netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

Can't open atril from within calibre #4414

Closed Boruch-Baum closed 3 years ago

Boruch-Baum commented 3 years ago

In debian, using firejail 0.9.64.4, calibre 5.16.1, and atril 1.20.3 and using the default firejail profiles: From within firejail /usr/bin/calibre, I can't open/view a document with atril.

What does work:
1) firejail atril foo.pdf
2) calibre (without firejail) and opening a pdf with atril
3) firejail calibre and opening a pdf with zathura or mupdf

In the following output from firejail --debug calibre, note that the first line spawned when asking to view a pdf is the line beginning "Error seteuid":

```
libGL error: failed to open drm device: No such file or directory
libGL error: failed to load driver: i965
DBusExport: Failed to connect to DBUS session bus, with error: org.freedesktop.DBus.Error.NoServer: Failed to connect to socket /tmp/dbus-EnYpF9rDQk: Connection refused
Failed to check for plugin update: [Errno -3] Temporary failure in name resolution
Traceback (most recent call last):
  File "/usr/lib/calibre/calibre/gui2/notify.py", line 182, in get_notifier
    ans = get_dbus_notifier()
  File "/usr/lib/calibre/calibre/gui2/notify.py", line 110, in get_dbus_notifier
    session_bus = dbus.SessionBus()
  File "/usr/lib/python3/dist-packages/dbus/_dbus.py", line 212, in __new__
    return Bus.__new__(cls, Bus.TYPE_SESSION, private=private,
  File "/usr/lib/python3/dist-packages/dbus/_dbus.py", line 102, in __new__
    bus = BusConnection.__new__(subclass, bus_type, mainloop=mainloop)
  File "/usr/lib/python3/dist-packages/dbus/bus.py", line 124, in __new__
    bus = cls._new_for_bus(address_or_type, mainloop=mainloop)
dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoServer: Failed to connect to socket /tmp/dbus-EnYpF9rDQk: Connection refused
Exception in thread Thread-7:
Traceback (most recent call last):
  File "/usr/lib/python3.9/threading.py", line 954, in _bootstrap_inner
    self.run()
  File "/usr/lib/calibre/calibre/utils/mdns.py", line 42, in run
    _all_ip_addresses = self.get_all_ips()
  File "/usr/lib/calibre/calibre/utils/mdns.py", line 26, in get_all_ips
    for x in netifaces.interfaces():
OSError: [Errno 95] Operation not supported
Error seteuid: ../include/euid_common.h:44 EUID_USER: Operation not permitted~

(atril:128): dbind-WARNING **: 20:57:58.021: Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-wovbrEqM41: Connection refused

(atril:128): Gtk-WARNING **: 20:57:58.034: Theme parsing error: gtk.css:92:25: Failed to import: Error opening file /usr/share/themes/Boje-Night/gtk-3.0/unity.css: No such file or directory

Sandbox monitor: waitpid 8 retval 8 status 0
Warning: removing 1 bytes from stdin

Parent is shutting down, bye...
```

EDIT by @rusty-snake: Code-block

rusty-snake commented 3 years ago

Running program A in the sandbox made for program B is something that maybe works and maybe doesn't work.

profile diffs

```console
$ fjp diff atril calibre
The following commands are unique to atril.profile:
include atril.local
noblacklist ${HOME}/.cache/atril
noblacklist ${HOME}/.config/atril
include disable-interpreters.inc
machine-id
no3d
protocol unix
seccomp
tracelog
private-bin 7z,7za,7zr,atril,atril-previewer,atril-thumbnailer,sh,tar,unrar,unzip,zipnote
private-etc alternatives,fonts,ld.so.cache
The following commands are unique to calibre.profile:
include calibre.local
noblacklist ${HOME}/.cache/calibre
noblacklist ${HOME}/.config/calibre
apparmor
netfilter
protocol unix,inet,inet6,netlink
seccomp !chroot
$ fjp diff zathura calibre
The following commands are unique to zathura.profile:
include zathura.local
noblacklist ${HOME}/.config/zathura
noblacklist ${HOME}/.local/share/zathura
include disable-interpreters.inc
include disable-shell.inc
include disable-write-mnt.inc
mkdir ${HOME}/.config/zathura
mkdir ${HOME}/.local/share/zathura
whitelist /usr/share/doc
whitelist /usr/share/zathura
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
machine-id
net none
protocol unix
seccomp
seccomp.block-secondary
tracelog
private-bin zathura
private-cache
private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id
dbus-user none
dbus-system none
read-only ${HOME}
read-write ${HOME}/.config/zathura
read-write ${HOME}/.local/share/zathura
The following commands are unique to calibre.profile:
include calibre.local
noblacklist ${HOME}/.cache/calibre
noblacklist ${HOME}/.config/calibre
netfilter
protocol unix,inet,inet6,netlink
seccomp !chroot
$ fjp diff mupdf calibre
The following commands are unique to mupdf.profile:
include mupdf.local
include disable-interpreters.inc
machine-id
net none
protocol unix
seccomp
tracelog
private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
dbus-user none
dbus-system none
The following commands are unique to calibre.profile:
include calibre.local
include globals.local
noblacklist ${HOME}/.cache/calibre
noblacklist ${HOME}/.config/calibre
netfilter
protocol unix,inet,inet6,netlink
seccomp !chroot
```
Boruch-Baum commented 3 years ago

On 2021-08-01 00:41, rusty-snake wrote:

Running program A in the sandbox made for program B is something that maybe works and maybe doesn't work. profile diffs

$ fjp diff atril calibre
$ fjp diff zathura calibre
$ fjp diff mupdf calibre

I don't seem to have a local copy of the fjp tool installed (debian). Where / how can I get it so that I can see exactly what's happening locally?

-- hkp://keys.gnupg.net CA45 09B5 5351 7C11 A9D1 7286 0036 9E45 1595 8BC0

rusty-snake commented 3 years ago

fjp is an unofficial tool of mine. repo: https://github.com/rusty-snake/fjp website: https://rusty-snake.github.io/fjp/ latest release: https://github.com/rusty-snake/fjp/releases/tag/v0.2.0 (v0.3.0-rc1 will come soon)
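For readers who, like the reporter, want to see "exactly what's happening locally" without installing fjp: the script below is an added example written for this thread, not part of firejail or fjp. It reproduces the `fjp diff` idea (commands unique to each of two profiles) and adds a `resolve=True` mode that follows `include` lines, so that a user-written `calibre.local` takes part in the comparison instead of hiding behind `include calibre.local`. Assumptions: includes are looked up in `~/.config/firejail` then `/etc/firejail`, a missing include (an unwritten foo.local) is skipped, and the profiles in `SAMPLE_PROFILES` are constructed stand-ins, far shorter than the real Debian ones.

```python
"""Compare two firejail profiles the way `fjp diff` does (commands unique to
each side), optionally resolving `include` lines first so that a user-written
foo.local takes part in the comparison.

Added example for this thread, not part of firejail or fjp.  SAMPLE_PROFILES
are constructed and much shorter than the real ones.  Assumed: includes are
looked up in ~/.config/firejail then /etc/firejail, and a missing include
(an unwritten foo.local) is skipped.
"""
import os
import tempfile

DEFAULT_SEARCH_DIRS = (os.path.expanduser("~/.config/firejail"), "/etc/firejail")


def find_profile(name, search_dirs=DEFAULT_SEARCH_DIRS):
    """First existing path for a profile or include name, else None."""
    if os.path.isabs(name):
        return name if os.path.isfile(name) else None
    for directory in search_dirs:
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate):
            return candidate
    return None


def load_commands(path, search_dirs=DEFAULT_SEARCH_DIRS, resolve=False, _seen=None):
    """Commands of a profile in file order; comments and blanks dropped.
    With resolve=True each `include X` is replaced by X's commands
    (recursively, each file once); an include that cannot be found is skipped."""
    seen = _seen if _seen is not None else set()
    commands = []
    with open(path, encoding="utf-8") as handle:
        for raw in handle:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if resolve and line.startswith("include "):
                target = find_profile(line.split(None, 1)[1], search_dirs)
                if target and target not in seen:
                    seen.add(target)
                    commands.extend(load_commands(target, search_dirs, True, seen))
                continue
            commands.append(line)
    return commands


def diff_profiles(left, right, search_dirs=DEFAULT_SEARCH_DIRS, resolve=False):
    """(unique_to_left, unique_to_right), de-duplicated, in file order."""
    left_cmds = list(dict.fromkeys(load_commands(left, search_dirs, resolve)))
    right_cmds = list(dict.fromkeys(load_commands(right, search_dirs, resolve)))
    left_set, right_set = set(left_cmds), set(right_cmds)
    return ([c for c in left_cmds if c not in right_set],
            [c for c in right_cmds if c not in left_set])


# Constructed samples.  calibre.local holds the overrides from this thread;
# a flat diff of the .profile files never shows them.
SAMPLE_PROFILES = {
    "atril.profile": """\
include atril.local
include globals.local
include disable-interpreters.inc
protocol unix
private-bin atril,sh
""",
    "calibre.profile": """\
include calibre.local
include globals.local
netfilter
protocol unix,inet,inet6,netlink
seccomp !chroot
""",
    "disable-interpreters.inc": "blacklist ${PATH}/python3*\n",
    "calibre.local": """\
net none
protocol unix,netlink
ignore protocol
dbus-user filter
dbus-system none
""",
}


def demo():
    """Write the samples to a temp dir and diff atril vs calibre both ways.
    Returns {"flat": (a, b), "resolved": (a, b)}."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE_PROFILES.items():
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as handle:
                handle.write(body)
        atril = os.path.join(tmp, "atril.profile")
        calibre = os.path.join(tmp, "calibre.profile")
        return {"flat": diff_profiles(atril, calibre, (tmp,)),
                "resolved": diff_profiles(atril, calibre, (tmp,), resolve=True)}


if __name__ == "__main__":
    for mode, (only_atril, only_calibre) in demo().items():
        print(f"== {mode} ==\n atril only:   {only_atril}\n calibre only: {only_calibre}")
```

On a real system call `diff_profiles("/etc/firejail/atril.profile", "/etc/firejail/calibre.profile", resolve=True)`; the resolved output is the one that would have surfaced the `net none` from the reporter's calibre.local at the start of this thread, whereas the flat output only shows `include calibre.local`.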

Boruch-Baum commented 3 years ago

Thanks.

On 2021-08-01 02:45, rusty-snake wrote:

fjp is an unofficial tool of mine. repo: https://github.com/rusty-snake/fjp


rusty-snake commented 3 years ago

Error seteuid: ../include/euid_common.h:44 EUID_USER: Operation not permitted~

BTW this is a firejail error, if you remove the firecfg symlink, it might work. But why does mupdf work, it should have a firecfg symlink too.

Boruch-Baum commented 3 years ago

I think I have the calibre/atril problem solved.

What seems to have been breaking things is that setting 'net none' in my calibre.local file was disabling dbus (bug?, documented?). This is important to me because I'm frightened by calibre's demands for internet access (to places like amazon.com, etc) and can never be sure of its scope. For many users, such access may be desirable (eg. to search, sync, and purchase ebooks directly from calibre), but they probably are not the type of people who would be interested in firejail in the first place.

Based upon my re-reading of the firejail-profile man page, I have updated my calibre.local with two additional lines, so it looks like this:

```
net none
dbus-user filter
dbus-user.talk org.freedesktop.*
```

My tests indicate that this allows atril and disables internet.

Remaining questions for me:

1) Am I doing this correctly?

2) Should I be more restrictive somehow in the use of the dbus filters?

3) Should 'net none' really be killing dbus access?

On 2021-08-01 03:14, rusty-snake wrote:

 Error seteuid: ../include/euid_common.h:44 EUID_USER: Operation not
 permitted~

BTW that's a firejail error, if you remove the firecfg symlink, it might work.

I'm not using symlinks. I modify my local copy of the *.desktop file. Doing so also allows me to do the following (very long line follows may show up as word-wrapped in your email viewer):

Exec=env CALIBRE_USE_DARK_PALETTE=0 CALIBRE_USE_SYSTEM_THEME=true QT_QPA_PLATFORMTHEME=qt5ct cpulimit -l 50 -- firejail /usr/bin/calibre %F

But why does mupdf work, it should have a firecfg symlink too.

Aaahh. In my local setup mupdf has no symlink and no modified *.desktop file (I have mupdf installed for its pdf manipulation tools, not for its viewer. It was just that while trying to figure out this problem I tried using it as an alternative).


rusty-snake commented 3 years ago

setting 'net none' in my calibre.local

If you have modified settings, you should already say so in the OP. Even if they seem unrelated to the error message/behaviour, as there can be strange side effects.

dbus-user.talk org.freedesktop.*

Why using D-Bus filtering at all with this rule? This allows (org.freedesktop.DBus), org.freedesktop.Flatpak, org.freedesktop.Notifications, org.freedesktop.PackageKit, org.freedesktop.ScreenSaver, org.freedesktop.Tracker3.Miner.Files.Control, org.freedesktop.impl.portal.PermissionStore, org.freedesktop.impl.portal.desktop.gtk, org.freedesktop.portal.Flatpak, org.freedesktop.secrets, org.freedesktop.systemd1.

Am I doing this correctly?

What's your goal? General: Adding commands to .locals to make things work is right.

Should I be more restrictive somehow in the use of the dbus filters?

See above. btw from where did you get the org.freedesktop.*?

Should 'net none' really be killing dbus access?

If you use abstract sockets, yes.
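The list of names rusty-snake gives above is what `dbus-user.talk org.freedesktop.*` opens up; the script below, an added example written for this thread and not firejail code, makes that concrete by evaluating talk rules against a constructed session-bus name list (the names quoted above plus a few other common desktop names; a real system's list comes from `busctl --user list`). Assumption: firejail hands the session bus to xdg-dbus-proxy, whose rules are exact names or `prefix.*` wildcards, and the matcher here treats a wildcard as covering the prefix itself and every name beneath it; that reading of the proxy's behaviour is this example's, not documented on this page.

```python
"""Quantify what a firejail dbus-user.talk rule exposes.

Added example, not firejail code.  The wildcard semantics (a `prefix.*`
rule covers the prefix and everything under it) are this example's
assumption about the xdg-dbus-proxy rules firejail delegates to.  The bus
name list is constructed: the names quoted in the thread plus a few other
common session-bus names.
"""

CONSTRUCTED_SESSION_NAMES = [
    "org.freedesktop.DBus",
    "org.freedesktop.Flatpak",
    "org.freedesktop.Notifications",
    "org.freedesktop.PackageKit",
    "org.freedesktop.ScreenSaver",
    "org.freedesktop.Tracker3.Miner.Files.Control",
    "org.freedesktop.impl.portal.PermissionStore",
    "org.freedesktop.impl.portal.desktop.gtk",
    "org.freedesktop.portal.Flatpak",
    "org.freedesktop.secrets",
    "org.freedesktop.systemd1",
    "ca.desrt.dconf",
    "org.gnome.SessionManager",
    "org.kde.StatusNotifierWatcher",
    "org.mpris.MediaPlayer2.vlc",
]


def rule_matches(rule, name):
    """True if `rule` (an exact bus name or `prefix.*`) covers `name`.
    An exact rule never covers sub-names, so org.freedesktop.Notifications
    does not cover org.freedesktop.Notifications.Extra."""
    if rule.endswith(".*"):
        prefix = rule[:-2]
        return name == prefix or name.startswith(prefix + ".")
    return name == rule


def exposed_names(talk_rules, bus_names=CONSTRUCTED_SESSION_NAMES):
    """Sorted bus names the sandboxed program could talk to under `talk_rules`."""
    return sorted(n for n in bus_names if any(rule_matches(r, n) for r in talk_rules))


def extra_exposure(broad_rules, narrow_rules, bus_names=CONSTRUCTED_SESSION_NAMES):
    """Names reachable under broad_rules that narrow_rules would not allow."""
    return sorted(set(exposed_names(broad_rules, bus_names))
                  - set(exposed_names(narrow_rules, bus_names)))


def parse_local(text):
    """Pull the dbus-user.talk rules out of a profile or .local fragment."""
    rules = []
    for line in text.splitlines():
        parts = line.strip().split()
        if len(parts) == 2 and parts[0] == "dbus-user.talk":
            rules.append(parts[1])
    return rules


if __name__ == "__main__":
    wildcard = parse_local("net none\ndbus-user filter\ndbus-user.talk org.freedesktop.*\n")
    notify_only = ["org.freedesktop.Notifications"]
    print("org.freedesktop.* exposes:", exposed_names(wildcard))
    print("beyond Notifications alone:", extra_exposure(wildcard, notify_only))
```

Feeding a real `.local` to `parse_local` and the output of `busctl --user list` to `exposed_names` shows, per machine, how much a wildcard talk rule hands to the sandboxed program; the point of `extra_exposure` is to compare a candidate rule against the narrowest one that still makes the application work.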

Boruch-Baum commented 3 years ago

On 2021-08-01 06:16, rusty-snake wrote:

 setting 'net none' in my calibre.local

If you have modified settings, you should say it already in OP. Even if they seem to be unrelated to the error message/behaviour as there can be strange side effects.

Sorry. As soon as I realized that the file existed, I reported it.

 dbus-user.talk org.freedesktop.*

Why using D-Bus filtering at all with this rule?

In order to try to debug, I decided to launch firejail from a console in order to see what it was sending to STDERR. One message was: "DBusExport: Failed to connect to DBUS session bus, with error: org.freedesktop.DBus.Error.NoServer: Failed to connect to socket /tmp/dbus-EnYpF9rDQk: Connection refused"

So I tried that dbus socket, ie.:

dbus-user.talk org.freedesktop.*

However, that caused firejail to send an error message to the console:

Ignoring "dbus-user.talk org.freedesktop.*".

So, I went back to the man page, and saw in the example given that the dbus.user-talk line was preceded by a line 'dbus filter' and the documentation seems to say that both are needed. Now I see that line 'dbus filter' alone is enough to enable atril.

This allows (org.freedesktop.DBus), org.freedesktop.Flatpak, org.freedesktop.Notifications, org.freedesktop.PackageKit, org.freedesktop.ScreenSaver, org.freedesktop.Tracker3.Miner.Files.Control, org.freedesktop.impl.portal.PermissionStore, org.freedesktop.impl.portal.desktop.gtk, org.freedesktop.portal.Flatpak, org.freedesktop.secrets, org.freedesktop.systemd1.

 Am I doing this correctly?

What's your goal?

1) Calibre should have no internet access.
2) Calibre should be able to launch atril.
3) The rules (dbus) should not be overly permissive.

General: Adding command to .locals to make things work is right.

 Should I be more restrictive somehow in the use of the dbus filters?

See above.

I went one-by-one and tested each of the items you listed above, using an ignore statement to eliminate the others, and it seems none of the org.freedesktop rules are necessary, and some other dbus feature is being white-listed by the general statement 'dbus filter'.

btw from where did you got the org.freedesktop.*?

I saw an error message on my console: "DBusExport: Failed to connect to DBUS session bus, with error: org.freedesktop.DBus.Error.NoServer: Failed to connect to socket /tmp/dbus-EnYpF9rDQk: Connection refused"

Thanks for the support and time you've been giving me on this. I hope maybe something comes of it that can be useful for others, somehow.


rusty-snake commented 3 years ago
  1. org.freedesktop.DBus.Error.NoServer is the error type and not the name it tried to access. Unfortunately it does not say which name it tries to access
  2. Does it work with just dbus-user filter (no dbus-user.{own,talk})? And with dbus-user none? (<<The rules (dbus) should not be overly permissive.)
  3. net none is enough to disable internet access. As alternative you can set protocol unix,netlink+ignore protocol. If you only care about amazon connections (i.e. your goal is privacy) maybe even dns 0.0.0.0 works. (<<Calibre should have no internet access.)
Boruch-Baum commented 3 years ago

On 2021-08-01 07:53, rusty-snake wrote:

  1. Does it work with just dbus-user filter (no dbus-user.{own,talk})?

Yes, it does launch atril that way.

And with dbus-user none? (<<The rules (dbus) should not be overly
permissive.)

No, it does not launch atril with that rule.

  1. net none is enough to disable internet access. As alternative you can set protocol unix,netlink+ignore protocol. If you only care about amazon connections (i.e. your goal is privacy) maybe even dns 0.0.0.0 works. (<<Calibre should have no internet access.)

Do I need both protocol lines in my calibre.local file? In my testing it seems that line 'protocol unix,netlink' was sufficient to eliminate internet access even without the other line 'ignore protocol'. What I get on STDERR on the console with just the single line is:

```
Warning: networking feature is disabled in Firejail configuration file
Warning: more than one protocol list is present, "unix,netlink" will be installed
```

Currently, my calibre.local file looks like this:

```
net none
protocol unix,netlink
ignore protocol
dbus-user filter
dbus-system none
```

This does cut off internet and allows atril. I then delayed responding to you because I thought it may be over-permissive in that it allows any other program to be launched. Ideally, it should be limited to (specific/common/known) document viewers.

So I ran some (many) tests (which could have been expedited with some kind of strace help probably) and I've come up with the following which is working for me for documents of type djvu, epub, and pdf. If it can be useful to you or to some firejail users, that would be great. Note that I've only been testing this for a matter of minutes, so if you think it has potential you may still want to wait and get back to me after further 'life' testing. Also, calibre is chock full of features that I don't use, so the following may need more permissiveness.

```
noblacklist /usr/bin/atril
noblacklist /usr/bin/awk
noblacklist /usr/bin/basename
noblacklist /usr/bin/calibre
noblacklist /usr/bin/cpulimit
noblacklist /usr/bin/cut
noblacklist /usr/bin/ebook-
noblacklist /usr/bin/evince
noblacklist /usr/bin/djview
noblacklist /usr/bin/fail2ban
noblacklist /usr/bin/faillog
noblacklist /usr/bin/file
noblacklist /usr/bin/firecfg
noblacklist /usr/bin/firejail
noblacklist /usr/bin/firejail-ui
noblacklist /usr/bin/firemon
noblacklist /usr/bin/firetools
noblacklist /usr/bin/gawk
noblacklist /usr/bin/mupdf
noblacklist /usr/bin/okular
noblacklist /usr/bin/pdf
noblacklist /usr/bin/print
noblacklist /usr/bin/python
noblacklist /usr/bin/which
noblacklist /usr/bin/www-browser
noblacklist /usr/bin/xpdf
noblacklist /usr/bin/x-www-browser
noblacklist /usr/bin/xdg
noblacklist /usr/bin/zathura
blacklist /usr/bin/*
```


rusty-snake commented 3 years ago

dbus-user filter :+1:, dbus-user none :-1:

I know this behaviour from some Qt programs with File Open Dialogs (e.g. d0004b845d074d6a1bffa1b4212dd3782f4999c3) However, I think here it is something else (maybe).

Do I need both protocol lines in my calibre.local file? In my testing it seems that line 'protocol unix,netlink' was sufficient to eliminate internet access even without the other line 'ignore protocol'.

That changed in firejail 0.9.66

Warning: more than one protocol list is present, "unix,netlink" will be installed

See above

Warning: networking feature is disabled in Firejail configuration file

Debian package default, nothing to worry (only net <iface|bridge|tap>, net*, ip*, ... are disable but not net none)

I thought it may be over-permissive

It is. If you can, use

net none
protocol unix,netlink
ignore protocol
dbus-user filter

allows any other program to be launched. Ideally, it should be limited to (specific/common/known) document viewers.

Note that everything that can be done by other programs can be done by calibre too. (from a permission point of view)

blacklist /usr/bin/*

Boruch-Baum commented 3 years ago

On 2021-08-01 10:11, rusty-snake wrote:

 I thought it may be over-permissive

It is. If you can, use

```
net none
protocol unix,netlink
ignore protocol
dbus-user filter
```

OK. I'll do that.

Would it be helpful to also add dbus-system none? It doesn't seem to hurt.

 blacklist /usr/bin/*

 * If your system does not have a unified file-system, there is /bin
 * Why not simply use private-bin?

The first honest answer is that I didn't remember that it existed.

The more important second honest answer is that I just tried it and for it to work would require me to perform more work, ie. to discover and explicitly include the /bin executables needed by calibre.

---- pause as I do more work before hitting send ----

Below is what I have so far that works. It seems sufficient to add just shells, greps, readlink, and sed to the prior list. However, as I mentioned in my prior email, calibre has many features and plugins and my testing so far has been limited to opening, adding, and deleting ebooks.

```
private-bin atril,awk,basename,calibre,cpulimit,cut,ebook-,evince,djview,fail2ban,faillog,file,firecfg,firejail,firejail-ui,firemon,firetools,gawk,gv,mupdf,okular,pdf,print,python,which,www-browser,xpdf,x-www-browser,xdg,zathura,bash,dash,egrep,grep,readlink,sed,sh,sh.distrib
```

Some of the regexes there could be eliminated with some thought (eg. python stuff).


rusty-snake commented 3 years ago

Would it be helpful to also add dbus-system none? It doesn't seem to hurt.

Yes

and for it to work would require me to perform more work, ie. to discover and explicitly include the /bin executables needed by calibre.

You can generate one with firejail --build calibre.

rusty-snake commented 3 years ago

I'm closing here due to inactivity, please feel free to request to reopen if you still have this issue.