Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

firefox: whitelisting in ${RUNUSER} breaks Wayland and portals #6317

Open
4 of 7 tasks
omega3 opened this issue Apr 20, 2024 · 2 comments
Open
4 of 7 tasks

firefox: whitelisting in ${RUNUSER} breaks Wayland and portals #6317

omega3 opened this issue Apr 20, 2024 · 2 comments

Comments

@omega3
Copy link

omega3 commented Apr 20, 2024

Description

I want to run local profile to be able to use Plasma file picker on Wayland.
I do have xdg-destop-portal and xdg-destop-portal-kde and xdg-destop-portal-gtk installed.

It works well when I have just:

dbus-user.talk org.freedesktop.portal.Desktop
ignore noroot

but when I start adding other entries like:
whitelist ${RUNUSER}/pipewire-0
or
whitelist ${RUNUSER}/kpxc_server

it produces error:

firejail --profile=/home/user/jail/.config/firejail/firefox.local /usr/lib/firefox/firefox
Reading profile /home/user/jail/.config/firejail/firefox.local
Ignoring "dbus-user.talk org.freedesktop.portal.Desktop" and 1 other dbus-user filter rule.
Parent pid 41875, child pid 41876
Child process initialized in 12.04 ms
[7] Wayland Proxy [0x7fd9b0f79120] Error: CheckWaylandDisplay(): Failed to connect to Wayland display '/run/user/1000/wayland-0' error: No such file or folder
Authorization required, but no authorization protocol specified

Error: we don't have any display, WAYLAND_DISPLAY='wayland-0' DISPLAY=':1'

Parent is shutting down, bye...

So such profile deosn't work:

dbus-user.talk org.freedesktop.portal.Desktop
ignore noroot

whitelist ${RUNUSER}/pipewire-0
dbus-user.talk org.freedesktop.portal.*
whitelist /usr/share/pipewire/client.conf


noblacklist ${HOME}/.cache/mozilla
noblacklist ${HOME}/.mozilla
noblacklist ${RUNUSER}/*firefox*

mkdir ${HOME}/.cache/mozilla/firefox
mkdir ${HOME}/.mozilla
whitelist ${HOME}/.cache/mozilla/firefox
whitelist ${HOME}/.mozilla

# firefox requires a shell to launch on Arch - add the next line to your firefox.local to enable private-bin.
private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which

When I set profile like this:

dbus-user.talk org.freedesktop.portal.Desktop
ignore noroot

#whitelist ${RUNUSER}/pipewire-0
dbus-user.talk org.freedesktop.portal.*
#whitelist /usr/share/pipewire/client.conf


noblacklist ${HOME}/.cache/mozilla
noblacklist ${HOME}/.mozilla
noblacklist ${RUNUSER}/*firefox*

mkdir ${HOME}/.cache/mozilla/firefox
mkdir ${HOME}/.mozilla
whitelist ${HOME}/.cache/mozilla/firefox
whitelist ${HOME}/.mozilla

it shows:

firejail --profile=/home/user/jail/.config/firejail/firefox.local /usr/lib/firefox/firefox
Reading profile /home/user/jail/.config/firejail/firefox.local
Ignoring "dbus-user.talk org.freedesktop.portal.Desktop" and 1 other dbus-user filter rule.
Parent pid 43306, child pid 43307
8 programs installed in 11.10 ms
Child process initialized in 19.95 ms
[Parent 15, Main Thread] WARNING: Server is missing xdg_foreign support: 'glib warning', file /usr/src/debug/firefox/firefox-125.0.1/toolkit/xre/nsSigHandlers.cpp:187

and it doesn't save files.

My about:config portals
https://i.imgur.com/mQXlUP0.png

Environment

Operating System: Manjaro Linux
KDE Plasma Version: 5.27.11
KDE Frameworks Version: 5.115.0
Qt Version: 5.15.12
Kernel Version: 6.6.26-1-MANJARO (64-bit)
Graphics Platform: Wayland

firejail version 0.9.72 from official repo
I wanted install from git but I get errors.

Checklist

  • The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • I can reproduce the issue without custom modifications (e.g. globals.local).
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • I have performed a short search for similar issues (to avoid opening a duplicate).
    • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

LC_ALL=C firejail --debug --profile=/home/user/jail/.config/firejail/firefox.local /usr/lib/firefox/firefox

Building quoted command line: '/usr/lib/firefox/firefox' 
Command name #firefox#
Using the local network stack
Building quoted command line: '/usr/lib/firefox/firefox' 
Command name #firefox#
Using the local network stack
Initializing child process
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
528 468 0:24 /@/etc /etc ro,noatime master:1 - btrfs /dev/sda1 rw,ssd,discard=async,space_cache=v2,autodefrag,subvolid=329,subvol=/@
mountid=528 fsname=/@/etc dir=/etc fstype=btrfs
Mounting noexec /etc
529 528 0:24 /@/etc /etc ro,nosuid,nodev,noexec,noatime master:1 - btrfs /dev/sda1 rw,ssd,discard=async,space_cache=v2,autodefrag,subvolid=329,subvol=/@
mountid=529 fsname=/@/etc dir=/etc fstype=btrfs
Mounting read-only /var
530 468 0:24 /@/var /var ro,noatime master:1 - btrfs /dev/sda1 rw,ssd,discard=async,space_cache=v2,autodefrag,subvolid=329,subvol=/@
mountid=530 fsname=/@/var dir=/var fstype=btrfs
Mounting noexec /var
531 530 0:24 /@/var /var ro,nosuid,nodev,noexec,noatime master:1 - btrfs /dev/sda1 rw,ssd,discard=async,space_cache=v2,autodefrag,subvolid=329,subvol=/@
mountid=531 fsname=/@/var dir=/var fstype=btrfs
Mounting read-only /usr
532 468 0:24 /@/usr /usr ro,noatime master:1 - btrfs /dev/sda1 rw,ssd,discard=async,space_cache=v2,autodefrag,subvolid=329,subvol=/@
mountid=532 fsname=/@/usr dir=/usr fstype=btrfs
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Cleaning /run/user directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /run/firejail/sandbox
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
blacklist /run/firejail/dbus
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /usr/lib/modules (requested /lib/modules)
Disable /boot
Disable /dev/port
Disable /run/user/1000/gnupg
Disable /run/user/1000/systemd
Disable /dev/kmsg
Disable /proc/kmsg
Disable /sys/fs
Disable /sys/module
Mounting noexec /run/firejail/mnt/pulse
573 525 0:62 /pulse /run/firejail/mnt/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755,inode64
mountid=573 fsname=/pulse dir=/run/firejail/mnt/pulse fstype=tmpfs
Mounting /run/firejail/mnt/pulse on /home/user/.config/pulse
574 539 0:62 /pulse /home/user/.config/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755,inode64
mountid=574 fsname=/pulse dir=/home/user/.config/pulse fstype=tmpfs
Current directory: /home/user
Mounting read-only /run/firejail/mnt/seccomp
578 525 0:62 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755,inode64
mountid=578 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs
Seccomp directory:
ls /run/firejail/mnt/seccomp
drwxr-xr-x root     root             120 .
drwxr-xr-x root     root             180 ..
-rw-r--r-- user   user           640 seccomp
-rw-r--r-- user   user           432 seccomp.32
-rw-r--r-- user   user             0 seccomp.postexec
-rw-r--r-- user   user             0 seccomp.postexec32
No active seccomp files
Drop privileges: pid 1, uid 1000, gid 1001, force_nogroups 0
Closing non-standard file descriptors
Starting application
LD_PRELOAD=(null)
execvp argument 0: /usr/lib/firefox/firefox
@rusty-snake
Copy link
Collaborator

include whitelist-runuser-common.inc

@omega3
Copy link
Author

omega3 commented Apr 20, 2024 

firejail --profile=/home/user/jail/.config/firejail/firefox.local /usr/lib/firefox/firefox
Reading profile /home/user/jail/.config/firejail/firefox.local
Reading profile /etc/firejail/whitelist-runuser-common.inc
Ignoring "dbus-user.talk org.freedesktop.portal.Desktop" and 1 other dbus-user filter rule.
Parent pid 9145, child pid 9146
8 programs installed in 11.16 ms
Child process initialized in 24.17 ms
xkbcommon: ERROR: failed to add default include path /usr/share/X11/xkb
xkbcommon: ERROR: failed to add default include path /usr/share/X11/xkb
ExceptionHandler::GenerateDump cloned child 23
ExceptionHandler::SendContinueSignalToChild sent continue signal to child
ExceptionHandler::WaitForContinueSignal waiting for continue signal...
xkbcommon: ERROR: failed to add default include path /usr/share/X11/xkb
malloc_consolidate(): unaligned fastbin chunk detected

Parent is shutting down, bye...

I added /home/user/.config/portals.conf

[preferred]
default=kde
org.freedesktop.impl.portal.Settings=kde;gtk;

and
/home/user/.local/share/xdg-desktop-portal/
with the same content but it doesn't help.

@kmk3 kmk3 changed the title whitelist from local profile conflicts with Wayland and portals firefox: whitelisting in ${RUNUSER} breaks Wayland and portals Sep 14, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@omega3 @rusty-snake