netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

Google-Chrome-Stable does not launch #176

Closed Fred-Barclay closed 8 years ago

Fred-Barclay commented 8 years ago

G'day guys! Google Chrome will not launch in firejail. If firejail google-chrome is used, it returns

[19:19:1130/061242:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/google/chrome/chrome-sandbox is owned by root and has mode 4755.
Aborted

This occurs even though /opt/google/chrome/chrome-sandbox is owned by root and has mode 4755.

If firejail google-chrome, then

fred@aussie! ~ $ firejail google-chrome
Reading profile /etc/firejail/google-chrome.profile
Reading profile /etc/firejail/chromium.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc
Parent pid 9309, child pid 9310
Child process initialized

...but a chrome window is not created/does not appear.

If firejail --no-profile google-chrome then it launches as normal. This is for firejail version 0.9.34 and Chrome Stable 46.0.2490.86. I'm running LMDE Betsy, but I've noticed the same behavior on Debian Sid and Devuan Jessie Alpha.

Additional info is here.

nick75e commented 8 years ago

Hi! Try this:

$ firejail google-chrome -no-sandbox

It'll disable chrome's sandbox and you should be able to launch it.

Fred-Barclay commented 8 years ago

Thanks nick75e! Unfortunately that didn't seem to work:

fred@aussie! ~ $ firejail google-chrome -no-sandbox
Reading profile /etc/firejail/google-chrome.profile
Reading profile /etc/firejail/chromium.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc
Parent pid 3933, child pid 3934
Child process initialized
[1:1:1130/081322:ERROR:browser_main_loop.cc(195)] Running without the SUID sandbox! See https://code.google.com/p/chromium/wiki/LinuxSUIDSandboxDevelopment for more information on developing with the sandbox on.
[1:1:1130/081323:ERROR:simple_message_box_views.cc(228)] Unable to show a dialog outside the UI thread message loop: Failed To Create Data Directory - Google Chrome cannot read and write to its data directory:
/home/fred/.config/google-chrome
parent is shutting down, bye...

On the other hand, if I use

fred@aussie! ~ $ google-chrome -no-sandbox
[3951:3951:1130/081329:ERROR:browser_main_loop.cc(195)] Running without the SUID sandbox! See https://code.google.com/p/chromium/wiki/LinuxSUIDSandboxDevelopment for more information on developing with the sandbox on.
[3951:3974:1130/081343:ERROR:channel.cc(307)] RawChannel read error (connection broken)
[1130/081344:ERROR:nacl_helper_linux.cc(314)] NaCl helper process running without a sandbox! Most likely you need to configure your SUID sandbox correctly

the chrome window does appear.

ghost commented 8 years ago

$ firejail google-chrome -no-sandbox
[1:1:1130/081323:ERROR:simple_message_box_views.cc(228)] Unable to show a dialog outside the UI thread message loop: Failed To Create Data Directory - Google Chrome cannot read and write to its data directory:

/home/fred/.config/google-chrome

So then try

$ firejail --whitelist=~/.config/google-chrome google-chrome -no-sandbox

Actually, try

$ firejail --whitelist=/opt/google/chrome/chrome-sandbox --whitelist=~/.config/google-chrome google-chrome

but it looks like /opt may be just mounted with the NOSUID flag on, in which case all you can do is wait for it to be fixed. And I hope I am correct with my statements.
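The three conditions this thread circles around for the setuid helper (owned by root, mode 4755, and not on a nosuid mount), as an added diagnostic that is not part of the original thread or of firejail. The function names are made up for illustration, and GNU `stat -c` is assumed.

```shell
#!/bin/sh
# Added diagnostic (not firejail or Chrome code): checks a setuid helper such
# as chrome-sandbox for root ownership, mode 4755, and a nosuid mount.

# Print the mount options of the longest mount point containing PATH.
# MOUNTS_FILE defaults to /proc/self/mounts (paths with spaces not handled).
mount_opts_for() {
    path=$1; table=${2:-/proc/self/mounts}; best=""; opts=""
    while read -r _dev mnt _type o _rest; do
        case "$path/" in
            "${mnt%/}/"*)
                # -ge so a later mount stacked on the same point wins
                if [ "${#mnt}" -ge "${#best}" ]; then best=$mnt; opts=$o; fi ;;
        esac
    done < "$table"
    printf '%s\n' "$opts"
}

# Succeed if the mount containing PATH carries the nosuid option.
has_nosuid() {
    case ",$(mount_opts_for "$1" "${2:-/proc/self/mounts}")," in
        *,nosuid,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one finding per line; return 0 only if the helper is usable.
helper_status() {
    helper=$1; mounts=${2:-/proc/self/mounts}; rc=0
    [ -e "$helper" ] || { echo "missing: $helper"; return 2; }
    owner=$(stat -c '%u' "$helper"); mode=$(stat -c '%a' "$helper")
    [ "$owner" = 0 ] || { echo "owner uid $owner, expected 0 (root)"; rc=1; }
    [ "$mode" = 4755 ] || { echo "mode $mode, expected 4755"; rc=1; }
    if has_nosuid "$helper" "$mounts"; then
        echo "filesystem is mounted nosuid, setuid bit has no effect"; rc=1
    fi
    [ "$rc" = 0 ] && echo "ok: $helper"
    return "$rc"
}

# Usage: sh check-helper.sh /opt/google/chrome/chrome-sandbox
if [ "$#" -gt 0 ]; then helper_status "$@"; fi
```

Running it once on the host and once from a shell started inside the sandbox shows whether the helper's attributes or mount options differ between the two views.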

Fred-Barclay commented 8 years ago

Both options:

fred@aussie! ~ $ firejail --whitelist=~/.config/google-chrome google-chrome -no-sandbox
Reading profile /etc/firejail/google-chrome.profile
Reading profile /etc/firejail/chromium.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc
Parent pid 10444, child pid 10445
Child process initialized
[1:1:1130/115256:ERROR:browser_main_loop.cc(195)] Running without the SUID sandbox! See https://code.google.com/p/chromium/wiki/LinuxSUIDSandboxDevelopment for more information on developing with the sandbox on.
[1:1:1130/115256:ERROR:process_singleton_posix.cc(419)] readlink failed: Permission denied
[1:1:1130/115256:ERROR:process_singleton_posix.cc(255)] readlink(/home/fred/.config/google-chrome/SingletonLock) failed: Permission denied
[1:1:1130/115256:ERROR:process_singleton_posix.cc(255)] readlink(/home/fred/.config/google-chrome/SingletonLock) failed: Permission denied
[1:1:1130/115256:ERROR:process_singleton_posix.cc(279)] Failed to create /home/fred/.config/google-chrome/SingletonLock: Permission denied
[1:1:1130/115256:ERROR:process_singleton_posix.cc(419)] readlink failed: Permission denied
[1:1:1130/115256:ERROR:process_singleton_posix.cc(255)] readlink(/home/fred/.config/google-chrome/SingletonLock) failed: Permission denied
[1:1:1130/115256:ERROR:chrome_browser_main.cc(1291)] Failed to create a ProcessSingleton for your profile directory. This means that running multiple instances would start multiple browser processes rather than opening a new window in the existing process. Aborting now to avoid profile corruption.
[1130/115256:ERROR:nacl_helper_linux.cc(314)] NaCl helper process running without a sandbox! Most likely you need to configure your SUID sandbox correctly
parent is shutting down, bye...

fred@aussie! ~ $ firejail --whitelist=/opt/google/chrome/chrome-sandbox --whitelist=~/.config/google-chrome google-chrome
Reading profile /etc/firejail/google-chrome.profile
Reading profile /etc/firejail/chromium.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc
Parent pid 10510, child pid 10511
Error: file /opt/google/chrome/chrome-sandbox is not in user home directory, exiting...
Error: cannot establish communication with the parent, exiting..

No success in either case.

netblue30 commented 8 years ago

I've found the problem. Use this profile file:

# Chromium browser profile
noblacklist ${HOME}/.config/chromium
noblacklist ${HOME}/.config/google-chrome
include /etc/firejail/disable-mgmt.inc
include /etc/firejail/disable-secret.inc
include /etc/firejail/disable-common.inc

# chromium is distributed with a perl script on Arch
# include /etc/firejail/disable-devel.inc
#

netfilter
whitelist ~/Downloads
whitelist ~/.config/chromium
whitelist ~/.config/google-chrome

# common
whitelist ~/.fonts
whitelist ~/.fonts.d
whitelist ~/.fontconfig
whitelist ~/.fonts.conf
whitelist ~/.fonts.conf.d

Cut & paste into /etc/firejail/chromium.profile. After that you can start chrome as usual:

$ firejail google-chrome
or
$ firejail google-chrome --no-sandbox

I'll have it fixed in the next release, thanks for the bug!

If you run into problems with chrome SUID binary, I would say you need to reinstall chrome.

Fred-Barclay commented 8 years ago

After commenting out the previous code and adding this, Chrome and Firejail are now playing nicely. :) Thanks!

netblue30 commented 8 years ago

Wow! It was an ugly bug, it disabled google-chrome configuration!

Fred-Barclay commented 8 years ago

Update: Using the new config, then "google-chrome-stable" fails to launch:

fred@aussie! ~ $ firejail google-chrome-stable
Reading profile /etc/firejail/generic.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc

** Note: you can use --noprofile to disable generic.profile **

Parent pid 19845, child pid 19846
Child process initialized
[1:1:1130/174040:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/google/chrome/chrome-sandbox is owned by root and has mode 4755.

parent is shutting down, bye...

However, firejail google-chrome does fine. This could be problematic for people who have multiple installs of chrome, i.e. Stable && Beta or Stable && Dev.

Sorry to be the bearer of bad news again!

netblue30 commented 8 years ago

What distribution are you running?

Fred-Barclay commented 8 years ago

LMDE Betsy. I've noticed the same effect in Debian Sid and Devuan Jessie Alpha, though.

Fred-Barclay commented 8 years ago

Just as a summary: firejail google-chrome works

However, firejail google-chrome-stable or firejail google-chrome or firejail google-chrome-stable do not work.

Fred-Barclay commented 8 years ago

mkdir ~/.config/firejail
touch ~/.config/firejail/google-chrome-stable.profile
cp /etc/firejail/google-chrome.profile ~/.config/firejail/google-chrome-stable.profile

This works for firejail google-chrome && firejail google-chrome-stable (Thanks xenopeek! )

Looking at /etc/firejail/google-chrome.profile, it appears I could have copied the chromium profile to ~/.config/firejail/google-chrome-stable.profile as well.

ghost commented 8 years ago

I'll add a profile for google-chrome-stable. Does google-chrome-stable have its own ~/.config directory?

You can do

$ firejail
$ google-chrome

but you need to specify the --profile, else it will load the generic profile.

Fred-Barclay commented 8 years ago

Okay, let's see. Chrome Stable has its own config directory, ~/.config/google-chrome. Chrome Beta's is ~/.config/google-chrome-beta and Unstable is at ~/.config/google-chrome-unstable.

Fred-Barclay commented 8 years ago

@netblue30 I have it on good authority that the default /etc/firejail/chromium.profile worked for chromium before any of these changes were made (before adding noblacklist ${HOME}/.config/google-chrome and whitelist ~/.config/google-chrome.)

With this in mind, might I suggest that /etc/firejail/google-chrome.profile actually contain the changes rather than simply being a reference to /etc/firejail/chromium.profile? That way the chromium.profile won't contain whitelists that are only needed for google chrome?

I'd be happy to write the google-chrome.profile if you like.

ghost commented 8 years ago

> With this in mind, might I suggest that /etc/firejail/google-chrome.profile actually contain the changes rather than simply being a reference to /etc/firejail/chromium.profile? That way the chromium.profile won't contain whitelists that are only needed for google chrome?

I would say that is a good idea. Won't hurt at least. Though, how many people use chromium and google-chrome at the same time? I'll add alias profiles for beta and unstable and dev and let netblue decide which ones he wants. No, fuck it. I'll do it properly.

ghost commented 8 years ago

Done.

netblue30 commented 8 years ago

All merged, thanks!

Fred-Barclay commented 8 years ago

Sounds good. Thanks!

I installed Chromium as well as Chrome Stable, Unstable, and Beta (hey, somebody'll probably do it!) and I notice a few problems launching chromium from firejail. If it persists after further testing I'll create a new report if that's okay.

netblue30 commented 8 years ago

Yes, put all the data here, thanks!