Firejail: Standard notes not working

Created on 12 Jul 2019 · 18 Comments · Source: netblue30/firejail

I'm trying to run standardnotes-desktop from ArchLinux and I got:

sechacklabs@SecHackLabs ~> standardnotes-desktop 
Reading profile /etc/firejail/standardnotes-desktop.profile
Reading profile /etc/firejail/globals.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 22575, child pid 22576
Warning: skipping alternatives for private /etc
Warning: skipping pki for private /etc
Warning: skipping crypto-policies for private /etc
Private /etc installed in 22.47 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Child process initialized in 114.61 ms

Parent is shutting down, bye...

I tried removing unix from https://github.com/netblue30/firejail/blob/master/etc/standardnotes-desktop.profile#L36 but it didn't work:

sechacklabs@SecHackLabs ~> standardnotes-desktop 
Reading profile /etc/firejail/standardnotes-desktop.profile
Reading profile /etc/firejail/globals.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 22535, child pid 22536
Warning: skipping alternatives for private /etc
Warning: skipping pki for private /etc
Warning: skipping crypto-policies for private /etc
Private /etc installed in 20.54 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Child process initialized in 105.03 ms

Parent is shutting down, bye...

All 18 comments

@Edu4rdSHL What is in your globals.local?

removing unix

That will fully break standard-notes.

experiencing the same problem.
after a few minutes of playing around, seccomp and apparmor seem to have something to do with it.
try commenting both options out and see if that works for you (as a temp solution).

Related to #2821:

riot-desktop and standardnotes-desktop both use electron, right?

electron recently had an update with fixes to its own sandbox [[1], [2], [3]].

Maybe all electron-apps now need the chroot syscall.

@Edu4rdSHL try commenting out apparmor and seccomp as @veloute proposed and add the following:

seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mincore,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice

we should probably add an include line for the electron profile in standardnotes-desktop's profile, right?

electron.profile also still has seccomp.

But streamlining all electron app profiles would be good. (But there are more than only standardnotes-desktop, e.g. teams-for-linux, telegram-desktop, ...)

I think most of the *-desktop ones and some more.

can confirm those changes are working for me; now just to wait for @Edu4rdSHL and make a pr with the changes if that's the fix needed.

I tried it and worked, but now I've a question. In globals.local I had apparmor to enable it globally, now I need to remove it to get standard notes working.

Is not possible to have standard notes working with apparmor?

create a standardnotes-desktop.local file in either /etc/firejail/ or /home/$USER/.config/firejail/ with the line 'ignore apparmor'

@veloute thanks, I know that, but my question is whether it is definitively impossible to have the standard notes app working with apparmor.

@Edu4rdSHL firejail-default is the apparmor profile that is used by firejail. Site-specific additions and overrides: local/firejail-local
Maybe this line in firejail-default is causing the issue: capability sys_chroot,
I can't tell you more since I do not use AA.

EDIT: Why can I add reactions to my own posts :question: :thinking:

@Edu4rdSHL Please post journalctl --grep=DENIED after failed attempt with apparmor enabled.

Maybe this line in firejail-default is causing the issue: capability sys_chroot,

This line only allows sys_chroot capability so it can't really break anything.

Hello, @Vincent43 I got it:

Jul 13 13:58:42 SecHackLabs audit[3764]: AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/15/comm" pid=3764 comm="electron" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Jul 13 13:58:42 SecHackLabs kernel: audit: type=1400 audit(1563044322.022:195): apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/15/comm" pid=3764 comm="electron" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000

@Edu4rdSHL Ok, try adding /proc/@{PID}/comm w, in /etc/apparmor.d/local/firejail-local and see if that helps.

You have to run apparmor_parser -r /etc/apparmor.d/firejail-default afterwards.
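The workflow above (read the AVC DENIED lines, turn the denied path into an AppArmor rule with the @{PID} variable, drop it into local/firejail-local, reload with apparmor_parser -r) can be scripted; the helper below is an added example, not code from firejail or this thread, and it runs over a constructed log excerpt shaped like the journalctl --grep=DENIED output posted here.

```python
import re

# Constructed sample in the shape of `journalctl --grep=DENIED` output
# (values made up for this example; the first two lines are duplicates on purpose).
SAMPLE_LOG = """\
Jul 13 13:58:42 host audit[3764]: AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/15/comm" pid=3764 comm="electron" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Jul 13 13:58:43 host audit[3764]: AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/15/comm" pid=3764 comm="electron" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Jul 13 13:58:44 host audit[3764]: AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/3801/stat" pid=3764 comm="electron" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jul 13 13:58:45 host audit[3770]: AVC apparmor="DENIED" operation="open" profile="other-profile" name="/etc/shadow" pid=3770 comm="foo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key=value pairs; values are either "quoted" or a bare token (pid=3764, fsuid=1000)
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the key=value fields of one DENIED audit line as a dict, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def generalise_path(path):
    """Replace a concrete /proc/<pid>/ prefix with AppArmor's @{PID} variable,
    so the rule matches whichever pid electron writes to next time."""
    return re.sub(r"^/proc/\d+/", "/proc/@{PID}/", path)


def suggest_rules(log_text, profile="firejail-default"):
    """Turn the denials for one profile into deduplicated AppArmor file rules
    suitable for /etc/apparmor.d/local/firejail-local (review before applying)."""
    rules = []
    for line in log_text.splitlines():
        f = parse_denial(line)
        if not f or f.get("profile") != profile or "name" not in f:
            continue
        mask = f.get("denied_mask") or f.get("requested_mask", "")
        rule = f"{generalise_path(f['name'])} {mask},"
        if rule not in rules:
            rules.append(rule)
    return rules


if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_LOG):
        print(rule)   # then: sudo apparmor_parser -r /etc/apparmor.d/firejail-default
```

The output for the sample is the `/proc/@{PID}/comm w,` rule from this thread plus one for the constructed stat line; denials from other profiles are ignored, and the generated lines are suggestions to review, since a mask like `w` on a /proc path loosens the sandbox for every firejailed program.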

Worked, thanks.

@Edu4rdSHL I will add it to the default apparmor profile and re-enable apparmor in standard-notes then.

Thanks for the fix.
