Mirror of https://github.com/netblue30/firejail.git (synced 2026-05-15 14:16:14 -06:00)
[GH-ISSUE #1975] cannot open local profile file #1329
Reference: github-starred/firejail#1329
Originally created by @omega3 on GitHub (Jun 1, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1975
I tried:
but I run wine on a second user account. Does it make any difference? Is it a permission issue?
Edit:
I logged in to the first (sudo) user account and this also shows the same output.
Is it a bug that firejail cannot read profiles in /etc/firejail/?
@Fred-Barclay commented on GitHub (Jun 4, 2018):
@omega3 Can I get some info from you?
What does `firejail --version` say? `which firejail`? `ls /etc/firejail`? Thanks!
Fred
@SkewedZeppelin commented on GitHub (Jun 4, 2018):
@Fred-Barclay see https://github.com/netblue30/firejail/issues/1972#issuecomment-393581528
@omega3 how did you install Firejail from the Sourceforge downloads?
@omega3 commented on GitHub (Jun 4, 2018):
It is on Kubuntu 14.04 64-bit.
I installed firejail_0.9.54_1_amd64.deb using dpkg -i from
https://sourceforge.net/projects/firejail/files/firejail/
No errors during installation.
It is strange but firejail --version shows firejail version 0.9.18-rc1.
I did apt-get purge and installed it once again and the package name is the same.
After the reboot I have another problem. Firefox and Opera, installed from deb, which I was able to use so far with a custom profile, show the error:
/etc/firejail/
@omega3 commented on GitHub (Jun 5, 2018):
I deleted firejail from /usr/local/bin and installed again and now it shows correct version 0.9.54.
Update:
I read release notes and I did:
`sudo firecfg`
Then I added all my users to /etc/firejail/firejail.users
So it looks like:
On both accounts I am able to run
But take notice of this error:
Warning: an existing sandbox was detected. /usr/bin/firefox will run without any additional sandboxing features
What does it mean? Is firefox sandboxed by firejail or not?
I still cannot access local profile file.
I was able to run wine app. It failed to connect to internet. But it has the same warning.
Is it possible to sandbox all wine executable files with --net=none, or can only a specified application be run like this? I am not familiar with wine details so I don't know if running PDFXCview.exe in a firejail sandbox can prevent, for example, viruses or any dangerous files from running outside the sandbox alongside it when wine is active.
@chiraag-nataraj commented on GitHub (Jun 5, 2018):
Once you run `firecfg`, don't run it as `firejail firefox`. Just run it as `firefox`. That will solve the warning you're seeing. This also means that any options you want for `firefox` should be put in a profile, since I'm not sure if you can provide extra firejail arguments when running it from the symlink (@netblue30?).
@omega3 commented on GitHub (Jun 5, 2018):
But if I don't run the initial command through firejail, how will I be able to point to the local profile?
@chiraag-nataraj commented on GitHub (Jun 5, 2018):
It should automatically pick up the local profile. By default, `firejail` reads profiles from `~/.config/firejail/` if they exist and `/etc/firejail` if there are no profiles (for that program) in `~/.config/firejail`.
@omega3 commented on GitHub (Jun 5, 2018):
I started firefox in my second user account, but I wanted it to read a firejail profile from a different location than the default:
--profile=/media/data/backup/jailkonf/.config/jail.profile
and firefox settings located in /media/data/backup/jail/.mozilla/firefox/
With the old version of firejail I was able to use local firejail profiles.
@chiraag-nataraj commented on GitHub (Jun 5, 2018):
You can still do that, but you should remove `/usr/local/bin/firefox` if you want to do that. Fundamentally, there are a couple of things going on here:
- You ran `sudo firecfg`.
- When running through the symlinks (which is what `firecfg` does), there is no way to provide extra command-line options to firejail.
- Because of that (`firecfg`), everything has to go in standard locations (`~/.config/firejail/` for per-user configuration and `/etc/firejail` for global configuration).
- If you want to do non-standard things with `firejail` (e.g. non-standard profile locations, dynamically generated stuff, whatever), you cannot use `firecfg` symlinks (i.e. the links in `/usr/local/bin`). If you want to do this, you have to remove `/usr/local/bin/<program>` so that you can explicitly call `firejail` with the proper options.
@omega3 commented on GitHub (Jun 5, 2018):
I deleted `/usr/local/bin/firefox`. `which firefox` shows `/usr/bin/firefox`. I also deleted firecfg because with firecfg the problem still existed. But this didn't change anything.
I still have:
@chiraag-nataraj commented on GitHub (Jun 5, 2018):
Ah. That would stem from the `disable-mnt` in the `firefox-common` profile. You should create a personal profile which includes `firefox.profile` and adds `ignore disable-mnt`.
@omega3 commented on GitHub (Jun 5, 2018):
Do you mean I should change the content of /etc/firejail/firefox-common.profile or change the content of my local profile? I don't understand.
My local profile looks like this:
I blacklist `/media/data/firejail` and `/media/data/backup/jailkonf` because the local profile should not be changeable by accessing it from the web browser. I blacklisted /HOME because I didn't want the browser to access my personal files in /home.
I also blacklisted some others folders in /media/data/ but I don't list them here as they have no connection to the issue.
Isn't this local profile somehow in conflict with `/etc/firejail/firefox-common.profile`?
https://firejail.wordpress.com/download-2/release-notes/
Update:
I uncommented the includes for `firefox-common-addons.inc` in `firefox-common.profile` with no result.
I noticed that there are a few files in /etc/firejail that have some firefox configurations:
Are they used when I run firefox with local firejail config?
Please tell me what to do. With local profiles I was able to use two or any number of firejail profiles for the same browser. The new version doesn't allow this. Starting firejail with a local profile should make firejail ignore whatever is in /etc/firejail. But even when I deleted all those files in /etc/firejail I am not able to access the local profile file.
@chiraag-nataraj commented on GitHub (Jun 5, 2018):
It does. The error you're getting (probably) has nothing to do with the profiles installed by `firejail` (also, you should probably re-install, since those are useful fall-back profiles!).
Okay, in order for me to give you more help, I need to understand exactly what you're trying to do. You have profiles in `/media/backup/data/jailkonf` that you want to load. You don't want programs to be able to edit them while inside the jail, so you blacklist that directory in the profile. Is this understanding correct?
Also, I'm confused, since you seem to be loading `/media/backup/data/jailconf/.config/jail.profile`, but `firejail` complains it can't find `/media/orange/backup/jailkonf/.config/jail.profile`. Why the different paths?
@omega3 commented on GitHub (Jun 5, 2018):
Yes. This is how it worked with the older firejail version. I assumed that it would be stupid if someone could compromise the browser and then straight away access the profile files that sandbox the browser and just change them to get full access to /home and other places with private things.
Let's assume the path is
/media/backup/data/jailconf/.config/jail.profile
I made a mistake.
@chiraag-nataraj commented on GitHub (Jun 5, 2018):
So if I do `firejail --blacklist=/mnt/new_boot/ --profile=/mnt/new_boot/x-terminal-emulator.profile x-terminal-emulator`, it works: I get a new terminal emulator with access to `/mnt/new_boot` denied. (For reference, my `x-terminal-emulator.profile` didn't contain the blacklist). Adding the blacklist to the profile didn't break either - I was still able to load the profile.
Can you post your firejail profile (the one you're trying to load) here so that I can do some experiments?
@omega3 commented on GitHub (Jun 5, 2018):
This is my firejail profile that I used successfully with the old firejail version:
Sorry, I made a mistake:
the profile file is located in
/media/data/backup/jailconf/.config/jail.profile
not as I wrote above
/media/backup/data/jailconf/.config/jail.profile
but this is not actually important because I always start it the same way with the correct path.
And `blacklist /media/data/firejail` that I had listed earlier can be ignored because I keep another firejail profile there, so I blacklisted it too, but for now it is not important.
To sum up: I want to blacklist /home and the path that contains the local profile on /media/data/backup/jailconf/.
Even when I removed `blacklist /media/data/backup/jailkonf` from the profile, the profile still could not be accessed.
Even when I removed `blacklist ${HOME}/`, `blacklist ${HOME}/.adobe`, `blacklist ${HOME}/.macromedia`, `blacklist ${HOME}/user_name` from the profile, the profile still could not be accessed. And when I removed the above from the profile, moved the profile to /home/user2/Documents and pointed to this location when starting firejail, I still get the same "cannot access profile", this with no firecfg file, with `/usr/bin/firefox` and with no firefox.profile in `/etc/firejail`.
Even when I deleted `blacklist ${HOME}/` from the profile and moved the profile. I copied `firefox.profile` from `/etc/firejail` to `/media/data/backup/jailkonf/.config` and renamed it to `jail.profile` so that it matches the command I use, and it also could not be accessed.
But `firejail --noprofile firefox` starts for this user2.
Maybe it has something to do with user permissions for reading / accessing profiles?
I don't know if this is important, but in my /home/user2 I have a file .profile with content:
Perhaps it would be good to test not mine but a sample firejail.profile for this user2.
@chiraag-nataraj commented on GitHub (Jun 5, 2018):
Can you try commenting out the `blacklist /media/data/backup/jailkonf`? That is, let's get your existing profile in working condition and then we'll figure out why it's not working. If commenting that out doesn't help, try commenting out other things (it's probably one of the `blacklist` lines) until the profile launches with no issues.
@omega3 commented on GitHub (Jun 6, 2018):
Enabling `include /etc/firejail/disable-mgmt.inc` gives:
Enabling `include /etc/firejail/disable-secret.inc` gives:
Actually I don't remember why I put them in my local profile and what they mean, but with the older version of firejail they were not a problem.
Enabling `blacklist ${HOME}/` gives:
That's sad because I want to blacklist /home.
Even when only one of the above is active firefox doesn't start, giving the above messages.
When I commented out those three above, firefox runs ok.
has no effect, meaning it runs ok. So blacklisting the path to the local firejail config is not a problem, blacklisting my /home/user2, the account from which I start firefox, isn't a problem, which is great to find out, but blacklisting only /home is a problem. This is something that needs fixing in firejail I think.
All the above tests were done with no firefox.profile in `/etc/firejail` and with no firecfg - I deleted those files earlier.
After this I reinstalled firejail, and with `firefox.profile` in `/etc/firejail`, after running firecfg and adding user2 to `/etc/firejail/firejail.users`, the result is the same, I mean firefox starts when the above entries are commented out but I get the warning. It says `/usr/bin/firefox`, not `/usr/local/bin/firefox`.
Hmm. In the end I would like to take advantage of the new firejail features and use at least some of the default profiles, not for web browsers but for other programs.
Firefox with a local profile should ignore firefox.profile in /etc/firejail.
Perhaps it would be good if a firejail developer looked into it and checked whether the new version of firejail with firecfg works correctly, because firejail should work with the `blacklist ${HOME}/` option.
This new version of firejail is a nightmare for me. I discovered that I can't open .bash_history because when firejail is installed dolphin starts with firejail. Now I have to study the default profiles to figure out what limits me. I would expect different behavior: the user should consciously decide what he/she wants to limit and take action to limit it.
@chiraag-nataraj commented on GitHub (Jun 6, 2018):
As I said earlier, you cannot provide options to firejail if you run it this way. So don't run `firecfg` if you want to provide these kinds of command-line arguments to firejail. It just won't work. `firecfg` is useful for those who have a standard setup and can thus put everything they need in the profile files themselves.
As an alternative to the `blacklist=${HOME}/...` statements, have you tried using `private`? This will give you the same effect (the program can't access any of your personal data), but should work in cases when `blacklist=${HOME}` won't. Also note that `${HOME}` refers to `/home/user2` and that `firejail` (by default) blocks access to the home directories of other users (so `user1` is banned from looking into `/home/user2`).
As for the other issues, can you run with `firejail --debug` or `firejail --trace --debug` so that we can get a better error message (since I am unable to reproduce on my end) (add `--debug` or `--trace --debug` to whatever other messages you have).
Also, please don't use firecfg - run `sudo firecfg --clean`. `firecfg` is not for you (and that's okay!). If you can't put your profile files in a standard location (`~/.config/firejail`), you will just create more headaches by trying to use the links generated by `firecfg`. It just won't work and you'll beat your head against the wall wondering what's broken and why none of your programs are being sandboxed properly.
For right now, don't delete any files. You can bypass `firecfg` by using `firejail <options> /usr/bin/firefox` instead of `firejail <options> firefox`. Please use this for all further testing.
@omega3 commented on GitHub (Jun 6, 2018):
Does it mean that when I work on the user2 account firejail by default will not have access to /home/user1?
Always.
`--private=/media/data/backup/jail/`
I purged firejail. Installed it again. Then I did:
`sudo firecfg --clean`
Logged in to user2
No items listed.
Enabling `include /etc/firejail/disable-mgmt.inc` gives:
Enabling `include /etc/firejail/disable-secret.inc` gives:
Enabling `blacklist ${HOME}/` gives:
With this one below firefox started but the Internet didn't work. I could not connect to google.
This is interesting:
`Mount-bind /media/data/backup/jail on top of /home/user2`
I also exported the output to txt but not the entire output was exported. I don't know how to export it properly.
`firejail --trace --debug --profile=/media/data/backup/jailkonf/.config/jail.profile --private=/media/data/backup/jail/ /usr/bin/firefox > 01.txt`
Output of that file:
https://pastebin.com/z3FqW4Nb
@chiraag-nataraj commented on GitHub (Jun 6, 2018):
Yes.
I feel like using both `--private=` (which mounts that directory over `${HOME}`) and `blacklist ${HOME}` is counterproductive. Try not enabling `blacklist ${HOME}` - if you're mounting something else over it, you don't need to blacklist it (since only the contents of the directory passed to `--private` will be available)! I should have probably caught this earlier... 😜
@omega3 commented on GitHub (Jun 6, 2018):
I don't understand.
"Try not enabling blacklist ${HOME} - if you're mounting something else over it, you don't need to blacklist it"
Try not enabling `blacklist ${HOME}` = it will be commented out, or I can remove the whole entry from the profile.
You don't need to blacklist it = it means it can stay.
It seems like two opposites.
When I removed `blacklist ${HOME}` completely from the profile, firefox starts but can't connect to the internet.
Then I changed the profile and moved it to `/home/user2/Downloads`; the output of
`firejail --trace --debug --profile=/home/user2/Downloads/jail.profile /usr/bin/firefox > 03.txt`
I removed --private so that it can create the default firefox profile/settings.
https://pastebin.com/266ppXJn
No internet connection, failed to show google.
Then I removed `blacklist ${HOME}/user2` with the same result. It looks like it can't handle a local --profile. It would be great if a developer of firejail could check with two user accounts how this new firejail version handles a local --profile for user2.
`firejail --trace --debug /usr/bin/firefox` on the user2 account starts firefox and connects to google.
@chiraag-nataraj commented on GitHub (Jun 6, 2018):
You misunderstood. What I mean is that `--private` means that no files in the original home directory (`/home/user2` or whatever) will be visible or accessible.
@omega3 commented on GitHub (Jun 6, 2018):
I see. I can keep firefox settings in home, no problem. But how can I make a local `--profile` work? Because now firefox starts but doesn't connect to the internet. I think it is a bug that when I use
`firejail --trace --debug --profile=/home/user2/Downloads/jail.profile /usr/bin/firefox`
I have no connection to the internet.
Only `firejail /usr/bin/firefox` works for me. But it uses `/etc/firejail/firefox.profile`
https://pastebin.com/tAnzqJtE
I can edit and use the default `firefox.profile` but it will change with a new firejail install. Doing this for many programs would not be the best solution. I tested all possibilities. I think someone needs to test usage of a local `--profile` for user2.
@chiraag-nataraj commented on GitHub (Jun 6, 2018):
Don't use `blacklist` and only use `--private`. (You can also put it in the profile.)
@omega3 commented on GitHub (Jun 7, 2018):
With this local profile (no blacklist) I have no internet connection.
`firejail --trace --debug --profile=/home/user2/Downloads/jail.profile /usr/bin/firefox`
With this local profile, seccomp removed:
I have an Internet connection.
I also tried
And I have an Internet connection.
If you want me to attach `--trace --debug` from those two tests above, please tell me the proper way to send the output to a file so that the whole output will be written to the file. Because before, the process seen in the terminal was so long that it wasn't written in full to a file.
@chiraag-nataraj commented on GitHub (Jun 7, 2018):
If you are using Firefox 60, this is a known issue (see #1939, #1847). So yes, `seccomp` is the issue here. In other words, if this works with `seccomp` disabled, this specific issue is solved.
To solve the `seccomp` issue: from what I understand, since this should be fixed in the current dev edition of firejail, you could just go ahead and compile from source (instead of installing the deb package). If you want help with that, open a new issue and I'll help you there. Or, you could just not put seccomp in your own profile and call it a day.
@omega3 commented on GitHub (Jun 7, 2018):
Yes, I am sorry that I have not checked this earlier.
By the way, can you tell me what you think about this:
Is it possible to sandbox all wine executable files with --net=none, or can only a specified application be run like this? I am not familiar with wine details so I don't know if running PDFXCview.exe in a firejail sandbox can prevent, for example, viruses or any dangerous files from running outside the sandbox alongside it when wine is active. Is there any "main" .exe for wine so that we can cut off internet access to wine with `--net=none`, because if someone has a virus it will not be included in the blacklist.
@chiraag-nataraj commented on GitHub (Jun 7, 2018):
No worries!
From what I remember of `wine` you run a program as `wine <program>`, right? I would create a local `wine` profile with `net none` (as well as `include`ing the upstream `wine` profile). Then, if a particular application breaks, just run it as `firejail --ignore=net wine <program>`. This way, you're protected by default but can selectively allow internet access for Windows applications that need it.
@omega3 commented on GitHub (Jun 7, 2018):
Ok. Thank you for explanation and for your patience.
I installed firejail version 0.9.55 and with seccomp in profile there is still no internet connection.
Should I first remove old version before compiling and installing a new one?
@chiraag-nataraj commented on GitHub (Jun 7, 2018):
Right, because `seccomp` itself hasn't changed. The change I was talking about was in the default profiles (afaik). As I said, you'd get the same effect by not including `seccomp` in your profile.
Also note that the compiled version installs profiles to `/usr/local/etc/firejail`, so the includes in your `/media/<blah>` profile are using the old profiles, not the ones that come with the development version of firejail (which are in `/usr/local/etc/firejail`).
@omega3 commented on GitHub (Jun 7, 2018):
So, I can benefit from this `seccomp` fix in the new development version if I decide to use the default profile in `/usr/local/etc/firejail`? If I understand correctly this will not change with the next stable deb release. I will not be able to use the `seccomp` option in a local `--profile`. I will be able to use the `seccomp` option only with the default profile from `/usr/etc/firejail`, correct?
Why is the bug fix not "system wide", and why doesn't it allow including `seccomp` in local profiles?
To me it looks like the new versions limit the options available for local / custom profiles.
@chiraag-nataraj commented on GitHub (Jun 7, 2018):
Let me try to spell it out, since communication seems to keep getting mixed up 😂
- The problem is Firefox's `seccomp` filter (Firefox has its own built-in `seccomp` filter now, similar to Chrom[e/ium], and firejail's `seccomp` filter interferes with Firefox's ability to set up its own filter).
- `seccomp` works just fine on the `firejail` end. But due to the problem with `firefox`, I believe `seccomp` was removed (by default) from the `firefox` profile only (not any other profiles - again, the problem isn't with firejail - it's a problem with the interaction between firejail and firefox).
I hope this clears things up. Communication over the internet is hard 😀
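Two mechanics keep tripping this thread up: whether the `firefox` on PATH is the real binary or the `firecfg` symlink to `firejail` (so extra options cannot be passed), and where firejail picks its profile from when no `--profile=` is given (per-user `~/.config/firejail` first, then the system profile directory; an explicit `--profile=` path bypasses that lookup). The script below is an added example, not code from the firejail project or from anyone in this thread. It emulates the lookup order in plain shell on a scratch directory tree (no firejail installation needed) and writes a per-user profile that reuses the upstream profile via `include` while cancelling single lines with `ignore`, the pattern suggested above for `disable-mnt`, `seccomp` and `net none`. The scratch paths, the stand-in upstream profile and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example; not part of firejail or of this issue thread.
# Directory names are parameters so the functions run on a scratch tree; on a
# real system they are "$HOME/.config/firejail" and /etc/firejail (or
# /usr/local/etc/firejail for a source build).

# Print "symlink-to-firejail", "symlink" or "binary" for a command path.
# After 'sudo firecfg', /usr/local/bin/firefox is a symlink to firejail, so
# 'firejail --profile=... firefox' resolves to the symlink, not to the program.
classify_command() {
    path=$1
    if [ -L "$path" ]; then
        target=$(readlink -f "$path")
        case "$(basename "$target")" in
            firejail) echo "symlink-to-firejail" ;;
            *)        echo "symlink" ;;
        esac
    else
        echo "binary"
    fi
}

# Emulation of the default profile lookup: the per-user directory wins, then
# the system directory; prints "none" and fails if neither has <name>.profile.
resolve_profile() {
    name=$1; user_dir=$2; sys_dir=$3
    for dir in "$user_dir" "$sys_dir"; do
        if [ -f "$dir/$name.profile" ]; then
            printf '%s\n' "$dir/$name.profile"
            return 0
        fi
    done
    echo "none"
    return 1
}

# Write a per-user profile that includes the upstream one. Extra arguments are
# profile lines placed BEFORE the include, e.g. "ignore seccomp" (Firefox and
# Opera ship their own seccomp sandbox), "ignore disable-mnt" (to reach
# /media), or "net none" (wine without network). An 'ignore' directive only
# cancels lines read after it, which is why these lines precede the include.
write_local_profile() {
    name=$1; user_dir=$2; sys_dir=$3
    shift 3
    mkdir -p "$user_dir"
    out="$user_dir/$name.profile"
    {
        echo "# per-user profile for $name; keep it where the sandbox cannot write"
        for line in "$@"; do printf '%s\n' "$line"; done
        echo "include $sys_dir/$name.profile"
    } > "$out"
    printf '%s\n' "$out"
}

# Self-contained demonstration on a constructed scratch tree.
demo() {
    tmp=$(mktemp -d)
    sys="$tmp/etc/firejail"; usr="$tmp/home/user2/.config/firejail"
    mkdir -p "$sys" "$usr" "$tmp/usr/local/bin" "$tmp/usr/bin"
    printf 'seccomp\ndisable-mnt\n' > "$sys/firefox.profile"   # stand-in upstream profile
    : > "$tmp/usr/bin/firejail"; : > "$tmp/usr/bin/firefox"     # stand-in binaries
    ln -s "$tmp/usr/bin/firejail" "$tmp/usr/local/bin/firefox"  # what firecfg creates
    classify_command "$tmp/usr/local/bin/firefox"               # symlink-to-firejail
    classify_command "$tmp/usr/bin/firefox"                     # binary
    resolve_profile firefox "$usr" "$sys"                       # system profile so far
    write_local_profile firefox "$usr" "$sys" "ignore seccomp" "ignore disable-mnt" >/dev/null
    resolve_profile firefox "$usr" "$sys"                       # now the per-user one
    cat "$usr/firefox.profile"
    rm -rf "$tmp"
}

demo
```

For the wine case from later in the thread, `write_local_profile wine "$HOME/.config/firejail" /etc/firejail "net none"` produces a profile that cuts every `wine <program>` off the network by default, with `firejail --ignore=net wine <program>` as the per-run exception. When capturing `--debug` or `--trace` output to a file, redirect both streams (`firejail ... /usr/bin/firefox > out.txt 2>&1`); `> out.txt` alone keeps only stdout, which is why the pasted logs above came out incomplete.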
@omega3 commented on GitHub (Jun 7, 2018):
With local profile:
opera doesn't start correctly. The process ends with this line
`monitoring pid 4`
and hangs. The Opera window doesn't appear.
https://pastebin.com/LwVXkE0W
When I remove `seccomp` from this profile opera runs ok.
@chiraag-nataraj commented on GitHub (Jun 7, 2018):
Yes, I believe `opera` uses the Chromium sandbox and thus will not work with `seccomp` enabled. Again, the seccomp feature is not broken. It so happens that these programs implement their own sandboxes, which they cannot do if firejail sandboxes them first. Instead of continuing, say, after a warning, they decide to just fail badly. That is not a problem with firejail.
Regardless, the original problem in this thread seems to have been solved and I'm going to close it. If you have more questions about the way firejail works, please open a new issue. Thanks!