Firejail: Signal 1.27 Fails to Start

Created on 7 Sep 2019 · 9 Comments · Source: netblue30/firejail

Seems to be some electron/SUID related thing?

Child process initialized in 192.25 ms
[8:0906/181049.449425:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /usr/lib/electron/chrome-sandbox is owned by root and has mode 4755.
/usr/bin/signal-desktop: line 3:     8 Trace/breakpoint trap   (core dumped) electron /usr/lib/signal/resources/app.asar $@

All 9 comments

~At least chroot is required, firejail-git: seccomp !chroot.~

@ilikenwf can you try this: firejail --ignore=nonewprivs --ignore=noroot --ignore=protocol --ignore=seccomp --ignore=caps.drop --caps.keep=sys_admin,sys_chroot signal (#2933)

That did indeed work.

On 9/6/19 6:18 PM, rusty-snake wrote:

> firejail --ignore=nonewprivs --ignore=noroot --ignore=protocol --ignore=seccomp --ignore=caps.drop --caps.keep=sys_admin,sys_chroot signal

I don't think that Signal has moved to the full Chromium sandbox that Skype uses yet, as it seemed to work fine on my system just replacing seccomp with seccomp !chroot. No errors showed up in the journal or when using firejail --debug signal-desktop.

I'm not sure how future-proof this will be if the Signal devs do expand the sandbox, but for now I think just seccomp !chroot will do, unless we want to do some future-proofing at the expense of security. (Disabling seccomp entirely should be a last resort, IMHO.)

@ilikenwf can you confirm that adding this to signal.local works.
firejail-git: seccomp !chroot
firejail 0.9.60 and previous:

ignore seccomp
seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,ioprio_set,io_setup,io_submit,kcmp,keyctl,mincore,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice

That does not work.


@ilikenwf

You probably did, but I just want to confirm: you named the new file signal-desktop.local, not signal.local, and put it in either ~/.config/firejail/ or /etc/firejail/, correct?

signal.local will not work.
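The two things this thread converges on, written up as an added example (my own script, not code from the firejail project or from anyone in the thread): a check that the Electron SUID sandbox helper has the ownership and mode the fatal error message demands (root, 4755), and a generator for the signal-desktop.local override that re-allows chroot() for that helper instead of turning seccomp off. The helper path /usr/lib/electron/chrome-sandbox is taken from the error message above and the override directory from the thread; both are assumptions about your system. Whether your firejail accepts the `seccomp !chroot` syntax depends on its version, as the comments say, so the generator also offers the explicit drop list posted for 0.9.60 and earlier.

```shell
#!/bin/sh
# Added example, not part of firejail or of this issue thread.
#  1. sandbox_helper_ok: does the Electron setuid helper satisfy what
#     setuid_sandbox_host.cc asks for (owned by root, mode 4755)?
#  2. write_signal_local: write a firejail .local override, named after the
#     profile actually in use (signal-desktop.local, not signal.local), that
#     keeps seccomp on but lets chroot() through for the sandbox helper.
# Paths below are assumptions about the target system.

HELPER_DEFAULT=/usr/lib/electron/chrome-sandbox

# sandbox_helper_ok PATH
#   0 when PATH exists, is owned by root and has mode 4755 (setuid root,
#   world-executable); 1 otherwise. Uses GNU/BusyBox stat -c.
sandbox_helper_ok() {
    helper=$1
    if [ ! -f "$helper" ]; then
        echo "missing: $helper"
        return 1
    fi
    owner=$(stat -c '%U' "$helper") || return 1
    mode=$(stat -c '%a' "$helper") || return 1
    if [ "$owner" = root ] && [ "$mode" = 4755 ]; then
        echo "ok: $helper is $owner:$mode"
        return 0
    fi
    echo "bad: $helper is $owner:$mode (Electron wants root:4755)"
    return 1
}

# write_signal_local DIR FLAVOUR
#   Writes DIR/signal-desktop.local and prints its path.
#   FLAVOUR "git"    : firejail builds that understand 'seccomp !chroot'.
#   FLAVOUR "0.9.60" : older releases; drop the profile's seccomp line and
#                      re-add the explicit drop list from the thread, which
#                      deliberately leaves chroot out.
write_signal_local() {
    dir=$1
    flavour=${2:-git}
    case $flavour in
        git|0.9.60) ;;
        *) echo "unknown flavour: $flavour" >&2; return 1 ;;
    esac
    mkdir -p "$dir" || return 1
    out=$dir/signal-desktop.local
    {
        echo "# Electron's SUID sandbox helper needs chroot(); keep seccomp, allow chroot."
        if [ "$flavour" = git ]; then
            echo "seccomp !chroot"
        else
            echo "ignore seccomp"
            echo "seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,ioprio_set,io_setup,io_submit,kcmp,keyctl,mincore,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice"
        fi
    } > "$out" || return 1
    echo "$out"
}

# Run directly:  sh signal-sandbox.sh run [git|0.9.60]
# (script name is hypothetical). Checks the helper, then writes the override
# into the per-user firejail directory.
if [ "${1:-}" = run ]; then
    sandbox_helper_ok "$HELPER_DEFAULT"
    write_signal_local "${XDG_CONFIG_HOME:-$HOME/.config}/firejail" "${2:-git}"
fi
```

If sandbox_helper_ok reports "bad", fixing the helper's mode is a packaging problem, not a firejail one; if it reports "ok" and Signal still aborts, the chroot() call the helper makes is what the profile's seccomp filter (or nonewprivs/noroot) is blocking, which is where the override comes in. Leaving "seccomp" in place and only exempting chroot is a much smaller concession than the --ignore=seccomp command line tried earlier in the thread.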

The issue is also known upstream. They updated Electron, which now tries to start with a sandbox.
You can still start it with --no-sandbox.

See also: https://github.com/signalapp/Signal-Desktop/issues/3573

I just updated to the new profile and Signal wouldn't launch:

Searching $PATH for signal-desktop
trying #/home/user/.local/bin/signal-desktop#
trying #/home/user/bin/signal-desktop#
trying #/usr/local/bin/signal-desktop#
Error getpwuid: main.c:325 init_cfg: No such file or directory
I passed the Signal location in the firejail command and now it launches as before.
firejail --noroot --caps.drop=all --cpu=1 /usr/bin/signal-desktop --use-tray-icon

Incidentally I include --noroot and --caps.drop=all without issue. I also limit it to one core as it's a CPU hog and this tames it.

Sounds like https://github.com/netblue30/firejail/issues/2877. Try to add private-etc passwd.
