Musixmatch can not run under firejail #4518

Closed
GreatBigWhiteWorld opened this issue Sep 8, 2021 · 2 comments

@GreatBigWhiteWorld

Any idea what's the problem for musixmatch here?
firejail version 0.9.66

```
firejail /opt/Musixmatch/musixmatch %U
Reading profile /etc/firejail/musixmatch.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Parent pid 23668, child pid 23669
Warning fcopy: skipping /etc/alternatives/libjavaplugin.so.x86_64, cannot find inode
Warning: skipping asound.conf for private /etc
Warning: skipping crypto-policies for private /etc
Private /etc installed in 9.20 ms
Private /usr/etc installed in 0.00 ms
Warning: not remounting /run/user/1000/gvfs
Child process initialized in 523.84 ms
Check failed: sys_chroot("/proc/self/fdinfo/") == 0

Parent is shutting down, bye...
```

@rusty-snake
Collaborator

rusty-snake commented Sep 8, 2021

> Check failed: sys_chroot("/proc/self/fdinfo/") == 0

`seccomp` -> `seccomp !chroot`

Maybe more: `ignore caps.drop all`, `ignore nonewprivs`, `ignore noroot`, `ignore protocol`, `ignore seccomp`

@GreatBigWhiteWorld
Author

> > Check failed: sys_chroot("/proc/self/fdinfo/") == 0
>
> `seccomp` -> `seccomp !chroot`
>
> Maybe more: `ignore caps.drop all`, `ignore nonewprivs`, `ignore noroot`, `ignore protocol`, `ignore seccomp`

Hey, just 'seccomp !chroot' is good enough! Many thanks!
Not sure why it needs chroot though.

rusty-snake added a commit to rusty-snake/firejail that referenced this issue Sep 30, 2021
 * cheese
   - fix: dbus-user.own org.gnome.Cheese
   - fix: whitelist /usr/share/gstreamer-1.0
   - fix: include allow-python3.inc
   - hardening: include disable-shell.inc
   - hardening: include whitelist-run-common.inc and whitelist /run/udev/data
   - hardening: whitelist /usr/libexec/gstreamer-1.0/gst-plugin-scanner
   - hardening: noinput
   - hardening: nosound
   - hardening: seccomp.block-secondary
   - hardening: private-dev
 * geekbench (closes netblue30#4576)
   - fix: noblacklist /sbin and noblacklist /usr/sbin
   - fix: noblacklist, blacklist, mkdir, whitelist, read-write ${HOME}/.geekbench5
   - fix: comment/remove private-bin, private-lib, private-opt
 * inkscape
   - add quiet for cli usage
 * musixmatch (netblue30#4518)
   - allow chroot
 * pandoc
   - fix: include allow-bin-sh.inc
   - fix: drop private-bin
   - hardening: include whitelist-runuser-common.inc
   - hardening: seccomp.block-secondary