I'm trying to run a firejail'ed GUI (thunderbird) as a different user.
In this test scenario ACLs for Xorg are disabled (xhost +) so that shouldn't be the issue.
As far as I see, the client can't connect to the server instance that is supposed to have been opened.
Any pointers/hints on how to achieve that would be highly appreciated - thanks!
mirko@mai:~$ xhost +
access control disabled, clients can connect from any host
mirko@mai:~$ sudo -u x-mail -- firejail --x11 thunderbird
Reading profile /etc/firejail/xpra.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Parent pid 22334, child pid 22335
Child process initialized in 126.36 ms
2019-06-15 18:06:00,263 cannot access python uinput module:
2019-06-15 18:06:00,263 No module named uinput
[config] failed to pre-init udev
X.Org X Server 1.20.4
X Protocol Version 11, Revision 0
Build Operating System: Linux 4.9.0-8-amd64 x86_64 Debian
Current Operating System: Linux mai 4.19.0-4-amd64 #1 SMP Debian 4.19.28-2 (2019-03-15) x86_64
Kernel command line: BOOT_IMAGE=/vmlinuz-4.19.0-4-amd64 root=/dev/mapper/nvme.mai-root ro quiet
Build Date: 05 March 2019 08:11:12PM
xorg-server 2:1.20.4-1 (https://www.debian.org/support)
Current version of pixman: 0.36.0
Before reporting problems, check http://wiki.x.org
to make sure that you have the latest version.
Markers: (--) probed, (**) from config file, (==) default setting,
(++) from command line, (!!) notice, (II) informational,
(WW) warning, (EE) error, xauth: /home/x-mail/.Xauthority not writable, changes will be ignored
(NI) not implemented, (??) unknown.
(++) Log file: "/run/user/5003/xpra/Xorg.:336.log", Time: Sat Jun 15 18:06:00 2019
xauth: /home/x-mail/.Xauthority not writable, changes ignored
(++) Using config file: "/etc/xpra/xorg.conf"
(==) Using system config directory "/usr/share/X11/xorg.conf.d"
No protocol specified
No protocol specified
2019-06-15 18:06:03,466 Error: failed to connect to display :336
2019-06-15 18:06:03,467 could not connect to X server on display ':336' after 3 seconds
Error in sys.exitfunc:
Xpra server pid 22334, xpra client pid 22367, jail 22368
*** Attaching to xpra display 336 ***
Reading profile /etc/firejail/thunderbird.profile
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/xpra.profile
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 22367, child pid 22369
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 22368, child pid 22372
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Child process initialized in 115.04 ms
Warning: cleaning all supplementary groups
Post-exec seccomp protector enabled
Seccomp list in: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice, check list: @default-keep, prelist: adjtimex,clock_adjtime,clock_settime,settimeofday,modify_ldt,lookup_dcookie,perf_event_open,process_vm_writev,delete_module,finit_module,init_module,_sysctl,afs_syscall,create_module,get_kernel_syms,getpmsg,putpmsg,query_module,security,sysfs,tuxcall,uselib,ustat,vserver,ioperm,iopl,kexec_load,kexec_file_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount2,userfaultfd,vhangup,vmsplice,
Child process initialized in 128.88 ms
Warning: an existing sandbox was detected. /usr/bin/thunderbird will run without any additional sandboxing features
No protocol specified
Unable to init server: Could not connect: Connection refused
Error: cannot open display: :336
Parent is shutting down, bye...
Gtk-Message: 18:06:06.208: Failed to load module "canberra-gtk-module"
2019-06-15 18:06:06,350 Xpra gtk2 client version 2.4.3-r21350M 64-bit
2019-06-15 18:06:06,350 running on Linux Debian 10 buster
2019-06-15 18:06:06,351 window manager is 'GNOME Shell'
2019-06-15 18:06:06,367 Warning: failed to import opencv:
2019-06-15 18:06:06,367 No module named cv2
2019-06-15 18:06:06,367 webcam forwarding is disabled
Warning: failed to query pulseaudio using 'pactl info'
socket(): Operation not supported
socket(): Operation not supported
Connection failure: Connection refused
Warning: failed to query pulseaudio using 'pactl info'
socket(): Operation not supported
socket(): Operation not supported
Connection failure: Connection refused
2019-06-15 18:06:06,751 GStreamer version 1.14.4 for Python 2.7.16 64-bit
2019-06-15 18:06:06,774 Warning: failed to query pulseaudio using 'pactl info'
2019-06-15 18:06:06,774 socket(): Operation not supported
2019-06-15 18:06:06,774 socket(): Operation not supported
2019-06-15 18:06:06,774 Connection failure: Connection refused
Reading profile /etc/firejail/xpra.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Parent pid 22446, child pid 22451
2019-06-15 18:06:06,796 failed to instantiate the dbus notification handler:
2019-06-15 18:06:06,796 you may need to start a notification service for 'org.freedesktop.Notifications'
2019-06-15 18:06:06,796 disable notifications to avoid this warning
2019-06-15 18:06:06,871 Warning: cannot import gtk OpenGL module
2019-06-15 18:06:06,871 ('Unable to load OpenGL library', 'GL: cannot open shared object file: No such file or directory', 'GL', None)
2019-06-15 18:06:06,880 Warning: cannot import native OpenGL module
2019-06-15 18:06:06,880 ('Unable to load OpenGL library', 'GL: cannot open shared object file: No such file or directory', 'GL', None)
2019-06-15 18:06:06,880 Warning: no OpenGL backends found
2019-06-15 18:06:06,880 Error setting up dbus signals:
2019-06-15 18:06:06,880 org.freedesktop.DBus.Error.FileNotFound: Failed to connect to socket /var/run/dbus/system_bus_socket: No such file or directory
Child process initialized in 118.48 ms
2019-06-15 18:06:07,160 Error: printing disabled:
2019-06-15 18:06:07,160 No module named cups
xpra initialization error:
cannot find live server for display :336
xpra initialization error:
cannot find live server for display :336
Parent is shutting down, bye...
Parent received signal 15, shutting down the child process...
Parent received signal 15, shutting down the child process...
mirko@mai:~$
Child received signal 15, shutting down the sandbox...
Child received signal 15, shutting down the sandbox...
(II) Server terminated successfully (0). Closing log file.
Parent is shutting down, bye...
Parent is shutting down, bye...
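The log above carries two signatures that explain each other: xauth reports /home/x-mail/.Xauthority as not writable, and every later connection attempt to the xpra-spawned Xorg on :336 fails with "No protocol specified", which is Xlib's message when the server rejects a connection that presents no acceptable authorization. Note that xhost only edits the access list of the server named by $DISPLAY (the desktop's :0), so "xhost +" has no effect on the fresh Xorg instance xpra starts for the sandbox. The following POSIX shell triage helper is an added example, not code from the firejail project or from the poster; the sample log lines are constructed from the output above, and the user name x-mail in the usage comment is taken from that output.

```shell
#!/bin/sh
# Added triage helper (not firejail project code, not the poster's code).
# It looks for the failure signatures seen when "firejail --x11" (xpra
# backend) is started as another user via sudo -u:
#   - "xauth: .../.Xauthority not writable": xpra starts a fresh Xorg and
#     uses xauth to record that server's MIT-MAGIC-COOKIE for the target
#     user; if the file cannot be written, no client holds a valid cookie.
#   - "No protocol specified": Xlib's message when an X server rejects a
#     connection carrying no acceptable authorization.
# "xhost +" only alters the access list of the server named by $DISPLAY,
# not of the new xpra-spawned Xorg, so it cannot fix this.

# classify_x11_log: read a firejail/xpra log on stdin, print one keyword.
# The unwritable cookie file explains the later rejections, so it is
# checked first; the order of the branches is the priority order.
classify_x11_log() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -q 'Xauthority not writable'; then
        echo xauth-unwritable
    elif printf '%s\n' "$log" | grep -q 'No protocol specified'; then
        echo auth-rejected
    elif printf '%s\n' "$log" | grep -Eq 'failed to connect to display|cannot find live server'; then
        echo server-unreachable
    else
        echo unknown
    fi
}

# xauthority_writable FILE: succeed if xauth could store a cookie in FILE,
# i.e. FILE is writable, or FILE is absent and its directory is writable.
xauthority_writable() {
    f=$1
    if [ -e "$f" ]; then
        [ -w "$f" ]
    else
        [ -d "$(dirname "$f")" ] && [ -w "$(dirname "$f")" ]
    fi
}

# Constructed sample: lines copied from the log in the report above.
SAMPLE_LOG='xauth: /home/x-mail/.Xauthority not writable, changes will be ignored
No protocol specified
2019-06-15 18:06:03,466 Error: failed to connect to display :336
Error: cannot open display: :336'

printf '%s\n' "$SAMPLE_LOG" | classify_x11_log   # prints: xauth-unwritable

# Run-time check as the target user (x-mail is the user from the log):
#   sudo -u x-mail sh -c '. ./triage.sh; xauthority_writable "$HOME/.Xauthority" && echo writable || echo NOT writable'
```

Feed the helper the full combined stderr/stdout of the sudo -u firejail --x11 run; when it reports xauth-unwritable, fix the cookie file permissions for the target user before looking at anything else in the log, since the auth-rejected and server-unreachable lines that follow are consequences of it.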
Why are you trying to firejail thunderbird and use a different user? firejail is for sandboxing and can do that; I don't think it's necessary. If you want a stricter sandbox, you should tighten the firejail profile.
@mirko I'm going to close this for now because of inactivity. Please feel free to reopen if you have more questions.