Firejail: Firejail breaks Gnome Shell connector

Created on 4 Jul 2018 · 9 Comments · Source: netblue30/firejail

I was unable to check for extension updates via https://extensions.gnome.org as both Firefox and Chromium couldn't find a Gnome connector (Firefox: "native host connector is not detected", Chromium: "native host has exited").

Since chrome-gnome-shell (the connector) is already installed, I tried to run chromium from the terminal and I saw this:

LaunchProcess: failed to execvp:
/usr/bin/chrome-gnome-shell

If I delete the browser's symlink to firejail from /usr/local/bin the connector is detected and everything works.

I'm using firejail 0.9.54-1 on Arch Linux.

All 9 comments

Hmm, is there an active (not commented out) private-bin in your profile? The error would suggest that /usr/bin/chrome-gnome-shell isn't available in the sandbox (which would suggest that private-bin is active). Another possibility is that something like the seccomp filter is breaking it.

Since I don't use Gnome, I can't test this for you, but the easiest way of debugging this is to use --ignore=<blah> on the terminal or comment stuff out in the profile (maybe copy the system profile to ~/.config/firejail and modify that file so that you don't mess with the installed files) and see what breaks the connector.

Ok, some progress: if I comment out BOTH nodbus and the line include /etc/firejail/disable-interpreters.inc in firefox-common.profile and chromium-common.profile the problem goes away.

The above change also solved a problem I've been having recently (perhaps after an update), where my default browser, Firefox, kept warning it wasn't set as default, every single time I started it.

BTW, no private-bin is active anywhere in the profile files.

Ok, so the offending code is the python3 block in disable-interpreters.inc (which makes sense because chrome-gnome-shell uses python3), plus nodbus.

This problem is probably common to all Gnome users, but I guess users should decide whether to take the risk and manually disable the extra protections provided by firejail. Feel free to close this issue if you agree.

Hmmm, maybe we can leave a note in the profile so that affected users will know what to do?

Seems reasonable to me.

Since Firefox supports multiple user profiles, I was wondering if there is a way to make firejail use a different .profile file somehow, perhaps depending on command line parameters or something else?

That way one could have a secure browser instance for everyday use, and a "less secure" one for exceptions like gnome.

I would just set up scripts for that. You can use --profile= to tell firejail to use a specific profile file. If you created two profile files, one blacklisting dbus and python3 (say, firefox.profile) and without those blacklists (firefox-insecure.profile), then you could use firejail firefox as your regular command and firejail --profile=~/.config/firejail/firefox-insecure.profile firefox as your insecure version.

Much simpler than I thought. Thank you.

Hi all,

Thanks for the pointers on how to work around this so Gnome Extensions works again.

I followed the firefox-insecure.profile suggestion (modified copy of firefox.profile), but found that the nodbus line was in the firefox-common.profile so rather than duplicate that too or edit it, I used ignore in my new profile instead. Had to add a few extra python3 noblacklist lines in as well. I'm not very familiar with correct practice of when to use ignore so hopefully this was acceptable and was the best approach :)

firefox-insecure.txt
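The override-profile approach from the thread, as an added example (not the commenter's attached firefox-insecure.txt and not firejail project code): it writes a relaxed profile that uses ignore and noblacklist ahead of the include, then checks that ordering, since an override placed after the include arrives too late to take effect. The helper function names, the python3 paths and the /etc/firejail/firefox.profile location are assumptions.

```shell
#!/bin/sh
# Added example. Profile name and --profile usage follow the thread;
# the python3 paths and function names are assumptions for illustration.
# Usage: write_insecure_profile "$PROFILE_DIR" && firefox_insecure

PROFILE_DIR="${PROFILE_DIR:-$HOME/.config/firejail}"

write_insecure_profile() {
    # $1 = directory that receives firefox-insecure.profile
    mkdir -p "$1" || return 1
    # Quoted delimiter: ${PATH} must reach firejail unexpanded (it is a firejail macro).
    cat > "$1/firefox-insecure.profile" <<'EOF'
# Relaxed Firefox profile for the GNOME Shell connector (chrome-gnome-shell).
# Only for the exception case; keep the stock profile for everyday browsing.
# Overrides go first: firejail reads a profile top-down.
ignore nodbus
noblacklist ${PATH}/python3*
noblacklist /usr/lib/python3*
noblacklist /usr/local/lib/python3*
include /etc/firejail/firefox.profile
EOF
}

# Succeeds only if the profile has at least one ignore/noblacklist line,
# has an include, and every override precedes the first include.
overrides_precede_include() {
    seen_include=0
    overrides=0
    while read -r keyword rest; do
        case "$keyword" in
            include) seen_include=1 ;;
            ignore|noblacklist)
                [ "$seen_include" -eq 0 ] || return 1
                overrides=$((overrides + 1)) ;;
        esac
    done < "$1"
    [ "$seen_include" -eq 1 ] && [ "$overrides" -gt 0 ]
}

# Launch the relaxed instance; plain `firejail firefox` stays the default.
firefox_insecure() {
    firejail --profile="$PROFILE_DIR/firefox-insecure.profile" firefox "$@"
}
```
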
