firefox: Error while opening directory: fs.c:442 fs_tmpfs: No such file or directory

houseofsuns commented 4 years ago

I use firejail to contain my firefox browser, but this unfortunately stopped working. I'm running Gentoo ~amd64 with a self-compiled kernel. I have the suspicion, that the problem is due to some interaction with another system component, but I was travelling a lot when the issue started and sadly can no longer reproduce any of the relevant configuration.

I tried to diagnose this, but was not very successful. Here come the observations:

firejail firefox -no-remote starts firefox which shows me a popup "Your Firefox profile cannot be loaded. It may be missing or inaccessible" and exits.
firejail --private firefox -no-remote gives up with "Error while opening directory: fs.c:450 fs_tmpfs: No such file or directory"
mkdir /tmp/myhome ; firejail --private=/tmp/myhome firefox -no-remote gives up with "Error opening home directory: fs_home.c:265 fs_private_homedir: No such file or directory"
firejail emacs seems to work fine, but the --private variants show the same behaviour as above

Everything happens exactly the same with --noprofile.

Finally firejail --version:

firejail version 0.9.62

Compile time support:
    - AppArmor support is disabled
    - AppImage support is enabled
    - chroot support is enabled
    - file and directory whitelisting support is enabled
    - file transfer support is enabled
    - firetunnel support is disabled
    - networking support is enabled
    - overlayfs support is enabled
    - private-home support is enabled
    - seccomp-bpf support is enabled
    - user namespace support is enabled
    - X11 sandboxing support is disabled

smitsohu commented 4 years ago

If a user home directory doesn't exist, Firejail fails with these admittedly somewhat cryptic errors. What I don't understand right now is

mkdir /tmp/myhome ; firejail --private=/tmp/myhome firefox -no-remote gives up with "Error opening home directory: fs_home.c:265 fs_private_homedir: No such file or directory"

Is there something special about the home directory (symbolic links, file system)?

houseofsuns commented 4 years ago

If a user home directory doesn't exist, Firejail fails with these admittedly somewhat cryptic errors. What I don't understand right now is

mkdir /tmp/myhome ; firejail --private=/tmp/myhome firefox -no-remote gives up with "Error opening home directory: fs_home.c:265 fs_private_homedir: No such file or directory"

Is there something special about the home directory (symbolic links, file system)?

On /tmp a tmpfs is mounted and myhome is a simple directory so that should be a no.

However my real home directory /home/houseofsuns actually is behind a symlink /home -> /compat/home due to historic reasons. I hope this does not impact usage.

smitsohu commented 4 years ago

I hope this does not impact usage.

It should be possible to rule it out: The home directory path in /etc/passwd, is it the link or is it the resolved path? If it is the link you could replace it with the resolved path and try again.

But actually I don't think that's the primary cause here.

For some reason Firejail cannot see your home directory. We had similar issues with filesystems that impose restrictions on the root user (like FUSE), but then I would expect a Permission denied error rather than No such file or directory, so probably it is something else.

houseofsuns commented 4 years ago

I hope this does not impact usage.

It should be possible to rule it out: The home directory path in /etc/passwd, is it the link or is it the resolved path? If it is the link you could replace it with the resolved path and try again.

I just checked and /etc/passwd contains /compat/home/houseofsuns so this should be ruled out. (I dimly remember doing a quick search for this exact issue and finding something about symlinks and hence replacing this.)

For some reason Firejail cannot see your home directory. We had similar issues with filesystems that impose restrictions on the root user (like FUSE), but then I would expect a Permission denied error rather than No such file or directory, so probably it is something else.

I'm at a loss here. As it seems like it could be relevant I'll add the output of mount.

/dev/sda4 on / type btrfs (rw,relatime,compress=lzo,ssd,discard,space_cache,subvolid=257,subvol=/system)
devtmpfs on /dev type devtmpfs (rw,relatime,size=16373220k,nr_inodes=4093305,mode=755)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
tmpfs on /run type tmpfs (rw,nosuid,nodev,mode=755)
cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate)
pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime)
efivarfs on /sys/firmware/efi/efivars type efivarfs (rw,nosuid,nodev,noexec,relatime)
none on /sys/fs/bpf type bpf (rw,nosuid,nodev,noexec,relatime,mode=700)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime,pagesize=2M)
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime)
nfsd on /proc/fs/nfsd type nfsd (rw,relatime)
fusectl on /sys/fs/fuse/connections type fusectl (rw,nosuid,nodev,noexec,relatime)
configfs on /sys/kernel/config type configfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev)
tmpfs on /var/tmp/portage type tmpfs (rw,relatime,size=31457280k)
/dev/sdb1 on /compat type ext4 (rw,relatime)
/dev/sdc1 on /archive type ext4 (rw,relatime)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw,relatime)
tmpfs on /run/user/112 type tmpfs (rw,nosuid,nodev,relatime,size=3281720k,mode=700,uid=112,gid=237)
tmpfs on /run/user/1001 type tmpfs (rw,nosuid,nodev,relatime,size=3281720k,mode=700,uid=1001,gid=1001)
tmpfs on /sys/fs/cgroup/portage type cgroup (rw,nosuid,nodev,noexec,relatime,release_agent=/usr/lib/portage/python3.8/cgroup-release-agent,name=portage)

smitsohu commented 4 years ago

That mount table looks fairly standard. For the moment I'm out of ideas. Somebody else?

Maybe if you could post the output of

mkdir /tmp/myhome
firejail --private=/tmp/myhome --noprofile --debug | grep Mount-bind

just to rule out that Firejail tries to do something stupid?

houseofsuns commented 4 years ago

Here you go:

$ mkdir /tmp/myhome ; firejail --private=/tmp/myhome --noprofile --debug | grep Mount-bind
DISPLAY=:1 parsed as 1
Parent pid 4388, child pid 4392
Error opening home directory: fs_home.c:265 fs_private_homedir: No such file or directory
Mount-bind /tmp/myhome on top of /compat/home/houseofsuns
Error: proc 4388 cannot sync with peer: unexpected EOF
Peer 4392 unexpectedly exited with status 1

glitsj16 commented 4 years ago

@houseofsuns Any progress? If not, and you have the time to git bisect, that would definately help to get to the bottom of this issue. We definately would like to see firejail working as expected on Gentoo.

houseofsuns commented 4 years ago

I did a git bisect and for the case firejail --private firefox -no-remote it returned 74e5911806d6f456819c65db37b0e29bc1f402d7 as the first bad commit.

houseofsuns commented 4 years ago

However for mkdir /tmp/myhome ; firejail --private=/tmp/myhome firefox -no-remote I went back to version 0.9.56 (which was one and a half years ago) and it shows the same error. Which means that it is some interaction problem as my setup definitely worked at that time (it stopped working at most six month ago).

glitsj16 commented 4 years ago

@houseofsuns Thanks for taking the time to git bisect. Hopefully @smitsohu can have another look at this.

smitsohu commented 4 years ago

@glitsj16 Failing hard was maybe always a bit excessive, at least in a number of places. What I can do right now, without understanding the underlying issue, is to fail softly with a warning where it is easy to do.

But of course this is not really going to solve the problems of @houseofsuns

smitsohu commented 4 years ago

@houseofsuns Does Firejail print the following warning message, maybe despite you updating /etc/passwd with a resolved path?

No full support for symbolic links in path of user directory.
Please provide resolved path in password database (/etc/passwd).

Or do you see something in the syslog?

glitsj16 commented 4 years ago

What I can do right now, without understanding the underlying issue, is to fail softly with a warning where it is easy to do.

@smitsohu I have full confidence you know what's the best way to deal with this :) I was doing a bit of issue triaging when I noticed this, so I took the liberty to ping you.

houseofsuns commented 4 years ago

@smitsohu I just had another go at it, but no different result.

Here my passwd-settings:

$ grep houseofsuns /etc/passwd
houseofsuns:x:1001:1001::/compat/home/houseofsuns:/bin/zsh

And here a full debug output:

$ firejail --debug --noprofile --private firefox -no-remote
Autoselecting /bin/zsh as shell
Building quoted command line: 'firefox' '-no-remote' 
Command name #firefox#
DISPLAY=:1 parsed as 1
Using the local network stack
Parent pid 2594539, child pid 2594540
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
537 508 0:19 /system/etc /etc ro,relatime master:1 - btrfs /dev/sda4 rw,compress=lzo,ssd,discard,space_cache,subvolid=257,subvol=/system/etc
mountid=537 fsname=/system/etc dir=/etc fstype=btrfs
Mounting noexec /etc
538 537 0:19 /system/etc /etc ro,nosuid,nodev,noexec,relatime master:1 - btrfs /dev/sda4 rw,compress=lzo,ssd,discard,space_cache,subvolid=257,subvol=/system/etc
mountid=538 fsname=/system/etc dir=/etc fstype=btrfs
Mounting read-only /var
599 597 0:39 / /var/lib/nfs/rpc_pipefs rw,relatime master:70 - rpc_pipefs sunrpc rw
mountid=599 fsname=/ dir=/var/lib/nfs/rpc_pipefs fstype=rpc_pipefs
Mounting read-only /var/tmp/portage
600 598 0:34 / /var/tmp/portage ro,relatime master:58 - tmpfs tmpfs rw,size=31457280k
mountid=600 fsname=/ dir=/var/tmp/portage fstype=tmpfs
Mounting read-only /var/lib/nfs/rpc_pipefs
601 599 0:39 / /var/lib/nfs/rpc_pipefs ro,relatime master:70 - rpc_pipefs sunrpc rw
mountid=601 fsname=/ dir=/var/lib/nfs/rpc_pipefs fstype=rpc_pipefs
Mounting noexec /var
606 605 0:39 / /var/lib/nfs/rpc_pipefs ro,relatime master:70 - rpc_pipefs sunrpc rw
mountid=606 fsname=/ dir=/var/lib/nfs/rpc_pipefs fstype=rpc_pipefs
Mounting noexec /var/tmp/portage
607 604 0:34 / /var/tmp/portage ro,nosuid,nodev,noexec,relatime master:58 - tmpfs tmpfs rw,size=31457280k
mountid=607 fsname=/ dir=/var/tmp/portage fstype=tmpfs
Mounting noexec /var/lib/nfs/rpc_pipefs
608 606 0:39 / /var/lib/nfs/rpc_pipefs ro,nosuid,nodev,noexec,relatime master:70 - rpc_pipefs sunrpc rw
mountid=608 fsname=/ dir=/var/lib/nfs/rpc_pipefs fstype=rpc_pipefs
Mounting read-only /usr
609 508 0:19 /system/usr /usr ro,relatime master:1 - btrfs /dev/sda4 rw,compress=lzo,ssd,discard,space_cache,subvolid=257,subvol=/system/usr
mountid=609 fsname=/system/usr dir=/usr fstype=btrfs
Mounting read-only /bin
610 508 0:19 /system/bin /bin ro,relatime master:1 - btrfs /dev/sda4 rw,compress=lzo,ssd,discard,space_cache,subvolid=257,subvol=/system/bin
mountid=610 fsname=/system/bin dir=/bin fstype=btrfs
Mounting read-only /sbin
611 508 0:19 /system/sbin /sbin ro,relatime master:1 - btrfs /dev/sda4 rw,compress=lzo,ssd,discard,space_cache,subvolid=257,subvol=/system/sbin
mountid=611 fsname=/system/sbin dir=/sbin fstype=btrfs
Mounting read-only /lib
612 508 0:19 /system/lib /lib ro,relatime master:1 - btrfs /dev/sda4 rw,compress=lzo,ssd,discard,space_cache,subvolid=257,subvol=/system/lib
mountid=612 fsname=/system/lib dir=/lib fstype=btrfs
Mounting read-only /lib64
613 508 0:19 /system/lib64 /lib64 ro,relatime master:1 - btrfs /dev/sda4 rw,compress=lzo,ssd,discard,space_cache,subvolid=257,subvol=/system/lib64
mountid=613 fsname=/system/lib64 dir=/lib64 fstype=btrfs
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Create the new utmp file
Mount the new utmp file
Cleaning /run/user directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
Mounting a new /home directory
Mounting a new /root directory
Mounting tmpfs on /compat/home/houseofsuns
Error while opening directory: fs.c:442 fs_tmpfs: No such file or directory
Error: proc 2594539 cannot sync with peer: unexpected EOF
Peer 2594540 unexpectedly exited with status 1

I also did not see any messages in the log files originating from firejail.

matu3ba commented 4 years ago

@houseofsuns In fs.c:442 fs_tmpfs: // get a file descriptor for dir, fails if there is any symlink Not sure, if printing dir in line 441 would help. Did you try that to check the output?

The comment states that symlinks are not implemented yet, but I cant find the issue on that.

netblue30 / firejail

firefox: Error while opening directory: fs.c:442 fs_tmpfs: No such file or directory #3304