netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

[Solved] Impossible to include tutanota-desktop-linux.AppImage in a sandbox with firejail #3485

Closed CocoR55 closed 4 years ago

CocoR55 commented 4 years ago

Hello,

I cannot include tutanota-desktop-linux.AppImage in a sandbox with firejail. I've read different articles on the Web that the applications included in Appimage couldn't work in a sandbox. The perfect counter-example is the case of the krita software. As you can see below:

$ firejail --list
3446:michaou::/usr/bin/firejail /usr/bin/firefox
6556:michaou::firejail --appimage krita-4.3.0-x86_64.appimage
$ firejail --tree
3446:michaou::/usr/bin/firejail /usr/bin/firefox
3449:michaou::/usr/bin/firejail /usr/bin/firefox
3459:michaou::/usr/lib/firefox/firefox
3527:michaou::/usr/lib/firefox/firefox -contentproc -childID 1 -isForBrowser -prefsLen 1 -prefMapSize 235295 -parentBuildID 20200602222727 -appdir /usr/lib/firefox/browser 10 true tab
3595:michaou::/usr/lib/firefox/firefox -contentproc -childID 2 -isForBrowser -prefsLen 6341 -prefMapSize 235295 -parentBuildID 20200602222727 -appdir /usr/lib/firefox/browser 10 true tab
6556:michaou::firejail --appimage krita-4.3.0-x86_64.appimage
6559:michaou::firejail --appimage krita-4.3.0-x86_64.appimage
6562:michaou::/run/firejail/appimage/.appimage-6556/AppRun

Nevertheless, with tutanota, that fails as you can see below:

$ firejail --appimage tutanota-desktop-linux.AppImage
Mounting appimage type 2
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc

Note: you can use --noprofile to disable default.profile

Parent pid 5347, child pid 5350

Warning: dropping all Linux capabilities
Child process initialized in 21.32 ms

Parent is shutting down, bye...
AppImage unmounted

Question is: krita.appimage works in a sandbox. According to you, is it normal that tutanota.appimage can't work in a sandbox? Maybe there's something I missed. Maybe I should do something with firecfg?

All ideas are welcome.

Regards,

CocoR55

rusty-snake commented 4 years ago

Saying tutanota doesn't work, but krita does, is useless because they are two different programs. Anyway krita has a profile, while tutanota-desktop has no profile. It is expected that apps w/o a profile may fail with the default profile. You can use firejail --noprofile --appimage tutanota-desktop-linux.AppImage to see whether there is a general issue with it.

CocoR55 commented 4 years ago

Thank you rustysnake for your message

$ firejail --noprofile --appimage tutanota-desktop-linux.AppImage
Mounting appimage type 2
Parent pid 4409, child pid 4412

Warning: dropping all Linux capabilities
Child process initialized in 48.55 ms

Parent is shutting down, bye...
AppImage unmounted

It doesn't work with --noprofile either. Is this a general problem? Something is wrong but what? Regards, CocoR55

bbhtt commented 4 years ago

I don't know how useful is this if at all in terms of sandboxing (I'm new to the program and the repo).

Like you I tried with those options on the appimage; didn't work. So I extracted the appimage and tried to run the binary under firejail; again doesn't work; works only with `--noprofile` which I guess doesn't provide any sandbox (?). So I made a custom profile and ran the binary with it and it works.

Still can't figure out the appimage thing, I need to take a look at appimage.c. I traced the calls and FUSE, whitelisting them doesn't seem to have any effect.

:~/Downloads/tutanota-desktop-linux$ firejail --profile=~/.config/firejail/tutanota-desktop.profile ./tutanota-desktop

Audit and profile are attached.

tutanota-desktop.profile

I think there's a daemon to integrate appimages which works under sandbox, so maybe running via that will help.

CocoR55 commented 4 years ago

Thank you kortewegdevries

Following your message, I tried that:

$ firejail --appimage --profile=~/.config/firejail/tutanota-desktop-linux.AppImage.profile tutanota-desktop-linux.AppImage
Reading profile /home/michaou/.config/firejail/tutanota-desktop-linux.AppImage.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Mounting appimage type 2
Parent pid 11976, child pid 11979

Warning: dropping all Linux capabilities
Child process initialized in 150.12 ms

Parent is shutting down, bye...
AppImage unmounted

I would've thought that would've worked........ CocoR55

rusty-snake commented 4 years ago

As long as --noprofile is broken, additional hardening is not expected to change something. In theory options like --writable-var can have an effect. @CocoR55 is force-nonewprivs set in /etc/firejail/firejail.config?

bbhtt commented 4 years ago

@CocoR55 The profile I gave was not for the appimage itself, it was for the executable inside it which I couldn't run with Firejail default profile. I changed the filename from tutanota-desktop-linux.Appimage to tutanota-desktop-linux.zip > extract > go to folder tutanota-desktop-linux > chmod the file tutanota-desktop to set as executable > Use that profile (you need to redownload, I updated it) to launch it like this:

:~/Downloads/tutanota-desktop-linux$ firejail --profile=~/.config/firejail/tutanota-desktop.profile ./tutanota-desktop

Since this is an executable no need to use --appimage

I can launch the appimage like this:

$ firejail --noprofile ./tutanota-desktop-linux.Appimage

The --appimage flag is creating the problem here, I think.

@rusty-snake Cannot mount either way:

$ firejail --writable-var --appimage ./tutanota-desktop-linux.Appimage 
$ firejail --writable-var --appimage --noprofile ./tutanota-desktop-linux.Appimage

Works with this, again:

$ firejail --writable-var --noprofile ./tutanota-desktop-linux.Appimage

With force-nonewprivs, again the above two don't work; with this:

$ firejail --writable-var --noprofile ./tutanota-desktop-linux.Appimage

Parent pid 3710, child pid 3711
Child process initialized in 10.13 ms
fusermount: mount failed: Operation not permitted

Cannot mount AppImage, please check your FUSE setup.
You might still be able to extract the contents of this AppImage 
if you run it with the --appimage-extract option. 
See https://github.com/AppImage/AppImageKit/wiki/FUSE 
for more information
open dir error: No such file or directory

Parent is shutting down, bye...

Edit 1. Found a way to launch the appimage with the above profile:

$ firejail --profile=~/Downloads/tutanota-desktop.profile ./tutanota-desktop-linux.appimage --appimage-extract-and-run

CocoR55 commented 4 years ago

Hello,

Thank you for your messages.

@rusty-snake

$ cat firejail.config | grep -i force-nonewprivs

force-nonewprivs no

One remark: all the lines of firejail.config are in comments

@kortewegdevries

firejail --profile=~/.config/firejail/tutanota-desktop-linux.AppImage.profile ./tutanota-desktop-linux.appimage --appimage-extract-and-run
Reading profile /home/michaou/.config/firejail/tutanota-desktop-linux.AppImage.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Error: cannot access profile file: whitelist-usr-share-common.in

CocoR55 commented 4 years ago

@rusty-snake I don't know why the result is so dilated. It's not my fault. Moreover, this is a comment. Redo:

/etc/firejail $ cat firejail.config | grep -i force-nonewprivs
# force-nonewprivs no

rusty-snake commented 4 years ago

> I don't know why the result is so dilated. It's not my fault. Moreover, this is a comment.

GitHub uses markdown to format comments. In markdown headers are lines starting with #, ##, ... see https://guides.github.com/features/mastering-markdown/#syntax

> Error: cannot access profile file: whitelist-usr-share-common.in

correct the typo to whitelist-usr-share-common.inc and try again.

bbhtt commented 4 years ago

> correct the typo to whitelist-usr-share-common.inc and try again.

I checked it, there isn't a typo? Maybe @CocoR55 typed it wrong here, edited the profile or doesn't have that file in /etc/firejail. For the last case, commenting the line works too, I checked (insert a "#" in front of the line and save); or this

My test environment (no changes were made to /etc/firejail/firejail.config):

$ firejail --version
firejail version 0.9.62
$
System:
  Kernel: 5.4.0-40-generic x86_64 bits: 64 compiler: gcc v: 9.3.0 
  Desktop: Xfce 4.14.2 Distro: Ubuntu 20.04 LTS (Focal Fossa) 

CocoR55 commented 4 years ago

@rusty-snake

$ firejail --profile=~/.config/firejail/tutanota-desktop-linux.AppImage.profile ./tutanota-desktop-linux.appimage --appimage-extract-and-run
Reading profile /home/michaou/.config/firejail/tutanota-desktop-linux.AppImage.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Error: cannot access profile file: whitelist-usr-share-common.inc

I had mistyped and forgotten the letter c in my previous message

@kortewegdevries I don't see any tutanota-desktop-linux.AppImage.profile in /etc/firejail

/etc/firejail $ ls | grep -i tutanota-desktop-linux.AppImage.profile
/etc/firejail $

I inserted a "#" in front of the line as you can see on the second one below:

# include whitelist-common.inc
# include whitelist-usr-share-common.inc
include whitelist-var-common.inc

If I give a look at /etc/firejail $ cat firejail.config all lines still start with a # (comment)

$ firejail --profile=~/.config/firejail/tutanota-desktop-linux.AppImage.profile ./tutanota-desktop-linux.appimage --appimage-extract-and-run
Reading profile /home/michaou/.config/firejail/tutanota-desktop-linux.AppImage.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 5419, child pid 5420
Child process initialized in 142.11 ms
Error: no suitable ./tutanota-desktop-linux.appimage executable found

Parent is shutting down, bye...

$ firejail --version
firejail version 0.9.60

Compile time support:

bbhtt commented 4 years ago

> Error: no suitable ./tutanota-desktop-linux.appimage executable found

You should run this in the directory where the appimage is located, like for mine I had it in ~/Downloads. Also make sure the filename is exactly the same as yours; if not change it to yours. Open a terminal there or cd /path/to/appimage/directory/ and run the command. You don't have to search in firejail.config, I meant that I tested with all default options there. Also what is your distro? Looks like Firejail needs an update maybe? Also, just to make sure, if you didn't, you need to re-download the profile I gave from above because I had to change something in it :)

CocoR55 commented 4 years ago

Now:

# firejail --version
firejail version 0.9.62

~/Documents/TutanotaAppimage $ ls
tuta tutanota-desktop-linux.AppImage
~/Documents/TutanotaAppimage $ firejail --profile=~/.config/firejail/tutanota-desktop-linux.AppImage.profile ./tutanota-desktop-linux.AppImage --appimage-extract-and-run
Reading profile /home/michaou/.config/firejail/tutanota-desktop-linux.AppImage.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 18373, child pid 18374
Child process initialized in 197.92 ms
Error: no suitable ./tutanota-desktop-linux.AppImage executable found

Parent is shutting down, bye...

~/Documents/TutanotaAppimage $ cd ~/.config/firejail
~/.config/firejail $ ls
tutanota-desktop-linux.AppImage.profile

You can see that the file names are the same in the directory and in the command. Without firejail that works.

~/Documents/TutanotaAppimage $ ./tutanota-desktop-linux.AppImage
[2020-07-03T18:05:36.179Z] the monkey has been patche.............

cat /etc/lsb-release
DISTRIB_ID=LinuxMint
DISTRIB_RELEASE=18.3
DISTRIB_CODENAME=sylvia
DISTRIB_DESCRIPTION="Linux Mint 18.3 Sylvia"
Cinnamon

Some remarks:

The line: noblacklist ${HOME}/.config/tutanota-desktop/ shouldn't it be something like noblacklist ${HOME}/.config/tutanota-desktop-linux/ ?

The lines:

# **apparmor**
caps.drop all
ipc-namespace
machine-id

are not inconsistent with: firejail version 0.9.62 Compile time support:

rusty-snake commented 4 years ago

> Error: no suitable ./tutanota-desktop-linux.AppImage executable found

Do you have mounted /home with noexec?

> ~/Documents/TutanotaAppimage

include disable-xdg.inc contains blacklist ${DOCUMENTS}.

> The line: noblacklist ${HOME}/.config/tutanota-desktop/ shouldn't it be something like noblacklist ${HOME}/.config/tutanota-desktop-linux/ ?

Yes, whitelist, blacklist, noblacklist should not have a trailing /.

> The lines: …… are not inconsistent with: firejail version 0.9.62

Why? 0.9.62 supports these lines.

> • AppArmor support is disabled....?

Linux Mint does not use AA by default, therefore they likely do not enable AA support in firejail.

glitsj16 commented 4 years ago

> Reading profile /etc/firejail/disable-xdg.inc

@CocoR55 The above line indicates your custom profile includes disable-xdg.inc. The latter blacklists ${DOCUMENTS} (amongst others). So when you put the appimage in a location like ${HOME}/Documents/TutanotaAppimage/tutanota-desktop-linux.AppImage firejail will not find it because that directory is blacklisted.

You can either add 'noblacklist ${DOCUMENTS}' to your ~/.config/firejail/tutanota-desktop-linux.AppImage.profile (by convention we put such an override above the line where you include disable-xdg.inc) or move the appimage somewhere else. In any case you'll need to make sure that the directory where you put it is not blacklisted in your profile.
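
The blacklist lookup described in the comment above, as an added shell example that is not part of the original thread and not firejail's own parser: it walks a profile and its includes and reports which blacklist rule covers a given path. The sample files are constructed stand-ins, the function names are hypothetical, `${DOCUMENTS}` is assumed to resolve to `$HOME/Documents`, and a `noblacklist` is honoured only when it precedes the `blacklist`, matching the placement convention above.

```shell
#!/bin/sh
# Simplified walk of a firejail profile (added example, not firejail code).
# Assumption: ${DOCUMENTS} resolves to $HOME/Documents.

expand() {  # expand the two macros used here and drop a trailing slash
  printf '%s\n' "$1" | sed -e 's|[$]{HOME}|'"$HOME"'|g' \
    -e 's|[$]{DOCUMENTS}|'"$HOME"'/Documents|g' -e 's|/$||'
}

walk() {  # $1=profile file  $2=directory holding the .inc files  $3=target path
  while read -r kw arg; do
    case $kw in
      include) [ -f "$2/$arg" ] && walk "$2/$arg" "$2" "$3" ;;
      noblacklist) ALLOWED="$ALLOWED
$(expand "$arg")" ;;
      blacklist)
        p=$(expand "$arg")
        case $3 in
          "$p"|"$p"/*)
            # only a noblacklist seen earlier in the walk exempts the path
            printf '%s\n' "$ALLOWED" | grep -qxF -- "$p" ||
              HITS="$HITS${1##*/}: blacklist $arg
" ;;
        esac ;;
    esac
  done < "$1"
  return 0
}

blacklist_hits() {  # prints the rules that hide the target; status 1 if any
  ALLOWED= HITS=
  walk "$1" "$2" "$3"
  printf '%s' "$HITS"
  [ -z "$HITS" ]
}

# Constructed sample files (stand-ins for the custom profile and disable-xdg.inc)
DEMO=$(mktemp -d)
printf 'blacklist ${DOCUMENTS}\n' > "$DEMO/disable-xdg.inc"
printf 'include disable-xdg.inc\n' > "$DEMO/before.profile"
printf 'noblacklist ${DOCUMENTS}\ninclude disable-xdg.inc\n' > "$DEMO/after.profile"
APP="$HOME/Documents/TutanotaAppimage/tutanota-desktop-linux.AppImage"

blacklist_hits "$DEMO/before.profile" "$DEMO" "$APP" || echo "before.profile: AppImage hidden"
blacklist_hits "$DEMO/after.profile" "$DEMO" "$APP" && echo "after.profile: AppImage reachable"
```
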

CocoR55 commented 4 years ago

Thank you all for your messages and help.

@glitsj16 Explanation is clear. The folder ${HOME}/Documents/TutanotaAppimage is replaced by ${HOME}/Tuta. From this last directory:

$ firejail --profile=~/.config/firejail/tutanota-desktop-linux.AppImage.profile ./tutanota-desktop-linux.AppImage --appimage-extract-and-run
Error: no suitable ./tutanota-desktop-linux.AppImage executable found

I did many tries. There, the summary:

$ firejail --noprofile ./tutanota-desktop-linux.AppImage
is OK

$ firejail --noprofile ./tutanota-desktop-linux.AppImage --appimage-extract-and-run
is OK with huge quantity of comments.

Like kortewegdevries above, if the tutanota-desktop-linux.AppImage.profile file is moved in the ${HOME}/Tuta folder and for the purpose of authorizing the execution of fusermount, the two lines below are added in this profile file:

noblacklist /bin/
noblacklist /usr/share/bash-completion/completions

$ firejail --profile=tutanota-desktop-linux.AppImage.profile ./tutanota-desktop-linux.AppImage --appimage-extract-and-run
is OK

Remark: On a site, I had read that the command should be $ firejail --appimage ................ but if I add --appimage it does not work. I don't understand why we have to move the profile to the Tuta directory. I searched in the blacklists and didn't see a .config/firejail directory. I don't have an explanation. To allow the execution of fusermount, I put an override in the profile for in the two files where I found it. There may be a better method......

CocoR55 commented 4 years ago

A last small issue:

Error message: EROFS: read-only file system, open '/home/michaou/.local/share/applications/tutanota-desktop.desktop'
Stacktrace: Error: EROFS: read-only file system, open '/home/michaou/.local/share/applications/tutanota-desktop.desktop'

Solved by chmod 555 tutanota-desktop.desktop

Thank you all for your help.

CocoR55