Closed carloabelli closed 6 years ago
Can you try disabling options in evince profile until you find which one causes breakage?
Seems that the memory-deny-write-execute option is causing the breakage.
Fixed with https://github.com/netblue30/firejail/commit/7272c524f700ca0b6b4e0552d2d10b73f29b3d11 . Thx for reporting!
I'm going to reopen this. mdwe seems to be causing many graphical programs to hang. @Fred-Barclay has mention that dda8b2dbaf85383c787b2e70982346779471a269 is causing crashes, but I've checked out to 45e044c275aab65c3f9c97a479733ab1db8f4ed2 and am still seeing this hanging issue. I also tested with and without Wayland, that doesn't change anything. I can reproduce on both Arch and Fedora.
Aside from evince (now fixed), many programs are affected, such as the following: eog, gnome-calculator, file-roller, baobab, and any other graphical ones with mdwe.
There also seems to be a second issue on Fedora with private-lib causing gedit to hang (related to spell check plugin).
I'd rather not disable mdwe, as it is a powerful feature, but I'm also not sure which package updates or commit is causing this.
Honestly I would favor disabling mdwe for most graphical apps. It's not feasible on a Linux desktop unless someone is building their own packages in Gentoo.
I wonder if firejail could print relevant violation to journal so it would be more obvious what's causing crash.
@SkewedZeppelin Just to satisfy my curiosity :laughing: can you do firejail --ignore=private-dev eog and see if it works or not?
It breaks with private-dev, but works fine without, for me on Fedora 27 Cinnamon (so no Wayland here), even though mdwe is enabled in the profile.
@Vincent43 I would really rather not disable mdwe.
@Fred-Barclay on Arch with GNOME Wayland:
$ /usr/bin/gnome-calculator #works
$ firejail /usr/bin/gnome-calculator #hangs
$ firejail --ignore=private-dev /usr/bin/gnome-calculator #hangs
$ firejail --ignore=memory-deny-write-execute /usr/bin/gnome-calculator #works
$ /usr/bin/eog #works
$ firejail /usr/bin/eog #exits
$ firejail --ignore=private-dev /usr/bin/eog #exits
$ firejail --ignore=memory-deny-write-execute /usr/bin/eog #works
On Fedora 27 with GNOME Wayland, I am no longer able to reproduce either issue.
Okay, private-dev issue is fixed in b21763636adc4edd63b7991908fffcdb84a048c6 :tada:
As I recall Wayland and mdwe don't get along well. Maybe we should add a condition in the code to only use mdwe on X11?
@Fred-Barclay It happens under Xorg as well. I don't recall it ever being an issue; no3d and Wayland sometimes are (see gnome-2048).
I don't think there's any point in leaving this bug open. We'll address mdwe issues as they come up.
mumble, galculator, pavucontrol also affected, see #2840
If the problem is specific to Arch (and mdwe works fine on other distros), it would be preferable to figure out how to make it work on Arch rather than disable it everywhere because it doesn't.
Since @glitsj16 has streamlined the comments (#2769, thanks), it's easy to re-enable mdwe if you are not on Arch.
#!/usr/bin/env bash
# Copyright © rusty-snake
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# 1. Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# Allow the caller to override the profile locations via the environment.
[ -v SYSTEM_PROFILE_LOCATION ] || SYSTEM_PROFILE_LOCATION="/etc/firejail"
[ -v USER_PROFILE_LOCATION ] || USER_PROFILE_LOCATION="$HOME/.config/firejail"

mkdir -p "$USER_PROFILE_LOCATION"

# For every system profile that carries the "breaks on Arch" comment, re-enable
# memory-deny-write-execute through the per-user <name>.local override file.
for file in "$SYSTEM_PROFILE_LOCATION"/*.profile; do
    if grep -q "#memory-deny-write-execute - breaks on Arch" "$file"; then
        profile_name="$(basename "${file%.profile}")"
        echo "memory-deny-write-execute" >> "$USER_PROFILE_LOCATION/$profile_name.local"
        echo "Fixed: $profile_name"
    fi
done
BTW: A better solution is to implement ?ARCH: (or similar).
?ARCH: ignore mdwe
mdwe
@rusty-snake Great job. Would indeed be handy to have ?ARCH:, ?DEBIAN: and ?FEDORA: (to name just 3) so we can deliver the best profile for users, instead of having to cripple something because it doesn't work on one/some.
/etc/os-release should be present on most systems (https://www.freedesktop.org/software/systemd/man/os-release.html). Something like ?OS(NAME=Fedora): or ?OS(NAME="Debian GNU/Linux",VERSION="9 (stretch)"): should be possible, but that's a new issue.
We still don't know the cause of those failures; it's possible that newer libs that Arch ships are the culprit, and that means it's just a matter of time before it happens on older distros. I would leave mdwe disabled.
Linux Distribution: Arch Linux
Launching evince hangs. This does not happen with --noprofile. This is also a recent issue and used to work in a previous version of firejail.