mirror of
https://github.com/netblue30/firejail.git
synced 2026-05-15 14:16:14 -06:00
[GH-ISSUE #3744] zoom: program does not start (missing whitelist) #2362
Originally created by @educanorama on GitHub (Nov 12, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3744
Zoom loads in firejail with `firejail --noprofile /usr/bin/zoom` and `firejail --noprofile zoom`, but crashes with `firejail zoom` although 'firejail zoom' ran perfectly only a week ago.
I am now on openSUSE Tumbleweed snapshot 20201110. The zoom.profile file date is 11/8/2020.
The problem looks similar to: 3726. Unfortunately, I'm not nearly as sophisticated as the users who contributed to this thread, and have no idea what troubleshooting steps to take next.
Attached are my /etc/firejail/zoom.profile, zoom.local, zoomus.conf and the output of firejail --debug zoom.
[firejail_debug_educanorama.txt](https://github.com/netblue30/firejail/files/5531
zoom.local.txt
zoom.profile.txt
zoomus.conf.txt
@educanorama commented on GitHub (Nov 12, 2020):
The output of firejail --debug zoom didn't come through. I'll cut and paste:
@ghost commented on GitHub (Nov 12, 2020):
Discussion in #3726 resulted in disabling private-etc in our zoom.profile, see 796b4cf335. Your firejail version probably still comes with an older version of that file, so you'll need to create ${HOME}/.config/firejail/zoom.local and add `ignore private-etc` to it.
@educanorama commented on GitHub (Nov 12, 2020):
Still crashes, unfortunately. With your addition, my zoom.local file now reads:
@ghost commented on GitHub (Nov 12, 2020):
@educanorama Your attached zoom.profile shows it already has:
Better take those out of your zoom.local and only keep `ignore private-etc` while trying to debug further. Not seeing anything obvious I'm afraid, so you will have to experiment with commenting every line until something useful turns up.
@educanorama commented on GitHub (Nov 12, 2020):
Progress. Firejail zoom worked after I commented out the line `include whitelist-runuser-common.inc` as root while editing /etc/firejail/zoom.profile.
I undid this edit, and then looked at whitelist-runuser-common.inc. It reads:
I tried commenting out the seven whitelist lines above individually as root, without success. However, when I commented out all seven at the same time, firejail zoom again worked.
I undid these edits, and added the lines below as non-root user to ~/.config/firejail/zoom.local .
Firejail zoom works again. I also added back the lines you suggested I delete while troubleshooting, and commented out ignore private-etc. The current zoom.local reads:
Firejail zoom works properly with this configuration.
Is it safe to presume the problem to be fixed? I don't know what these parameters mean, how much (if any) firejail functionality I have disabled through these edits.
FWIW: I run X, rather than Wayland, with the nvidia driver.
And before I forget: thanks very much for helping me troubleshoot this issue.
@rusty-snake commented on GitHub (Nov 12, 2020):
Can you post `ls -la /run/user/$UID`.
This line is in zoom.profile too
This disables all seccomp filtering.
`ignore include whitelist-runuser-common.inc` should work
Because whitelisting in /run/user/UID is then not enabled.
@educanorama commented on GitHub (Nov 12, 2020):
Happily:
If I understand the rest of your message, it sounds like `protocol unix,inet,inet6,netlink` in zoom.local is redundant/unnecessary, and that my system is more secure without `ignore seccomp` and `seccomp !chroot` in zoom.local. Is that correct?
@educanorama commented on GitHub (Nov 12, 2020):
Rusty-snake, I just saw the edit to your message above: `ignore include whitelist-runuser-common.inc` in place of the seven specific 'ignore whitelist' lines did not work. My current zoom.local reads:
I'm running KDE Plasma 5.20.2.
@rusty-snake commented on GitHub (Nov 12, 2020):
Remove all the ignore wruc lines in your zoom.local. Then add `whitelist ${RUNUSER}/xauth_*`.
Besides, is anything in the syslog (`journalctl --boot --pager-end --follow`)?
Yes, see zoom.profile (`cat /etc/firejail/zoom.profile`)
it's more secure w/o `ignore seccomp`.
`seccomp !chroot` is redundant as it is in zoom.profile.
@educanorama commented on GitHub (Nov 12, 2020):
Success. `whitelist ${RUNUSER}/xauth_*` is now the only line in zoom.local. `Firejail zoom` works.
A lot! I have attached a log.
journalctl_boot_pager-end_follow.txt
Thanks for responding to my other questions, and for all your help with troubleshooting.
It's getting late here (I'm in Europe), so I'm about to disappear for the night, but will return to this thread in the morning.
@educanorama commented on GitHub (Nov 13, 2020):
Please let me know if there are any other troubleshooting steps you'd like me to try, either for my benefit or to help with firejail.
I will be hosting two Zoom meetings this weekend. If all goes well, I will close this thread on Monday.
@rusty-snake commented on GitHub (Nov 13, 2020):
bd539da
@educanorama commented on GitHub (Nov 15, 2020):
I just wrapped up the second meeting while running Zoom in firejail, with `whitelist ${RUNUSER}/xauth_*` as the only line in zoom.local and no other changes to standard configuration.
No problems at all! Thanks again very much for your help.
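Once a profile whitelists anything under `${RUNUSER}`, only the whitelisted entries stay visible there, which is why a single missing pattern broke Zoom in this thread. The following script is an added example, not part of the thread or of firejail itself: it lists the runtime-directory entries that no `whitelist ${RUNUSER}/...` line covers, so the gap can be found without commenting out lines one by one. The fixture (file names, the sample include file, the `xauth_AbCdEf` entry) is constructed, and matching on the first path component only is a simplifying assumption.

```shell
#!/bin/sh
# Added example (not firejail code): report top-level entries of a runtime
# directory that no "whitelist ${RUNUSER}/..." line in the given profile
# files covers. Simplification (assumption): an entry counts as covered when
# the first path component of some whitelist pattern glob-matches its name.

# is_covered NAME PATTERNS  (PATTERNS: one glob per line)
is_covered() {
    while IFS= read -r pat; do
        [ -n "$pat" ] || continue
        # An unquoted pattern in `case` is matched as a glob, never expanded.
        case $1 in $pat) return 0 ;; esac
    done <<EOF
$2
EOF
    return 1
}

# uncovered_entries RUNDIR PROFILE_FILE...
uncovered_entries() {
    rundir=$1; shift
    # Only lines that start with "whitelist" match, so comments and
    # "ignore whitelist ..." lines are skipped.
    patterns=$(sed -n 's|^[[:space:]]*whitelist[[:space:]]\{1,\}[$]{RUNUSER}/\([^/[:space:]]*\).*|\1|p' "$@")
    for entry in "$rundir"/* "$rundir"/.[!.]*; do
        [ -e "$entry" ] || continue
        name=${entry##*/}
        is_covered "$name" "$patterns" || printf '%s\n' "$name"
    done | sort
}

# Constructed fixture: a fake runtime dir plus a sample include file.
# File names and whitelist lines are invented for the demo.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/run/pulse"
    touch "$d/run/bus" "$d/run/ICEauthority" "$d/run/pulse/native" "$d/run/xauth_AbCdEf"
    printf '%s\n' '# sample include' 'whitelist ${RUNUSER}/bus' \
        'whitelist ${RUNUSER}/ICEauthority' 'whitelist ${RUNUSER}/pulse/native' > "$d/common.inc"
    printf '%s\n' 'whitelist ${RUNUSER}/xauth_*' > "$d/zoom.local"
    printf '%s\n' "$d"
}

fx=$(make_fixture)
echo "hidden with sample include only: $(uncovered_entries "$fx/run" "$fx/common.inc")"
echo "hidden after adding zoom.local:  $(uncovered_entries "$fx/run" "$fx/common.inc" "$fx/zoom.local")"
rm -rf "$fx"
```

On a real system, pass `/run/user/$(id -u)` as the directory, followed by the profile files in effect, such as the `whitelist-runuser-common.inc` that zoom.profile includes and `~/.config/firejail/zoom.local`.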