Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Atom 1.48.0 breaks with Firejail 0.9.58.2 #3464

Closed
kmotoko opened this issue Jun 11, 2020 · 14 comments
Closed

Atom 1.48.0 breaks with Firejail 0.9.58.2 #3464

kmotoko opened this issue Jun 11, 2020 · 14 comments
Labels
bug Something isn't working

Comments

@kmotoko
Copy link

kmotoko commented Jun 11, 2020

Bug and expected behavior

  • Describe the bug.
    Upgrading from atom 1.46.0 to 1.48.0 breaks starting atom under firejail.
  • What did you expect to happen?
    atom to start normally.

No profile or disabling firejail

  • What changed calling firejail --noprofile PROGRAM in a shell?
    atom starts-up normally.
  • What changed calling the program by path=without firejail (check whereis PROGRAM, firejail --list, stat $programpath)?
    atom starts-up normally.

Reproduce
Steps to reproduce the behavior:

  1. Run in bash firejail atom
  2. See error:
Reading profile /etc/firejail/atom.profile
Reading profile /etc/firejail/atom.local
Reading profile /etc/firejail/globals.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 13545, child pid 13546
Child process initialized in 47.07 ms
/usr/bin/atom: line 190:    14 Trace/breakpoint trap   nohup "$ATOM_PATH" --executed-from="$(pwd)" --pid=$$ "$@" > "$ATOM_HOME/nohup.out" 2>&1
[14:0611/105406.114486:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /usr/share/atom/chrome-sandbox is owned by root and has mode 4755.

Parent is shutting down, bye...

Environment

  • Linux distribution and version (ie output of lsb_release -a)
No LSB modules are available.
Distributor ID:	Debian
Description:	Debian GNU/Linux 10 (buster)
Release:	10
Codename:	buster
  • Firejail version (output of firejail --version) exclusive or used git commit (git rev-parse HEAD)
firejail version 0.9.58.2

Compile time support:
	- AppArmor support is enabled
	- AppImage support is enabled
	- chroot support is enabled
	- file and directory whitelisting support is enabled
	- file transfer support is enabled
	- networking support is enabled
	- overlayfs support is enabled
	- private-home support is enabled
	- seccomp-bpf support is enabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled
  • What other programs interact with the affected program for the functionality?
    To my knowledge: git, GVFS Trash
  • Are these listed in the profile?
    Yes.

Additional context
I have a strong feeling that the issue is related to change in PR#20799, which fixes the Issue#20756.

My atom.profile:

# Firejail profile for atom
# Description: A hackable text editor for the 21st Century
# This file is overwritten after every install/update
# Persistent local customizations
include atom.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/.atom
noblacklist ${HOME}/.config/Atom
noblacklist ${HOME}/.cargo/config
noblacklist ${HOME}/.cargo/registry

include disable-common.inc
include disable-passwdmgr.inc
include disable-programs.inc

caps.drop all
# net none
netfilter
nodbus
nodvd
nogroups
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix,inet,inet6,netlink
seccomp
shell none

private-cache
private-dev
private-tmp

noexec ${HOME}
noexec /tmp

My atom.local:

# Bring the trash func back
noblacklist ${HOME}/.local/share/Trash

# Git/GitHub integration requires
noblacklist ${HOME}/.config/git
noblacklist ${HOME}/.gitconfig
noblacklist ${HOME}/.git-credentials
ignore nodbus
ignore noexec /tmp

# Other fixes
noblacklist ${HOME}/.pythonrc.py

I gradually commented out certain entries in my atom.profile just to test, the following does not prevent atom from starting-up:

# Firejail profile for atom
# Description: A hackable text editor for the 21st Century
# This file is overwritten after every install/update
# Persistent local customizations
include atom.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/.atom
noblacklist ${HOME}/.config/Atom
noblacklist ${HOME}/.cargo/config
noblacklist ${HOME}/.cargo/registry

include disable-common.inc
include disable-passwdmgr.inc
include disable-programs.inc

#caps.drop all
# net none
netfilter
nodbus
nodvd
nogroups
#nonewprivs
#noroot
nosound
notv
nou2f
novideo
#protocol unix,inet,inet6,netlink
#seccomp
shell none

private-cache
private-dev
private-tmp

noexec ${HOME}
noexec /tmp

Checklist

  • [ x] The upstream profile (and redirect profile if exists) have no changes fixing it.
  • [ x] The upstream profile exists (find / -name 'firejail' 2>/dev/null/fd firejail to locate profiles ie in /usr/local/etc/firejail/PROGRAM.profile)
  • [ x] Programs needed for interaction are listed.
  • [ x] Error was checked in search engine and on issue list without success.
debug output 
Autoselecting /bin/bash as shell
Building quoted command line: 'atom' 
Command name #atom#
Found atom.profile profile in /etc/firejail directory
Reading profile /etc/firejail/atom.profile
Found atom.local profile in /etc/firejail directory
Reading profile /etc/firejail/atom.local
Found globals.local profile in /etc/firejail directory
Reading profile /etc/firejail/globals.local
Found disable-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-common.inc
Found disable-passwdmgr.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-passwdmgr.inc
Found disable-programs.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-programs.inc
Warning: networking feature is disabled in Firejail configuration file
DISPLAY=:0 parsed as 0
Using the local network stack
Parent pid 5338, child pid 5339
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Build protocol filter: unix,inet,inet6,netlink
sbox run: /run/firejail/lib/fseccomp protocol build unix,inet,inet6,netlink /run/firejail/mnt/seccomp/seccomp.protocol (null) 
Dropping all capabilities
Drop privileges: pid 2, uid 1000, gid 1000, nogroups 1
No supplementary groups
Basic read-only filesystem:
Mounting read-only /etc
Mounting noexec /etc
Mounting read-only /var
Mounting noexec /var
Mounting read-only /bin
Mounting read-only /sbin
Mounting read-only /lib
Mounting read-only /lib64
Mounting read-only /lib32
Mounting read-only /libx32
Mounting read-only /usr
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /var/lib/dhcp
Mounting tmpfs on /var/lib/snmp
Mounting tmpfs on /var/lib/sudo
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Cleaning /run/user directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/x11
Mounting tmpfs on /dev
mounting /run/firejail/mnt/dev/dri directory
Process /dev/shm directory
Mounting tmpfs on /home/motoko/.cache
1816 1791 0:99 / /home/motoko/.cache rw,nosuid,nodev,relatime - tmpfs tmpfs rw,mode=700,uid=1000,gid=1000
mountid=1816 fsname=/ dir=/home/motoko/.cache fstype=tmpfs
Remounting /proc and /proc/sys filesystems
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /usr/lib/modules (requested /lib/modules)
Disable /boot
Disable /run/user/1000/gnupg
Disable /run/user/1000/systemd
Disable /proc/kmsg
Debug 398: new_name #/home/motoko/Documents/private#, nowhitelist
Storing nowhitelist /home/motoko/Documents/private
Debug 398: new_name #/tmp/.X11-unix#, whitelist
Debug 398: new_name #/tmp/pulse-PKdhtXMmr18n#, whitelist
Mounting tmpfs on /tmp directory
Whitelisting /tmp/.X11-unix
1823 1822 254:2 /.X11-unix /tmp/.X11-unix rw,nosuid,nodev,relatime master:63 - ext4 /dev/mapper/sophies--vg-tmp rw
mountid=1823 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=ext4
Whitelisting /tmp/pulse-PKdhtXMmr18n
1824 1822 254:2 /pulse-PKdhtXMmr18n /tmp/pulse-PKdhtXMmr18n rw,nosuid,nodev,relatime master:63 - ext4 /dev/mapper/sophies--vg-tmp rw
mountid=1824 fsname=/pulse-PKdhtXMmr18n dir=/tmp/pulse-PKdhtXMmr18n fstype=ext4
Disable /home/motoko/Documents/private
Not blacklist /home/motoko/.local/share/Trash
Disable /home/motoko/.bash_history
Disable /home/motoko/.python_history
Disable /home/motoko/.config/autostart
Disable /etc/X11/Xsession.d
Disable /etc/xdg/autostart
Disable /home/motoko/.local/share/gnome-shell
Disable /var/lib/systemd
Disable /var/cache/apt
Disable /var/lib/apt
Disable /var/lib/upower
Disable /var/mail
Disable /var/opt
Disable /var/spool/anacron
Disable /var/spool/cron
Disable /var/mail (requested /var/spool/mail)
Disable /etc/anacrontab
Disable /etc/cron.d
Disable /etc/cron.hourly
Disable /etc/cron.weekly
Disable /etc/cron.monthly
Disable /etc/crontab
Disable /etc/cron.daily
Disable /etc/profile.d
Disable /etc/rc5.d
Disable /etc/rc4.d
Disable /etc/rc0.d
Disable /etc/rc3.d
Disable /etc/rc6.d
Disable /etc/rc2.d
Disable /etc/rc1.d
Disable /etc/rcS.d
Disable /etc/kernel-img.conf
Disable /etc/kernel
Disable /etc/grub.d
Disable /etc/apparmor.d
Disable /etc/apparmor
Disable /etc/selinux
Disable /etc/modules-load.d
Disable /etc/modules
Disable /etc/logrotate.conf
Disable /etc/logrotate.d
Disable /etc/adduser.conf
Mounting read-only /home/motoko/.bash_logout
Mounting read-only /home/motoko/.bashrc
Mounting read-only /home/motoko/.profile
Mounting read-only /home/motoko/.gem
Mounting read-only /home/motoko/bin
Not blacklist /home/motoko/.cargo/registry
Not blacklist /home/motoko/.cargo/config
Mounting read-only /home/motoko/.local/share/applications
Disable /home/motoko/.cert
Disable /home/motoko/.gnupg
Disable /home/motoko/.local/share/keyrings
Disable /home/motoko/.pki
Disable /home/motoko/.local/share/pki
Disable /home/motoko/.ssh
Disable /etc/group-
Disable /etc/gshadow
Disable /etc/gshadow-
Disable /etc/passwd-
Disable /etc/shadow
Disable /etc/shadow-
Disable /etc/ssh
Disable /usr/sbin (requested /sbin)
Disable /usr/local/sbin
Disable /usr/sbin
Disable /usr/bin/chage
Disable /usr/bin/chage (requested /bin/chage)
Disable /usr/bin/chfn
Disable /usr/bin/chfn (requested /bin/chfn)
Disable /usr/bin/chsh
Disable /usr/bin/chsh (requested /bin/chsh)
Disable /usr/bin/crontab
Disable /usr/bin/crontab (requested /bin/crontab)
Disable /usr/bin/expiry
Disable /usr/bin/expiry (requested /bin/expiry)
Disable /usr/bin/fusermount
Disable /usr/bin/fusermount (requested /bin/fusermount)
Disable /usr/bin/gpasswd
Disable /usr/bin/gpasswd (requested /bin/gpasswd)
Disable /usr/bin/mount
Disable /usr/bin/mount (requested /bin/mount)
Disable /usr/bin/nc.openbsd (requested /usr/bin/nc)
Disable /usr/bin/nc.openbsd (requested /bin/nc)
Disable /usr/bin/newgrp
Disable /usr/bin/newgrp (requested /bin/newgrp)
Disable /usr/bin/ntfs-3g
Disable /usr/bin/ntfs-3g (requested /bin/ntfs-3g)
Disable /usr/bin/pkexec
Disable /usr/bin/pkexec (requested /bin/pkexec)
Disable /usr/bin/newgrp (requested /usr/bin/sg)
Disable /usr/bin/newgrp (requested /bin/sg)
Disable /usr/bin/su
Disable /usr/bin/su (requested /bin/su)
Disable /usr/bin/sudo
Disable /usr/bin/sudo (requested /bin/sudo)
Disable /usr/bin/umount
Disable /usr/bin/umount (requested /bin/umount)
Disable /usr/bin/xev
Disable /usr/bin/xev (requested /bin/xev)
Disable /usr/bin/gnome-terminal
Disable /usr/bin/gnome-terminal (requested /bin/gnome-terminal)
Disable /usr/bin/gnome-terminal.wrapper
Disable /usr/bin/gnome-terminal.wrapper (requested /bin/gnome-terminal.wrapper)
Disable /usr/bin/bwrap
Disable /usr/bin/bwrap (requested /bin/bwrap)
Disable /home/motoko/.config/keepassxc
Not blacklist /home/motoko/.atom
Not blacklist /home/motoko/.config/Atom
Disable /home/motoko/.config/GIMP
Disable /home/motoko/.config/Wire
Disable /home/motoko/.config/chromium
Disable /home/motoko/.config/enchant
Disable /home/motoko/.config/eog
Disable /home/motoko/.config/evolution
Disable /home/motoko/.config/gedit
Disable /home/motoko/.config/inkscape
Disable /home/motoko/.config/libreoffice
Disable /home/motoko/.config/nautilus
Not blacklist /home/motoko/.gitconfig
Disable /home/motoko/.local/share/TelegramDesktop
Disable /home/motoko/.local/share/evolution
Disable /home/motoko/.local/share/gitg
Disable /home/motoko/.local/share/gnome-chess
Disable /home/motoko/.local/share/nautilus
Disable /home/motoko/.mozilla
Disable /home/motoko/.wget-hsts
Mounting noexec /home/motoko
Mounting noexec /home/motoko/.cache
Mounting noexec /home/motoko/.bash_logout
Mounting noexec /home/motoko/.bashrc
Mounting noexec /home/motoko/.profile
Mounting noexec /home/motoko/.gem
Mounting noexec /home/motoko/bin
Mounting noexec /home/motoko/.local/share/applications
Disable /sys/fs
Disable /sys/module
disable pulseaudio
blacklist /home/motoko/.config/pulse
blacklist /run/user/1000/pulse/native
blacklist /run/user/1000/pulse/native
blacklist /tmp/pulse-PKdhtXMmr18n
blacklist /dev/snd
blacklist /dev/dvb
blacklist /dev/sr0
blacklist /dev/hidraw0
blacklist /dev/hidraw1
blacklist /dev/hidraw2
blacklist /dev/hidraw3
blacklist /dev/hidraw4
blacklist /dev/hidraw5
blacklist /dev/hidraw6
blacklist /dev/hidraw7
blacklist /dev/hidraw8
blacklist /dev/hidraw9
blacklist /dev/usb
blacklist /dev/video0
blacklist /dev/video1
blacklist /dev/video2
blacklist /dev/video3
blacklist /dev/video4
blacklist /dev/video5
blacklist /dev/video6
blacklist /dev/video7
blacklist /dev/video8
blacklist /dev/video9
Current directory: /home/motoko
DISPLAY=:0 parsed as 0
Install protocol filter: unix,inet,inet6,netlink
configuring 16 seccomp entries in /run/firejail/mnt/seccomp/seccomp.protocol
sbox run: /usr/lib/x86_64-linux-gnu/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.protocol (null) 
Dropping all capabilities
Drop privileges: pid 3, uid 1000, gid 1000, nogroups 1
No supplementary groups
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 15 01 00 00000029   jeq socket 0006 (false 0005)
 0005: 06 00 00 7fff0000   ret ALLOW
 0006: 20 00 00 00000010   ld  data.args[0]
 0007: 15 00 01 00000001   jeq 1 0008 (false 0009)
 0008: 06 00 00 7fff0000   ret ALLOW
 0009: 15 00 01 00000002   jeq 2 000a (false 000b)
 000a: 06 00 00 7fff0000   ret ALLOW
 000b: 15 00 01 0000000a   jeq a 000c (false 000d)
 000c: 06 00 00 7fff0000   ret ALLOW
 000d: 15 00 01 00000010   jeq 10 000e (false 000f)
 000e: 06 00 00 7fff0000   ret ALLOW
 000f: 06 00 00 0005005f   ret ERRNO(95)
configuring 54 seccomp entries in /run/firejail/mnt/seccomp/seccomp.32
sbox run: /usr/lib/x86_64-linux-gnu/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.32 (null) 
Dropping all capabilities
Drop privileges: pid 4, uid 1000, gid 1000, nogroups 1
No supplementary groups
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 40000003   jeq ARCH_32 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 15 30 00 00000015   jeq 15 0035 (false 0005)
 0005: 15 2f 00 00000034   jeq 34 0035 (false 0006)
 0006: 15 2e 00 0000001a   jeq 1a 0035 (false 0007)
 0007: 15 2d 00 0000011b   jeq 11b 0035 (false 0008)
 0008: 15 2c 00 00000155   jeq 155 0035 (false 0009)
 0009: 15 2b 00 00000156   jeq 156 0035 (false 000a)
 000a: 15 2a 00 0000007f   jeq 7f 0035 (false 000b)
 000b: 15 29 00 00000080   jeq 80 0035 (false 000c)
 000c: 15 28 00 0000015e   jeq 15e 0035 (false 000d)
 000d: 15 27 00 00000081   jeq 81 0035 (false 000e)
 000e: 15 26 00 0000006e   jeq 6e 0035 (false 000f)
 000f: 15 25 00 00000065   jeq 65 0035 (false 0010)
 0010: 15 24 00 00000121   jeq 121 0035 (false 0011)
 0011: 15 23 00 00000057   jeq 57 0035 (false 0012)
 0012: 15 22 00 00000073   jeq 73 0035 (false 0013)
 0013: 15 21 00 00000067   jeq 67 0035 (false 0014)
 0014: 15 20 00 0000015b   jeq 15b 0035 (false 0015)
 0015: 15 1f 00 0000015c   jeq 15c 0035 (false 0016)
 0016: 15 1e 00 00000087   jeq 87 0035 (false 0017)
 0017: 15 1d 00 00000095   jeq 95 0035 (false 0018)
 0018: 15 1c 00 0000007c   jeq 7c 0035 (false 0019)
 0019: 15 1b 00 00000157   jeq 157 0035 (false 001a)
 001a: 15 1a 00 000000fd   jeq fd 0035 (false 001b)
 001b: 15 19 00 00000150   jeq 150 0035 (false 001c)
 001c: 15 18 00 00000152   jeq 152 0035 (false 001d)
 001d: 15 17 00 0000015d   jeq 15d 0035 (false 001e)
 001e: 15 16 00 0000011e   jeq 11e 0035 (false 001f)
 001f: 15 15 00 0000011f   jeq 11f 0035 (false 0020)
 0020: 15 14 00 00000120   jeq 120 0035 (false 0021)
 0021: 15 13 00 00000056   jeq 56 0035 (false 0022)
 0022: 15 12 00 00000033   jeq 33 0035 (false 0023)
 0023: 15 11 00 0000007b   jeq 7b 0035 (false 0024)
 0024: 15 10 00 000000d9   jeq d9 0035 (false 0025)
 0025: 15 0f 00 000000f5   jeq f5 0035 (false 0026)
 0026: 15 0e 00 000000f6   jeq f6 0035 (false 0027)
 0027: 15 0d 00 000000f7   jeq f7 0035 (false 0028)
 0028: 15 0c 00 000000f8   jeq f8 0035 (false 0029)
 0029: 15 0b 00 000000f9   jeq f9 0035 (false 002a)
 002a: 15 0a 00 00000101   jeq 101 0035 (false 002b)
 002b: 15 09 00 00000112   jeq 112 0035 (false 002c)
 002c: 15 08 00 00000114   jeq 114 0035 (false 002d)
 002d: 15 07 00 00000126   jeq 126 0035 (false 002e)
 002e: 15 06 00 0000013d   jeq 13d 0035 (false 002f)
 002f: 15 05 00 0000013c   jeq 13c 0035 (false 0030)
 0030: 15 04 00 0000003d   jeq 3d 0035 (false 0031)
 0031: 15 03 00 00000058   jeq 58 0035 (false 0032)
 0032: 15 02 00 000000a9   jeq a9 0035 (false 0033)
 0033: 15 01 00 00000082   jeq 82 0035 (false 0034)
 0034: 06 00 00 7fff0000   ret ALLOW
 0035: 06 00 00 00000000   ret KILL
Dual 32/64 bit seccomp filter configured
configuring 74 seccomp entries in /run/firejail/mnt/seccomp/seccomp
sbox run: /usr/lib/x86_64-linux-gnu/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp (null) 
Dropping all capabilities
Drop privileges: pid 5, uid 1000, gid 1000, nogroups 1
No supplementary groups
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 35 01 00 40000000   jge X32_ABI 0006 (false 0005)
 0005: 35 01 00 00000000   jge read 0007 (false 0006)
 0006: 06 00 00 00050001   ret ERRNO(1)
 0007: 15 41 00 0000009a   jeq modify_ldt 0049 (false 0008)
 0008: 15 40 00 000000d4   jeq lookup_dcookie 0049 (false 0009)
 0009: 15 3f 00 0000012a   jeq perf_event_open 0049 (false 000a)
 000a: 15 3e 00 00000137   jeq process_vm_writev 0049 (false 000b)
 000b: 15 3d 00 0000009c   jeq _sysctl 0049 (false 000c)
 000c: 15 3c 00 000000b7   jeq afs_syscall 0049 (false 000d)
 000d: 15 3b 00 000000ae   jeq create_module 0049 (false 000e)
 000e: 15 3a 00 000000b1   jeq get_kernel_syms 0049 (false 000f)
 000f: 15 39 00 000000b5   jeq getpmsg 0049 (false 0010)
 0010: 15 38 00 000000b6   jeq putpmsg 0049 (false 0011)
 0011: 15 37 00 000000b2   jeq query_module 0049 (false 0012)
 0012: 15 36 00 000000b9   jeq security 0049 (false 0013)
 0013: 15 35 00 0000008b   jeq sysfs 0049 (false 0014)
 0014: 15 34 00 000000b8   jeq tuxcall 0049 (false 0015)
 0015: 15 33 00 00000086   jeq uselib 0049 (false 0016)
 0016: 15 32 00 00000088   jeq ustat 0049 (false 0017)
 0017: 15 31 00 000000ec   jeq vserver 0049 (false 0018)
 0018: 15 30 00 0000009f   jeq adjtimex 0049 (false 0019)
 0019: 15 2f 00 00000131   jeq clock_adjtime 0049 (false 001a)
 001a: 15 2e 00 000000e3   jeq clock_settime 0049 (false 001b)
 001b: 15 2d 00 000000a4   jeq settimeofday 0049 (false 001c)
 001c: 15 2c 00 000000b0   jeq delete_module 0049 (false 001d)
 001d: 15 2b 00 00000139   jeq finit_module 0049 (false 001e)
 001e: 15 2a 00 000000af   jeq init_module 0049 (false 001f)
 001f: 15 29 00 000000ad   jeq ioperm 0049 (false 0020)
 0020: 15 28 00 000000ac   jeq iopl 0049 (false 0021)
 0021: 15 27 00 000000f6   jeq kexec_load 0049 (false 0022)
 0022: 15 26 00 00000140   jeq kexec_file_load 0049 (false 0023)
 0023: 15 25 00 000000a9   jeq reboot 0049 (false 0024)
 0024: 15 24 00 000000a7   jeq swapon 0049 (false 0025)
 0025: 15 23 00 000000a8   jeq swapoff 0049 (false 0026)
 0026: 15 22 00 000000a3   jeq acct 0049 (false 0027)
 0027: 15 21 00 00000141   jeq bpf 0049 (false 0028)
 0028: 15 20 00 000000a1   jeq chroot 0049 (false 0029)
 0029: 15 1f 00 000000a5   jeq mount 0049 (false 002a)
 002a: 15 1e 00 000000b4   jeq nfsservctl 0049 (false 002b)
 002b: 15 1d 00 0000009b   jeq pivot_root 0049 (false 002c)
 002c: 15 1c 00 000000ab   jeq setdomainname 0049 (false 002d)
 002d: 15 1b 00 000000aa   jeq sethostname 0049 (false 002e)
 002e: 15 1a 00 000000a6   jeq umount2 0049 (false 002f)
 002f: 15 19 00 00000099   jeq vhangup 0049 (false 0030)
 0030: 15 18 00 000000ee   jeq set_mempolicy 0049 (false 0031)
 0031: 15 17 00 00000100   jeq migrate_pages 0049 (false 0032)
 0032: 15 16 00 00000117   jeq move_pages 0049 (false 0033)
 0033: 15 15 00 000000ed   jeq mbind 0049 (false 0034)
 0034: 15 14 00 00000130   jeq open_by_handle_at 0049 (false 0035)
 0035: 15 13 00 0000012f   jeq name_to_handle_at 0049 (false 0036)
 0036: 15 12 00 000000fb   jeq ioprio_set 0049 (false 0037)
 0037: 15 11 00 00000067   jeq syslog 0049 (false 0038)
 0038: 15 10 00 0000012c   jeq fanotify_init 0049 (false 0039)
 0039: 15 0f 00 00000138   jeq kcmp 0049 (false 003a)
 003a: 15 0e 00 000000f8   jeq add_key 0049 (false 003b)
 003b: 15 0d 00 000000f9   jeq request_key 0049 (false 003c)
 003c: 15 0c 00 000000fa   jeq keyctl 0049 (false 003d)
 003d: 15 0b 00 000000ce   jeq io_setup 0049 (false 003e)
 003e: 15 0a 00 000000cf   jeq io_destroy 0049 (false 003f)
 003f: 15 09 00 000000d0   jeq io_getevents 0049 (false 0040)
 0040: 15 08 00 000000d1   jeq io_submit 0049 (false 0041)
 0041: 15 07 00 000000d2   jeq io_cancel 0049 (false 0042)
 0042: 15 06 00 000000d8   jeq remap_file_pages 0049 (false 0043)
 0043: 15 05 00 00000116   jeq vmsplice 0049 (false 0044)
 0044: 15 04 00 00000143   jeq userfaultfd 0049 (false 0045)
 0045: 15 03 00 00000065   jeq ptrace 0049 (false 0046)
 0046: 15 02 00 00000087   jeq personality 0049 (false 0047)
 0047: 15 01 00 00000136   jeq process_vm_readv 0049 (false 0048)
 0048: 06 00 00 7fff0000   ret ALLOW
 0049: 06 00 01 00000000   ret KILL
seccomp filter configured
Mounting read-only /run/firejail/mnt/seccomp
Dropping all capabilities
noroot user namespace installed
Dropping all capabilities
NO_NEW_PRIVS set
Drop privileges: pid 1, uid 1000, gid 1000, nogroups 1
No supplementary groups
starting application
LD_PRELOAD=(null)
execvp argument 0: atom
Child process initialized in 66.22 ms
Searching $PATH for atom
trying #/home/motoko/gems/bin/atom#
trying #/home/motoko/bin/atom#
trying #/usr/local/bin/atom#
Installing /run/firejail/mnt/seccomp/seccomp seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter
Warning: an existing sandbox was detected. /usr/bin/atom will run without any additional sandboxing features
monitoring pid 6

Sandbox monitor: waitpid 6 retval 6 status 0
Sandbox monitor: monitoring 15
monitoring pid 15

/usr/bin/atom: line 190:    17 Trace/breakpoint trap   nohup "$ATOM_PATH" --executed-from="$(pwd)" --pid=$$ "$@" > "$ATOM_HOME/nohup.out" 2>&1
[17:0611/120932.377486:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /usr/share/atom/chrome-sandbox is owned by root and has mode 4755.
Sandbox monitor: waitpid 15 retval 15 status 0

Parent is shutting down, bye...
@rusty-snake
Copy link
Collaborator

Can you try #2946 (comment).

@kmotoko
Copy link
Author

kmotoko commented Jun 11, 2020

@rusty-snake , adding the following returns the same error:

ignore seccomp
seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice

Running firejail --ignore=nonewprivs --ignore=noroot --ignore=protocol --ignore=seccomp --ignore=caps.drop --caps.keep=sys_admin,sys_chroot /usr/bin/atom changes the error to:

Child process initialized in 112.13 ms
/usr/bin/atom: line 190:    15 Trace/breakpoint trap   nohup "$ATOM_PATH" --executed-from="$(pwd)" --pid=$$ "$@" > "$ATOM_HOME/nohup.out" 2>&1
The setuid sandbox is not running as root. Common causes:
  * An unprivileged process using ptrace on it, like a debugger.
  * A parent process set prctl(PR_SET_NO_NEW_PRIVS, ...)
Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted

Parent is shutting down, bye...

@rusty-snake
Copy link
Collaborator

Is force-nonewprivs set in /etc/firejail/firejail.config?

@kmotoko
Copy link
Author

kmotoko commented Jun 11, 2020
edited
Loading

It was commented out, I tried both force-nonewprivs no and force-nonewprivs yes with no luck (the error did not change).

@rusty-snake
Copy link
Collaborator

What's in your globals.local?

@kmotoko
Copy link
Author

kmotoko commented Jun 11, 2020
edited
Loading

Nothing related actually:

blacklist ${HOME}/Documents/somefolder
nowhitelist ${HOME}/Documents/somefolder

@rusty-snake
Copy link
Collaborator

I'm out of ideas for now. Maybe you need to also ignore nogroups

firejail --ignore=nonewprivs --ignore=noroot --ignore=nogroups --ignore=protocol --ignore=seccomp --ignore=caps.drop --caps.keep=sys_admin,sys_chroot /usr/bin/atom

@kmotoko
Copy link
Author

kmotoko commented Jun 12, 2020

That didn't work either. I will keep playing with the rules and post if I find something.

@rusty-snake
Copy link
Collaborator

Because --noprofile works, we know that it is caused by one (or more) command in the profile. If you comment the full profile and then uncomment it line for line you will find it. However, I'm afraid, that it is a interaction between more commands, that is harder to debug.

@Fred-Barclay
Copy link
Collaborator

@rusty-snake I'm able to get it to work if I comment out
caps.drop all
nonewprivs
noroot
protocol unix,inet,inet6,netlink
seccomp

Naturally I want to tighten this down a bit but hopefully I can get a fix in within a day or so.

@Fred-Barclay Fred-Barclay added the bug Something isn't working label Jun 12, 2020
@Fred-Barclay
Copy link
Collaborator

@kmotoko can you try with the new profile https://github.com/netblue30/firejail/blob/cb6799523085ddc7caf57b235514e6865a4caeaa/etc/profile-a-l/atom.profile ?

Cheers!
Fred

@rusty-snake
Copy link
Collaborator

@kmotoko can you try with the new profile https://github.com/netblue30/firejail/blob/cb6799523085ddc7caf57b235514e6865a4caeaa/etc/profile-a-l/atom.profile ?

This profile does not work with 0.9.58.2

@Fred-Barclay
Copy link
Collaborator

@rusty-snake thanks for catching that! I'll put in a fix under etc-fixes for 0.9.58 and the other distro-supported releases (0.9.52, 0.9.58, and 0.9.60). This would skip 0.9.44, but since Debian 9 goes EOL in less than a month and 0.9.58 is in its backports, it may be better not to patch this one...

Fred-Barclay added a commit that referenced this issue Jun 13, 2020
@Fred-Barclay
More fixes for #3464
5590695 
Backporting fixes for Atom 1.48 to firejail 0.9.52, 0.9.58, and 0.9.60

Summary:
- remove nonewprivs, noroot, protocol, and seccomp
- update caps filter to keep sys_admin and sys_chroot

Without these changes Atom 1.48 breaks and refuses to start (due to
Electron sandboxing)
@Fred-Barclay
Copy link
Collaborator

@kmotoko please try with this one: https://github.com/netblue30/firejail/blob/55906959a9cbf6a9d53273c5bd875174ab1a6d51/etc-fixes/0.9.58/atom.profile

@matu3ba matu3ba mentioned this issue Oct 7, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

luarocks matu3ba/firejail
3 participants
@Fred-Barclay @kmotoko @rusty-snake