Firejail beta-testers wanted!
- slipstick
- Level 6
- Posts: 1071
- Joined: Sun Oct 21, 2012 9:56 pm
- Location: Somewhere on the /LL0 scale
Re: Firejail beta-testers wanted!
Additional information: I can open text files in Leafpad or LibreOffice Writer by right clicking on the file and selecting "Open with" from the context menu, but not by clicking "Open with Text Editor". I get the same behavior whether trying to open the files from Nemo or from Double Commander. pdf files can't be opened with Document Viewer, but will open with Image Magick or GIMP.
In theory, theory and practice are the same. In practice, they ain't.
- Fred Barclay
- Level 12
- Posts: 4185
- Joined: Sat Sep 13, 2014 11:12 am
- Location: USA primarily
Re: Firejail beta-testers wanted!
Hmmm... @slipstick, can you also run
firecfg --list
and post output?
- Fred Barclay
- Level 12
- Posts: 4185
- Joined: Sat Sep 13, 2014 11:12 am
- Location: USA primarily
Re: Firejail beta-testers wanted!
Amii_Leigh wrote: Sun May 13, 2018 6:45 pm
Fred Barclay wrote: Sun May 13, 2018 1:05 am
I'll try and get a firejail tor test for you to run within the next 8 hours or so, Amii, if you're willing.
Sure! It's not like I have a life or anything, lol
Haha, and sorry for the super-late reply! Had a family member go in the hospital.
Let's try this:
Code: Select all
cd /home/amii/.tor-browser-en/
firejail --profile=/etc/firejail/start-tor-browser.profile ./start-tor-browser.desktop
If this doesn't work, can you post the output of
ls /home/amii/.tor-browser-en/
?
- slipstick
- Level 6
- Posts: 1071
- Joined: Sun Oct 21, 2012 9:56 pm
- Location: Somewhere on the /LL0 scale
Re: Firejail beta-testers wanted!
Fred Barclay wrote: Tue May 15, 2018 11:15 pm
Hmmm... @slipstick, can you also run
firecfg --list
and post output?
Code: Select all
steve@steve-Z97X ~ $ firecfg --list
/usr/local/bin/xreader-previewer
/usr/local/bin/lofromtemplate
/usr/local/bin/keepassxc
/usr/local/bin/gimp-2.8
/usr/local/bin/localc
/usr/local/bin/loweb
/usr/local/bin/gucharmap
/usr/local/bin/lodraw
/usr/local/bin/display
/usr/local/bin/cvlc
/usr/local/bin/catfish
/usr/local/bin/pix
/usr/local/bin/loimpress
/usr/local/bin/gimp
/usr/local/bin/loffice
/usr/local/bin/lowriter
/usr/local/bin/thunderbird
/usr/local/bin/gnome-calculator
/usr/local/bin/xplayer
/usr/local/bin/baobab
/usr/local/bin/lobase
/usr/local/bin/rhythmbox
/usr/local/bin/xcalc
/usr/local/bin/simple-scan
/usr/local/bin/wget
/usr/local/bin/xviewer
/usr/local/bin/xplayer-video-thumbnailer
/usr/local/bin/mate-color-select
/usr/local/bin/soffice
/usr/local/bin/ebook-viewer
/usr/local/bin/xreader
/usr/local/bin/xfburn
/usr/local/bin/dnsmasq
/usr/local/bin/pdftotext
/usr/local/bin/vlc
/usr/local/bin/gnome-font-viewer
/usr/local/bin/firefox
/usr/local/bin/ssh
/usr/local/bin/hexchat
/usr/local/bin/pidgin
/usr/local/bin/strings
/usr/local/bin/xplayer-audio-preview
/usr/local/bin/file-roller
/usr/local/bin/leafpad
/usr/local/bin/lomath
/usr/local/bin/transmission-gtk
/usr/local/bin/enchant
/usr/local/bin/chromium-browser
/usr/local/bin/libreoffice
/usr/local/bin/xreader-thumbnailer
/usr/local/bin/calibre
/usr/local/bin/xed
/usr/local/bin/less
/usr/local/bin/enchant-lsmod
steve@steve-Z97X ~ $
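By the way, I think when I installed this 0.9.54~rc2 version, I forgot to first delete the old 0.9.38.10 version. Should I do
Code: Select all
sudo apt-get purge firejail
and then reinstall the latest version?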
In theory, theory and practice are the same. In practice, they ain't.
- Fred Barclay
- Level 12
- Posts: 4185
- Joined: Sat Sep 13, 2014 11:12 am
- Location: USA primarily
Re: Firejail beta-testers wanted!
slipstick wrote: Tue May 15, 2018 11:38 pm
By the way, I think when I installed this 0.9.54~rc2 version, I forgot to first delete the old 0.9.38.10 version. Should I do
Code: Select all
sudo apt-get purge firejail
and then reinstall the latest version?
Probably a good idea - but first, please run
sudo firecfg --clean
to remove the symbolic links in /usr/local/bin.
Then after reinstalling firejail, you can run
sudo firecfg
to add them back if you want.
- Amii_Leigh
- Level 5
- Posts: 724
- Joined: Fri Mar 25, 2016 10:58 pm
- Location: Somewhere in the middle of nowhere, Missouri
Re: Firejail beta-testers wanted!
This is the terminal output as Tor ran:
Code: Select all
$ cd /home/amii/.tor-browser-en/
amii@Basically ~/.tor-browser-en $ firejail --profile=/etc/firejail/start-tor-browser.profile ./start-tor-browser.desktop
Reading profile /etc/firejail/start-tor-browser.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 20638, child pid 20639
Warning: skipping crypto-policies for private /etc
Warning: skipping alsa for private /etc
Warning: skipping asound.conf for private /etc
Warning: skipping machine-id for private /etc
Private /etc installed in 298.57 ms
17 programs installed in 319.48 ms
Blacklist violations are logged to syslog
Child process initialized in 709.04 ms
Error: no suitable ./start-tor-browser.desktop executable found
Parent is shutting down, bye...
Then the result of the command you had me run:
Code: Select all
ls /home/amii/.tor-browser-en/
BACKUP INSTALL LOG VERSION
नमस्ते = Namaste
I honor the place in you in which the entire universe dwells.
I honor the place in you in which is of love, of truth, of light, and of peace.
When you are in that place in you, and I am in that place in me, we are one.
- slipstick
- Level 6
- Posts: 1071
- Joined: Sun Oct 21, 2012 9:56 pm
- Location: Somewhere on the /LL0 scale
Re: Firejail beta-testers wanted!
Fred Barclay wrote: Tue May 15, 2018 11:47 pm
Probably a good idea - but first, please run
sudo firecfg --clean
to remove the symbolic links in /usr/local/bin.
Then after reinstalling firejail, you can run
sudo firecfg
to add them back if you want.
I ran
Code: Select all
sudo firecfg --clean
Code: Select all
sudo apt-get purge firejail
I saw that this directory only had one six byte file "firejail.users" which contained only my user name, so I deleted the file and directory.
Then I ran
Code: Select all
cd Downloads
Code: Select all
sudo dpkg -i firejail_0.9.54~rc2_1_amd64.deb
Code: Select all
firecfg --fix-sound
Code: Select all
sudo firecfg
I then added the whitelist statements in firefox.cfg and thunderbird.cfg (because my FF and TB profiles are on another partition) so I could access email and FF.
So, in summary, that didn't fix the problem.
In theory, theory and practice are the same. In practice, they ain't.
-
- Level 1
- Posts: 46
- Joined: Wed Sep 17, 2014 6:17 am
Re: Firejail beta-testers wanted!
I seem to have become a(n unqualified) beta tester. I seem to have similar problems to slipstick. Running Firefox from a terminal and trying to open a .pdf file gives
Warning: an existing sandbox was detected. /usr/bin/firefox will run without any additional sandboxing features
(firefox:9): LIBDBUSMENU-GLIB-WARNING **: Unable to get session bus: Unknown or unsupported transport 'DBUS_SESSION_BUS_ADDRESS=unix' for address 'DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus'
(firefox:9): LIBDBUSMENU-GLIB-WARNING **: Unable to get session bus: Unknown or unsupported transport
(gimp-2.8:249): LibGimpBase-WARNING **: gimp-2.8: gimp_wire_read(): err'DBUS_SESSION_BUS_ADDRESS=unix' for address 'DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus'
(xreader:172): EggSMClient-WARNING **: Failed to connect to the session manager: None of the authentication protocols specified are supported
Failed to get bus connection: Unknown or unsupported transport 'DBUS_SESSION_BUS_ADDRESS=unix' for address 'DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus'
(xreader:181): EggSMClient-WARNING **: Failed to connect to the session manager: None of the authentication protocols specified are supported
Failed to get bus connection: Unknown or unsupported transport 'DBUS_SESSION_BUS_ADDRESS=unix' for address 'DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus'
Like slipstick, I can open the .pdf in Gimp using the open with dialogue although I get numerous warnings in the terminal, which I could list if desired.
- slipstick
- Level 6
- Posts: 1071
- Joined: Sun Oct 21, 2012 9:56 pm
- Location: Somewhere on the /LL0 scale
Re: Firejail beta-testers wanted!
I purged the rc2 version and installed the new firejail_0.9.54_1_amd64.deb which just became available and I had the same problem. So I removed the following symlinks from /usr/local/bin:
xed
xreader
xreader-previewer
xreader-thumbnailer
and now I can open text files and pdf files by clicking on them in Nemo. I don't know if it was necessary to delete those last two links, but just deleted every link with xreader to be sure. I haven't done enough testing to see if there are any other problems, but so far, so good. I may not be quite as "protected" this way, but at least my system isn't broken.
In theory, theory and practice are the same. In practice, they ain't.
- Fred Barclay
- Level 12
- Posts: 4185
- Joined: Sat Sep 13, 2014 11:12 am
- Location: USA primarily
Re: Firejail beta-testers wanted!
slipstick wrote: Fri May 18, 2018 2:39 am
I purged the rc2 version and installed the new firejail_0.9.54_1_amd64.deb which just became available and I had the same problem. So I removed the following symlinks from /usr/local/bin:
xed
xreader
xreader-previewer
xreader-thumbnailer
and now I can open text files and pdf files by clicking on them in Nemo. I don't know if it was necessary to delete those last two links, but just deleted every link with xreader to be sure. I haven't done enough testing to see if there are any other problems, but so far, so good. I may not be quite as "protected" this way, but at least my system isn't broken.
Hmm... yeah, sounds like something might be broken on our end. I'll set up a Mint VM and see what I get.
You're running Mint 18.3 Cinnamon, right?
- slipstick
- Level 6
- Posts: 1071
- Joined: Sun Oct 21, 2012 9:56 pm
- Location: Somewhere on the /LL0 scale
Re: Firejail beta-testers wanted!
Right - the output of my inxi -Fxz is about a dozen posts above. I'm surprised that there haven't been a lot of complaints about this. I don't think there's anything particularly unique about my system. After installing (separate /, /home, and Data partitions) I added the multimedia support package, HPLIP for my printer/scanner, xsane, apcupsd, Aptik, Back-in-time, catfish, double-commander, Gnome-calculator, p7-zip, Chromium, Grsync, Keepassxc, psensors, encfs manager, calibre, dconfEditor, xfburn, Zenmap - all pretty standard stuff. I'm not using any special themes or fancy eye-candy on the desktop.
In theory, theory and practice are the same. In practice, they ain't.
- Fred Barclay
- Level 12
- Posts: 4185
- Joined: Sat Sep 13, 2014 11:12 am
- Location: USA primarily
Re: Firejail beta-testers wanted!
@slipstick Duplicated and fixed on my VM, and I'll report this to upstream. Thanks!
- slipstick
- Level 6
- Posts: 1071
- Joined: Sun Oct 21, 2012 9:56 pm
- Location: Somewhere on the /LL0 scale
Re: Firejail beta-testers wanted!
Found another problem - can't play mp4 videos by clicking on them from Nemo. Removing all the xplayer symlinks from /usr/local/bin solved this one.
In theory, theory and practice are the same. In practice, they ain't.
- Fred Barclay
- Level 12
- Posts: 4185
- Joined: Sat Sep 13, 2014 11:12 am
- Location: USA primarily
Re: Firejail beta-testers wanted!
slipstick, thanks! These have been fixed as follows:
xreader: https://github.com/netblue30/firejail/c ... d31ef6e3ba
xed: https://github.com/netblue30/firejail/c ... 1dd2b19e3d
xplayer: https://github.com/netblue30/firejail/c ... 2b5ad63942
The xed and xplayer issues had the same root cause - we weren't aware that they required python and had blocked access to it.
- slipstick
- Level 6
- Posts: 1071
- Joined: Sun Oct 21, 2012 9:56 pm
- Location: Somewhere on the /LL0 scale
Re: Firejail beta-testers wanted!
I ran "sudo firecfg --clean" and then "sudo firecfg" to restore all the symlinks that I had deleted. Then I decided to manually enter the changes you listed in your post above:
xplayer.profile - the change worked
xed.profile - change failed, but after I changed the line "noblacklist /usr/lib/python3" to "noblacklist /usr/lib/python3*" (wildcard added at end), it worked (uses python 3.5 ?)
xreader.profile - change failed, I have no solution
In theory, theory and practice are the same. In practice, they ain't.
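The xed.profile finding in the post above (a literal "noblacklist /usr/lib/python3" that only worked once a trailing * was added) can be checked for mechanically. The shell lint below is an added example, not part of the thread or of firejail; near_misses and demo are hypothetical names, the sample tree and profile fragment are constructed, and it assumes, as the reported fix indicates, that a literal entry does not cover versioned sibling paths.

```shell
#!/bin/sh
# Added example (not from the thread or from firejail).
# Flags literal "noblacklist PATH" lines in a firejail profile where PATH has
# versioned siblings on disk that only "PATH*" would cover, for example
# /usr/lib/python3 versus /usr/lib/python3.5.

# near_misses PROFILE [ROOT]
#   ROOT is an optional prefix so the check can run against a test tree.
#   Prints "ENTRY -> SIBLING" for each path that ENTRY* matches but ENTRY does not.
near_misses() {
    nm_profile=$1
    nm_root=${2:-}
    while read -r nm_kw nm_entry nm_rest; do
        [ "$nm_kw" = "noblacklist" ] || continue   # also skips commented-out lines
        [ -n "$nm_entry" ] || continue
        case $nm_entry in
            *'*'* | *'?'* | *'['*) continue ;;     # already a glob pattern
            '${'*) continue ;;                     # macros such as ${HOME} are not expanded here
        esac
        for nm_cand in "$nm_root$nm_entry"*; do
            [ -e "$nm_cand" ] || continue          # an unmatched glob stays literal
            [ "$nm_cand" = "$nm_root$nm_entry" ] && continue
            printf '%s -> %s\n' "$nm_entry" "${nm_cand#"$nm_root"}"
        done
    done < "$nm_profile"
}

# Constructed test tree and profile fragment mirroring the xed case in the thread.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/usr/lib/python3/dist-packages" "$d/usr/lib/python3.5" "$d/usr/lib/python2.7"
    cat > "$d/xed.profile" <<'EOF'
# constructed profile fragment
noblacklist ${HOME}/.config/xed
noblacklist /usr/lib/python3
noblacklist /usr/lib/python2*
EOF
    near_misses "$d/xed.profile" "$d"
    rm -rf "$d"
}

demo
```

Against an installed system, call near_misses with the profile path alone (for example a profile under /etc/firejail) so that paths are resolved from the real root.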
- Fred Barclay
- Level 12
- Posts: 4185
- Joined: Sat Sep 13, 2014 11:12 am
- Location: USA primarily
Re: Firejail beta-testers wanted!
Good catch - it's a typo. I'll get that fixed.
slipstick wrote:
xreader.profile - change failed, I have no solution
What is the output of
xreader
(if you have symlinks in /usr/local/bin from firecfg) or firejail xreader if you don't have symlinks (e.g. after running firecfg --clean)?
- slipstick
- Level 6
- Posts: 1071
- Joined: Sun Oct 21, 2012 9:56 pm
- Location: Somewhere on the /LL0 scale
Re: Firejail beta-testers wanted!
xplayer has the same typo, even though it works with the typo.
Output of xreader (with symlinks from firecfg, and change from 3 posts above applied)
Code: Select all
steve@steve-Z97X ~ $ xreader
Reading profile /etc/firejail/xreader.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Parent pid 24346, child pid 24347
Private /etc installed in 8.37 ms
3 programs installed in 4.92 ms
Blacklist violations are logged to syslog
Child process initialized in 63.59 ms
Parent is shutting down, bye...
steve@steve-Z97X ~ $
and here is my modified xreader.profile
Code: Select all
# Firejail profile for xreader
# This file is overwritten after every install/update
# Persistent local customizations
include /etc/firejail/xreader.local
# Persistent global definitions
include /etc/firejail/globals.local
noblacklist ${HOME}/.cache/xreader
noblacklist ${HOME}/.config/xreader
# noblacklist ${HOME}/.local/share
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-interpreters.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
# Breaks xreader on Mint 18.3
# include /etc/firejail/whitelist-var-common.inc
# apparmor
caps.drop all
no3d
nodvd
nogroups
nonewprivs
noroot
nosound
notv
novideo
protocol unix
seccomp
shell none
tracelog
private-bin xreader,xreader-previewer,xreader-thumbnailer
private-dev
private-etc fonts,ld.so.cache
private-tmp
memory-deny-write-execute
noexec ${HOME}
noexec /tmp
In theory, theory and practice are the same. In practice, they ain't.
- absque fenestris
- Level 12
- Posts: 4124
- Joined: Sat Nov 12, 2016 8:42 pm
- Location: Confoederatio Helvetica
Re: Firejail beta-testers wanted!
32-bit/firejail_0.9.54_rc2_1_i386.deb
No problems with Vivaldi & Firefox 60.0.1
Re: Firejail beta-testers wanted!
@Fred Barclay
How do you uninstall firejail built from source? The instruction on the page is good for installation, but if I want to try different version sources I need to quickly uninstall.
- Fred Barclay
- Level 12
- Posts: 4185
- Joined: Sat Sep 13, 2014 11:12 am
- Location: USA primarily
Re: Firejail beta-testers wanted!
Depends if you build a deb from source or did make install.
If you did something like
./configure --prefix=/usr && make deb
and then installed the firejail*.deb, then you can just use
Code: Select all
sudo apt-get --purge autoremove firejail
./configure --prefix=/usr && make && make install
(or make install-strip), then if you still have the source code lying around on your hard drive, just open a terminal in the source folder and run
Code: Select all
sudo make uninstall
Code: Select all
git clone https://github.com/netblue30/firejail.git && cd firejail
Code: Select all
./configure --prefix=/usr
make
sudo make uninstall
Fred