Firejail beta-testers wanted!

Fred Barclay
Level 12
Posts: 4156
Joined: Sat Sep 13, 2014 11:12 am
Location: Bumping around in the bush

Re: Firejail beta-testers wanted!

Post by Fred Barclay » Wed May 30, 2018 10:56 pm

slipstick: no idea. Can you run xreader from a terminal (or firejail xreader if there's not a symlink in /usr/local/bin), try to open a pdf, and post the output?
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein

slipstick
Level 5
Posts: 795
Joined: Sun Oct 21, 2012 9:56 pm
Location: Somewhere on the /LL0 scale

Re: Firejail beta-testers wanted!

Post by slipstick » Thu May 31, 2018 12:22 am

With no symlink in /usr/local/bin:

Code:

steve@steve-Z97X ~ $ firejail xreader
Reading profile /etc/firejail/xreader.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Parent pid 18413, child pid 18414
Private /etc installed in 12.11 ms
3 programs installed in 4.75 ms
Blacklist violations are logged to syslog
Child process initialized in 69.96 ms

Parent is shutting down, bye...
With the symlink:

Code:

steve@steve-Z97X ~ $ xreader
Reading profile /etc/firejail/xreader.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Parent pid 18459, child pid 18460
Private /etc installed in 3.14 ms
3 programs installed in 1.99 ms
Blacklist violations are logged to syslog
Child process initialized in 43.32 ms

Parent is shutting down, bye...
steve@steve-Z97X ~ $ 
In both cases, I don't get the chance to try to open a pdf.


And here's my /etc/firejail/xreader.profile:

Code:

# Firejail profile for xreader
# This file is overwritten after every install/update
# Persistent local customizations
include /etc/firejail/xreader.local
# Persistent global definitions
include /etc/firejail/globals.local

noblacklist ${HOME}/.cache/xreader
noblacklist ${HOME}/.config/xreader
# noblacklist ${HOME}/.local/share

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-interpreters.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc

# Breaks xreader on Mint 18.3
# include /etc/firejail/whitelist-var-common.inc

# apparmor
caps.drop all
no3d
nodvd
nogroups
nonewprivs
noroot
nosound
notv
novideo
protocol unix
seccomp
shell none
tracelog

private-bin xreader,xreader-previewer,xreader-thumbnailer
private-dev
private-etc fonts,ld.so.cache
private-tmp

memory-deny-write-execute
noexec ${HOME}
noexec /tmp
EDIT:
Here's some lines from the end of my syslog that may be of interest:

Code:

May 30 23:09:38 steve-Z97X kernel: [44662.543651] audit: type=1326 audit(1527739778.317:30): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=18257 comm="xreader" exe="/usr/local/bin/xreader" sig=31 arch=c000003e syscall=10 compat=0 ip=0x7fac496a8777 code=0x0
May 30 23:10:25 steve-Z97X firejail[4]: blacklist violation - sandbox 18278, exe xed, syscall opendir, path /home/steve/.config/enchant
May 30 23:14:38 steve-Z97X kernel: [44962.675765] audit: type=1326 audit(1527740078.460:31): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=18422 comm="xreader" exe="/usr/local/bin/xreader" sig=31 arch=c000003e syscall=10 compat=0 ip=0x7f4e94c1f777 code=0x0
May 30 23:16:04 steve-Z97X kernel: [45048.737183] audit: type=1326 audit(1527740164.527:32): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=18468 comm="xreader" exe="/usr/bin/xreader" sig=31 arch=c000003e syscall=10 compat=0 ip=0x7f00980d9777 code=0x0
May 30 23:17:01 steve-Z97X CRON[18485]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
May 30 23:20:24 steve-Z97X firejail[4]: blacklist violation - sandbox 18521, exe xed, syscall opendir, path /home/steve/.config/enchant
In theory, theory and practice are the same. In practice, they ain't.

slipstick
Level 5
Posts: 795
Joined: Sun Oct 21, 2012 9:56 pm
Location: Somewhere on the /LL0 scale

Re: Firejail beta-testers wanted!

Post by slipstick » Mon Jun 04, 2018 12:34 am

Just found another "problem". I can't open some config files in my home directory with xed. For example, if I try (from Nemo) to open ~/.config/geany/geany.conf, I get the message "Could not open the file /home/steve/.config/geany/geany.conf: You do not have the permissions necessary to open the file". This is a file that I own in my home directory with permissions of -rw-rw-r--. Removing the symlink xed in /usr/local/bin allows me to open this. Maybe it's intentional for firejail to prevent opening these config files, but IMO, that's just too restrictive.
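Editor's note, added to this page and not part of the thread: the syslog excerpt in slipstick's earlier post already says why xreader exits before a PDF can be opened, and what is blocking xed. In a kernel audit: type=1326 line, arch=c000003e is x86_64, syscall=10 on that architecture is mprotect, and sig=31 is SIGSYS, the signal the kernel delivers when a seccomp filter kills a syscall; the same entry appears whether xreader is started through the /usr/local/bin symlink or as firejail xreader. The posted profile enables both seccomp and memory-deny-write-execute, and the firejail man page describes the latter as a seccomp filter against making memory mappings executable, so that option is the first thing to test, by putting ignore memory-deny-write-execute in /etc/firejail/xreader.local (the file the posted profile already includes). The blacklist violation lines for xed show the mechanism behind the geany.conf error: firejail covers a blacklisted path with an inaccessible mount, so a file the user owns reads as a permissions error, and noblacklist in xed.local is the documented way to re-expose one path. The decoder below is my own example, not firejail's code and not something anyone in the thread posted; it assumes xed.profile includes xed.local the way xreader.profile does, its syscall table is deliberately partial, and every line it suggests widens the sandbox, so each is a diagnostic step rather than a recommended profile.

```python
"""Decode the two kinds of firejail-related syslog lines seen in this thread:
kernel seccomp kills (audit type=1326, sig=31) and firejail's own "blacklist
violation" messages, then name the <app>.local line worth testing next.
Added example for this page; not code from firejail or from the thread."""
import re
from typing import Dict, List, Optional, Tuple

SIGSYS = 31  # delivered by the kernel when a seccomp filter kills a syscall
SIGNAL_NAMES = {9: "SIGKILL", 11: "SIGSEGV", SIGSYS: "SIGSYS"}

# AUDIT_ARCH_* constants as they appear in the arch= field (hex, no 0x).
AUDIT_ARCH = {"c000003e": "x86_64", "40000003": "i386", "c00000b7": "aarch64"}

# Deliberately partial syscall tables: only numbers this decoder names.
# Unknown numbers are reported as "nr <n>" instead of being guessed.
SYSCALL_NAMES = {
    "x86_64": {0: "read", 1: "write", 2: "open", 9: "mmap", 10: "mprotect",
               11: "munmap", 59: "execve", 257: "openat"},
    "i386": {11: "execve", 90: "mmap", 125: "mprotect", 192: "mmap2"},
}
# Syscalls the firejail man page describes memory-deny-write-execute as
# filtering (writable+executable or newly executable mappings). Heuristic.
MEMORY_FILTER_SYSCALLS = {"mmap", "mmap2", "mprotect"}

AUDIT_RE = re.compile(r"audit: type=1326 audit\([^)]*\): (?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
BLACKLIST_RE = re.compile(
    r"firejail\[\d+\]: blacklist violation - sandbox (?P<sandbox>\d+), "
    r"exe (?P<exe>\S+), syscall (?P<syscall>\S+), path (?P<path>\S+)")
Record = Dict[str, object]


def decode_seccomp_kill(line: str) -> Optional[Record]:
    """Parse a type=1326 audit line into named fields, or None if not one."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    arch = AUDIT_ARCH.get(fields.get("arch", ""), "unknown")
    nr, sig = int(fields["syscall"]), int(fields["sig"])
    return {"kind": "seccomp_kill" if sig == SIGSYS else "signal",
            "pid": int(fields["pid"]), "comm": fields["comm"], "exe": fields["exe"],
            "arch": arch,
            "syscall": SYSCALL_NAMES.get(arch, {}).get(nr, f"nr {nr}"),
            "signal": SIGNAL_NAMES.get(sig, f"sig {sig}")}


def decode_blacklist_violation(line: str) -> Optional[Record]:
    """Parse a firejail 'blacklist violation' line, or None if not one."""
    m = BLACKLIST_RE.search(line)
    if not m:
        return None
    return {"kind": "blacklist", "sandbox": int(m.group("sandbox")),
            "exe": m.group("exe"), "syscall": m.group("syscall"),
            "path": m.group("path")}


def suggest_local_line(rec: Record) -> str:
    """The <app>.local line to try first. Every suggestion widens the sandbox,
    so treat it as a diagnostic step, not as the final profile."""
    if rec["kind"] == "blacklist":
        # A literal /home/<user>/ prefix becomes ${HOME}/ so the .local is portable.
        return "noblacklist " + re.sub(r"^/home/[^/]+/", "${HOME}/", str(rec["path"]))
    if rec["kind"] == "seccomp_kill" and rec["syscall"] in MEMORY_FILTER_SYSCALLS:
        return "ignore memory-deny-write-execute"
    if rec["kind"] == "seccomp_kill":
        return "ignore seccomp"  # coarse; narrow afterwards with the seccomp.* directives
    return ""  # killed by some other signal: seccomp is not the first suspect


def summarize(lines: List[str]) -> List[Tuple[Record, str]]:
    """Decode every recognised line and pair it with its suggested .local line."""
    out = []
    for line in lines:
        rec = decode_seccomp_kill(line) or decode_blacklist_violation(line)
        if rec is not None:
            out.append((rec, suggest_local_line(rec)))
    return out


# Two lines copied from slipstick's syslog excerpt above, plus the cron line
# from the same excerpt to show that unrelated lines are ignored.
SAMPLE_LINES = [
    'May 30 23:09:38 steve-Z97X kernel: [44662.543651] audit: type=1326 audit(1527739778.317:30): '
    'auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=18257 comm="xreader" '
    'exe="/usr/local/bin/xreader" sig=31 arch=c000003e syscall=10 compat=0 ip=0x7fac496a8777 code=0x0',
    'May 30 23:10:25 steve-Z97X firejail[4]: blacklist violation - sandbox 18278, '
    'exe xed, syscall opendir, path /home/steve/.config/enchant',
    'May 30 23:17:01 steve-Z97X CRON[18485]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)',
]

if __name__ == "__main__":
    for rec, hint in summarize(SAMPLE_LINES):
        print(rec, "->", hint)
```

Run as-is it decodes the lines copied from the post; pipe in lines from /var/log/syslog or journalctl -k to decode your own. If an ignore memory-deny-write-execute line in xreader.local makes PDFs open again, the process really does need to make a mapping executable at run time (a JIT, or a library with text relocations), which is precisely what that option exists to deny, so the fix trades some sandbox strength for a working viewer and the trade should be made knowingly.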

greerd
Level 5
Posts: 986
Joined: Sat Jul 31, 2010 10:58 am
Location: Nova Scotia, Canada

Re: Firejail beta-testers wanted!

Post by greerd » Tue Jun 05, 2018 4:24 pm

Hi Fred,
I know firejail 0.9.54 is out (I'm running it now), perhaps this'll help for 0.9.55?

Firejailing thunderbird stops my FireTray add-on and also my lightning calendar, looks like a dbus issue.
...
(thunderbird:9): libunity-CRITICAL **: 17:15:05.537: unity-launcher.vala:157: Unable to connect to session bus: Unknown or unsupported transport “DBUS_SESSION_BUS_ADDRESS=unix” for address “DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus”
...

Fred Barclay
Level 12
Posts: 4156
Joined: Sat Sep 13, 2014 11:12 am
Location: Bumping around in the bush

Re: Firejail beta-testers wanted!

Post by Fred Barclay » Thu Jun 07, 2018 11:49 am

slipstick wrote:
Mon Jun 04, 2018 12:34 am
Maybe it's intentional for firejail to prevent opening these config files, but IMO, that's just too restrictive.
It's intentional in this case. I'll get a workaround posted. :)

slipstick
Level 5
Posts: 795
Joined: Sun Oct 21, 2012 9:56 pm
Location: Somewhere on the /LL0 scale

Re: Firejail beta-testers wanted!

Post by slipstick » Tue Jul 17, 2018 3:19 pm

Fred - your post today on Firejail and Mint 19 reminded me of this thread. I'm still using LM18.3 (holding off on installing 19 until things settle down a bit and/or a new .iso is released) and firejail version 0.9.54. I'm still running with /usr/local/bin/xreader removed (because otherwise I can't read .pdf files) and with /usr/local/bin/xed removed (because otherwise I can't edit some config files in my home directory using xed). Any changes since your last post here?

Fred Barclay
Level 12
Posts: 4156
Joined: Sat Sep 13, 2014 11:12 am
Location: Bumping around in the bush

Re: Firejail beta-testers wanted!

Post by Fred Barclay » Tue Jul 17, 2018 10:12 pm

Sorry, no change yet. There's an ugly work-around but I'm trying to figure out a better one. Let me scratch my brains a little on that...

slipstick
Level 5
Posts: 795
Joined: Sun Oct 21, 2012 9:56 pm
Location: Somewhere on the /LL0 scale

Re: Firejail beta-testers wanted!

Post by slipstick » Wed Jul 18, 2018 12:07 am

Thanks for your help. The problem with not being able to use xed to edit config files in my /home is not a big deal - I don't need to do that often and can work around it - really more of an attitude on my part that I should be able to do what I want to files I own. But I would like to get the xreader problem fixed - can't believe I'm the only one with that problem.
