Firejail: Electron & Chromium

Created on 7 Sep 2019 · 14 Comments · Source: netblue30/firejail

There are several issues with the chromium sandbox (see below) which is also used in electron. If firejail breaks an electron-based program (or any other program internally using chromium) and the problem can be fixed by adding seccomp !chroot to PROFILE.local, post here which program is affected. Note: If you are not using firejail latest git, you must add the following to PROFILE.local to get the same effect:

ignore seccomp
seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice

If this doesn't work, but firejail --ignore=nonewprivs --ignore=noroot --ignore=protocol --ignore=seccomp --ignore=caps.drop --caps.keep=sys_admin,sys_chroot PROGRAM works, say it here. Otherwise open a new issue.

If none of the commands works, open a new issue.


Some issues about the chromium-sandbox:

2933 - skypeforlinux 8.51.0.86 now requires SYS_ADMIN, SYS_CHROOT capabilities

2912 - Skypeforlinux 8.51.0.72 crashes on startup since it's not permitted to use the chroot syscall

2945 - Signal 1.27 Fails to Start

2866 - new version of Slack Desktop (4.0) not working

2854 - Standard notes not working

2901 - [Teamspeak 3] crashes on opening options window if seccomp is enabled

2821 - /usr/bin/riot-desktop: line 3: 8 Trace/breakpoint trap (core dumped) electron /usr/lib/riot/ "$@"

2943 - firejail - Ubuntu 19.10 snap chromium incompatibility

2944 - Firejail breaks Brave browser default sandboxing

Three new issues in 10 hours :scream:.
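To see concretely why the two PROFILE.local recipes above have the same effect, here is an added example (not Firejail's own code) that models how firejail resolves include, ignore, seccomp, seccomp !name and seccomp.drop into the set of syscalls the filter blocks. The sample profiles are constructed; the default drop list is assumed to be the list above plus chroot, as the post implies, and "the last list read wins" is a simplification of firejail's handling of repeated seccomp lines.

```python
# Firejail's default seccomp drop list, modelled as the seccomp.drop list from
# the post above plus chroot (the post gives that list as default minus chroot).
LIST_FROM_ISSUE = (
    "@clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,"
    "@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,"
    "io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,"
    "nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,"
    "process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,"
    "sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice")
DEFAULT_DROP = set(LIST_FROM_ISSUE.split(",")) | {"chroot"}

def directives(name, files, ignored):
    """Yield (command, argument) with includes expanded and ignored commands
    removed. `ignore X` matches the whole command word of later lines, so
    `ignore seccomp` leaves `seccomp.drop` alone; a missing include is skipped."""
    for line in map(str.strip, files.get(name, "").splitlines()):
        if not line or line[0] == "#":
            continue
        cmd, _, arg = line.partition(" ")
        if cmd == "include":
            yield from directives(arg.strip(), files, ignored)
        elif cmd == "ignore":
            ignored.add(arg.strip())
        elif cmd not in ignored:
            yield cmd, arg.strip()

def seccomp_drop_set(name, files):
    """Syscalls the profile blocks, or None when seccomp is off. Bare `seccomp`
    only enables the filter (keeping a list set earlier); `seccomp list` rebuilds
    from the default ('!x' removes x, 'x' adds x); `seccomp.drop` replaces it."""
    drop = None
    for cmd, arg in directives(name, files, set()):
        if cmd == "seccomp":
            if drop is None or arg:
                drop = set(DEFAULT_DROP)
            for sc in filter(None, arg.split(",")):
                drop.discard(sc[1:]) if sc[0] == "!" else drop.add(sc)
        elif cmd == "seccomp.drop":
            drop = set(filter(None, arg.split(",")))
    return drop

def chroot_blocked(name, files):
    drop = seccomp_drop_set(name, files)
    return drop is not None and "chroot" in drop

# Constructed samples: stock profile includes PROFILE.local first, then turns on
# the default filter; the two .local variants are the recipes from the post.
STOCK = {"code.profile": "include code.local\ninclude globals.local\nseccomp\n"}
NEW_SYNTAX = {**STOCK, "code.local": "seccomp !chroot\n"}
OLD_SYNTAX = {**STOCK, "code.local": f"ignore seccomp\nseccomp.drop {LIST_FROM_ISSUE}\n"}
```

Running chroot_blocked("code.profile", ...) on the three sample sets shows the stock profile blocking chroot and both .local variants producing the identical, chroot-free drop set.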


All 14 comments

Hi,

I again have a problem with slack after upgrading it to 4.1.1 on Debian 9.
I use the firejail version from Debian, and created a slack.local with the private-etc tip from #2866.

I tried to add to it the parameters indicated above, without change.

Update: not sure about the following, it may be because I use fish as a shell.

I tried also the command firejail --ignore=nonewprivs --ignore=noroot --ignore=protocol --ignore=seccomp --ignore=caps.drop --caps.keep=sys_admin,sys_chroot slack without success.

Hi,

Visual Studio Code won't start up at all under Archlinux.

firejail version 0.9.60

Compile time support:
    - AppArmor support is enabled
    - AppImage support is enabled
    - chroot support is enabled
    - file and directory whitelisting support is enabled
    - file transfer support is enabled
    - networking support is enabled
    - overlayfs support is enabled
    - private-home support is enabled
    - seccomp-bpf support is enabled
    - user namespace support is enabled
    - X11 sandboxing support is enabled

This is the output at startup:

Reading profile /etc/firejail/code.profile
Reading profile /etc/firejail/globals.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-passwdmgr.local
Reading profile /etc/firejail/disable-programs.inc
Parent pid 4538, child pid 4539
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Child process initialized in 56.81 ms

Tried both commands recommended at the top.

@daks @StarPicard Can you guys open your own issues for that? This issue is to catch the chromium sandbox on program update (I update the OP).

@StarPicard can you also post your globals.local?

@rusty-snake done

All AppImages with chromium/electron programs are broken because --appimage forces caps.drop=all but sys_admin,sys_chroot are needed.

Hi, wire-desktop (electron6) got the problem.

@cyrinux thx, can you confirm that this (27eb40b) works?

Hi @rusty-snake, it works like this with the electron6 bin too in my case (under archlinux).

Slack is broken, fixed when adding seccomp !chroot to ~/.config/firejail/slack.local

I've added the fixes but slack (4.4.0) is still not working. It got rid of the errors but gets stuck at "Creating Slack Application".

...
Child process initialized in 50.90 ms
Gtk-Message: 09:20:00.662: Failed to load module "unity-gtk-module"
Gtk-Message: 09:20:00.688: Failed to load module "unity-gtk-module"
Gtk-Message: 09:20:00.714: Failed to load module "unity-gtk-module"
Initializing local storage instance at path: /home/tiagohc/.config/Slack/local-settings.json

(slack:18): dconf-WARNING **: 09:20:00.807: Unable to open /var/lib/snapd/desktop/dconf/profile/user: Permission denied
Creating Slack Application

How did you install slack? snap isn't supported by firejail.


I've installed it from the .deb file, not the snap store :(

Can you post your current profile?


I don't know what the issue is with slack, but this profile seems to work for me on Arch using the AUR slack-desktop package. The sign-in won't work because that is a redirect to firefox, so do a one-time setup without firejail and subsequent sessions can be firejailed: https://imgur.com/pWZjW6x

This is more hardened than in master.

https://termbin.com/688p
