mirror of
https://github.com/netblue30/firejail.git
synced 2026-05-15 14:16:14 -06:00
[GH-ISSUE #3726] zoom: program does not start (private-etc) #2348
Reference: github-starred/firejail#2348
Originally created by @hyiltiz on GitHub (Nov 5, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3726
Bug and expected behavior

Zoom insta crashes with profile, but succeeds without. The error message in a `firejail --debug` call is:

Expected: Zoom opens and works as a video conference app.

No profile and disabling firejail

With `firejail --noprofile /path/to/program` in a terminal, Zoom opens fine:

command line output

```
firejail --noprofile zoom
Parent pid 183899, child pid 183900
Child process initialized in 6.29 ms
Warning: an existing sandbox was detected. /usr/bin/zoom will run without any additional sandboxing features
```

Calling the program by path (checked with `which <program>` or `firejail --list` while the sandbox is running):

command line output

```
$ /opt/zoom/zoom # works!
```

Reproduce

Steps to reproduce the behavior:

`firejail zoom`

command line output

```
zoom &
Reading profile /etc/firejail/zoom.profile
hyiltiz@iPhone ~/D/AdvStats2020>
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 183689, child pid 183712
Warning fcopy: skipping /etc/alternatives/wine.fr.1.gz, cannot find inode
Error fcopy: size limit of 500 MB reached
Warning: skipping crypto-policies for private /etc
Private /etc installed in 41.95 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Blacklist violations are logged to syslog
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Child process initialized in 302.50 ms
Parent is shutting down, bye...
Job 1, 'zoom &' has ended
```
$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux bullseye/sid
Release: testing
Codename: bullseye
firejail version 0.9.64
Compile time support:
- AppArmor support is enabled
- AppImage support is enabled
- chroot support is enabled
- D-BUS proxy support is enabled
- file and directory whitelisting support is enabled
- file transfer support is enabled
- firetunnel support is enabled
- networking support is enabled
- overlayfs support is enabled
- private-home support is enabled
- SELinux support is enabled
- user namespace support is enabled
- X11 sandboxing support is enabled
@rusty-snake commented on GitHub (Nov 6, 2020):

Can you try `firejail --private-etc=passwd /opt/zoom/zoom`.

@hyiltiz commented on GitHub (Nov 7, 2020):

@rusty-snake commented on GitHub (Nov 7, 2020):

No idea, maybe `--ignore=private-etc` helps. If not you need to comment the profile line for line.

@hyiltiz commented on GitHub (Nov 8, 2020):

`--ignore=private-etc` does allow zoom to start (no longer insta-crashes). Next step is to incrementally find which one in the private-etc list is the culprit? Any guesses?

@rusty-snake commented on GitHub (Nov 8, 2020):

It already contains `ld.so.cache` and the others. No idea. Can you run `firejail --build zoom`.

@hyiltiz commented on GitHub (Nov 8, 2020):

@rusty-snake commented on GitHub (Nov 8, 2020):

Maybe `firejail --private-etc=passwd,drirc /opt/zoom/zoom`. If not try the full line `firejail --private-etc=machine-id,fonts,drirc,hosts,dconf,ssl,os-release,timezone,login.defs,passwd,selinux /opt/zoom/zoom`.

@hyiltiz commented on GitHub (Nov 8, 2020):

`--private-etc=passwd,drirc` quits with the same error. The full line:

Syslog says:

About that `libGL` file:

Adding `,alternatives` to the `private-etc` list started(?) zoom, according to the text output, but crashed immediately with another error about `libqsvg`:

Now about that `svg` library:

Not sure how to further pursue though.
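As an added example (not from this thread and not firejail's own code), the following POSIX shell script automates the "comment the profile line for line" search discussed above: it starts from a private-etc list that is known to work, drops one entry at a time, and keeps an entry only if the program fails to start without it. The names `minimize_private_etc`, `remove_entry`, `fake_check` and `firejail_check` are mine. `fake_check` is a constructed stand-in whose dependency on `passwd` and `alternatives` is made up for the demonstration; `firejail_check` is the assumed real wrapper, which treats a launch that is still alive when `timeout` kills it after 10 seconds (exit status 124) as a successful start.

```shell
#!/bin/sh
# Added example, not from the issue thread: reduce a private-etc list to the
# entries a program actually needs, automating the line-by-line bisection.
# All function names here are hypothetical.

# remove_entry LIST ENTRY: print the comma-separated LIST without ENTRY.
remove_entry() {
    printf '%s\n' ",$1," | sed "s/,$2,/,/" | sed 's/^,//; s/,$//'
}

# minimize_private_etc LIST CHECK: CHECK is a command that receives a
# comma-separated private-etc list and exits 0 when the program starts with it.
# Every entry is dropped in turn and kept only if the program fails without it.
# Prints the reduced list; returns 1 if even the full list does not work.
minimize_private_etc() {
    mpe_current=$1
    mpe_check=$2
    "$mpe_check" "$mpe_current" || return 1
    for mpe_entry in $(printf '%s' "$1" | tr ',' ' '); do
        mpe_trial=$(remove_entry "$mpe_current" "$mpe_entry")
        if "$mpe_check" "$mpe_trial"; then
            mpe_current=$mpe_trial   # still starts without it: entry not needed
        fi
    done
    printf '%s\n' "$mpe_current"
}

# Constructed stand-in for a real launch: this pretend program "starts" only
# when both passwd and alternatives are present (the dependency set is made up).
fake_check() {
    case ",$1," in
        *,passwd,*) case ",$1," in *,alternatives,*) return 0 ;; esac ;;
    esac
    return 1
}

# Assumed real check for a GUI program (not run here): a process that is still
# running when timeout expires yields exit status 124, which we take as
# "started"; an immediate crash exits earlier with some other status.
firejail_check() {
    fj_status=0
    timeout 10 firejail --quiet --private-etc="$1" /opt/zoom/zoom >/dev/null 2>&1 || fj_status=$?
    [ "$fj_status" -eq 124 ]
}

# The full line from the thread plus the alternatives entry added later.
FULL_LIST="machine-id,fonts,drirc,hosts,dconf,ssl,os-release,timezone,login.defs,passwd,selinux,alternatives"

# Usage against the constructed check; swap fake_check for firejail_check
# to run the same search against a real sandbox.
minimize_private_etc "$FULL_LIST" fake_check
# prints: passwd,alternatives
```

The search is linear rather than a true binary search because private-etc entries are independent of each other and the list is short, so one launch per entry is cheap and the result is deterministic. Note that the reduced list is the minimum for the code paths exercised during the check window only; features used later (joining a call, sharing a screen) may need entries that a 10-second start test never touches.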
@rusty-snake commented on GitHub (Nov 8, 2020):

Actually we should disable private-etc now IMHO.

@hyiltiz commented on GitHub (Nov 8, 2020):

That does work. Can't there be a blacklisting-based private-etc so we can disallow things like /etc/shadow and whatnot? Also, why the hell does a program installed in `/opt/zoom` ever want to visit anything in `/etc/`...

@rusty-snake commented on GitHub (Nov 9, 2020):

I like that idea. I'll start a `disable-etc-common.inc`. UPDATE: all paths which are worth blacklisting are already blacklisted in `disable-common.inc`.

I hope `/etc/shadow` is not world readable on your system.

- `/etc/resolv.conf` (the alternative would be to hardcode a DNS server, which is almost always Google DNS)
- `/etc/ld.so.cache`, `/etc/ld.so.preload`
- `/etc/crypto-policies`, `/etc/pki`, `/etc/ssl`, `/etc/ca-certificates`
- `/etc/passwd`
- `/etc/localtime`
- `/etc/machine-id`
- `/etc/networks`
- `/etc/fonts`