netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

Update to 0.9.46-2~0ubuntu16.04.0 has broken all browsers... #1298

Closed vtpoet closed 7 years ago

vtpoet commented 7 years ago

Google-Chrome

Parent pid 25797, child pid 25798
Child process initialized in 50.71 ms
[0522/074508.654096:ERROR:nss_util.cc(94)] Failed to create /home/vtpoet/.pki/nssdb directory.
[0522/074508.745443:ERROR:nss_util.cc(94)] Failed to create /home/vtpoet/.pki/nssdb directory.
[1:1:0522/074508.817625:ERROR:nacl_fork_delegate_linux.cc(316)] Bad NaCl helper startup ack (0 bytes)

Parent is shutting down, bye...

Opera

Parent pid 25848, child pid 25849
Child process initialized in 55.61 ms
[0522/074541.767284:ERROR:nss_util.cc(94)] Failed to create /home/vtpoet/.pki/nssdb directory.
[0522/074541.932424:ERROR:nss_util.cc(94)] Failed to create /home/vtpoet/.pki/nssdb directory.
[0522/074542.026488:FATAL:zygote_host_impl_linux.cc(196)] Check failed: ReceiveFixedMessage(fds[0], kZygoteHelloMessage, sizeof(kZygoteHelloMessage), &real_pid). 
#0 0x000001c844e7 <unknown>
#1 0x000001c9a12b <unknown>
#2 0x000000af249c <unknown>
#3 0x000000af171e <unknown>
#4 0x000000af1cce <unknown>
#5 0x0000007c7986 <unknown>
#6 0x0000007cefae <unknown>
#7 0x00000197d44e <unknown>
#8 0x000001c7dbfc <unknown>
#9 0x000001c7e42c <unknown>
#10 0x000001c7cfb0 <unknown>
#11 0x000000459a91 OperaMain
#12 0x7f768d5e3830 __libc_start_main
#13 0x000000458c91 <unknown>

Vivaldi

Parent pid 25945, child pid 25946
Child process initialized in 38.12 ms
[0522/074701.193823:ERROR:nss_util.cc(94)] Failed to create /home/vtpoet/.pki/nssdb directory.
[0522/074701.287522:ERROR:nss_util.cc(94)] Failed to create /home/vtpoet/.pki/nssdb directory.

Parent is shutting down, bye...

Etc...

I've tried downgrading but the only version available is provided by Ubuntu's repositories and doesn't work with symlinked home directories. Can a downgradable version be made available at the PPA?

nyancat18 commented 7 years ago

I've issues like it

in my experience

seamonkey = FAIL (without bad logs, but I get a bad screenshot) https://u.teknik.io/Vbcf0.png

chrome = works here (beta channel), but apng doesn't work :P

vivaldi = works

qupzilla = FAIL

firejail --profile=qupzilla.profile qupzilla
Reading profile qupzilla.profile
Error: cannot access profile file

iridium = works

firefox = works

palemoon = works

reinerh commented 7 years ago

@vtpoet Can you please also post the lines from before? Which profiles is it loading? Have you also installed the firejail-profiles package (as recommended)?

nyancat18 commented 7 years ago

@reinerh I use Arch Linux

Fred-Barclay commented 7 years ago

Why is there an Ubuntu package in Arch? 😕 @nyancat18 If I understand https://www.archlinux.org/packages/community/x86_64/firejail/ correctly, you should have firejail-0.9.46-1, not 0.9.46-2~0ubuntu16.04.0. Did you maybe install firejail from the AUR?

vtpoet commented 7 years ago

@reinerh Don't confuse me with nyancat18. :) I'm using Linux Mint 18.x.

In response to your question :)

Chrome

Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-passwdmgr.inc

Opera

Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-passwdmgr.inc

Vivaldi

Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-passwdmgr.inc

Just installed qupzilla, out of curiosity, and it's working.

Fred-Barclay commented 7 years ago

@vtpoet For each of your browsers, firejail is using the default profile instead of the specific profile for each browser. That's at least part of the problem (most likely it is the problem). 😄

Can you post the output of ls /etc/firejail/? How did you install firejail? What do firejail --version and apt-cache policy firejail say?
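
The diagnosis in the comment above can be checked mechanically. The following is an added example, not part of the original thread and not firejail's own code: it classifies firejail's startup output by the first "Reading profile" line and lists programs that have no dedicated profile file. The function names are hypothetical, the sample log is constructed from the Chrome output posted in this thread, and the search directories (`~/.config/firejail`, then `/etc/firejail`) are an assumption about a standard install.

```shell
#!/bin/sh
# Added example: detect a sandbox that fell back to default.profile.

# Constructed sample: startup lines as posted for Chrome in this thread.
sample_log() {
cat <<'EOF'
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Parent pid 25797, child pid 25798
EOF
}

# first_profile: print the path from the first "Reading profile" line on
# stdin. The first one is the top-level profile; later ones are includes.
first_profile() {
    awk '$1 == "Reading" && $2 == "profile" { print $3; exit }'
}

# check_startup: classify startup output read from stdin.
# Prints "fallback <path>", "specific <path>" or "none".
check_startup() {
    top=$(first_profile)
    case "$top" in
        "")                echo "none" ;;
        */default.profile) echo "fallback $top" ;;
        *)                 echo "specific $top" ;;
    esac
}

# missing_profiles "DIR1:DIR2" APP...: print every APP that has no
# APP.profile in any listed directory and would therefore get the default.
missing_profiles() {
    dirs=$1; shift
    for app in "$@"; do
        found=no
        old_ifs=$IFS; IFS=:
        for d in $dirs; do
            if [ -f "$d/$app.profile" ]; then found=yes; fi
        done
        IFS=$old_ifs
        [ "$found" = yes ] || echo "$app"
    done
}

# Demo: the thread's Chrome output, then the local profile directories.
sample_log | check_startup
missing_profiles "$HOME/.config/firejail:/etc/firejail" google-chrome opera vivaldi
```

On a real system, feed `check_startup` the captured startup output of a sandboxed program instead of `sample_log`.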

vtpoet commented 7 years ago

//For each of your browsers, firejail is using the default profile instead of the specific profile for each browser.//

Okay. Was that behavior introduced after the update, out of curiosity?

Anyway, contents of etc/firejail:

default.profile     disable-devel.inc      disable-programs.inc  firejail.config.dpkg-old  nolocal.net     webserver.net
disable-common.inc  disable-passwdmgr.inc  firejail.config       login.users               server.profile  whitelist-common.inc

Installed the firejail PPA because 0.9.38.10-0ubuntu0.16.04.1 doesn't work with symlinks in home folder, then apt install firejail

firejail version 0.9.46

apt-cache policy

firejail:
  Installed: 0.9.46-2~0ubuntu16.04.0
  Candidate: 0.9.46-2~0ubuntu16.04.0
  Version table:
 *** 0.9.46-2~0ubuntu16.04.0 500
        500 http://ppa.launchpad.net/deki/firejail/ubuntu xenial/main amd64 Packages
        100 /var/lib/dpkg/status
     0.9.38.10-0ubuntu0.16.04.1 500
        500 http://mirror.cc.vt.edu/pub2/ubuntu xenial-updates/universe amd64 Packages
     0.9.38-1ubuntu0.1 500
        500 http://security.ubuntu.com/ubuntu xenial-security/universe amd64 Packages
     0.9.38-1 500
        500 http://mirror.cc.vt.edu/pub2/ubuntu xenial/universe amd64 Packages

Fred-Barclay commented 7 years ago

Hmmm... that's @reinerh's PPA so I'll let him explain what to do. But, you should definitely have a lot more in /etc/firejail. We've had profiles for as long as I've been paying attention to firejail (since version 0.9.36, I think), so no, that behavior wasn't introduced in this update. 😄

reinerh commented 7 years ago

@vtpoet As mentioned, please install the firejail-profiles package (which is recommended by firejail, so in the default configuration your package manager should have installed that). Since 0.9.46-1 all the application profiles are contained there.

vtpoet commented 7 years ago

@Fred-Barclay

// so no, that behavior wasn't introduced in this update.//

Yes it was. I reviewed the update. You can see for yourself that the update cleaned out the pertinent files.

The following packages will be upgraded:
  adapta-gtk-theme firejail papirus-icon-theme
3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 6,082 kB of archives.
After this operation, 14.3 kB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://ppa.launchpad.net/tista/adapta/ubuntu xenial/main amd64 adapta-gtk-theme all 3.90.1.44-0ubuntu1~xenial1 [769 kB]
Get:2 http://ppa.launchpad.net/deki/firejail/ubuntu xenial/main amd64 firejail amd64 0.9.46-2~0ubuntu16.04.0 [226 kB]
Get:3 http://ppa.launchpad.net/papirus/papirus/ubuntu xenial/main amd64 papirus-icon-theme all 20170520-967+pkg6~ubuntu16.04.1 [5,087 kB]
Fetched 6,082 kB in 36s (166 kB/s)                                                                                                  
(Reading database ... 843337 files and directories currently installed.)
Preparing to unpack .../adapta-gtk-theme_3.90.1.44-0ubuntu1~xenial1_all.deb ...
Unpacking adapta-gtk-theme (3.90.1.44-0ubuntu1~xenial1) over (3.90.1.35-0ubuntu1~xenial1) ...
Preparing to unpack .../firejail_0.9.46-2~0ubuntu16.04.0_amd64.deb ...
Unpacking firejail (0.9.46-2~0ubuntu16.04.0) over (0.9.44.10-1~0ubuntu16.04.0) ...
Preparing to unpack .../papirus-icon-theme_20170520-967+pkg6~ubuntu16.04.1_all.deb ...
Unpacking papirus-icon-theme (20170520-967+pkg6~ubuntu16.04.1) over (20170519-965+pkg6~ubuntu16.04.1) ...
Processing triggers for man-db (2.7.5-1) ...
Setting up adapta-gtk-theme (3.90.1.44-0ubuntu1~xenial1) ...
Setting up firejail (0.9.46-2~0ubuntu16.04.0) ...
Installing new version of config file /etc/firejail/default.profile ...
Installing new version of config file /etc/firejail/disable-common.inc ...
Installing new version of config file /etc/firejail/disable-devel.inc ...
Installing new version of config file /etc/firejail/disable-passwdmgr.inc ...
Installing new version of config file /etc/firejail/disable-programs.inc ...
Installing new version of config file /etc/firejail/firejail.config ...
Installing new version of config file /etc/firejail/login.users ...
Installing new version of config file /etc/firejail/server.profile ...
Installing new version of config file /etc/firejail/whitelist-common.inc ...
Removing obsolete conffile /etc/firejail/0ad.profile ...
Removing obsolete conffile /etc/firejail/7z.profile ...
Removing obsolete conffile /etc/firejail/Cyberfox.profile ...
Removing obsolete conffile /etc/firejail/Mathematica.profile ...
Removing obsolete conffile /etc/firejail/Telegram.profile ...
Removing obsolete conffile /etc/firejail/abrowser.profile ...
Removing obsolete conffile /etc/firejail/atom-beta.profile ...
Removing obsolete conffile /etc/firejail/atom.profile ...
Removing obsolete conffile /etc/firejail/atril.profile ...
Removing obsolete conffile /etc/firejail/audacious.profile ...
Removing obsolete conffile /etc/firejail/audacity.profile ...
Removing obsolete conffile /etc/firejail/aweather.profile ...
Removing obsolete conffile /etc/firejail/bitlbee.profile ...
Removing obsolete conffile /etc/firejail/brave.profile ...
Removing obsolete conffile /etc/firejail/cherrytree.profile ...
Removing obsolete conffile /etc/firejail/chromium-browser.profile ...
Removing obsolete conffile /etc/firejail/chromium.profile ...
Removing obsolete conffile /etc/firejail/claws-mail.profile ...
Removing obsolete conffile /etc/firejail/clementine.profile ...
Removing obsolete conffile /etc/firejail/cmus.profile ...
Removing obsolete conffile /etc/firejail/conkeror.profile ...
Removing obsolete conffile /etc/firejail/corebird.profile ...
Removing obsolete conffile /etc/firejail/cpio.profile ...
Removing obsolete conffile /etc/firejail/cyberfox.profile ...
Removing obsolete conffile /etc/firejail/deadbeef.profile ...
Removing obsolete conffile /etc/firejail/deluge.profile ...
Removing obsolete conffile /etc/firejail/dillo.profile ...
Removing obsolete conffile /etc/firejail/dnscrypt-proxy.profile ...
Removing obsolete conffile /etc/firejail/dnsmasq.profile ...
Removing obsolete conffile /etc/firejail/dosbox.profile ...
Removing obsolete conffile /etc/firejail/dropbox.profile ...
Removing obsolete conffile /etc/firejail/emacs.profile ...
Removing obsolete conffile /etc/firejail/empathy.profile ...
Removing obsolete conffile /etc/firejail/eog.profile ...
Removing obsolete conffile /etc/firejail/eom.profile ...
Removing obsolete conffile /etc/firejail/epiphany.profile ...
Removing obsolete conffile /etc/firejail/evince.profile ...
Removing obsolete conffile /etc/firejail/evolution.profile ...
Removing obsolete conffile /etc/firejail/fbreader.profile ...
Removing obsolete conffile /etc/firejail/feh.profile ...
Removing obsolete conffile /etc/firejail/file.profile ...
Removing obsolete conffile /etc/firejail/filezilla.profile ...
Removing obsolete conffile /etc/firejail/firefox-esr.profile ...
Removing obsolete conffile /etc/firejail/firefox.profile ...
Removing obsolete conffile /etc/firejail/flashpeak-slimjet.profile ...
Removing obsolete conffile /etc/firejail/flowblade.profile ...
Removing obsolete conffile /etc/firejail/franz.profile ...
Removing obsolete conffile /etc/firejail/gajim.profile ...
Removing obsolete conffile /etc/firejail/gimp.profile ...
Removing obsolete conffile /etc/firejail/git.profile ...
Removing obsolete conffile /etc/firejail/gitter.profile ...
Removing obsolete conffile /etc/firejail/gnome-chess.profile ...
Removing obsolete conffile /etc/firejail/gnome-mplayer.profile ...
Removing obsolete conffile /etc/firejail/google-chrome-beta.profile ...
Removing obsolete conffile /etc/firejail/google-chrome-stable.profile ...
Removing obsolete conffile /etc/firejail/google-chrome-unstable.profile ...
Removing obsolete conffile /etc/firejail/google-chrome.profile ...
Removing obsolete conffile /etc/firejail/google-play-music-desktop-player.profile ...
Removing obsolete conffile /etc/firejail/gpredict.profile ...
Removing obsolete conffile /etc/firejail/gtar.profile ...
Removing obsolete conffile /etc/firejail/gthumb.profile ...
Removing obsolete conffile /etc/firejail/gwenview.profile ...
Removing obsolete conffile /etc/firejail/gzip.profile ...
Removing obsolete conffile /etc/firejail/hedgewars.profile ...
Removing obsolete conffile /etc/firejail/hexchat.profile ...
Removing obsolete conffile /etc/firejail/icecat.profile ...
Removing obsolete conffile /etc/firejail/icedove.profile ...
Removing obsolete conffile /etc/firejail/iceweasel.profile ...
Removing obsolete conffile /etc/firejail/inkscape.profile ...
Removing obsolete conffile /etc/firejail/inox.profile ...
Removing obsolete conffile /etc/firejail/jitsi.profile ...
Removing obsolete conffile /etc/firejail/keepass.profile ...
Removing obsolete conffile /etc/firejail/keepassx.profile ...
Removing obsolete conffile /etc/firejail/kmail.profile ...
Removing obsolete conffile /etc/firejail/konversation.profile ...
Removing obsolete conffile /etc/firejail/less.profile ...
Removing obsolete conffile /etc/firejail/libreoffice.profile ...
Removing obsolete conffile /etc/firejail/localc.profile ...
Removing obsolete conffile /etc/firejail/lodraw.profile ...
Removing obsolete conffile /etc/firejail/loffice.profile ...
Removing obsolete conffile /etc/firejail/lofromtemplate.profile ...
Removing obsolete conffile /etc/firejail/loimpress.profile ...
Removing obsolete conffile /etc/firejail/lomath.profile ...
Removing obsolete conffile /etc/firejail/loweb.profile ...
Removing obsolete conffile /etc/firejail/lowriter.profile ...
Removing obsolete conffile /etc/firejail/luminance-hdr.profile ...
Removing obsolete conffile /etc/firejail/lxterminal.profile ...
Removing obsolete conffile /etc/firejail/mathematica.profile ...
Removing obsolete conffile /etc/firejail/mcabber.profile ...
Removing obsolete conffile /etc/firejail/midori.profile ...
Removing obsolete conffile /etc/firejail/mpv.profile ...
Removing obsolete conffile /etc/firejail/mupdf.profile ...
Removing obsolete conffile /etc/firejail/mupen64plus.profile ...
Removing obsolete conffile /etc/firejail/mutt.profile ...
Removing obsolete conffile /etc/firejail/netsurf.profile ...
Removing obsolete conffile /etc/firejail/okular.profile ...
Removing obsolete conffile /etc/firejail/openbox.profile ...
Removing obsolete conffile /etc/firejail/openshot.profile ...
Removing obsolete conffile /etc/firejail/opera-beta.profile ...
Removing obsolete conffile /etc/firejail/opera.profile ...
Removing obsolete conffile /etc/firejail/palemoon.profile ...
Removing obsolete conffile /etc/firejail/parole.profile ...
Removing obsolete conffile /etc/firejail/pidgin.profile ...
Removing obsolete conffile /etc/firejail/pix.profile ...
Removing obsolete conffile /etc/firejail/polari.profile ...
Removing obsolete conffile /etc/firejail/psi-plus.profile ...
Removing obsolete conffile /etc/firejail/qbittorrent.profile ...
Removing obsolete conffile /etc/firejail/qpdfview.profile ...
Removing obsolete conffile /etc/firejail/qtox.profile ...
Removing obsolete conffile /etc/firejail/quassel.profile ...
Removing obsolete conffile /etc/firejail/quiterss.profile ...
Removing obsolete conffile /etc/firejail/qutebrowser.profile ...
Removing obsolete conffile /etc/firejail/ranger.profile ...
Removing obsolete conffile /etc/firejail/rhythmbox.profile ...
Removing obsolete conffile /etc/firejail/rtorrent.profile ...
Removing obsolete conffile /etc/firejail/seamonkey-bin.profile ...
Removing obsolete conffile /etc/firejail/seamonkey.profile ...
Removing obsolete conffile /etc/firejail/skype.profile ...
Removing obsolete conffile /etc/firejail/skypeforlinux.profile ...
Removing obsolete conffile /etc/firejail/slack.profile ...
Removing obsolete conffile /etc/firejail/snap.profile ...
Removing obsolete conffile /etc/firejail/soffice.profile ...
Removing obsolete conffile /etc/firejail/spotify.profile ...
Removing obsolete conffile /etc/firejail/ssh.profile ...
Removing obsolete conffile /etc/firejail/steam.profile ...
Removing obsolete conffile /etc/firejail/stellarium.profile ...
Removing obsolete conffile /etc/firejail/strings.profile ...
Removing obsolete conffile /etc/firejail/synfigstudio.profile ...
Removing obsolete conffile /etc/firejail/tar.profile ...
Removing obsolete conffile /etc/firejail/telegram.profile ...
Removing obsolete conffile /etc/firejail/thunderbird.profile ...
Removing obsolete conffile /etc/firejail/totem.profile ...
Removing obsolete conffile /etc/firejail/transmission-gtk.profile ...
Removing obsolete conffile /etc/firejail/transmission-qt.profile ...
Removing obsolete conffile /etc/firejail/uget-gtk.profile ...
Removing obsolete conffile /etc/firejail/unbound.profile ...
Removing obsolete conffile /etc/firejail/unrar.profile ...
Removing obsolete conffile /etc/firejail/unzip.profile ...
Removing obsolete conffile /etc/firejail/uudeview.profile ...
Removing obsolete conffile /etc/firejail/vim.profile ...
Removing obsolete conffile /etc/firejail/virtualbox.profile ...
Removing obsolete conffile /etc/firejail/vivaldi-beta.profile ...
Removing obsolete conffile /etc/firejail/vivaldi.profile ...
Removing obsolete conffile /etc/firejail/vlc.profile ...
Removing obsolete conffile /etc/firejail/warzone2100.profile ...
Removing obsolete conffile /etc/firejail/weechat-curses.profile ...
Removing obsolete conffile /etc/firejail/weechat.profile ...
Removing obsolete conffile /etc/firejail/wesnoth.profile ...
Removing obsolete conffile /etc/firejail/wine.profile ...
Removing obsolete conffile /etc/firejail/xchat.profile ...
Removing obsolete conffile /etc/firejail/xpdf.profile ...
Removing obsolete conffile /etc/firejail/xplayer.profile ...
Removing obsolete conffile /etc/firejail/xreader.profile ...
Removing obsolete conffile /etc/firejail/xviewer.profile ...
Removing obsolete conffile /etc/firejail/xz.profile ...
Removing obsolete conffile /etc/firejail/xzdec.profile ...
Removing obsolete conffile /etc/firejail/zathura.profile ...
Setting up papirus-icon-theme (20170520-967+pkg6~ubuntu16.04.1) ...

@reinerh

Thank you. Installing firejail-profiles fixed the problem.

Fred-Barclay commented 7 years ago

@vtpoet Perhaps I should rephrase it. 😄 The actual firejail update (as in, the source code) didn't change this behavior.

The maintainer of the PPA (@reinerh) may have changed how the .deb files in the PPA are built. That very well could have removed all the profiles from /etc/firejail. Not being familiar with how @reinerh maintains his PPA, my guess is that he moved most profiles into the firejail-profile package. That's a downstream change, not any change in firejail itself.

Cheers! Fred