-
Notifications
You must be signed in to change notification settings - Fork 567
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Requesting rework of geekbench.profile #4576
Comments
That's curious. Does If not, what does |
|
Thanks! I think this is a bug. Probably the reason is that our helper |
Great, if it gets solved in the end all is well. What is the estimated timeframe for a fix to get merged to master? Is there any kind of manual workaround that can be applied in the meantime? |
|
For now, of my programs, only geekbench is affected. What would be the |
This will affect all program if their profile contains |
The geekbench binary is located at |
Does anyone know if |
|
firejail/src/firejail/fs_bin.c Lines 162 to 169 in 452916a
|
Does |
|
Do you have a |
Our current geekbench.profile has |
Ups, yes, I was in
|
🤦 was to obvious
Either use EDIT: Did not saw @glitsj16 comment until now. |
What should the geekbench.local look now?
Results in:
|
All 4 lines (2 |
|
And with |
With |
|
Just out of curiosity, did you create the |
https://wiki.archlinux.org/title/Firejail#Hardening_Firejail |
I still have some questions.
|
users, and fldd in particular, might have no read permission on the firejail executable, make that ok by running fldd as root
There is a fix in master for the |
That's what I want to findout first. My guess is |
With the above setting geekbench starts. With the above settings, including Without
|
While we are on the topic, geekbench does not seem to have permissions to save the registration key if you have bought a licence.
|
Where and how does it store the license key? Does it need additional edit: um, yes then it is clear what the problem is
edit2: adding |
I have no idea where it is trying to save the key. How would I go about finding that out? |
firejail/etc/templates/profile.template Lines 62 to 73 in 6988a80
|
Geekbench without any additonal parameters will not try to save the licence and Geekbench called via:
Geekbench is not an interactive program I can just leave running.
I might just write the support. |
|
I wrote the support, maybe they are willing to give us a shortcut to figuring this out. |
|
|
|
There it is! It's
|
Can you try this. (note the diff --git a/etc/profile-a-l/geekbench.profile b/etc/profile-a-l/geekbench.profile
index 60f2f338..4812e136 100644
--- a/etc/profile-a-l/geekbench.profile
+++ b/etc/profile-a-l/geekbench.profile
@@ -6,6 +6,10 @@ include geekbench.local
# Persistent global definitions
include globals.local
+noblacklist ${HOME}/.geekbench5
+noblacklist /sbin
+noblacklist /usr/sbin
+
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
@@ -13,6 +17,8 @@ include disable-interpreters.inc
include disable-programs.inc
include disable-xdg.inc
+mkdir ${HOME}/.geekbench5
+whitelist ${HOME}/.geekbench5
include whitelist-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc
@@ -39,16 +45,14 @@ shell none
tracelog
disable-mnt
-private-bin bash,geekbenc*,sh
+#private-bin bash,geekbench*,sh -- #4576
private-cache
private-dev
private-etc alternatives,group,ld.so.preload,lsb-release,passwd
-private-lib gcc/*/*/libstdc++.so.*
-private-opt none
private-tmp
dbus-user none
dbus-system none
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
read-only ${HOME}
+read-write ${HOME}/.geekbench5 |
I needed to modify the patch a little, since it seems the
Now geekbench runs smoothly! |
Description
Current profile for the crossplatform benchmarking utility Geekbench is not up-to-date and unusable.
Steps to Reproduce
Expected behavior
Geekbench should run confined to its jail.
Actual behavior
Denies execution during firejail start up procedure.
Behavior without a profile
Geekbench begins executing as expected.
Additional context
Geekbench exists in different versions. The current version is 5.x
Environment
Checklist
/usr/bin/vlc
) "fixes" it).https://github.com/netblue30/firejail/issues/1139
)browser-allow-drm yes
/browser-disable-u2f no
infirejail.config
to allow DRM/U2F in browsers.--profile=PROFILENAME
to set the right profile. (Only relevant for AppImages)Log
The text was updated successfully, but these errors were encountered: