Hi, I'm trying to use Chrome 65.0.3325.146 with firejail and AppArmor on a clean install of Debian 9, but for now to no avail.
No matter what I do, it ends up crashing as soon as I launch it with the error: [6:44:0312/162738.257248:ERROR:browser_gpu_channel_host_factory.cc(120)] Failed to launch GPU process.
which I can't find anywhere... at least not related to firejail.
Everything else works: evince, firefox, eog... the whole package. But I need Chrome for certain apps.
Can someone point me in the right direction?
Thx
Regards
Is this google chrome or chromium? How do you run it? Please take a look at https://github.com/netblue30/firejail/blob/master/CONTRIBUTING.md
It's Google Chrome. When I try to launch without AppArmor, it runs but this happens:
Child process initialized
Redirecting symlink to /usr/bin/google-chrome-stable
Warning: cannot switch egid to root
Warning: cannot switch egid to root
Warning: an existing sandbox was detected. /usr/bin/google-chrome-stable will run without any additional sandboxing features
Child process initialized
Fontconfig warning: "/etc/fonts/fonts.conf", line 160: blank doesn't take any effect anymore. please remove it from your fonts.conf
[6:32:0312/180845.323093:ERROR:in_progress_cache_impl.cc(93)] Could not read download entries from file because there was a read failure.
ATTENTION: default value of option force_s3tc_enable overridden by environment.
[6:6:0312/180845.418102:ERROR:background_mode_manager_aura.cc(13)] Not implemented reached in virtual void BackgroundModeManager::EnableLaunchOnStartup(bool)
[6:6:0312/180846.985125:ERROR:display_info_provider_aura.cc(31)] Not implemented reached in virtual void extensions::DisplayInfoProviderAura::UpdateDisplayUnitInfoForPlatform(const display::Display &, extensions::api::system_display::DisplayUnitInfo *)
[746:797:0312/180908.218087:ERROR:adm_helpers.cc(73)] Failed to query stereo recording.
Couple questions:
Does Chrome work in firejail without AppArmor, besides the above errors in the logs?
Where does Chrome install its files?
Do you have the audit framework enabled? If yes, you can try journalctl -r | grep DENIED to see what AppArmor blocks. To enable audit you may have to add audit=1 to the kernel cmdline (but it should be enabled when AppArmor is used).
Did you try Chromium? Is there a reason for using Chrome instead?
Redirecting symlink to /usr/bin/google-chrome-stable
Which version of firejail is this?
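The journalctl check suggested above can be taken one step further by grouping the denials, so a repeated block stands out from one-off noise. This is an added example, not part of the original thread; it assumes the kernel's usual key="value" layout for AppArmor audit events, and the log lines and paths in it are constructed.

```shell
#!/bin/sh
# Added example: group AppArmor denials by profile, operation, path and mask.

# Constructed sample of journal lines (not taken from the thread).
sample_log() {
    cat <<'EOF'
Mar 12 16:27:38 host kernel: audit: type=1400 audit(1520868458.257:101): apparmor="DENIED" operation="open" profile="firejail-default" name="/example/denied/a" pid=2901 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 12 16:27:37 host kernel: audit: type=1400 audit(1520868457.101:100): apparmor="DENIED" operation="exec" profile="firejail-default" name="/example/denied/b" pid=2901 comm="chrome" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Mar 12 16:27:36 host kernel: audit: type=1400 audit(1520868456.900:99): apparmor="DENIED" operation="open" profile="firejail-default" name="/example/denied/a" pid=2901 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 12 16:27:30 host kernel: audit: type=1400 audit(1520868450.000:98): apparmor="STATUS" operation="profile_load" profile="unconfined" name="firejail-default" pid=411 comm="apparmor_parser"
Mar 12 16:27:29 host systemd[1]: Started Session 2 of user example.
EOF
}

# Read log lines on stdin; print "count<TAB>profile<TAB>operation<TAB>path<TAB>mask",
# most frequent denial first. Lines that are not AppArmor denials are ignored.
summarize_denials() {
    awk '
    # Return the value of key="value" in line s, or "-" when the key is absent.
    function field(s, key,    pat, i, rest, j) {
        pat = " " key "=\""
        i = index(" " s, pat)
        if (i == 0) return "-"
        rest = substr(" " s, i + length(pat))
        j = index(rest, "\"")
        return (j > 0) ? substr(rest, 1, j - 1) : "-"
    }
    /apparmor="DENIED"/ {
        k = field($0, "profile") "\t" field($0, "operation") "\t" \
            field($0, "name") "\t" field($0, "denied_mask")
        seen[k]++
    }
    END { for (k in seen) printf "%d\t%s\n", seen[k], k }
    ' | sort -t "$(printf '\t')" -k1,1nr -k2
}

# Real use: journalctl -r | summarize_denials
sample_log | summarize_denials
```

A path that shows up repeatedly under the sandbox's profile is the first candidate to compare against the profile's rules.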
Bad news: disabling AppArmor did not solve the problem; after testing it for a while, I came to the conclusion that the first time worked because it was the first time the browser was launched after bootup. If I close it and run it again, it crashes like before with the same error. But if I reboot the system and try again, the first time "works" while spitting out the warning I posted above. I use Firefox as my primary browser and it works fine with firejail+AppArmor, but sometimes I need Google Chrome to run some apps specifically made for it. The weird thing is I KNOW it can be done because on another laptop running Parrot OS Home, a Debian testing based security distro running MATE and firejail+AppArmor by default, everything works beautifully and Chrome is NOT installed by default: I installed it via deb package just like I did on this laptop. I tried to investigate the firejail profiles on Parrot to replicate the way it works but I just can't get around that GPU error.
To answer your questions specifically:
Thank you all for the help.
A.
I run firejail 0.9.44.8-2
That is probably the issue. If you could install 0.9.52 that'll probably fix it.
I updated to 0.9.52_1 via deb package, overwriting all the profiles in question (common-auth and google-chrome.profile): same GPU crash error. I then rebooted the system and tried again and it "works" just like before, with a similar warning:
google-chrome
Reading profile /etc/firejail/google-chrome.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 2900, child pid 2901
Child process initialized in 97.76 ms
/usr/bin/google-chrome: riga 45: /dev/fd/62: File o directory non esistente
/usr/bin/google-chrome: riga 46: /dev/fd/62: File o directory non esistente
Fontconfig warning: "/etc/fonts/fonts.conf", line 160: blank doesn't take any effect anymore. please remove it from your fonts.conf
[6:33:0312/202541.953021:ERROR:in_progress_cache_impl.cc(93)] Could not read download entries from file because there was a read failure.
ATTENTION: default value of option force_s3tc_enable overridden by environment.
[6:6:0312/202542.040233:ERROR:background_mode_manager_aura.cc(13)] Not implemented reached in virtual void BackgroundModeManager::EnableLaunchOnStartup(bool)
[6:6:0312/202543.518689:ERROR:display_info_provider_aura.cc(31)] Not implemented reached in virtual void extensions::DisplayInfoProviderAura::UpdateDisplayUnitInfoForPlatform(const display::Display &, extensions::api::system_display::DisplayUnitInfo *)
[6:6:0312/202559.223133:ERROR:media_internals.cc(102)] Cannot get RenderProcessHost
[748:834:0312/202604.281705:ERROR:adm_helpers.cc(73)] Failed to query stereo recording.
[748:834:0312/202644.600246:ERROR:stunport.cc(88)] Binding request timed out from 0.0.0.x:45373 (any)
[6:6:0312/202659.649973:ERROR:media_internals.cc(102)] Cannot get RenderProcessHost
[6:6:0312/202759.997454:ERROR:media_internals.cc(102)] Cannot get RenderProcessHost
But if I close it and run it again, no firejail.
Sorry, the profiles overwritten were disable-common.inc and google-chrome.profile.
Can you try to run it with firejail --ignore=private-dev <program_name> (or comment out private-dev in the profile)?
Alternatively, can you try to install chromium from debian repos and check if it works?
Also when you open chrome for the first time (when it works) then close it - is chrome process still running in background?
BTW: you can upload profiles on github but they have to have .txt extension AFAIK
OK, I partially solved the mystery: when I launched Chrome fresh from the boot, no instances of Chrome are running. If I close it, it doesn't really shut down as it stays in the tray bar to run Hangouts and stuff. If I shut it down and run it again it works with the same warning as before:
$google-chrome
Reading profile /etc/firejail/google-chrome.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 23220, child pid 23221
Child process initialized in 45.49 ms
/usr/bin/google-chrome: riga 45: /dev/fd/62: File o directory non esistente
/usr/bin/google-chrome: riga 46: /dev/fd/62: File o directory non esistente
Fontconfig warning: "/etc/fonts/fonts.conf", line 160: blank doesn't take any effect anymore. please remove it from your fonts.conf
[6:33:0312/210051.437657:ERROR:in_progress_cache_impl.cc(93)] Could not read download entries from file because there was a read failure.
[6:6:0312/210051.491022:ERROR:background_mode_manager_aura.cc(13)] Not implemented reached in virtual void BackgroundModeManager::EnableLaunchOnStartup(bool)
ATTENTION: default value of option force_s3tc_enable overridden by environment.
[6:6:0312/210053.032359:ERROR:display_info_provider_aura.cc(31)] Not implemented reached in virtual void extensions::DisplayInfoProviderAura::UpdateDisplayUnitInfoForPlatform(const display::Display &, extensions::api::system_display::DisplayUnitInfo *)
[417:494:0312/210059.218099:ERROR:adm_helpers.cc(73)] Failed to query stereo recording.
Assuming we can call this "solved" (and me "dumb" for not getting this earlier), can anyone pitch in on the warnings? I mean... do you think it's something I can ignore? Is the security of firejail still intact?
Thanks for the help everyone. I'm grateful and I apologize for not understanding the problem earlier (since it was simply me not really closing Chrome instances) and wasting your time.
Ah, can you try echo "join-or-start chrome" >> /etc/firejail/google-chrome.local as root, make sure no instances are running and try again?
As for the warnings, mostly all are harmless.
ERROR:in_progress_cache_impl.cc(93)] Could not read download entries from file because there was a read failure.
however might be an issue or it might just be a corrupted history file (try clearing your chrome history/cache)
I ran the command you posted and tried again. Same results: if Chrome is still running in the tray bar, the new instance will crash and run without firejail and not rejoin the previous still open one. I think I'll just set it to close completely when I close Chrome and that will be it.
I'll try clearing the cache for the warning.
Thanks again to everyone for the help.
@mango1982
In Chrome preferences --> advanced --> system there should be an option "Continue running background tasks when Chrome is closed" or something like that. Try disabling it.
I did. It works now. Thanks again.
Thanks @Vincent43 ! I never would have thought of that. :smile: