At the end, I got this message: "while removing firejail, directory /etc/firejail not empty, so not removed"
I saw that this directory only had one six byte file "firejail.users" which contained only my user name, so I deleted the file and directory.
Then I ran

Code: Select all

cd Downloads
to get into the directory where I have the firejail deb file, then

Code: Select all

sudo dpkg -i firejail_0.9.54~rc2_1_amd64.deb
then

Code: Select all

firecfg --fix-sound
then logged out and back in, then ran

Code: Select all

sudo firecfg
I checked to see if the problem persists, and it does - no change.
I then added the whitelist statements in firefox.cfg and thunderbird.cfg (because my FF and TB profiles are on another partition) so I could access email and FF.

So, in summary, that didn't fix the problem.

Re: Firejail beta-testers wanted!

Posted: Wed May 16, 2018 6:09 am
by Mintedfake
I seem to have become a(n unqualified) beta tester. I seem to have similar problems to slipstick. Running Firefox from a terminal and trying to open a .pdf file gives

Warning: an existing sandbox was detected. /usr/bin/firefox will run without any additional sandboxing features

(firefox:9): LIBDBUSMENU-GLIB-WARNING **: Unable to get session bus: Unknown or unsupported transport 'DBUS_SESSION_BUS_ADDRESS=unix' for address 'DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus'

(firefox:9): LIBDBUSMENU-GLIB-WARNING **: Unable to get session bus: Unknown or unsupported transport

(gimp-2.8:249): LibGimpBase-WARNING **: gimp-2.8: gimp_wire_read(): err'DBUS_SESSION_BUS_ADDRESS=unix' for address 'DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus'

(xreader:172): EggSMClient-WARNING **: Failed to connect to the session manager: None of the authentication protocols specified are supported

Failed to get bus connection: Unknown or unsupported transport 'DBUS_SESSION_BUS_ADDRESS=unix' for address 'DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus'

(xreader:181): EggSMClient-WARNING **: Failed to connect to the session manager: None of the authentication protocols specified are supported

Failed to get bus connection: Unknown or unsupported transport 'DBUS_SESSION_BUS_ADDRESS=unix' for address 'DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus'

Like slipstick, I can open the .pdf in Gimp using the open with dialogue although I get numerous warnings in the terminal, which I could list if desired.

Re: Firejail beta-testers wanted!

Posted: Fri May 18, 2018 2:39 am
by slipstick
I purged the rc2 version and installed the new firejail_0.9.54_1_amd64.deb which just became available and I had the same problem. So I removed the following symlinks from /usr/local/bin:
xed
xreader
xreader-previewer
xreader-thumbnailer
and now I can open text files and pdf files by clicking on them in Nemo. I don't know if it was necessary to delete those last two links, but just deleted every link with xreader to be sure. I haven't done enough testing to see if there are any other problems, but so far, so good. I may not be quite as "protected" this way, but at least my system isn't broken.
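
Added example (not part of the original post and not firejail code): a check for which programs are still launched through a firecfg symlink after some links have been deleted by hand. It assumes firecfg-style links, meaning a symlink named after the program that points at the firejail binary; the scratch directory and its contents are constructed.

```sh
#!/bin/sh
# Added example, not firejail code. Assumes firecfg-style links: a symlink
# named after the program that points at the firejail binary.

# via_firejail DIR NAME: succeed if DIR/NAME is a symlink to .../firejail
via_firejail() {
    [ -L "$1/$2" ] || return 1
    case $(readlink "$1/$2") in
        firejail|*/firejail) return 0 ;;
        *) return 1 ;;
    esac
}

# unsandboxed DIR NAME...: print each NAME that is not routed through firejail
unsandboxed() (
    dir=$1; shift
    for name in "$@"; do
        via_firejail "$dir" "$name" || printf '%s\n' "$name"
    done
)

# Constructed sample: a scratch directory standing in for /usr/local/bin
demo_links() (
    d=$(mktemp -d) || exit 1
    ln -s /usr/bin/firejail "$d/firefox"
    ln -s /usr/bin/firejail "$d/leafpad"
    ln -s /usr/bin/xplayer "$d/xplayer"   # a symlink, but not to firejail
    : > "$d/xed"                          # a regular file, not a link
    unsandboxed "$d" firefox leafpad xed xreader xplayer
    rm -rf "$d"
)
demo_links
```

On a real system, `unsandboxed /usr/local/bin xed xreader xplayer` lists the programs that currently start without the sandbox wrapper.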

Re: Firejail beta-testers wanted!

Posted: Fri May 18, 2018 12:57 pm
by Fred Barclay
slipstick wrote:
Fri May 18, 2018 2:39 am
I purged the rc2 version and installed the new firejail_0.9.54_1_amd64.deb which just became available and I had the same problem. So I removed the following symlinks from /usr/local/bin:
xed
xreader
xreader-previewer
xreader-thumbnailer
and now I can open text files and pdf files by clicking on them in Nemo. I don't know if it was necessary to delete those last two links, but just deleted every link with xreader to be sure. I haven't done enough testing to see if there are any other problems, but so far, so good. I may not be quite as "protected" this way, but at least my system isn't broken.
Hmm... yeah, sounds like something might be broken on our end. I'll set up a Mint VM and see what I get.
You're running Mint 18.3 Cinnamon, right?

Re: Firejail beta-testers wanted!

Posted: Fri May 18, 2018 1:24 pm
by slipstick
Fred Barclay wrote:
Fri May 18, 2018 12:57 pm
You're running Mint 18.3 Cinnamon, right?
Right - the output of my inxi -Fxz is about a dozen posts above. I'm surprised that there haven't been a lot of complaints about this. I don't think there's anything particularly unique about my system. After installing (separate /, /home, and Data partitions) I added the multimedia support package, HPLIP for my printer/scanner, xsane, apcupsd, Aptik, Back-in-time, catfish, double-commander, Gnome-calculator, p7-zip, Chromium, Grsync, Keepassxc, psensors, encfs manager, calibre, dconfEditor, xfburn, Zenmap - all pretty standard stuff. I'm not using any special themes or fancy eye-candy on the desktop.

Re: Firejail beta-testers wanted!

Posted: Fri May 18, 2018 3:10 pm
by Fred Barclay
@slipstick Duplicated and fixed on my VM, and I'll report this to upstream. Thanks!

Re: Firejail beta-testers wanted!

Posted: Fri May 18, 2018 9:42 pm
by slipstick
Found another problem - can't play mp4 videos by clicking on them from Nemo. Removing all the xplayer symlinks from /usr/local/bin solved this one.

Re: Firejail beta-testers wanted!

Posted: Sat May 19, 2018 12:10 am
by Fred Barclay
slipstick, thanks! These have been fixed as follows:
xreader: https://github.com/netblue30/firejail/c ... d31ef6e3ba
xed: https://github.com/netblue30/firejail/c ... 1dd2b19e3d
xplayer: https://github.com/netblue30/firejail/c ... 2b5ad63942

The xed and xplayer issues had the same root cause - we weren't aware that they required python and had blocked access to it.

Re: Firejail beta-testers wanted!

Posted: Sat May 19, 2018 3:06 pm
by slipstick
I ran "sudo firecfg --clean" and then "sudo firecfg" to restore all the symlinks that I had deleted. Then I decided to manually enter the changes you listed in your post above:
xplayer.profile - the change worked
xed.profile - change failed, but after I changed the line "noblacklist /usr/lib/python3" to "noblacklist /usr/lib/python3*" (wildcard added at end), it worked (uses python 3.5 ?)
xreader.profile - change failed, I have no solution
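
Added example (not part of the original posts and not firejail code): a small linter for the wildcard problem described above, which flags noblacklist entries that exempt a path but miss its versioned siblings. It assumes noblacklist patterns are matched against paths as shell-style globs; the sample profile and path list are constructed.

```sh
#!/bin/sh
# Added example, not firejail code. Assumption: a noblacklist pattern is
# matched against paths as a shell-style glob, so "/usr/lib/python3" does
# not cover "/usr/lib/python3.5".

# lint_noblacklist PROFILE PATHS: for every noblacklist entry without a
# trailing wildcard, print the listed paths it would only cover with one.
lint_noblacklist() (
    profile=$1; paths=$2
    sed -n 's/^[[:space:]]*noblacklist[[:space:]][[:space:]]*//p' "$profile" |
    while IFS= read -r pat; do
        case $pat in *\*) continue ;; esac
        while IFS= read -r p; do
            case $p in
                $pat|$pat/*) ;;   # the path itself or something below it
                $pat*) printf '%s misses %s\n' "$pat" "$p" ;;
            esac
        done < "$paths"
    done
)

# Constructed sample profile and path list (hypothetical, not from the thread)
demo_lint() (
    t=$(mktemp -d) || exit 1
    cat > "$t/sample.profile" <<'EOF'
noblacklist ${HOME}/.config/xed
# noblacklist ${HOME}/.local/share
noblacklist /usr/lib/python3
noblacklist /usr/bin/python3*
include /etc/firejail/disable-interpreters.inc
EOF
    cat > "$t/paths" <<'EOF'
/usr/bin/python3.5
/usr/lib/python2.7
/usr/lib/python3
/usr/lib/python3/dist-packages
/usr/lib/python3.5
EOF
    lint_noblacklist "$t/sample.profile" "$t/paths"
    rm -rf "$t"
)
demo_lint
```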

Re: Firejail beta-testers wanted!

Posted: Sat May 19, 2018 4:01 pm
by Fred Barclay
slipstick wrote:
Sat May 19, 2018 3:06 pm
"noblacklist /usr/lib/python3*" (wildcard added at end), it worked (uses python 3.5 ?)
Good catch - it's a typo. I'll get that fixed. :)
xreader.profile - change failed, I have no solution
What is the output of xreader (if you have symlinks in /usr/local/bin from firecfg) or firejail xreader if you don't have symlinks (e.g. after running firecfg --clean)?

Re: Firejail beta-testers wanted!

Posted: Sat May 19, 2018 4:39 pm
by slipstick
xplayer has the same typo, even though it works with the typo.

Output of xreader (with symlinks from firecfg, and change from 3 posts above applied)

Code: Select all

steve@steve-Z97X ~ $ xreader
Reading profile /etc/firejail/xreader.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Parent pid 24346, child pid 24347
Private /etc installed in 8.37 ms
3 programs installed in 4.92 ms
Blacklist violations are logged to syslog
Child process initialized in 63.59 ms

Parent is shutting down, bye...
steve@steve-Z97X ~ $ 
and here is my modified xreader.profile

Code: Select all

# Firejail profile for xreader
# This file is overwritten after every install/update
# Persistent local customizations
include /etc/firejail/xreader.local
# Persistent global definitions
include /etc/firejail/globals.local

noblacklist ${HOME}/.cache/xreader
noblacklist ${HOME}/.config/xreader
# noblacklist ${HOME}/.local/share

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-interpreters.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc

# Breaks xreader on Mint 18.3
# include /etc/firejail/whitelist-var-common.inc
 

# apparmor
caps.drop all
no3d
nodvd
nogroups
nonewprivs
noroot
nosound
notv
novideo
protocol unix
seccomp
shell none
tracelog

private-bin xreader,xreader-previewer,xreader-thumbnailer
private-dev
private-etc fonts,ld.so.cache
private-tmp

memory-deny-write-execute
noexec ${HOME}
noexec /tmp

Re: Firejail beta-testers wanted!

Posted: Sat May 19, 2018 9:01 pm
by absque fenestris
32-bit/firejail_0.9.54_rc2_1_i386.deb

No problems with Vivaldi & Firefox 60.0.1

Re: Firejail beta-testers wanted!

Posted: Sat May 19, 2018 11:18 pm
by trytip
@Fred Barclay
How do you uninstall firejail built from source? The instructions on the page are good for installation, but if I want to try different version sources I need to quickly uninstall.

Re: Firejail beta-testers wanted!

Posted: Sun May 20, 2018 12:41 pm
by Fred Barclay
trytip wrote:
Sat May 19, 2018 11:18 pm
@Fred Barclay
How do you uninstall firejail built from source? The instructions on the page are good for installation, but if I want to try different version sources I need to quickly uninstall.
Depends on whether you built a deb from source or did make install.

If you did something like ./configure --prefix=/usr && make deb and then installed the firejail*.deb, then you can just use

Code: Select all

sudo apt-get --purge autoremove firejail
If you did something like ./configure --prefix=/usr && make && make install (or make install-strip), then if you still have the source code lying around on your hard drive, just open a terminal in the source folder and run

Code: Select all

sudo make uninstall
If you don't still have the source, it's a bit trickier as it depends on exactly what configuration options you used to build and install. Go ahead and get the latest source with

Code: Select all

git clone https://github.com/netblue30/firejail.git && cd firejail
Then the most likely commands for uninstall would be

Code: Select all

./configure --prefix=/usr
make
sudo make uninstall
Cheers!
Fred