netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

firefox: cannot open new URLs into running instance #4670

Closed Lonniebiz closed 2 years ago

Lonniebiz commented 2 years ago

Firejail version: 0.9.62

Kubuntu 20.04 recently auto-updated to Firefox 94. Ever since, I can no longer launch URLs via the command line like this: firejail firefox https://github.com &

I posted this issue over at AskUbuntu : https://askubuntu.com/questions/1373963/

Actually, it will launch fine if Firefox is completely closed, but none of my hot keys that launch additional pages work anymore.

This may not be a firejail bug, but I was hoping that posting here might lead to me finding a good work around. Please check out the link above. I appreciate it!

kmk3 commented 2 years ago

@Lonniebiz commented on Nov 6:

Kubuntu 20.04 recently auto-updated to Firefox 94. Ever since, I can no longer launch URLs via the command line like this: firejail firefox https://github.com &

I posted this issue over at AskUbuntu : https://askubuntu.com/questions/1373963/

Actually, it will launch fine if Firefox is completely closed, but none of my hot keys that launch additional pages work anymore.

This may not be a firejail bug, but I was hoping that posting here might lead to me finding a good work around. Please check out the link above. I appreciate it!

Please follow the bug template:

Does it help if both invocations use the same sandbox? Example:

firejail --name=firefox1 firefox
firejail --join=firefox1 firefox https://github.com &

Lonniebiz commented 2 years ago

firejail version 0.9.62 Kubuntu 20.04 Firefox 94.0

@kmk3 First of all, I really appreciate your attention to the matter. This issue (no matter what is causing it) is pretty important to my workflow. You see, I'm accustomed to launching websites I frequent with hotkeys facilitated by autokey.

So, I'm not typing these commands in directly, it is a python script within autokey that is sending the commands to the terminal. That script is only two lines:

import os
os.system("firejail firefox https://github.com/ &")

However, for the test you've requested, I'm going to copy and paste those lines (one at a time) directly into the terminal:

firejail --name=firefox1 firefox
firejail --join=firefox1 firefox https://github.com &

Result: The first line launched the browser like normal. However, when I entered the second command, I got this error:

Firefox is already running, but is not responding. To use Firefox, you must first close the existing Firefox process, restart your device, or use a different profile.

Output:

user@pc1:~$ firejail --name=firefox1 firefox &
[1] 8361
user@pc1:~$ Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 8361, child pid 8362
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Post-exec seccomp protector enabled
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Child process initialized in 78.76 ms

** (firefox:9): WARNING **: 14:46:29.227: Unable to connect to dbus: Could not connect: Permission denied

(firefox:9): GLib-GIO-CRITICAL **: 14:46:29.316: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(firefox:9): GLib-GIO-CRITICAL **: 14:46:29.316: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(firefox:9): GLib-GIO-CRITICAL **: 14:46:29.316: g_dbus_connection_get_unique_name: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(firefox:9): GLib-GIO-CRITICAL **: 14:46:30.267: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(firefox:9): GLib-GIO-CRITICAL **: 14:46:30.267: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(firefox:9): GLib-GIO-CRITICAL **: 14:46:30.267: g_dbus_connection_get_unique_name: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(firefox:9): GLib-GIO-CRITICAL **: 14:46:31.238: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(firefox:9): GLib-GIO-CRITICAL **: 14:46:31.238: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(firefox:9): GLib-GIO-CRITICAL **: 14:46:31.238: g_dbus_connection_get_unique_name: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(firefox:9): GLib-GIO-CRITICAL **: 14:46:31.937: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(firefox:9): GLib-GIO-CRITICAL **: 14:46:31.937: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(firefox:9): GLib-GIO-CRITICAL **: 14:46:31.937: g_dbus_connection_get_unique_name: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

firejail --join=firefox1 firefox https://github.com
Switching to pid 8362, the first child process inside the sandbox
Child process initialized in 10.87 ms

** (firefox:468): WARNING **: 14:47:19.745: Unable to connect to dbus: Could not connect: Permission denied

(firefox:468): GLib-GIO-CRITICAL **: 14:47:19.858: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(firefox:468): GLib-GIO-CRITICAL **: 14:47:19.859: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(firefox:468): GLib-GIO-CRITICAL **: 14:47:19.859: g_dbus_connection_get_unique_name: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(firefox:468): GLib-GIO-CRITICAL **: 14:47:19.863: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(firefox:468): GLib-GIO-CRITICAL **: 14:47:19.863: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(firefox:468): GLib-GIO-CRITICAL **: 14:47:19.863: g_dbus_connection_get_unique_name: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(firefox:468): GLib-GIO-CRITICAL **: 14:47:20.784: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(firefox:468): GLib-GIO-CRITICAL **: 14:47:20.784: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(firefox:468): GLib-GIO-CRITICAL **: 14:47:20.784: g_dbus_connection_get_unique_name: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

###!!! [Child][RunMessage] Error: Channel closing: too late to send/recv, messages will be lost

Lonniebiz commented 2 years ago

Submitted to Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1739919

kmk3 commented 2 years ago

@Lonniebiz commented on Nov 7:

firejail version 0.9.62

That version is old and potentially vulnerable to 3 CVEs; see:

Kubuntu 20.04

Firefox 94.0

There is more to the template than the environment section and I don't feel like copy pasting parts of it here.

The generic advice would be to try commenting parts of the relevant profiles to narrow down the issue.

Other than that, there are a few similar-looking issues that may be of help:

rusty-snake commented 2 years ago

firejail version 0.9.62

Does firefox 64 use the (native) Wayland backend? (context #3290)

RolKau commented 2 years ago

I had this exact problem using Firefox 94 under Ubuntu Focal 20.04. Firejail 0.9.62 is the version in the Ubuntu repository. Upgrading to Firejail 0.9.66 (through using the 'deki' PPA) seems to have fixed it.

ibhagwan commented 2 years ago

I'm having a similar issue, Firefox 94.0 and firejail 0.9.66:

~ ❯ firejail --version
firejail version 0.9.66

Compile time support:
        - always force nonewprivs support is disabled
        - AppArmor support is enabled
        - AppImage support is enabled
        - chroot support is enabled
        - D-BUS proxy support is enabled
        - file and directory whitelisting support is enabled
        - file transfer support is enabled
        - firetunnel support is enabled
        - networking support is enabled
        - output logging is enabled
        - overlayfs support is disabled
        - private-home support is enabled
        - private-cache and tmpfs as user enabled
        - SELinux support is disabled
        - user namespace support is enabled
        - X11 sandboxing support is enabled

~ ❯ firejail --join=firefox firefox --new-tab https://hover.com
Switching to pid 1511, the first child process inside the sandbox
Child process initialized in 6.71 ms
ATTENTION: default value of option mesa_glthread overridden by environment.
JavaScript error: resource://gre/modules/XULStore.jsm, line 66: Error: Can't find profile directory.
JavaScript error: resource://gre/modules/XULStore.jsm, line 66: Error: Can't find profile directory.
JavaScript error: resource://gre/modules/XULStore.jsm, line 66: Error: Can't find profile directory.
JavaScript error: resource://gre/modules/XULStore.jsm, line 66: Error: Can't find profile directory.
JavaScript error: resource://gre/modules/XULStore.jsm, line 66: Error: Can't find profile directory.

^C

Resulting in the below popup inside firefox: [screenshot of the Firefox error dialog]

RolKau commented 2 years ago

@ibhagwan Where do your Firejail profiles come from? For me, they are in a companion package named firejail-profiles that I also had to upgrade (if you are on a Debian-derivative system you can for instance see which version you have with a command like apt-cache policy $(dpkg -S /etc/firejail/firefox.profile | cut -d: -f1))

ibhagwan commented 2 years ago

@ibhagwan Where do your Firejail profiles come from? For me, they are in a companion package named firejail-profiles that I also had to upgrade (if you are on a Debian-derivative system you can for instance see which version you have with a command like apt-cache policy $(dpkg -S /etc/firejail/firefox.profile | cut -d: -f1))

@RolKau, my profiles came with the default firejail package on void linux:

~ ❯ xbps-query -l | grep firejail
ii firejail-0.9.66_1                       SUID security sandbox program
~ ❯ xbps-query -f firejail  | grep firefox
/etc/firejail/firefox-beta.profile
/etc/firejail/firefox-common-addons.profile
/etc/firejail/firefox-common.profile
/etc/firejail/firefox-developer-edition.profile
/etc/firejail/firefox-esr.profile
/etc/firejail/firefox-nightly.profile
/etc/firejail/firefox-wayland.profile
/etc/firejail/firefox-x11.profile
/etc/firejail/firefox.profile

RolKau commented 2 years ago

The profiles that are in the Void Linux repository are from this repository, and they match the ones that I have on my installation (from the 'deki' PPA) exactly, so that rules them out as the culprit.

RolKau commented 2 years ago

The options and version from firejail --version are the same, except that my version has the option "SELinux support is enabled" whereas yours (@ibhagwan, that is) has "SELinux support is disabled". I am not qualified to say if that is relevant.

Lonniebiz commented 2 years ago

Debian 11 Stable firejail-profiles version 0.9.64.4-2

@RolKau I'm having the exact same problem again, now with LibreWolf.

oo-san commented 2 years ago

You must be using an old firefox profile. I encountered the same error, but it works when using the firefox profile bundled with the latest release of firejail (0.9.66).

Adding ignore dbus-user none to an older profile also fixed this problem for me.

ibhagwan commented 2 years ago

You must be using an old firefox profile. I encountered the same error, but it works when using the firefox profile bundled with the latest release of firejail (0.9.66).

Adding ignore dbus-user none to an older profile also fixed this problem for me.

Unfortunately that's not the case, I have firejail 0.9.66 and my firefox command includes --dbus-user=none:

#!/bin/sh
GDK_DPI_SCALE=0.70 firejail --name=firefox --dbus-user=none --keep-config-pulse firefox

glitsj16 commented 2 years ago

Unfortunately that's not the case, I have firejail 0.9.66 and my firefox command includes --dbus-user=none: GDK_DPI_SCALE=0.70 firejail --name=firefox --dbus-user=none --keep-config-pulse firefox

@ibhagwan By using --dbus-user=none in a shell script or on the command line you are breaking the logic of our firefox profiles (aka @oo-san is correct). Let me explain. Firefox uses D-Bus to open URLs in a running instance (instead of starting a second one). Firejail takes this into account in two steps. To tighten the sandbox we first disallow access to both user and system bus by having dbus-user none and dbus-system none in firefox-common.profile. To keep things like URL processing working in a reasonable way we grant access only to a very limited and specific subset of options. Have a look inside your firefox.profile. Near the bottom you'll see:

[...]
dbus-user filter
dbus-user.own org.mozilla.Firefox.*
dbus-user.own org.mozilla.firefox.*
dbus-user.own org.mpris.MediaPlayer2.firefox.*
[...]
ignore dbus-user none

# Redirect
include firefox-common.profile

The first four lines define that we want to grant access to these specific addresses on the user bus only. The ignore dbus-user none just before the redirect is needed to compensate for fully disabling all D-Bus access from inside the sandbox. I hope this clears things up a bit. What happens when you use the below in your shell script?

GDK_DPI_SCALE=0.70 firejail --name=firefox --keep-config-pulse firefox

ibhagwan commented 2 years ago

@glitsj16 tysm for the explanation, it does help clear things up a bit.

I just tried running without the --dbus-user=none and then ran the following command:

~ ❯ firejail --join=firefox firefox --new-tab https://hover.com
Switching to pid 1980, the first child process inside the sandbox
Child process initialized in 7.21 ms
ATTENTION: default value of option mesa_glthread overridden by environment.
JavaScript error: resource://gre/modules/XULStore.jsm, line 66: Error: Can't find profile directory.
JavaScript error: resource://gre/modules/XULStore.jsm, line 66: Error: Can't find profile directory.
JavaScript error: resource://gre/modules/XULStore.jsm, line 66: Error: Can't find profile directory.
JavaScript error: resource://gre/modules/XULStore.jsm, line 66: Error: Can't find profile directory.
JavaScript error: resource://gre/modules/XULStore.jsm, line 66: Error: Can't find profile directory.
^C

And this is what I get inside firefox (basically same result): [screenshot of the same Firefox error dialog]

glitsj16 commented 2 years ago

@ibhagwan I don't have a straightforward do-this-and-it-will-work answer to your issue at the moment. IMO your firejail profiles are fine and you should keep avoiding --dbus-user=none as explained above. Two remarks for further consideration.

ibhagwan commented 2 years ago

The consecutive Error: Can't find profile directory messages are a bit unusual (at least to me). I assume your Firefox profile(s) setup is something you've already checked, but to rule this out you could do a quick test with a clean FF copy.

I will try that.

Something we haven't touched upon is your desktop environment. I'm specifically interested to know if you happen to use a mixed X11/Wayland setup. If so, you can try adding MOZ_DBUS_REMOTE=1 to the mix. See this short but very informative page from Firefox Guru Martin Stransky's blog. Either add --env=MOZ_DBUS_REMOTE=1 on the command line/in your shell script or set env MOZ_DBUS_REMOTE=1 in a firefox.local override file. Shouldn't take long to see if that does anything positive.

Not using wayland, X11/AwesomeWM straight forward setup.

It's worth noting the same setup worked for a long time and then one day stopped working, I can't pinpoint whether it was a firefox update or firejail update that caused this, since then I switched my xdg-open config to open in ungoogled-chromium instead which is also firejailed and works fine.

glitsj16 commented 2 years ago

@ibhagwan Thanks for informing us on your specific setup. I do recognize what you describe. The feeling of noticing something broke and not being able to pinpoint stuff. Been there many times, and it keeps happening, no matter how many things one keeps logs of :-). If no one tunes in here with the 'magic bullet' fix and you'd like to return to Firefox in your xdg-open, you could check if firejail-handler-http suits your needs. I wrote these shell scripts specifically to run Firefox in a firejail sandbox with full blocking of D-Bus before we integrated xdg-dbus-proxy into Firejail. They still work okay, if one can live with the usability/workflow impact...

Lonniebiz commented 2 years ago

Firejail, please fix this same issue as it pertains to the LibreWolf version 95 AppImage also.

cockytrumpet commented 2 years ago

So, I'm not typing these commands in directly, it is a python script within autokey that is sending the commands to the terminal. That script is only two lines:

import os
os.system("firejail firefox https://github.com/ &")

However, for the test you've requested, I'm going to copy and paste those lines (one at a time) directly into the terminal:

firejail --name=firefox1 firefox
firejail --join=firefox1 firefox https://github.com &

Result: The first line launched the browser like normal. However, when I entered the second command, I got this error:

Firefox is already running, but is not responding. To use Firefox, you must first close the

does it work if you change your script to

firejail --join=firefox1 firefox --new-tab some-web-site &

I think I'm getting the behavior you are looking for. I don't know how to set this up in KDE, but maybe you can translate my gnome setup to your use.

~/.local/share/applications/Firejail-Firefox.desktop

[Desktop Entry]
Encoding=UTF-8
Version=1.0
Type=Application
Icon=/home/username/Pictures/firejailed_firefox128.png
Exec=/home/username/bin/firefox.sh %u
Name=X11-Firejailed Firefox
Comment=X11-Firejailed Firefox
StartupWMClass=Xephyr
Terminal=false
MimeType=application/pdf;application/vnd.mozilla.xul+xml;application/xhtml+xml;text/html;text/mml;text/xml;x-scheme-handler/ftp;x-scheme-handler/http;x-scheme-handler/https;
StartupNotify=true
Categories=Network;WebBrowser;
Keywords=web;browser;internet;

~/bin/firefox.sh

#!/bin/sh

# Non-empty only when a sandbox named "firefox" is already listed
running_jail=$(firejail --list | grep "name=firefox")

if [ -z "$running_jail" ]; then
    /usr/bin/firejail --x11=xephyr --name=firefox --net=br10 --profile=/etc/firejail/firefox.profile openbox --startup "/usr/lib64/firefox/firefox $1" &
    sleep 5
    /usr/bin/firejail --join=firefox xmodmap -e 'keycode 64 = VoidSymbol VoidSymbol'
else
    /usr/bin/firejail --join=firefox /usr/lib64/firefox/firefox --new-tab "$1"
fi

Set Firejail-Firefox as the default application. xdg-open and right clicking a link in the terminal both work.
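A stricter variant of the launch-or-join check in the script above, added here as an example; it is not cockytrumpet's script and not part of the firejail project. Grepping the sandbox command lines for the substring name=firefox also matches a sandbox called firefox1, so this version splits the firejail --list output on ':' and compares the name field exactly. It assumes the pid:user:name:command listing format; the SAMPLE_LIST constant is constructed for offline testing, and firejail itself is only invoked when the script is run with a URL argument.

```shell
#!/bin/sh
# Added example (not from the issue thread): open a URL in an already
# running Firefox sandbox, or start the sandbox, deciding by exact name.

# Constructed sample of `firejail --list` output (pid:user:name:command),
# used for offline testing; the real listing comes from firejail itself.
SAMPLE_LIST='4711:user::firejail firefox
4812:user:firefox1:firejail --name=firefox1 firefox
4913:user:firefoxwork:firejail --name=firefoxwork firefox'

# sandbox_running NAME LISTING
# Returns 0 when LISTING has a sandbox whose name field equals NAME.
sandbox_running() {
    printf '%s\n' "$2" | awk -F: -v want="$1" '$3 == want { found = 1 } END { exit !found }'
}

# substring_match NAME LISTING
# The check used by the original script, kept only for comparison:
# it also fires on any sandbox whose name merely starts with NAME.
substring_match() {
    printf '%s\n' "$2" | grep -q -- "name=$1"
}

# launch_or_join URL: join the "firefox" sandbox if it exists, else start it.
launch_or_join() {
    url=$1
    listing=$(firejail --list)
    if sandbox_running firefox "$listing"; then
        firejail --join=firefox firefox --new-tab "$url"
    else
        # No --dbus-user=none here: the firefox profile's own dbus-user
        # filter must stay in effect for later --join calls to deliver URLs.
        firejail --name=firefox firefox "$url" &
    fi
}

if [ $# -gt 0 ]; then
    launch_or_join "$1"
fi
```

With the sample listing, substring_match firefox reports a match (because of firefox1) while sandbox_running firefox correctly reports none, which is exactly the case where the original script would try to --join a sandbox that does not exist.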

Druco commented 2 years ago

---------- EDITED ----------:

Sorry about being an idiot, but I forgot that I had made a custom profile for Thunderbird that added the following lines:

# Needed to use kdocker

dbus-user filter
dbus-user.own org.kde.StatusNotifierWatcher
dbus-user.talk org.freedesktop.Notifications

With the "dbus-user filter" line commented out, it works with FF95. Even so, it did work with FF93 even with these lines included, so something did happen between FF93 and FF95.

---------- END EDIT ----------

I am adding this here rather than opening a new bug report because I think it is pretty clearly the same problem.

Description

Attempting to open a URL in Firefox 95 from a link in an email message in Thunderbird causes the same error message as described above (Firefox is already running, but is not responding...) when Firefox and Thunderbird are in sandboxes. Running the identical setup with Firefox 93 works properly, so something has changed between FF93 and FF95.

Steps to reproduce

1) firejail firefox
2) firejail thunderbird
3) In a message in thunderbird, click on a URL to open

Expected behavior

The link opens in the existing firefox instance

Actual behavior

Error message stating "Firefox is already running, but is not responding..."

Environment

OpenSuse Tumbleweed 20220109
Firejail 0.9.66
Firefox 95.02
Thunderbird 91.4.1

Behavior without a profile

Starting Firefox without a profile does not fix the problem, however starting Thunderbird without a profile does. As noted above however, if using Firefox 93 rather than Firefox 95 and the same Thunderbird, both with the same firejail profiles, everything works properly.

Checklist

Notes

sendToFirefox95FromFirejail.txt sendToFirefox93FromFirejail.txt

Druco commented 2 years ago

As a followup to my above comment, I have found a "fix"/kludge that works at least for now in my setup. Using wireshark to monitor the dbus when firefox and thunderbird were started both with and without firejail, I discovered that when a link was being opened from thunderbird it makes an OpenURL() call with a destination of "org.mozilla.firefox.ZGVmYXVsdA" so I tried putting: `dbus-user.talk org.mozilla.firefox.ZGVmYXVsdA` in my local firejail/thunderbird.profile and it worked with firejail.

Now I have no idea where the "ZGVmYXVsdA__" comes from, if it will remain constant across upgrades, or would be different for another user/machine, but for now it works.

I also did a wireshark monitor when using FF 93 (which works without the kludge) and I didn't find this call being made. In fact, I have no idea how FF 93 even got the URL it opened because I couldn't find it in any of the dbus messages in that case. So there was definitely a change between FF 93 and FF 95.

Hopefully this might give a hint to anyone who has a similar problem and more knowledge of dbus messaging than I do.

glitsj16 commented 2 years ago

dbus-user.talk org.mozilla.firefox.ZGVmYXVsdA

Now I have no idea where the "ZGVmYXVsdA" comes from, if it will remain constant across upgrades, or would be different for another user/machine, but for now it works.

You can use globbing to make things persistent: dbus-user.talk org.mozilla.firefox.*

rusty-snake commented 2 years ago

dbus-user.talk org.mozilla.firefox.ZGVmYXVsdA__ in my local firejail/thunderbird.profile and it worked with firejail.

Did you set dbus-user filter? Or where does it come from?

  • [x] I can reproduce this without custom modifications

EDIT: just saw your edit above.

Now I have no idea where the "ZGVmYXVsdA__" comes from, if it will remain constant across upgrades, or would be different for another user/machine, but for now it works.

It's the hash of your profile (and possible firefox installation).

In fact, I have no idea how FF 93 even got the URL it opened because I couldn't find it in any of the dbus messages in that case.

System-V-IPC / X11-Magic

so something did happen between FF93 and FF95.

Traditionally FF used System-V-IPC/X11-Magic for its IPC, but this does not work with Wayland (MOZ_ENABLE_WAYLAND=1); that's why Mozilla implemented a D-Bus based backend for FF's IPC (there are more backends, like for Windows). Maybe they cleaned up the old code and now always use D-Bus.
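The suffix Druco captured is consistent with base64 of the Firefox profile name: base64("default") is ZGVmYXVsdA==, and with the '=' padding (not allowed in a D-Bus name) replaced by '_' it becomes exactly the ZGVmYXVsdA__ seen in the OpenURL() destination. The helper below, added here as an example and not part of the thread or of firejail, derives that bus name from a profile name and writes the wildcard thunderbird.local override glitsj16 suggested (firejail includes ~/.config/firejail/NAME.local from NAME.profile, the same mechanism as the firefox.local mentioned earlier). Mapping '+' and '/' to '_' in addition to '=' is an assumption; the rule lines mirror Druco's custom profile plus glitsj16's glob.

```shell
#!/bin/sh
# Added example (not from the issue thread or the firejail project).

# firefox_dbus_name PROFILE
# Prints the org.mozilla.firefox.* bus name for a Firefox profile name:
# base64 of the name, with characters illegal in D-Bus names replaced by
# '_'. The '=' padding is what the thread shows; '+' and '/' are assumed
# to be mapped the same way.
firefox_dbus_name() {
    encoded=$(printf '%s' "$1" | base64 | tr -d '\n' | tr '+/=' '___')
    printf 'org.mozilla.firefox.%s\n' "$encoded"
}

# write_thunderbird_local DIR
# Writes DIR/thunderbird.local (in real use DIR is ~/.config/firejail).
# The wildcard talk rule covers every Firefox profile's bus name, so it
# keeps working across profile or installation changes, while the
# filter line keeps all other user-bus names blocked.
write_thunderbird_local() {
    out="$1/thunderbird.local"
    cat > "$out" <<'EOF'
# Let Thunderbird hand URLs to a sandboxed Firefox over the session bus.
dbus-user filter
dbus-user.talk org.mozilla.firefox.*
EOF
    printf '%s\n' "$out"
}

# Demo when run directly: the bus name for the "default" profile.
firefox_dbus_name default
```

Run directly, the script prints org.mozilla.firefox.ZGVmYXVsdA__, matching the destination Druco observed; a profile with a different name yields a different suffix, which is why the exact-name rule broke on his setup only by luck and the glob is the durable choice.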

Lonniebiz commented 2 years ago

@RolKau If you have time, please take a look at this related issue.

ibhagwan commented 2 years ago

Not really sure why the old versions of firefox were able to open links properly even with --dbus-user=none, but after the explanation from @glitsj16 I started exploring the dbus angle and after reading #3769 I was able to solve this by removing --dbus-user=none and making sure that I have $DBUS_SESSION_BUS_ADDRESS properly set.

My dbus socket was located in ~/.dbus/session-bus/LONG-ID but I had two files there named <ID>-0 and <ID>-1 (0 being the correct session file) so I added the below to my firefox firejail starting script and now I can open links again in FF:

#!/bin/sh
# Source the session-bus file of the live session (the "*-0" one) so the
# sandboxed Firefox sees the same DBUS_SESSION_BUS_ADDRESS as the desktop.
for f in ~/.dbus/session-bus/*-0; do
    [ -r "$f" ] && . "$f"
done
export DBUS_SESSION_BUS_ADDRESS
GDK_DPI_SCALE=0.70 firejail --name=firefox --keep-config-pulse firefox