Firejail: private-lib doesn't work with Palemoon & Firefox

Created on 16 Mar 2018 · 4 Comments · Source: netblue30/firejail

firejail palemoon

with private-lib profile option gives the following output, rendering the program unusable (it doesn't start):

Warning fldd: cannot find libmozalloc.so, skipping...
Warning fldd: cannot find libxul.so, skipping...
Warning fldd: cannot find libicui18n.so.58, skipping...
Warning fldd: cannot find libicuuc.so.58, skipping...
Warning fldd: cannot find libicudata.so.58, skipping...

Palemoon has these libraries in the folder _/usr/lib/palemoon/_, which seems not to be copied to the corresponding /run/firejail/mnt/lib/palemoon/ directory as far as I can see from the debug log.

I currently use a slightly outdated version of Palemoon, version 27.8.1-1 (Arch Linux).

Full debug output:

firejail --debug palemoon                
Autoselecting /bin/bash as shell
Building quoted command line: 'palemoon' 
Command name #palemoon#
Found palemoon profile in /etc/firejail directory
Reading profile /etc/firejail/palemoon.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
DISPLAY=:0 parsed as 0
Using the local network stack
Parent pid 10412, child pid 10413
Host network configured
Initializing child process
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp.postexec file
Build protocol filter: unix,inet,inet6,netlink
sbox run: /usr/lib/firejail/fseccomp protocol build unix,inet,inet6,netlink /run/firejail/mnt/seccomp.protocol (null) 
sbox file descriptors:
total 0
lrwx------ 1 fincer fincer 64 Mar 16 17:57 0 -> /dev/null
lrwx------ 1 fincer fincer 64 Mar 16 17:57 1 -> /dev/pts/8
lrwx------ 1 fincer fincer 64 Mar 16 17:57 2 -> /dev/pts/8
lr-x------ 1 fincer fincer 64 Mar 16 17:57 3 -> /proc/10416/fd
Dropping all capabilities
Username fincer, no supplementary groups
Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr, /etc, /var
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/x11
Mounting tmpfs on /dev
mounting /run/firejail/mnt/dev/snd directory
mounting /run/firejail/mnt/dev/dri directory
Create /dev/shm directory
Copying files in the new /etc directory:
copying /etc/passwd to private /etc
sbox run: /usr/lib/firejail/fcopy /etc/passwd /run/firejail/mnt/etc (null) 
sbox file descriptors:
total 0
lrwx------ 1 fincer fincer 64 Mar 16 17:57 0 -> /dev/null
lrwx------ 1 fincer fincer 64 Mar 16 17:57 1 -> /dev/pts/8
lrwx------ 1 fincer fincer 64 Mar 16 17:57 2 -> /dev/pts/8
lr-x------ 1 fincer fincer 64 Mar 16 17:57 3 -> /proc/10418/fd
copying /etc/group to private /etc
sbox run: /usr/lib/firejail/fcopy /etc/group /run/firejail/mnt/etc (null) 
sbox file descriptors:
total 0
lrwx------ 1 fincer fincer 64 Mar 16 17:57 0 -> /dev/null
lrwx------ 1 fincer fincer 64 Mar 16 17:57 1 -> /dev/pts/8
lrwx------ 1 fincer fincer 64 Mar 16 17:57 2 -> /dev/pts/8
lr-x------ 1 fincer fincer 64 Mar 16 17:57 3 -> /proc/10420/fd
copying /etc/hostname to private /etc
sbox run: /usr/lib/firejail/fcopy /etc/hostname /run/firejail/mnt/etc (null) 
sbox file descriptors:
total 0
lrwx------ 1 fincer fincer 64 Mar 16 17:57 0 -> /dev/null
lrwx------ 1 fincer fincer 64 Mar 16 17:57 1 -> /dev/pts/8
lrwx------ 1 fincer fincer 64 Mar 16 17:57 2 -> /dev/pts/8
lr-x------ 1 fincer fincer 64 Mar 16 17:57 3 -> /proc/10422/fd
copying /etc/hosts to private /etc
sbox run: /usr/lib/firejail/fcopy /etc/hosts /run/firejail/mnt/etc (null) 
sbox file descriptors:
total 0
lrwx------ 1 fincer fincer 64 Mar 16 17:57 0 -> /dev/null
lrwx------ 1 fincer fincer 64 Mar 16 17:57 1 -> /dev/pts/8
lrwx------ 1 fincer fincer 64 Mar 16 17:57 2 -> /dev/pts/8
lr-x------ 1 fincer fincer 64 Mar 16 17:57 3 -> /proc/10424/fd
copying /etc/localtime to private /etc
sbox run: /usr/lib/firejail/fcopy /etc/localtime /run/firejail/mnt/etc (null) 
sbox file descriptors:
total 0
lrwx------ 1 fincer fincer 64 Mar 16 17:57 0 -> /dev/null
lrwx------ 1 fincer fincer 64 Mar 16 17:57 1 -> /dev/pts/8
lrwx------ 1 fincer fincer 64 Mar 16 17:57 2 -> /dev/pts/8
lr-x------ 1 fincer fincer 64 Mar 16 17:57 3 -> /proc/10426/fd
copying /etc/nsswitch.conf to private /etc
sbox run: /usr/lib/firejail/fcopy /etc/nsswitch.conf /run/firejail/mnt/etc (null) 
sbox file descriptors:
total 0
lrwx------ 1 fincer fincer 64 Mar 16 17:57 0 -> /dev/null
lrwx------ 1 fincer fincer 64 Mar 16 17:57 1 -> /dev/pts/8
lrwx------ 1 fincer fincer 64 Mar 16 17:57 2 -> /dev/pts/8
lr-x------ 1 fincer fincer 64 Mar 16 17:57 3 -> /proc/10428/fd
copying /etc/resolv.conf to private /etc
sbox run: /usr/lib/firejail/fcopy /etc/resolv.conf /run/firejail/mnt/etc (null) 
sbox file descriptors:
total 0
lrwx------ 1 fincer fincer 64 Mar 16 17:57 0 -> /dev/null
lrwx------ 1 fincer fincer 64 Mar 16 17:57 1 -> /dev/pts/8
lrwx------ 1 fincer fincer 64 Mar 16 17:57 2 -> /dev/pts/8
lr-x------ 1 fincer fincer 64 Mar 16 17:57 3 -> /proc/10430/fd
copying /etc/gtk-2.0 to private /etc
Creating empty /run/firejail/mnt/etc/gtk-2.0 directory
sbox run: /usr/lib/firejail/fcopy /etc/gtk-2.0 /run/firejail/mnt/etc/gtk-2.0 (null) 
sbox file descriptors:
total 0
lrwx------ 1 fincer fincer 64 Mar 16 17:57 0 -> /dev/null
lrwx------ 1 fincer fincer 64 Mar 16 17:57 1 -> /dev/pts/8
lrwx------ 1 fincer fincer 64 Mar 16 17:57 2 -> /dev/pts/8
lr-x------ 1 fincer fincer 64 Mar 16 17:57 3 -> /proc/10432/fd
copying /etc/pango to private /etc
Creating empty /run/firejail/mnt/etc/pango directory
sbox run: /usr/lib/firejail/fcopy /etc/pango /run/firejail/mnt/etc/pango (null) 
sbox file descriptors:
total 0
lrwx------ 1 fincer fincer 64 Mar 16 17:57 0 -> /dev/null
lrwx------ 1 fincer fincer 64 Mar 16 17:57 1 -> /dev/pts/8
lrwx------ 1 fincer fincer 64 Mar 16 17:57 2 -> /dev/pts/8
lr-x------ 1 fincer fincer 64 Mar 16 17:57 3 -> /proc/10434/fd
copying /etc/fonts to private /etc
Creating empty /run/firejail/mnt/etc/fonts directory
sbox run: /usr/lib/firejail/fcopy /etc/fonts /run/firejail/mnt/etc/fonts (null) 
sbox file descriptors:
total 0
lrwx------ 1 fincer fincer 64 Mar 16 17:57 0 -> /dev/null
lrwx------ 1 fincer fincer 64 Mar 16 17:57 1 -> /dev/pts/8
lrwx------ 1 fincer fincer 64 Mar 16 17:57 2 -> /dev/pts/8
lr-x------ 1 fincer fincer 64 Mar 16 17:57 3 -> /proc/10436/fd
Warning: file /etc/iceweasel not found.
Warning: skipping iceweasel for private /etc
Warning: file /etc/firefox not found.
Warning: skipping firefox for private /etc
Warning: file /etc/adobe not found.
Warning: skipping adobe for private /etc
copying /etc/mime.types to private /etc
sbox run: /usr/lib/firejail/fcopy /etc/mime.types /run/firejail/mnt/etc (null) 
sbox file descriptors:
total 0
lrwx------ 1 fincer fincer 64 Mar 16 17:57 0 -> /dev/null
lrwx------ 1 fincer fincer 64 Mar 16 17:57 1 -> /dev/pts/8
lrwx------ 1 fincer fincer 64 Mar 16 17:57 2 -> /dev/pts/8
lr-x------ 1 fincer fincer 64 Mar 16 17:57 3 -> /proc/10438/fd
Warning: file /etc/mailcap not found.
Warning: skipping mailcap for private /etc
copying /etc/asound.conf to private /etc
sbox run: /usr/lib/firejail/fcopy /etc/asound.conf /run/firejail/mnt/etc (null) 
sbox file descriptors:
total 0
lrwx------ 1 fincer fincer 64 Mar 16 17:57 0 -> /dev/null
lrwx------ 1 fincer fincer 64 Mar 16 17:57 1 -> /dev/pts/8
lrwx------ 1 fincer fincer 64 Mar 16 17:57 2 -> /dev/pts/8
lr-x------ 1 fincer fincer 64 Mar 16 17:57 3 -> /proc/10440/fd
copying /etc/pulse to private /etc
Creating empty /run/firejail/mnt/etc/pulse directory
sbox run: /usr/lib/firejail/fcopy /etc/pulse /run/firejail/mnt/etc/pulse (null) 
sbox file descriptors:
total 0
lrwx------ 1 fincer fincer 64 Mar 16 17:57 0 -> /dev/null
lrwx------ 1 fincer fincer 64 Mar 16 17:57 1 -> /dev/pts/8
lrwx------ 1 fincer fincer 64 Mar 16 17:57 2 -> /dev/pts/8
lr-x------ 1 fincer fincer 64 Mar 16 17:57 3 -> /proc/10442/fd
Mount-bind /run/firejail/mnt/etc on top of /etc
Private /etc installed in 116.13 ms
Creating an empty /etc/ld.so.preload file
Copying files in the new bin directory
Checking /usr/local/bin/palemoon
Checking /usr/bin/palemoon
file /usr/lib/palemoon/palemoon not found
sbox run: /usr/lib/firejail/fcopy /usr/bin/palemoon /run/firejail/mnt/bin (null) 
sbox file descriptors:
total 0
lrwx------ 1 fincer fincer 64 Mar 16 17:57 0 -> /dev/null
lrwx------ 1 fincer fincer 64 Mar 16 17:57 1 -> /dev/pts/8
lrwx------ 1 fincer fincer 64 Mar 16 17:57 2 -> /dev/pts/8
lr-x------ 1 fincer fincer 64 Mar 16 17:57 3 -> /proc/10444/fd
Mount-bind /run/firejail/mnt/bin on top of /usr/local/bin
Mount-bind /run/firejail/mnt/bin on top of /usr/bin
Mount-bind /run/firejail/mnt/bin on top of /bin
Mount-bind /run/firejail/mnt/bin on top of /usr/local/games
Mount-bind /run/firejail/mnt/bin on top of /usr/local/sbin
Mount-bind /run/firejail/mnt/bin on top of /usr/sbin
Mount-bind /run/firejail/mnt/bin on top of /sbin
Starting private-lib processing: program palemoon, shell none
copying /lib64/libnsl.so.1 to private /run/firejail/mnt/lib
sbox run: /usr/lib/firejail/fcopy --follow-link /lib64/libnsl.so.1 /run/firejail/mnt/lib (null) 
sbox file descriptors:
copying /lib64/libc.so.6 to private /run/firejail/mnt/lib
sbox run: /usr/lib/firejail/fcopy --follow-link /lib64/libc.so.6 /run/firejail/mnt/lib (null) 
sbox file descriptors:
copying /lib64/libnss_nis.so.2 to private /run/firejail/mnt/lib
sbox run: /usr/lib/firejail/fcopy --follow-link /lib64/libnss_nis.so.2 /run/firejail/mnt/lib (null) 
sbox file descriptors:
copying /lib64/ld-linux-x86-64.so.2 to private /run/firejail/mnt/lib
sbox run: /usr/lib/firejail/fcopy --follow-link /lib64/ld-linux-x86-64.so.2 /run/firejail/mnt/lib (null) 
sbox file descriptors:
copying /lib64/libmemusage.so to private /run/firejail/mnt/lib
sbox run: /usr/lib/firejail/fcopy --follow-link /lib64/libmemusage.so /run/firejail/mnt/lib (null) 
sbox file descriptors:
copying /lib64/libnss_compat.so.2 to private /run/firejail/mnt/lib
sbox run: /usr/lib/firejail/fcopy --follow-link /lib64/libnss_compat.so.2 /run/firejail/mnt/lib (null) 
sbox file descriptors:
copying /lib64/libnss_files.so.2 to private /run/firejail/mnt/lib
sbox run: /usr/lib/firejail/fcopy --follow-link /lib64/libnss_files.so.2 /run/firejail/mnt/lib (null) 
sbox file descriptors:
copying /lib64/libdl.so.2 to private /run/firejail/mnt/lib
sbox run: /usr/lib/firejail/fcopy --follow-link /lib64/libdl.so.2 /run/firejail/mnt/lib (null) 
sbox file descriptors:
copying /lib64/libnss_hesiod.so.2 to private /run/firejail/mnt/lib
sbox run: /usr/lib/firejail/fcopy --follow-link /lib64/libnss_hesiod.so.2 /run/firejail/mnt/lib (null) 
sbox file descriptors:
copying /lib64/libmvec.so.1 to private /run/firejail/mnt/lib
sbox run: /usr/lib/firejail/fcopy --follow-link /lib64/libmvec.so.1 /run/firejail/mnt/lib (null) 
sbox file descriptors:
copying /lib64/libresolv.so.2 to private /run/firejail/mnt/lib
sbox run: /usr/lib/firejail/fcopy --follow-link /lib64/libresolv.so.2 /run/firejail/mnt/lib (null) 
sbox file descriptors:
copying /lib64/libcrypt.so.1 to private /run/firejail/mnt/lib
sbox run: /usr/lib/firejail/fcopy --follow-link /lib64/libcrypt.so.1 /run/firejail/mnt/lib (null) 
sbox file descriptors:
copying /lib64/libm.so.6 to private /run/firejail/mnt/lib
sbox run: /usr/lib/firejail/fcopy --follow-link /lib64/libm.so.6 /run/firejail/mnt/lib (null) 
sbox file descriptors:
copying /lib64/libcidn.so.1 to private /run/firejail/mnt/lib
sbox run: /usr/lib/firejail/fcopy --follow-link /lib64/libcidn.so.1 /run/firejail/mnt/lib (null) 
sbox file descriptors:
copying /lib64/libnss_nisplus.so.2 to private /run/firejail/mnt/lib
sbox run: /usr/lib/firejail/fcopy --follow-link /lib64/libnss_nisplus.so.2 /run/firejail/mnt/lib (null) 
sbox file descriptors:
copying /lib64/libanl.so.1 to private /run/firejail/mnt/lib
sbox run: /usr/lib/firejail/fcopy --follow-link /lib64/libanl.so.1 /run/firejail/mnt/lib (null) 
sbox file descriptors:
copying /lib64/libpthread.so.0 to private /run/firejail/mnt/lib
sbox run: /usr/lib/firejail/fcopy --follow-link /lib64/libpthread.so.0 /run/firejail/mnt/lib (null) 
sbox file descriptors:
copying /lib64/libthread_db.so.1 to private /run/firejail/mnt/lib
sbox run: /usr/lib/firejail/fcopy --follow-link /lib64/libthread_db.so.1 /run/firejail/mnt/lib (null) 
sbox file descriptors:
copying /lib64/libutil.so.1 to private /run/firejail/mnt/lib
sbox run: /usr/lib/firejail/fcopy --follow-link /lib64/libutil.so.1 /run/firejail/mnt/lib (null) 
sbox file descriptors:
copying /lib64/librt.so.1 to private /run/firejail/mnt/lib
sbox run: /usr/lib/firejail/fcopy --follow-link /lib64/librt.so.1 /run/firejail/mnt/lib (null) 
sbox file descriptors:
copying /lib64/libnss_dns.so.2 to private /run/firejail/mnt/lib
sbox run: /usr/lib/firejail/fcopy --follow-link /lib64/libnss_dns.so.2 /run/firejail/mnt/lib (null) 
sbox file descriptors:
fslib_copy_dir /usr/lib/locale
Standard C library installed in 81.56 ms
fslib_copy_libs palemoon
cannot find palemoon for private-lib, skipping...
Copying extra files (palemoon) in the new lib directory
fslib_copy_dir /lib/palemoon
fslib_copy_libs /lib/palemoon
Creating empty /run/firejail/mnt/libfiles file
running fldd /lib/palemoon
sbox run: /usr/lib/firejail/fldd /lib/palemoon /run/firejail/mnt/libfiles (null) 
sbox file descriptors:
Dropping all capabilities
Username fincer, no supplementary groups
Warning fldd: cannot find libmozalloc.so, skipping...
Warning fldd: cannot find libxul.so, skipping...
Warning fldd: cannot find libicui18n.so.58, skipping...
Warning fldd: cannot find libicuuc.so.58, skipping...
Warning fldd: cannot find libicudata.so.58, skipping...
Error stat: main.c:286 walk_directory: No such file or directory
Error: failed to run /usr/lib/firejail/fldd
Error: proc 10412 cannot sync with peer: unexpected EOF
Peer 10413 unexpectedly exited with status 1

EDIT: According to @startx2017, it seems that this issue (or a very similar one) affects Firefox, too. Thus, adding Firefox to the title. Feel free to comment on this change.
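An added triage example for the failure reported above (not part of the original report or of firejail's own code): it extracts the library names fldd could not resolve from `firejail --debug` output and checks whether each one exists in a given application-private directory. The helper names, the trimmed sample log and the temporary directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage fldd warnings from `firejail --debug` output.
# Helper names and the temporary directory layout are constructed.

# Read a debug log on stdin; print each library fldd reported as missing,
# one per line, de-duplicated.
missing_libs() {
    sed -n 's/^Warning fldd: cannot find \(.*\), skipping\.\.\.[[:space:]]*$/\1/p' | sort -u
}

# Read library names on stdin; report whether each exists in directory $1.
# Output format: "<lib> present" or "<lib> absent".
locate_libs() {
    dir=$1
    while IFS= read -r lib; do
        if [ -e "$dir/$lib" ]; then
            printf '%s present\n' "$lib"
        else
            printf '%s absent\n' "$lib"
        fi
    done
}

# Trimmed sample built from log lines quoted in the report.
sample_log() {
    cat <<'EOF'
running fldd /lib/palemoon
Warning fldd: cannot find libmozalloc.so, skipping...
Warning fldd: cannot find libxul.so, skipping...
Warning fldd: cannot find libicui18n.so.58, skipping...
Error: failed to run /usr/lib/firejail/fldd
EOF
}

# Run the triage against a constructed stand-in for the private lib directory
# that holds two of the three libraries.
demo() {
    tmp=$(mktemp -d)
    touch "$tmp/libmozalloc.so" "$tmp/libxul.so"
    sample_log | missing_libs | locate_libs "$tmp"
    rm -rf "$tmp"
}

demo
```

On an affected system the same helpers can be fed live output, for example `firejail --debug palemoon 2>&1 | missing_libs | locate_libs /usr/lib/palemoon`; libraries reported as present there exist on the host but were not resolved by fldd.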

All 4 comments

Forgot to mention. The firejail version I used was 0.9.52. I compiled the git version and I see the profile settings for Palemoon differ. Anyway, is there a proper way to run palemoon with 'private-lib' enabled? Are the profile settings compatible only with a newer version of Palemoon?

I tried something similar on Firefox, it won't work the way the code is today. We need to bring in some new functionality, it will take one or two releases until we implement it and fix all the bugs.

Thanks for replying! I'd see private-lib as quite an important thing to work with web browsers. However, take your time to sort this out.

May I ask the reason why this issue was closed? Is it fixed or is it WONTFIX?
