netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

memory-deny-write-execute causing hangs and crashes on Arch and derivatives #1803

Closed carloabelli closed 6 years ago

carloabelli commented 6 years ago
$ firejail --version
firejail version 0.9.52

Compile time support:
        - AppArmor support is disabled
        - AppImage support is enabled
        - bind support is enabled
        - chroot support is enabled
        - file and directory whitelisting support is enabled
        - file transfer support is enabled
        - git install support is disabled
        - networking support is enabled
        - overlayfs support is enabled
        - private-home support is enabled
        - seccomp-bpf support is enabled
        - user namespace support is enabled
        - X11 sandboxing support is enabled

Linux Distribution: Arch Linux

Launching evince hangs:

$ firejail evince
Reading profile /etc/firejail/evince.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 10320, child pid 10322
Private /etc installed in 3.99 ms
Standard C library installed in 28.80 ms
Program libraries installed in 270.54 ms
GdkPixbuf installed in 9.10 ms
GTK3 installed in 21.09 ms
Pango installed in 0.00 ms
GIO installed in 6.41 ms
Installed 164 libraries and 5 directories
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Blacklist violations are logged to syslog
Child process initialized in 371.60 ms
(process never gets beyond this point)

This does not happen with --noprofile:

Parent pid 10766, child pid 10768
Child process initialized in 21.98 ms
Warning: an existing sandbox was detected. /usr/bin/evince will run without any additional sandboxing features
(evince loads fine)

This is also a recent issue and used to work in a previous version of firejail.

Vincent43 commented 6 years ago

Can you try disabling options in evince profile until you find which one causes breakage?

carloabelli commented 6 years ago

Seems that the memory-deny-write-execute option is causing the breakage.

Vincent43 commented 6 years ago

Fixed with https://github.com/netblue30/firejail/commit/7272c524f700ca0b6b4e0552d2d10b73f29b3d11 . Thx for reporting!

SkewedZeppelin commented 6 years ago

I'm going to reopen this. mdwe seems to be causing many graphical programs to hang. @Fred-Barclay has mentioned that dda8b2dbaf85383c787b2e70982346779471a269 is causing crashes, but I've checked out 45e044c275aab65c3f9c97a479733ab1db8f4ed2 and am still seeing this hanging issue. I also tested with and without Wayland; that doesn't change anything. I can reproduce on both Arch and Fedora.

Aside from evince (now fixed), many programs are affected, including the following: eog, gnome-calculator, file-roller, baobab, and any other graphical ones with mdwe.

There also seems to be a second issue on Fedora with private-lib causing gedit to hang (related to spell check plugin).

I'd rather not disable mdwe, as it is a powerful feature, but I'm also not sure which package updates or commit is causing this.

#1804 is also a dupe of this, and they confirm https://github.com/netblue30/firejail/issues/1804#issuecomment-372038784 that it is happening on other programs as well. Assuming that they are also actually running 0.9.52 and not 0.9.53, then this is probably caused by a recent package update. Hopefully it is something that can be worked around in firejail.

Vincent43 commented 6 years ago

Honestly I would favor disabling mdwe for most graphical apps. It's not feasible on a Linux desktop unless someone is building their own packages in Gentoo.

I wonder if firejail could print relevant violation to journal so it would be more obvious what's causing crash.
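
A quick way to see what mdwe is refusing in a given sandbox, as an added example (this is not code from the thread or from firejail): a small probe that attempts the write+execute memory operations a W^X policy would have to cover and reports which ones fail and with what errno. It assumes that memory-deny-write-execute is a seccomp filter covering mmap with PROT_WRITE|PROT_EXEC, mprotect that adds PROT_EXEC, and memfd_create, and that firejail's filters reject a matched call with EPERM; that is my reading of the feature, the thread itself does not spell it out. Names such as wxprobe and wx_denied_mask are mine.

```c
/* wxprobe.c: report which write+execute memory operations this process
 * may perform. Added example for this thread; not firejail code.
 * Build:  gcc -Wall -o wxprobe wxprobe.c
 * Run:    ./wxprobe
 *         firejail --noprofile --memory-deny-write-execute ./wxprobe
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

/* mmap one anonymous page with the given protection; 0 on success, else errno. */
static int try_map(int prot) {
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    munmap(p, len);
    return 0;
}

/* Plain RW mapping: every program needs this; no W^X policy blocks it. */
int probe_mmap_rw(void) { return try_map(PROT_READ | PROT_WRITE); }

/* Direct RWX mapping: the simplest W+X request. */
int probe_mmap_rwx(void) { return try_map(PROT_READ | PROT_WRITE | PROT_EXEC); }

/* Map RW, write into it, then flip to RX with mprotect: the pattern JIT
 * compilers and trampoline-generating libraries use. */
int probe_mprotect_exec(void) {
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    memset(p, 0xc3, len);            /* x86 "ret" bytes as stand-in code */
    int rc = mprotect(p, len, PROT_READ | PROT_EXEC) == 0 ? 0 : errno;
    munmap(p, len);
    return rc;
}

/* memfd_create: a memfd mapped twice, once RW and once RX, gives W+X through
 * two separate mappings, so a W^X policy has to cover this call as well.
 * Uses the raw syscall so the probe builds on older glibc; ENOSYS if absent. */
int probe_memfd(void) {
#ifdef SYS_memfd_create
    long fd = syscall(SYS_memfd_create, "wxprobe", 1UL /* MFD_CLOEXEC */);
    if (fd < 0)
        return errno;
    close((int)fd);
    return 0;
#else
    return ENOSYS;
#endif
}

/* Human-readable verdict. Assumption (not stated in the thread): firejail's
 * seccomp filters reject a matched call with EPERM, so EPERM here, with no
 * other policy such as SELinux execmem in play, points at mdwe. */
const char *describe(int rc) {
    if (rc == 0)
        return "allowed";
    if (rc == EPERM)
        return "denied with EPERM (what a seccomp filter such as mdwe returns)";
    return strerror(rc);
}

/* Bitmask of denied probes: 1 = mmap RWX, 2 = mprotect to exec, 4 = memfd_create. */
int wx_denied_mask(void) {
    int mask = 0;
    if (probe_mmap_rwx() != 0)      mask |= 1;
    if (probe_mprotect_exec() != 0) mask |= 2;
    if (probe_memfd() != 0)         mask |= 4;
    return mask;
}

int main(void) {
    printf("mmap RW         : %s\n", describe(probe_mmap_rw()));
    printf("mmap RWX        : %s\n", describe(probe_mmap_rwx()));
    printf("mprotect RW->RX : %s\n", describe(probe_mprotect_exec()));
    printf("memfd_create    : %s\n", describe(probe_memfd()));
    printf("denied mask     : %d\n", wx_denied_mask());
    return 0;
}
```

Run it once outside firejail and once under a profile that enables mdwe; a program that hangs only when mdwe is on is almost always one of its libraries performing the operation that flips from "allowed" to "denied" between the two runs, which narrows the search without any journal support from firejail.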

Fred-Barclay commented 6 years ago

@SkewedZeppelin Just to satisfy my curiosity :laughing: can you do firejail --ignore=private-dev eog and see if it works or not? It breaks with private-dev, but works fine without, for me on Fedora 27 Cinnamon (so no Wayland here), even though mdwe is enabled in the profile.

SkewedZeppelin commented 6 years ago

@Vincent43 I would really rather not disable mdwe.

@Fred-Barclay on Arch with GNOME Wayland:

$ /usr/bin/gnome-calculator #works
$ firejail /usr/bin/gnome-calculator #hangs
$ firejail --ignore=private-dev /usr/bin/gnome-calculator #hangs
$ firejail --ignore=memory-deny-write-execute /usr/bin/gnome-calculator #works
$ /usr/bin/eog #works
$ firejail /usr/bin/eog #exits
$ firejail --ignore=private-dev /usr/bin/eog #exits
$ firejail --ignore=memory-deny-write-execute /usr/bin/eog #works

On Fedora 27 with GNOME Wayland, I am no longer able to reproduce either issue.

Fred-Barclay commented 6 years ago

Okay, private-dev issue is fixed in b21763636adc4edd63b7991908fffcdb84a048c6 :tada:

As I recall Wayland and mdwe don't get along well. Maybe we should add a condition in the code to only use mdwe on X11?

SkewedZeppelin commented 6 years ago

@Fred-Barclay It happens under Xorg as well. I don't recall it ever being an issue; no3d and wayland sometimes are (see gnome-2048).

chiraag-nataraj commented 6 years ago

I don't think there's any point in leaving this bug open. We'll address mdwe issues as they come up.

setpill commented 5 years ago

mumble, galculator, pavucontrol also affected, see #2840

setpill commented 5 years ago

If the problem is specific to Arch (and mdwe works fine on other distros), it would be preferable to figure out how to make it work on Arch rather than disable it everywhere because it doesn't.

rusty-snake commented 5 years ago

Since @glitsj16 has streamlined the comments (#2769, thanks) it's easy to re-enable mdwe if you are not on Arch.

#!/usr/bin/env bash

# Copyright © rusty-snake
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# 1. Redistributions of source code must retain the above copyright notice, this
#    list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright notice,
#    this list of conditions and the following disclaimer in the documentation
#    and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

[ -v SYSTEM_PROFILE_LOCATION ] || SYSTEM_PROFILE_LOCATION="/etc/firejail"
[ -v USER_PROFILE_LOCATION ] || USER_PROFILE_LOCATION="$HOME/.config/firejail"

mkdir -p "$USER_PROFILE_LOCATION"
for file in "$SYSTEM_PROFILE_LOCATION"/*.profile; do
        [ -f "$file" ] || continue   # the glob matched nothing
        # Only profiles where mdwe was commented out with the Arch marker
        if grep -qF "#memory-deny-write-execute - breaks on Arch" "$file"; then
                profile_name="$(basename "${file%.profile}")"
                local_file="$USER_PROFILE_LOCATION/$profile_name.local"
                # Append once; rerunning the script must not duplicate the line
                if ! grep -qxF "memory-deny-write-execute" "$local_file" 2>/dev/null; then
                        echo "memory-deny-write-execute" >> "$local_file"
                        echo "Fixed: $profile_name"
                fi
        fi
done

BTW: A better solution is to implement ?ARCH: (or similar).

?ARCH: ignore mdwe
mdwe

glitsj16 commented 5 years ago

@rusty-snake Great job. Would indeed be handy to have ?ARCH:, ?DEBIAN: and ?FEDORA: (to name just 3) so we can deliver the best profile for users, instead of having to cripple something because it doesn't work on one/some.

rusty-snake commented 5 years ago

/etc/os-release should be present on most systems. (https://www.freedesktop.org/software/systemd/man/os-release.html) Something like ?OS(NAME=Fedora): or ?OS(NAME="Debian GNU/Linux",VERSION="9 (stretch)"): should be possible, but that's a new issue.

Vincent43 commented 5 years ago

We still don't know the cause of those failures; it's possible that newer libs that Arch ships are the culprit, and that means it's just a matter of time until it happens on older distros. I would leave mdwe disabled.