
Strange issue with xonotic.profile on Arch #4626

Closed
jose1711 opened this issue Oct 19, 2021 · 12 comments
Labels
bug Something isn't working

Comments

@jose1711
Contributor

Can't wrap my head around this 😞 Updated Arch Linux, xonotic installed from community repo, latest firejail from master. There are 3 binaries in /usr/bin:

/usr/bin/xonotic-dedicated: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=7d9e228eb4389da867dbcb6d5c02674c2a375c0b, for GNU/Linux 3.2.0, stripped
/usr/bin/xonotic-glx:       ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=e2f4d1533ef8c2b67aa6103485b12e42cbf9e9c2, for GNU/Linux 3.2.0, stripped
/usr/bin/xonotic-sdl:       ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=1726aef21639cca734120f22a8cfe094b46911d3, for GNU/Linux 3.2.0, stripped

The profile defines a private-bin as follows:

private-bin blind-id,darkplaces-glx,darkplaces-sdl,dirname,ldd,netstat,ps,readlink,sh,uname,xonotic*

If I run the game I get:

$ xonotic-sdl
Error: cannot find the program in the path

This is odd, so I change xonotic* to xonotic-sdl. Now the game starts. I revert the change and run a bash inside the profile. Inside it I can see that all 3 files were copied as expected:

$ firejail --profile=xonotic-sdl bash
bash-5.1$ echo /usr/bin/*xonotic*
/usr/bin/xonotic-dedicated /usr/bin/xonotic-glx /usr/bin/xonotic-sdl

So it looks like the globbing worked. Any idea where this is coming from?

@rusty-snake
Collaborator

Any idea where this is coming from?

$ git grep "cannot find the program in the path"
src/firejail/run_symlink.c:             fprintf(stderr, "Error: cannot find the program in the path\n");
void run_symlink(int argc, char **argv, int run_as_is) {
    ...
    char *p = find_in_path(program);
    if (!p) {
        fprintf(stderr, "Error: cannot find the program in the path\n");
        exit(1);
    }
    ...

Can you run firejail --debug /usr/bin/xonotic-sdl?

What does which -a xonotic-sdl show?
Maybe 7a1dd38 broke it? cc @smitsohu

@SkewedZeppelin
Collaborator

SkewedZeppelin commented Oct 20, 2021 via email

@jose1711
Contributor Author

Tried to revert 7a1dd38 but it's still the same. Maybe we want to go back from xonotic* to explicitly naming the files? (partially revert 41f69f7)

@rusty-snake
Collaborator

firejail --debug --private /usr/bin/xonotic-sdl works for me ...

Can you try with --debug?

@jose1711
Contributor Author

firejail --debug --private /usr/bin/xonotic-sdl works for me ...

Can you try with --debug?

Same. Are you on Arch as well? Also which part of the output should I paste (it's massive).

@rusty-snake
Collaborator

Fedora 34.

The lines before "cannot find the program in the path", e.g. where it tries to search.

@jose1711
Contributor Author

..
Active seccomp files:
cat /run/firejail/mnt/seccomp/seccomp.list
/run/firejail/mnt/seccomp/seccomp.protocol
/run/firejail/mnt/seccomp/seccomp.32
/run/firejail/mnt/seccomp/seccomp
Create the new ld.so.preload file
Blacklist violations are logged to syslog
Mount the new ld.so.preload file
Dropping all capabilities
noroot user namespace installed
Dropping all capabilities
NO_NEW_PRIVS set
Drop privileges: pid 1, uid 1000, gid 100, nogroups 0
Supplementary groups: 92 91 50 
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Starting application
LD_PRELOAD=(null)
execvp argument 0: /usr/bin/xonotic-sdl
Child process initialized in 124.10 ms
Installing /run/firejail/mnt/seccomp/seccomp seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter
Error: cannot find the program in the path
monitoring pid 48

@smitsohu
Collaborator

smitsohu commented Oct 20, 2021

In the debug log there might be a section like this

Searching $PATH for bla
trying #/usr/local/bin/bla#
trying #/usr/bin/bla#
trying #/bin/bla#
trying #/usr/local/sbin/bla#
trying #/usr/sbin/bla#

You may also want to compare the output of firejail --profile=xonotic --quiet sh -c "echo $PATH" to echo $PATH outside the sandbox.

Inside the sandbox, after private-bin was processed, there should be no Firejail symbolic links at all. Because private-bin mounts a tmpfs on /usr/local/bin, which is where these links normally go.

@jose1711
Contributor Author

There is no such section/lines:

$ firejail --debug --private /usr/bin/xonotic-sdl 2>&1 | grep -e Search -e trying
$

You may also want to compare the output of

PATH is the same inside and outside the sandbox.

there should be no Firejail symbolic links

OK then I think that is probably the issue, b/c:

$ firejail --profile=xonotic --quiet sh -c 'ls -l /usr/local/bin/xonotic*'
-rwxr-xr-x 1 nobody nobody 3410952 okt 21 13:59 /usr/local/bin/xonotic-dedicated
lrwxrwxrwx 1 nobody nobody      17 okt 21 13:59 /usr/local/bin/xonotic-glx -> /usr/bin/firejail
lrwxrwxrwx 1 nobody nobody      17 okt 21 13:59 /usr/local/bin/xonotic-sdl -> /usr/bin/firejail

@smitsohu
Collaborator

smitsohu commented Oct 21, 2021

Ok, that's strange.
You didn't by chance enable private-bin-no-local in the Firejail configuration file (/etc/firejail/firejail.config)?

firejail --private-bin=ls --profile=xonotic --quiet ls -l /usr/bin
Does that show all of /usr/bin, or do you have a restricted view?

@jose1711
Contributor Author

firejail.config is stock (all entries are commented out).

$ firejail --private-bin=ls --profile=xonotic --quiet ls -l /usr/bin
total 13420
-rwxr-xr-x 1 nobody nobody   39072 Oct 22 10:07 basename
-rwxr-xr-x 1 nobody nobody  952720 Oct 22 10:07 bash
-rwxr-xr-x 1 nobody nobody   47296 Oct 22 10:07 cut
-rwxr-xr-x 1 nobody nobody 3781264 Oct 22 10:07 darkplaces-glx
-rwxr-xr-x 1 nobody nobody 3765776 Oct 22 10:07 darkplaces-sdl
-rwxr-xr-x 1 nobody nobody   39072 Oct 22 10:07 dirname
-rwsr-xr-x 1 nobody nobody  478664 Oct 22 10:07 firejail
-rwxr-xr-x 1 nobody nobody   63464 Oct 22 10:07 glxinfo
-rwxr-xr-x 1 nobody nobody  235824 Oct 22 10:07 grep
-rwxr-xr-x 1 nobody nobody   47296 Oct 22 10:07 head
-rwxr-xr-x 1 nobody nobody    5443 Oct 22 10:07 ldd
-rwxr-xr-x 1 nobody nobody  146056 Oct 22 10:07 ls
-rwxr-xr-x 1 nobody nobody  153848 Oct 22 10:07 netstat
-rwxr-xr-x 1 nobody nobody  137504 Oct 22 10:07 ps
-rwxr-xr-x 1 nobody nobody   47264 Oct 22 10:07 readlink
-rwxr-xr-x 1 nobody nobody  186712 Oct 22 10:07 sed
lrwxrwxrwx 1 nobody nobody      13 Oct 22 10:07 sh -> /usr/bin/bash
-rwxr-xr-x 1 nobody nobody   39104 Oct 22 10:07 uname
-rwxr-xr-x 1 nobody nobody 3410952 Oct 22 10:07 xonotic-dedicated
lrwxrwxrwx 1 nobody nobody      17 Oct 22 10:07 xonotic-glx -> /usr/bin/firejail
lrwxrwxrwx 1 nobody nobody      17 Oct 22 10:07 xonotic-sdl -> /usr/bin/firejail
-rwxr-xr-x 1 nobody nobody  127368 Oct 22 10:07 zenity

@smitsohu
Collaborator

Thanks, I think it's clear now. We are skipping these Firejail symbolic links when there is no globbing, but with globbing we need to do the same thing. It's a bug!
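The two observations above (smitsohu's note that private-bin must not pick up Firejail's own symlinks in /usr/local/bin, and the conclusion that the glob path of private-bin forgot to skip them) can be modelled with a small script. This is an added example, not firejail's code: it builds a constructed directory tree in a temporary directory that mirrors the listing in this thread (real binaries in usr/bin, firecfg-style symlinks to the firejail binary in usr/local/bin), then expands the pattern `xonotic*` over an assumed search order with and without the symlink check. The search order, the function names and the `skip_firejail_links` flag are assumptions of this example.

```python
"""
Added example (not firejail's code): model how a private-bin glob such as
`xonotic*` is expanded across the bin search path, and why symlinks that
point back at the firejail binary must be skipped during that expansion.
"""
import fnmatch
import os
import tempfile
from pathlib import Path

# Search order assumed for this example; firejail's real list may differ.
SEARCH_DIRS = ("usr/local/bin", "usr/bin", "bin")


def is_firejail_symlink(path: Path, firejail_bin: Path) -> bool:
    """True if `path` is a symlink whose target is the firejail binary."""
    if not path.is_symlink():
        return False
    target = Path(os.readlink(path))
    if not target.is_absolute():
        target = path.parent / target
    return os.path.normpath(str(target)) == os.path.normpath(str(firejail_bin))


def expand_private_bin(patterns, root: Path, firejail_bin: Path,
                       skip_firejail_links: bool = True):
    """Resolve private-bin entries (plain names or globs) to program paths.

    For each basename the first directory in SEARCH_DIRS that provides it
    wins, like a PATH lookup.  With skip_firejail_links=True a symlink to
    the firejail binary is ignored, so the real program further down the
    search path is chosen instead of a link that would re-enter firejail
    (which is what produced "cannot find the program in the path").
    """
    chosen = {}
    for pattern in patterns:
        for rel in SEARCH_DIRS:
            d = root / rel
            if not d.is_dir():
                continue
            for name in sorted(os.listdir(d)):
                if not fnmatch.fnmatchcase(name, pattern) or name in chosen:
                    continue
                candidate = d / name
                if skip_firejail_links and is_firejail_symlink(candidate, firejail_bin):
                    continue
                chosen[name] = candidate
    return [chosen[n] for n in sorted(chosen)]


def build_demo_tree(root: Path) -> Path:
    """Constructed layout mirroring the thread: real binaries in usr/bin,
    firejail symlinks for the two graphical clients in usr/local/bin."""
    usr_bin = root / "usr/bin"
    local_bin = root / "usr/local/bin"
    usr_bin.mkdir(parents=True)
    local_bin.mkdir(parents=True)
    firejail_bin = usr_bin / "firejail"
    for name in ("firejail", "xonotic-dedicated", "xonotic-glx", "xonotic-sdl"):
        (usr_bin / name).write_bytes(b"\x7fELF placeholder")  # constructed stand-in
    for name in ("xonotic-glx", "xonotic-sdl"):
        os.symlink(str(firejail_bin), local_bin / name)
    return firejail_bin


def demo():
    """Run both expansions on the constructed tree and report what each picks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        firejail_bin = build_demo_tree(root)
        fixed = expand_private_bin(["xonotic*"], root, firejail_bin)
        naive = expand_private_bin(["xonotic*"], root, firejail_bin,
                                   skip_firejail_links=False)
        return {
            "fixed": [str(p.relative_to(root)) for p in fixed],
            "naive": [str(p.relative_to(root)) for p in naive],
            "naive_points_at_firejail": [p.name for p in naive
                                         if is_firejail_symlink(p, firejail_bin)],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The naive expansion reproduces the symptom from the `ls -l` output above: `xonotic-glx` and `xonotic-sdl` resolve to links pointing at the firejail binary, while only `xonotic-dedicated` (which has no firecfg link) comes from /usr/bin. With the symlink check the glob yields the three real programs.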

@kmk3 kmk3 added the bug Something isn't working label Feb 5, 2022
kmk3 added a commit that referenced this issue Feb 6, 2022
@kmk3 kmk3 moved this to Done (on RELNOTES) in Release 0.9.68 Sep 2, 2024