Closed Fred-Barclay closed 8 years ago
Hi!
Try this: firejail google-chrome -no-sandbox
It'll disable chrome's sandbox and you should be able to launch it.
Thanks nick75e! Unfortunately that didn't seem to work:
fred@aussie! ~ $ firejail google-chrome -no-sandbox
Reading profile /etc/firejail/google-chrome.profile
Reading profile /etc/firejail/chromium.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc
Parent pid 3933, child pid 3934
Child process initialized
[1:1:1130/081322:ERROR:browser_main_loop.cc(195)] Running without the SUID sandbox! See https://code.google.com/p/chromium/wiki/LinuxSUIDSandboxDevelopment for more information on developing with the sandbox on.
[1:1:1130/081323:ERROR:simple_message_box_views.cc(228)] Unable to show a dialog outside the UI thread message loop: Failed To Create Data Directory - Google Chrome cannot read and write to its data directory:
/home/fred/.config/google-chrome
parent is shutting down, bye...
On the other hand, if I use
fred@aussie! ~ $ google-chrome -no-sandbox
[3951:3951:1130/081329:ERROR:browser_main_loop.cc(195)] Running without the SUID sandbox! See https://code.google.com/p/chromium/wiki/LinuxSUIDSandboxDevelopment for more information on developing with the sandbox on.
[3951:3974:1130/081343:ERROR:channel.cc(307)] RawChannel read error (connection broken)
[1130/081344:ERROR:nacl_helper_linux.cc(314)] NaCl helper process running without a sandbox!
Most likely you need to configure your SUID sandbox correctly
the chrome window does appear.
$ firejail google-chrome -no-sandbox
[1:1:1130/081323:ERROR:simple_message_box_views.cc(228)] Unable to show a dialog outside the UI thread message loop: Failed To Create Data Directory - Google Chrome cannot read and write to its data directory:
/home/fred/.config/google-chrome
So then try
$ firejail --whitelist=~/.config/google-chrome google-chrome -no-sandbox
Actually, try
$ firejail --whitelist=/opt/google/chrome/chrome-sandbox --whitelist=~/.config/google-chrome google-chrome
but it looks like /opt may be just mounted with the NOSUID flag on, in which case all you can do is wait for it to be fixed. And I hope I am correct with my statements.
Both options:
fred@aussie! ~ $ firejail --whitelist=~/.config/google-chrome google-chrome -no-sandbox
Reading profile /etc/firejail/google-chrome.profile
Reading profile /etc/firejail/chromium.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc
Parent pid 10444, child pid 10445
Child process initialized
[1:1:1130/115256:ERROR:browser_main_loop.cc(195)] Running without the SUID sandbox! See https://code.google.com/p/chromium/wiki/LinuxSUIDSandboxDevelopment for more information on developing with the sandbox on.
[1:1:1130/115256:ERROR:process_singleton_posix.cc(419)] readlink failed: Permission denied
[1:1:1130/115256:ERROR:process_singleton_posix.cc(255)] readlink(/home/fred/.config/google-chrome/SingletonLock) failed: Permission denied
[1:1:1130/115256:ERROR:process_singleton_posix.cc(255)] readlink(/home/fred/.config/google-chrome/SingletonLock) failed: Permission denied
[1:1:1130/115256:ERROR:process_singleton_posix.cc(279)] Failed to create /home/fred/.config/google-chrome/SingletonLock: Permission denied
[1:1:1130/115256:ERROR:process_singleton_posix.cc(419)] readlink failed: Permission denied
[1:1:1130/115256:ERROR:process_singleton_posix.cc(255)] readlink(/home/fred/.config/google-chrome/SingletonLock) failed: Permission denied
[1:1:1130/115256:ERROR:chrome_browser_main.cc(1291)] Failed to create a ProcessSingleton for your profile directory. This means that running multiple instances would start multiple browser processes rather than opening a new window in the existing process. Aborting now to avoid profile corruption.
[1130/115256:ERROR:nacl_helper_linux.cc(314)] NaCl helper process running without a sandbox!
Most likely you need to configure your SUID sandbox correctly
parent is shutting down, bye...

fred@aussie! ~ $ firejail --whitelist=/opt/google/chrome/chrome-sandbox --whitelist=~/.config/google-chrome google-chrome
Reading profile /etc/firejail/google-chrome.profile
Reading profile /etc/firejail/chromium.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc
Parent pid 10510, child pid 10511
Error: file /opt/google/chrome/chrome-sandbox is not in user home directory, exiting...
Error: cannot establish communication with the parent, exiting..
No success in either case.
I've found the problem. Use this profile file:
# Chromium browser profile
noblacklist ${HOME}/.config/chromium
noblacklist ${HOME}/.config/google-chrome
include /etc/firejail/disable-mgmt.inc
include /etc/firejail/disable-secret.inc
include /etc/firejail/disable-common.inc
# chromium is distributed with a perl script on Arch
# include /etc/firejail/disable-devel.inc
#
netfilter
whitelist ~/Downloads
whitelist ~/.config/chromium
whitelist ~/.config/google-chrome
# common
whitelist ~/.fonts
whitelist ~/.fonts.d
whitelist ~/.fontconfig
whitelist ~/.fonts.conf
whitelist ~/.fonts.conf.d
Cut & paste into /etc/firejail/chromium.profile. After that you can start chrome as usual:
$ firejail google-chrome
or
$ firejail google-chrome --no-sandbox
I'll have it fixed in the next release, thanks for the bug!
If you run into problems with chrome SUID binary, I would say you need to reinstall chrome.
After commenting out the previous code and adding this, Chrome and Firejail are now playing nicely. :) Thanks!
Wow! It was an ugly bug, it disabled google-chrome configuration!
Update:
Using the new config, then "google-chrome-stable" fails to launch:
fred@aussie! ~ $ firejail google-chrome-stable
Reading profile /etc/firejail/generic.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc
** Note: you can use --noprofile to disable generic.profile **
Parent pid 19845, child pid 19846
Child process initialized
[1:1:1130/174040:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/google/chrome/chrome-sandbox is owned by root and has mode 4755.
parent is shutting down, bye...
However, firejail google-chrome
does fine.
This could be problematic for people who have multiple installs of chrome, i.e. Stable && Beta or Stable && Dev.
Sorry to be the bearer of bad news again!
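As an added illustration (not code from this thread or from the firejail project), here is a small POSIX shell diagnostic for the two conditions the thread keeps circling: whether the chrome-sandbox helper is owned by root with mode 4755, as the FATAL message demands, and whether the filesystem holding it is mounted nosuid, which makes the SUID bit inert even when ownership and mode look correct. The function names, the mount-table parsing and the sample mount table are my own; mount_opts_for takes the mount table as a string so it can be fed either the real /proc/mounts or a constructed sample.

```shell
#!/bin/sh
# Added example: sanity-check the preconditions for Chrome's SUID sandbox helper.
# Assumes GNU stat (for -c) and a Linux-style mount table (/proc/mounts layout:
# device mountpoint fstype options dump pass).

# suid_helper_ok PATH
# Returns 0 when PATH exists, is owned by uid 0 and has mode 4755; otherwise
# prints the first failing condition and returns 1.
suid_helper_ok() {
  path=$1
  [ -f "$path" ] || { echo "missing: $path"; return 1; }
  owner=$(stat -c '%u' "$path")
  mode=$(stat -c '%a' "$path")
  [ "$owner" = "0" ] || { echo "$path is not owned by root (uid $owner)"; return 1; }
  [ "$mode" = "4755" ] || { echo "$path has mode $mode, expected 4755"; return 1; }
  return 0
}

# mount_opts_for MOUNT_TABLE PATH
# Prints the mount options of the most specific mount point (longest prefix)
# that contains PATH. MOUNT_TABLE is the text of /proc/mounts or a sample.
mount_opts_for() {
  mounts=$1
  path=$2
  printf '%s\n' "$mounts" | awk -v p="$path" '
    {
      mp = $2
      # mp is a prefix of p, and the match ends on a path boundary
      if (index(p, mp) == 1 &&
          (mp == "/" || length(p) == length(mp) || substr(p, length(mp) + 1, 1) == "/") &&
          length(mp) > best) {
        best = length(mp); opts = $4
      }
    }
    END { print opts }'
}

# mount_is_nosuid MOUNT_TABLE PATH
# Returns 0 when the mount holding PATH carries the nosuid option.
mount_is_nosuid() {
  opts=$(mount_opts_for "$1" "$2")
  case ",$opts," in
    *,nosuid,*) return 0 ;;
  esac
  return 1
}

# Usage on a live system (only runs when invoked with --check):
#   sh check-sandbox.sh --check /opt/google/chrome/chrome-sandbox
if [ "${1:-}" = "--check" ]; then
  helper=${2:-/opt/google/chrome/chrome-sandbox}
  suid_helper_ok "$helper" && echo "ownership/mode OK"
  if mount_is_nosuid "$(cat /proc/mounts)" "$helper"; then
    echo "WARNING: filesystem holding $helper is mounted nosuid; the SUID bit will be ignored"
  fi
fi
```

When both checks pass and Chrome still aborts with the 4755 message inside the jail, the sandbox itself (rather than the file on disk) is the thing to look at, which is what the --noprofile result in this thread points to.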
What distribution are you running?
LMDE Betsy. I've noticed the same effect in Debian Sid and Devuan Jessie Alpha, though
Just as a summary:
firejail google-chrome
works
However,
firejail google-chrome-stable
or
firejail
google-chrome
or
firejail
google-chrome-stable
do not work.
mkdir ~/.config/firejail
touch ~/.config/firejail/google-chrome-stable.profile
cp /etc/firejail/google-chrome.profile ~/.config/firejail/google-chrome-stable.profile
This works for
firejail google-chrome
&&
firejail google-chrome-stable
(Thanks xenopeek! )
Looking at /etc/firejail/google-chrome.profile, it appears I could have copied the chromium profile to ~/.config/firejail/google-chrome-stable.profile as well.
I'll add a profile for google-chrome-stable.
Does google-chrome-stable have its own ~/.config directory?
You can do
$ firejail
$ google-chrome
but you need to specify the --profile, else it will load the generic profile.
Okay, let's see.
Chrome Stable has its own config directory, ~/.config/google-chrome. Chrome Beta's is ~/.config/google-chrome-beta and Unstable is at ~/.config/google-chrome-unstable.
@netblue30 I have it on good authority that the default /etc/firejail/chromium.profile worked for chromium before any of these changes were made (before adding noblacklist ${HOME}/.config/google-chrome and whitelist ~/.config/google-chrome).
With this in mind, might I suggest that /etc/firejail/google-chrome.profile actually contain the changes rather than simply being a reference to /etc/firejail/chromium.profile? That way the chromium.profile won't contain whitelists that are only needed for google chrome?
I'd be happy to write the google-chrome.profile if you like.
With this in mind, might I suggest that /etc/firejail/google-chrome.profile actually contain the changes rather than simply being a reference to /etc/firejail/chromium.profile? That way the chromium.profile won't contain whitelists that are only needed for google chrome?
I would say that is a good idea. Won't hurt at least. Though, how many people use chromium and google-chrome at the same time? I'll add alias profiles for beta and unstable and dev and let netblue decide which ones he wants. No, fuck it. I'll do it properly.
Done.
All merged, thanks!
Sounds good. Thanks!
I installed Chromium as well as Chrome Stable, Unstable, and Beta (hey, somebody'll probably do it!) and I notice a few problems launching chromium from firejail. If it persists after further testing I'll create a new report if that's okay.
Yes, put all the data here, thanks!
G'day guys! Google Chrome will not launch in firejail. If
firejail
google-chrome
is used, it returns
[19:19:1130/061242:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/google/chrome/chrome-sandbox is owned by root and has mode 4755.
Aborted
This occurs even though /opt/google/chrome/chrome-sandbox is owned by root and has mode 4755.
If
firejail google-chrome
, then
fred@aussie! ~ $ firejail google-chrome
Reading profile /etc/firejail/google-chrome.profile
Reading profile /etc/firejail/chromium.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc
Parent pid 9309, child pid 9310
Child process initialized
...but a chrome window is not created/does not appear.
If
firejail --no-profile google-chrome
then it launches as normal. This is for firejail version 0.9.34 and Chrome Stable 46.0.2490.86. I'm running LMDE Betsy, but I've noticed the same behavior on Debian Sid and Devuan Jessie Alpha. Additional info is here.