Profile for signal-desktop fails! #4937

Closed
4 of 7 tasks
little-helper-001 opened this issue Feb 13, 2022 · 10 comments
Labels
notabug The behavior is as intended or the issue was caused by user error or by an old version

Comments

little-helper-001 commented Feb 13, 2022

Description

I tried to launch signal-desktop after running firecfg and the program fails to start.

Steps to Reproduce

  1. sudo pacman -S signal-desktop
  2. sudo firecfg
  3. signal-desktop

Expected behavior

Signal should start.

Actual behavior

[sapiens@fuckup ~]$ signal-desktop
Reading profile /etc/firejail/signal-desktop.profile
Reading profile /etc/firejail/electron.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 37899, child pid 37902
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping alternatives for private /etc
Warning: skipping crypto-policies for private /etc
Warning: skipping pki for private /etc
Private /etc installed in 38.85 ms
Private /usr/etc installed in 0.00 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: cleaning all supplementary groups
Child process initialized in 158.67 ms
The setuid sandbox is not running as root. Common causes:
  * An unprivileged process using ptrace on it, like a debugger.
  * A parent process set prctl(PR_SET_NO_NEW_PRIVS, ...)
Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted

Parent is shutting down, bye...

Behavior without a profile

LC_ALL=C firejail --noprofile /path/to/program

[user@computer ~]$ LC_ALL=C firejail --noprofile /bin/signal-desktop
Parent pid 44226, child pid 44227
Child process initialized in 15.86 ms
The setuid sandbox is not running as root. Common causes:
  * An unprivileged process using ptrace on it, like a debugger.
  * A parent process set prctl(PR_SET_NO_NEW_PRIVS, ...)
Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted

Parent is shutting down, bye...

Calling signal by running /bin/signal-desktop causes Signal to launch as expected.

Environment

  • ArchLinux
  • 5.15.21-hardened
  • firejail version 0.9.68

Checklist

  • The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • I can reproduce the issue without custom modifications (e.g. globals.local).
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • I have performed a short search for similar issues (to avoid opening a duplicate).
    • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program

[user@computer ~]$ LC_ALL=C firejail /bin/signal-desktop
Reading profile /etc/firejail/signal-desktop.profile
Reading profile /etc/firejail/electron.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 46932, child pid 46935
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping alternatives for private /etc
Warning: skipping crypto-policies for private /etc
Warning: skipping pki for private /etc
Private /etc installed in 41.64 ms
Private /usr/etc installed in 0.00 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: cleaning all supplementary groups
Child process initialized in 156.23 ms
The setuid sandbox is not running as root. Common causes:
  * An unprivileged process using ptrace on it, like a debugger.
  * A parent process set prctl(PR_SET_NO_NEW_PRIVS, ...)
Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted

Parent is shutting down, bye...

EDIT by @rusty-snake: fix markdown checklist; fix details tag

@rusty-snake (Collaborator)

Did you set force-nonewprivs yes in firejail.config?

@little-helper-001 (Author)

> Did you set force-nonewprivs yes in firejail.config?

Indeed I did. I followed the instructions to harden firejail. I suppose this is an issue. How should I handle the situation?

@rusty-snake (Collaborator)

You can not set nnp and disable userns if you want to use chromium* programs.

Either set force-nonewprivs no or sysctl kernel.unprivileged_userns_clone=1 (IMHO the right thing).

@rusty-snake rusty-snake added the notabug The behavior is as intended or the issue was caused by user error or by an old version label Feb 13, 2022
@little-helper-001 (Author)

From what I read, sysctl kernel.unprivileged_userns_clone=1 is a security risk, while force-nonewprivs no disables the general hardening for firejail. Can you tell me if there is a third option? That would be to set firecfg to exclude signal-desktop from profile generation, or a setting I could put into the signal-desktop.local that disables the restriction. I think under the circumstances I would exclude signal from being handled by firejail.

@rusty-snake (Collaborator)

> or a setting I could put into the signal-desktop.local that disables restriction.

The idea behind force-nonewprivs is that you can not undo it, otherwise it wouldn't be a hardening option.

> From what I read sysctl kernel.unprivileged_userns_clone=1 is a security risk

It's such a huge security risk that it is the default in mainline, Debian, Ubuntu, Mint, Fedora, ... kernels.

Did you know that firefox is a security risk?

> that would be to set firecfg to exclude signal-desktop from profile generation

Yes you can #2097, #3665 (comment), #3016, ...

little-helper-001 (Author) commented Feb 13, 2022

Thank you for the links. I left the hardening in place.

I created a script to remove the links from applications I want to exclude.

#!/bin/bash
# Remove the firecfg symlinks for applications that should not run under firejail,
# so that the plain binary in /usr/bin is found on PATH instead.
apps=(signal-desktop)
for app in "${apps[@]}"; do
	rm -f "/usr/local/bin/$app"   # quoted: no word splitting or globbing on the name
done

Then I modified the pacman hook accordingly to run the script every time it runs firecfg.

/etc/pacman.d/hooks/firejail.hook:
[Trigger]
Type = Path
Operation = Install
Operation = Upgrade
Operation = Remove
Target = usr/bin/*
Target = usr/local/bin/*
Target = usr/share/applications/*.desktop

[Action]
Description = Configure symlinks in /usr/local/bin based on firecfg.config...
When = PostTransaction
Depends = firejail
Exec = /bin/sh -c 'firecfg >/dev/null 2>&1 && /home/user/scripts/firejail-disable-helper.sh'

@rusty-snake (Collaborator)

> Exec = /bin/sh -c 'firecfg >/dev/null 2>&1 && /home/user/scripts/firejail-disable-helper.sh'

All this issue is about is a problem caused by multiple hardening options to mitigate potential user2root exploits (which aren't much of an issue for most desktop systems) that could be discovered in the future. And to fix it you automatically execute a user-writeable script as root? Think of your threat models.

little-helper-001 (Author) commented Feb 13, 2022

Thank you for your concern, but the script is not user writable.

-rwxr----- 1 root    root     91 Feb 13 11:47 firejail-disable-helper.sh

As long as some applications make problems with firejail, I will exclude them and let Apparmor handle them. It is a single application so far, so I think this is a good compromise.

@rusty-snake (Collaborator)

Is /home/user/scripts owned by you and writeable?

rm -f ~/scripts/firejail-disable-helper.sh
echo -e '#!/bin/bash\nrm -rf /' > ~/scripts/firejail-disable-helper.sh
chmod +x ~/scripts/firejail-disable-helper.sh

@little-helper-001 (Author)

Oh, I actually did not know that this works. Thanks for explaining. I moved the script to /root/scripts for now. I still think only excluding the few applications that make problems is the best way to go.
