Closed 1984-is-1984 closed 3 years ago
Hints:
firefox.profile doesn't allow exec inside $HOME by default. However, you don't need to use it since there are profiles for the TBB. Entries in globals.local such as apparmor will also make $HOME noexec. What's in your globals.local?
firefox.profile, tor-browser*.profile, torbrowser-launcher.profile, start-tor-browser.profile and start-tor-browser.desktop.profile are all whitelisting profiles which do not whitelist ${HOME}/.firejailed-tor-browser (or whatever).

Wow, that's an incredibly quick response and I really admire that!
OK, so I want to use the TB with your profile for firejail 0.9.62 anyway, so I'll list the paths and contents of all files:
1st: firejailed-tor-browser.profile under /home/userx/.config/firejail/, content:
# Persistent local customizations
include firejailed-tor-browser.local
# Persistent global definitions
include globals.local
# Note: PluggableTransports didn't work with this profile
ignore noexec ${HOME}
noblacklist ${HOME}/.firejailed-tor-browser
blacklist /opt
blacklist /srv
blacklist /usr/games
blacklist /usr/local
blacklist /usr/src
blacklist /var
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
whitelist ${RUNUSER}/pulse
whitelist ${HOME}/.firejailed-tor-browser
# Add the next line to firejailed-tor-browser.local to enable better desktop integration
#include whitelist-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc
apparmor
caps.drop all
#hostname host
# Cause some issues
#ipc-namespace
# Breaks sound; enable it if you don't need sound
#machine-id
netfilter
# Disable hardware acceleration
#no3d
nodbus
nodvd
nogroups
nonewprivs
noroot
# Disable sound, enable if you don't need
#nosound
notv
nou2f
novideo
protocol unix,inet,inet6
seccomp !chroot,@memlock,@setuid,@timer,io_pgetevents
seccomp.block-secondary
shell none
# Cause some issues
#tracelog
disable-mnt
private ${HOME}/.firejailed-tor-browser
# These are the minimum required programs to start the TBB,
# you may need to add one or more programs from the commented private-bin line below.
# To get full support of the scripts start-tor-browser, execdesktop and firefox
# (this is a wrapper script, the firefox browser executable is firefox.real) in the TBB,
# add the commented private-bin line to firejailed-tor-browser.local
private-bin bash,dirname,env,expr,file,grep,rm,sh,tclsh
#private-bin cat,cp,cut,getconf,id,kdialog,ln,mkdir,pwd,readlink,realpath,sed,tail,test,update-desktop-database,xmessage,xmessage,zenity
private-cache
private-dev
# This is a minimal private-etc; if there are breakages due to it you need to add more files.
# To get ideas what maybe needs to be added look at the templates:
# https://github.com/netblue30/firejail/blob/28142bbc49ecc3246033cbc810d7f04027c87f4d/etc/templates/profile.template#L151-L162
private-etc machine-id
private-tmp
name firejailed-tor-browser
2nd: firejailed-tor-browser.local under /home/userx/.config/firejail/, content:
# Add the next line to firejailed-tor-browser.local to enable better desktop integration
include whitelist-common.inc
private-bin cat,cp,cut,getconf,gpg,id,kdialog,ln,mkdir,pwd,readlink,realpath,sed,tail,test,update-desktop-database,xmessage,xmessage,zenity
3rd: globals.local under /etc/firejail/, content:
blacklist ${HOME}/.firejailed-tor-browser
4th: disable-programs.local under /home/userx/.config/firejail/, content:
blacklist ${HOME}/.firejailed-tor-browser
Should I whitelist ${HOME}/.firejailed-tor-browser in the globals.local under /etc/firejail/ instead of blacklisting it?
With my profile you need to use firejail --profile=firejailed-tor-browser ${HOME}/Browser/start-tor-browser. --profile is required to use this profile. private ${HOME}/.firejailed-tor-browser: the start-tor-browser is found inside the sandbox under Browser/start-tor-browser instead of .firejailed-tor-browser/Browser/start-tor-browser. (OT: and because of the private, include whitelist-common.inc has no effect; I should update the comment.)

> Should I whitelist ${HOME}/.firejailed-tor-browser in the globals.local under /etc/firejail/ instead of blacklisting it?

NO, adding a whitelist in globals.local would break all blacklisting profiles. noblacklist ${HOME}/.firejailed-tor-browser comes after include globals.local, which means that the blacklist from globals.local is applied. I'm not sure if it breaks because private is used, but maybe it does.
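The ordering point in the answer above (a noblacklist only counters blacklist lines that are parsed after it, and an include is expanded where it stands) can be checked mechanically instead of by reading the include chain by hand. The script below is an added example written for this page; it is not firejail's code and was not posted by anyone in the thread. It assumes a simplified model of firejail's parsing: include lines are expanded in place, searched in the same order firejail uses (~/.config/firejail, then /etc/firejail, via an assumed PROFILE_PATH variable), a missing include such as an absent *.local is skipped, and a noblacklist for a path only disables blacklist lines that come later. It ignores private, whitelist and ignore, and compares paths literally in their ${HOME} form. The fixtures are constructed copies of the files posted above, trimmed, written to a temp dir; the "moved" variant that places the noblacklist in firejailed-tor-browser.local (which the .profile includes before globals.local) is there to show the rule, not a recommendation from the thread.

```shell
#!/bin/sh
# Added example for this page (not firejail's code, not from the thread).
# Assumed, simplified model of firejail's profile parsing order:
#   * `include X` is expanded in place, X searched in PROFILE_PATH (a stand-in
#     for ~/.config/firejail then /etc/firejail); a missing file is skipped;
#   * `noblacklist P` only disables `blacklist P` lines parsed AFTER it.
# private, whitelist, ignore and ${HOME} expansion are not modelled.
# Needs a sh with `local` (dash, bash).
set -u
PROFILE_PATH=${PROFILE_PATH:-$HOME/.config/firejail:/etc/firejail}

# find_profile NAME: print the first matching file from PROFILE_PATH, or nothing.
find_profile() {
  local IFS d
  case $1 in */*) [ -f "$1" ] && printf '%s\n' "$1"; return 0;; esac
  IFS=:
  for d in $PROFILE_PATH; do
    if [ -f "$d/$1" ]; then printf '%s\n' "$d/$1"; return 0; fi
  done
}

# resolve_profile NAME: print NAME's lines with every include expanded in place.
resolve_profile() {
  local path line kw arg
  path=$(find_profile "$1")
  [ -n "$path" ] || return 0            # missing *.local etc. is skipped
  while IFS= read -r line || [ -n "$line" ]; do
    kw=${line%% *}; arg=${line#* }
    if [ "$kw" = include ] && [ "$arg" != "$line" ]; then
      resolve_profile "$arg"
    else
      printf '%s\n' "$line"
    fi
  done < "$path"
}

# first_rule NAME PATH: print blacklist|noblacklist for the first rule naming
# PATH in parsing order, or none. Under the model above, "blacklist" means a
# later noblacklist for PATH has no effect.
first_rule() {
  local r
  r=$(resolve_profile "$1" | while IFS= read -r line; do
        kw=${line%% *}; arg=${line#* }
        case $kw in
          blacklist|noblacklist)
            if [ "$arg" = "$2" ]; then printf '%s\n' "$kw"; exit 0; fi ;;
        esac
      done)
  printf '%s\n' "${r:-none}"
}

# Constructed fixtures (trimmed copies of the files posted in the thread),
# written under a temp dir instead of ~/.config/firejail and /etc/firejail.
make_fixtures() {
  local root
  root=$(mktemp -d)
  mkdir -p "$root/user" "$root/etc"
  cat > "$root/user/firejailed-tor-browser.profile" <<'EOF'
# Persistent local customizations
include firejailed-tor-browser.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.firejailed-tor-browser
include disable-common.inc
whitelist ${HOME}/.firejailed-tor-browser
private ${HOME}/.firejailed-tor-browser
EOF
  printf 'blacklist ${HOME}/.firejailed-tor-browser\n' > "$root/etc/globals.local"
  printf 'include disable-common.local\nblacklist ${HOME}/.ssh\n' > "$root/etc/disable-common.inc"
  printf '%s\n' "$root"
}

# run_layout LOCAL_LINE: first rule for the thread's path, with LOCAL_LINE as
# the content of firejailed-tor-browser.local; fixtures are removed afterwards.
run_layout() {
  local root result
  root=$(make_fixtures)
  printf '%s\n' "$1" > "$root/user/firejailed-tor-browser.local"
  PROFILE_PATH="$root/user:$root/etc"
  result=$(first_rule firejailed-tor-browser.profile '${HOME}/.firejailed-tor-browser')
  rm -rf "$root"
  printf '%s\n' "$result"
}

# As posted: the noblacklist in the .profile comes after include globals.local.
thread_layout() { run_layout ''; }
# Illustration only (assumed, not advice from the thread): noblacklist in the
# .local, which the .profile includes before globals.local.
moved_layout() { run_layout 'noblacklist ${HOME}/.firejailed-tor-browser'; }

printf 'as posted:             %s\n' "$(thread_layout)"   # blacklist
printf 'noblacklist in .local: %s\n' "$(moved_layout)"    # noblacklist
```

first_rule expects the path exactly as it is spelled in the profiles (here the literal ${HOME}/.firejailed-tor-browser), so run it against the same form the blacklist line uses; a whitelist or private line that would change the outcome in real firejail is deliberately not modelled.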
I really appreciate your support @rusty-snake !!!
OK, I've tried your command and it actually worked in some sort of way, but firejail still quit.
So, the command is following: firejail --profile=firejailed-tor-browser ${HOME}/Browser/start-tor-browser
Result in the terminal:
userx@userx-mint:~$ firejail --profile=firejailed-tor-browser ${HOME}/Browser/start-tor-browser
Reading profile /home/userx/.config/firejail/firejailed-tor-browser.profile
Reading profile /home/userx/.config/firejail/firejailed-tor-browser.local
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/globals.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 19271, child pid 19272
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Private /etc installed in 1.81 ms
27 programs installed in 59.49 ms
Warning: skipping private-cache: cannot find /home/userx/.cache
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Post-exec seccomp protector enabled
Seccomp list in: !chroot,@memlock,@setuid,@timer,io_pgetevents, check list: @default-keep, prelist: unknown,mlock,mlock2,mlockall,munlock,munlockall,setgid,setgroups,setregid,setresgid,setresuid,setreuid,setuid,alarm,getitimer,setitimer,timer_create,timer_delete,timer_getoverrun,timer_gettime,timer_settime,timerfd_create,timerfd_gettime,timerfd_settime,times,
Child process initialized in 172.66 ms
Parent is shutting down, bye...
So now, it's just quitting without a hint. Should I debug it?
Maybe there is something in the syslog, but if not you need to comment out the profile line by line.
Any progress?
I think this is due to the default apparmor profile that comes with torbrowser-launcher. For any firejail profile for torbrowser: comment out apparmor, do sudo aa-teardown, then launch torbrowser/torbrowser-launcher under firejail.
This is a personal profile (https://termbin.com/dk71, globals.local has hardened malloc) that I use for torbrowser-launcher or the tar.xz torbrowser downloaded separately and extracted to ${HOME}/.TorBrowser. In either case apparmor creates problems, specifically the one shipped with torbrowser-launcher.
I'm closing here due to inactivity, please feel free to request to reopen if you still have this issue.
Dear Guys, I have an issue that TB, actually start-tor-browser, won't start if I use any profile with firejail. In the end, I want to use @rusty-snake's profile, but the thing only starts if I use the option --noprofile. Operating system: Linux Mint Ulyana, Firejail version: 0.9.62 from the Mint repo, TBB: 10.0.2 (but 10.0.1 didn't fly either)
Starting firejail with the firefox profile gives the following output:
Pretty similar, when trying to start with the normal global profile or with the firejailed-tor-browser profile (that gives a different output of course). Starting with --noprofile:
Do you have any hints, where to look, what to check? Thank you very much in advance!