netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

start-tor-browser doesn't open with any profile #3687

Closed 1984-is-1984 closed 3 years ago

1984-is-1984 commented 4 years ago

Dear guys, I have an issue: TB, actually start-tor-browser, won't start if I use any profile with firejail. In the end, I want to use @rusty-snake's profile, but the thing only starts if I use the option --noprofile. Operating system: Linux Mint Ulyana; Firejail version: 0.9.62 from the Mint repo; TBB: 10.0.2 (but 10.0.1 didn't fly either).

Starting firejail with the firefox profile gives the following output:

userx@userx-mint:~$ 'firejail --profile=/etc/firejail/firefox.profile "$HOME/.firejailed-tor-browser/Browser/start-tor-browser"'
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/globals.local
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 55314, child pid 55315
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Post-exec seccomp protector enabled
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Child process initialized in 141.64 ms
Error: no suitable /home/userx/.firejailed-tor-browser/Browser/start-tor-browser executable found .
Parent is shutting down, bye...

Pretty similar when trying to start with the normal global profile or with the firejailed-tor-browser profile (that gives a different output, of course). Starting with --noprofile:

userx@userx-mint:~$ sh -c 'firejail --noprofile "/home/userx/.firejailed-tor-browser/Browser/start-tor-browser"'
Parent pid 28182, child pid 28183
Child process initialized in 13.12 ms

Do you have any hints, where to look, what to check? Thank you very much in advance!

rusty-snake commented 4 years ago

Hints:

  1. firefox.profile doesn't allow exec inside $HOME by default. However, you don't need to use it, since there are profiles for tbb.
  2. Things in globals.local such as apparmor will also make $HOME noexec. What's in your globals.local?
  3. firefox.profile, tor-browser*.profile, torbrowser-launcher.profile, start-tor-browser.profile and start-tor-browser.desktop.profile are all whitelisting profiles which do not whitelist ${HOME}/.firejailed-tor-browser (or whatever).

1984-is-1984 commented 4 years ago

Wow, that's an incredibly quick response and I really admire that! OK, so, I want to use the TB with your profile for the 0.9.62 firejail version anyway, so I'll list all the paths and contents of all files. 1st: firejailed-tor-browser.profile under /home/userx/.config/firejail/, content:

# Persistent local customizations
include firejailed-tor-browser.local
# Persistent global definitions
include globals.local

# Note: PluggableTransports didn't work with this profile

ignore noexec ${HOME}

noblacklist ${HOME}/.firejailed-tor-browser

blacklist /opt
blacklist /srv
blacklist /usr/games
blacklist /usr/local
blacklist /usr/src
blacklist /var

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc

whitelist ${RUNUSER}/pulse
whitelist ${HOME}/.firejailed-tor-browser
# Add the next line to firejailed-tor-browser.local to enable better desktop integration
#include whitelist-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

apparmor
caps.drop all
#hostname host
# Cause some issues
#ipc-namespace
# Breaks sound; enable it if you don't need sound
#machine-id
netfilter
# Disable hardware acceleration
#no3d
nodbus
nodvd
nogroups
nonewprivs
noroot
# Disable sound, enable if you don't need
#nosound
notv
nou2f
novideo
protocol unix,inet,inet6
seccomp !chroot,@memlock,@setuid,@timer,io_pgetevents
seccomp.block-secondary
shell none
# Cause some issues
#tracelog

disable-mnt
private ${HOME}/.firejailed-tor-browser
# These are the minimum required programs to start the TBB,
# you maybe need to add one or more programs from the commented private-bin line below.
# To get full support of the scripts start-tor-browser, execdesktop and firefox
# (this is a wrapper script, the firefox browser executable is firefox.real) in the TBB,
# add the commented private-bin line to firejailed-tor-browser.local
private-bin bash,dirname,env,expr,file,grep,rm,sh,tclsh
#private-bin cat,cp,cut,getconf,id,kdialog,ln,mkdir,pwd,readlink,realpath,sed,tail,test,update-desktop-database,xmessage,xmessage,zenity
private-cache
private-dev
# This is a minimal private-etc, if there are breakages due to it you need to add more files.
# To get ideas what maybe needs to be added look at the templates:
# https://github.com/netblue30/firejail/blob/28142bbc49ecc3246033cbc810d7f04027c87f4d/etc/templates/profile.template#L151-L162
private-etc machine-id
private-tmp

name firejailed-tor-browser

2nd: firejailed-tor-browser.local under /home/userx/.config/firejail/, content:

# Add the next line to firejailed-tor-browser.local to enable better desktop integration
include whitelist-common.inc

private-bin cat,cp,cut,getconf,gpg,id,kdialog,ln,mkdir,pwd,readlink,realpath,sed,tail,test,update-desktop-database,xmessage,xmessage,zenity

3rd: globals.local under /etc/firejail/, content: blacklist ${HOME}/.firejailed-tor-browser

4th: disbale-programs.local under /home/userx/.config/firejail/, content: blacklist ${HOME}/.firejailed-tor-browser

Should I whitelist ${HOME}/.firejailed-tor-browser in the globals.local under /etc/firejail/ instead of blacklisting it?

rusty-snake commented 4 years ago

With my profile you need to use firejail --profile=firejailed-tor-browser ${HOME}/Browser/start-tor-browser.

  1. an explicit --profile is required to use this profile
  2. because of the private ${HOME}/.firejailed-tor-browser, start-tor-browser is found inside the sandbox under Browser/start-tor-browser instead of .firejailed-tor-browser/Browser/start-tor-browser. (OT: and because of the private, include whitelist-common.inc has no effect; I should update the comment)

Should I whitelist ${HOME}/.firejailed-tor-browser in the globals.local under /etc/firejail/ instead of blacklisting it?

NO, adding a whitelist in globals.local would break all blacklisting profiles. noblacklist ${HOME}/.firejailed-tor-browser comes after include globals.local, which means that the blacklist from globals.local is applied. I'm not sure if it breaks because private is used, but maybe it does.
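To make the two points in this reply concrete (the noblacklist/globals.local ordering, and the path shift caused by private DIR), together with the earlier hints about noexec and whitelisting under $HOME, here is a small Python model added for this page. It is not firejail's own parser: it follows a handful of directives in file order over constructed profile fragments (file names and the HOME value are assumed to match the paths quoted in the thread), and its ignore matching is a simple prefix match, so treat it as a reasoning aid rather than ground truth.

```python
"""Toy model of Firejail profile composition (added example; not firejail's parser).
It follows include, ignore, noblacklist/blacklist, whitelist, noexec and private in
file order. Profile texts are constructed fragments, not the real files."""
import os

HOME = "/home/userx"  # constructed, matching the paths quoted in the thread
PROFILES = {
    "globals.local": "blacklist ${HOME}/.firejailed-tor-browser\n",
    "disable-exec.inc": "noexec ${HOME}\n",
    # Same ordering as the quoted profile: noblacklist after include globals.local.
    "firejailed-tor-browser.profile": """
include globals.local
ignore noexec ${HOME}
noblacklist ${HOME}/.firejailed-tor-browser
include disable-exec.inc
whitelist ${HOME}/.firejailed-tor-browser
private ${HOME}/.firejailed-tor-browser
""",
    # Hypothetical variant with the noblacklist moved ahead of the include.
    "fixed-order.profile": "noblacklist ${HOME}/.firejailed-tor-browser\ninclude globals.local\n",
    # Stand-in for a generic browser profile: $HOME noexec, TBB dir not whitelisted.
    "generic-browser.profile": "include disable-exec.inc\nwhitelist ${HOME}/.mozilla\n",
}


def expand(text):
    return text.replace("${HOME}", HOME)


def load(name, state=None):
    """Walk a profile in file order, descending into includes, and collect state."""
    if state is None:
        state = {"blacklist": [], "noblacklist": set(), "whitelist": [],
                 "noexec": [], "ignore": [], "private": None, "trace": []}
    for raw in PROFILES.get(name, "").splitlines():
        line = expand(raw.strip())
        if not line or line.startswith("#"):
            continue
        # simplification: an earlier `ignore X` drops any later line starting with X
        if any(line.startswith(ig) for ig in state["ignore"]):
            state["trace"].append(f"{name}: '{line}' dropped by an earlier ignore")
            continue
        cmd, _, arg = line.partition(" ")
        arg = arg.strip()
        if cmd == "include":
            load(arg, state)
        elif cmd == "ignore":
            state["ignore"].append(arg)
        elif cmd == "noblacklist":
            state["noblacklist"].add(arg)
        elif cmd == "blacklist":
            # only a noblacklist seen BEFORE this line cancels it
            if arg in state["noblacklist"]:
                state["trace"].append(f"{name}: blacklist {arg} cancelled by earlier noblacklist")
            else:
                state["blacklist"].append(arg)
                state["trace"].append(f"{name}: blacklist {arg} applied")
        elif cmd == "whitelist":
            state["whitelist"].append(arg)
        elif cmd == "noexec":
            state["noexec"].append(arg)
        elif cmd == "private":
            state["private"] = arg
    return state


def _under(path, prefix):
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def check(profile, host_path):
    """Report how one host path fares: where it lands, and which directives hit it."""
    st = load(profile)
    private = st["private"]
    if private and _under(host_path, private):
        # private DIR mounts DIR as the sandbox home, so the file moves up one level
        inside = os.path.join(HOME, os.path.relpath(host_path, private))
    elif private and _under(host_path, HOME):
        inside = None  # the real home is replaced by DIR; nothing else of it is visible
    else:
        inside = host_path
    home_wl = [w for w in st["whitelist"] if _under(w, HOME)]
    return {
        "sandbox_path": inside,
        "blacklisted": any(_under(host_path, b) for b in st["blacklist"]),
        # once anything under $HOME is whitelisted, the rest of $HOME is hidden
        "whitelisted": (not home_wl or not _under(host_path, HOME)
                        or any(_under(host_path, w) for w in home_wl)),
        "exec_allowed": not any(_under(host_path, n) for n in st["noexec"]),
        "trace": st["trace"],
    }


if __name__ == "__main__":
    tbb = f"{HOME}/.firejailed-tor-browser/Browser/start-tor-browser"
    for prof in ("firejailed-tor-browser.profile", "fixed-order.profile", "generic-browser.profile"):
        result = check(prof, tbb)
        print(prof, {k: v for k, v in result.items() if k != "trace"})
        for entry in result["trace"]:
            print("   ", entry)
```

Run as-is, the first profile reports the start script landing at /home/userx/Browser/start-tor-browser inside the sandbox while the globals.local blacklist is still marked as applied; the fixed-order variant shows the same blacklist cancelled; the generic-browser stand-in shows the script neither whitelisted nor executable, which is the situation behind the three hints given earlier in the thread.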

1984-is-1984 commented 4 years ago

I really appreciate your support @rusty-snake !!!

OK, I've tried your command and it actually worked in some sort of way, but firejail still quit.

So, the command is the following: firejail --profile=firejailed-tor-browser ${HOME}/Browser/start-tor-browser

Result in the terminal:

userx@userx-mint:~$ firejail --profile=firejailed-tor-browser ${HOME}/Browser/start-tor-browser
Reading profile /home/userx/.config/firejail/firejailed-tor-browser.profile
Reading profile /home/userx/.config/firejail/firejailed-tor-browser.local
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/globals.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 19271, child pid 19272
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Private /etc installed in 1.81 ms
27 programs installed in 59.49 ms
Warning: skipping private-cache: cannot find /home/userx/.cache
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Post-exec seccomp protector enabled
Seccomp list in: !chroot,@memlock,@setuid,@timer,io_pgetevents, check list: @default-keep, prelist: unknown,mlock,mlock2,mlockall,munlock,munlockall,setgid,setgroups,setregid,setresgid,setresuid,setreuid,setuid,alarm,getitimer,setitimer,timer_create,timer_delete,timer_getoverrun,timer_gettime,timer_settime,timerfd_create,timerfd_gettime,timerfd_settime,times,
Child process initialized in 172.66 ms

Parent is shutting down, bye...

So now it's just quitting without a hint. Should I debug it?

rusty-snake commented 4 years ago

Maybe there is something in the syslog, but if not you need to comment out the profile line by line.
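The "comment out the profile line by line" step can be automated. The helper below is added for this page and is not part of firejail: it rewrites the profile with one directive commented out at a time and asks a predicate whether the sandboxed program now stays up. The firejail_starts predicate assumes firejail is on PATH and accepts --profile=PATH (as in the command quoted above) and treats "still running after the settle period" as started, since the symptom in this thread is an immediate, error-free exit; the demo uses a constructed predicate so it runs offline.

```python
"""Line-by-line profile bisection helper (added example, not part of firejail)."""
import os
import subprocess
import tempfile


def find_breaking_directives(profile_text, starts):
    """Comment out one directive at a time; return those whose removal lets the program start."""
    lines = profile_text.splitlines()
    culprits = []
    for i, line in enumerate(lines):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments are not directives
        trial = lines[:i] + ["#" + line] + lines[i + 1:]
        if starts("\n".join(trial) + "\n"):
            culprits.append(stripped)
    return culprits


def firejail_starts(command, settle=10):
    """Build a predicate that launches `command` under a temporary copy of the profile.

    Assumes firejail is installed and honours --profile=PATH. A program that is still
    alive after `settle` seconds counts as started; one that exits by itself does not.
    """
    def starts(profile_text):
        with tempfile.TemporaryDirectory() as tmp:
            path = os.path.join(tmp, "trial.profile")
            with open(path, "w") as fh:
                fh.write(profile_text)
            proc = subprocess.Popen(["firejail", f"--profile={path}", *command],
                                    stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
            try:
                proc.wait(timeout=settle)
            except subprocess.TimeoutExpired:
                proc.terminate()
                proc.wait()
                return True   # still alive: it started
            return False      # exited on its own, like the "Parent is shutting down" run above
    return starts


# Constructed, trimmed profile for the offline demonstration.
SAMPLE_PROFILE = """\
# trimmed sample, not a real profile
include globals.local
apparmor
caps.drop all
noroot
private ${HOME}/.firejailed-tor-browser
"""


def demo():
    # Constructed predicate: pretend the program only starts once the 'apparmor'
    # directive is gone. Replace it with firejail_starts([...]) for a real run.
    fake_starts = lambda text: "\napparmor\n" not in text
    return find_breaking_directives(SAMPLE_PROFILE, fake_starts)


if __name__ == "__main__":
    print("directives whose removal lets the program start:", demo())
```

With a real predicate, each trial launches the sandbox once per directive, so a profile of forty lines costs forty launches; the settle period should be long enough for the browser window to appear on the machine being debugged.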

rusty-snake commented 3 years ago

Any progress?

bbhtt commented 3 years ago

I think this is due to the default apparmor profile that comes with torbrowser-launcher. In any firejail profile for torbrowser: comment out apparmor; do sudo aa-teardown, then launch torbrowser/torbrowser-launcher under firejail.

This is a personal profile (https://termbin.com/dk71, globals.local has hardened malloc) that I use for torbrowser-launcher or the tar.xz torbrowser downloaded separately and extracted to ${HOME}/.TorBrowser. In either case apparmor creates problems, specifically the one shipped with torbrowser-launcher.

rusty-snake commented 3 years ago

I'm closing here due to inactivity, please feel free to request to reopen if you still have this issue.