Firejail: Spotify on Fedora fails to open (no sse2 support)

Created on 11 Jun 2019 · 16 Comments · Source: netblue30/firejail

Hello,

I'm on Fedora 30, and when I run firejail spotify a window opens with the message "Cannot run on this CPU (no sse2 support)"

Versions :

$ firejail --version
firejail version 0.9.57

Compile time support:
    - AppArmor support is disabled
    - AppImage support is enabled
    - chroot support is enabled
    - file and directory whitelisting support is enabled
    - file transfer support is enabled
    - networking support is enabled
    - overlayfs support is enabled
    - private-home support is enabled
    - seccomp-bpf support is enabled
    - user namespace support is enabled
    - X11 sandboxing support is enabled

Spotify from RPMFusion Spotify version 1.1.5.153.gf614956d, Copyright (c) 2019, Spotify Ltd

Execution output :

$ firejail spotify
Reading profile /etc/firejail/spotify.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 26974, child pid 26975
Warning: skipping ca-certificates for private /etc
Private /etc installed in 17.35 ms
Warning: skipping spotify for private /opt
Private /opt installed in 0.03 ms
5 programs installed in 6.04 ms
Warning: cleaning all supplementary groups
Blacklist violations are logged to syslog
Child process initialized in 55.51 ms
/usr/share/Modules/init/bash: line 37: /usr/bin/tclsh: No such file or directory
/usr/local/bin/spotify: line 13: rm: command not found
/usr/local/bin/spotify: line 17: rm: command not found
/usr/local/bin/spotify: line 18: touch: command not found
/usr/local/bin/spotify: line 22: cat: command not found
/usr/local/bin/spotify: line 22: grep: command not found

Parent is shutting down, bye...

and the window with "Cannot run on this CPU (no sse2 support)"

firejail --noprofile spotify runs flawlessly though

bug

All 16 comments

@jpeisenbarth can you try firejail --ignore=private-bin --ignore=private-etc spotify

@rusty-snake Yup, it works! I guess that if I add the commands (rm, touch, cat, grep) in the profile (private-bin line) it will also work, right?

@jpeisenbarth yes, try firejail --private-bin=rm,touch,cat,grep,tclsh --private-etc=alsa,asound.conf,drirc,openal spotify.
If it works, try only with --private-bin and only with --private-etc.

@rusty-snake
firejail --private-bin=rm,touch,cat,grep,tclsh,find,head,dirname --private-etc=alsa,asound.conf,drirc,openal spotify works (I needed to add find,head,dirname in the private-bin)

With only --private-etc it doesn't work (same "command not found" as my first post)

With only --private-bin=rm,touch,cat,grep,tclsh,find,head,dirname it does work, I don't see any changes between --private-bin and --private-bin --private-etc though

But I noticed that even when it works (either --private-bin or --ignore=private-bin) I have this error rm: cannot remove '/home/jpe/.cache/spotify': Device or resource busy and the images in Spotify do not load (it may be related to the busy resource)

> But I noticed that even when it works (either --private-bin or --ignore=private-bin) I have this error rm: cannot remove '/home/jpe/.cache/spotify': Device or resource busy and the images in Spotify do not load (it may be related to the busy resource)

Reason: https://github.com/netblue30/firejail/blob/72494481b2cb958badbb49b118f76a5d795a62fb/etc/spotify.profile#L24
In general:

$ touch something
$ firejail --whitelist=~/something bash
% rm something
rm: cannot remove 'something': Device or resource busy

firejail --private-bin=rm,touch,cat,grep,tclsh,find,head,dirname spotify works

You are welcome to open a PR to add this to private-bin in spotify.profile
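
An added example, not part of the original thread or the firejail project: a shell helper that turns the "command not found" lines printed by the sandboxed wrapper script into a `private-bin` line for a local override such as spotify.local. The function names and the embedded sample log are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: stderr lines of the kind shown in the report above.
sample_log() {
cat <<'EOF'
/usr/share/Modules/init/bash: line 37: /usr/bin/tclsh: No such file or directory
/usr/local/bin/spotify: line 13: rm: command not found
/usr/local/bin/spotify: line 17: rm: command not found
/usr/local/bin/spotify: line 18: touch: command not found
/usr/local/bin/spotify: line 22: cat: command not found
/usr/local/bin/spotify: line 22: grep: command not found
EOF
}

# missing_bins: read sandbox stderr on stdin and print a comma-separated
# list of programs the shell could not execute (first-seen order, no
# duplicates). Only shell diagnostics of the form "script: line N: ..."
# are considered, so errors printed by the programs themselves are ignored.
missing_bins() {
    awk '
        function add(name) {
            if (name != "" && !(name in seen)) {
                seen[name] = 1
                list = (list == "" ? name : list "," name)
            }
        }
        # "script: line N: prog: command not found"
        /: line [0-9]+: .*: command not found$/ {
            sub(/: command not found$/, "")
            sub(/^.*: line [0-9]+: /, "")
            add($0)
        }
        # "script: line N: /path/to/prog: No such file or directory"
        /: line [0-9]+: \/[^ ]*: No such file or directory$/ {
            sub(/: No such file or directory$/, "")
            sub(/^.*: line [0-9]+: /, "")
            n = split($0, parts, "/")
            add(parts[n])
        }
        END { print list }
    '
}

# private_bin_line: emit a profile line from the stderr read on stdin.
private_bin_line() {
    printf 'private-bin %s\n' "$(missing_bins)"
}

sample_log | private_bin_line
```

Repeat the run after each addition: as reported earlier in this thread, find, head and dirname only showed up as missing once the first set of programs was available.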

Yes, I will open a PR :)

I just noticed another bug, the radio doesn't work with this profile.
If I comment the line private-etc in the profile it works, I guess something is missing here also but I don't know how to find it (I already tested by adding alsa,asound.conf,drirc,openal, but the radio is still not working)
The images load well also if I comment the private-etc line.

firejail --trace spotify 2>&1 | grep "/etc"

A window opens with You havn't write access to 48:head:exec /usr/local/bin/head:0 47:find:fopen /proc/filesystems:0x55b843402290, problems ahead. and firejail exits

No Idea.
Did you add rm,touch,cat,grep,tclsh,find,head,dirname to spotify.profile?
firejail --trace spotify 2>&1 (without grep)
firejail --trace spotify (without merging stdout and stderr)
firejail --trace /bin/spotify (or wherever you installed spotify)

Yes, firejail spotify works, firejail --trace spotify does not (literally just adding --trace)

The 3 commands you suggest give the same error.

Maybe the execution output (stdout + stderr) would be interesting: firejail_spotify.log

Maybe these lines ?

/usr/share/Modules/init/bash: line 95: 37:tclsh:exec: command not found
/usr/share/Modules/init/bash: eval: line 96: syntax error near unexpected token `('
/usr/share/Modules/init/bash: eval: line 96: `37:tclsh:fopen /etc/passwd:(nil)'

Maybe firejail --noprofile --trace spotify 2>&1 | grep "/etc" works, if not, I don't have any more ideas.

Nope, it doesn't work :confused:

@jpeisenbarth you can try firejail --build spotify, at the bottom of the output is a private-etc line, after starting with this command you must open the radio.

@rusty-snake
This command fails with the same error message in a window (You havn't write access to 30:head:exec /usr/bin/head:0 29:find:fopen /proc/filesystems:0x5616b1343290, problems ahead.)

In the output logs there is indeed a private-etc line (private-etc fonts,xdg,gtk-3.0,selinux,system-fips,terminfo,). I added these elements in the private-etc line in the profile but the radio still doesn't work.
I'm not sure if I understood well what I should do with this line (from the --build command)

  1. You did it right.
  2. Looks like spotify doesn't like being debugged.
  3. Check journalctl -r; if there is nothing helpful about spotify, do 4.
  4. Open the PR with private-bin and a comment like # comment the next line or put 'ignore private-etc' in your spotify.local if you want to use the radio.

Nothing related to firejail/spotify in the journal :confused:

I will add the comment in the PR then
Thank you for your help !
