mirror of
https://github.com/netblue30/firejail.git
synced 2026-05-15 14:16:14 -06:00
[GH-ISSUE #4430] Discord doesn't start #2670
Originally created by @DatAres37 on GitHub (Jul 31, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4430
I'm rather a newbie with firejail, so I hope it's not my own fault. I tried to read the docs first and looked for similar issues.
Bug and expected behavior

I tried to start Discord (Manjaro repository) and discord_arch_electron (AUR; preferably) with the default firejail profile, but none of them seem to work.

No profile and disabling firejail

With `firejail --noprofile /path/to/program` in a terminal, or without firejail (e.g. `/usr/bin/vlc`)? The applications run without a problem.

Reproduce

Steps to reproduce the behavior:

`firejail discord` (default Discord)

discord_arch_electron

When I whitelist /usr/bin/electron for discord_arch_electron it's `Cannot start application: Permission denied`

Environment

Additional context

Apparently there is a symlink /usr/bin/discord -> /opt/discord/Discord for the default Discord installation.

Checklist

- (https://github.com/netblue30/firejail/issues/1139)
- `--profile=PROFILENAME` is used to set the right profile.
- `LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 PROGRAM` to get English error messages.
- `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers.
- debug output default discord
debug output discord_arch_electron
@rusty-snake commented on GitHub (Jul 31, 2021):
What does `sysctl kernel.unprivileged_userns_clone` show?

What's in it?

I'll add `private-bin electron,electron[0-9],electron[0-9][0-9]` to all of them.

So discord works then but discord_arch_electron not? If so try to run it with the noprofile.profile.
@DatAres37 commented on GitHub (Jul 31, 2021):
`kernel.unprivileged_userns_clone = 1`

It only contains `blacklist /data`, a partition of mine.

No, both don't work with the output I posted.

`Parent is shutting down` is immediately shown when I run the default Discord. Every other app I've tried yet works with firejail.
@rusty-snake commented on GitHub (Jul 31, 2021):
Does it work with noprofile.profile?
@DatAres37 commented on GitHub (Jul 31, 2021):
Oh, I thought this was the same as --noprofile. No it doesn't work apparently
After creating a symlink from /usr/lib/firejail/seccomp.debug32 (not existing) to /usr/lib/firejail/seccomp.debug:
Again immediately shutting down 😕
I just wonder why I'm the first or the only one with the issue atm, I think discord is fairly popular.
Should it already work when I add `private-bin electron,electron[0-9],electron[0-9][0-9]` to discord.local with discord_arch_electron? Since I still get `Cannot start application: Permission denied`

@rusty-snake commented on GitHub (Jul 31, 2021):
I'm wondering too but if noprofile.profile does not work there is little to no hope.
Sum up:
Is there any difference between `firejail --noprofile ls -l /opt/discord` and `ls -l /opt/discord`?

Is there any non-default setting in `/etc/firejail/firejail.config`?

What does `firejail --noprofile --debug /opt/discord/Discord` show?

Anyone else, ideas?
Don't do this. Never "fix" things by creating symlinks in /usr/lib.
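The checks from the sum-up above, as an added example that is not part of the issue thread or of the firejail project. The optional file-path arguments are an assumption made so the parsing can be exercised against sample files; the sandbox-versus-host listing comparison needs firejail installed and otherwise reports that it could not run.

```shell
#!/bin/sh
# Added example, not from the issue thread or the firejail project: the
# sum-up checks as functions that run on a live host or, via the optional
# path arguments (an assumption for offline use), against sample files.

# 1. Does the kernel allow unprivileged user namespaces? Reads the sysctl
#    through /proc; returns 2 when this kernel does not have the sysctl.
userns_clone_enabled() {
    local f="${1:-/proc/sys/kernel/unprivileged_userns_clone}"
    [ -r "$f" ] || return 2
    [ "$(cat "$f")" = "1" ]
}

# 2. Non-default settings in firejail.config. The shipped file keeps every
#    default commented out, so any uncommented, non-empty line is a local
#    change worth mentioning in a bug report.
active_config_settings() {
    local f="${1:-/etc/firejail/firejail.config}"
    grep -Ev '^[[:space:]]*(#|$)' "$f" 2>/dev/null || true
}

# 3. Mode of a named AppArmor profile, read from the kernel's profile list
#    (lines look like "discord (complain)"). Prints enforce, complain or
#    unloaded. A profile removed with aa-disable no longer appears here,
#    while aa-complain keeps it loaded, which is the difference that
#    mattered in this thread.
aa_profile_mode() {
    local name="$1" f="${2:-/sys/kernel/security/apparmor/profiles}" mode
    [ -r "$f" ] || { echo unavailable; return 2; }
    mode=$(awk -v n="$name" '$1 == n { gsub(/[()]/, "", $2); print $2; exit }' "$f")
    echo "${mode:-unloaded}"
}

# 4. Does the sandbox see the install directory differently from the host?
#    Returns 2 when firejail is missing or the directory does not exist.
#    Identical listings (as in the thread) rule out a mount or permission
#    problem inside the sandbox and point at something outside it, such as
#    an LSM profile on the host.
sandbox_view_differs() {
    local dir="${1:-/opt/discord}" host sb
    command -v firejail >/dev/null 2>&1 || return 2
    [ -d "$dir" ] || return 2
    host=$(ls -l "$dir")
    sb=$(firejail --quiet --noprofile ls -l "$dir")
    [ "$host" != "$sb" ]
}

# Run the checks against the live system.
userns_clone_enabled && echo "userns: enabled" || echo "userns: disabled or sysctl absent"
echo "active firejail.config settings:"
active_config_settings
for p in discord firejail-default; do
    echo "apparmor $p: $(aa_profile_mode "$p")"
done
sandbox_view_differs && echo "sandbox view differs from host" \
    || echo "sandbox view identical, or firejail/directory missing"
# Remaining step from the sum-up, to run by hand and read through:
#   firejail --noprofile --debug /opt/discord/Discord
```

Identical listings plus a loaded but non-enforcing profile is exactly the combination the reporter ended up with, so `aa_profile_mode discord` printing `complain` rather than `unloaded` is the line to look at first.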
@DatAres37 commented on GitHub (Jul 31, 2021):
Nope, same files and subfolders.
No differences. Just compared them to make sure.
I just tried the same thing on my laptop with an Arch install and it worked there 🤔 I haven't found a reason for this yet. I completely purged my Discord install with all config files.
@rusty-snake commented on GitHub (Jul 31, 2021):
I mainly focused on permissions/owners
If you add `--help` to discord, does it show something (if it shows something w/o firejail)? IDK how you can set the log level in discord, but if you know try to set it to debug or so.

BTW is anything in the syslog? (watch `journalctl --boot --pager-end --follow` while starting discord)

@DatAres37 commented on GitHub (Jul 31, 2021):
I just ran it with --apparmor and it works now. I don't really understand what this trigger does though. I'm using apparmor on my system, but the profiles for discord, chromium, electron etc. were not enforced. I even disabled apparmor completely and changed my boot parameters to disable it 😐
Does this make any sense?
@rusty-snake commented on GitHub (Jul 31, 2021):
😕
Not really however it can point us in the right direction.
@DatAres37 commented on GitHub (Aug 2, 2021):
It now works after disabling the discord apparmor profile with `aa-disable` instead of `aa-complain`. Not sure how it survived the global deactivation of apparmor tho. I even deleted the discord apparmor profile at some point without success. Guess I have to read the manual again.

One last question: Is it recommended to run firejail applications with --apparmor as an additional security layer or not? If I understand the docs correctly it just uses the firejail-default profile. I didn't notice any difference running Discord with or without it.
@rusty-snake commented on GitHub (Aug 2, 2021):
Yes. (If your system and firejail have AA)
What kind of difference did you expected?
@DatAres37 commented on GitHub (Aug 2, 2021):
Nothing specific. I just assumed there would be some kind of difference, but apparmor is probably just doing its things behind the scenes 🙂
So could I just add `apparmor` to globals.local and every application would run with the firejail-default profile? I assume the firejail-default profile just provides everything firejail needs to run. I'd rather not use custom Apparmor profiles, since this probably generates a lot of headache.

@rusty-snake commented on GitHub (Aug 2, 2021):
Most applications will run but some don't. For them you need to add `ignore apparmor` to PROGRAM.local. tor-browser for example.
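The per-user overrides discussed in the last few comments (`apparmor` in globals.local, `ignore apparmor` and the electron `private-bin` line in a PROGRAM.local), as an added example that is not from the issue thread or the firejail project. Firejail reads `~/.config/firejail/PROGRAM.local` for additions to one profile and `~/.config/firejail/globals.local`, which every profile includes, for additions to all of them; the directory argument is an assumption so the helpers can be tried in a scratch directory, and "discord" and "tor-browser" are the thread's own examples.

```shell
#!/bin/sh
# Added example, not from the issue thread or the firejail project: helpers
# that write the .local overrides discussed above. The directory argument
# is an assumption (default ~/.config/firejail) so they can be tried safely.

# Append one directive to a .local file exactly once, so re-running the
# helpers never duplicates lines.
add_directive() {
    local dir="$1" file="$2" line="$3"
    mkdir -p "$dir"
    grep -qxF -- "$line" "$dir/$file" 2>/dev/null || printf '%s\n' "$line" >> "$dir/$file"
}

# Turn on firejail's own AppArmor confinement (the firejail-default profile)
# for every sandbox, the same effect as passing --apparmor each time.
enable_apparmor_globally() {
    add_directive "${1:-$HOME/.config/firejail}" globals.local apparmor
}

# Opt one program out of that global setting. "ignore" only cancels
# directives parsed after it, and the stock profiles include PROGRAM.local
# near their top, before globals.local, which is why this placement works.
ignore_apparmor_for() {
    add_directive "${2:-$HOME/.config/firejail}" "$1.local" "ignore apparmor"
}

# Let private-bin keep the electron binaries discord_arch_electron needs
# (private-bin lines accumulate, so this adds to the profile's own list).
allow_electron_binaries_for() {
    add_directive "${2:-$HOME/.config/firejail}" "$1.local" \
        'private-bin electron,electron[0-9],electron[0-9][0-9]'
}

# Print the override files that apply to one program.
show_overrides() {
    local dir="${2:-$HOME/.config/firejail}" f
    for f in "$dir/globals.local" "$dir/$1.local"; do
        [ -f "$f" ] && { echo "== $f"; cat "$f"; }
    done
    return 0
}

# Demonstration in a scratch directory; drop the argument to write to
# ~/.config/firejail for real.
d=$(mktemp -d)
enable_apparmor_globally "$d"
enable_apparmor_globally "$d"        # second call is a no-op
ignore_apparmor_for tor-browser "$d"
allow_electron_binaries_for discord "$d"
show_overrides tor-browser "$d"
show_overrides discord "$d"
rm -rf "$d"
```

After writing the files, `firejail --debug-profile` (or `--debug`) on the program shows which directives were actually applied, which is the quickest way to confirm that the `ignore` line landed before the `apparmor` it is meant to cancel.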
@kmk3 commented on GitHub (Aug 3, 2021):
@rusty-snake commented 13 hours ago:

I don't know much about this, but the wiki makes it sound closer to "it depends"[1]:

[...]

Is the above still the case or is it safe to always use firejail with apparmor now?
[1] https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions/fdcdff99b805dc34ecdf6f2c0f12c3444846fcdf#how-does-it-compare-with-apparmor
@rusty-snake commented on GitHub (Aug 3, 2021):
It's still the case. You should either use `firejail [--apparmor]` or an AppArmor profile (e.g. `usr.bin.firefox`). `--apparmor` isn't the problem, the problem is with full AA profiles for special programs.

@kmk3 commented on GitHub (Aug 3, 2021):
I see; I thought that apparmor was always either fully enforcing (i.e.: with the app-specific profile) or off.

I didn't know that there were two different "security levels" (default profile vs app-specific profile). From your reply and from reading the APPARMOR section on the man page, this part makes sense now.

But the wiki and the man page talk about apparmor in very different ways, so it still seems confusing. For example, the man page details what the default profile does, but it does not mention app-specific profiles, nor that using firejail + apparmor may cause issues. The wiki talks about configuring app-specific profiles (but does not mention the default profile), that firejail and apparmor may "cancel eachother out rather than be complementary" and that there are "multiple reports about broken apps when AppArmor and Firejail are used at the same time".
@DatAres37 commented on GitHub (Aug 4, 2021):
That's true, the documentation on this could be a bit better. I had to look in three different places to get all the info I needed (this wiki, the official website and some other blog).