firejail --appimage doesn't have supplementary groups required for device access #5748

Closed
7 tasks done
amano-kenji opened this issue Mar 23, 2023 · 6 comments
Labels
duplicate This issue or pull request already exists

Comments

@amano-kenji
Contributor

amano-kenji commented Mar 23, 2023

Steps to Reproduce

  1. Download https://github.com/DCurrent/openbor/releases/download/v6391/OpenBOR.v3.0.Build.6391.7z
  2. Extract it
  3. Go to LINUX/OpenBOR
  4. Run LC_ALL=C firejail --appimage --noprofile ./OpenBOR_3.0_6391.AppImage
  5. (Optional) Insert any .pak file from https://openborgames.com/ into Paks folder
  6. (Optional) Open a game.
  7. (Optional) Close the game.

Expected behavior

ALSA should work. Input devices like game pads should be recognized.

Actual behavior

Device availability is random. Devices are sometimes accessible. Sometimes, they are not.

Parent pid 26782, child pid 26785

** Warning: dropping all Linux capabilities and setting NO_NEW_PRIVS prctl **

Mounting appimage type 2
Child process initialized in 17.45 ms
ALSA lib /path/to/alsa-lib-1.2.8/src/confmisc.c:165:(snd_config_get_card) Cannot get card index for D10s
ALSA lib /path/to/alsa-lib-1.2.8/src/confmisc.c:165:(snd_config_get_card) Cannot get card index for D10s

Game pads are sometimes recognized.

Additional context

I work around this issue by extracting files from appimage and executing the embedded executable directly with firejail.

Environment

  • Linux distribution and version: Gentoo Linux
  • Firejail version (firejail --version)
firejail version 0.9.72

Compile time support:
	- always force nonewprivs support is disabled
	- AppArmor support is enabled
	- AppImage support is enabled
	- chroot support is enabled
	- D-BUS proxy support is enabled
	- file transfer support is enabled
	- firetunnel support is disabled
	- IDS support is disabled
	- networking support is enabled
	- output logging is enabled
	- overlayfs support is disabled
	- private-home support is enabled
	- private-cache and tmpfs as user enabled
	- SELinux support is disabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled

Checklist

  • The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • I can reproduce the issue without custom modifications (e.g. globals.local).
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • I have performed a short search for similar issues (to avoid opening a duplicate).
    • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)
@amano-kenji amano-kenji changed the title firejail --appimage often fails to get access to ALSA hardwares. firejail --appimage often fails to get access to ALSA hardwares and input devices. Mar 23, 2023
@amano-kenji amano-kenji changed the title firejail --appimage often fails to get access to ALSA hardwares and input devices. firejail --appimage often fails to get access to ALSA devices and input devices. Mar 23, 2023
@amano-kenji amano-kenji changed the title firejail --appimage often fails to get access to ALSA devices and input devices. firejail --appimage fails to get access to ALSA devices and input devices. Mar 23, 2023
@amano-kenji
Contributor Author

I finally found a way to get a shell inside appimage sandbox. I will figure out what went wrong.

@rusty-snake
Collaborator

If ALSA requires permissions via supplementary groups, the usage of --appimage is the cause.

@amano-kenji
Contributor Author

I discovered that with --appimage, I do not belong in audio group.
Without --appimage, I belong in audio group.
ALSA requires membership in audio group.
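
The group loss described in the comment above can be checked mechanically. The following is an added example, not part of the issue thread or of firejail: it diffs the `Groups:` line of two `/proc/<pid>/status` files and lists device nodes that depend on a dropped group. The function names and the sample GIDs are assumptions; it needs GNU `stat` and looks only at mode bits, not ACLs.

```shell
#!/bin/sh
# Added example (not firejail code): find which supplementary groups a sandboxed
# process lost and which device nodes depend on them through group mode bits.

# Print the supplementary GIDs listed in a /proc/<pid>/status file, one per line.
groups_from_status() {
    awk '/^Groups:/ { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# Print GIDs held by the process behind status file $1 but not by the one behind $2.
dropped_groups() {
    box=" $(groups_from_status "$2" | tr '\n' ' ')"
    for g in $(groups_from_status "$1"); do
        case "$box" in
            *" $g "*) ;;           # still present in the sandbox
            *) echo "$g" ;;        # lost in the sandbox
        esac
    done
}

# Print nodes under directory $2 that are owned by group $1 and are not both
# readable and writable by "other", i.e. nodes that need membership in $1.
# Only mode bits are checked (GNU stat); ACLs on the node are not considered.
nodes_needing_gid() {
    [ -d "$2" ] || return 0
    find "$2" ! -type d ! -type l -exec stat -c '%g %a %n' {} + |
        awk -v gid="$1" '$1 == gid && ($2 % 10) < 6 { sub(/^[^ ]+ [^ ]+ /, ""); print }'
}

# Constructed sample: status excerpts for the same user outside and inside
# "firejail --appimage" (GIDs are made up; 18 stands in for "audio").
tmp=$(mktemp -d)
printf 'Name:\tbash\nGroups:\t18 27 1000 \n' > "$tmp/host.status"
printf 'Name:\tbash\nGroups:\t1000 \n' > "$tmp/sandbox.status"
for gid in $(dropped_groups "$tmp/host.status" "$tmp/sandbox.status"); do
    echo "GID $gid missing in sandbox; nodes that need it:"
    nodes_needing_gid "$gid" /dev/snd
    nodes_needing_gid "$gid" /dev/input
done
rm -rf "$tmp"
```

On a real system, pass `/proc/<pid>/status` of a shell started outside the sandbox and of one started inside it instead of the constructed files.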

@amano-kenji
Contributor Author

amano-kenji commented Mar 28, 2023

I still don't understand how OpenBOR still has access to ALSA without being in audio group.
However, its access to ALSA is random at best.

Weirdly, game pads are available randomly in appimage sandbox.

@amano-kenji
Contributor Author

What can be done with --appimage, then?

@amano-kenji amano-kenji changed the title firejail --appimage fails to get access to ALSA devices and input devices. firejail --appimage doesn't have supplementary groups required for device access. Mar 28, 2023
@amano-kenji
Contributor Author

This is a duplicate of #4951

@kmk3 kmk3 changed the title firejail --appimage doesn't have supplementary groups required for device access. firejail --appimage doesn't have supplementary groups required for device access Mar 30, 2023
@kmk3 kmk3 added the duplicate This issue or pull request already exists label Mar 30, 2023
@kmk3 kmk3 closed this as not planned Mar 30, 2023