Firejail: Zeal profile not working

Created on 29 Apr 2020 · 7 Comments · Source: netblue30/firejail

Describe the bug
firejail zeal does not display a window or anything

Behavior change on disabling firejail
Zeal shows up, but does not remember docsets

$ firejail --noprofile zeal
Parent pid 17556, child pid 17557
Child process initialized in 9.53 ms
qt5ct: using qt5ct plugin
Qt: Session management error: None of the authentication protocols specified are supported
zeal.core.applicationsingleton: Singleton ID: GNxAletmknejwIs_KXZiYaAzw9OzTsTq2ggd_l64LPQ
zeal.core.applicationsingleton: Starting as a primary instance. (PID: 6)
qt5ct: D-Bus global menu: no
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
qt5ct: D-Bus system tray: no
inotify_add_watch("/home/malekon/.config/qt5ct") failed: "No such file or directory"

Parent is shutting down, bye...

To Reproduce
firejail zeal

Desktop (please complete the following information):

$ lsb_release -a && echo "" && firejail --version
No LSB modules are available.
Distributor ID: LinuxMint
Description:    Linux Mint 19 Tara
Release:    19
Codename:   tara

firejail version 0.9.62

Compile time support:
    - AppArmor support is enabled
    - AppImage support is enabled
    - chroot support is enabled
    - file and directory whitelisting support is enabled
    - file transfer support is enabled
    - firetunnel support is enabled
    - networking support is enabled
    - overlayfs support is enabled
    - private-home support is enabled
    - seccomp-bpf support is enabled
    - user namespace support is enabled
    - X11 sandboxing support is enabled

Additional context

$ apt show zeal
Package: zeal
Version: 1:0.6.1-3ppa1~bionic1

Checklist

  • [x] The upstream profile (and redirect profile if exists) have no changes fixing it.

debug output

23:22:26 malekon@malekon:~
$ firejail --debug zeal > zeal.debug
Reading profile /etc/firejail/zeal.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
DISPLAY=:0 parsed as 0
Parent pid 17770, child pid 17771
Warning fcopy: skipping /etc/alternatives/orbd.1.gz, cannot find inode
Warning fcopy: skipping /etc/alternatives/orbd, cannot find inode
Warning fcopy: skipping /etc/alternatives/tnameserv.1.gz, cannot find inode
Warning fcopy: skipping /etc/alternatives/servertool, cannot find inode
Warning fcopy: skipping /etc/alternatives/tnameserv, cannot find inode
Warning fcopy: skipping /etc/alternatives/servertool.1.gz, cannot find inode
Warning: file /etc/crypto-policies not found.
Warning: skipping crypto-policies for private /etc
Warning: file /etc/locale not found.
Warning: skipping locale for private /etc
Warning: file /etc/locale.conf not found.
Warning: skipping locale.conf for private /etc
Warning: file /etc/pango not found.
Warning: skipping pango for private /etc
Warning: file /etc/Trolltech.conf not found.
Warning: skipping Trolltech.conf for private /etc
Warning fcopy: skipping /etc/xdg/menus/cinnamon-applications-merged, cannot find inode
Warning fcopy: skipping /etc/xdg/menus/debian-menu.menu, cannot find inode
Private /etc installed in 41.60 ms
1 program installed in 2.81 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Debug 423: new_name #/home/malekon/.config/firejail#, whitelist
Debug 531: fname #/home/malekon/.config/firejail#, cfg.homedir #/home/malekon#
Debug 423: new_name #/home/malekon/.config/Zeal#, whitelist
Debug 531: fname #/home/malekon/.config/Zeal#, cfg.homedir #/home/malekon#
Debug 423: new_name #/home/malekon/.cache/Zeal#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/malekon/.local/share/Zeal#, whitelist
Debug 531: fname #/home/malekon/.local/share/Zeal#, cfg.homedir #/home/malekon#
Debug 423: new_name #/home/malekon/.XCompose#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/malekon/.asoundrc#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/malekon/.config/ibus#, whitelist
Debug 531: fname #/home/malekon/.config/ibus#, cfg.homedir #/home/malekon#
Debug 423: new_name #/home/malekon/.config/mimeapps.list#, whitelist
Debug 531: fname #/home/malekon/.config/mimeapps.list#, cfg.homedir #/home/malekon#
Debug 423: new_name #/home/malekon/.config/pkcs11#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/malekon/.config/user-dirs.dirs#, whitelist
Debug 531: fname #/home/malekon/.config/user-dirs.dirs#, cfg.homedir #/home/malekon#
Debug 423: new_name #/home/malekon/.drirc#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/malekon/.icons#, whitelist
Debug 531: fname #/home/malekon/.icons#, cfg.homedir #/home/malekon#
Debug 423: new_name #/home/malekon/.local/share/applications#, whitelist
Debug 531: fname #/home/malekon/.local/share/applications#, cfg.homedir #/home/malekon#
Debug 423: new_name #/home/malekon/.local/share/icons#, whitelist
Debug 531: fname #/home/malekon/.local/share/icons#, cfg.homedir #/home/malekon#
Debug 423: new_name #/home/malekon/.local/share/mime#, whitelist
Debug 531: fname #/home/malekon/.local/share/mime#, cfg.homedir #/home/malekon#
Debug 423: new_name #/home/malekon/.mime.types#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/malekon/.config/dconf#, whitelist
Debug 531: fname #/home/malekon/.config/dconf#, cfg.homedir #/home/malekon#
Debug 423: new_name #/home/malekon/.cache/fontconfig#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/malekon/.config/fontconfig#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/malekon/.fontconfig#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/malekon/.fonts#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/malekon/.fonts.conf#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/malekon/.fonts.conf.d#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/malekon/.fonts.d#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/malekon/.local/share/fonts#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/malekon/.pangorc#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/malekon/.config/gtk-2.0#, whitelist
Debug 531: fname #/home/malekon/.config/gtk-2.0#, cfg.homedir #/home/malekon#
Debug 423: new_name #/home/malekon/.config/gtk-3.0#, whitelist
Debug 531: fname #/home/malekon/.config/gtk-3.0#, cfg.homedir #/home/malekon#
Debug 423: new_name #/home/malekon/.config/gtkrc#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/malekon/.config/gtkrc-2.0#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/malekon/.gnome2#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/malekon/.gnome2-private#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/malekon/.gtk-2.0#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/malekon/.gtkrc#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/malekon/.gtkrc-2.0#, whitelist
Debug 531: fname #/home/malekon/.gtkrc-2.0#, cfg.homedir #/home/malekon#
Debug 423: new_name #/home/malekon/.kde/share/config/gtkrc#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/malekon/.kde/share/config/gtkrc-2.0#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/malekon/.kde4/share/config/gtkrc#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/malekon/.kde4/share/config/gtkrc-2.0#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/malekon/.local/share/themes#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/malekon/.themes#, whitelist
Debug 531: fname #/home/malekon/.themes#, cfg.homedir #/home/malekon#
Debug 423: new_name #/home/malekon/.cache/kioexec/krun#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/malekon/.config/Kvantum#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/malekon/.config/Trolltech.conf#, whitelist
Debug 531: fname #/home/malekon/.config/Trolltech.conf#, cfg.homedir #/home/malekon#
Debug 423: new_name #/home/malekon/.config/kdeglobals#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/malekon/.config/kio_httprc#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/malekon/.config/kioslaverc#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/malekon/.config/ksslcablacklist#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/malekon/.config/qt5ct#, whitelist
Debug 531: fname #/home/malekon/.config/qt5ct#, cfg.homedir #/home/malekon#
Debug 423: new_name #/home/malekon/.kde/share/config/kdeglobals#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/malekon/.kde/share/config/kio_httprc#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/malekon/.kde/share/config/kioslaverc#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/malekon/.kde/share/config/ksslcablacklist#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/malekon/.kde/share/config/oxygenrc#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/malekon/.kde/share/icons#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/malekon/.kde4/share/config/kdeglobals#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/malekon/.kde4/share/config/kio_httprc#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/malekon/.kde4/share/config/kioslaverc#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/malekon/.kde4/share/config/ksslcablacklist#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/malekon/.kde4/share/config/oxygenrc#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/malekon/.kde4/share/icons#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/malekon/.local/share/qt5ct#, whitelist
realpath: No such file or directory
Debug 423: new_name #/var/lib/dbus#, whitelist
Debug 423: new_name #/var/lib/menu-xdg#, whitelist
realpath: No such file or directory
Debug 423: new_name #/var/cache/fontconfig#, whitelist
Debug 423: new_name #/var/tmp#, whitelist
Debug 423: new_name #/var/run#, whitelist
Debug 423: new_name #/var/lock#, whitelist
Debug 423: new_name #/tmp/.X11-unix#, whitelist
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Blacklist violations are logged to syslog
DISPLAY=:0 parsed as 0
Child process initialized in 113.19 ms
qt5ct: using qt5ct plugin
Qt: Session management error: None of the authentication protocols specified are supported
/home/malekon/.gtkrc-2.0:1: Unable to find include file: ".gtkrc-xfce"
zeal.core.applicationsingleton: Singleton ID: GNxAletmknejwIs_KXZiYaAzw9OzTsTq2ggd_l64LPQ
zeal.core.applicationsingleton: Starting as a primary instance. (PID: 33)
qt5ct: D-Bus global menu: no
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
qt5ct: D-Bus system tray: no
^C
Parent received signal 2, shutting down the child process...

Child received signal 2, shutting down the sandbox...

Parent is shutting down, bye...

I have tried

firejail \
--whitelist=/home/malekon/.gtkrc-2.0 \
--whitelist=/home/malekon/.gtkrc-xfce \
--whitelist=/home/malekon/.config/qt5ct \
--whitelist=/home/malekon/.cache/Zeal \
--whitelist=/home/malekon/.config/Zeal \
--whitelist=/home/malekon/.cache/Zeal/Zeal \
--whitelist=/home/malekon/.local/share/Zeal \
--whitelist=/home/malekon/.local/share/Zeal/Zeal \
--debug zeal

still no UI
firejail_zeal_whitelist_zeal_paths.txt

question

All 7 comments

This works:

firejail \
--whitelist=${HOME}/.config/qt5ct \
--whitelist=${HOME}/.cache/Zeal \
--whitelist=${HOME}/.config/Zeal \
--whitelist=${HOME}/.local/share/Zeal \
--debug \
--noprofile zeal

Anything in the syslog?

I just installed zeal on Arch and briefly tested the profile. Zeal needs _netlink_ and _mdwe_ breaks it. Also, ${HOME}/.config/qt5ct and ${HOME}/.local/share/qt5ct are already whitelisted in whitelist-common.inc, which gets included, so those shouldn't be an issue. Downloading docsets worked just fine and they were still there after a restart.

Try adding the below options to your local override ${HOME}/.config/firejail/zeal.profile and try again please. Depending on your workflow/preferences there could be other options that need to be added, but let's start out by trying to get basic functionality working, okay?

mkdir ${HOME}/.config/qt5ct

protocol unix,inet,inet6,netlink

ignore memory-deny-write-execute

@rusty-snake I am grepping but nothing relevant? How should I grep. I do sudo rg -C 5 firejail /var/log/kern*
@glitsj16 Thx, that almost works but I still need to whitelist dirs by myself

mkdir ${HOME}/.config/qt5ct

protocol unix,inet,inet6,netlink

ignore memory-deny-write-execute

whitelist ${HOME}/.cache/Zeal
whitelist ${HOME}/.config/Zeal
whitelist ${HOME}/.local/share/Zeal # without this I cannot see already stored docsets or preserve anything between app restarts.

whitelist ${HOME}/.config/qt5ct # without this there is different font size in UI - all Qt apps do this

I have tried uncommenting everything in /etc/firejail/zeal.profile, but still to no avail. It is whitelisted in /etc/firejail/whitelist-common.inc as you mentioned, but it still fails. I don't use any symlinks in config paths. Seems like a firejail bug.

OK installed from master 76127399a5811a0b5ae3fffbd999bf22fba032e1
And it works out of the box without any local zeal.profile needed.

@OndrejMalek I see now where I tripped up. Instead of ${HOME}/.config/firejail/zeal.profile I should have stated ${HOME}/.config/firejail/zeal.local. Glad to hear you got things working as expected. Thanks for bringing this to our attention!

FWIW:

I am grepping but nothing relevant? How should I grep. I do sudo rg -C 5 firejail /var/log/kern*

(assuming you're using systemd)

Open a terminal and start journalctl --follow, then start zeal and watch for messages.

seccomp violations are not logged by firejail, they are logged by auditd. Therefore you would need to grep at least for SECCOMP and firejail, but watching --follow is easier.
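
The log check described in the last comment, as an added example that is not part of the original thread or of firejail itself: a filter that pulls seccomp audit records out of journal or audit.log text and counts them per program and syscall. The sample lines are constructed, and the function name `seccomp_hits` and its small x86_64 syscall-name table are assumptions of this example.

```shell
# Added example. Live use (assumes a systemd journal carrying kernel audit
# messages): journalctl -k --since "-5min" | seccomp_hits zeal

# Constructed sample lines in two shapes: kernel log (type=1326) and
# auditd's audit.log (type=SECCOMP). Values are made up for the demo.
sample_log() {
cat <<'EOF'
Apr 29 23:22:27 host kernel: audit: type=1326 audit(1588195347.101:412): auid=1000 uid=1000 gid=1000 ses=2 pid=17771 comm="zeal" exe="/usr/bin/zeal" sig=31 arch=c000003e syscall=10 compat=0 ip=0x7f0000001000 code=0x0
type=SECCOMP msg=audit(1588195347.205:413): auid=1000 uid=1000 gid=1000 ses=2 pid=17771 comm="zeal" exe="/usr/bin/zeal" sig=31 arch=c000003e syscall=41 compat=0 ip=0x7f0000002000 code=0x0
Apr 29 23:22:28 host kernel: audit: type=1326 audit(1588195348.000:414): auid=1000 uid=1000 gid=1000 ses=2 pid=900 comm="other" exe="/usr/bin/other" sig=31 arch=c000003e syscall=319 compat=0 ip=0x7f0000003000 code=0x0
Apr 29 23:22:28 host firejail[17770]: unrelated message mentioning zeal
EOF
}

# seccomp_hits [COMM]: read log text on stdin and print "comm syscall count"
# for every seccomp audit record, optionally limited to one command name.
# The name table is a small x86_64 (arch=c000003e) subset; unknown numbers
# are printed as nr_<number>.
seccomp_hits() {
  awk -v want="${1:-}" '
    BEGIN {
      name[9] = "mmap"; name[10] = "mprotect"
      name[41] = "socket"; name[319] = "memfd_create"
    }
    /type=1326|type=SECCOMP/ {
      comm = ""; nr = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^comm=/)    { comm = $i; gsub(/^comm=|"/, "", comm) }
        if ($i ~ /^syscall=/) { nr = substr($i, 9) }
      }
      if (comm == "" || nr == "") next          # malformed record
      if (want != "" && comm != want) next      # record from another program
      label = (nr in name) ? name[nr] : ("nr_" nr)
      hits[comm " " label]++
    }
    END { for (k in hits) print k, hits[k] }
  ' | sort
}
```
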
