Open houseofsuns opened 4 years ago
If a user home directory doesn't exist, Firejail fails with these admittedly somewhat cryptic errors. What I don't understand right now is
mkdir /tmp/myhome ; firejail --private=/tmp/myhome firefox -no-remote
gives up with "Error opening home directory: fs_home.c:265 fs_private_homedir: No such file or directory"
Is there something special about the home directory (symbolic links, file system)?
On /tmp a tmpfs is mounted and myhome is a simple directory, so that should be a no.
However my real home directory /home/houseofsuns actually is behind a symlink /home -> /compat/home due to historic reasons. I hope this does not impact usage.
It should be possible to rule it out: the home directory path in /etc/passwd, is it the link or is it the resolved path? If it is the link you could replace it with the resolved path and try again.
But actually I don't think that's the primary cause here.
For some reason Firejail cannot see your home directory. We had similar issues with filesystems that impose restrictions on the root user (like FUSE), but then I would expect a Permission denied error rather than No such file or directory, so probably it is something else.
I just checked and /etc/passwd contains /compat/home/houseofsuns, so this should be ruled out. (I dimly remember doing a quick search for this exact issue and finding something about symlinks and hence replacing this.)
I'm at a loss here. As it seems like it could be relevant I'll add the output of mount.
/dev/sda4 on / type btrfs (rw,relatime,compress=lzo,ssd,discard,space_cache,subvolid=257,subvol=/system)
devtmpfs on /dev type devtmpfs (rw,relatime,size=16373220k,nr_inodes=4093305,mode=755)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
tmpfs on /run type tmpfs (rw,nosuid,nodev,mode=755)
cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate)
pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime)
efivarfs on /sys/firmware/efi/efivars type efivarfs (rw,nosuid,nodev,noexec,relatime)
none on /sys/fs/bpf type bpf (rw,nosuid,nodev,noexec,relatime,mode=700)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime,pagesize=2M)
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime)
nfsd on /proc/fs/nfsd type nfsd (rw,relatime)
fusectl on /sys/fs/fuse/connections type fusectl (rw,nosuid,nodev,noexec,relatime)
configfs on /sys/kernel/config type configfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev)
tmpfs on /var/tmp/portage type tmpfs (rw,relatime,size=31457280k)
/dev/sdb1 on /compat type ext4 (rw,relatime)
/dev/sdc1 on /archive type ext4 (rw,relatime)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw,relatime)
tmpfs on /run/user/112 type tmpfs (rw,nosuid,nodev,relatime,size=3281720k,mode=700,uid=112,gid=237)
tmpfs on /run/user/1001 type tmpfs (rw,nosuid,nodev,relatime,size=3281720k,mode=700,uid=1001,gid=1001)
tmpfs on /sys/fs/cgroup/portage type cgroup (rw,nosuid,nodev,noexec,relatime,release_agent=/usr/lib/portage/python3.8/cgroup-release-agent,name=portage)
That mount table looks fairly standard. For the moment I'm out of ideas. Somebody else?
Maybe if you could post the output of
mkdir /tmp/myhome
firejail --private=/tmp/myhome --noprofile --debug | grep Mount-bind
just to rule out that Firejail tries to do something stupid?
Here you go:
$ mkdir /tmp/myhome ; firejail --private=/tmp/myhome --noprofile --debug | grep Mount-bind
DISPLAY=:1 parsed as 1
Parent pid 4388, child pid 4392
Error opening home directory: fs_home.c:265 fs_private_homedir: No such file or directory
Mount-bind /tmp/myhome on top of /compat/home/houseofsuns
Error: proc 4388 cannot sync with peer: unexpected EOF
Peer 4392 unexpectedly exited with status 1
@houseofsuns Any progress? If not, and you have the time to git bisect, that would definitely help to get to the bottom of this issue. We definitely would like to see firejail working as expected on Gentoo.
I did a git bisect and for the case firejail --private firefox -no-remote it returned 74e5911806d6f456819c65db37b0e29bc1f402d7 as the first bad commit.
However for mkdir /tmp/myhome ; firejail --private=/tmp/myhome firefox -no-remote I went back to version 0.9.56 (which was one and a half years ago) and it shows the same error. Which means that it is some interaction problem, as my setup definitely worked at that time (it stopped working at most six months ago).
@houseofsuns Thanks for taking the time to git bisect. Hopefully @smitsohu can have another look at this.
@glitsj16 Failing hard was maybe always a bit excessive, at least in a number of places. What I can do right now, without understanding the underlying issue, is to fail softly with a warning where it is easy to do.
But of course this is not really going to solve the problems of @houseofsuns
@houseofsuns
Does Firejail print the following warning message, maybe despite you updating /etc/passwd with a resolved path?
No full support for symbolic links in path of user directory.
Please provide resolved path in password database (/etc/passwd).
Or do you see something in the syslog?
@smitsohu I have full confidence you know what's the best way to deal with this :) I was doing a bit of issue triaging when I noticed this, so I took the liberty to ping you.
@smitsohu I just had another go at it, but no different result.
Here are my passwd settings:
$ grep houseofsuns /etc/passwd
houseofsuns:x:1001:1001::/compat/home/houseofsuns:/bin/zsh
And here is the full debug output:
$ firejail --debug --noprofile --private firefox -no-remote
Autoselecting /bin/zsh as shell
Building quoted command line: 'firefox' '-no-remote'
Command name #firefox#
DISPLAY=:1 parsed as 1
Using the local network stack
Parent pid 2594539, child pid 2594540
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
537 508 0:19 /system/etc /etc ro,relatime master:1 - btrfs /dev/sda4 rw,compress=lzo,ssd,discard,space_cache,subvolid=257,subvol=/system/etc
mountid=537 fsname=/system/etc dir=/etc fstype=btrfs
Mounting noexec /etc
538 537 0:19 /system/etc /etc ro,nosuid,nodev,noexec,relatime master:1 - btrfs /dev/sda4 rw,compress=lzo,ssd,discard,space_cache,subvolid=257,subvol=/system/etc
mountid=538 fsname=/system/etc dir=/etc fstype=btrfs
Mounting read-only /var
599 597 0:39 / /var/lib/nfs/rpc_pipefs rw,relatime master:70 - rpc_pipefs sunrpc rw
mountid=599 fsname=/ dir=/var/lib/nfs/rpc_pipefs fstype=rpc_pipefs
Mounting read-only /var/tmp/portage
600 598 0:34 / /var/tmp/portage ro,relatime master:58 - tmpfs tmpfs rw,size=31457280k
mountid=600 fsname=/ dir=/var/tmp/portage fstype=tmpfs
Mounting read-only /var/lib/nfs/rpc_pipefs
601 599 0:39 / /var/lib/nfs/rpc_pipefs ro,relatime master:70 - rpc_pipefs sunrpc rw
mountid=601 fsname=/ dir=/var/lib/nfs/rpc_pipefs fstype=rpc_pipefs
Mounting noexec /var
606 605 0:39 / /var/lib/nfs/rpc_pipefs ro,relatime master:70 - rpc_pipefs sunrpc rw
mountid=606 fsname=/ dir=/var/lib/nfs/rpc_pipefs fstype=rpc_pipefs
Mounting noexec /var/tmp/portage
607 604 0:34 / /var/tmp/portage ro,nosuid,nodev,noexec,relatime master:58 - tmpfs tmpfs rw,size=31457280k
mountid=607 fsname=/ dir=/var/tmp/portage fstype=tmpfs
Mounting noexec /var/lib/nfs/rpc_pipefs
608 606 0:39 / /var/lib/nfs/rpc_pipefs ro,nosuid,nodev,noexec,relatime master:70 - rpc_pipefs sunrpc rw
mountid=608 fsname=/ dir=/var/lib/nfs/rpc_pipefs fstype=rpc_pipefs
Mounting read-only /usr
609 508 0:19 /system/usr /usr ro,relatime master:1 - btrfs /dev/sda4 rw,compress=lzo,ssd,discard,space_cache,subvolid=257,subvol=/system/usr
mountid=609 fsname=/system/usr dir=/usr fstype=btrfs
Mounting read-only /bin
610 508 0:19 /system/bin /bin ro,relatime master:1 - btrfs /dev/sda4 rw,compress=lzo,ssd,discard,space_cache,subvolid=257,subvol=/system/bin
mountid=610 fsname=/system/bin dir=/bin fstype=btrfs
Mounting read-only /sbin
611 508 0:19 /system/sbin /sbin ro,relatime master:1 - btrfs /dev/sda4 rw,compress=lzo,ssd,discard,space_cache,subvolid=257,subvol=/system/sbin
mountid=611 fsname=/system/sbin dir=/sbin fstype=btrfs
Mounting read-only /lib
612 508 0:19 /system/lib /lib ro,relatime master:1 - btrfs /dev/sda4 rw,compress=lzo,ssd,discard,space_cache,subvolid=257,subvol=/system/lib
mountid=612 fsname=/system/lib dir=/lib fstype=btrfs
Mounting read-only /lib64
613 508 0:19 /system/lib64 /lib64 ro,relatime master:1 - btrfs /dev/sda4 rw,compress=lzo,ssd,discard,space_cache,subvolid=257,subvol=/system/lib64
mountid=613 fsname=/system/lib64 dir=/lib64 fstype=btrfs
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Create the new utmp file
Mount the new utmp file
Cleaning /run/user directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
Mounting a new /home directory
Mounting a new /root directory
Mounting tmpfs on /compat/home/houseofsuns
Error while opening directory: fs.c:442 fs_tmpfs: No such file or directory
Error: proc 2594539 cannot sync with peer: unexpected EOF
Peer 2594540 unexpectedly exited with status 1
I also did not see any messages in the log files originating from firejail.
@houseofsuns
In fs.c:442 fs_tmpfs:
// get a file descriptor for dir, fails if there is any symlink
Not sure if printing dir in line 441 would help. Did you try that to check the output?
The comment states that symlinks are not implemented yet, but I can't find the issue on that.
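The symlink-refusing directory open that the fs.c comment above describes, shown as an added example (constructed here, not Firejail's own code): it walks the path with O_PATH|O_NOFOLLOW one component at a time and tells a symlink component (ELOOP) apart from a missing one (ENOENT), the distinction the error messages in this thread turn on. The fixture paths under /tmp are made up for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Walk an absolute path component by component, opening each with O_PATH|O_NOFOLLOW
 * so nothing is resolved through a symlink. Returns 0 if a directory was reached,
 * else an errno value: ELOOP for a symlink component, ENOENT for a missing one. */
int check_dir_nofollow(const char *path) {
    if (path[0] != '/') return EINVAL;
    int fd = open("/", O_PATH | O_CLOEXEC), err = 0;
    if (fd < 0) return errno;
    char *copy = strdup(path), *save = NULL;
    if (!copy) { close(fd); return ENOMEM; }
    for (char *c = strtok_r(copy, "/", &save); c && !err; c = strtok_r(NULL, "/", &save)) {
        struct stat st;
        int next = openat(fd, c, O_PATH | O_NOFOLLOW | O_CLOEXEC);
        if (next < 0) err = errno;                      /* e.g. ENOENT: component missing */
        else if (fstat(next, &st)) err = errno;
        else if (S_ISLNK(st.st_mode)) err = ELOOP;      /* a symlink: refuse, do not resolve */
        else if (!S_ISDIR(st.st_mode)) err = ENOTDIR;
        close(fd);
        fd = next;                                      /* descend; err != 0 ends the loop */
    }
    if (fd >= 0) close(fd);
    free(copy);
    return err;
}

/* Constructed fixture (hypothetical): <tmp>/real/home/user as plain directories plus
 * the symlink <tmp>/link -> real, mirroring /home -> /compat/home from the thread.
 * demo_result[] receives the outcome for the real path, the symlinked path and a
 * missing directory. Returns 0, or -1 if the fixture could not be created. */
int demo_result[3];
int demo_symlink_check(void) {
    char base[] = "/tmp/nofollow-demo-XXXXXX", p[512];
    if (!mkdtemp(base)) return -1;
    snprintf(p, sizeof p, "%s/real", base);             if (mkdir(p, 0700)) return -1;
    snprintf(p, sizeof p, "%s/real/home", base);        if (mkdir(p, 0700)) return -1;
    snprintf(p, sizeof p, "%s/real/home/user", base);   if (mkdir(p, 0700)) return -1;
    snprintf(p, sizeof p, "%s/link", base);             if (symlink("real", p)) return -1;
    snprintf(p, sizeof p, "%s/real/home/user", base);   demo_result[0] = check_dir_nofollow(p);
    snprintf(p, sizeof p, "%s/link/home/user", base);   demo_result[1] = check_dir_nofollow(p);
    snprintf(p, sizeof p, "%s/real/home/nobody", base); demo_result[2] = check_dir_nofollow(p);
    return 0;
}
```

Whether Firejail's fs_tmpfs reports a symlink the same way is not shown on this page; the point of the demo is that a symlink-free walk and a missing directory produce different errno values, so a plain ENOENT points at a component that is not there rather than at a link.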
I use firejail to contain my firefox browser, but this unfortunately stopped working. I'm running Gentoo ~amd64 with a self-compiled kernel. I have the suspicion that the problem is due to some interaction with another system component, but I was travelling a lot when the issue started and sadly can no longer reproduce any of the relevant configuration.
I tried to diagnose this, but was not very successful. Here are the observations:
firejail firefox -no-remote starts firefox, which shows me a popup "Your Firefox profile cannot be loaded. It may be missing or inaccessible" and exits.
firejail --private firefox -no-remote gives up with "Error while opening directory: fs.c:450 fs_tmpfs: No such file or directory"
mkdir /tmp/myhome ; firejail --private=/tmp/myhome firefox -no-remote gives up with "Error opening home directory: fs_home.c:265 fs_private_homedir: No such file or directory"
firejail emacs seems to work fine, but the --private variants show the same behaviour as above.
Everything happens exactly the same with --noprofile.
Finally firejail --version: