Closed CocoR55 closed 4 years ago
Saying tutanota doesn't work, but krita does, is useless because these are two different programs. Anyway, krita has a profile, while tutanota-desktop has no profile. It is expected that apps w/o a profile may fail with the default profile. You can use `firejail --noprofile --appimage tutanota-desktop-linux.AppImage` to see whether there is a general issue with it.
Thank you rustysnake for your message

```
$ firejail --noprofile --appimage tutanota-desktop-linux.AppImage
Mounting appimage type 2
Parent pid 4409, child pid 4412
Warning: dropping all Linux capabilities
Child process initialized in 48.55 ms
Parent is shutting down, bye...
AppImage unmounted
```

It doesn't work with --noprofile either. Is this a general problem? Something is wrong, but what? Regards, CocoR55
I don't know how useful this is, if at all, in terms of sandboxing (I'm new to the program and the repo).
Like you I tried with those options on the appimage; didn't work. So I extracted the appimage and tried to run the binary under firejail; again doesn't work; works only with `--noprofile` which I guess doesn't provide any sandbox (?). So I made a custom profile and ran the binary with it and it works.
Still can't figure out the appimage thing, I need to take a look at appimage.c. I traced the calls and FUSE, whitelisting them doesn't seem to have any effect.

```
:~/Downloads/tutanota-desktop-linux$ firejail --profile=~/.config/firejail/tutanota-desktop.profile ./tutanota-desktop
```

Audit and profile are attached.
I think there's a daemon to integrate appimages which works under sandbox, so maybe running via that will help.
Thank you kortewegdevries
Following your message, I tried that:

```
$ firejail --appimage --profile=~/.config/firejail/tutanota-desktop-linux.AppImage.profile tutanota-desktop-linux.AppImage
Reading profile /home/michaou/.config/firejail/tutanota-desktop-linux.AppImage.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Mounting appimage type 2
Parent pid 11976, child pid 11979
Warning: dropping all Linux capabilities
Child process initialized in 150.12 ms
Parent is shutting down, bye...
AppImage unmounted
```

I would've thought that would've worked... CocoR55
As long as `--noprofile` is broken, additional hardening is not expected to change something. In theory options like `--writable-var` can have an effect. @CocoR55 is `force-nonewprivs` set in /etc/firejail/firejail.config?
@CocoR55 The profile I gave was not for the appimage itself, it was for the executable inside it, which I couldn't run with the Firejail default profile. I changed the filename from tutanota-desktop-linux.Appimage to tutanota-desktop-linux.zip > extract > go to folder tutanota-desktop-linux > chmod the file tutanota-desktop to set it as executable > use that profile (you need to redownload, I updated it) to launch it like this:

```
:~/Downloads/tutanota-desktop-linux$ firejail --profile=~/.config/firejail/tutanota-desktop.profile ./tutanota-desktop
```

Since this is an executable there is no need to use `--appimage`.
I can launch the appimage like this:

```
$ firejail --noprofile ./tutanota-desktop-linux.Appimage
```

The `--appimage` flag is creating the problem here, I think.
@rusty-snake Cannot mount either way:

```
$ firejail --writable-var --appimage ./tutanota-desktop-linux.Appimage
$ firejail --writable-var --appimage --noprofile ./tutanota-desktop-linux.Appimage
```

Works with this, again:

```
$ firejail --writable-var --noprofile ./tutanota-desktop-linux.Appimage
```

With `force-nonewprivs`, again the above two don't work, and with this:

```
$ firejail --writable-var --noprofile ./tutanota-desktop-linux.Appimage
Parent pid 3710, child pid 3711
Child process initialized in 10.13 ms
fusermount: mount failed: Operation not permitted
Cannot mount AppImage, please check your FUSE setup.
You might still be able to extract the contents of this AppImage
if you run it with the --appimage-extract option.
See https://github.com/AppImage/AppImageKit/wiki/FUSE
for more information
open dir error: No such file or directory
Parent is shutting down, bye...
```

Edit 1. Found a way to launch the appimage with the above profile:

```
$ firejail --profile=~/Downloads/tutanota-desktop.profile ./tutanota-desktop-linux.appimage --appimage-extract-and-run
```
Bonjour, thank you for your messages
@rusty-snake

```
$ cat firejail.config | grep -i force-nonewprivs
```

One remark: all the lines of firejail.config are in comments
@kortewegdevries

```
firejail --profile=~/.config/firejail/tutanota-desktop-linux.AppImage.profile ./tutanota-desktop-linux.appimage --appimage-extract-and-run
Reading profile /home/michaou/.config/firejail/tutanota-desktop-linux.AppImage.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Error: cannot access profile file: whitelist-usr-share-common.in
```
@rusty-snake
I don't know why the result is so dilated. It's not my fault. Moreover, this is a comment.
redo:

```
/etc/firejail $ cat firejail.config | grep -i force-nonewprivs
# force-nonewprivs no
```
> I don't know why the result is so dilated. It's not my fault. Moreover, this is a comment.

GitHub uses markdown to format comments. In markdown, headers are lines starting with `#`, `##`, ... see https://guides.github.com/features/mastering-markdown/#syntax
> Error: cannot access profile file: whitelist-usr-share-common.in

Correct the typo to whitelist-usr-share-common.inc and try again.
> correct the typo to whitelist-usr-share-common.inc and try again.

I checked it, there isn't a typo? Maybe @CocoR55 typed it wrong here, edited the profile, or doesn't have that file in /etc/firejail. For the last case, commenting the line works too, I checked (insert a "#" in front of the line and save); or this. My test environment (no changes were made to /etc/firejail/firejail.config):

```
$ firejail --version
firejail version 0.9.62
$
System:
Kernel: 5.4.0-40-generic x86_64 bits: 64 compiler: gcc v: 9.3.0
Desktop: Xfce 4.14.2 Distro: Ubuntu 20.04 LTS (Focal Fossa)
```
@rusty-snake

```
$ firejail --profile=~/.config/firejail/tutanota-desktop-linux.AppImage.profile ./tutanota-desktop-linux.appimage --appimage-extract-and-run
Reading profile /home/michaou/.config/firejail/tutanota-desktop-linux.AppImage.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Error: cannot access profile file: whitelist-usr-share-common.inc
```

I had mistyped and forgotten the letter c in my previous message.
@kortewegdevries I don't see any tutanota-desktop-linux.AppImage.profile in /etc/firejail

```
/etc/firejail $ ls | grep -i tutanota-desktop-linux.AppImage.profile
/etc/firejail $
```

I inserted a "#" in front of the line as you can see on the second one below:

```
# include whitelist-common.inc
# include whitelist-usr-share-common.inc
include whitelist-var-common.inc
```

If I give a look at `/etc/firejail $ cat firejail.config`, all lines still start with a # (comment)

```
$ firejail --profile=~/.config/firejail/tutanota-desktop-linux.AppImage.profile ./tutanota-desktop-linux.appimage --appimage-extract-and-run
Reading profile /home/michaou/.config/firejail/tutanota-desktop-linux.AppImage.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 5419, child pid 5420
Child process initialized in 142.11 ms
Error: no suitable ./tutanota-desktop-linux.appimage executable found
Parent is shutting down, bye...
$ firejail --version
firejail version 0.9.60
Compile time support:
```
> Error: no suitable ./tutanota-desktop-linux.appimage executable found

You should run this in the directory where the appimage is located; for mine I had it in ~/Downloads. Also make sure the filename is exactly the same as yours; if not, change it to yours. Open a terminal there or `cd /path/to/appimage/directory/` and run the command.
You don't have to search in firejail.config, I meant that I tested with all default options there. Also, what is your distro? Looks like Firejail needs an update maybe? Also, just to make sure, if you didn't, you need to re-download the profile I gave from above because I had to change something in it :)
Now:

```
# firejail --version
firejail version 0.9.62
~/Documents/TutanotaAppimage $ ls
tuta tutanota-desktop-linux.AppImage
~/Documents/TutanotaAppimage $ firejail --profile=~/.config/firejail/tutanota-desktop-linux.AppImage.profile ./tutanota-desktop-linux.AppImage --appimage-extract-and-run
Reading profile /home/michaou/.config/firejail/tutanota-desktop-linux.AppImage.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 18373, child pid 18374
Child process initialized in 197.92 ms
Error: no suitable ./tutanota-desktop-linux.AppImage executable found
Parent is shutting down, bye...
~/Documents/TutanotaAppimage $ cd ~/.config/firejail
~/.config/firejail $ ls
tutanota-desktop-linux.AppImage.profile
```

You can see that the file names are the same in the directory and in the command.
Without firejail that works.

```
~/Documents/TutanotaAppimage $ ./tutanota-desktop-linux.AppImage
[2020-07-03T18:05:36.179Z] the monkey has been patche.............
```

```
cat /etc/lsb-release
DISTRIB_ID=LinuxMint
DISTRIB_RELEASE=18.3
DISTRIB_CODENAME=sylvia
DISTRIB_DESCRIPTION="Linux Mint 18.3 Sylvia"
```

Cinnamon
Some remarks:
The line `noblacklist ${HOME}/.config/tutanota-desktop/`, shouldn't it be something like `noblacklist ${HOME}/.config/tutanota-desktop-linux/`?
The lines:

```
# **apparmor**
caps.drop all
ipc-namespace
machine-id
```

are not inconsistent with: firejail version 0.9.62 Compile time support:
> Error: no suitable ./tutanota-desktop-linux.AppImage executable found

Do you have /home mounted with noexec?

> ~/Documents/TutanotaAppimage

`include disable-xdg.inc` contains `blacklist ${DOCUMENTS}`.

> The line: noblacklist ${HOME}/.config/tutanota-desktop/ shouldn't it be something like noblacklist ${HOME}/.config/tutanota-desktop-linux/ ?

Yes, `whitelist`, `blacklist`, `noblacklist` should not have a trailing `/`.

> The lines: …… are not inconsistent with: firejail version 0.9.62

Why? 0.9.62 supports these lines.

> - AppArmor support is disabled....?

Linux Mint does not use AA by default, therefore they likely do not enable AA support in firejail.
> Reading profile /etc/firejail/disable-xdg.inc

@CocoR55 The above line indicates your custom profile includes disable-xdg.inc. The latter blacklists ${DOCUMENTS} (amongst others). So when you put the appimage in a location like ${HOME}/Documents/TutanotaAppimage/tutanota-desktop-linux.AppImage firejail will not find it because that directory is blacklisted.
You can either add `noblacklist ${DOCUMENTS}` to your ~/.config/firejail/tutanota-desktop-linux.AppImage.profile (by convention we put such an override above the line where you include disable-xdg.inc) or move the appimage somewhere else. In any case you'll need to make sure that the directory where you put it is not blacklisted in your profile.
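Both points made above, rusty-snake's remark that `blacklist`/`noblacklist` entries must not end in `/` and glitsj16's explanation that `include disable-xdg.inc` hides `${DOCUMENTS}` unless a `noblacklist ${DOCUMENTS}` sits above the include, can be dry-run offline before starting firejail. The checker below is an added example, not code from this issue or from the firejail project. It reads a profile and its includes in order, expands `${HOME}`, `${DOCUMENTS}` and `${DOWNLOADS}` with the xdg-user-dirs defaults (firejail reads the real values from `~/.config/user-dirs.dirs`; the defaults are an assumption here), and reports which surviving `blacklist` line covers a given path. Two things are simplifications rather than firejail's exact algorithm: the matching rule (a prefix match at a path boundary, no glob patterns) and the order rule it models, that a `noblacklist` shields only `blacklist` lines processed after it. The include file and the three profile variants are constructed inline; only the `disable-xdg.inc` line relevant to this thread is reproduced.

```python
"""Dry-run checker for the "no suitable executable found" failure in this
thread: given a firejail profile, which blacklist line hides a path?

Added example; not code from the issue or from the firejail project. It
models only what the thread needs: `include`, `blacklist`, `noblacklist`,
comments, and the ${HOME}/${DOCUMENTS}/${DOWNLOADS} macros. Assumptions:
xdg-user-dirs defaults, no glob patterns, prefix matching at a path
boundary, and a noblacklist shields only blacklist lines that follow it.
"""
import os

HOME = "/home/michaou"  # home directory seen in the thread's paths
APPIMAGE = "${HOME}/Documents/TutanotaAppimage/tutanota-desktop-linux.AppImage"

# Constructed stand-ins for the profile files. The real include lives in
# /etc/firejail; only its ${DOCUMENTS} line is reproduced.
FILES = {
    "disable-xdg.inc": "blacklist ${DOCUMENTS}\n",
    # profile as posted: override below the include, and with a trailing slash
    "as-posted": (
        "noblacklist ${HOME}/.config/tutanota-desktop/\n"
        "include disable-xdg.inc\n"
    ),
    # the suggested fix: noblacklist ${DOCUMENTS} above the include, no slash
    "fixed": (
        "noblacklist ${HOME}/.config/tutanota-desktop\n"
        "noblacklist ${DOCUMENTS}\n"
        "include disable-xdg.inc\n"
    ),
    # same override placed after the include: too late to shield it
    "wrong-order": (
        "include disable-xdg.inc\n"
        "noblacklist ${DOCUMENTS}\n"
    ),
}


def expand(path, home=HOME):
    """Expand the macros firejail fills from xdg-user-dirs (defaults assumed)."""
    for macro, value in (("${DOCUMENTS}", os.path.join(home, "Documents")),
                         ("${DOWNLOADS}", os.path.join(home, "Downloads")),
                         ("${HOME}", home)):
        path = path.replace(macro, value)
    return path


def load_profile(name, files=FILES):
    """Flatten a profile and its includes, in order, into
    (directive, argument, "file: line") tuples; blank and # lines are dropped."""
    entries = []
    for raw in files[name].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, _, arg = line.partition(" ")
        arg = arg.strip()
        if directive == "include":
            entries.extend(load_profile(arg, files))
        else:
            entries.append((directive, arg, f"{name}: {line}"))
    return entries


def under(path, prefix):
    """True if path is prefix itself or lies below it. Deliberately no
    normalisation: 'x/' does not cover 'x', which is why the slash matters."""
    return path == prefix or path.startswith(prefix + "/")


def effective_blacklist(entries, home=HOME):
    """Blacklist entries that survive: a noblacklist only shields the
    blacklist lines processed after it (document order)."""
    shields, active = [], []
    for directive, arg, src in entries:
        path = expand(arg, home)
        if directive == "noblacklist":
            shields.append(path)
        elif directive == "blacklist" and not any(under(path, s) for s in shields):
            active.append((path, src))
    return active


def blocked_by(path, entries, home=HOME):
    """Source lines of every blacklist hiding `path` (empty list = reachable)."""
    path = expand(path, home)
    return [src for bl, src in effective_blacklist(entries, home) if under(path, bl)]


def trailing_slash_lines(entries):
    """Lint for the trailing-slash remark: these directives should not end in '/'."""
    return [src for d, arg, src in entries
            if d in ("blacklist", "noblacklist", "whitelist") and arg.endswith("/")]


if __name__ == "__main__":
    for profile in ("as-posted", "fixed", "wrong-order"):
        entries = load_profile(profile)
        hits = blocked_by(APPIMAGE, entries)
        status = "BLOCKED by " + "; ".join(hits) if hits else "reachable"
        print(f"{profile:12} {status}")
        for src in trailing_slash_lines(entries):
            print(f"{'':12} trailing slash: {src}")
```

Run as-is it prints one line per variant: the as-posted profile reports the AppImage under `~/Documents` as blocked by `disable-xdg.inc` and flags the trailing slash, the fixed profile reports it reachable, and the variant with the override below the include is blocked again, which is the placement convention mentioned above. Point `blocked_by` at your own profile text and the directory you intend to run from before trying `--appimage-extract-and-run`.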
Thank you all for your messages and help
@glitsj16 The explanation is clear. The folder ${HOME}/Documents/TutanotaAppimage is replaced by ${HOME}/Tuta. From this last directory:

```
$ firejail --profile=~/.config/firejail/tutanota-desktop-linux.AppImage.profile ./tutanota-desktop-linux.AppImage --appimage-extract-and-run
Error: no suitable ./tutanota-desktop-linux.AppImage executable found
```

I did many tries. Here is the summary:

```
$ firejail --noprofile ./tutanota-desktop-linux.AppImage
```

is OK

```
$ firejail --noprofile ./tutanota-desktop-linux.AppImage --appimage-extract-and-run
```

is OK, with a huge quantity of comments.
Like kortewegdevries above, if the tutanota-desktop-linux.AppImage.profile file is moved into the ${HOME}/Tuta folder and, for the purpose of authorizing the execution of fusermount, the two lines below are added to this profile file:

```
noblacklist /bin/
noblacklist /usr/share/bash-completion/completions
```

```
$ firejail --profile=tutanota-desktop-linux.AppImage.profile ./tutanota-desktop-linux.AppImage --appimage-extract-and-run
```

is OK
Remark:
On a site, I had read that the command should be `$ firejail --appimage ................` but if I add `--appimage` it does not work.
I don't understand why we have to move the profile to the Tuta directory. I searched in the blacklists and didn't see a .config/firejail directory. I don't have an explanation.
To allow the execution of fusermount, I put an override in the profile for the two files where I found it.
There may be a better method......
A last small issue. Error message:

```
Error: EROFS: read-only file system, open '/home/michaou/.local/share/applications/tutanota-desktop.desktop'
Stacktrace:
Error: EROFS: read-only file system, open '/home/michaou/.local/share/applications/tutanota-desktop.desktop'
```

Solved by `chmod 555 tutanota-desktop.desktop`
Thank you all for your help.
CocoR55
Bonjour,
I cannot include tutanota-desktop-linux.AppImage in a sandbox with firejail. I've read in different articles on the Web that applications packaged as AppImages couldn't work in a sandbox. The perfect counter-example is the case of the krita software. As you can see below:

```
$ firejail --list
3446:michaou::/usr/bin/firejail /usr/bin/firefox
6556:michaou::firejail --appimage krita-4.3.0-x86_64.appimage
$ firejail --tree
3446:michaou::/usr/bin/firejail /usr/bin/firefox
  3449:michaou::/usr/bin/firejail /usr/bin/firefox
    3459:michaou::/usr/lib/firefox/firefox
      3527:michaou::/usr/lib/firefox/firefox -contentproc -childID 1 -isForBrowser -prefsLen 1 -prefMapSize 235295 -parentBuildID 20200602222727 -appdir /usr/lib/firefox/browser 10 true tab
      3595:michaou::/usr/lib/firefox/firefox -contentproc -childID 2 -isForBrowser -prefsLen 6341 -prefMapSize 235295 -parentBuildID 20200602222727 -appdir /usr/lib/firefox/browser 10 true tab
6556:michaou::firejail --appimage krita-4.3.0-x86_64.appimage
  6559:michaou::firejail --appimage krita-4.3.0-x86_64.appimage
    6562:michaou::/run/firejail/appimage/.appimage-6556/AppRun
```

Nevertheless, with tutanota, that fails as you can see below:

```
$ firejail --appimage tutanota-desktop-linux.AppImage
Mounting appimage type 2
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Note: you can use --noprofile to disable default.profile
Parent pid 5347, child pid 5350
Warning: dropping all Linux capabilities
Child process initialized in 21.32 ms
Parent is shutting down, bye...
AppImage unmounted
```
The question is: krita.appimage works in a sandbox. In your opinion, is it normal that tutanota.appimage can't work in a sandbox? Maybe there's something I missed. Maybe I should do something with firecfg?
All ideas are welcome.
Regards,
CocoR55