Firejail: Chrome cannot get the timezone correctly breaking many websites

Created on 20 May 2018 · 19 Comments · Source: netblue30/firejail

My firejail command

firejail --dns=1.1.1.1 --dns=8.8.4.4 google-chrome-stable %U

If I open up DevTools and run

new Date().toLocaleTimeString()

This returns

VM42:1 Uncaught RangeError: Unsupported time zone specified undefined
at new DateTimeFormat (chrome://newtab/native)
at Date.toLocaleTimeString (chrome://newtab/native)
at :1:12

In order to set the timezone correctly so it does not break websites, I found this workaround.

firejail --dns=1.1.1.1 --dns=8.8.4.4 --env=TZ=America/Tijuana google-chrome-stable %U

Firefox doesn't seem to have this issue and I'm currently running firejail version 0.9.55

bug enhancement

All 19 comments

What distro are you running?
Is the output of ls -lha /etc/localtime your correct timezone?

@SkewedZeppelin running Ubuntu 16.04 Xenial.

My timezone is set correctly

$ ls -lha /etc/localtime
lrwxrwxrwx 1 root root 36 Jan  7 11:40 /etc/localtime -> /usr/share/zoneinfo/America/Tijuana

Can you try commenting apparmor and nodbus in /etc/firejail/chromium-common.profile?

@nitrocode Is this still an issue?

I haven't checked in a while but I'll check again by the end of the week.

Seeing the same thing when using private-etc in google-chrome.local using 0.9.56-1~0ubuntu18.10.0.

For some reason, specifying private-etc ...,localtime,... causes /etc/localtime to point at the wrong file (seen by joining chrome's namespace):

bash-4.4$ ls -l /etc/localtime 
lrwxrwxrwx 1 root root 30 Jan 20 04:34 /etc/localtime -> /usr/share/zoneinfo/posixrules

However, my actual filesystem has this:

matt@aquos:~$ ls -l /etc/localtime 
lrwxrwxrwx 1 root root 36 Jan  1 22:31 /etc/localtime -> /usr/share/zoneinfo/America/New_York

I poked around but I'm kind of stumped. Running with --debug shows:

...
sbox run: /usr/lib/x86_64-linux-gnu/firejail/fcopy /etc/hosts /run/firejail/mnt/etc (null) 
copying /etc/localtime to private /etc
sbox run: /usr/lib/x86_64-linux-gnu/firejail/fcopy /etc/localtime /run/firejail/mnt/etc (null) 
copying /etc/nsswitch.conf to private /etc
sbox run: /usr/lib/x86_64-linux-gnu/firejail/fcopy /etc/nsswitch.conf /run/firejail/mnt/etc (null) 
copying /etc/resolv.conf to private /etc
...

The only reference I saw to localtime was here: https://github.com/netblue30/firejail/blob/97eed29370b91f54caac7d150c09a681a1763317/src/firejail/fs_whitelist.c#L601-L615

As a workaround for the time being, removing localtime from private-etc and adding env TZ=America/New_York to google-chrome.local seems to fix it.

Seems that it might have to do with fcopy resolving the final file, rather than the intermediate symlink:

matt@aquos:~$ ls -l /etc/localtime 
lrwxrwxrwx 1 root root 36 Jan  1 22:31 /etc/localtime -> /usr/share/zoneinfo/America/New_York
matt@aquos:~$ ls -l /usr/share/zoneinfo/America/New_York
lrwxrwxrwx 1 root root 13 Jan  1 00:05 /usr/share/zoneinfo/America/New_York -> ../posixrules

If copy_link() is the function in question, I guess readlink() could be used there instead of realpath(), but that would be a major change in behavior:
https://github.com/netblue30/firejail/blob/012dd9faeb2c994731d77808f83265c90072f809/src/fcopy/main.c#L117-L134
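
The readlink() versus realpath() difference raised in the comment above, shown on a constructed symlink chain shaped like the one in the thread. This is an added example, not code from the thread or from firejail; the function names and the temporary directory layout are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed layout under a fresh temp directory (not the real /etc):
 *   <root>/etc/localtime -> <root>/zoneinfo/America/New_York -> ../posixrules
 * Stores the path of the localtime link in `link`; returns 0 on success. */
int build_chain(char *link, size_t n) {
    char root[] = "/tmp/tzchainXXXXXX", a[PATH_MAX], b[PATH_MAX];
    FILE *f;
    if (!mkdtemp(root)) return -1;
    snprintf(a, sizeof a, "%s/etc", root);
    snprintf(b, sizeof b, "%s/zoneinfo", root);
    if (mkdir(a, 0700) || mkdir(b, 0700)) return -1;
    snprintf(a, sizeof a, "%s/zoneinfo/America", root);
    snprintf(b, sizeof b, "%s/zoneinfo/posixrules", root);
    if (mkdir(a, 0700) || !(f = fopen(b, "w"))) return -1;
    fclose(f);
    snprintf(a, sizeof a, "%s/zoneinfo/America/New_York", root);
    snprintf(link, n, "%s/etc/localtime", root);
    return (symlink("../posixrules", a) || symlink(a, link)) ? -1 : 0;
}

/* One hop: the text stored in the link itself, as readlink() returns it. */
int first_hop(const char *link, char *out, size_t n) {
    ssize_t len = readlink(link, out, n - 1);
    if (len < 0) return -1;
    out[len] = '\0';   /* readlink() does not NUL-terminate */
    return 0;
}

/* Full resolution: every link followed, as realpath() returns it (out: PATH_MAX bytes). */
int final_target(const char *link, char *out) { return realpath(link, out) ? 0 : -1; }

/* Returns 1 if `path` ends with `suffix`, else 0. */
int ends_with(const char *path, const char *suffix) {
    size_t lp = strlen(path), ls = strlen(suffix);
    return lp >= ls && strcmp(path + lp - ls, suffix) == 0;
}

int main(void) {
    char link[PATH_MAX], hop[PATH_MAX], fin[PATH_MAX];
    if (build_chain(link, sizeof link) || first_hop(link, hop, sizeof hop) || final_target(link, fin)) return 1;
    printf("readlink: %s\nrealpath: %s\n", hop, fin);
    return 0;
}
```

The one-hop result still carries the America/New_York zone name, while the fully resolved path ends in posixrules, which matches the link target seen inside the sandbox.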

Is this still an issue?

Is this still an issue?

yes, and will continue to be until copy_link() includes all intermediate symlinks.

The thing is that this doesn't seem to affect Firefox's ability to get the system time right (or any other program's, for that matter)...that's why this is so odd.

it might have to do with chrome's extra sandboxing, not sure.

Does this profile work for you? I don't get the error you're getting.
~/.config/firejail/chromium.profile

ignore noroot
ignore seccomp
ignore seccomp.block-secondary
ignore nonewprivs
ignore caps.drop
ignore net
ignore memory-deny-write-execute
ignore private-dev
ignore nou2f

include ${HOME}/.config/firejail/common.inc

mkdir ${HOME}/.config/chromium

whitelist ${HOME}/.config/chromium
whitelist ${HOME}/.themes
whitelist ${HOME}/.config/gtk-3.0

whitelist ${DOWNLOADS}

# private-bin seems to only work with firejail /usr/lib/chromium/chromium on
# Debian... Kept it enabled since other platforms may be different
private-bin chromium,bash,readlink,dirname,cat,uname,mktemp,sed,man,grep,expr
private-etc fonts,alternatives,X11,pulse,resolv.conf,localtime,chromium.d

caps.keep sys_chroot,sys_admin
blacklist /usr/share/fonts/truetype/unifont

~/.config/firejail/common.inc

blacklist /usr/local/bin
blacklist /usr/local/sbin

blacklist /boot

private-tmp
read-only /tmp/.X11-unix
private-dev
disable-mnt
private-opt emp
private-srv emp

shell none
seccomp
seccomp.block-secondary
noroot
caps.drop all
apparmor
nonewprivs
ipc-namespace
machine-id
nodbus
nou2f
nogroups
net none
netfilter
memory-deny-write-execute

noexec ${HOME}
noexec /tmp
noexec ${RUNUSER}

I don't have google-chrome installed, but I can try that to see if chromium versus google-chrome makes a difference.

you can see what timezone the browser is using @ https://browserspy.dk/date.php

So it thinks I'm in GMT (come to think of it, I got the same result when I used the Date object in the Dev console...). I guess I never noticed this because I enabled fingerprinting resistance in Firefox, which _also_ spoofs the timezone to GMT :stuck_out_tongue_winking_eye:

@tofurky why /usr/share/zoneinfo/America/New_York is a symlink to posixrules on your system?

It is on mine as well @Vincent43. From exploring a bit, it seems that (I think) the chosen timezone file is symlinked to posixrules for some reason...

Interesting. On Arch Linux I don't have such a symlink.

Hmm, I see.

> @tofurky why /usr/share/zoneinfo/America/New_York is a symlink to posixrules on your system?

it's the standard way of doing it on debian/ubuntu, at least.
