Firejail beta-testers wanted!

[trytip]

@ Fred Barclay
i used the README ./configure && make && sudo make install-strip trying on 2 different distros (mint/arch) and got them confused. ATM in arch linux and palemoon 27.9.2 i get

firejail palemoon
Reading profile /usr/local/etc/firejail/palemoon.profile
Reading profile /usr/local/etc/firejail/firefox-common.profile
Reading profile /usr/local/etc/firejail/disable-common.inc
Reading profile /usr/local/etc/firejail/disable-devel.inc
Reading profile /usr/local/etc/firejail/disable-interpreters.inc
Reading profile /usr/local/etc/firejail/disable-programs.inc
Reading profile /usr/local/etc/firejail/whitelist-common.inc
Reading profile /usr/local/etc/firejail/whitelist-var-common.inc
Parent pid 10333, child pid 10334
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Child process initialized in 299.62 ms

palemoon 27.9.2 starts with 9.54 from your source but with with errors above; and not with 9.52 from arch repos but that's not your issue. is the warning in quote of any significance?

[all41]

I am getting an error when starting palemoon with firejail 0.9.54:

Code: Select all

uno@Labonline ~ $ firejail ~/Downloads/palemoon/palemoon
Reading profile /etc/firejail/palemoon.profile
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 29349, child pid 29350
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Child process initialized in 65.76 ms

(pale moon:8): GLib-GObject-WARNING **: Attempt to add property GnomeProgram::sm-connect after class was initialised

(pale moon:8): GLib-GObject-WARNING **: Attempt to add property GnomeProgram::show-crash-dialog after class was initialised

(pale moon:8): GLib-GObject-WARNING **: Attempt to add property GnomeProgram::display after class was initialised

(pale moon:8): GLib-GObject-WARNING **: Attempt to add property GnomeProgram::default-icon after class was initialised

(palemoon:8): GnomeUI-WARNING **: While connecting to session manager:
None of the authentication protocols specified are supported.

(palemoon:8): GConf-WARNING **: Client failed to connect to the D-BUS daemon:
Could not parse server address: Unknown address type (examples of valid types are "tcp" and on UNIX "unix")

(palemoon:8): GConf-WARNING **: Client failed to connect to the D-BUS daemon:
Could not parse server address: Unknown address type (examples of valid types are "tcp" and on UNIX "unix")

(palemoon:8): GConf-WARNING **: Client failed to connect to the D-BUS daemon:
Could not parse server address: Unknown address type (examples of valid types are "tcp" and on UNIX "unix")

(palemoon:8): GConf-WARNING **: Client failed to connect to the D-BUS daemon:
Could not parse server address: Unknown address type (examples of valid types are "tcp" and on UNIX "unix")

(palemoon:8): GConf-WARNING **: Client failed to connect to the D-BUS daemon:
Could not parse server address: Unknown address type (examples of valid types are "tcp" and on UNIX "unix")
/home/uno/.gtkrc-2.0:1: Unable to find include file: ".gtkrc-2.0-gnome-color-chooser"

(palemoon:8): GConf-WARNING **: Client failed to connect to the D-BUS daemon:
Could not parse server address: Unknown address type (examples of valid types are "tcp" and on UNIX "unix")

Also an error message:

palemoon error.png

Palemoon starts normally without firejail, and FF 60.0.1 runs fine either way.

Palemoon version 27.9.0
17.3 MATE 64 kernel 4.4.0.124
When I close out the error box palemoon seems to be running fine and is named in firejail --list
This palemoon is running standalone from ~/Downloads directory.
There is no .config/firejail directory
I also tried pm ver 27.9.2 with identical results, however that version of pm reports non-compatibility with noscript.

[martywd]

I am getting an error when starting palemoon with firejail 0.9.54:

...

Hey @all41 ,

I.e., that 'No D-BUS daemon running' message? Funny thing. I'm seeing that message when launching firejailed 'palemoon', too. But ONLY on 1 of four machines all running Linux Mint 18.3 MATE 64-bit and firejail 0.9.54-1 and steve pusser's palemoon 27.9.1~repack-1 .

On that one machine, I have to add the firejail --ignore=nodbus to the launcher -or- put an 'ignore nodbus' line in my '~/.config/firejail/palemoon.profile' file to prevent the error when launching palemoon via firejail. But as already typed, this is only necessary on the one machine.

The machine with this issue dual-boots and is majority used booted into Win 7. But Linux Mint on that dual-boot machine is setup identically to the other three machines that DO NOT display this issue when running firejailed palemoon. I can't figure why this is happening on that one machine?

Hmmmm?

Edit: to add that the dbus service is definitely running on the machine with the error...
... ~

Code: Select all

 # systemctl status dbus
\u25cf dbus.service - D-Bus System Message Bus
   Loaded: loaded (/lib/systemd/system/dbus.service; static; vendor preset: enabled)
   Active: active (running) since Sun 2018-05-20 17:38:08 CDT; 10min ago
     Docs: man:dbus-daemon(1)
 Main PID: 1145 (dbus-daemon)
   CGroup: /system.slice/dbus.service
           \u2514\u25001145 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-

May 20 17:38:20 jupiter dbus[1145]: [system] Successfully activated service 'org.freedesktop.Conso
May 20 17:38:20 jupiter dbus[1145]: [system] Successfully activated service 'org.freedesktop.UDisk
May 20 17:38:22 jupiter dbus[1145]: [system] Activating via systemd: service name='org.bluez' unit
May 20 17:38:30 jupiter dbus[1145]: [system] Activating via systemd: service name='org.freedesktop
May 20 17:38:30 jupiter dbus[1145]: [system] Successfully activated service 'org.freedesktop.nm_di
May 20 17:38:41 jupiter dbus[1145]: [system] Activating via systemd: service name='org.freedesktop
May 20 17:38:42 jupiter dbus[1145]: [system] Successfully activated service 'org.freedesktop.Flatp
May 20 17:38:47 jupiter dbus[1145]: [system] Failed to activate service 'org.bluez': timed out
May 20 17:48:16 jupiter dbus[1145]: [system] Activating via systemd: service name='org.freedesktop
May 20 17:48:16 jupiter dbus[1145]: [system] Successfully activated service 'org.freedesktop.timed

.

[Fred Barclay]

Hey guys,
More info later if needed, but we have tried to block or limit dbus access whenever possible with this latest release. It's a huge security hole and has been a headache for a while (in certain circumstances it's possible to circumvent parts of the firejail sandbox with dbus). So... the messages are normal, nothing to worry about, unless you notice that something isn't actually working anymore.

Cheers!
Fred

[slipstick]

New problem - I don't know if this is related to the xreader not working or if xreader is just for pdf's. EDIT: Deleting the xreader.profile allows pdf's to be read, but does not affect this problem.

I can't open root-owned scripts (python or bash) in read-only mode by clicking on them in Nemo, unless I have opened the containing directory "as Root". If I do not have root privileges and click on the file, instead of opening it in read-only mode as it used to, now a window pops up as though to display the file, but the window contents are blank except for the title bar, menu bar and tool bar. When I try to close the window, I get asked if I want to save the changes, even though I have made no changes and shouldn't be able to make changes due to not having root privileges. I have been afraid to try to save them, fearing I might destroy the file, so I just elect to close without saving!

EDIT: This problem seems to be xed. I removed the symlink xed in /usr/local/bin and now the root-owned script files open in read-only mode as before. So it looks like allowing Python in the xed profile did not completely fix all the problems.

[Fred Barclay]

@slipstick, that's strange. I'm having no problems opening a root-owned python script with firejail-ed xed:


Are you using a customised xed profile? If so, can you post it here?

[slipstick]

The only thing I've changed is to incorporate your fix to allow python. Here's the xed.profile that I am using:

Code: Select all

# Firejail profile for xed
# This file is overwritten after every install/update
# Persistent local customizations
include /etc/firejail/xed.local
# Persistent global definitions
include /etc/firejail/globals.local

noblacklist ${HOME}/.config/xed

# Allow python (blacklisted by disable-interpreters.inc)
noblacklist ${PATH}/python2*
noblacklist ${PATH}/python3*
noblacklist /usr/lib/python2*
noblacklist /usr/lib/python3*

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-interpreters.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc

include /etc/firejail/whitelist-var-common.inc

# apparmor - makes settings immutable
caps.drop all
machine-id
# net none - makes settings immutable
no3d
# nodbus - makes settings immutable
nodvd
nogroups
nonewprivs
noroot
nosound
notv
novideo
protocol unix
seccomp
shell none
tracelog

private-bin xed
private-dev
# private-etc fonts
private-tmp

# xed uses python plugins, memory-deny-write-execute breaks python
# memory-deny-write-execute
noexec ${HOME}
noexec /tmp

[slipstick]

I can use xed to open a plain text file owned by root in read-only mode (after making the change to allow python). I cannot open a root-owned script file with xed or leafpad, but they will open with LibreOffice Writer in read-only mode.

[slipstick]

Well, this is weird. I took a root-owned python script file /usr/local/bin/apt and made a duplicate of it, changing the name to apt_dup. Of course it wouldn't open with xed. I edited the file to remove the she-bang line so Nemo thinks it's a plain text file. It still wouldn't open even though Nemo now lists it as a plain text file. It won't open with leafpad either, but will open with LibreOffice Writer. ???

[slipstick]

It seems to be location dependent. I can't open my apt_dup file in /usr/local/bin, but if I copy that file to /usr/share/doc/ftp (chosen at random), it opens just fine!

[Fred Barclay]

Oh, that makes a lot more sense now! You can't open any files in any sort of /bin folder (/bin, /usr/bin, /usr/local/bin, and so on) besides the xed binary (which ordinarily wouldn't be opened in a text editor anyhow). This is because the private-bin xed filter in the profile blocks access to any other files.
Ditto for leafpad - it's got private-bin leafpad so you could only open the leafpad binary in it. Libreoffice doesn't use private-bin which is why you can open all these files in it.

The fact that they're root-owned is only nominally related; it's their location that matters.

TL; DR: It's not a bug, it's a feature. We didn't want xed or leafpad to have access to any random binary in those locations.

[slipstick]

Thanks for the explanation. I thought it was a bug because I used to be able to open script files like apt with the older version of firejail. So now the only problem I know of is not being able to open pdf files with xreader.

Re the photo:

[Amii_Leigh]

So this text opening issue isn't related to my problem opening a .txt file on my desktop?
I made a .txt file with random letters in it, and saved it to my desktop. I then tried to open it with gedit. As I'd grown accustumed to it doing, all my cursor did was to do a spinney for a little while, and then give up.

I then tried to open it with Leafpad, which had no problem opening it, it was open in less than a second. You can't tell me that isn't something of an inconvenience.

[slipstick]

For xed on LM 18.3, adding these lines shown in green to /etc/firejail/xed.profile works:
https://github.com/netblue30/firejail/c ... 1dd2b19e3d

If you are using gedit, maybe a similar fix will work. If not, you can try deleting the symbolic link gedit in /usr/local/bin, if it exists.

[Amii_Leigh]

For xed on LM 18.3, adding these lines shown in green to /etc/firejail/xed.profile works:
https://github.com/netblue30/firejail/c ... 1dd2b19e3d

Will this work on Mint Cinnamon 17.3?

I'm sorry if it's obvious, I'm really afraid to screw up my computer with what looks like simple commands. The last time I thought I was deleting files from my Trash and ended up deleting all of the contents of my Home folder.

[slipstick]

For xed on LM 18.3, adding these lines shown in green to /etc/firejail/xed.profile works:
https://github.com/netblue30/firejail/c ... 1dd2b19e3d

Will this work on Mint Cinnamon 17.3?

I'm sorry if it's obvious, I'm really afraid to screw up my computer with what looks like simple commands. The last time I thought I was deleting files from my Trash and ended up deleting all of the contents of my Home folder.

On 17.3, you'll have gedit instead of xed. I would assume that firejail on 17.3 has a /etc/firejail/gedit.profile, and if so, you could edit it to add those lines to allow python. Add the new lines in the same location in the file as the lines added in the xed file I linked to. I don't see how that would mess up anything, and it would be easy to reverse the change. First, make a copy of the gedit.profile file - call it gedit.profile.bak, then modify the original. To reverse the change, just delete the modified file and rename the .bak file to the original name. To make the changes, you need to open the /etc/firejail directory "as Root". Another, even easier method would be to see if you can find a symbolic link named gedit in the /usr/local/bin directory - if so, you could just rename that to gedit.bak to remove firejail protection for gedit - reversing this change would be really easy.
Of course, all of this assumes that firejail on 17.3 sets things up the same as on 18.3, which I don't know. You might prefer to wait to see if Fred will weigh in on this.

[trytip]

@Fred Barclay
first time using firecfg (9.54) , i thought cool most things work with default profile. but then tried to open a video file from different home user directory (same drive) and mpv,vlc,smplayer just closes saying can not access file. i noticed the same behaviour using external tools and other plugins in pluma editor , gedit , eom (eye of mate) gimp 2.10

so using firejail restricts you to the current login user and not able to open other files from different users or other linux partitions? i had to firecfg --clean it is useless if you dual boot with other linux and you want to watch some videos or open other files from my other downloads.

i have mint/arch dualboot and quite often i want access to files from my mint home directory if i'm in arch or vice versa. is it possible to make firejail mpv lets say to open a file from other home user?

[Fred Barclay]

Hi everyone, and sorry for the super-late reply.

@Amii - slipstick was almost right. Just add a final * to the end of the noblacklist /usr/lib/python3 line (so it should look like noblacklist /usr/lib/python3*).

@trytip can you post an example? We've got several similar reports floating around our bugtracker and I want to make sure that you're seeing the same thing.

[slipstick]

@Amii - slipstick was almost right. Just add a final * to the end of the noblacklist /usr/lib/python3 line (so it should look like noblacklist /usr/lib/python3*).

Oops! I can't believe I forgot that modification.

Fred - any idea why I can't open pdf files with xreader? I have this problem even with pdf files in my home directory.

[trytip]

@Fred Barclay
using firecfg in my arch or mint they are both configured the same (both share the same home partition). right now i'm in arch01 and i can open any video with any media player so i'll use mpv as example

if i open my file manager and go up to file system/home i can get to my linux mint user folder mint01 downloads or video and try to open a media file i get file can't be opened



when i copy the file that can't be played in the first snap, to the desktop or other folder it can be played