Closed mYnDstrEAm closed 3 years ago
> I've no idea, looks like you need to comment the profile and uncomment it like for line.

> disable-common.local
> What's in it.

A few `blacklist ${HOME}/...` and `caps.drop all`. I'll try removing the latter even though I don't know why it worked earlier in that case.

Edit: Commenting out `caps.drop all` didn't make the profile work and I think it should probably not be removed.
> caps.drop all
> […] I think it should probably not be removed.

Well

```
$ grep -L "^caps.drop all$" $(grep -l "^include disable-common.inc$" /etc/firejail/*.profile)
/etc/firejail/bitlbee.profile
/etc/firejail/chromium-common.profile
/etc/firejail/dnscrypt-proxy.profile
/etc/firejail/dnsmasq.profile
/etc/firejail/electron.profile
/etc/firejail/fdns.profile
/etc/firejail/gnome-nettool.profile
/etc/firejail/gnome-schedule.profile
/etc/firejail/k3b.profile
/etc/firejail/ping.profile
/etc/firejail/qupzilla.profile
/etc/firejail/server.profile
/etc/firejail/spectre-meltdown-checker.profile
/etc/firejail/tcpdump.profile
/etc/firejail/tor.profile
/etc/firejail/unbound.profile
/etc/firejail/virtualbox.profile
/etc/firejail/vmware.profile
/etc/firejail/wireshark.profile
```
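The grep pair in the comment above answers one question (which profiles that include disable-common.inc lack `caps.drop all`). The script below is an added example, not firejail's own code, that generalises it into a small audit: for every profile in a directory that includes a given .inc, it reports each hardening directive the profile lacks, treating a commented-out line as missing exactly as `grep -L` does. The directive list (`caps.drop all`, `nonewprivs`, `noroot`, `seccomp`) and the constructed sample profiles in `demo` are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not firejail's own code): generalise the grep one-liner from
# one directive to an audit. For every profile in DIR that has the line
# "include INC", report each hardening directive the profile lacks.
# The directive list is an assumption chosen for this illustration; a
# commented-out line ("# seccomp") counts as missing, as with grep -L.

HARDENING_DIRECTIVES='caps.drop all
nonewprivs
noroot
seccomp'

# profiles_including DIR INC -> paths of profiles in DIR containing "include INC"
profiles_including() {
    grep -l -x -F "include $2" "$1"/*.profile 2>/dev/null
}

# has_directive PROFILE DIRECTIVE -> 0 if PROFILE has a line that is exactly
# DIRECTIVE or starts with "DIRECTIVE " (so "seccomp !chroot" satisfies "seccomp").
has_directive() {
    awk -v d="$2" '
        index($0, d) == 1 && (length($0) == length(d) || substr($0, length(d) + 1, 1) == " ") { found = 1 }
        END { exit !found }' "$1"
}

# missing_directives PROFILE -> one line "PROFILE: DIRECTIVE" per missing directive
missing_directives() {
    printf '%s\n' "$HARDENING_DIRECTIVES" | while IFS= read -r directive; do
        has_directive "$1" "$directive" || printf '%s: %s\n' "$1" "$directive"
    done
}

# audit DIR INC -> report for every profile in DIR that includes INC
audit() {
    profiles_including "$1" "$2" | while IFS= read -r profile; do
        missing_directives "$profile"
    done
}

# demo: run the audit over three constructed profiles (not real firejail
# profiles) in a temporary directory and print the report. Only weak.profile
# is reported: it lacks caps.drop all (commented out), nonewprivs and seccomp.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' 'include disable-common.inc' 'caps.drop all' 'nonewprivs' 'noroot' 'seccomp !chroot' > "$tmp/ok.profile"
    printf '%s\n' 'include disable-common.inc' '# caps.drop all' 'noroot' > "$tmp/weak.profile"
    printf '%s\n' 'include disable-programs.inc' > "$tmp/other.profile"
    audit "$tmp" disable-common.inc
    rm -rf "$tmp"
}

# Real use: ./audit-profiles.sh /etc/firejail disable-common.inc
case $# in
    0) ;;
    *) audit "$@" ;;
esac
```

The prefix match in `has_directive` matters because `seccomp` is often written with arguments (`seccomp !chroot`, as in chromium-common-hardened.inc), which a plain `grep -x "seccomp"` would wrongly report as missing.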
I added `noblacklist ${HOME}/.config/VSCodium` to code.local, but it still doesn't start, and no error message is displayed that would be useful for solving it.
> I've no idea, looks like you need to comment the profile and uncomment it like for line.

What's the point of sandboxing if you have to disable all of it at least once to get things working? Also, I had to comment out so many things that this can't be fine. It used to work with an earlier version of VsCodium, so what's causing it to require so many sandboxing rules to be lifted? Furthermore, there probably should / could be error messages which provide some info about why something is failing / which sandboxing rules are causing the shutdown.

I could get it to work by commenting out these:

```
#caps.drop all
#nonewprivs
#noroot
#protocol unix,inet,inet6,netlink
#seccomp
```

in code.profile and

```
#caps.drop all
```

in disable-common.local.

Why is it closed before there is at least a pull request for these changes to code.profile? The duplicate issue is only about renaming the .profile afaik.

There should probably also be an issue at vscodium (and/or vscode) about why these changes are suddenly required to make it start.
> I could get it to work by commenting out these:
> `#caps.drop all #nonewprivs #noroot #protocol unix,inet,inet6,netlink #seccomp`
> in code.profile and
> `#caps.drop all`
> in disable-common.local

Duplicate of #4408. Fixed by 8f867d029a6ae7b757190d9f273886d4bbc1344b

> - [x] The profile (and redirect profile if exists) hasn't already been fixed upstream.

8f867d029a6ae7b757190d9f273886d4bbc1344b

> Why is it closed before there is at least a pull request for these changes to code.profile? The duplicate issue is only about renaming the .profile afaik.

See above

> There should probably also be an issue at vscodium (and/or vscode) about why these changes are suddenly required to make it start.

Nope.

Read #3754, #2946, #2933, #4087, #3871.

Summary: The electron sandbox requires the `chroot` syscall. And if you disable unprivileged userns it also needs to execute a SUID => you can not use seccomp and nnp. And you need to keep some caps.
> It used to work with an earlier version of VsCodium, so what's causing it to require so many sandboxing rules to be lifted?

Looks like VsCodium has updated the electron version they use.

> What's the point of sandboxing if you have to disable all of it at least once to get things working?

What's the reason you do sandboxing?

> What's the point of sandboxing if you have to disable all of it at least once to get things working? Also, I had to comment out so many things that this can't be fine. It used to work with an earlier version of VsCodium, so what's causing it to require so many sandboxing rules to be lifted?

TBH code.profile doesn't have `whitelist ${HOME}/...`/`read-only ${HOME}`/`private`, nor does it have `dbus-{user,system} (filter|none)`. It's already a weak profile that can be escaped easily. Furthermore it has no `net IFACE`/`net none` and it also allows executing programs from `${HOME}`. You only need to drop "advanced" sandbox features that protect kernel/root/system in a sandbox that already lacks escape protection.

I recommend setting sysctl `kernel.unprivileged_userns_clone=1`.
So the weak sandboxing profile for Codium and its further weakening are due to Electron and changes to Electron, and the solution you propose for that would be setting sysctl `kernel.unprivileged_userns_clone=1`. Did I understand that right? After setting that, would all Electron-using packages run fine?
With `kernel.unprivileged_userns_clone=1` you can `include chromium-common-hardened.inc` (Attention: In firejail 0.9.66 and above it is `include chromium-common-hardened.inc.profile`) in electron.local and chromium-common.local.

https://github.com/netblue30/firejail/blob/0.9.64.4/etc/profile-a-l/electron.profile#L21-L23
https://github.com/netblue30/firejail/blob/0.9.64.4/etc/profile-a-l/chromium-common.profile#L33-L35

Which will set

```
caps.drop all
nonewprivs
noroot
protocol unix,inet,inet6,netlink
seccomp !chroot
```

https://github.com/netblue30/firejail/blob/0.9.64.4/etc/inc/chromium-common-hardened.inc

And you can remove the suid bit from chrome-sandbox and bwrap.
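The recipe in the comment above has three moving parts: unprivileged user namespaces must be enabled (otherwise Electron falls back to the setuid chrome-sandbox helper, which `nonewprivs`/`seccomp`/`caps.drop all` block), the include line differs by firejail version, and the now-unneeded suid bits can be stripped. The script below is an added example, not firejail's code, that checks and applies those steps. The sysctl node, the version cut-off (0.9.66, taken from the comment above), and the helper paths in `suid_helpers` are assumptions for illustration; `write_locals` takes the target directory as a parameter so it can be exercised against a temp dir instead of /etc/firejail.

```shell
#!/bin/sh
# Added example (not firejail's own code) for the recipe above: check whether
# unprivileged user namespaces are enabled, print the version-correct include
# line for the hardened chromium profile, drop it into electron.local and
# chromium-common.local, and list sandbox helpers that still carry the suid
# bit. All file paths are parameters or assumptions for illustration.

# userns_clone_enabled [FILE]
# 0 if the Debian/Arch knob kernel.unprivileged_userns_clone is 1. Mainline
# kernels have no such file (user namespaces are then governed by
# user.max_user_namespaces, not by this knob), so the function returns 0.
userns_clone_enabled() {
    f=${1:-/proc/sys/kernel/unprivileged_userns_clone}
    [ -e "$f" ] || return 0
    [ "$(cat "$f")" = "1" ]
}

# hardened_include VERSION
# The include file gained a .profile suffix in firejail 0.9.66 (per the
# comment above), so the line to add depends on the installed version.
hardened_include() {
    lowest=$(printf '%s\n' 0.9.66 "$1" | sort -V | head -n 1)
    if [ "$lowest" = "0.9.66" ]; then
        echo 'include chromium-common-hardened.inc.profile'
    else
        echo 'include chromium-common-hardened.inc'
    fi
}

# write_locals DIR VERSION
# Append the include line to DIR/electron.local and DIR/chromium-common.local
# (DIR is /etc/firejail in real use). Idempotent: an existing line is kept.
write_locals() {
    line=$(hardened_include "$2")
    for f in electron.local chromium-common.local; do
        grep -q -x -F "$line" "$1/$f" 2>/dev/null || printf '%s\n' "$line" >> "$1/$f"
    done
}

# suid_helpers
# Print the chromium sandbox helpers that are still setuid. The paths are
# common locations, assumed here; adjust for your distribution. With
# unprivileged userns enabled the suid bit can be removed (chmod u-s).
suid_helpers() {
    for h in /usr/bin/bwrap /usr/lib/chromium/chrome-sandbox \
             /usr/lib/electron/chrome-sandbox /usr/share/codium/chrome-sandbox; do
        [ -u "$h" ] && echo "$h"
    done
    return 0
}

# Usage: sudo ./harden-electron.sh FIREJAIL_VERSION [DIR]
main() {
    version=${1:?usage: $0 FIREJAIL_VERSION [DIR]}
    dir=${2:-/etc/firejail}
    if userns_clone_enabled; then
        echo "unprivileged userns: enabled"
    else
        echo "unprivileged userns: disabled; set sysctl kernel.unprivileged_userns_clone=1 first"
        return 1
    fi
    write_locals "$dir" "$version"
    echo "added '$(hardened_include "$version")' to $dir/electron.local and $dir/chromium-common.local"
    echo "setuid helpers to consider stripping:"
    suid_helpers
}

case $# in
    0) ;;
    *) main "$@" ;;
esac
```

The script refuses to write the .local files while user namespaces are disabled, because in that state chromium-common-hardened.inc (`nonewprivs` plus `seccomp !chroot`) would stop the setuid helper from executing and the application would fail exactly as described in this issue.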
Codium (v1.58.2) doesn't run with firejail anymore.

When I run

```
firejail --profile=/etc/firejail/vscodium.profile /usr/bin/codium
```

I get:

with the only thing in syslog being this:

```
kernel: [...] traps: codium[...] trap int3 ip:... sp:... error:0 in codium[...]
```

Furthermore, the profile should be renamed to codium.profile as vscodium has been renamed: #3871.

Bug and expected behavior

I expected it to start VsCodium like it used to, but it didn't.

No profile and disabling firejail

Reproduce

Steps to reproduce the behavior:

```
firejail --profile=/etc/firejail/vscodium.profile /usr/bin/codium
```

Environment

Additional context

Checklist

- https://github.com/netblue30/firejail/issues/1139
- `--profile=PROFILENAME` is used to set the right profile.
- `LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 PROGRAM` to get English error messages.
- `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers.
- debug output

```
[...]
Active seccomp files: cat /run/firejail/mnt/seccomp/seccomp.list
/run/firejail/mnt/seccomp/seccomp.protocol
/run/firejail/mnt/seccomp/seccomp.32
/run/firejail/mnt/seccomp/seccomp
Dropping all capabilities
noroot user namespace installed
Dropping all capabilities
NO_NEW_PRIVS set
Drop privileges: pid 1, uid 1000, gid 1000, nogroups 1
No supplementary groups
Starting application
LD_PRELOAD=(null)
execvp argument 0: /usr/bin/codium
Child process initialized in ... ms
Installing /run/firejail/mnt/seccomp/seccomp seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter
monitoring pid 6
Sandbox monitor: waitpid 6 retval 6 status 0
Sandbox monitor: monitoring 23
monitoring pid 23
Sandbox monitor: waitpid 23 retval 23 status 5
Sandbox monitor: monitoring 25
monitoring pid 25
Sandbox monitor: waitpid 25 retval 25 status 0
Parent is shutting down, bye...
```