ms teams not starting in firejail 0.9.64 Nvidia Card Detected #3795

Closed
tirasdude opened this issue Dec 7, 2020 · 13 comments · Fixed by #3807
Comments

@tirasdude

Background:
Ubuntu 20.04 AMD64
Nvidia Quadro on Nvidia 450 Driver
Installed from deb package (firejail_0.9.64-apparmor_1_amd64.deb) from here: https://sourceforge.net/projects/firejail/files/firejail/
MS Teams: teams_1.3.00.30857_amd64
skype and zoom work fine

Issue:
During start I get this message:
Reading profile /etc/firejail/teams.profile
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Reading profile /etc/firejail/electron.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Warning: Warning: NVIDIA card detected, nogroups command disabled
Parent pid 17948, child pid 17949
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: not remounting /run/user/1000/gvfs
Warning: not remounting /run/user/1000/doc
Warning: cleaning all supplementary groups
Blacklist violations are logged to syslog
Warning: cleaning all supplementary groups
Child process initialized in 131.45 ms

Parent is shutting down, bye...

Syslog output:
Dec 7 20:55:11 linux systemd[1]: fwupd.service: Succeeded.
Dec 7 20:55:15 linux kernel: [10615.421160] audit: type=1326 audit(1607360115.564:51): auid=1000 uid=1000 gid=1000 ses=2 pid=18900 comm="teams" exe="/usr/share/teams/teams" sig=31 arch=c000003e syscall=161 compat=0 ip=0x7efe3eeca89d code=0x0
Dec 7 20:55:15 linux kernel: [10615.643281] traps: teams[18895] trap int3 ip:560a38ae97c5 sp:7ffd845749a0 error:0 in teams[560a357d7000+53c4000]

Any ideas what it could be?

Thanks
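The `audit: type=1326` line in the syslog output above is the seccomp kill record for the first failure, and it already names the cause: `sig=31` is SIGSYS, `arch=c000003e` is x86_64, and `syscall=161` is chroot on that architecture. The snippet below is an added example (not code from this issue or from the firejail project) that decodes such a record into the `seccomp !name` profile line that re-allows the call. The syscall table is a constructed subset of the x86_64 table; the sample record is the one quoted in the report.

```shell
#!/bin/sh
# Added example: decode a seccomp audit record as logged by the kernel when a
# firejail seccomp filter kills the sandboxed process.

# Constructed input: the audit record quoted in this issue's first report.
# type=1326 is AUDIT_SECCOMP; arch=c000003e is AUDIT_ARCH_X86_64.
SAMPLE_AUDIT='Dec 7 20:55:15 linux kernel: [10615.421160] audit: type=1326 audit(1607360115.564:51): auid=1000 uid=1000 gid=1000 ses=2 pid=18900 comm="teams" exe="/usr/share/teams/teams" sig=31 arch=c000003e syscall=161 compat=0 ip=0x7efe3eeca89d code=0x0'

# audit_field LINE KEY: print the value of KEY=value in an audit record
# (surrounding quotes stripped), or nothing if the key is absent.
audit_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# syscall_name_x86_64 NUMBER: map a syscall number to its name.
# Constructed subset of the x86_64 table; cross-check on your own machine with
# `firejail --debug-syscalls`, which lists the names and numbers firejail knows.
syscall_name_x86_64() {
    case "$1" in
        56)  echo clone ;;
        101) echo ptrace ;;
        161) echo chroot ;;
        165) echo mount ;;
        166) echo umount2 ;;
        272) echo unshare ;;
        *)   echo "unknown($1)" ;;
    esac
}

# blocked_syscall LINE: name of the syscall seccomp refused, or a non-zero
# exit status if LINE is not an x86_64 seccomp audit record (e.g. the
# segfault and int3 trap lines later in this thread are not seccomp kills).
blocked_syscall() {
    [ "$(audit_field "$1" type)" = 1326 ] || return 1
    [ "$(audit_field "$1" arch)" = c000003e ] || return 1
    syscall_name_x86_64 "$(audit_field "$1" syscall)"
}

# explain_seccomp_kill LINE: one-line diagnosis plus the firejail profile
# line that re-allows the call (`seccomp !NAME`, the syntax used in this thread).
explain_seccomp_kill() {
    name=$(blocked_syscall "$1") || { echo "not an x86_64 seccomp audit record"; return 1; }
    comm=$(audit_field "$1" comm)
    pid=$(audit_field "$1" pid)
    sig=$(audit_field "$1" sig)
    echo "$comm (pid $pid) killed with signal $sig on syscall $name; to allow it add: seccomp !$name"
}

explain_seccomp_kill "$SAMPLE_AUDIT"
```

For the sample record this prints `teams (pid 18900) killed with signal 31 on syscall chroot; to allow it add: seccomp !chroot`, which is the change the thread later reports as commit a37c7d4. A record that is not a seccomp kill (the later `segfault` and `trap int3` lines) makes `blocked_syscall` return non-zero, so a different cause has to be looked for, as happened in this issue once the chroot entry was in place.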

@rusty-snake
Collaborator

Thanks for reporting, should be fixed.

OT: Should we move !chroot into electron.profile?

@tirasdude
Author

Hi again,

Did not really get fixed :(

Reading profile /etc/firejail/teams.profile
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Reading profile /etc/firejail/electron.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Warning: Warning: NVIDIA card detected, nogroups command disabled
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 12656, child pid 12657
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: not remounting /run/user/1000/gvfs
Warning: not remounting /run/user/1000/doc
Warning: cleaning all supplementary groups
Blacklist violations are logged to syslog
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: cleaning all supplementary groups
Child process initialized in 135.05 ms

Parent is shutting down, bye...

Syslog:
Dec 8 18:28:31 linux kernel: [30811.423948] teams[12676]: segfault at 328 ip 00007f3ec53f0c6f sp 00007fff0a1bc398 error 4 in libpthread-2.31.so[7f3ec53e6000+11000]
Dec 8 18:28:31 linux kernel: [30811.423972] Code: 44 00 00 b8 16 00 00 00 c3 66 90 f3 0f 1e fa 83 ff 1f 77 3f 89 f8 48 83 c0 31 48 c1 e0 04 64 48 8b 14 25 10 00 00 00 48 01 d0 <4c> 8b 40 08 4d 85 c0 74 16 89 ff 48 8d 15 bf c6 00 00 48 8b 30 48
Dec 8 18:28:31 linux kernel: [30811.643259] traps: teams[12671] trap int3 ip:5573dca927c5 sp:7ffe3f182750 error:0 in teams[5573d9780000+53c4000]

@rusty-snake rusty-snake reopened this Dec 8, 2020
@rusty-snake
Collaborator

New error, next issue. tracelog breaks chromium; I wonder why teams has set it. Can you try firejail --ignore=tracelog teams? If this does not help, I've no idea what it could be. Either teams is badly programmed and fails on a blacklist (admittedly, it is from M$, written in javascript and uses electron), or it is seccomp, protocol, nonewprivs, noroot, nogroups, caps.drop all, dbus-user none. Try to comment them out.

@micressor

I am not sure if this has anything to do with the nvidia card. Maybe I have to open a separate issue for it?

It works for me this way (since teams 1.3.00.30857) on debian 10 with firejail 0.9.64:

# /etc/firejail/teams.local
ignore caps.drop all
ignore nonewprivs
ignore noroot
ignore protocol unix,inet,inet6,netlink
ignore seccomp

I was also not able to debug that better:

firejail --ignore=nonewprivs  --ignore=protocol --ignore=seccomp --ignore=caps.drop  --build=teams.profile /usr/bin/teams
Error fbuilder: invalid program
Firejail profile builder
Usage: firejail [--debug] --build[=profile-file] program-and-arguments

@jvonhoff

jvonhoff commented Dec 9, 2020

FWIW, I applied change a37c7d4 to /etc/firejail/teams.profile -- adding seccomp !chroot -- and was still unable to start teams.

However, running it with firejail --ignore=tracelog /usr/bin/teams is working for me. Thanks!

@tirasdude
Author

Hello Everyone!

Launching with --ignore=tracelog option [terminal command: firejail --ignore=tracelog teams] does indeed start it and it seems to work fine.

Guess that is the workaround for now.

Thank you for your help!

@rusty-snake
Collaborator

> I was also not able to debug that better:

FYI

  • as the error message states, you cannot use --ignore=quxqax if you use --build.
  • it doesn't make sense because --build uses no profile
  • --build implies nonewprivs and caps.drop all
  • --build uses --trace and both will break if tracelog breaks.

> Guess that is the workaround for now.

It's the final solution. tracelog breaks firefox and chromium (=electron=teams).

@rusty-snake
Collaborator

What does sysctl kernel.unprivileged_userns_clone show?

@micressor: 0 because debian
@tirasdude: 1 on ubuntu?
@jvonhoff: ?

@tirasdude
Author

kernel.unprivileged_userns_clone = 1

@rusty-snake
Collaborator

Background: #2946 and #3688

@micressor firejail --ignore=nonewprivs --ignore=noroot --ignore=protocol --ignore=seccomp --ignore=caps.drop --caps.keep=sys_admin,sys_chroot /usr/bin/teams should work on debian. If so I add it.

@jvonhoff

jvonhoff commented Dec 9, 2020 via email

@micressor

> What does sysctl kernel.unprivileged_userns_clone show?
> @micressor: 0 because debian

kernel.unprivileged_userns_clone = 0

@micressor

> firejail --ignore=nonewprivs --ignore=noroot --ignore=protocol --ignore=seccomp --ignore=caps.drop --caps.keep=sys_admin,sys_chroot /usr/bin/teams should work on debian. If so I add it.

@rusty-snake: That works for me - thanks!
