netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

vscodium: cannot use sudo nor ssh #5480

Closed g4njawizard closed 1 year ago

g4njawizard commented 1 year ago

Hi, I am still a noob in terms of Firejail configuration. I have AppArmor and Firejail enabled and I can use it with Firefox or Thunderbird, but when I try to use codium, I have some problems. When I run codium with the default profile, codium is way too restricted. I can't sudo, nor access .ssh or other directories that are important for my tests or for pushing to GitHub etc. So I've built a custom profile with whitelist rules. Unfortunately I cannot start codium with my custom profile.

my profile:

# Save this file as "application.profile" (change "application" with the
# program name) in ~/.config/firejail directory. Firejail will find it
# automatically every time you sandbox your application.
#
# Run "firejail application" to test it. In the file there are
# some other commands you can try. Enable them by removing the "#".

# Firejail profile for codium
# Persistent local customizations
include codium.local
# Persistent global definitions
include globals.local

### Basic Blacklisting ###
### Enable as many of them as you can! A very important one is
### "disable-exec.inc". This will make among other things your home
### and /tmp directories non-executable.
#include disable-common.inc # dangerous directories like ~/.ssh and ~/.gnupg
#include disable-devel.inc  # development tools such as gcc and gdb
#include disable-exec.inc   # non-executable directories such as /var, /tmp, and /home
#include disable-interpreters.inc   # perl, python, lua etc.
include disable-programs.inc    # user configuration for programs such as firefox, vlc etc.
#include disable-shell.inc  # sh, bash, zsh etc.
#include disable-xdg.inc    # standard user directories: Documents, Pictures, Videos, Music

### Home Directory Whitelisting ###
### If something goes wrong, this section is the first one to comment out.
### Instead, you'll have to relay on the basic blacklisting above.
whitelist ${HOME}/.zsh_history
whitelist ${HOME}/.local/bin
whitelist ${HOME}/.zcompdump-mjolnir-5.9.zwc
whitelist ${HOME}/.zcompdump-mjolnir-5.9
whitelist ${HOME}/.oh-my-zsh
whitelist ${HOME}/.zshrc
whitelist ${HOME}/.gitconfig
whitelist ${HOME}/.config/git
whitelist ${HOME}/git
whitelist ${HOME}/.ssh
whitelist ${HOME}/.pki/nssdb
whitelist ${HOME}/.local/share/mime
whitelist ${HOME}/git/.vscode
whitelist ${HOME}/.ssh/.vscode
whitelist ${HOME}/.cache/mesa_shader_cache
whitelist ${HOME}/.Xdefaults-mjolnir
whitelist ${HOME}/.config/VSCodium
whitelist ${HOME}/.vscode-oss
include whitelist-common.inc

### Filesystem Whitelisting ###
whitelist /run/systemd/resolve/io.systemd.Resolve
whitelist /run/udev/control
include whitelist-run-common.inc
whitelist ${RUNUSER}/vscode-ipc-a5c72f62-960e-4857-a8fa-c6a2c097b54d.sock
whitelist ${RUNUSER}/at-spi/bus_0
include whitelist-runuser-common.inc
whitelist /usr/share/zsh
whitelist /usr/share/xfce4
whitelist /usr/share/codium
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

#apparmor   # if you have AppArmor running, try this one!
caps.drop all
ipc-namespace
netfilter
#no3d   # disable 3D acceleration
#nodvd  # disable DVD and CD devices
#nogroups   # disable supplementary user groups
#noinput    # disable input devices
nonewprivs
#noroot
#notv   # disable DVB TV devices
#nou2f  # disable U2F devices
#novideo    # disable video capture devices
protocol unix,inet,inet6,netlink,
#net eth0
netfilter
seccomp !chroot # allowing chroot, just in case this is an Electron app
shell none
#tracelog   # send blacklist violations to syslog

#disable-mnt    # no access to /mnt, /media, /run/mount and /run/media
private-bin sleep,cat,sed,bash,ps,ssh-add,diff,ls,wc,rm,mkdir,zsh,git,dirname,readlink,id,grep,dash,env,
#private-cache  # run with an empty ~/.cache directory
private-dev
private-etc ssl,zsh,terminfo,gitconfig,passwd,alpine-release,shells,resolv.conf,os-release,debian_version,libva.conf,drirc,nsswitch.conf,hosts,xdg,gtk-3.0,fonts,login.defs,selinux,
#private-lib
#private-tmp
# File accessed in /tmp directory:
# /tmp/ssh-XXXXXXxN7FIE/agent.2530278,/tmp/odin-codium-zsh/.zlogin,/tmp/odin-codium-zsh/.zshenv,/tmp/odin-codium-zsh/.zprofile,/tmp/odin-codium-zsh/.zshrc,/tmp/.org.chromium.Chromium.Kp0z5c,/tmp/.org.chromium.Chromium.UZUvmQ,
#dbus-user none
#dbus-system none

#memory-deny-write-execute

When I try to run codium

user@notebook# codium
Reading profile /home/odin/.config/firejail/codium.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Warning: networking feature is disabled in Firejail configuration file
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 2517658, child pid 2517659
19 programs installed in 42.63 ms
Warning: skipping gitconfig for private /etc
Warning: skipping alpine-release for private /etc
Warning: skipping libva.conf for private /etc
Warning: skipping drirc for private /etc
Private /etc installed in 33.17 ms
Private /usr/etc installed in 0.00 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: cleaning all supplementary groups
Child process initialized in 198.91 ms
Error: no suitable /usr/bin/codium executable found

Parent is shutting down, bye...

ll /usr/bin/codium
lrwxrwxrwx 1 root root 28 Nov 11 05:17 /usr/bin/codium -> /usr/share/codium/bin/codium

Is there something like a learning mode for profile building? So I can run codium and firejail tracks everything the application uses?

firejail version 0.9.70

smitsohu commented 1 year ago

Your profile has a commented line #include disable-common.inc, but when you run Firejail it reports Reading profile /etc/firejail/disable-common.inc. So we have a mismatch here. Can you please verify the pasted profile is correct?

It might be easier to adapt the codium profile shipped by Firejail to your needs, rather than build a new profile from scratch (even though that's admittedly more fun). To enable ssh, you probably will need to add include allow-ssh.inc. Maybe it helps to take a look at the other rules in ssh.profile?

Allowing sudo inside a sandbox is quite painful; it is possible to get this running, but you will need to water down the sandbox very significantly. If you are ok with this, add to the profile:

ignore caps.drop all  # from your pasted profile
ignore caps.keep  # capability list from electron.profile is not sufficient for sudo
ignore nonewprivs
ignore protocol  # implemented using seccomp
ignore seccomp
ignore private-bin  # nosuid mount
ignore private-lib  # without private-bin, private-lib is not as automagical, so this needs more tuning
smitsohu commented 1 year ago

Is there something like a learning mode for profile building? So I can run codium and firejail tracks everything the application uses?

--build, --trace and --tracelog options do this. But it doesn't work with all applications.

g4njawizard commented 1 year ago
odin@mjolnir:~/git/ansible|⇒  codium
Reading profile /etc/firejail/codium.profile
Reading profile /etc/firejail/vscodium.profile
Reading profile /etc/firejail/code.profile
Reading profile /etc/firejail/allow-common-devel.inc
Reading profile /etc/firejail/electron.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Warning: networking feature is disabled in Firejail configuration file
Reading profile /etc/firejail/allow-ssh.inc
Parent pid 129439, child pid 129440
Child process initialized in 126.27 ms

I still have the same error, despite the fact that it is reading allow-ssh.inc:

2023-02-08 08:45:52.976 [info] Warning: an existing sandbox was detected. /usr/bin/ssh will run without any additional sandboxing features
Error: no suitable /usr/bin/ssh executable found
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

The profiles that have been loaded:

user@workstation:~/git/ansible|⇒  cat /etc/firejail/codium.profile 
# Firejail profile alias for VSCodium
# This file is overwritten after every install/update
# Persistent local customizations
include codium.local
# Persistent global definitions
# added by included profile
#include globals.local

# Redirect
include vscodium.profile
user@workstation:~/git/ansible|⇒  cat /etc/firejail/vscodium.profile
# Firejail profile alias for VSCodium
# This file is overwritten after every install/update
# Persistent local customizations
include vscodium.local
# Persistent global definitions
# added by included profile
#include globals.local

noblacklist ${HOME}/.VSCodium
noblacklist ${HOME}/.config/VSCodium

# Redirect
include code.profile
include allow-ssh.inc
user@workstation:~/git/ansible|⇒  cat /etc/firejail/code.profile 
# Firejail profile for Visual Studio Code
# This file is overwritten after every install/update
# Persistent local customizations
include code.local
# Persistent global definitions
include globals.local

# Disabled until someone reported positive feedback
ignore include disable-devel.inc
ignore include disable-exec.inc
ignore include disable-interpreters.inc
ignore include disable-xdg.inc
ignore whitelist ${DOWNLOADS}
ignore whitelist ${HOME}/.config/Electron
ignore whitelist ${HOME}/.config/electron*-flag*.conf
ignore include whitelist-common.inc
ignore include whitelist-runuser-common.inc
ignore include whitelist-usr-share-common.inc
ignore include whitelist-var-common.inc
ignore apparmor
ignore disable-mnt
ignore dbus-user none
ignore dbus-system none

noblacklist ${HOME}/.config/Code
noblacklist ${HOME}/.config/Code - OSS
noblacklist ${HOME}/.vscode
noblacklist ${HOME}/.vscode-oss

# Allows files commonly used by IDEs
include allow-common-devel.inc

nosound

# Disabling noexec ${HOME} for now since it will
# probably interfere with running some programmes
# in VS Code
# noexec ${HOME}
noexec /tmp

# Redirect
include electron.profile
user@workstation:~/git/ansible|⇒  
glitsj16 commented 1 year ago

2023-02-08 08:45:52.976 [info] Warning: an existing sandbox was detected. /usr/bin/ssh will run without any additional sandboxing features

This warning might be important to double-check. It usually means that you're using firecfg, which creates symlinks under /usr/local/bin/foo to the firejail binary, usually located at /usr/bin/firejail. Or you've created similar symlinks yourself. Either way, if you have a /usr/local/bin/ssh, try to move it out of the way for testing (temporarily rename it) and post the output from the below command here please:

$ firejail --ignore=quiet /usr/bin/codium
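As an added illustration of the check glitsj16 suggests (this is not code from the thread or from Firejail): the function below walks every directory in a search path, lists each entry named like the command, and marks those that are symlinks resolving to a binary called firejail, which is what firecfg creates under /usr/local/bin. The two fixture directories, the fake firejail binary and the fake ssh are constructed here purely for the demonstration; in practice you would pass your real PATH.

```shell
#!/bin/sh
# Added example: find out which "ssh" (or any command) the shell will actually
# run, and whether that entry is a firecfg-style symlink to the firejail binary.

# firecfg_shadowed NAME [SEARCH_PATH]
# Prints every SEARCH_PATH entry that provides NAME, tagging firejail wrappers.
# Returns 0 if the first match (the one that would be executed) is a symlink
# to a binary named firejail, 1 otherwise. SEARCH_PATH defaults to $PATH.
firecfg_shadowed() {
    name=$1
    search=${2:-$PATH}
    first_is_wrapper=1
    seen_first=0
    old_ifs=$IFS
    IFS=:
    set -- $search          # split the search path on ':' once
    IFS=$old_ifs
    for dir in "$@"; do
        [ -n "$dir" ] || continue            # empty entry means "." -- skip it
        candidate="$dir/$name"
        [ -e "$candidate" ] || continue
        if [ -L "$candidate" ] && \
           [ "$(basename "$(readlink -f "$candidate")")" = firejail ]; then
            tag="firejail wrapper (firecfg-style symlink)"
            [ "$seen_first" -eq 0 ] && first_is_wrapper=0
        else
            tag="regular binary"
        fi
        seen_first=1
        printf '%-48s %s\n' "$candidate" "$tag"
    done
    return "$first_is_wrapper"
}

# Constructed fixture: a fake firejail, a fake "real" ssh, and a firecfg-style
# symlink local/bin/ssh -> firejail, mirroring /usr/local/bin vs /usr/bin.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/local/bin" "$root/bin"
    printf '#!/bin/sh\necho fake firejail\n' > "$root/bin/firejail"
    printf '#!/bin/sh\necho real ssh\n' > "$root/bin/ssh"
    chmod +x "$root/bin/firejail" "$root/bin/ssh"
    ln -s "$root/bin/firejail" "$root/local/bin/ssh"
    printf '%s\n' "$root"
}

fixture=$(make_fixture)
echo "== with the firecfg symlink first in the search path:"
if firecfg_shadowed ssh "$fixture/local/bin:$fixture/bin"; then
    echo "-> ssh is shadowed by a firejail wrapper; move it aside while testing"
fi
echo "== after renaming the symlink out of the way:"
mv "$fixture/local/bin/ssh" "$fixture/local/bin/ssh.disabled"
if ! firecfg_shadowed ssh "$fixture/local/bin:$fixture/bin"; then
    echo "-> ssh now resolves to the real binary"
fi
rm -rf "$fixture"
```

On a real system run `firecfg_shadowed ssh` with no second argument; the first line of output is the file that git (and Codium) will execute, and a "firejail wrapper" tag there explains the "an existing sandbox was detected" message: the inner firejail sees it is already inside a sandbox and does not apply a second profile.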
g4njawizard commented 1 year ago

codium has now lost its connection to the internet, but I haven't changed the config.

When I move the ssh file and run codium, I see the following:

odin@mjolnir:~|⇒  firejail --ignore=quiet /usr/bin/codium           
Reading profile /etc/firejail/codium.profile
Reading profile /etc/firejail/vscodium.profile
Reading profile /etc/firejail/code.profile
Reading profile /etc/firejail/allow-common-devel.inc
Reading profile /etc/firejail/electron.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Warning: networking feature is disabled in Firejail configuration file
Reading profile /etc/firejail/allow-ssh.inc
Parent pid 156435, child pid 156436
Child process initialized in 122.72 ms

Parent is shutting down, bye...

Inside Codium:

> git pull --tags origin main
error: cannot run ssh: No such file or directory
fatal: unable to fork
kmk3 commented 1 year ago

@g4njawizard on Feb 9:

codium has now lost its connection to the internet, but I haven't changed the config.

When I move the ssh file and run codium, I see the following:

odin@mjolnir:~|⇒  firejail --ignore=quiet /usr/bin/codium           
Reading profile /etc/firejail/codium.profile
Reading profile /etc/firejail/vscodium.profile
Reading profile /etc/firejail/code.profile
Reading profile /etc/firejail/allow-common-devel.inc
Reading profile /etc/firejail/electron.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Warning: networking feature is disabled in Firejail configuration file
Reading profile /etc/firejail/allow-ssh.inc
Parent pid 156435, child pid 156436
Child process initialized in 122.72 ms

Parent is shutting down, bye...

Inside Codium:

> git pull --tags origin main
error: cannot run ssh: No such file or directory
fatal: unable to fork

The issue appears to be that allow-ssh.inc is being included after (rather than before) the disable-*.inc files. See also profile.template.

Unless you intend to override an entire profile, it's recommended to put the changes in a .local file instead of overriding .profile files.

This also makes it easier to see what exactly was changed.

Try this: Remove all modifications from related .profile files in /etc/firejail and add the following to ~/.config/firejail/code.local:

include allow-ssh.inc
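To make the ordering point concrete, here is an added example (not code from the thread or from Firejail) that flattens a profile chain by following its `include` lines and then flags every `noblacklist PATH` that appears after a `blacklist` of the same path; Firejail processes profile lines in order, so such a `noblacklist` comes too late to cancel the earlier `blacklist`. The miniature disable-common.inc, allow-ssh.inc, code.profile and vscodium.profile are constructed stand-ins for the shipped files, all includes are resolved against a single directory rather than /etc/firejail plus ~/.config/firejail, and paths are compared as literal strings with `${HOME}` left unexpanded.

```shell
#!/bin/sh
# Added example: flatten a Firejail profile chain and check noblacklist ordering.

# flatten_profile FILE DIR
# Print FILE with every "include X" replaced by the contents of DIR/X,
# recursively. A missing include is skipped with a comment, which is how
# Firejail treats an absent .local file.
flatten_profile() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "include "*)
                inc=${line#include }
                if [ -f "$2/$inc" ]; then
                    flatten_profile "$2/$inc" "$2"
                else
                    printf '# (skipped missing include: %s)\n' "$inc"
                fi
                ;;
            *)
                printf '%s\n' "$line"
                ;;
        esac
    done < "$1"
}

# lint_order FILE DIR
# Report every noblacklist that follows a blacklist for the same path in the
# flattened output (line numbers refer to the flattened listing). Returns 1 if
# any such ineffective noblacklist was found, 0 otherwise.
lint_order() {
    flatten_profile "$1" "$2" | awk '
        BEGIN { bad = 0 }
        $1 == "blacklist" { blocked[$2] = NR }
        $1 == "noblacklist" && ($2 in blocked) {
            printf "line %d: \"noblacklist %s\" comes after \"blacklist %s\" (line %d) and has no effect\n", \
                   NR, $2, $2, blocked[$2]
            bad = 1
        }
        END { exit bad }'
}

# make_fixture edited|local
# Constructed stand-ins for the files discussed in the thread.
make_fixture() {
    root=$(mktemp -d)
    printf 'blacklist ${HOME}/.ssh\nblacklist ${HOME}/.gnupg\n' > "$root/disable-common.inc"
    printf 'noblacklist ${HOME}/.ssh\n' > "$root/allow-ssh.inc"
    # Like the shipped code.profile: the .local is read first, blacklists later.
    printf 'include code.local\ninclude disable-common.inc\n' > "$root/code.profile"
    if [ "$1" = edited ]; then
        # The edit from the thread: allow-ssh.inc appended after the redirect.
        printf 'include code.profile\ninclude allow-ssh.inc\n' > "$root/vscodium.profile"
    else
        # The suggested fix: leave vscodium.profile alone, use code.local instead.
        printf 'include code.profile\n' > "$root/vscodium.profile"
        printf 'include allow-ssh.inc\n' > "$root/code.local"
    fi
    printf '%s\n' "$root"
}

for mode in edited local; do
    dir=$(make_fixture "$mode")
    echo "== $mode: flattened vscodium.profile"
    flatten_profile "$dir/vscodium.profile" "$dir"
    if lint_order "$dir/vscodium.profile" "$dir"; then
        echo "-> order OK: ~/.ssh is reachable inside the sandbox"
    else
        echo "-> problem: ~/.ssh stays blacklisted"
    fi
    rm -rf "$dir"
done
```

Running it prints the two flattened chains side by side: in the `edited` variant the `noblacklist ${HOME}/.ssh` lands on the last line, after the blacklist, and is reported; in the `local` variant it is the first line, before any disable-*.inc content, and the lint passes. The same two functions can be pointed at /etc/firejail and a real profile to see the order Firejail will actually apply.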
g4njawizard commented 1 year ago

Thanks for that! SSH works now. Do you know what setting I need to enable network connection for plugins?

kmk3 commented 1 year ago

@g4njawizard on Feb 9:

Thanks for that! SSH works now.

No problem.

Do you know what setting I need to enable network connection for plugins?

Warning: networking feature is disabled in Firejail configuration file

Did you change the network option in /etc/firejail/firejail.config?

g4njawizard commented 1 year ago

I don't remember if I've set it, or if it is the default:

firejail.config:

#network yes
restricted-network yes

Do I have to create a namespace and allow specific programs in that namespace network access?

kmk3 commented 1 year ago

@g4njawizard on Feb 9:

I don't remember if I've set it, or if it is the default:

firejail.config:

#network yes
restricted-network yes

See the description:

# Enable or disable restricted network support, default disabled. If enabled,
# networking features should also be enabled (network yes).
# Restricted networking grants access to --interface, --net=ethXXX and
# --netfilter only to root user. Regular users are only allowed --net=none.
# restricted-network no

Do I have to create a namespace and allow specific programs in that namespace network access?

I don't think so, unless you are doing something firewall-related.

g4njawizard commented 1 year ago

You're right. I've done it in the past with the idea of allowing single applications to access the network. But I never configured something in that way and forgot about it. Thanks for the support!