netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

vmplayer: cannot work with firejail #5861

Closed MikeNavy closed 1 year ago

MikeNavy commented 1 year ago

Description


Steps to Reproduce


  1. Run in bash LC_ALL=C firejail vmplayer (LC_ALL=C to get a consistent output in English that can be understood by everybody)

Output:

Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
** Note: you can use --noprofile to disable default.profile **
Parent pid 11784, child pid 11785
Child process initialized in 91.13 ms
/usr/bin/vmware-modconfig: line 46: /usr/lib/vmware/bin/vmware-modconfig: Permission denied
Parent is shutting down, bye...

Expected behavior

VMware Workstation Player can be launched with Firejail

Actual behavior

VMware Workstation Player cannot be launched with Firejail

Behavior without a profile

_What changed calling LC_ALL=C firejail --noprofile vmplayer in a terminal?_

Terminal output:

$ LC_ALL=C firejail --noprofile vmplayer
Parent pid 11836, child pid 11837
Child process initialized in 16.33 ms

A VMware Kernel Module Updater window opens:


Log

Output of LC_ALL=C firejail vmplayer

```
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
** Note: you can use --noprofile to disable default.profile **
Parent pid 12092, child pid 12093
Child process initialized in 85.11 ms
/usr/bin/vmware-modconfig: line 46: /usr/lib/vmware/bin/vmware-modconfig: Permission denied
Parent is shutting down, bye...
```

Output of LC_ALL=C firejail --debug vmplayer

https://gist.github.com/MikeNavy/7bb73370626c8d6926b9f8d2340066fa

rusty-snake commented 1 year ago

No, it has no profile. And the default profile does not work with privileged programs.

kmk3 commented 1 year ago

(Offtopic)

@MikeNavy

Please see the following links for how to format code blocks in markdown:

kmk3 commented 1 year ago
/usr/bin/vmware-modconfig: line 46: /usr/lib/vmware/bin/vmware-modconfig: Permission denied
Parent is shutting down, bye...

Does it work if you run that outside of firejail first (or manually installing the kernel modules yourself) and then try to run vmplayer in firejail later?

@rusty-snake on Jun 19:

No, it has no profile. And the default profile does not work with privileged programs.

There are a few vmware-related profiles, but not vmplayer.profile:

  • vmware-player.profile -> vmware.profile
  • vmware-view.profile (remote VM client?)
  • vmware-workstation.profile -> vmware.profile
  • vmware.profile (runs VMs)

vmplayer may be the same thing as vmware-player, in which case it could be added as a redirect to vmware.profile.

@MikeNavy What is the output of:

which -a vmplayer
which -a vmware-player vmware-view vmware-workstation vmware

MikeNavy commented 1 year ago
/usr/bin/vmware-modconfig: line 46: /usr/lib/vmware/bin/vmware-modconfig: Permission denied
Parent is shutting down, bye...

Does it work if you run that outside of firejail first (or manually installing the kernel modules yourself) and then try to run vmplayer in firejail later?

@rusty-snake on Jun 19:

No, it has no profile. And the default profile does not work with privileged programs.

There are a few vmware-related profiles, but not vmplayer.profile:

  • vmware-player.profile -> vmware.profile
  • vmware-view.profile (remote VM client?)
  • vmware-workstation.profile -> vmware.profile
  • vmware.profile (runs VMs)

vmplayer may be the same thing as vmware-player, in which case it could be added as a redirect to vmware.profile.

@MikeNavy What is the output of:

which -a vmplayer
which -a vmware-player vmware-view vmware-workstation vmware

Hi, Concerning profiles: "vmplayer" is the command that launches VMware Workstation Player.

"VMware Workstation Player" is the actual name of "VMware Player"; it was changed years ago by VMware (the former products "VMware Player" and "VMware Workstation" have been merged into one, "VMware Workstation Player"; the existing products now are "VMware Workstation Player" and "VMware Workstation Pro").

"VMware Workstation Player" Product page: https://www.vmware.com/content/vmware/vmware-published-sites/us/products/workstation-player/workstation-player-evaluation.html.html Revision 17.0.2 is the latest one.

Outputs: "shell": such a command does not exist in Ubuntu.

"which -a vmplayer" output: /usr/bin/vmplayer /bin/vmplayer

"which -a vmware-player vmware-view vmware-workstation vmware" output: no output

Concerning kernel: after each kernel change, VMware Workstation Player asks, at its first launch, to compile and install two vmnet modules in the kernel. Of course, this has been done for my latest 5.4.0-152 generic kernel, and VMware Workstation Player works when launched without firejail ("vmplayer" or "vmplayer %U" command). It is only when launched with "firejail --noprofile" that I see the "VMware Kernel Module Updater" window.

Regards,

MN

MikeNavy commented 1 year ago

Hi,

I have done the following test:

Here is the output:

$ firejail vmplayer
Reading profile /home/michel/.config/firejail/vmplayer.profile
Reading profile /etc/firejail/vmware.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 2650, child pid 2651
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping asound.conf for private /etc
Warning: skipping conf.d for private /etc
Warning: skipping crypto-policies for private /etc
Error fcopy: invalid ownership for file /etc/hosts
Error: failed to run /run/firejail/lib/fcopy, exiting...
Error: proc 2650 cannot sync with peer: unexpected EOF
Peer 2651 unexpectedly exited with status 1

Now, "vmware.profile" is read, but there are errors.

image

$ ls -l /etc/hosts
-rw-rw-r-- 1 michel michel 817539 juin  15 17:12 /etc/hosts

"/etc/hosts" is owned by my username (michel), a user with superuser rights. It is not owned by root, since I use hosts as an IP address filter and update it regularly using a bash script (I update hosts in my home, then copy it to "/etc/hosts" with the sudo mv hosts /etc/hosts command).

Regards,

MN

kmk3 commented 1 year ago
Error fcopy: invalid ownership for file /etc/hosts
Error: failed to run /run/firejail/lib/fcopy, exiting...
Error: proc 2650 cannot sync with peer: unexpected EOF
Peer 2651 unexpectedly exited with status 1
$ ls -l /etc/hosts
-rw-rw-r-- 1 michel michel 817539 juin  15 17:12 /etc/hosts

"/etc/hosts" is owned by my username (michel), a user with superuser rights. It is not owned by root, since I use hosts as an IP address filter and update it regularly using a bash script (I update hosts in my home, then copy it to "/etc/hosts" with the sudo mv hosts /etc/hosts command).

Note that changing the ownership of system files may make it easier for malicious programs to modify them.

Since it is being modified in the user home and since sudo is being used anyway, I'd suggest to make it owned by root:root before copying it to /etc.

Example:

sudo chown root:root hosts
sudo mv hosts /etc/hosts

Does it run if you change the permissions?
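A check for the ownership condition behind the fcopy error above, as an added example that is not firejail's own code: it scans a profile's private-etc entries and flags those not owned by the expected uid. ETCDIR and UID are parameters so the check can be run against a constructed tree; on a live system pass /etc and 0, and the check-private-etc script name is an assumption.

```shell
#!/bin/sh
# Added example, not firejail code: find private-etc entries that a profile
# would copy into the private /etc but that are not owned by the expected
# user. firejail's fcopy refuses such files, which is what produced
# "Error fcopy: invalid ownership for file /etc/hosts" in this thread.

# private_etc_not_owned_by PROFILE ETCDIR UID
#   Collects the comma-separated entries of every private-etc line in PROFILE,
#   resolves them under ETCDIR and prints those whose owner is not UID.
#   Returns 1 if anything was printed. ETCDIR and UID are parameters so the
#   check can run against a constructed tree; on a live system use /etc and 0.
private_etc_not_owned_by() {
    profile=$1
    etcdir=$2
    want_uid=$3
    found=0
    entries=$(sed -n 's/^private-etc[[:space:]]*//p' "$profile" | tr ',' '\n')
    for entry in $entries; do
        path="$etcdir/$entry"
        # firejail only warns about entries that do not exist ("skipping ...
        # for private /etc"), so those are not an ownership problem
        [ -e "$path" ] || continue
        owner=$(stat -c '%u' "$path")
        if [ "$owner" != "$want_uid" ]; then
            echo "$path"
            found=1
        fi
    done
    return $found
}

# Stand-alone use against the system profile, e.g.:
#   private_etc_not_owned_by /etc/firejail/vmware.profile /etc 0
# A flagged file can be fixed as suggested above: sudo chown root:root FILE
# The launcher name check-private-etc is an assumption of this example.
case "${0##*/}" in
    check-private-etc) private_etc_not_owned_by "$@" ;;
esac
```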

MikeNavy commented 1 year ago

Hi, I have added sudo chown root:root hosts in my bash file, before the sudo mv hosts /etc/hosts, and now my "/etc/hosts" is owned by root.

I have done the following test:

Regards,

MN

PS: VMware Workstation Player does work without Firejail

kmk3 commented 1 year ago

  • I have a new error: "VMware Kernel Module Updater" complains it does not find GCC.

PS: VMware Workstation Player does work without Firejail

I'd try commenting parts of the profile until it works.

These includes might be related to the issue:

  • disable-devel.inc
  • disable-exec.inc
  • disable-interpreters.inc
  • disable-programs.inc

MikeNavy commented 1 year ago

Hi,

No, I think something prevents vmplayer from reading / accessing its modules installed in the kernel: without Firejail, vmplayer wants to compile and install two modules in the kernel just once, after a new kernel has been installed. And it has been done.

Without Firejail, those "VMware Kernel Module Updater" windows do not appear at each launch and don't claim for Kernel Headers or for GCC. The application window (see capture above) opens directly.

I don't want to take the risk that enabling something would induce a new compiling of vmnet modules and might break the working installation (working without Firejail). So, I will not test the profile with comments before these "disable-..." lines: the existing vmware profile is just not designed nor tested for existing vmware applications...

Regards,

MN

rusty-snake commented 1 year ago

I think something prevents vmplayer from reading / accessing its modules installed in the kernel

Maybe the implicit blacklist of /sys/module

MikeNavy commented 1 year ago

Hi,

I have been using VMware Workstation Player for years on Linux Mint or Ubuntu (several versions before 17...) and it has always asked to compile and install modules in the kernel at the first launch after a kernel change. (And I think it is also the way VMware Workstation Pro works)

A firejail profile for VMware Workstation Player should therefore allow it to read the kernel, but also to install modules in the kernel.

Regards,

MN

rusty-snake commented 1 year ago

TBH, if you allow to install own modules into the kernel, you do not need a sandbox.

You sandbox to limit privileges. The kernel is the most privileged part of your system after the firmware (BIOS/UEFI and ME/PSP).

kmk3 commented 1 year ago

@MikeNavy on Jun 20:

I have been using VMware Workstation Player for years on Linux Mint or Ubuntu (several versions before 17...) and it has always asked to compile and install modules in the kernel at the first launch after a kernel change. (And I think it is also the way VMware Workstation Pro works)

A firejail profile for VMware Workstation Player should therefore allow it to read the kernel, but also to install modules in the kernel.

@rusty-snake on Jun 20:

TBH, if you allow to install own modules into the kernel, you do not need a sandbox.

You sandbox to limit privileges. The kernel is the most privileged part of your system after the firmware (BIOS/UEFI and ME/PSP).

Yes, if a program can run arbitrary code in the kernel, then sandboxing can't do much.

But if the goal is to sandbox VMs rather than vmware itself, then a way to do it might be to:

  • Run vmware outside of firejail whenever it needs to compile and load the kernel modules and then exit afterwards
  • Run vmplayer inside of firejail to load the VMs

kmk3 commented 1 year ago

Also, installing kernel modules is not something that random programs should be doing on a whim, especially if that is intended to be done after installing a certain package.

That is usually done by creating one or more hook scripts inside of the package, which are then executed directly by the system package manager (such as apt) whenever the relevant package is upgraded.

I was going to suggest reporting it to them as a packaging bug, but it appears that vmware doesn't even provide a proper package for any distribution; the user is supposed to just download a random binary file from a third-party website and run it as root.

If security is a concern, then I'd try my best to avoid vmware and use something like qemu or virtualbox instead.

rusty-snake commented 1 year ago

the user is supposed to just download a random binary file from a third-party website and run it as root.

OT rant on VMware: Moreover this random 3p binary installs to /usr/lib rather than /usr/local or /opt. And fails to provide a functional uninstall method. You can only install VMware products in a VM/Container/chroot if you want a stable system. And want to be able to uninstall without OS reinstall.

MikeNavy commented 1 year ago

@kmk3

But if the goal is to sandbox VMs rather than vmware itself, then a way to do it might be to:

  • Run vmware outside of firejail whenever it needs to compile and load the kernel modules and then exit afterwards
  • Run vmplayer inside of firejail to load the VMs

Hi,

Yes, I agree with this. Of course, it prevents the use of firecfg (or firecfg would not write a symlink for vmplayer).

Regards,

MN

MikeNavy commented 1 year ago

Also, installing kernel modules is not something that random programs should be doing on a whim, especially if that is intended to be done after installing a certain package.

That is usually done by creating one or more hook scripts inside of the package, which are then executed directly by the system package manager (such as apt) whenever the relevant package is upgraded.

I was going to suggest reporting it to them as a packaging bug, but it appears that vmware doesn't even provide a proper package for any distribution; the user is supposed to just download a random binary file from a third-party website and run it as root.

If security is a concern, then I'd try my best to avoid vmware and use something like qemu or virtualbox instead.

Hi,

VMware has a long (20 years) and good reputation. I use VMware Workstation Player because I trust VMware. I always have a fresh system backup that I could use after a VMware update, or a VMware modules installation in the kernel, if something went wrong. I also use Tripwire, to check that changes are limited to what they should be.

VMware Workstation Player is provided as a large file, a Linux executable installer, which fits any Linux version. It is the way VMware solved the problem of avoiding compiling one version for each existing distribution (other ways are flatpaks, snaps, AppImages...). By contrast, VirtualBox provides 12 different packages, and each distribution provides its own.

I have compared VMware and VirtualBox to install a Windows 10 Pro guest in Linux Mint host:

Qemu is very difficult to set up, in command line mode only. It is much easier to use Gnome Boxes, a GUI for libvirt/qemu. And Gnome Boxes in its flatpak version offers great security.

Speaking of security, virtual machine programs, per se, offer excellent isolation between host and guest operating systems. Of course, they can have, as any program, vulnerabilities that could be used by the guest to attack the host. This is hypothetical, particularly if guest and host are different operating systems. Sandboxing is here to reduce this hypothetical risk. Regularly updating the virtual machine program is another way to reduce this risk.

By contrast, "pseudo" virtual machine programs are dangerous: Windows 10 Pro and Windows 11 Pro offer WSL/WSL2 (Windows Subsystem for Linux), with a great facility to use a Linux distribution such as Ubuntu directly on Windows. Operating system isolation is poor, or non-existent, and there are attacks targeting Windows through the Linux operating system running in WSL/WSL2.

Regards,

MN

kmk3 commented 1 year ago

@MikeNavy on Jun 21:

Yes, I agree with this. Of course, it prevents the use of firecfg (or firecfg would not write a symlink for vmplayer).

Fixed in #5865.

@MikeNavy on Jun 21:

VMware Workstation Player is provided as a large file, a Linux executable installer, which fits any Linux version. It is the way VMware solved the problem of avoiding compiling one version for each existing distribution (other ways are flatpaks, snaps, AppImages...). By contrast, VirtualBox provides 12 different packages, and each distribution provides its own.

Creating one package per distribution is not really necessary in practice. In fact, there is no need to create any package at all; as long as a normal tar/zip archive (rather than an executable) is provided, the rest can generally be done by the packagers of each distribution. If that was fixed, it's more likely that someone would have created a PPA with a package containing proper hooks by now.

Which is why this is baffling, since even if the archive only contained binary files (so it's not even necessarily about being libre vs proprietary), as long as they were properly split (such as the main program from the module installer), it would be easier to package it properly.

Someone managed to do it in the AUR, but it seems to be much more complicated (why does it need to modify an sqlite database during packaging?) compared to virtualbox (and especially to other packages in general):

Qemu is very difficult to set up, in command line mode only. It is much easier to use Gnome Boxes, a GUI for libvirt/qemu. And Gnome Boxes in its flatpak version offers great security.

Yes, regardless of the interface, I'd consider using qemu to be an improvement.

As for the rest, it's good to know about the performance/usability differences, but to be clear I'm not a big fan of virtualbox either, it's just that it seems to be less proprietary overall compared to vmware and it is properly packaged in more distributions.

By contrast, "pseudo" virtual machine programs are dangerous: Windows 10 Pro and Windows 11 Pro offer WSL/WSL2 (Windows Subsystem for Linux), with a great facility to use a Linux distribution such as Ubuntu directly on Windows. Operating system isolation is poor, or non-existent, and there are attacks targeting Windows through the Linux operating system running in WSL/WSL2.

Yeah, WSL seems like the worst of both worlds.

kmk3 commented 1 year ago

@Neo00001 @ra1nb0w

Hello, I see that you added/updated the vmware profiles in the following pull requests:

Do the profiles still work for you?

ra1nb0w commented 1 year ago

Yes, I am still using it.

kmk3 commented 1 year ago

Yes, I am still using it.

Nice, in what distribution do you use it?

Have you ever had issues with vmware compiling/installing kernel modules? Example:

ra1nb0w commented 1 year ago

Archlinux updated today and vmware-workstation from aur (vmware-workstation 17.0.2-1). No issue with kernel modules.

This is my actual .config/firejail/vmware.local:

# use private binary folder
private-bin id,basename,grep,env,bash,sh,ovftool,vmafossexec,vmaf_*,vmnet-*,vmplayer,vmrest,vmrun,vmss2core,vmstat,vmware,vmware-*

# vmware snapshot
private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,mtab,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix

kmk3 commented 1 year ago

Archlinux updated today and vmware-workstation from aur (vmware-workstation 17.0.2-1). No issue with kernel modules.

This is my actual .config/firejail/vmware.local:

# use private binary folder
private-bin id,basename,grep,env,bash,sh,ovftool,vmafossexec,vmaf_*,vmnet-*,vmplayer,vmrest,vmrun,vmss2core,vmstat,vmware,vmware-*

# vmware snapshot
private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,mtab,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix

So it seems that indeed only the AUR has vmware properly packaged.

If anyone wants to package it for Debian/Ubuntu, that AUR package seems like a good starting point.

Misc: It would be kind of interesting to see that happen, as it's usually the other way around, in that the official package is a .deb and someone turns that into an Arch package (though it would still be preferable to have an official package of course).

Anyway, thanks for the details.

MikeNavy commented 1 year ago

@kmk3 Hi,

Reading this page, https://aur.archlinux.org/packages/vmware-workstation, shows that vmware modules need to be installed in kernel:

After the first installation, please:
1) install the appropriate headers package(s) for your installed kernel(s): linux-headers for default kernel, linux-lts-headers for LTS kernel...
2) reboot or load vmw_vmci and vmmon kernel modules (modprobe -a vmw_vmci vmmon)
3) Enable the services you need (using .service units to activate them during boot or .path units to activate them when a VM is started) :

And a user says in his comments that the bundle works, while it is not the case with the AUR package:

swiat_linuksaYT commented on [2023-05-31 19:11 (UTC)](https://aur.archlinux.org/packages/vmware-workstation#comment-917317)
Package is compiling correctly - no errors, but can't start any VM - VMMON error on start - VMMON installed 410, required 416. There's also no vmware.service. Tried to compile vmmon from github, doesn't work either.
Downloaded bundle from official site VMware-Workstation-Full-17.0.2-21581411.x86_64.bundle working without any problem, and no issues like - keyboard lag error in many distros, terminals. 3D Acceleration works perfectly in new version on Nvidia 525.xx drivers.

Regards, MN

glitsj16 commented 1 year ago

@MikeNavy

Greetings

And a user says in his comments that the bundle works, while it is not the case with the AUR package

Please don't quote only half the story. One comment above is an explanation for what happened. In the mean time I've built the AUR package without any trouble. Due to the dependency on dkms the vmware kernel modules are built and installed via a pacman post-install hook. So that's BEFORE any firejailing comes into play. After modprobe'ing vmw_vmci & vmmon the application works with the vmplayer.profile from #5865 or when using --profile=vmware on CLI. All this confirms what @ra1nb0w already kindly stated: no problems on Arch Linux with sandboxing VMware...

I don't want to take the risk that enabling something would induce a new compiling of vmnet modules and might break the working installation (working without Firejail). So, I will not test the profile with comments before these "disable-..." lines: the existing vmware profile is just not designed nor tested for existing vmware applications...

I can understand your point of view, up to a point. It's your decision to not try to debug the existing profile by commenting lines as suggested by @kmk3. Yet you do expect a tested/working firejail profile, which - I agree - is a reasonable expectation, no argument there. But these profiles don't come falling from the Great SandBox Skies magically :)

Collaborators run the exact same 'risks' when creating/testing a profile. Let's reopen this issue and try to determine where the issue on Linux Mint stems from. Building the required gcc 12.2.0 right now on a Ubuntu machine I dusted off. Will report back.

kmk3 commented 1 year ago

One comment above is an explanation for what happened.

Quoting it here for reference:

jihem commented on 2023-06-03 17:01 (UTC)

@swiat_linuksaYT I don't know exactly what happened on your system, but it probably loads the vmmon module remaining from an old VMware installation. You can try to clean your current VMware installation before reinstalling this package:

  • Uninstall the bundle installation using the wiki instructions: https://wiki.archlinux.org/title/VMware#Removal
  • Check that there is no VMware module handled by DKMS: the output of dkms status should not display any line related to vmware-workstation
  • Remove the eventual remaining VMware modules in your filesystem: find /usr/lib/modules -name vmmon\* -exec rm {} \; and find /usr/lib/modules -name vmnet\* -exec rm {} \;
  • Reinstall this package
  • Reboot
  • Start your VM; you shouldn't have the error anymore

This package does not contain a service vmware.service. All the services provided by the package are listed and explained in the pin comment.

(For reference, the comment is by the current package maintainer)

MikeNavy commented 1 year ago

@glitsj16 Hi, OK, you have succeeded in building a package for AUR where "the vmware kernel modules are built and installed via a pacman post-install hook". What happens when the kernel changes? With Ubuntu, after each kernel change, vmplayer requests at its first launch to compile and install vmmon and vmnet modules in the kernel; and it is mandatory to click on the "install" button to have vmplayer working. How did you manage this?

Concerning testing: I could comment the four "disable-..." lines as suggested and test the modified profile. But I don't know how to cope with this @rusty-snake comment, the read access to kernel might be prevented by "Maybe the implicit blacklist of /sys/module". How to disable this implicit blacklist? Moreover, what would be the security improvement given by sandboxing without "disable-devel.inc", "disable-exec.inc", "disable-interpreters.inc", "disable-programs.inc" and with noblacklist of "/sys/module"? Finally, testing needs a lot of time: I have to test that vmplayer is launched; that, once launched, it can launch a virtual guest; that the virtual guest works correctly (display resizing, all display modes, files copy/paste, contents copy/paste, shared folders, hardware disconnecting from host and connecting to guest, using host printers...); that a new virtual guest can be created, and VMware tools installed in the guest... These are things I could do with a profile having some chances to work, and still giving an improved security.

Regards,

MN

kmk3 commented 1 year ago

Hi, OK, you have succeeded in building a package for AUR where "the vmware kernel modules are built and installed via a pacman post-install hook". What happens when the kernel changes?

From a loose glance at the vmware-workstation AUR repository, this is more or less how it seems to happen:

It adds its own Makefile (to compile the modules) and dkms.conf files into /usr/src/vmware-workstation. Then it extracts and copies the vmware modules (from the vmware executable) into that directory as well.

Whenever pacman upgrades the kernel (or an adjacent package), it runs something to update the dkms, which looks into that directory and runs make to rebuild/install the kernel modules.

With Ubuntu, after each kernel change, vmplayer requests at its first launch to compile and install vmmon and vmnet modules in the kernel; and it is mandatory to click on "install button" to have vmplayer working. How did you manage this?

It likely tells vmware (through a config file) to not try to update the modules (or that they are always updated), so that only pacman gets to update the modules.

To have a better understanding, I'd suggest cloning the AUR repository and reading the files inside of it:

git clone https://aur.archlinux.org/vmware-workstation.git

Concerning testing: I could comment the four "disable-..." lines as suggested and test the modified profile. But I don't know how to cope with this @rusty-snake comment, the read access to kernel might be prevented by "Maybe the implicit blacklist of /sys/module". How to disable this implicit blacklist?

Try adding this to the profile:

noblacklist /sys/module

Though that might only be necessary if vmware tries to do something with the kernel modules itself (it shouldn't be needed if you update the modules before running vmware in firejail).

Moreover, what would be the security improvement given by sandboxing without "disable-devel.inc", "disable-exec.inc", "disable-interpreters.inc", "disable-programs.inc" and with noblacklist of "/sys/module"?

These includes are arguably not as important for security as the rest of the profile. Also, it likely isn't necessary to disable all of them for it to work, just to go and comment lines in the profile until you find exactly which line(s) are causing issues.

Finally, testing needs a lot of time: I have to test that vmplayer is launched; that, once launched, it can launch a virtual guest; that the virtual guest works correctly (display resizing, all display modes, files copy/paste, contents copy/paste, shared folders, hardware disconnecting from host and connecting to guest, using host printers...); that a new virtual guest can be created, and VMware tools installed in the guest... These are things I could do with a profile having some chances to work, and still giving an improved security.

Yes and the quality of the profiles ultimately depends on users testing and maintaining them. No one else can really make the profiles be as secure and as usable as possible other than the people that regularly use the programs that the profiles are for.
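A launcher that enforces the ordering described above (modules built and loaded outside the sandbox, vmplayer started inside it only afterwards), as an added example that is not part of this thread, of firejail or of VMware: it reads /proc/modules and refuses to enter the sandbox while any of the modules is absent, so the "VMware Kernel Module Updater" is never triggered from inside firejail. The module set (vmmon, vmnet, vmw_vmci, the names used in this thread) and the vmplayer-jail script name are assumptions.

```shell
#!/bin/sh
# Added example, not firejail or VMware code: only enter the sandbox when the
# VMware kernel modules are already loaded. Build/load the modules outside the
# sandbox first (unsandboxed vmplayer, a dkms hook, or modprobe).

# Assumed module set; the thread names vmmon, vmnet and vmw_vmci.
VMWARE_MODULES="vmmon vmnet vmw_vmci"

# missing_modules MODULES_FILE NAME...
#   MODULES_FILE has the layout of /proc/modules (the module name is the
#   first field). Prints each NAME with no entry; returns 1 if any is missing.
missing_modules() {
    modfile=$1
    shift
    missing=0
    for name in "$@"; do
        # awk exits 0 as soon as a line's first field equals the module name
        if ! awk -v m="$name" '$1 == m { found = 1 } END { exit !found }' "$modfile"; then
            echo "$name"
            missing=1
        fi
    done
    return $missing
}

# sandboxed_vmplayer [ARGS...]
#   Refuses to start if any module is absent; otherwise execs vmplayer under
#   firejail, relying on a vmplayer.profile (the redirect to vmware.profile
#   discussed in this thread) being installed.
sandboxed_vmplayer() {
    absent=$(missing_modules /proc/modules $VMWARE_MODULES) || {
        echo "VMware kernel modules not loaded: $(echo $absent)" >&2
        echo "Run vmplayer outside firejail once to build/load them" >&2
        echo "(or: sudo modprobe -a vmw_vmci vmmon vmnet), then retry." >&2
        return 1
    }
    exec firejail vmplayer "$@"
}

# Act as a launcher only when installed under the assumed name vmplayer-jail;
# when sourced or run under another name, only the functions are defined.
case "${0##*/}" in
    vmplayer-jail) sandboxed_vmplayer "$@" ;;
esac
```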

glitsj16 commented 1 year ago

From a loose glance at the vmware-workstation AUR repository, this is more or less how it seems to happen: It adds its own Makefile (to compile the modules) and dkms.conf files into /usr/src/vmware-workstation. Then it extracts and copies the vmware modules (from the vmware executable) into that directory as well. Whenever pacman upgrades the kernel (or an adjacent package), it runs something to update the dkms, which looks into that directory and runs make to rebuild/install the kernel modules.

The PKGBUILD only copies the source files for the kernel modules into /usr/src/vmware-workstation, not the built modules themselves. That part is left to dkms as usual. The actual modules are indeed built via a post-install hook that targets linux kernel headers. They end up in /usr/lib/modules/6.3.8-foo/updates/dkms/{vmmon,vmnet}.ko.zst, also as usual for dkms modules. There's nothing really special about this. Debian-based systems have similar apt/dpkg hooks. But that only works for regular .deb packages and not for the .bundle that VMWare offers.

I fully agree with @kmk3 that probably the only thing that needs checking is VMWare's ability to confirm those kernel modules are there from within the sandbox. This is the /sys/module part. You might use an extra whitelist /sys/module and read-only /sys/module to keep protecting this path. That's what blender.profile does for AMD GPU support: https://github.com/netblue30/firejail/blob/1003dee6ff0de20950511d50fa7ab184091e54af/etc/profile-a-l/blender.profile?#L21-L24

Still building gcc 12.3.0 on my old Ubuntu box to confirm all this. Should have more details later today.

MikeNavy commented 1 year ago

Hi, I have copied the "vmware.profile" from "/etc/firejail/" to "~/.config/firejail/" and renamed it "vmplayer.profile". Then I have done the following tests:

1) I have edited the profile and commented the four lines:

include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-programs.inc

Then I launch "LC=ALL firejail vmplayer" in a terminal. VMware Kernel Module Updater asks for Kernel Headers.

Terminal output:

$ LC=ALL firejail vmplayer
Reading profile /home/michel/.config/firejail/vmplayer.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 5513, child pid 5514
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping asound.conf for private /etc
Warning: skipping conf.d for private /etc
Warning: skipping crypto-policies for private /etc
Private /etc installed in 96.62 ms
Private /usr/etc installed in 0.01 ms
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Child process initialized in 203.33 ms

2) I have added the following line at the beginning of the profile: whitelist /sys/module and kept the former four lines commented. No vmplayer window. Terminal output:

LC=ALL firejail vmplayer
Reading profile /home/michel/.config/firejail/vmplayer.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 5719, child pid 5720
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping asound.conf for private /etc
Warning: skipping conf.d for private /etc
Warning: skipping crypto-policies for private /etc
Private /etc installed in 81.97 ms
Private /usr/etc installed in 0.00 ms
Error: invalid whitelist path /sys/module
Error: proc 5719 cannot sync with peer: unexpected EOF
Peer 5720 unexpectedly exited with status 1

3) I have removed the whitelist /sys/module and replaced it by read-only /sys/module, still keeping the former four lines commented. Result is the same as with test 1.

Regards,

MN

MikeNavy commented 1 year ago

@glitsj16

The PKGBUILD only copies the source files for the kernel modules into /usr/src/vmware-workstation, not the built modules themselves. That part is left to dkms as usual. The actual modules are indeed built via a post-install hook that targets linux kernel headers. They end up in /usr/lib/modules/6.3.8-foo/updates/dkms/{vmmon,vmnet}.ko.zst, also as usual for dkms modules. There's nothing really special about this. Debian-based systems have similar apt/dpkg hooks. But that only works for regular .deb packages and not for the .bundle that VMWare offers.

Hi, Concerning the deb packaging: it is not proposed by VMware, and it is not done by others (Ubuntu, PPAs...) since VMware is proprietary software. If we put apart the technical problems, there is a licensing one: VMware does not license the right to diffuse or change its programs. (Some could argue that, since VMware officially uses software with GPL V2 or GPL V3, GPL has been propagated to all VMware code...) This explains why there is no deb available.

The solution to copy the sources of vmmon or vmnet at installation will not work when VMware updates their sources; it could happen when a new revision is available (e.g., from 17.0.1 to 17.0.2) or when a new major version is available (e.g. from 16 to 17). I have just installed the VMware Workstation Player bundle once on my Linux Mint 20.3, at version 15.5: all the updates between 15.5 and 17.0.2, including major version changes, have been done from the application itself, with the "check for updates" function. Meanwhile, vmmon and vmnet sources may have changed. So, a packaging solution could work only if the version is a stable one, updated through the package manager, and with the check for updates function disabled.

Concerning vmmon and vmnet modules, they are used by VMware in order to build the network between host and guest (bridge, nat or host-only).

Regards,

MN

MikeNavy commented 1 year ago

Another test: I have written a very minimal restricting profile using Firetools, and pasted its content into "~/.config/firejail/vmplayer.profile":

# Custom profile for vmplayer

# file system
include /etc/firejail/disable-common.inc

# network
protocol unix,inet,inet6,netlink,packet,bluetooth

# multimedia

# kernel

No VMware window opens. Here is terminal output:

LC=ALL firejail vmplayer
Reading profile /home/michel/.config/firejail/vmplayer.profile
Reading profile /etc/firejail/disable-common.inc
Parent pid 6796, child pid 6797
Child process initialized in 58.93 ms
/usr/bin/vmware-modconfig: ligne 46: /usr/lib/vmware/bin/vmware-modconfig: Permission denied

Parent is shutting down, bye...

So, could "disable-common.inc" be responsible? New profile, without disable-common.inc:

# Custom profile for vmplayer

# file system
# include /etc/firejail/disable-common.inc

# network
protocol unix,inet,inet6,netlink,packet,bluetooth

# multimedia

# kernel

When I launch LC=ALL firejail vmplayer, the usual VMware Kernel Module Updater asks for Kernel Headers.

Here is terminal output:

$ LC=ALL firejail vmplayer
Reading profile /home/michel/.config/firejail/vmplayer.profile
Parent pid 6885, child pid 6886
Child process initialized in 22.21 ms

Is Firejail compatible with VMware Workstation Player?

Regards,

MN

kmk3 commented 1 year ago

@MikeNavy on Jun 22:

I have added the following line at the beginning of the profile: whitelist /sys/module

Did the profile include the noblacklist?

noblacklist /sys/module

You can ignore those whitelist/read-only commands until the profile works, as they are intended for hardening in this case.

@MikeNavy on Jun 22:

I have written a very minimal restricting profile using Firetools, and pasted its content to "~/.config/firejail/vmplayer.profile":

So, could "disable-common.inc" be responsible ?

That file blacklists /usr/lib/vmware, which is undone in vmware.profile, so no.

Does it work without disable-common.inc and with the following added?

noblacklist /sys/module

kmk3 commented 1 year ago

(Offtopic)

@MikeNavy on Jun 22:

Hi, Concerning the deb packaging: it is not proposed by VMware, and it is not done by others (Ubuntu, PPAs...) since VMware is a proprietary software.

As I mentioned before, the license is unrelated to the packaging format. Steam and Zoom are proprietary and both offer .deb packages, for example. Wine is libre and offers a PPA repository for Ubuntu.

If we put apart the technical problems, there is a licensing one: VMware does not license the right to diffuse or change its programs. (Some ones could argue that, since VMware officially uses software with GPL V2 or GPL V3, GPL has been propagated to all VMware code...) This explains why there is no deb available.

Unless shown otherwise, the only thing stopping vmware from providing a proper archive and/or package is themselves.

The solution to copy the sources of vmmon or vmnet at installation will not work when VMware updates their sources; it could arrive when a new revision is available (e.g., from 17.0.1 to 17.0.2) or when a new major version is available (e.g. from 16 to 17).

It will work because the AUR package is updated whenever a new version comes out and it always points to a specific version (that is, to a specific file and its checksum).

That is how basically all packaging on Linux works (except for packages intended to build in-development versions), regardless of whether the files downloaded during packaging are entirely source code or binaries.

I have just installed VMware Workstation Player bundle once on my Linux Mint 20.3, at version 15.5: all the updates between 15.5 and 17.0.2, including major versions changes, have been done from the application itself, with the "check for updates" function. Meanwhile, vmmon and vmnet sources may have changed. So, a packaging solution could work only if the version is a stable one, updated through package manager, and with check for updates function disabled.

Yes, updates through the program are disabled because the package manager is the one responsible for updating packages. That is usually done when packaging any program with a built-in update checker, including for things like Firefox.

You could think of the AUR package as a more "enterprise"/stable/IT-managed version of the installer.

MikeNavy commented 1 year ago

Hi,

Latest trial with the following "vmplayer.profile":

# Custom profile for vmplayer

# file system
noblacklist /sys/module
include /etc/firejail/disable-common.inc

# network
protocol unix,inet,inet6,netlink,

# multimedia

# kernel

When launching LC=ALL firejail vmplayer, no VMware window opens.

Terminal output:

$ LC=ALL firejail vmplayer
Reading profile /home/michel/.config/firejail/vmplayer.profile
Reading profile /etc/firejail/disable-common.inc
Parent pid 3469, child pid 3470
Child process initialized in 70.91 ms
/usr/bin/vmware-modconfig: ligne 46: /usr/lib/vmware/bin/vmware-modconfig: Permission denied

Parent is shutting down, bye...

Note that "VMware Workstation Player" and "VMware Workstation Pro" may not work the same way as older products "VMware Player" and "VMware Workstation": they use "VMware Sphere" hypervisor virtualization technology, a recent technology, more recent than "VMware Player" and "VMware Workstation".

Regards,

MN

kmk3 commented 1 year ago

Latest trial with the following "vmplayer.profile":

# Custom profile for vmplayer

# file system
noblacklist /sys/module
include /etc/firejail/disable-common.inc

# network
protocol unix,inet,inet6,netlink,

# multimedia

# kernel

See this:

Does it work without disable-common.inc and with the following added?

MikeNavy commented 1 year ago

Hi, Trial with vmware.profile, copied to "~/.config/firejail", renamed vmplayer.profile, and modified as follows:

noblacklist /sys/module
noblacklist ${HOME}/.cache/vmware
noblacklist ${HOME}/.vmware
noblacklist /usr/lib/vmware

# include disable-common.inc
# include disable-devel.inc
# include disable-exec.inc
# include disable-interpreters.inc
include disable-programs.inc
include disable-xdg.inc

When I launch vmplayer with LC=ALL firejail vmplayer:


Regards,

MN

kmk3 commented 1 year ago

Hi, Trial with vmware.profile, copied to "~/.config/firejail", renamed vmplayer.profile, and modified as follows:

noblacklist /sys/module
noblacklist ${HOME}/.cache/vmware
noblacklist ${HOME}/.vmware
noblacklist /usr/lib/vmware

# include disable-common.inc
# include disable-devel.inc
# include disable-exec.inc
# include disable-interpreters.inc
include disable-programs.inc
include disable-xdg.inc

When I launch vmplayer with LC=ALL firejail vmplayer:

  • VMware player opens the usual VMware Kernel Module Updater requesting Kernel Headers.

Hmm that is surprising; I didn't think it would fail with only that.

Please try it with noprofile.profile, which is supposed to be as permissive as possible:

LC_ALL=C firejail --profile=noprofile vmplayer

Note: There is no need to modify any profile, just use that exact command line.

If that fails, then the issue is not with any profile but with firejail itself.

Sorry, I should have suggested it before.

kmk3 commented 1 year ago

Also, doesn't vmware write any logs?

They might contain more details about what exactly vmware is failing to access, so if you could find and post them it could make debugging much easier.

Note: If the log contains too many lines to put in a comment, you can upload the log file itself (drag and drop) in the comment.

MikeNavy commented 1 year ago

Hi,

Test with LC_ALL=C firejail --profile=noprofile vmplayer

Finally, the VMware Workstation Player opens.

So, there is hope a working profile can be created!

Here is terminal output:

$ LC_ALL=C firejail --profile=noprofile vmplayer
Reading profile /etc/firejail/noprofile.profile
Parent pid 4606, child pid 4607
Warning: cannot open source file /usr/lib/firejail/seccomp.debug32, file not copied
Child process initialized in 14.93 ms
I/O warning : failed to load external entity "/etc/vmware/hostd/proxy.xml"

Here is vmplayer log: https://gist.github.com/MikeNavy/eb0153dbb042ae131a884f3d4ea0b2ed

Here is vmplayer latest failed trial (yesterday) log: https://gist.github.com/MikeNavy/45d8d0bb5a02dfb41d21768fa001841e

Here is vmplayer without firejail log: https://gist.github.com/MikeNavy/5bb55dcf0ec67c58e48a617187d47d38

NB: those logs are USB arbitrator logs, "vmware-usbarbxxxx.log", found in "/var/log/vmware". Other logs are found in the virtual machine directories, and log the VM's functioning.

Regards,

MN

kmk3 commented 1 year ago

Test with LC_ALL=C firejail --profile=noprofile vmplayer

Finally, the VMware Workstation Player opens:

So, there is hope a working profile can be created!

Nice.

Here is vmplayer log: https://gist.github.com/MikeNavy/eb0153dbb042ae131a884f3d4ea0b2ed

Here is vmplayer latest failed trial (yesterday) log: https://gist.github.com/MikeNavy/45d8d0bb5a02dfb41d21768fa001841e

Here is vmplayer without firejail log: https://gist.github.com/MikeNavy/5bb55dcf0ec67c58e48a617187d47d38

/var/run/vmware/usbarbitrator-socket

Interesting, this path seems to be missing in the profile.

Please try with only the following in the profile (for example, in vmplayer.profile):

# from noprofile.profile
noblacklist /sys/fs
noblacklist /sys/module

allow-debuggers
allusers
keep-config-pulse
keep-dev-shm
keep-fd all
keep-var-tmp
writable-etc
writable-run-user
writable-var
writable-var-log

# from vmware.profile
noblacklist ${HOME}/.cache/vmware
noblacklist ${HOME}/.vmware
noblacklist ${RUNUSER}/vmware
noblacklist /usr/lib/vmware

mkdir ${HOME}/.cache/vmware
mkdir ${HOME}/.vmware
mkdir ${RUNUSER}/vmware
whitelist ${HOME}/.cache/vmware
whitelist ${HOME}/.vmware
whitelist ${RUNUSER}/vmware
include whitelist-common.inc
include whitelist-runuser-common.inc

Then comment each line in the "# from noprofile.profile" section until it breaks to find the offending line.

If it still works after commenting the entire section, try adding more lines from vmware.profile into the "# from vmware.profile" section.
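
The bisection kmk3 describes (comment out one directive at a time and retry) can be scripted. This is an added example, not code from the firejail project or from anyone in this thread; it assumes the section-heading comments `# from noprofile.profile` / `# from vmware.profile` used above, and the sample profile it writes is constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not firejail's own code): generate one profile variant per
# active directive in a section, each with that single directive commented
# out, so every variant can be tried with: firejail --profile=<variant> vmplayer
# Nothing here runs firejail itself.

# Print the 1-based line numbers of active directives inside one section.
# A section starts at a heading comment ("# text", with a space) and ends at
# the next heading comment. Commented-out directives ("#include ...", no
# space) and blank lines are skipped, matching the profiles in this thread.
section_lines() {
    local profile="$1" heading="$2"
    awk -v h="$heading" '
        /^# / { insec = ($0 == h); next }   # heading comment: enter or leave section
        /^#/  { next }                      # commented-out directive: not active
        insec && NF > 0 { print NR }        # active directive inside the section
    ' "$profile"
}

# Write a copy of profile $1 with line $2 commented out to path $3.
make_variant() {
    awk -v n="$2" 'NR == n { print "#" $0; next } { print }' "$1" > "$3"
}

# Create $3/lineNN.profile for every active directive NN in the section
# and print "<variant path><TAB><directive that was commented out>".
bisect_variants() {
    local profile="$1" heading="$2" outdir="$3" n
    mkdir -p "$outdir"
    for n in $(section_lines "$profile" "$heading"); do
        make_variant "$profile" "$n" "$outdir/line$n.profile"
        printf '%s\t%s\n' "$outdir/line$n.profile" "$(sed -n "${n}p" "$profile")"
    done
}

# Constructed sample profile: the layout proposed above, plus one
# commented-out include in the vmware section as an edge case.
write_sample_profile() {
    cat > "$1" <<'EOF'
# from noprofile.profile
noblacklist /sys/fs
noblacklist /sys/module

allow-debuggers
allusers
keep-config-pulse
keep-dev-shm
keep-fd all
keep-var-tmp
writable-etc
writable-run-user
writable-var
writable-var-log

# from vmware.profile
noblacklist ${HOME}/.cache/vmware
noblacklist ${HOME}/.vmware
#include disable-common.inc
include whitelist-common.inc
EOF
}

# Usage (not executed when the file is sourced):
#   bisect_variants ~/.config/firejail/vmplayer.profile '# from noprofile.profile' /tmp/bisect
#   firejail --profile=/tmp/bisect/line5.profile vmplayer   # one variant at a time
```

Each variant differs from the original profile in exactly one line, so the first variant that makes vmplayer fall back to the Kernel Module Updater names the directive it depends on.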

MikeNavy commented 1 year ago

Hi,

Using the proposed profile works.

Then I have tried to comment lines in the section "# from noprofile.profile"; I have commented them one at a time.

When this line is commented "# allow-debuggers", the VMware Kernel Module Updater opens, asking for kernel headers.

No other commented line in "# from noprofile.profile" breaks vmplayer launch.

Regards,

MN

MikeNavy commented 1 year ago

Hi,

VMware Player still opens with the following vmplayer.profile:

# from noprofile.profile
noblacklist /sys/fs
noblacklist /sys/module

allow-debuggers
allusers
keep-config-pulse
keep-dev-shm
keep-fd all
keep-var-tmp
writable-etc
writable-run-user
writable-var
writable-var-log

# from vmware.profile
noblacklist ${HOME}/.cache/vmware
noblacklist ${HOME}/.vmware
noblacklist ${RUNUSER}/vmware
noblacklist /usr/lib/vmware

#include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-programs.inc
include disable-xdg.inc

mkdir ${HOME}/.cache/vmware
mkdir ${HOME}/.vmware
mkdir ${RUNUSER}/vmware
whitelist ${HOME}/.cache/vmware
whitelist ${HOME}/.vmware
whitelist ${RUNUSER}/vmware
include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

caps.keep chown,net_raw,sys_nice
netfilter
nogroups
notv
tracelog

#disable-mnt
# Add the next line to your vmware.local to enable private-bin.
#private-bin env,bash,sh,ovftool,vmafossexec,vmaf_*,vmnet-*,vmplayer,vmrest,vmrun,vmss2core,vmstat,vmware,vmware-*

#private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,mtab,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
dbus-user none
dbus-system none

Note that I have not tested full operation, just that the vmplayer window opens.

Regards,

MN

glitsj16 commented 1 year ago

Apologies for the later-than-planned report from my VMWare on Ubuntu testing. After a terrible ordeal to get the modules built I've got a working profile. Obviously that needs more extensive usage by someone that uses this app regularly and is familiar with it (which I'm not). Comments/questions/answers etcetera: later. This gave me a bit of a headache so I'm going out for a long stretch. Compared with the breeze it is on Arch Linux and its AUR package, well, enough said. Here goes:

# Firejail profile for vmware
# Description: VMWare Workstation Player, used for running virtual machines
# This file is overwritten after every install/update
# Persistent local customizations
include vmware.local
# Persistent global definitions
include globals.local

allow-debuggers

noblacklist ${HOME}/.cache/vmware
noblacklist ${HOME}/.vmware
noblacklist /usr/lib/vmware

# disable-common.inc blacklists /sbin - minimize opening that up
noblacklist /sbin/depmod
noblacklist /sbin/insmod
noblacklist /sbin/lsmod
noblacklist /sbin/modinfo
noblacklist /sbin/modprobe
noblacklist /sbin/rmmod
noblacklist /sbin/sh
noblacklist /sbin/vmaf*
noblacklist /sbin/vmnet*
noblacklist /sbin/vmplayer
noblacklist /sbin/vmrest
noblacklist /sbin/vmrun
noblacklist /sbin/vmss2core
noblacklist /sbin/vmstat
noblacklist /sbin/vmware*
blacklist /sbin/*
ignore blacklist /sbin

include disable-common.inc
#include disable-devel.inc # gcc is used to compile kernel modules
# we can bring it back in...
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
# VMWare scans /proc/ide for IDE CDROMs but that path is not
# blacklisted in our include file - can we bring it in?
#include disable-proc.inc
include disable-programs.inc
include disable-xdg.inc

mkdir ${HOME}/.cache/vmware
mkdir ${HOME}/.vmware
whitelist ${HOME}/.cache/vmware
whitelist ${HOME}/.vmware
# Add the next lines to your vmware.local if you need to use "shared VM".
#whitelist /var/lib/vmware
#writable-var
include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

caps.keep chown,net_raw,sys_nice
netfilter
nogroups
notv
tracelog

#disable-mnt
# Add the next line to your vmware.local to enable private-bin.
private-bin basename,bash,env,grep,id,modprobe,ovftool,sh,vmaf*,vmnet-*,vmplayer,vmrest,vmrun,vmss2core,vmstat,vmware*
private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,mtab,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
# VMWare places logs in /tmp - can we protect these via
# private-tmp without breaking functionality?
#private-tmp

dbus-user none
dbus-system none

MikeNavy commented 1 year ago

Hi, Profile has been edited (see former message); there was a bug in copy/paste.

Rename attached file as "vmplayer.profile".

vmplayer.txt

MN

glitsj16 commented 1 year ago

@MikeNavy

We're pretty close IMO. Take the time you need to test things more thoroughly in your regular workflow with VMWare. We can polish things later. Have a nice weekend!

MikeNavy commented 1 year ago

Hi, Things are not so good. With the latest profile, the vmplayer window opens but it can't see any file and I can't open an existing virtual machine, in a subdirectory of my home. Terminal output:

firejail vmplayer
Reading profile /home/michel/.config/firejail/vmplayer.profile
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 9046, child pid 9047
Warning: cannot open source file /usr/lib/firejail/seccomp.debug32, file not copied
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Child process initialized in 105.95 ms
I/O warning : failed to load external entity "/etc/vmware/hostd/proxy.xml"

(vmplayer:5): dconf-WARNING **: 13:39:07.922: failed to commit changes to dconf: Could not connect: Permission denied

(vmplayer:5): dconf-WARNING **: 13:39:18.602: failed to commit changes to dconf: Could not connect: Permission denied

Parent is shutting down, bye...

I need to test more...

MikeNavy commented 1 year ago

Sorry, bad news. Even with this profile:

# from noprofile.profile
noblacklist /sys/fs
noblacklist /sys/module

allow-debuggers
allusers
keep-config-pulse
keep-dev-shm
keep-fd all
keep-var-tmp
writable-etc
writable-run-user
writable-var
writable-var-log

# from vmware.profile
noblacklist ${HOME}/.cache/vmware
noblacklist ${HOME}/.vmware
noblacklist ${RUNUSER}/vmware
noblacklist /usr/lib/vmware

mkdir ${HOME}/.cache/vmware
mkdir ${HOME}/.vmware
mkdir ${RUNUSER}/vmware
whitelist ${HOME}/.cache/vmware
whitelist ${HOME}/.vmware
whitelist ${RUNUSER}/vmware
include whitelist-common.inc
include whitelist-runuser-common.inc

Vmplayer window opens, but it cannot see any file and I cannot launch an existing virtual machine (note that "Windows 10 x64" is not seen in the screen capture, while it was when I used LC_ALL=C firejail --profile=noprofile vmplayer; and "File / Open a virtual machine" does not see any file). Terminal output:

$ firejail vmplayer
Reading profile /home/michel/.config/firejail/vmplayer.profile
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Parent pid 2543, child pid 2545
Warning: cannot open source file /usr/lib/firejail/seccomp.debug32, file not copied
Child process initialized in 31.02 ms
I/O warning : failed to load external entity "/etc/vmware/hostd/proxy.xml"

--> At the moment, vmplayer can work with firejail only with LC_ALL=C firejail --profile=noprofile vmplayer

MikeNavy commented 1 year ago

Latest testing:

allow-debuggers
allusers
keep-config-pulse
keep-dev-shm
keep-fd all
keep-var-tmp
writable-etc
writable-run-user
writable-var
writable-var-log

# from vmware.profile
noblacklist ${HOME}/.cache/vmware
noblacklist ${HOME}/.vmware
noblacklist ${RUNUSER}/vmware
noblacklist /usr/lib/vmware

mkdir ${HOME}/.cache/vmware
mkdir ${HOME}/.vmware
mkdir ${RUNUSER}/vmware
whitelist ${HOME}/.cache/vmware
whitelist ${HOME}/.vmware
whitelist ${RUNUSER}/vmware
include whitelist-common.inc
include whitelist-runuser-common.inc

caps.keep chown,net_raw,sys_nice
netfilter
nogroups
notv
tracelog

disable-mnt

# Add the next line to your vmware.local to enable private-bin.
private-bin basename,bash,env,grep,id,modprobe,ovftool,sh,vmaf*,vmnet-*,vmplayer,vmrest,vmrun,vmss2core,vmstat,vmware*
private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,mtab,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix

# VMWare places logs in /tmp - can we protect these via
# private-tmp without breaking functionality?
private-tmp

dbus-user none
dbus-system none

- With `firejail vmplayer`, vmplayer opens, it displays "Windows 10 x64" VM.
- I can edit VM settings.
- I launch "Windows 10 x64"; at its launch, Windows 10 displays a message saying it looks for peripherals (!).
- Terminal output shows several GTK critical errors and warnings:

$ firejail vmplayer
Reading profile /home/michel/.config/firejail/vmplayer.profile
Reading profile /etc/firejail/whitelist-runuser-common.inc
Parent pid 6213, child pid 6214
Warning: cannot open source file /usr/lib/firejail/seccomp.debug32, file not copied
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: NVIDIA card detected, nogroups command ignored
Child process initialized in 23.00 ms
I/O warning : failed to load external entity "/etc/vmware/hostd/proxy.xml"
(vmplayer:2): Gtk-CRITICAL **: 14:13:37.993: gtk_box_gadget_distribute: assertion 'size >= 0' failed in GtkScrollbar
(vmplayer:2): Gtk-CRITICAL **: 14:13:37.993: gtk_box_gadget_distribute: assertion 'size >= 0' failed in GtkScrollbar
(vmplayer:2): Gtk-CRITICAL **: 14:13:43.771: gtk_box_gadget_distribute: assertion 'size >= 0' failed in GtkScrollbar
(vmplayer:2): Gtk-CRITICAL **: 14:13:43.771: gtk_box_gadget_distribute: assertion 'size >= 0' failed in GtkScrollbar
Cannot load message dictionary "/usr/lib/vmware/messages/fr/vmware-mks.vmsg".
Cannot load message dictionary "/usr/lib/vmware/messages/fr/vmware-mks.vmsg".
(vmplayer:2): Gtk-WARNING **: 14:17:55.646: removable-device-0: missing action removable-device-0
(vmplayer:2): Gtk-WARNING **: 14:17:55.646: removable-device-1: missing action removable-device-1
(vmplayer:2): Gtk-WARNING **: 14:17:55.646: removable-device-2: missing action removable-device-2
(vmplayer:2): Gtk-WARNING **: 14:17:55.646: removable-device-3: missing action removable-device-3
(vmplayer:2): Gtk-WARNING **: 14:17:55.646: removable-device-0connect: missing action removable-device-0connect
(vmplayer:2): Gtk-WARNING **: 14:17:55.646: removable-device-0-edit: missing action removable-device-0-edit
(vmplayer:2): Gtk-WARNING **: 14:17:55.647: removable-device-1-connect: missing action removable-device-1-connect
(vmplayer:2): Gtk-WARNING **: 14:17:55.647: removable-device-1-nic-bridged: missing action removable-device-1-nic-bridged
(vmplayer:2): Gtk-WARNING **: 14:17:55.647: removable-device-1-nic-nat: missing action removable-device-1-nic-nat
(vmplayer:2): Gtk-WARNING **: 14:17:55.647: removable-device-1-nic-host-only: missing action removable-device-1-nic-host-only
(vmplayer:2): Gtk-WARNING **: 14:17:55.647: removable-device-1-edit: missing action removable-device-1-edit
(vmplayer:2): Gtk-WARNING **: 14:17:55.647: removable-device-2connect: missing action removable-device-2connect
(vmplayer:2): Gtk-WARNING **: 14:17:55.647: removable-device-2-edit: missing action removable-device-2-edit
(vmplayer:2): Gtk-WARNING **: 14:17:55.647: removable-device-3connect: missing action removable-device-3connect
(vmplayer:2): Gtk-WARNING **: 14:17:55.647: removable-device-3-edit: missing action removable-device-3-edit
(vmplayer:2): Gtk-WARNING **: 14:17:55.648: removable-device-0: missing action removable-device-0
(vmplayer:2): Gtk-WARNING **: 14:17:55.648: removable-device-1: missing action removable-device-1
(vmplayer:2): Gtk-WARNING **: 14:17:55.648: removable-device-2: missing action removable-device-2
(vmplayer:2): Gtk-WARNING **: 14:17:55.648: removable-device-3: missing action removable-device-3
(vmplayer:2): Gtk-WARNING **: 14:17:55.648: removable-device-0connect: missing action removable-device-0connect
(vmplayer:2): Gtk-WARNING **: 14:17:55.648: removable-device-0-edit: missing action removable-device-0-edit
(vmplayer:2): Gtk-WARNING **: 14:17:55.648: removable-device-1-connect: missing action removable-device-1-connect
(vmplayer:2): Gtk-WARNING **: 14:17:55.648: removable-device-1-nic-bridged: missing action removable-device-1-nic-bridged
(vmplayer:2): Gtk-WARNING **: 14:17:55.648: removable-device-1-nic-nat: missing action removable-device-1-nic-nat
(vmplayer:2): Gtk-WARNING **: 14:17:55.648: removable-device-1-nic-host-only: missing action removable-device-1-nic-host-only
(vmplayer:2): Gtk-WARNING **: 14:17:55.648: removable-device-1-edit: missing action removable-device-1-edit
(vmplayer:2): Gtk-WARNING **: 14:17:55.648: removable-device-2connect: missing action removable-device-2connect
(vmplayer:2): Gtk-WARNING **: 14:17:55.648: removable-device-2-edit: missing action removable-device-2-edit
(vmplayer:2): Gtk-WARNING **: 14:17:55.648: removable-device-3connect: missing action removable-device-3connect
(vmplayer:2): Gtk-WARNING **: 14:17:55.648: removable-device-3-edit: missing action removable-device-3-edit
Parent is shutting down, bye...


Since my Windows 10 VM can be damaged, I replace it with the backed-up one.

Regards,

MN

MikeNavy commented 1 year ago

New test with LC_ALL=C firejail --profile=noprofile vmplayer:

Terminal output:

$ vmplayer
I/O warning : failed to load external entity "/etc/vmware/hostd/proxy.xml"
Cannot load message dictionary "/usr/lib/vmware/messages/fr/vmware-mks.vmsg".
Cannot load message dictionary "/usr/lib/vmware/messages/fr/vmware-mks.vmsg".
(vmplayer:8756): Gtk-WARNING **: 14:56:17.095: removable-device-0: missing action removable-device-0
(vmplayer:8756): Gtk-WARNING **: 14:56:17.095: removable-device-1: missing action removable-device-1
(vmplayer:8756): Gtk-WARNING **: 14:56:17.095: removable-device-2: missing action removable-device-2
(vmplayer:8756): Gtk-WARNING **: 14:56:17.095: removable-device-3: missing action removable-device-3
(vmplayer:8756): Gtk-WARNING **: 14:56:17.095: removable-device-0connect: missing action removable-device-0connect
(vmplayer:8756): Gtk-WARNING **: 14:56:17.095: removable-device-0-edit: missing action removable-device-0-edit
(vmplayer:8756): Gtk-WARNING **: 14:56:17.095: removable-device-1-connect: missing action removable-device-1-connect
(vmplayer:8756): Gtk-WARNING **: 14:56:17.095: removable-device-1-nic-bridged: missing action removable-device-1-nic-bridged
(vmplayer:8756): Gtk-WARNING **: 14:56:17.095: removable-device-1-nic-nat: missing action removable-device-1-nic-nat
(vmplayer:8756): Gtk-WARNING **: 14:56:17.095: removable-device-1-nic-host-only: missing action removable-device-1-nic-host-only
(vmplayer:8756): Gtk-WARNING **: 14:56:17.095: removable-device-1-edit: missing action removable-device-1-edit
(vmplayer:8756): Gtk-WARNING **: 14:56:17.095: removable-device-2connect: missing action removable-device-2connect
(vmplayer:8756): Gtk-WARNING **: 14:56:17.095: removable-device-2-edit: missing action removable-device-2-edit
(vmplayer:8756): Gtk-WARNING **: 14:56:17.095: removable-device-3connect: missing action removable-device-3connect
(vmplayer:8756): Gtk-WARNING **: 14:56:17.095: removable-device-3-edit: missing action removable-device-3-edit
(vmplayer:8756): Gtk-WARNING **: 14:56:17.096: removable-device-0: missing action removable-device-0
(vmplayer:8756): Gtk-WARNING **: 14:56:17.096: removable-device-1: missing action removable-device-1
(vmplayer:8756): Gtk-WARNING **: 14:56:17.096: removable-device-2: missing action removable-device-2
(vmplayer:8756): Gtk-WARNING **: 14:56:17.096: removable-device-3: missing action removable-device-3
(vmplayer:8756): Gtk-WARNING **: 14:56:17.096: removable-device-0connect: missing action removable-device-0connect
(vmplayer:8756): Gtk-WARNING **: 14:56:17.096: removable-device-0-edit: missing action removable-device-0-edit
(vmplayer:8756): Gtk-WARNING **: 14:56:17.096: removable-device-1-connect: missing action removable-device-1-connect
(vmplayer:8756): Gtk-WARNING **: 14:56:17.096: removable-device-1-nic-bridged: missing action removable-device-1-nic-bridged
(vmplayer:8756): Gtk-WARNING **: 14:56:17.096: removable-device-1-nic-nat: missing action removable-device-1-nic-nat
(vmplayer:8756): Gtk-WARNING **: 14:56:17.096: removable-device-1-nic-host-only: missing action removable-device-1-nic-host-only
(vmplayer:8756): Gtk-WARNING **: 14:56:17.096: removable-device-1-edit: missing action removable-device-1-edit
(vmplayer:8756): Gtk-WARNING **: 14:56:17.096: removable-device-2connect: missing action removable-device-2connect
(vmplayer:8756): Gtk-WARNING **: 14:56:17.096: removable-device-2-edit: missing action removable-device-2-edit
(vmplayer:8756): Gtk-WARNING **: 14:56:17.096: removable-device-3connect: missing action removable-device-3connect
(vmplayer:8756): Gtk-WARNING **: 14:56:17.096: removable-device-3-edit: missing action removable-device-3-edit

Both terminal logs are similar. The "Gtk-WARNING" messages occur during Windows shutdown.

At the moment, I would say that with "firejail --profile=noprofile vmplayer" command, vmplayer and Windows 10 seem to work the same way as vmplayer without firejail (note: I have not tested VM creation).

Regards, MN