mirror of
https://github.com/netblue30/firejail.git
synced 2026-05-15 14:16:14 -06:00
[GH-ISSUE #1940] White screen after upgrade to Firefox 60 #1297
Labels
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference: github-starred/firejail#1297
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @igor2x on GitHub (May 12, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1940
Hi,
up until now Firefox 59 on Ubuntu 16.04 on 32-bit hardware was working without a problem using firejail. Today Firefox has upgraded to Firefox 60 and it does not work under firejail anymore (terminal: firejail firefox). Using firejail Firefox starts up, then in URL I type in www.google.com and press enter and nothing happens. I tired with several web pages, but all are the same, just white screen, in status bar it is nothing like waiting or something, empty status bar. See attached print-screen what it looks like after entering URL and pressing enter. Please also see attached firejail debug log executed by: firejail --debug firefox &> firefox-debug.log
If I close down Firefox jailed with firejail and from terminal only start: firefox it works without a problem.
Regards
$ firejail --version
firejail version 0.9.52
Compile time support:
- AppArmor support is disabled
- AppImage support is enabled
- bind support is enabled
- chroot support is enabled
- file and directory whitelisting support is enabled
- file transfer support is enabled
- git install support is enabled
- networking support is enabled
- overlayfs support is enabled
- private-home support is enabled
- seccomp-bpf support is enabled
- user namespace support is enabled
- X11 sandboxing support is enabled
$ uname -a
Linux tp 4.13.0-41-generic #46~16.04.1-Ubuntu SMP Thu May 3 10:06:03 UTC 2018 i686 i686 i686 GNU/Linux
Firefox print-screen after entering URL and pressing enter
Firefox debug log
firefox-debug.log
@thedaly commented on GitHub (May 12, 2018):
Same problem on fedora workstation after updating to version 60. No problems with firefox version 59.
@Queeq commented on GitHub (May 12, 2018):
I have isolated this to seccomp. If you comment it out in firefox.profile it starts to work fine. Or you could run it as
firejail --ignore=seccomp firefox.Should be narrowed down to specific syscalls FF needs, though. I believe this could be connected to some sandboxing improvements FF introduced in v. 60.
@SkewedZeppelin commented on GitHub (May 12, 2018):
The fix is to disable tracelog (#1935) and remove chroot from seccomp (https://github.com/netblue30/firejail/issues/1939#issuecomment-388358648) from
/etc/firejail/firefox-common.profile. It has already been fixed in master.@igor2x commented on GitHub (May 12, 2018):
@SkewedZeppelin, thanks for the info.
In my case there is no file /etc/firejail/firefox-common.profile and I have the latest Firejail 0.9.52 instaled. In /etc/firejail/ dir I have executed: ls firefox* and the output is
firefox-esr.profile firefox-nightly.profile firefox.profile
I did:
seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
shell none
and now Firefox starts fine and jailed. Problem solved
Just wondering why isn't there new Firejail version released to fix just this one major problem and not waiting for new new major release.
@KaleviKolttonen commented on GitHub (May 12, 2018):
Yeah, I just updated from Fedora Linux workstation 27 to 28, and Firefox fails exactly like the earlier posters describe. In my opnion it would be the best thing to release a fixed firejail.
@Fred-Barclay commented on GitHub (May 13, 2018):
I tend to agree we should push out a quick fix to the 0.9.38, 0.9.48, and 0.9.52 branches at least (Ubuntu 14.04, Debian stable (I believe), plus latest stable release). There will be lots of users who want to stick with firejail from their distros' repos, but also would like to use it with firefox 60.
@netblue30 is this doable?
@Vincent43 commented on GitHub (May 13, 2018):
It's not obvious if those fixes will ever made it to distro repos. Debian stable is still on 0.9.44.8 even as 0.9.44.10 was released over a year ago. Ubuntu xenial is on 0.9.38.10 while 0.9.38.12 is the last release. If someone installs firejail outside official repos then they should install latest version available anyway and not just a old branch bump.
Probably the proper solution is to provide precompiled firejail packages for popular distros but this will be an additional burden.
@Fred-Barclay commented on GitHub (May 13, 2018):
@Vincent43 I agree, but I'd prefer that we at least provide the corrections. 😄 Then it's up to the package maintainers to provide the newer versions to their distros. Since @reinerh maintains firejail for Ubuntu and Debian we can hopefully get those distros covered at least; @reinerh is this possible?
@reinerh commented on GitHub (May 13, 2018):
@Vincent43 You can find newer versions for Debian stable in the stable-backports repository. stable itself will not get any updates (other than security fixes). Maybe when Firefox60 lands in stable (in September when FF52 is EOL) we can provide a fixed profile there.
If I see it correctly, firejail 0.9.54 will be released soon, this will then be timely available in stable-backports.
@Fred-Barclay If I understand it correctly, this is only relevant for releases shipping Firefox60?
I'll check which Ubuntu versions will be shipping this and get an updated profile there.
@Vincent43 commented on GitHub (May 13, 2018):
@reinerh
Backports provide latest firejail version so bumping old branches isn't relevant here.
All ubuntu distros provide latest fiefox version (they don't follow ESR like debian). 60 is already there.
@reinerh commented on GitHub (May 13, 2018):
Okay, thanks. I'm a bit surprised then that Ubuntu doesn't use ESR versions for their LTS branches...
@Vincent43 commented on GitHub (May 13, 2018):
I guess users won't be happy being several firefox versions behind the latest. Honestly I don't believe in the 'LTS/ESR' concept especially in terms of security. Much prefer the chrome/chromium policy - 'nothing is supported but latest stable'. This way we have latest chromium in every distro including debian.
@reinerh commented on GitHub (May 13, 2018):
A lot of users care about stability (not changing behavior/workflows every couple of weeks), at least the ones using the stable/LTS releases (otherwise they would be using unstable).
The LTS/ESR versions can provide this stability while also fixing security issues.
@Vincent43 commented on GitHub (May 13, 2018):
I know about theory and I know about practice 😄. In firejail there are hundreds of fixes and improvements and LTS users will never find them until next major distro upgrade.