Firejail: Firefox and Thunderbird profiles broken

Created on 30 Aug 2019 · 23 Comments · Source: netblue30/firejail

Sorry - I haven't had the time to investigate the details.

But commenting seccomp.drop in firefox-common.profile fixed the problem. So it seems that it is caused by the recent seccomp commits.

bug

All 23 comments

Can confirm the recent seccomp commits are causing issues with a lot of other profiles than just firefox and thunderbird.

Yes, indeed: kate, quiterss, ...

It is weird, because at least for me it is intermittent. When I first boot up, it doesn't work, however, tor-browser profile works just fine, and then once that is opened, the firefox profile works fine too, even if tor-browser is closed first!

Teamspeak is broken anytime you try to change the options though...

Both problems are fixed by commenting out the seccomp lines.

Looks like the problem is @resources, if I replace @resources with what is supposed to be equal to (mbind,migrate_pages,move_pages,set_mempolicy), then both firefox and teamspeak work.

> Looks like the problem is @resources, if I replace @resources with what is supposed to be equal to (mbind,migrate_pages,move_pages,set_mempolicy), then both firefox and teamspeak work.

I don't think that this explains the problem completely. The 2 other examples mentioned earlier (quiterss and kate) only contain the seccomp line in their profiles.

Sorry, don't think I was being clear. Writing seccomp in a profile is exactly the same as writing

seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice

in a profile. So I found that @resources is the problem. Writing mbind,migrate_pages,move_pages,set_mempolicy is supposed to be the same as writing @resources, but it seems that something in the most recent commits messed this up, and replacing @resources with the constituent parts fixes the problem.

So replace seccomp with

seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,mbind,migrate_pages,move_pages,set_mempolicy,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice

in your profiles and everything works fine. Just tested it with kate and quiterss and they work too.

EDIT: the guide for writing seccomp is here.

Diff of @resources in Add further seccomp groups: https://github.com/netblue30/firejail/commit/ce4a3231479a29aa3dff44722b15bc315f68141d#diff-d36eaba912802a78468359b7b05c8c2dL358-R1053

New syscalls in @resources:
ioprio_set, nice, sched_setaffinity, sched_setattr, sched_setparam, sched_setscheduler

@curiosity-seeker @corecontingency can you look in your journal which syscall is the issue?

BTW: syscalls.txt is now outdated, I will update it this weekend.

I just start firefox and close it (nothing tested, nothing broken). From my journal, the following should work. Can you guys confirm?
seccomp !chroot,!sched_setaffinity,!sched_setscheduler

Yup, although I don't think you need to remove sched_setaffinity. Firefox (and the other three programs) can work with it, at least on my system. Tried kate, teamspeak, and quiterss with their normal seccomp values but replaced @resources with

mbind,migrate_pages,move_pages,set_mempolicy,ioprio_set,nice,sched_setaffinity,sched_setattr,sched_setparam

and they worked fine. So, seems like sched_setscheduler is the culprit, at least for those three programs.

Also, will syntax like

seccomp !chroot,!sched_setaffinity,!sched_setscheduler

be implemented in the future? Seems like a much better way of doing things.

> I don't think you need to remove sched_setaffinity

It was logged in the journal.

> Also, will syntax like be implemented in the future?

It is implemented. Implementation in firejail: #2926, use in profiles: #2927.

> It is implemented. Implementation in firejail: #2926, use in profiles: #2927.

Oh. Looks like I need to recompile firejail. I'll try it out!

So getting a weird error here. seccomp !chroot,!sched_setaffinity,!sched_setscheduler doesn't seem to work after recompiling firejail with firefox, the process just hangs after reporting monitoring pid 12, and nothing shows up in sudo journalctl -f except for

Aug 30 13:43:34 ccarch firejail[1884]: firejail --debug firefox
Aug 30 13:43:34 ccarch firejail[1885]: monitoring pid 12

Tried running seccomp !sched_setscheduler with Kate, and seccomp !chroot,!sched_setscheduler with teamspeak and it works fine, no errors or messages in journalctl, so it seems to be just a problem with firefox.

Weirdly, I ran the exact same thing for firefox, except using seccomp.drop with defaults excluding chroot,sched_setaffinity,sched_setscheduler before recompiling and firefox worked fine. Now, whether I write it using the new syntax or the old, firefox doesn't work.

Okay, so I think something new added to @privileged is causing me trouble. Tried running firefox with

@cpu-emulation,@debug,@clock,@module,@raw-io,@reboot,@swap,acct,bpf,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup,@obsolete,mbind,migrate_pages,move_pages,set_mempolicy,ioprio_set,nice,sched_setaffinity,sched_setattr,sched_setparam,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice

which is @default (including new version of @resources) with chroot, and sched_setscheduler removed, and @privileged replaced with

@clock,@module,@raw-io,@reboot,@swap,acct,bpf,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup

which is what it used to be equal to (except chroot). This seemed to run firefox fine, and no errors were logged in sudo journalctl -f.

Going to take a look at what was added to @privileged to try and narrow this down. For reference, am running Arch/KDE with wayland.

Got firefox to work with no errors in sudo journalctl -f, and played around with the settings and went to some websites, so I think it is working. Used

seccomp !chroot,!sched_setscheduler,!capset,!quotactl,!setuid,!setuid32

With capset enabled, it would start, but always thought it needed to reboot because of an update. With quotactl, setuid, and setuid32 enabled, it would just hang, and fail to start.

EDIT: Maybe we also want to disable sched_setaffinity if you were having trouble with it. What distro are you running?

There is the more generic issue that firejail firejail does not work because it wants to drop privileges (should be setresuid on most systems).

@corecontingency sched_setscheduler,sched_setaffinity are the only blocked syscalls on my system (fedora + firefox esr 60), but I see no breakage when they are blocked.


For better debugging I modified my script from #433

#!/usr/bin/env bash

# Copyright © 2019 rusty-snake
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

usage() {
    echo "Usage:"
    echo "        NOTIFY_TOOL=\"<ZENITY|KDIALOG|NOTIFY-SEND>\" bash $0"
}

if [ "$1" == "--help" ] || [ "$1" == "-h" ] || [ "$1" == "-?" ]; then
    usage "$@"
    exit 0
fi

if [ ! -v "NOTIFY_TOOL" ]; then
    printf "Error: \"NOTIFY_TOOL\" not set.\n"
    usage "$@"
    exit 1
fi

if [ "$NOTIFY_TOOL" == "ZENITY" ]; then
    notify_cmd="zenity"
    notify_args=(--title "Syscall violation" --warning --text)
elif [ "$NOTIFY_TOOL" == "KDIALOG" ]; then
    notify_cmd="kdialog"
    notify_args=(--title "Syscall violation" --sorry)
elif [ "$NOTIFY_TOOL" == "NOTIFY-SEND" ]; then
    notify_cmd="notify-send"
    notify_args=(--icon "dialog-warning" "Syscall violation")
else
    printf "Error: Invalid value for NOTIFY_TOOL.\n"
    usage "$@"
    exit 1
fi

tmpdir=$(mktemp -d)
cleanup() {
    kill %journalctl
    rm -rf "$tmpdir"
}
trap cleanup EXIT

FIREJAIL_DEBUG_SYSCALLS=$tmpdir/firejail_debug-syscalls
firejail --debug-syscalls > "$FIREJAIL_DEBUG_SYSCALLS"

SHOW_SYSCALL_PIPE=$tmpdir/pipe
mkfifo "$SHOW_SYSCALL_PIPE"

show_syscall() {
    grep --line-buffered -oE "syscall=[[:digit:]]{1,3}" | sed --unbuffered "s/syscall=//g" | xargs -L1 -I{} grep -E "^{}[[:space:]]" "$FIREJAIL_DEBUG_SYSCALLS" | sed --unbuffered -E "s/^[[:digit:]]{1,3}[[:space:]]+-[[:space:]]/syscall: /g"
}

journalctl --grep="SECCOMP" --output=json --follow | jq --unbuffered ".MESSAGE" | tee "$SHOW_SYSCALL_PIPE" | xargs -L1 -P0 --delimiter="\n" "$notify_cmd" "${notify_args[@]}" & show_syscall < "$SHOW_SYSCALL_PIPE"
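
As an added example (not firejail's code and not posted by anyone in this thread), the shell functions below do by hand what the comments above describe: substitute a seccomp group with its member list, as was done for @resources; turn a `seccomp !a,!b` exclusion into the equivalent `seccomp.drop` list; and decode the `syscall=N` numbers in journald SECCOMP records against a table in the `N - name` layout that the script above greps out of `firejail --debug-syscalls`. The syscall table and the journal lines are constructed for the example (x86_64 syscall numbers) and are not taken from the issue.

```bash
#!/usr/bin/env bash
# Added example, not firejail's code: helpers that mirror the manual
# work done in the thread. Runs offline on constructed input.

# The @default drop list as quoted in the thread (what a bare "seccomp" means).
SECCOMP_DEFAULT_DROP='@cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice'

# Constructed syscall table in the "number - name" layout the thread's
# script greps out of `firejail --debug-syscalls` (x86_64 numbers).
SYSCALL_TABLE='105 - setuid
126 - capset
144 - sched_setscheduler
161 - chroot
179 - quotactl
203 - sched_setaffinity'

# Constructed journald lines in the shape journald renders kernel audit
# type 1326 records; the two syscall numbers are the ones discussed above.
SAMPLE_JOURNAL='SECCOMP auid=1000 uid=1000 gid=1000 ses=2 pid=4242 comm="firefox" exe="/usr/lib/firefox/firefox" sig=0 arch=c000003e syscall=144 compat=0 ip=0x7f1c2a3b4c5d code=0x50000
SECCOMP auid=1000 uid=1000 gid=1000 ses=2 pid=4242 comm="firefox" exe="/usr/lib/firefox/firefox" sig=0 arch=c000003e syscall=203 compat=0 ip=0x7f1c2a3b4c6e code=0x50000
SECCOMP auid=1000 uid=1000 gid=1000 ses=2 pid=4243 comm="firefox" exe="/usr/lib/firefox/firefox" sig=0 arch=c000003e syscall=144 compat=0 ip=0x7f1c2a3b4c5d code=0x50000'

# replace_group DROP_LIST GROUP MEMBERS
# Substitute a group alias by its explicit members, as done above for @resources.
replace_group() {
    local drop="$1" group="$2" members="$3" item out=""
    local IFS=','
    for item in $drop; do
        if [ "$item" = "$group" ]; then
            out="${out:+$out,}$members"
        else
            out="${out:+$out,}$item"
        fi
    done
    printf '%s\n' "$out"
}

# expand_seccomp_excludes DROP_LIST EXCLUDE_LIST
# Remove every "!name" in EXCLUDE_LIST from DROP_LIST, i.e. the seccomp.drop
# form of "seccomp !name,...". A name that is only reachable through a group
# (chroot inside @privileged, for instance) is not a direct member and is
# reported on stderr: expand the group first with replace_group.
expand_seccomp_excludes() {
    local drop="$1" excl="$2" item name found out=""
    local IFS=','
    for name in $excl; do
        name="${name#\!}"
        found=0
        for item in $drop; do
            [ "$item" = "$name" ] && found=1
        done
        [ "$found" -eq 1 ] || printf 'note: %s is not a direct member of the list\n' "$name" >&2
    done
    for item in $drop; do
        found=0
        for name in $excl; do
            [ "${name#\!}" = "$item" ] && found=1
        done
        [ "$found" -eq 0 ] && out="${out:+$out,}$item"
    done
    printf '%s\n' "$out"
}

# decode_seccomp_syscalls TABLE JOURNAL_TEXT
# Count the syscall=N fields in SECCOMP journal lines and print "count name",
# most frequent first; numbers missing from TABLE are printed as unknown(N).
decode_seccomp_syscalls() {
    local table="$1" journal="$2" count num name
    printf '%s\n' "$journal" | grep -oE 'syscall=[0-9]+' | sed 's/syscall=//' |
        sort | uniq -c | sort -rn | while read -r count num; do
            name=$(printf '%s\n' "$table" | awk -v n="$num" '$1 == n { print $3 }')
            printf '%s %s\n' "$count" "${name:-unknown($num)}"
        done
}

# suggest_seccomp_line NAME...
# Emit the profile line that keeps the default filter but excludes NAME...
suggest_seccomp_line() {
    local out="" n
    for n in "$@"; do
        out="${out:+$out,}!$n"
    done
    printf 'seccomp %s\n' "$out"
}

# Demo on the constructed journal lines: which syscalls were denied, and
# the profile line that would let them through.
decode_seccomp_syscalls "$SYSCALL_TABLE" "$SAMPLE_JOURNAL"
suggest_seccomp_line sched_setscheduler sched_setaffinity
```

To use this against a live system instead of the constructed input, feed `decode_seccomp_syscalls` the output of `firejail --debug-syscalls` and `journalctl --grep=SECCOMP --output=cat`; the result is the same table the rusty-snake script above produces one notification at a time.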

mpv: seccomp !sched_setscheduler,!sched_setaffinity

> mpv: seccomp !sched_setscheduler,!sched_setaffinity

Just tried it out and it is broken by default, but works fine with just seccomp !sched_setscheduler.

For some reason nothing was printed to sudo journalctl at all about firejail, or mpv when it failed to open using just seccomp. Now I am worried that my kernel isn't logging for some reason. I know it is logging some stuff, b/c sudo journalctl is constantly printing these messages every 5 or so seconds:

Sep 01 00:00:03 ccarch plasmashell[1159]: qt.qpa.wayland.backingstore: Delivering update request through fallback timer, may not be in sync with display
Sep 01 00:00:09 ccarch plasmashell[1159]: qt.qpa.wayland.backingstore: Delivering update request through fallback timer, may not be in sync with display
Sep 01 00:00:10 ccarch plasmashell[1159]: qt.qpa.wayland: Wayland does not support QWindow::requestActivate()

This might explain why I can run seccomp !sched_setscheduler and not include !sched_setaffinity for some stuff and not see any errors to sudo journalctl, b/c my journal isn't working. Alternatively, it could be some distro difference, and I actually don't need !sched_setaffinity.

I need to figure out what is going on with my kernel log levels.

Do you want me to add mpv to my pull request, or are you going to add it directly to the repository?

I think the amount of breakage is too big and it's just the tip of the iceberg, as nobody has tested most of the apps yet. If the new default seccomp filter needs so many exceptions then it's not a suitable default and should be reverted.

@corecontingency,
Same for feedreader [EDIT] !sched_setaffinity,!sched_setscheduler,!fchown [/EDIT]

> Do you want me to add mpv to my pull request, or are you going to add it directly to the repository?

Go ahead, but as @Vincent43 says: probably it is best to revert some of the changes in seccomp.

> I need to figure out what is going on with my kernel log levels.

Firejail will print seccomp violations to the audit log if the kernel was compiled with audit support (CONFIG_AUDIT flag).


Draft for syscalls.txt update: https://gist.github.com/rusty-snake/3dd58fb2f0087c8b64dc306beadd612f
I will commit it once the double include (see #2928) and the potential partial revert are clarified.

At minimum !sched_setscheduler,!sched_setaffinity should be removed from @resources, as that seems to be necessary for most programs to both actually work, and run with no errors to journalctl, respectively.

I am going to be leaving my pull request up until seccomp is fixed, for reference, in case someone is using a version compiled from github and wants to get some programs working again.

I think we are good to close this one, unless anyone else has problems. Firefox and thunderbird are fixed for me!

@corecontingency yes, should be fixed with #2939.
