Reading profile /home/user/.config/firejail/simplescreenrecorder.profile
Can you post this file please? This looks like a duplicate of #3202, but we'll have a better view on that after seeing your current simplescreenrecorder profile.
The git profile
# Firejail profile for simplescreenrecorder
# Description: A feature-rich screen recorder that supports X11 and OpenGL
# This file is overwritten after every install/update
# Persistent local customizations
include simplescreenrecorder.local
# Persistent global definitions
include globals.local
# Exempt the videos directory from the blacklists pulled in below, so
# recordings can be saved there. It is placed ahead of the disable-*.inc
# includes it is meant to override.
noblacklist ${VIDEOS}
# Shared blacklist sets; their contents live in the named .inc files and are
# not shown on this page.
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
# Whitelisting under /usr/share: only the application's data directory and
# whatever whitelist-usr-share-common.inc lists remain visible there.
whitelist /usr/share/simplescreenrecorder
include whitelist-usr-share-common.inc
# Privilege reduction: AppArmor confinement, no capabilities, no supplementary
# groups, no privilege gain through execve, and a user namespace without root.
# nodvd/notv/nou2f remove access to DVD, TV and U2F devices.
apparmor
caps.drop all
nodvd
nogroups
nonewprivs
noroot
notv
nou2f
# Only UNIX-domain sockets may be created; there is no 'net none' here, so the
# protocol filter is the only network restriction in this profile.
protocol unix
# Default seccomp syscall filter
seccomp
# Start the program directly instead of through a user shell
shell none
# Log blacklist violations
tracelog
# Sandbox-private ~/.cache, /dev and /tmp
private-cache
private-dev
private-tmp
# Block memory mappings that are both writable and executable
memory-deny-write-execute
# Run simplescreenrecorder under firejail's profile builder and write the
# generated whitelist profile to the given file. The result reflects only what
# the program touched during that one run, so review it before relying on it.
firejail --build=~/.config/firejail/simplescreenrecorder.profile simplescreenrecorder
############################################
# simplescreenrecorder profile
############################################
# NOTE(review): in this generated file globals.local, disable-devel.inc and
# disable-programs.inc are left commented out, so those definitions and
# blacklists are not applied unless the lines are re-enabled.
# Persistent global definitions
# include /etc/firejail/globals.local
### basic blacklisting
include /etc/firejail/disable-common.inc
# include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
# include /etc/firejail/disable-programs.inc
### home directory whitelisting
# With whitelist entries under the home directory, only the listed paths (plus
# those from whitelist-common.inc) stay visible there; the rest of the home
# directory is hidden from the sandbox.
whitelist ~/.icons/breeze_cursors
whitelist ~/.icons/breeze_cursors/cursors
whitelist ~/.local/share/icons/breeze_cursors
whitelist ~/.local/share/icons/breeze_cursors/cursors
whitelist ~/.Xdefaults-es-pc
whitelist ~/.cache/mesa_shader_cache
whitelist ~/.drirc
whitelist ~/.ssr
# ~/.pulse-cookie is the PulseAudio authentication cookie, i.e. a credential
# for the user's sound server that the sandboxed program can read.
whitelist ~/.pulse-cookie
whitelist ~/.asoundrc
whitelist ~/.fonts
whitelist ~/.local/share/fonts
whitelist ~/.fonts.conf
whitelist ~/.fonts.conf.d
whitelist ~/.config/fontconfig
whitelist ~/.local/share/flatpak/exports/share/SimpleScreenRecorder/icons/hicolor
whitelist ~/.local/share/SimpleScreenRecorder/icons/hicolor
whitelist ~/.local/share/mime
include /etc/firejail/whitelist-common.inc
### filesystem
# NOTE(review): private-tmp and private-dev below are emitted as comments only,
# so the host's /tmp and /dev stay visible to the sandbox unless they are
# re-enabled. The /tmp/firejail-strace.* file is presumably an artifact of the
# build trace itself - confirm before treating it as an application need.
# private-tmp
# File accessed in /tmp directory:
# /tmp/firejail-strace.aomKwd,
# private-dev
# This is the list of devices accessed (on top of regular private-dev devices:
# /dev/aloadC31,/dev/snd/controlC31,/dev/aloadC30,/dev/snd/controlC30,/dev/aloadC29,/dev/snd/controlC29,/dev/aloadC28,/dev/snd/controlC28,/dev/aloadC27,/dev/snd/controlC27,/dev/aloadC26,/dev/snd/controlC26,/dev/aloadC25,/dev/snd/controlC25,/dev/aloadC24,/dev/snd/controlC24,/dev/aloadC23,/dev/snd/controlC23,/dev/aloadC22,/dev/snd/controlC22,/dev/aloadC21,/dev/snd/controlC21,/dev/aloadC20,/dev/snd/controlC20,/dev/aloadC19,/dev/snd/controlC19,/dev/aloadC18,/dev/snd/controlC18,/dev/aloadC17,/dev/snd/controlC17,/dev/aloadC16,/dev/snd/controlC16,/dev/aloadC15,/dev/snd/controlC15,/dev/aloadC14,/dev/snd/controlC14,/dev/aloadC13,/dev/snd/controlC13,/dev/aloadC12,/dev/snd/controlC12,/dev/aloadC11,/dev/snd/controlC11,/dev/aloadC10,/dev/snd/controlC10,/dev/aloadC9,/dev/snd/controlC9,/dev/aloadC8,/dev/snd/controlC8,/dev/aloadC7,/dev/snd/controlC7,/dev/aloadC6,/dev/snd/controlC6,/dev/aloadC5,/dev/snd/controlC5,/dev/aloadC4,/dev/snd/controlC4,/dev/aloadC3,/dev/snd/controlC3,/dev/aloadC2,/dev/snd/controlC2,/dev/aloadC1,/dev/snd/controlC1,/dev/snd/controlC0,
# Sandbox-private /etc containing only the listed entries (machine-id included)
private-etc drirc,machine-id,asound.conf,alsa,fonts,xdg,kde5rc,login.defs,passwd,
# NOTE(review): firejail rejects the next line on the reporter's system with
# "invalid whitelist path"; the thread resolves it by using
# 'whitelist /var/lib/dbus' instead.
whitelist /var/lib/dbus/machine-id
whitelist /var/lib/flatpak/exports/share/icons/hicolor/48x48/apps/simplescreenrecorder-idle.png
whitelist /var/lib/flatpak/exports/share/icons/hicolor/32x32/apps/simplescreenrecorder-idle.png
whitelist /var/lib/flatpak/exports/share/icons/hicolor/22x22/apps/simplescreenrecorder-idle.png
whitelist /var/lib/flatpak/exports/share/icons/hicolor/16x16/apps/simplescreenrecorder-idle.png
whitelist /var/lib/flatpak/exports/share/icons/hicolor/48x48/apps/simplescreenrecorder.png
whitelist /var/lib/flatpak/exports/share/icons/hicolor/32x32/apps/simplescreenrecorder.png
whitelist /var/lib/flatpak/exports/share/icons/hicolor/22x22/apps/simplescreenrecorder.png
whitelist /var/lib/flatpak/exports/share/icons/hicolor/16x16/apps/simplescreenrecorder.png
whitelist /var/lib/snapd/desktop/SimpleScreenRecorder/icons/hicolor/
whitelist /var/lib/flatpak/exports/share/SimpleScreenRecorder/icons/hicolor/
# Sandbox-private bin directory with only the listed programs.
# NOTE(review): bash and firejail were presumably recorded because the build
# run was launched through them; confirm the application needs them before
# keeping a shell inside the sandbox.
private-bin simplescreenrecorder,bash,firejail,
# private-lib
whitelist /usr/share/drirc.d
whitelist /usr/share/alsa
whitelist /usr/share/fonts
whitelist /usr/share/SimpleScreenRecorder
whitelist /usr/share/icons
whitelist /usr/share/mime
whitelist /usr/share/simplescreenrecorder
whitelist /usr/share/plasma
whitelist /usr/share/locale
whitelist /usr/share/X11
whitelist /usr/share/hwdata
whitelist /usr/share/qt
whitelist /usr/share/kpackage
### security filters
# Drop all capabilities, forbid privilege gain through execve, and apply the
# default seccomp filter. The seccomp.keep list below is only the builder's
# suggestion and stays commented out, so it has no effect as written.
caps.drop all
nonewprivs
seccomp
# seccomp.keep futex,poll,write,mmap,munmap,statx,read,openat,recvmsg,writev,close,clone,mprotect,wait4,fstat,access,lstat,execve,stat,sendmsg,readlink,madvise,brk,lseek,fstatfs,connect,ioctl,getdents64,getuid,socket,getrandom,setresuid,setresgid,fcntl,shutdown,sendto,geteuid,getpid,rt_sigaction,arch_prctl,fdatasync,pipe2,fadvise64,getgid,mkdir,umask,recvfrom,ppoll,rt_sigprocmask,set_robust_list,set_tid_address,prlimit64,eventfd2,msync,uname,getsockname,getcwd,unlink,waitid,flock,getsockopt,prctl,rt_sigreturn,getresuid,getresgid,clock_getres,getpeername,shmget,shmat,shmctl,setsockopt,shmdt,ftruncate,rename,fchmod,sysinfo,getegid,getppid,getpgrp,sched_setscheduler,sched_setaffinity,sched_getaffinity,linkat,dup3
# 84 syscalls total
# Probably you will need to add more syscalls to seccomp.keep. Look for
# seccomp errors in /var/log/syslog or /var/log/audit/audit.log while
# running your sandbox.
### network
# Only UNIX-domain sockets may be created, and 'net none' places the sandbox
# in a network namespace with no connected interfaces.
protocol unix,
net none
### environment
# Start the program directly instead of through a user shell
shell none
Building the profile works fine, but if I now try to start simplescreenrecorder, it says:
simplescreenrecorder
Reading profile /home/user/.config/firejail/simplescreenrecorder.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 7076, child pid 7077
Warning: skipping drirc for private /etc
Warning: skipping kde5rc for private /etc
Private /etc installed in 42.55 ms
3 programs installed in 29.03 ms
Error: invalid whitelist path /var/lib/dbus/machine-id
Error: proc 7076 cannot sync with peer: unexpected EOF
Peer 7077 unexpectedly exited with status 1
Error: invalid whitelist path /var/lib/dbus/machine-id
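The machine-id file under /var/lib/dbus could be a symlink (depending on your OS); firejail likely rejects a whitelist entry whose symlink target lies outside the whitelisted top-level directory, which would explain the "invalid whitelist path" error. Try with 'whitelist /var/lib/dbus' instead (which is what /etc/firejail/whitelist-var-common.inc does). Note that this makes the whole /var/lib/dbus directory visible in the sandbox rather than the single file.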
The machine-id file under /var/lib/dbus could be a symlink (depending on your OS). Try with 'whitelist /var/lib/dbus' instead (which is what /etc/firejail/whitelist-var-common.inc does).
whitelist /var/lib/dbus
worked! Thanks!
it works however with
System
firejail 0.9.62 Manjaro KDE Kernel Version: 5.5.0-1-MANJARO simplescreenrecorder.profile from git master