netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0
5.84k stars 568 forks source link

keepassxc: program does not start on BSPWM #3549

Open seniorm0ment opened 4 years ago

seniorm0ment commented 4 years ago

The profile firecfg grabbed for Keepassxc seems to not want to allow it to open? If I run ps aux | grep keepassxc I notice two entries relating to /usr/bin/keepassxc and one called [keepassxc] defunct, If I killall keepassxc they all go away.

I can't get keepassxc open and this is problematic for me lol. Would appreciate some help, am still new to using Firejail.

I'm running Artix x86_64, 5.7.8.a-1-hardened kernel, BSPWM, Firejail 0.9.62

rusty-snake commented 4 years ago

firejail version?

seniorm0ment commented 4 years ago

@rusty-snake 0.9.62

bbhtt commented 4 years ago

This is too obvious but have you configured the symlinks or tried with firejail --profile=name.profile /usr/bin/program,firejail --noprofile /usr/bin/program or its default profile on a terminal? If so are there any errors?

rusty-snake commented 4 years ago

firejail --profile=name.profile /usr/bin/program

firejail --profile=name /usr/bin/program

default profile

Why should it be tested with default.profile if it has a own profile?

[keepassxc] defunct

defunct is often caused by seccomp (seccomp, protocol, mdwe). If you use hardened-malloc it could also be private-etc.

seniorm0ment commented 4 years ago

@kortewegdevries Again, am new to Firejail so not too obvious my bad. firejail --noprofile /usr/bin/keepassxc did launch it no issues. If I run firejail --profile=keepassxc.profile, it gives me an error inaccessible profile file. I can see and read the profile no issues in /etc/firejail/keepassxc.profile. As for symlinks, I thought firecfg did this? I do see it under firecfg --list, /usr/local/bin/keepassxc so it seems to be linked.

And even if not, I did setup the hooks file as found in the Arch wiki which seemed it did this on install uograde and removal for anything. https://wiki.archlinux.org/index.php/Firejail#Using_Firejail_by_default

rusty-snake commented 4 years ago

Again, am new to Firejail so not too obvious my bad.

If you had followed the issue template ...

If I run firejail --profile=keepassxc.profile, it gives me an error inaccessible profile file. I can see and read the profile no issues in /etc/firejail/keepassxc.profile.

--profile=keepassxc.profile tells firejail to look for keepassxc.profile in the current working directory. --profile=keepassxc tells firejail to look for keepassxc in . then for keepassxc.profile in ~/.config/firejail and then in /etc/firejail.


So anything in the terminal / syslog?

bbhtt commented 4 years ago

Why should it be tested with default.profile if it has a own profile?

I meant to try with firejail --profile... with the profile it comes with, not the "default.profile". It was missing an "its" :) The pacman hook should work.

seniorm0ment commented 4 years ago

If you followed the issue template

I was not provided with an issue template when creating an issue.

--profile=keepassxc.profile tells firejail to look for keepassxc.profile in the current working directory. --profile=keepassxc tells firejail to look for keepassxc in . then for keepassxc.profile in ~/.config/firejail and then in /etc/firejail.

Oh, in that case, if I run firejail --profile=keepassxc It shows a list of reading profile commands which relate to the include commands in the /etc/firejail/keepassxc.profile, then says warning noroot option is not available, then gived an error: shell=none configured, but no program specified

rusty-snake commented 4 years ago

I was not provided with an issue template when creating an issue.

How do you opened the issue?

I meant to try with ……

To say "default profile" in firejail context is always confusing, best is "default.profile" or "foo.profile" or "its profile" (no default).

Oh, in that case, if I run firejail --profile=keepassxc

is lost somewher: full command is firejail --profile=keepassxc /usr/bin/keepassxc

seniorm0ment commented 4 years ago

@rusty-snake

How do you opened the issue? Fasthub-Libre, am on my phone. Usually when creating issues it has no problem grabbing templates, nothing showed when making an issue here.

full command is firejail --profile=keepassxc /usr/bin/keepassxc

Ah, my bad. It shows reading profile from /etc/firejail/keepassxc, and reading profile from all the includes like disable-common, disable-devel, etc as specified within the keepassxc profile. Then it shows the parent and child pid. Then says Skipping alternatives for private /etc. Then 3 programs installed in 29.70ms. Then warning /sbin dir link was not blacklisted. Then /usr/sbin dir link was not blacklisted. Then blacklist violations are logged to syslog. Child process initialized in 125ms.

Sorry I can't copy paste, am on my phone lol. I'm not seeing anything relating to keepassxc or firejail in /var/log/syslog, however in /var/log/messages.log I see

Kernel: audit: type=1326 audit(long number): auir=1000 uid=1000 gid=1000 ses=1 pid=8066 comm=keepassxc exe=/usr/bin/keepassxc sig=31 arch=c000003e syscall=303 compat=0 ip=longhex code=0x0
rusty-snake commented 4 years ago

Try to add seccomp !name_to_handle_at to keepassxc (replace seccomp).

seniorm0ment commented 4 years ago

@rusty-snake You're suggesting replacing to

seccomp !keepassxc

? Upon doing that, and running firejail --profile=keepassxc /usr/bin/keepassxc at the bottom of the previously stated output, I now see

post-exec seccomp protector enabled
Seccomp list in: !keepassxc, check list: @default-keep, child process initalized.

Still not opening keepassxc though.

rusty-snake commented 4 years ago

No, seccomp !name_to_handel_at.

seniorm0ment commented 4 years ago

Ah, it removed the seccomp line from output so seemed to work, but still not launching. The only notable error left I see is the

Error: --shell=none configured, but no program specified
rusty-snake commented 4 years ago

Start it with firejail --profile=keepassxc /usr/bin/keepassxc, firejail keepassxc or keepassxc (firecfg).

seniorm0ment commented 4 years ago

@rusty-snake

firejail --profile=keepassxc /usr/bin/keepassxc

Doesn't work, that's what gave the shell error.

firejail keepassxc

This worked, how come when just launching through Rofi it has issues? When launching other programs through Rofi, it uses firejail no issue if they have a profile. Also this doesn't follow my bspc (bspwmrc) rule to send keepassxc to desktop 10, no issues with other programs using firejail? bspc rule -a keepassxc desktop='^10' follow=on focus=on

keepassxx (firecfg)

Are you suggesting just keepassxc? If so it does the same as the previous.

rusty-snake commented 4 years ago

If you execute firecfg, all tree should do the same.

seniorm0ment commented 4 years ago

Ah, executing firecfg fixed the issue with rofi, and now keepassxx launches no issues.

But keepassxc still doesn't follow my bspc rule as it used to?

And lastly, does this mean there's an issue with the default profile for keepassxc I assume? Will this be fixed? Or is this just a "me issue" I had?

rusty-snake commented 4 years ago

Doesn't work, that's what gave the shell error.

What??

but keepassxc still doesn't follow my bspc rule as it used to?

Only if keepassxc is firejailed?

seniorm0ment commented 4 years ago

What??

Forget that, I think it fixed itself after rerunning firecfg. It seems to be working now.

but keepassxc still doesn't follow my bspc rule as it used to?

Only if keepassxc is firejailed?

Yeah it was having no issues moving Keepassxc to desktop 10 on launch, via the bspc rule I stated above, before setting up Firejail. Now it just launched on whatever display I'm currently on instead of going to desktop 10. Any ideas on how to fix so it follows my bspc rule?

rusty-snake commented 4 years ago

Looks like you need to try which option cause this behaviour. (Maybe one of machine-id, private-etc, net none, protocol?)

seniorm0ment commented 4 years ago

Hmm, disabling any of those plus the others didn't seem to fix it. I tried running firejail --noprofile /usr/bin/keepassxc and that isn't working either which makes no sense because that simply ignores firejail profile correct? I also notice that if I open keepassxc, then open a new window next to it, it ignores my rules about gaps. So it seems like keepassxc is now ignoring my bspwmrc?

Now BSPWM does use a script for it's config, it's in .config/bspwm/bwpsmrc and that is chmod +x so it's executable, I did try adding a noblacklist to that path in the firejail profile and that seemed to not work as well.

Either way, the issue seems to be keepassxc not reading my bspwmrc because it ignores the gaps, and that's where you set the rule to which window it opens on which would explain why it's not opening to desktop 10. But I can't figure out what is causing the issue.

seniorm0ment commented 4 years ago

Still was having issues with getting KeepassXC to be pushed to desktop 10.

But, I am having another issue. So, I just ran a full update, and all my Firecfg profiles reset. I have a hook added, to autograb the Firecfg profiles (as provided by the arch wiki), I figured it would preserve the profiles I edited, on updates if any changes were made, but it looks like it completely replaces them? Is there a way to get Firecfg profiles to auto apply to programs on install, or when they are newly added and found when updating a program, but don't overwrite profiles that are already there or have changed? Or warn if there's an update to one of the Firecfg profiles I have edited, or something idk..?

Anyways, the specific issue I'm having is the same as creating this thread, KeepassXC is not opening to GUI anymore. I can't even get the secocmp fix to work, or the noprofile or specifically specifying the profile. I added seccomp !name_to_handle_at, then rerunning sudo firecfg as previously fixed, it did not fix this time.

$ firejail --list
4387:gravity::/usr/bin/firejail /usr/bin/firefox
4746:gravity:keepassxc:/usr/bin/firejail /usr/bin/keepassxc
$ firejail --profile=keepassxc /usr/bin/keepassxc
Reading profile /etc/firejail/keepassxc.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Switching to pid 4747, the first child process inside the sandbox
Error: --shell=none configured, but no program specified
Warning: removing 1 bytes from stdin
$ firejail --noprofile /usr/bin/program
Parent pid 6725, child pid 6726
Child process initialized in 3.37 ms
zsh:1: no such file or directory: /usr/bin/program

Parent is shutting down, bye...

Not sure what's going on.

# Firejail profile for keepassxc
# Description: Cross Platform Password Manager
# This file is overwritten after every install/update
# Persistent local customizations
include keepassxc.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/*.kdb
noblacklist ${HOME}/*.kdbx
noblacklist ${HOME}/.config/keepassxc
noblacklist ${HOME}/.keepassxc
# 2.2.4 needs this path when compiled with "Native messaging browser extension"
noblacklist ${HOME}/.mozilla
noblacklist ${DOCUMENTS}

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc

whitelist /usr/share/keepassxc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

caps.drop all
machine-id
net none
no3d
nodvd
# Breaks 'Lock database when session is locked or lid is closed' (#2899).
# Also breaks (Plasma) tray icon,
# you can safely uncomment it or add to keepassxc.local if you don't need these features.
#nodbus
nogroups
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix,netlink
seccomp !name_to_handle_at
shell none
tracelog

private-bin keepassxc,keepassxc-cli,keepassxc-proxy
private-dev
private-etc alternatives,fonts,ld.so.cache,machine-id
private-tmp

# Mutex is stored in /tmp by default, which is broken by private-tmp
join-or-start keepassxc
bbhtt commented 4 years ago

I have a hook added, to autograb the Firecfg profiles (as provided by the arch wiki), I figured it would preserve the profiles on updates if any changes were made, but it looks like it completely replaces them?

On Debian you get a Y/N/I/O option to preserve your current profile,install the updated one or compare side by side during a upgrade, I don't think there is something similar with pacman. It is always better to put your local changes in ~/.config/firejail/ since system-wide profiles will get replaced as it is written on top of each profile.

Is there a way to get Firecfg profiles to auto apply to programs on install,...

That's what the hook does?

This looks like a different error, are you on 0.9.62.4-1?

$ firejail --noprofile /usr/bin/program

Are you doing this with an actual program or as an example?

seniorm0ment commented 4 years ago

It is always better to put your local changes in ~/.config/firejail/ since system-wide profiles will get replaced as it is written on top of each profile.

Ah, ok this makes more sense.

This looks like a different error, are you on 0.9.62.4-1?

firejail version 0.9.62.4, just updated it when I ran the system update.

$ firejail --noprofile /usr/bin/program

Are you doing this with an actual program or as an example?

Oh, that's my mistake, my brain has been all over the place lately. firejail --noprofile /usr/bin/keepassxc launches it. Still doesn't actually solve the issue though ofc.

bbhtt commented 4 years ago

Runs fine for me on Arch with the profile you gave, did you change anything/does the original profile end in the same error?

seniorm0ment commented 4 years ago

Does the original profile end in the same error? Using the stock profile (just unedited my one edit, ignore the path being .config--and yes I ran sudo firecfg), I get the following

Reading profile /home/gravity/.config/firejail/keepassxc.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Switching to pid 4747, the first child process inside the sandbox
Error: --shell=none configured, but no program specified

Did you change anything

Running using the profile below (same as originally, which should be what you ran)

$ firejail --profile=/home/gravity/.config/firejail/keepassxc.profile /usr/bin/keepassxc
Reading profile /home/gravity/.config/firejail/keepassxc.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Switching to pid 4747, the first child process inside the sandbox
Error: --shell=none configured, but no program specified

The profile (the only edit from stock is changed seccomp to seccomp !name_to_handle_at):

# Firejail profile for keepassxc
# Description: Cross Platform Password Manager
# This file is overwritten after every install/update
# Persistent local customizations
include keepassxc.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/*.kdb
noblacklist ${HOME}/*.kdbx
noblacklist ${HOME}/.config/keepassxc
noblacklist ${HOME}/.keepassxc
# 2.2.4 needs this path when compiled with "Native messaging browser extension"
noblacklist ${HOME}/.mozilla
noblacklist ${DOCUMENTS}

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc

whitelist /usr/share/keepassxc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

caps.drop all
machine-id
net none
no3d
nodvd
# Breaks 'Lock database when session is locked or lid is closed' (#2899).
# Also breaks (Plasma) tray icon,
# you can safely uncomment it or add to keepassxc.local if you don't need these features.
#nodbus
nogroups
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix,netlink
seccomp !name_to_handle_at
shell none
tracelog

private-bin keepassxc,keepassxc-cli,keepassxc-proxy
private-dev
private-etc alternatives,fonts,ld.so.cache,machine-id
private-tmp

# Mutex is stored in /tmp by default, which is broken by private-tmp
join-or-start keepassxc
bbhtt commented 4 years ago

No both runs okay for me. I was concerned about the second line more...

Try commenting shell none and append sh,zsh,bash,which in private bin. And run with firejail --profile=/path/to/changed/profile/ /usr/bin/keepassxc in a terminal. If this works, and you want to make this change permanent:

Create a keepassxc.profile in config/firejail, paste all the contents of /etc/firejail/keepassxc.profile to it and edit in your changes.Now assuming you have made the symlinks using sudo firecfg or in your case the hook, and it is in your path, type keepassxc on a terminal and it'll load the profile in config, check the output on terminal etc...

By the way, are you using a script to launch firejailed programs, what's "rofi"?

seniorm0ment commented 4 years ago

Try commenting shell none and append sh,zsh,bash,which in private bin. firejail --profile=/path/to/changed/profile/ /usr/bin/keepassxc

$ firejail --profile=/home/gravity/.config/firejail/keepassxc.profile /usr/bin/keepassxc
Reading profile /home/gravity/.config/firejail/keepassxc.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Switching to pid 4747, the first child process inside the sandbox
Child process initialized in 33.40 ms
execvp: No such file or directory

Shell error gone, new one though. Not sure where it's trying to pull execvp from. I don't see anything like that in the config unless I'm missing it. I searched vp and exec, nothing showed for vp, exec only resolved one line which seemed irrelevant.

By the way, are you using a script to launch firejailed programs, what's "rofi"?

rofi is a dmenu alternative (tiling wm). It is working perfectly fine with my other programs, I confirmed with firejail --list and they all show. Also previously above, when I had KeepassXC working with firejail rofi was launching it in firejail no issues, I believe it is irrelevant.

bbhtt commented 4 years ago

What shell are you using? zsh? Did you add them to private-bin? execvp is not a program but a system call...

seniorm0ment commented 4 years ago

What shell are you using? zsh?

zsh, correct.

Did you add them to private-bin?

Yes, unless I did it incorrectly? Just append too the private-bin line as done below, correct?

# Firejail profile for keepassxc
# Description: Cross Platform Password Manager
# This file is overwritten after every install/update
# Persistent local customizations
include keepassxc.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/*.kdb
noblacklist ${HOME}/*.kdbx
noblacklist ${HOME}/.config/keepassxc
noblacklist ${HOME}/.keepassxc
# 2.2.4 needs this path when compiled with "Native messaging browser extension"
noblacklist ${HOME}/.mozilla
noblacklist ${DOCUMENTS}

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc

whitelist /usr/share/keepassxc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

caps.drop all
machine-id
net none
no3d
nodvd
# Breaks 'Lock database when session is locked or lid is closed' (#2899).
# Also breaks (Plasma) tray icon,
# you can safely uncomment it or add to keepassxc.local if you don't need these features.
#nodbus
nogroups
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix,netlink
seccomp !name_to_handle_at 
# shell none
tracelog

private-bin keepassxc,keepassxc-cli,keepassxc-proxy,zsh,bash,sh,which
private-dev
private-etc alternatives,fonts,ld.so.cache,machine-id
private-tmp

# Mutex is stored in /tmp by default, which is broken by private-tmp
join-or-start keepassxc
bbhtt commented 4 years ago

Commenting private-bin works?

seniorm0ment commented 4 years ago

Commenting private-bin works?

Nope :/, same execvp: No such file or directory issue.

bbhtt commented 4 years ago

Calling it from a terminal $ keepassxc has the same effect with/without the two changes I said? or keeping shell none and private-bin commented: firejail --shell=/bin/zsh (or /bin/bash) --profile=keepassxc /usr/bin/keepassxc ?

seniorm0ment commented 4 years ago

Calling it from a terminal $ keepassxc has the same effect with/without the two changes I said?

Correct, except one was the shell error, now it's just the execvp error after doing the changes.

firejail --shell=/bin/zsh (or /bin/bash) --profile=keepassxc /usr/bin/keepassxc

This give's me an invalid option --profile=firejailprofiledir after --join error

bbhtt commented 4 years ago

The execvp is caused because shell none is commented, it should've been gone if the shell (bash,sh,zsh etc) was allowed in private-bin or private-bin was commented, I don't know why it is still gives the same error.

Your first error "shell none but no program" happens when you try firejail --profile=abcd <> without specifying an executable in "<>", I still don't know why after specifying keepassxc there, it occurs.

This give's me an invalid option --profile=firejailprofiledir after --join error

How did you run that?

Try clearing up the symlinks sudo firecfg --clean, followed by sudo firecfg, remove the keppassxc profile in config, followed by $ keepassxc on a terminal. What happens?

seniorm0ment commented 4 years ago

How did you run that?

I tried both firejail --shell=/bin/zsh --profile=keepassxc /usr/bin/keepassxc & firejail --shell=/bin/zsh (or /bin/bash) --profile=/home/gravity/.config/firejail/keepassxc.profile /usr/bin/keepassxc

Try clearing up the symlinkssudo firecfg --clean, followed by sudo firecfg, remove the keepassxc profile in config, followed by $keepassxc on a terminal. What happens?

Ran sudo firtecfg --clean, sudo firecfg, removed keepassxc from .config/firejail..

$ keepassxc
Reading profile /etc/firejail/keepassxc.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Switching to pid 4747, the first child process inside the sandbox
Child process initialized in 34.06 ms
Another instance of KeePassXC is already running.

$ killall keepassxc
$ firejail --list
4746:gravity:keepassxc:/usr/bin/firejail /usr/bin/keepassxc
13945:gravity::/usr/bin/firejail /usr/bin/telegram-desktop
20536:gravity::/usr/bin/firejail /usr/bin/firefox

$ kill 4746
$ firejail --list
13945:gravity::/usr/bin/firejail /usr/bin/telegram-desktop
20536:gravity::/usr/bin/firejail /usr/bin/firefox

$ keepassxc

Now it works right there, although there are a ton of warnings and errors in the output.

$ keepassxc
Reading profile /etc/firejail/keepassxc.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 17162, child pid 17163
Warning: skipping alternatives for private /etc
Private /etc installed in 14.06 ms
3 programs installed in 506.51 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Blacklist violations are logged to syslog
Post-exec seccomp protector enabled
Seccomp list in: !name_to_handle_at, check list: @default-keep, prelist: unknown,
Child process initialized in 640.13 ms
libGL error: MESA-LOADER: failed to retrieve device information
libGL error: Version 4 or later of flush extension not found
libGL error: failed to load driver: i915
libGL error: failed to open /dev/dri/card0: No such file or directory
libGL error: failed to load driver: i965
bbhtt commented 4 years ago

The warnings are harmless,it's because 3d drivers are blocked by "no3d",you don't need 3d drivers unless it's a game or a video player etc.

seniorm0ment commented 4 years ago

Alright understood, not sure exactly what broke or what happened but seems to still be working. Thank you. That just brings me back to the previous issue I left off on, which was getting KeepassXC to follow my BSPC (BSPWM) rule to open to Desktop 10. Still haven't figured that out, if anyone ends up figuring it out please let me know.

bbhtt commented 4 years ago

Is it a shell script? I think,for a script to execute itself we need to add shell to private-bin,ignore noexec ${HOME},the program that executes the script(part of your WM) and how it is executed,a noblacklist and a whitelist (if needed). If noprofile fails it's hard.

An example program that follows the rule when firejailed?

seniorm0ment commented 4 years ago

Is it a shell script?

Yeah, the BSPWMRC is a shell script.

I think,for a script to execute itself we need to add shell to private-bin,ignore noexec ${HOME},the program that executes the script(part of your WM) and how it is executed,a noblacklist and a whitelist (if needed). If noprofile fails it's hard.

You lost me a bit,

If noprofile fails it's hard.

I'm confused what you mean by this?

An example program that follows the rule when firejailed?

What exactly are you asking for here?

# Firejail profile for keepassxc
# Description: Cross Platform Password Manager
# This file is overwritten after every install/update
# Persistent local customizations
include keepassxc.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/*.kdb
noblacklist ${HOME}/*.kdbx
noblacklist ${HOME}/.config/keepassxc
noblacklist ${HOME}/.keepassxc
# 2.2.4 needs this path when compiled with "Native messaging browser extension"
noblacklist ${HOME}/.mozilla
noblacklist ${DOCUMENTS}
noblacklist ${HOME}/.config/bspwm

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc

whitelist /usr/share/keepassxc
whitelist ${HOME}/.config/bspwm
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

ignore noexec ${HOME}/.config/bspwm/bspwmrc

caps.drop all
machine-id
net none
no3d
nodvd
# Breaks 'Lock database when session is locked or lid is closed' (#2899).
# Also breaks (Plasma) tray icon,
# you can safely uncomment it or add to keepassxc.local if you don't need these features.
#nodbus
nogroups
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix,netlink
seccomp !name_to_handle_at
shell none
tracelog

private-bin keepassxc,keepassxc-cli,keepassxc-proxy,zsh
private-dev
private-etc alternatives,fonts,ld.so.cache,machine-id
private-tmp

# Mutex is stored in /tmp by default, which is broken by private-tmp
join-or-start keepassxc
$ keepassxc
Reading profile /home/gravity/.config/firejail/keepassxc.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 24433, child pid 24434
Warning: skipping alternatives for private /etc
Private /etc installed in 12.33 ms
4 programs installed in 40.83 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Blacklist violations are logged to syslog
Post-exec seccomp protector enabled
Seccomp list in: !name_to_handle_at, check list: @default-keep, prelist: unknown,
Child process initialized in 153.59 ms
libGL error: MESA-LOADER: failed to retrieve device information
libGL error: Version 4 or later of flush extension not found
libGL error: failed to load driver: i915
libGL error: failed to open /dev/dri/card0: No such file or directory
libGL error: failed to load driver: i965

With this config, keepassxc opens, but it is not my keepassxc. It seems like a completely uncustomized fresh keepassxc. Also it does not follow the rule to send to desktop 10 still. Hmm..

bbhtt commented 4 years ago

If --noprofile fails it is hard to follow the config,I meant is there any program that follows the BSPWM rules when firejailed?

Two posts above it was reading the profile in /etc/firejail, how is it now reading /home/gravity/.config/firejail/keepassxc.profile?

Nevermind I saw the change you made: Don't add the whitelist bspwm else you would need to whitelist every directory in the noblacklist secition of the profile. Also this is not needed since there is no corresponding blacklist of it noblacklist ${HOME}/.config/bspwm...

seniorm0ment commented 4 years ago

If --noprofile fails it is hard to follow the config,I meant is there any program that follows the BSPWM rules when firejailed?

Ah, yeah Telegram and Firefox follow it no issue

# Firejail profile for telegram
# This file is overwritten after every install/update
# Persistent local customizations
include telegram.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/.TelegramDesktop
noblacklist ${HOME}/.local/share/TelegramDesktop
noblacklist ${HOME}/documents
noblacklist ${HOME}/pictures
noblacklist ${HOME}/downloads

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-programs.inc

caps.drop all
netfilter
nodvd
nonewprivs
noroot
notv
protocol unix,inet,inet6
seccomp

disable-mnt
private-cache
private-tmp

That's the telegram profile.

Don't add the whitelist bspwm else you would need to whitelist every directory in the noblacklist secition of the profile.

Ok, I removed the whitelist line, it fixed the issue with Keepassxc opening fresh, and now seems to be my config. It still does not seem to want to follow the bspwmrc rule though.

bbhtt commented 4 years ago

Comment out private-bin and check. Is bspc monitor an executable, meaning you can execute it in a terminal?

When you said

Hmm, disabling any of those plus the others didn't seem to fix it.

did you comment all options in the profile? If that's the case, there isn't much we can do to make it follow the desktop rule, sorry. You can try switching your shell to bash to see if anything changes...

Remove these: noblacklist ${HOME}/.config/bspwm,whitelist ${HOME}/.config/bspwm, ignore noexec ${HOME}/.config/bspwm/bspwmrc, (zsh from private-bin for now since shell none is set we don't need it) from your profile in config directory that's not how they work.

seniorm0ment commented 4 years ago

Comment out private-bin and check.

Is bspc monitor an executable, meaning you can execute it in a terminal? bspc rule (bspc rule -a keepassxc desktop='^10' follow=on focus=on ) is a rule for BSPWM. BSPWMRC is the actual executable shell script to configure BSPWM window manager.

Hmm, disabling any of those plus the others didn't seem to fix it. did you comment all options in the profile?

I assume you mean these?

machine-id, private-etc, net none, protocol

Just tried commenting them, did not fix it.

You can try switching your shell to bash to see if anything changes

Didn't do anything.

Remove these: noblacklist ${HOME}/.config/bspwm,whitelist ${HOME}/.config/bspwm, ignore noexec ${HOME}/.config/bspwm/bspwmrc, (zsh from private-bin for now since shell none is set we don't need it) from your profile in config directory that's not how they work.

Alright, removed. I thought you were suggesting to add them which is why I did. Now we're pretty much back where we were. Keepassxc still launches fine, just doesn't follow the bspwm rules ofc.

If that's the case, there isn't much we can do to make it follow the desktop rule, sorry.

Does it make any sense that I don't have issues with Telegram or Firefox following the rules? It just seems to be KeepassXC?

bbhtt commented 4 years ago

I assume you mean these?

Not only those three, when rusty-snake asked you to comment the profile, it was the whole profile, meaning each line, like brute force the line(s) that might cause the issue, those three were examples... Ideally you don't need to touch the noblacklist and include lines in this brute-force, the last-section of private-* (bin was most likely, but it was not) and the middle part.

Alright, removed. I thought you were suggesting to add them which is why I did. Now we're pretty much back where we were. Keepassxc still launches fine, just doesn't follow the bspwm rules ofc.

I meant it could be a possibility that we need to do those, that's why I asked you to show me another profile that's working under bspwm... since they were not needed anymore I told you to remove them. And not having shell is better than having it in private-bin security-wise

seniorm0ment commented 4 years ago

Not only those three, when rusty-snake asked you to comment the profile, it was the whole profile, meaning each line, like brute force the line(s) that might cause the issue, those three were examples... Ideally you don't need to touch the noblacklist and include lines in this brute-force, the last-section of private-* (bin was most likely, but it was not) and the middle part.

Ah okay, my misunderstanding. I'll try it when I get home in a bit and report back.

I meant it could be a possibility that we need to do those, that's why I asked you to show me another profile that's working under bspwm...

Which I did, I sent the Telegram profile above.

rusty-snake commented 4 years ago

still need help?

seniorm0ment commented 4 years ago

With KeepassXC working no, however getting the window to open on workspace number in bsowm still having issues, i can't remember if I tried the last method I left off here, think I forgot otherwise I would've responded. I'll try sometime this week.