Closed MikeNavy closed 1 year ago
- [x ] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
No, it has no profile. And the default profile does not work with privileged programs.
(Offtopic)
@MikeNavy
Please see the following links for how to format code blocks in markdown:
/usr/bin/vmware-modconfig: line 46: /usr/lib/vmware/bin/vmware-modconfig: Permission denied Parent is shutting down, bye...
Does it work if you run that outside of firejail first (or manually installing
the kernel modules yourself) and then try to run vmplayer
in firejail later?
@rusty-snake on Jun 19:
- [x ] The program has a profile. (If not, request one in Profile requests #1139)
No, it has no profile. And the default profile does not work with privileged programs.
There are a few vmware-related profiles, but not vmplayer.profile:
- vmware-player.profile -> vmware.profile
- vmware-view.profile (remote VM client?)
- vmware-workstation.profile -> vmware.profile
- vmware.profile (runs VMs)
vmplayer may be the same thing as vmware-player, in which case it could be added as a redirect to vmware.profile.
@MikeNavy What is the output of:
which -a vmplayer
which -a vmware-player vmware-view vmware-workstation vmware
Hi, Concerning profiles: "vmplayer" is the command that launches VMware Workstation Player.
"VMware Workstation Player" is the actual name of "VMware Player"; it was changed years ago by VMware (the former products "VMware Player" and "VMware Workstation" were merged into one, "VMware Workstation Player"; the products that exist now are "VMware Workstation Player" and "VMware Workstation Pro").
"VMware Workstation Player" Product page: https://www.vmware.com/content/vmware/vmware-published-sites/us/products/workstation-player/workstation-player-evaluation.html.html Revision 17.0.2 is the latest one.
Outputs: "shell": such a command does not exist in Ubuntu.
"which -a vmplayer" output: /usr/bin/vmplayer /bin/vmplayer
"which -a vmware-player vmware-view vmware-workstation vmware" output: no output
Concerning kernel: after each kernel change, VMware Workstation Player asks, at its first launch, to compile and install two vmnet modules in the kernel. Of course, this has been done for my latest 5.4.0-152 generic kernel, and VMware Workstation Player works when launched without firejail ("vmplayer" or "vmplayer %U" command). It is only when launched with "firejail --noprofile" that I see the "VMware Kernel Module Updater" window.
Regards,
MN
Hi,
I have done the following test:
I have copied "/etc/firejail/vmware-player.profile" to my home "/.config/firejail/" directory, then renamed "/.config/firejail/vmware-player.profile" to "/.config/firejail/vmplayer.profile".
I have then launched VMware Workstation Player with the following command in a terminal: firejail vmplayer.
Here is the output:
$ firejail vmplayer
Reading profile /home/michel/.config/firejail/vmplayer.profile
Reading profile /etc/firejail/vmware.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 2650, child pid 2651
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping asound.conf for private /etc
Warning: skipping conf.d for private /etc
Warning: skipping crypto-policies for private /etc
Error fcopy: invalid ownership for file /etc/hosts
Error: failed to run /run/firejail/lib/fcopy, exiting...
Error: proc 2650 cannot sync with peer: unexpected EOF
Peer 2651 unexpectedly exited with status 1
Now, "vmware.profile" is read, but there are errors.
Here is the output of LC_ALL=C firejail --debug vmplayer:
https://gist.github.com/MikeNavy/d7d794334eea6d5f65543ddeb934143e
Here is "/etc/hosts" ownership:
$ ls -l /etc/hosts
-rw-rw-r-- 1 michel michel 817539 juin 15 17:12 /etc/hosts
"/etc/hosts" is owned by my username (michel), a user with superuser rights. It is not owned by root, since I use hosts as an IP address filter and update it regularly using a bash script (I update hosts in my home, then copy it to "/etc/hosts" with the sudo mv hosts /etc/hosts command).
Regards,
MN
Error fcopy: invalid ownership for file /etc/hosts
Error: failed to run /run/firejail/lib/fcopy, exiting...
Error: proc 2650 cannot sync with peer: unexpected EOF
Peer 2651 unexpectedly exited with status 1
$ ls -l /etc/hosts
-rw-rw-r-- 1 michel michel 817539 juin 15 17:12 /etc/hosts
"/etc/hosts" is owned by my username (michel), a user with superuser rights. It is not owned by root, since I use hosts as an IP address filter and update it regularly using a bash script (I update hosts in my home, then copy it to "/etc/hosts" with the sudo mv hosts /etc/hosts command).
Note that changing the ownership of system files may make it easier for malicious programs to modify them.
Since it is being modified in the user home and since sudo is being used anyway, I'd suggest to make it owned by root:root before copying it to /etc.
Example:
sudo chown root:root hosts
sudo mv hosts /etc/hosts
Does it run if you change the permissions?
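As an added example (not code from firejail or from anyone in this thread) of the root:root-before-copy suggestion above: a small POSIX shell script that validates a locally generated hosts file and installs it with install(1), so the published copy is root:root 0644 in one step, which is the ownership that fcopy complained about in the error above. The function names and the blocklist-style sample input are assumptions; it relies on GNU coreutils (stat -c, install) and sudo.

```sh
#!/bin/sh
# Added example, not firejail code or the commenter's script: publish a locally
# generated hosts file to /etc/hosts so that it ends up root:root with mode 0644,
# which is what firejail's fcopy expects for files it copies into a private /etc.
# Assumptions: GNU coreutils (stat -c, install), sudo available, and a hosts file
# in the "0.0.0.0 <name>" blocklist style; the function names are made up.

# validate_hosts FILE -> 0 if every non-comment, non-blank line is "<address> <name>..."
validate_hosts() {
  awk '
    /^[[:space:]]*#/ || NF == 0 { next }        # comments and blank lines are fine
    NF < 2                       { exit 1 }     # an address alone is not an entry
    $1 !~ /^[0-9a-fA-F.:]+$/     { exit 1 }     # first field must look like an IPv4/IPv6 address
  ' "$1"
}

# file_has_owner_mode FILE UID MODE -> 0 if FILE is owned by numeric UID with octal MODE
file_has_owner_mode() {
  [ "$(stat -c '%u' "$1")" = "$2" ] && [ "$(stat -c '%a' "$1")" = "$3" ]
}

# publish_hosts SRC [DEST] -> validate SRC, then install it at DEST as root:root 0644.
# install(1) writes a new file with the requested owner/mode and renames it over
# DEST, so, unlike "sudo mv hosts /etc/hosts", the result never keeps the
# ownership of the user who generated it.
publish_hosts() {
  src=$1; dest=${2:-/etc/hosts}
  validate_hosts "$src" || { echo "refusing: $src is not a valid hosts file" >&2; return 1; }
  sudo install -o root -g root -m 0644 "$src" "$dest" || return 1
  # final check: the file we just published must be root-owned and world-readable
  file_has_owner_mode "$dest" 0 644
}

# Usage on a real system (needs sudo): publish_hosts "$HOME/hosts" /etc/hosts
```

Because install(1) sets owner and mode on the new inode before renaming it into place, there is no window in which /etc/hosts exists owned by the unprivileged user, and the final file_has_owner_mode check turns a silent ownership regression into a non-zero exit the update script can act on.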
Hi,
I have added sudo chown root:root hosts in my bash file, before the sudo mv hosts /etc/hosts, and now my "/etc/hosts" is owned by root.
I have done the following test: firejail vmplayer.
Reading profile /home/michel/.config/firejail/vmplayer.profile
Reading profile /etc/firejail/vmware.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 11008, child pid 11009
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping asound.conf for private /etc
Warning: skipping conf.d for private /etc
Warning: skipping crypto-policies for private /etc
Private /etc installed in 146.98 ms
Private /usr/etc installed in 0.01 ms
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Child process initialized in 335.40 ms
Terminal output in debug mode is here: https://gist.github.com/MikeNavy/7d006729b482568dcf3f20eaaafd14f8
Regards,
MN
PS: VMware Workstation Player does work without Firejail
- I have a new error: "VMware Kernel Module Updater" complains it does not find GCC:
PS: VMware Workstation Player does work without Firejail
I'd try commenting parts of the profile until it works.
These includes might be related to the issue:
Hi,
No, I think something prevents vmplayer from reading / accessing its modules installed in the kernel: without Firejail, vmplayer wants to compile and install two modules in the kernel just once, after a new kernel has been installed.
And it has been done.
Without Firejail, those "VMware Kernel Module Updater" windows do not appear at each launch and don't ask for Kernel Headers or for GCC. The application window (see capture above) opens directly.
I don't want to take the risk that enabling something would induce a new compiling of vmnet modules and might break the working installation (working without Firejail). So, I will not test the profile with comments before these "disable-..." lines: the existing vmware profile is just not designed nor tested for existing vmware applications...
Regards,
MN
think something prevents vmplayer to read / access its modules installed in the kernel
Maybe the implicit blacklist of /sys/module
Hi,
I have been using VMware Workstation Player for years on Linux Mint or Ubuntu (several versions before 17...) and it has always asked to compile and install modules in the kernel at the first launch after a kernel change. (And I think it is also the way VMware Workstation Pro works)
A firejail profile for VMware Workstation Player should therefore allow not only reading the kernel, but also installing modules into the kernel.
Regards,
MN
TBH, if you allow to install own modules into the kernel, you do not need a sandbox.
You sandbox to limit privileges. The kernel is the most privileged part of your system after the firmware (BIOS/UEFI and ME/PSP).
@MikeNavy on Jun 20:
I have been using VMware Workstation Player for years on Linux Mint or Ubuntu (several versions before 17...) and it has always asked to compile and install modules in the kernel at the first launch after a kernel change. (And I think it is also the way VMware Workstation Pro works)
A firejail profile for VMware Workstation Player should therefore allow not only reading the kernel, but also installing modules into the kernel.
@rusty-snake on Jun 20:
TBH, if you allow to install own modules into the kernel, you do not need a sandbox.
You sandbox to limit privileges. The kernel is the most privileged part of your system after the firmware (BIOS/UEFI and ME/PSP).
Yes, if a program can run arbitrary code in the kernel, then sandboxing can't do much.
But if the goal is to sandbox VMs rather than vmware itself, then a way to do it might be to:
- Run vmware outside of firejail whenever it needs to compile and load the kernel modules and then exit afterwards
- Run vmplayer inside of firejail to load the VMs
Also, installing kernel modules is not something that random programs should be doing on a whim, especially if that is intended to be done after installing a certain package.
That is usually done by creating one or more hook scripts inside of the package, which are then executed directly by the system package manager (such as apt) whenever the relevant package is upgraded.
I was going to suggest reporting it to them as a packaging bug, but it appears that vmware doesn't even provide a proper package for any distribution; the user is supposed to just download a random binary file from a third-party website and run it as root.
If security is a concern, then I'd try my best to avoid vmware and use something like qemu or virtualbox instead.
the user is supposed to just download a random binary file from a third-party website and run it as root.
OT rant on VMware: Moreover this random 3p binary installs to /usr/lib rather than /usr/local or /opt. And fails to provide a functional uninstall method. You can only install VMware products in a VM/Container/chroot if you want a stable system. And want to be able to uninstall without OS reinstall.
@kmk3
But if the goal is to sandbox VMs rather than vmware itself, then a way to do it might be to:
- Run vmware outside of firejail whenever it needs to compile and load the kernel modules and then exit afterwards
- Run vmplayer inside of firejail to load the VMs
Hi,
Yes, I agree with this. Of course, it prevents the use of firecfg (or firecfg would not write a symlink for vmplayer).
Regards,
MN
Also, installing kernel modules is not something that random programs should be doing on a whim, especially if that is intended to be done after installing a certain package.
That is usually done by creating one or more hook scripts inside of the package, which are then executed directly by the system package manager (such as apt) whenever the relevant package is upgraded.
I was going to suggest reporting it to them as a packaging bug, but it appears that vmware doesn't even provide a proper package for any distribution; the user is supposed to just download a random binary file from a third-party website and run it as root.
If security is a concern, then I'd try my best to avoid vmware and use something like qemu or virtualbox instead.
Hi,
VMware has a long (20 years) and good reputation. I use VMware Workstation Player because I trust VMware. I have always a fresh system backup that I could use after a VMware update, or a VMware modules installation in the kernel, if something went wrong. I also use Tripwire, to check that changes are limited to what they should be.
VMware Workstation Player is provided as a large file, a Linux executable installer, which fits any Linux version. It is the way VMware solved the problem to avoid compiling one version for each existing distribution (other ways are flatpaks, snaps, AppImages...). At the opposite, VirtualBox provides 12 different packages, and each distribution provides its own.
I have compared VMware and VirtualBox to install a Windows 10 Pro guest in Linux Mint host:
Qemu is very difficult to set up, in command line mode only. It is much easier to use Gnome Boxes, a GUI for libvirt/qemu. And Gnome Boxes in its flatpak version offers great security.
Speaking of security, virtual machines programs, per se, offer an excellent isolation between host and guest operating system. Of course, they can have, as any program, vulnerabilities that could be used by guest to attack host. This is hypothetical, particularly if guest and host are different operating systems. Sandboxing is here to reduce this hypothetical risk. Updating regularly the virtual machine program is another way to reduce this risk.
At the opposite, "pseudo" virtual machines programs are dangerous: Windows 10 Pro and Windows 11 Pro offer WSL/WSL2 (Windows Subsystem Linux), with a great facility to use a Linux distribution such as Ubuntu directly on Windows. Operating systems isolation is poor, or non-existing, and there are attacks targeting Windows through the Linux operating system running in WSL/WSL2.
Regards,
MN
@MikeNavy on Jun 21:
Yes, I agree with this. Of course, it prevents the use of firecfg (or firecfg would not write a symlink for vmplayer).
Fixed in #5865.
@MikeNavy on Jun 21:
VMware Workstation Player is provided as a large file, a Linux executable installer, which fits any Linux version. It is the way VMware solved the problem to avoid compiling one version for each existing distribution (other ways are flatpaks, snaps, AppImages...). At the opposite, VirtualBox provides 12 different packages, and each distribution provides its own.
Creating one package per distribution is not really necessary in practice. In fact, there is no need to create any package at all; as long as a normal tar/zip archive (rather than an executable) is provided, the rest can generally be done by the packagers of each distribution. If that was fixed, it's more likely that someone would have created a PPA with a package containing proper hooks by now.
Which is why this is baffling, since even if the archive only contained binary files (so it's not even necessarily about being libre vs proprietary), as long as they were properly split (such as the main program from the module installer), it would be easier to package it properly.
Someone managed to do it in the AUR, but it seems to be much more complicated (why does it need to modify an sqlite database during packaging?) compared to virtualbox (and especially to other packages in general):
Qemu is very difficult to set up, in command line mode only. It is much easier to use Gnome Boxes, a GUI for libvirt/qemu. And Gnome Boxes in its flatpak version offers great security.
Yes, regardless of the interface, I'd consider using qemu to be an improvement.
As for the rest, it's good to know about the performance/usability differences, but to be clear I'm not a big fan of virtualbox either, it's just that is seems to be less proprietary overall compared to vmware and it is properly packaged in more distributions.
At the opposite, "pseudo" virtual machines programs are dangerous: Windows 10 Pro and Windows 11 Pro offer WSL/WSL2 (Windows Subsystem Linux), with a great facility to use a Linux distribution such as Ubuntu directly on Windows. Operating systems isolation is poor, or non-existing, and there are attacks targeting Windows through the Linux operating system running in WSL/WSL2.
Yeah, WSL seems like the worst of both worlds.
@Neo00001 @ra1nb0w
Hello, I see that you added/updated the vmware profiles in the following pull requests:
Do the profiles still work for you?
Yes, I am still using it.
Yes, I am still using it.
Nice, in what distribution do you use it?
Have you ever had issues with vmware compiling/installing kernel modules? Example:
Archlinux updated today and vmware-workstation from aur (vmware-workstation 17.0.2-1)
No issue with kernel modules.
This is currently my .config/firejail/vmware.local:
# use private binary folder
private-bin id,basename,grep,env,bash,sh,ovftool,vmafossexec,vmaf_*,vmnet-*,vmplayer,vmrest,vmrun,vmss2core,vmstat,vmware,vmware-*
# vmware snapshot
private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,mtab,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
So it seems that indeed only the AUR has vmware properly packaged.
If anyone wants to package it for Debian/Ubuntu, that AUR package seems like a good starting point.
Misc: It would be kind of interesting to see that happen, as it's usually the other way around, in that the official package is a .deb and someone turns that into an Arch package (though it would still be preferable to have an official package of course).
Anyway, thanks for the details.
@kmk3 Hi,
Reading this page, https://aur.archlinux.org/packages/vmware-workstation, shows that vmware modules need to be installed in kernel:
After the first installation, please:
1) install the appropriate headers package(s) for your installed kernel(s): linux-headers for default kernel, linux-lts-headers for LTS kernel...
2) reboot or load vmw_vmci and vmmon kernel modules (modprobe -a vmw_vmci vmmon)
3) Enable the services you need (using .service units to activate them during boot or .path units to activate them when a VM is started) :
And a user says in his comments that the bundle works, while it is not the case with the AUR package:
swiat_linuksaYT commented on [2023-05-31 19:11 (UTC)](https://aur.archlinux.org/packages/vmware-workstation#comment-917317)
Package is compiling correctly - no errors, but can't start any VM - VMMON error on start - VMMON installed 410, required 416. There's also no vmware.service. Tried to compile vmmon from github, doesn't work either.
Downloaded bundle from official site VMware-Workstation-Full-17.0.2-21581411.x86_64.bundle working without any problem, and no issues like - keyboard lag error in many distros, terminals. 3D Acceleration works perfect in new version on Nvidia 525.xx drivers.
Regards, MN
@MikeNavy
Greetings
And a user says in his comments that the bundle works, while it is not the case with the AUR package
Please don't quote only half the story. One comment above is an explanation for what happened. In the meantime I've built the AUR package without any trouble. Due to the dependency on dkms the vmware kernel modules are built and installed via a pacman post-install hook. So that's BEFORE any firejailing comes into play. After modprobe'ing vmw_vmci & vmmon the application works with the vmplayer.profile from #5865 or when using --profile=vmware on CLI. All this confirms what @ra1nb0w already kindly stated: no problems on Arch Linux with sandboxing VMware...
I don't want to take the risk that enabling something would induce a new compiling of vmnet modules and might break the working installation (working without Firejail). So, I will not test the profile with comments before these "disable-..." lines: the existing vmware profile is just not designed nor tested for existing vmware applications...
I can understand your point of view, up to a point. It's your decision to not try to debug the existing profile by commenting lines as suggested by @kmk3. Yet you do expect a tested/working firejail profile, which - I agree - is a reasonable expectation, no argument there. But these profiles don't come falling from the Great SandBox Skies magically :)
Collaborators run the exact same 'risks' when creating/testing a profile. Let's reopen this issue and try to determine where the issue on Linux Mint stems from. Building the required gcc 12.2.0 right now on a Ubuntu machine I dusted off. Will report back.
One comment above is an explanation for what happened.
Quoting it here for reference:
jihem commented on 2023-06-03 17:01 (UTC)
@swiat_linuksaYT
I don't know exactly what happened on your system, but it probably loads the vmmon module remaining from an old VMware installation. You can try to clean your current VMware installation before reinstalling this package:
- Uninstall the bundle installation using the wiki instructions: https://wiki.archlinux.org/title/VMware#Removal
- Check that there is no VMware module handled by DKMS: the output of dkms status should not display any line related to vmware-workstation
- Remove the eventual remaining VMware modules in your filesystem: find /usr/lib/modules -name vmmon\* -exec rm {} \; and find /usr/lib/modules -name vmnet\* -exec rm {} \;
- Reinstall this package
- Reboot
- Start your VM; you shouldn't have the error anymore
This package does not contain a service vmware.service. All the services provided by the package are listed and explained in the pin comment.
(For reference, the comment is by the current package maintainer)
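The cleanup recipe quoted above deletes with find ... -exec rm straight away. As an added example, not from the AUR package, dkms or anyone in the thread, here is a dry-run variant in POSIX shell that first lists every vmmon/vmnet file under a modules tree and separates the dkms-built copies (under updates/dkms/, the location glitsj16 describes further down) from stray ones, and only deletes the stray set on request. Taking MODROOT as a parameter and the function names are assumptions made so the scan can be exercised on a throwaway directory instead of /usr/lib/modules.

```sh
#!/bin/sh
# Added example, not from the thread, the AUR package or dkms: a dry-run scan
# for leftover vmmon/vmnet modules to run before the "find ... -exec rm" step
# quoted above. Every vmmon*/vmnet* file under MODROOT (assumed to mirror
# /usr/lib/modules) is tagged DKMS if it lives under updates/dkms/ (managed and
# rebuilt by dkms on kernel upgrades) or STRAY otherwise (typically left behind by
# the .bundle's own module updater). Only STRAY files are candidates for removal.

# list_vmware_modules MODROOT -> "<TAG> <path>" per file, sorted by path
list_vmware_modules() {
  find "$1" -type f \( -name 'vmmon*' -o -name 'vmnet*' \) 2>/dev/null | sort |
  while IFS= read -r path; do
    case $path in
      */updates/dkms/*) echo "DKMS  $path" ;;
      *)                echo "STRAY $path" ;;
    esac
  done
}

# count_stray MODROOT -> number of STRAY files (prints 0 when the tree is clean)
count_stray() {
  list_vmware_modules "$1" | grep -c '^STRAY ' || true
}

# stray_module_kernels MODROOT -> kernel versions (MODROOT/<kver>/...) that still
# carry stray modules; booting one of these is how an old vmmon gets loaded
stray_module_kernels() {
  list_vmware_modules "$1" | sed -n "s|^STRAY $1/\([^/]*\)/.*|\1|p" | sort -u
}

# remove_stray MODROOT -> delete STRAY files only, printing each one; kept as a
# separate step so the listing can be reviewed before anything is removed
remove_stray() {
  list_vmware_modules "$1" | sed -n 's/^STRAY //p' | while IFS= read -r path; do
    echo "removing $path"
    rm -f -- "$path"
  done
}

# Real-system usage: list_vmware_modules /usr/lib/modules   (review the output),
# then remove_stray /usr/lib/modules as root, then "dkms status" to confirm the
# DKMS-built modules are still registered for every installed kernel.
```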
@glitsj16 Hi, OK, you have succeeded in building a package for AUR where "the vmware kernel modules are built and installed via a pacman post-install hook". What happens when the kernel changes? With Ubuntu, after each kernel change, vmplayer requests at its first launch to compile and install vmmon and vmnet modules in the kernel; and it is mandatory to click on the "install" button to have vmplayer working. How did you manage this?
Concerning testing: I could comment the four "disable-..." lines as suggested and test the modified profile. But I don't know how to cope with this @rusty-snake comment, the read access to kernel might be prevented by "Maybe the implicit blacklist of /sys/module". How to disable this implicit blacklist? Moreover, what would be the security improvement given by sandboxing without "disable-devel.inc", "disable-exec.inc", "disable-interpreters.inc", "disable-programs.inc" and with noblacklist of "/sys/module"? Finally, testing needs a lot of time: I have to test that vmplayer is launched; that, once launched, it can launch a virtual guest; that the virtual guest works correctly (display resizing, all display modes, files copy/paste, contents copy/paste, shared folders, hardware disconnecting from host and connecting to guest, using host printers...); that a new virtual guest can be created, and VMware tools installed in the guest... These are things I could do with a profile having some chances to work, and still giving an improved security.
Regards,
MN
Hi, OK, you have succeeded in building a package for AUR where "the vmware kernel modules are built and installed via a pacman post-install hook". What happens when the kernel changes?
From a loose glance at the vmware-workstation AUR repository, this is more or less how it seems to happen:
It adds its own Makefile (to compile the modules) and dkms.conf files into /usr/src/vmware-workstation. Then it extracts and copies the vmware modules (from the vmware executable) into that directory as well.
Whenever pacman upgrades the kernel (or an adjacent package), it runs something to update the dkms, which looks into that directory and runs make to rebuild/install the kernel modules.
With Ubuntu, after each kernel change, vmplayer requests at its first launch to compile and install vmmon and vmnet modules in the kernel; and it is mandatory to click on "install button" to have vmplayer working. How did you manage this?
It likely tells vmware (through a config file) to not try to update the modules (or that they are always updated), so that only pacman gets to update the modules.
To have a better understanding, I'd suggest cloning the AUR repository and reading the files inside of it:
git clone https://aur.archlinux.org/vmware-workstation.git
Concerning testing: I could comment the four "disable-..." lines as suggested and test the modified profile. But I don't know how to cope with this @rusty-snake comment, the read access to kernel might be prevented by "Maybe the implicit blacklist of /sys/module". How to disable this implicit blacklist?
Try adding this to the profile:
noblacklist /sys/module
Though that might only be necessary if vmware tries to do something with the kernel modules itself (it shouldn't be needed if you update the modules before running vmware in firejail).
Moreover, what would be the security improvement given by sandboxing without "disable-devel.inc", "disable-exec.inc", "disable-interpreters.inc", "disable-programs.inc" and with noblacklist of "/sys/module"?
These includes are arguably not as important for security as the rest of the profile. Also, it likely isn't necessary to disable all of them for it to work, just to go and comment lines in the profile until you find exactly which line(s) are causing issues.
Finally, testing needs a lot of time: I have to test that vmplayer is launched; that, once launched, it can launch a virtual guest; that the virtual guest works correctly (display resizing, all display modes, files copy/paste, contents copy/paste, shared folders, hardware disconnecting from host and connecting to guest, using host printers...); that a new virtual guest can be created, and VMware tools installed in the guest... These are things I could do with a profile having some chances to work, and still giving an improved security.
Yes and the quality of the profiles ultimately depends on users testing and maintaining them. No one else can really make the profiles be as secure and as usable as possible other than the people that regularly use the programs that the profiles are for.
From a loose glance at the vmware-workstation AUR repository, this is more or less how it seems to happen: It adds its own Makefile (to compile the modules) and dkms.conf files into /usr/src/vmware-workstation. Then it extracts and copies the vmware modules (from the vmware executable) into that directory as well. Whenever pacman upgrades the kernel (or an adjacent package), it runs something to update the dkms, which looks into that directory and runs make to rebuild/install the kernel modules.
The PKGBUILD only copies the source files for the kernel modules into /usr/src/vmware-workstation, not the built modules themselves. That part is left to dkms as usual. The actual modules are indeed built via a post-install hook that targets linux kernel headers. They end up in /usr/lib/modules/6.3.8-foo/updates/dkms/{vmmon,vmnet}.ko.zst, also as usual for dkms modules. There's nothing really special about this. Debian-based systems have similar apt/dpkg hooks. But that only works for regular .deb packages and not for the .bundle that VMware offers.
I fully agree with @kmk3 that probably the only thing that needs checking is VMware's ability to confirm those kernel modules are there from within the sandbox. This is the /sys/module part. You might use an extra whitelist /sys/module and read-only /sys/module to keep protecting this path. That's what blender.profile does for AMD GPU support: https://github.com/netblue30/firejail/blob/1003dee6ff0de20950511d50fa7ab184091e54af/etc/profile-a-l/blender.profile?#L21-L24
Still building gcc 12.3.0 on my old Ubuntu box to confirm all this. Should have more details later today.
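As an added example (not firejail's, VMware's, or any commenter's code) of the check glitsj16 describes, the following POSIX shell functions look for vmmon and vmnet the way a program would, via /proc/modules and a per-module directory under /sys/module. The sysfs root and the modules file are parameters (assumed names), so the same check can be run on a constructed tree; on a real host call it with /sys/module and /proc/modules, once directly and once under firejail --profile=vmware sh -c '...', to see whether the sandbox hides /sys/module.

```sh
#!/bin/sh
# Added example (not from firejail, VMware or the thread): check whether the
# vmmon/vmnet modules are visible the way an application would look for them,
# via /proc/modules and /sys/module/<name>. SYSROOT and PROCMODULES are
# parameters (an assumption made for testability); on a real system call
#   vmware_modules_visible /sys/module /proc/modules
# both plainly and under "firejail --profile=vmware sh -c '...'" to compare.

# module_in_proc PROCMODULES NAME -> 0 if NAME is listed (first column) in the file
module_in_proc() {
  awk -v n="$2" '$1 == n { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# module_in_sysfs SYSROOT NAME -> 0 if SYSROOT/NAME exists and is readable; a
# blacklisted /sys/module fails here even though the module is loaded
module_in_sysfs() {
  [ -d "$1/$2" ] && [ -r "$1/$2" ]
}

# vmware_modules_visible SYSROOT PROCMODULES -> prints one line per module,
# "<name> loaded=<yes|no> sysfs=<yes|no>", and returns 0 only when vmmon and
# vmnet are both loaded AND visible under SYSROOT (what the in-sandbox app needs)
vmware_modules_visible() {
  sysroot=$1; procmods=$2; rc=0
  for m in vmmon vmnet; do
    if module_in_proc "$procmods" "$m"; then loaded=yes; else loaded=no; rc=1; fi
    if module_in_sysfs "$sysroot" "$m"; then sysfs=yes; else sysfs=no; rc=1; fi
    echo "$m loaded=$loaded sysfs=$sysfs"
  done
  return $rc
}
```

A loaded=yes sysfs=no result inside the sandbox, with loaded=yes sysfs=yes outside it, is the signature of the /sys/module blacklist; that is the case where the noblacklist /sys/module plus read-only /sys/module approach discussed in this thread is the targeted change, rather than dropping the disable-*.inc includes.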
Hi, I have copied the "vmware.profile" from "/etc/firejail/" to "~/.config/firejail/" and renamed it "vmplayer.profile". Then I have done the following tests:
1) I have edited the profile and commented the four lines:
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-programs.inc
Then I launch "LC=ALL firejail vmplayer" in a terminal. VMware Kernel Module Updater asks for Kernel Headers.
Terminal output:
$ LC=ALL firejail vmplayer
Reading profile /home/michel/.config/firejail/vmplayer.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 5513, child pid 5514
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping asound.conf for private /etc
Warning: skipping conf.d for private /etc
Warning: skipping crypto-policies for private /etc
Private /etc installed in 96.62 ms
Private /usr/etc installed in 0.01 ms
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Child process initialized in 203.33 ms
2) I have added the following line at the beginning of the profile:
whitelist /sys/module
and kept the former four lines commented.
No vmplayer window.
Terminal output:
LC=ALL firejail vmplayer
Reading profile /home/michel/.config/firejail/vmplayer.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 5719, child pid 5720
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping asound.conf for private /etc
Warning: skipping conf.d for private /etc
Warning: skipping crypto-policies for private /etc
Private /etc installed in 81.97 ms
Private /usr/etc installed in 0.00 ms
Error: invalid whitelist path /sys/module
Error: proc 5719 cannot sync with peer: unexpected EOF
Peer 5720 unexpectedly exited with status 1
3) I have removed the whitelist /sys/module and replaced it by read-only /sys/module, still keeping the former four lines commented.
Result is the same as with test 1.
Regards,
MN
@glitsj16
The PKGBUILD only copies the source files for the kernel modules into /usr/src/vmware-workstation, not the built modules themselves. That part is left to dkms as usual. The actual modules are indeed built via a post-install hook that targets linux kernel headers. They end up in /usr/lib/modules/6.3.8-foo/updates/dkms/{vmmon,vmnet}.ko.zst, also as usual for dkms modules. There's nothing really special about this. Debian-based systems have similar apt/dpkg hooks. But that only works for regular .deb packages and not for the .bundle that VMWare offers.
Hi, Concerning the deb packaging: it is not proposed by VMware, and it is not done by others (Ubuntu, PPAs...) since VMware is proprietary software. If we set aside the technical problems, there is a licensing one: VMware does not license the right to distribute or change its programs. (Some could argue that, since VMware officially uses software with GPL V2 or GPL V3, GPL has been propagated to all VMware code...) This explains why there is no deb available.
The solution to copy the sources of vmmon or vmnet at installation will not work when VMware updates their sources; it could happen when a new revision is available (e.g., from 17.0.1 to 17.0.2) or when a new major version is available (e.g. from 16 to 17). I have just installed the VMware Workstation Player bundle once on my Linux Mint 20.3, at version 15.5: all the updates between 15.5 and 17.0.2, including major version changes, have been done from the application itself, with the "check for updates" function. Meanwhile, vmmon and vmnet sources may have changed. So, a packaging solution could work only if the version is a stable one, updated through the package manager, and with the check for updates function disabled.
Concerning vmmon and vmnet modules, they are used by VMware in order to build the network between host and guest (bridge, nat or host-only).
Regards,
MN
Another test: I have written a very minimal restricting profile using Firetools, and pasted its content to "~/.config/firejail/vmplayer.profile":
# Custom profile for vmplayer
# file system
include /etc/firejail/disable-common.inc
# network
protocol unix,inet,inet6,netlink,packet,bluetooth
# multimedia
# kernel
No VMware window opens. Here is the terminal output:
LC=ALL firejail vmplayer
Reading profile /home/michel/.config/firejail/vmplayer.profile
Reading profile /etc/firejail/disable-common.inc
Parent pid 6796, child pid 6797
Child process initialized in 58.93 ms
/usr/bin/vmware-modconfig: line 46: /usr/lib/vmware/bin/vmware-modconfig: Permission denied
Parent is shutting down, bye...
So, could "disable-common.inc" be responsible? New profile, without disable-common.inc:
# Custom profile for vmplayer
# file system
# include /etc/firejail/disable-common.inc
# network
protocol unix,inet,inet6,netlink,packet,bluetooth
# multimedia
# kernel
When I launch LC=ALL firejail vmplayer, the usual VMware Kernel Module Updater asks for Kernel Headers:
Here is terminal output:
$ LC=ALL firejail vmplayer
Reading profile /home/michel/.config/firejail/vmplayer.profile
Parent pid 6885, child pid 6886
Child process initialized in 22.21 ms
Is Firejail compatible with VMware Workstation Player?
Regards,
MN
@MikeNavy on Jun 22:
I have added the following line at the beginning of the profile:
whitelist /sys/module
Did the profile include the noblacklist?
noblacklist /sys/module
You can ignore those whitelist/read-only commands until the profile works, as they are intended for hardening in this case.
@MikeNavy on Jun 22:
I have written a very minimal restricting profile using Firetools, and pasted its content to "~/.config/firejail/vmplayer.profile":
So, could "disable-common.inc" be responsible?
That file blacklists /usr/lib/vmware, which is undone in vmware.profile, so no.
Does it work without disable-common.inc and with the following added?
noblacklist /sys/module
(Offtopic)
@MikeNavy on Jun 22:
Hi, Concerning the deb packaging: it is not proposed by VMware, and it is not done by others (Ubuntu, PPAs...) since VMware is a proprietary software.
As I mentioned before, the license is unrelated to the packaging format. Steam and Zoom are proprietary and both offer .deb packages, for example. Wine is libre and offers a PPA repository for Ubuntu.
If we put apart the technical problems, there is a licensing one: VMware does not license the right to diffuse or change its programs. (Some ones could argue that, since VMware officially uses software with GPL V2 or GPL V3, GPL has been propagated to all VMware code...) This explains why there is no deb available.
Unless shown otherwise, the only thing stopping vmware from providing a proper archive and/or package is themselves.
The solution to copy the sources of vmmon or vmnet at installation will not work when VMware updates their sources; it could arrive when a new revision is available (e.g., from 17.0.1 to 17.0.2) or when a new major version is available (e.g. from 16 to 17).
It will work because the AUR package is updated whenever a new version comes out and it always points to a specific version (that is, to a specific file and its checksum).
That is how basically all packaging on Linux works (except for packages intended to build in-development versions), regardless of whether the files downloaded during packaging are entirely source code or binaries.
I have just installed VMware Workstation Player bundle once on my Linux Mint 20.3, at version 15.5: all the updates between 15.5 and 17.0.2, including major versions changes, have been done from the application itself, with the "check for updates" function. Meanwhile, vmmon and vmnet sources may have changed. So, a packaging solution could work only if the version is a stable one, updated through package manager, and with check for updates function disabled.
Yes, updates through the program are disabled because the package manager is the one responsible for updating packages. That is usually done when packaging any program with a built-in update checker, including for things like Firefox.
You could think of the AUR package as a more "enterprise"/stable/IT-managed version of the installer.
Hi,
Latest trial with the following "vmplayer.profile":
# Custom profile for vmplayer
# file system
noblacklist /sys/module
include /etc/firejail/disable-common.inc
# network
protocol unix,inet,inet6,netlink,
# multimedia
# kernel
When launching LC=ALL firejail vmplayer, no VMware window opens.
Terminal output:
$ LC=ALL firejail vmplayer
Reading profile /home/michel/.config/firejail/vmplayer.profile
Reading profile /etc/firejail/disable-common.inc
Parent pid 3469, child pid 3470
Child process initialized in 70.91 ms
/usr/bin/vmware-modconfig: line 46: /usr/lib/vmware/bin/vmware-modconfig: Permission denied
Parent is shutting down, bye...
Note that "VMware Workstation Player" and "VMware Workstation Pro" may not work the same way as older products "VMware Player" and "VMware Workstation": they use "VMware Sphere" hypervisor virtualization technology, a recent technology, more recent than "VMware Player" and "VMware Workstation".
Regards,
MN
Latest trial with the following "vmplayer.profile":
# Custom profile for vmplayer
# file system
noblacklist /sys/module
include /etc/firejail/disable-common.inc
# network
protocol unix,inet,inet6,netlink,
# multimedia
# kernel
See this:
Does it work without disable-common.inc and with the following added?
Hi,
Trial with vmware.profile, copied to "~/.config/firejail", renamed vmplayer.profile, and modified as follows:
noblacklist /sys/module
noblacklist ${HOME}/.cache/vmware
noblacklist ${HOME}/.vmware
noblacklist /usr/lib/vmware
# include disable-common.inc
# include disable-devel.inc
# include disable-exec.inc
# include disable-interpreters.inc
include disable-programs.inc
include disable-xdg.inc
When I launch vmplayer with LC=ALL firejail vmplayer:
VMware player opens the usual VMware Kernel Module Updater asking for Kernel Headers,
Terminal output:
LC=ALL firejail vmplayer
Reading profile /home/michel/.config/firejail/vmplayer.profile
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 7870, child pid 7871
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping asound.conf for private /etc
Warning: skipping conf.d for private /etc
Warning: skipping crypto-policies for private /etc
Private /etc installed in 88.02 ms
Private /usr/etc installed in 0.00 ms
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Child process initialized in 178.60 ms
Regards,
MN
Hi, Trial with vmware.profile, copied to "~/.config/firejail", renamed vmplayer.profile, and modified as follows:
noblacklist /sys/module
noblacklist ${HOME}/.cache/vmware
noblacklist ${HOME}/.vmware
noblacklist /usr/lib/vmware
# include disable-common.inc
# include disable-devel.inc
# include disable-exec.inc
# include disable-interpreters.inc
include disable-programs.inc
include disable-xdg.inc
When I launch vmplayer with LC_ALL=C firejail vmplayer:
- VMware player opens the usual VMware Kernel Module Updater requesting Kernel Headers,
Hmm that is surprising; I didn't think it would fail with only that.
Please try it with noprofile.profile, which is supposed to be as permissive as possible:
LC_ALL=C firejail --profile=noprofile vmplayer
Note: There is no need to modify any profile, just use that exact command line.
If that fails, then the issue is not with any profile but with firejail itself.
Sorry, I should have suggested it before.
Also, doesn't vmware write any logs?
They might contain more details about what exactly vmware is failing to access, so if you could find and post them it could make debugging much easier.
Note: If the log contains too many lines to put in a comment, you can upload the log file itself (drag and drop) in the comment.
Hi,
Test with LC_ALL=C firejail --profile=noprofile vmplayer
Finally, the VMware Workstation Player opens:
So, there is hope a working profile can be created!
Here is terminal output:
$ LC_ALL=C firejail --profile=noprofile vmplayer
Reading profile /etc/firejail/noprofile.profile
Parent pid 4606, child pid 4607
Warning: cannot open source file /usr/lib/firejail/seccomp.debug32, file not copied
Child process initialized in 14.93 ms
I/O warning : failed to load external entity "/etc/vmware/hostd/proxy.xml"
Here is vmplayer log: https://gist.github.com/MikeNavy/eb0153dbb042ae131a884f3d4ea0b2ed
Here is vmplayer latest failed trial (yesterday) log: https://gist.github.com/MikeNavy/45d8d0bb5a02dfb41d21768fa001841e
Here is vmplayer without firejail log: https://gist.github.com/MikeNavy/5bb55dcf0ec67c58e48a617187d47d38
NB: those logs are USB arbitrator logs, "vmware-usbarbxxxx.log", found in "/var/log/vmware". Other logs are found in the virtual machine directories, and log the VM's operation.
Regards,
MN
Test with
LC_ALL=C firejail --profile=noprofile vmplayer
Finally, the VMware Workstation Player opens:
So, there is hope a working profile can be created!
Nice.
Here is vmplayer log: https://gist.github.com/MikeNavy/eb0153dbb042ae131a884f3d4ea0b2ed
Here is vmplayer latest failed trial (yesterday) log: https://gist.github.com/MikeNavy/45d8d0bb5a02dfb41d21768fa001841e
Here is vmplayer without firejail log: https://gist.github.com/MikeNavy/5bb55dcf0ec67c58e48a617187d47d38
/var/run/vmware/usbarbitrator-socket
Interesting, this path seems to be missing in the profile.
Please try with only the following in the profile (for example, in vmplayer.profile):
# from noprofile.profile
noblacklist /sys/fs
noblacklist /sys/module
allow-debuggers
allusers
keep-config-pulse
keep-dev-shm
keep-fd all
keep-var-tmp
writable-etc
writable-run-user
writable-var
writable-var-log
# from vmware.profile
noblacklist ${HOME}/.cache/vmware
noblacklist ${HOME}/.vmware
noblacklist ${RUNUSER}/vmware
noblacklist /usr/lib/vmware
mkdir ${HOME}/.cache/vmware
mkdir ${HOME}/.vmware
mkdir ${RUNUSER}/vmware
whitelist ${HOME}/.cache/vmware
whitelist ${HOME}/.vmware
whitelist ${RUNUSER}/vmware
include whitelist-common.inc
include whitelist-runuser-common.inc
Then comment each line in the from noprofile section until it breaks to find the offending line.
If it still works after commenting the entire section, try adding more lines from vmware.profile into the from vmware section.
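The comment-one-line-at-a-time procedure just described, as an added example (not code from the firejail project or from anyone in this thread): a POSIX shell script that writes one copy of the profile per candidate line in a "# from NAME" section, each copy with exactly that line commented out, plus a driver that launches the program under each copy. The sample profile embedded in write_sample, the variant file names and the /tmp paths in the usage comment are assumptions made for the illustration; run_variants needs firejail and the target program installed on the host.

```shell
#!/bin/sh
# Added example for this thread (not code from firejail or from the people posting here).
# It automates the "comment one line at a time" procedure: for every candidate line in a
# "# from NAME" section of a profile it writes a copy of the profile with exactly that
# line commented out, and a driver launches the program once per copy.
# The sample profile, file names and output directory are assumptions for illustration.

# bisect_section PROFILE SECTION OUTDIR
#   SECTION is the word after "# from " (e.g. noprofile.profile). Candidate lines are the
#   non-blank, non-comment lines between that marker and the next "# from " marker (or end
#   of file). One variant-NNN.profile is written per candidate line, NNN being the 1-based
#   line number that was commented out. Prints the number of variants written.
bisect_section() {
    profile=$1
    section=$2
    outdir=$3
    mkdir -p "$outdir"
    count=0
    for n in $(awk -v sec="$section" '
        /^# from / { insec = ($0 == ("# from " sec)); next }
        insec && $0 !~ /^[ \t]*(#|$)/ { print NR }
    ' "$profile"); do
        variant="$outdir/variant-$(printf %03d "$n").profile"
        # comment out exactly line n; every other line is copied unchanged
        sed "${n}s/^/#/" "$profile" > "$variant"
        count=$((count + 1))
    done
    echo "$count"
}

# commented_line VARIANT: print the line that bisect_section commented out in VARIANT.
# Assumes the profile's own comments start with "# " (as the profiles in this thread do),
# so the single line starting with "#" followed directly by text is the commented-out one.
commented_line() {
    grep '^#[^ #]' "$1" | head -n 1 | sed 's/^#//'
}

# run_variants OUTDIR COMMAND...: launch COMMAND under each variant in turn.
# A variant whose run fails (or, for a GUI, visibly misbehaves) marks a line the program
# needs; a variant that still works marks a line that can be dropped for hardening.
run_variants() {
    outdir=$1
    shift
    for v in "$outdir"/variant-*.profile; do
        echo "== $v: running without '$(commented_line "$v")'"
        if firejail --profile="$v" "$@"; then
            echo "   still works"
        else
            echo "   FAILED: '$(commented_line "$v")' is needed"
        fi
    done
}

# write_sample FILE: a constructed profile in the layout used in this thread (sample
# data, trimmed to a few lines so the example runs quickly).
write_sample() {
    cat > "$1" <<'EOF'
# from noprofile.profile
noblacklist /sys/fs
noblacklist /sys/module
allow-debuggers
allusers
# from vmware.profile
noblacklist /usr/lib/vmware
EOF
}

# Usage (interactive, on a host with firejail and vmplayer installed):
#   write_sample /tmp/vmplayer-bisect.profile   # or copy ~/.config/firejail/vmplayer.profile
#   bisect_section /tmp/vmplayer-bisect.profile noprofile.profile /tmp/vmplayer-variants
#   run_variants /tmp/vmplayer-variants vmplayer
```

Each variant differs from the original by exactly one line, so a failing launch can be attributed to that line without any guesswork; the same script run against the "# from vmware.profile" section shows which of the hardening lines the program tolerates.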
Hi,
Using the proposed profile works.
Then I have tried to comment lines in the section "# from noprofile.profile"; I have commented them one at a time.
When this line is commented "# allow-debuggers", the VMware Kernel Module Updater opens, asking for kernel headers.
No other commented line in "# from noprofile.profile" breaks vmplayer launch.
Regards,
MN
Hi,
VMware Player still opens with the following vmplayer.profile:
# from noprofile.profile
noblacklist /sys/fs
noblacklist /sys/module
allow-debuggers
allusers
keep-config-pulse
keep-dev-shm
keep-fd all
keep-var-tmp
writable-etc
writable-run-user
writable-var
writable-var-log
# from vmware.profile
noblacklist ${HOME}/.cache/vmware
noblacklist ${HOME}/.vmware
noblacklist ${RUNUSER}/vmware
noblacklist /usr/lib/vmware
#include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-programs.inc
include disable-xdg.inc
mkdir ${HOME}/.cache/vmware
mkdir ${HOME}/.vmware
mkdir ${RUNUSER}/vmware
whitelist ${HOME}/.cache/vmware
whitelist ${HOME}/.vmware
whitelist ${RUNUSER}/vmware
include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc
caps.keep chown,net_raw,sys_nice
netfilter
nogroups
notv
tracelog
#disable-mnt
# Add the next line to your vmware.local to enable private-bin.
#private-bin env,bash,sh,ovftool,vmafossexec,vmaf_*,vmnet-*,vmplayer,vmrest,vmrun,vmss2core,vmstat,vmware,vmware-*
#private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,mtab,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
dbus-user none
dbus-system none
Note that I have not tested the full working, just that vmplayer window opens.
Regards,
MN
Apologies for the later-than-planned report from my VMWare on Ubuntu testing. After a terrible ordeal to get the modules built I've got a working profile. Obviously that needs more extensive usage by someone that uses this app regularly and is familiar with it (which I'm not). Comments/questions/answers etcetera: later. This gave me a bit of a headache so I'm going out for a long stretch. Compared with the breeze it is on Arch Linux and its AUR package, well, enough said. Here goes:
# Firejail profile for vmware
# Description: VMWare Workstation Player, used for running virtual machines
# This file is overwritten after every install/update
# Persistent local customizations
include vmware.local
# Persistent global definitions
include globals.local
allow-debuggers
noblacklist ${HOME}/.cache/vmware
noblacklist ${HOME}/.vmware
noblacklist /usr/lib/vmware
# disable-common.inc blacklists /sbin - minimize opening that up
noblacklist /sbin/depmod
noblacklist /sbin/insmod
noblacklist /sbin/lsmod
noblacklist /sbin/modinfo
noblacklist /sbin/modprobe
noblacklist /sbin/rmmod
noblacklist /sbin/sh
noblacklist /sbin/vmaf*
noblacklist /sbin/vmnet*
noblacklist /sbin/vmplayer
noblacklist /sbin/vmrest
noblacklist /sbin/vmrun
noblacklist /sbin/vmss2core
noblacklist /sbin/vmstat
noblacklist /sbin/vmware*
blacklist /sbin/*
ignore blacklist /sbin
include disable-common.inc
#include disable-devel.inc # gcc is used to compile kernel modules
# we can bring it back in...
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
# VMWare scans /proc/ide for IDE CDROMs but that path is not
# blacklisted in our include file - can we bring it in?
#include disable-proc.inc
include disable-programs.inc
include disable-xdg.inc
mkdir ${HOME}/.cache/vmware
mkdir ${HOME}/.vmware
whitelist ${HOME}/.cache/vmware
whitelist ${HOME}/.vmware
# Add the next lines to your vmware.local if you need to use "shared VM".
#whitelist /var/lib/vmware
#writable-var
include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc
caps.keep chown,net_raw,sys_nice
netfilter
nogroups
notv
tracelog
#disable-mnt
# Add the next line to your vmware.local to enable private-bin.
private-bin basename,bash,env,grep,id,modprobe,ovftool,sh,vmaf*,vmnet-*,vmplayer,vmrest,vmrun,vmss2core,vmstat,vmware*
private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,mtab,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
# VMWare places logs in /tmp - can we protect these via
# private-tmp without breaking functionality?
#private-tmp
dbus-user none
dbus-system none
Hi, Profile has been edited (see former message); there was a bug in copy/paste.
Rename attached file as "vmplayer.profile".
MN
@MikeNavy
We're pretty close IMO. Take the time you need to test things more thoroughly in your regular workflow with VMWare. We can polish things later. Have a nice weekend!
Hi, Things are not so good. With the latest profile, the vmplayer window opens but it can't see any file and I can't open an existing virtual machine, in a subdirectory of my home. Terminal output:
firejail vmplayer
Reading profile /home/michel/.config/firejail/vmplayer.profile
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 9046, child pid 9047
Warning: cannot open source file /usr/lib/firejail/seccomp.debug32, file not copied
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Child process initialized in 105.95 ms
I/O warning : failed to load external entity "/etc/vmware/hostd/proxy.xml"
(vmplayer:5): dconf-WARNING **: 13:39:07.922: failed to commit changes to dconf: Could not connect: Permission denied
(vmplayer:5): dconf-WARNING **: 13:39:18.602: failed to commit changes to dconf: Could not connect: Permission denied
Parent is shutting down, bye...
I need to test more...
Sorry, bad news. Even with this profile:
# from noprofile.profile
noblacklist /sys/fs
noblacklist /sys/module
allow-debuggers
allusers
keep-config-pulse
keep-dev-shm
keep-fd all
keep-var-tmp
writable-etc
writable-run-user
writable-var
writable-var-log
# from vmware.profile
noblacklist ${HOME}/.cache/vmware
noblacklist ${HOME}/.vmware
noblacklist ${RUNUSER}/vmware
noblacklist /usr/lib/vmware
mkdir ${HOME}/.cache/vmware
mkdir ${HOME}/.vmware
mkdir ${RUNUSER}/vmware
whitelist ${HOME}/.cache/vmware
whitelist ${HOME}/.vmware
whitelist ${RUNUSER}/vmware
include whitelist-common.inc
include whitelist-runuser-common.inc
Vmplayer window opens, but it cannot see any file and I cannot launch the existing virtual machine.
(note that "Windows 10 x64" is not seen in the screen capture, while it was when I used LC_ALL=C firejail --profile=noprofile vmplayer; and "File / Open a virtual machine" does not see any file).
Terminal output:
$ firejail vmplayer
Reading profile /home/michel/.config/firejail/vmplayer.profile
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Parent pid 2543, child pid 2545
Warning: cannot open source file /usr/lib/firejail/seccomp.debug32, file not copied
Child process initialized in 31.02 ms
I/O warning : failed to load external entity "/etc/vmware/hostd/proxy.xml"
--> At the moment, vmplayer can work only with firejail with LC_ALL=C firejail --profile=noprofile vmplayer
Latest testing:
# from noprofile.profile
noblacklist /sys/fs
noblacklist /sys/module
allow-debuggers
allusers
keep-config-pulse
keep-dev-shm
keep-fd all
keep-var-tmp
writable-etc
writable-run-user
writable-var
writable-var-log
noblacklist ${HOME}/.cache/vmware
noblacklist ${HOME}/.vmware
noblacklist ${RUNUSER}/vmware
noblacklist /usr/lib/vmware
mkdir ${HOME}/.cache/vmware
mkdir ${HOME}/.vmware
mkdir ${RUNUSER}/vmware
whitelist ${RUNUSER}/vmware
include whitelist-runuser-common.inc
caps.keep chown,net_raw,sys_nice
netfilter
nogroups
notv
tracelog
dbus-user none
dbus-system none
- With `firejail vmplayer`, vmplayer opens, it displays "Windows 10 x64" VM.
- I can edit VM settings.
- I launch "Windows 10 x64"; at its launch, Windows 10 displays a message saying it looks for peripherals (!).
- Terminal output shows several GTK critical errors and warnings:
$ firejail vmplayer
Reading profile /home/michel/.config/firejail/vmplayer.profile
Reading profile /etc/firejail/whitelist-runuser-common.inc
Parent pid 6213, child pid 6214
Warning: cannot open source file /usr/lib/firejail/seccomp.debug32, file not copied
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: NVIDIA card detected, nogroups command ignored
Child process initialized in 23.00 ms
I/O warning : failed to load external entity "/etc/vmware/hostd/proxy.xml"
(vmplayer:2): Gtk-CRITICAL **: 14:13:37.993: gtk_box_gadget_distribute: assertion 'size >= 0' failed in GtkScrollbar
(vmplayer:2): Gtk-CRITICAL **: 14:13:37.993: gtk_box_gadget_distribute: assertion 'size >= 0' failed in GtkScrollbar
(vmplayer:2): Gtk-CRITICAL **: 14:13:43.771: gtk_box_gadget_distribute: assertion 'size >= 0' failed in GtkScrollbar
(vmplayer:2): Gtk-CRITICAL **: 14:13:43.771: gtk_box_gadget_distribute: assertion 'size >= 0' failed in GtkScrollbar
Cannot load message dictionary "/usr/lib/vmware/messages/fr/vmware-mks.vmsg".
Cannot load message dictionary "/usr/lib/vmware/messages/fr/vmware-mks.vmsg".
(vmplayer:2): Gtk-WARNING **: 14:17:55.646: removable-device-0: missing action removable-device-0
(vmplayer:2): Gtk-WARNING **: 14:17:55.646: removable-device-1: missing action removable-device-1
(vmplayer:2): Gtk-WARNING **: 14:17:55.646: removable-device-2: missing action removable-device-2
(vmplayer:2): Gtk-WARNING **: 14:17:55.646: removable-device-3: missing action removable-device-3
(vmplayer:2): Gtk-WARNING **: 14:17:55.646: removable-device-0connect: missing action removable-device-0connect
(vmplayer:2): Gtk-WARNING **: 14:17:55.646: removable-device-0-edit: missing action removable-device-0-edit
(vmplayer:2): Gtk-WARNING **: 14:17:55.647: removable-device-1-connect: missing action removable-device-1-connect
(vmplayer:2): Gtk-WARNING **: 14:17:55.647: removable-device-1-nic-bridged: missing action removable-device-1-nic-bridged
(vmplayer:2): Gtk-WARNING **: 14:17:55.647: removable-device-1-nic-nat: missing action removable-device-1-nic-nat
(vmplayer:2): Gtk-WARNING **: 14:17:55.647: removable-device-1-nic-host-only: missing action removable-device-1-nic-host-only
(vmplayer:2): Gtk-WARNING **: 14:17:55.647: removable-device-1-edit: missing action removable-device-1-edit
(vmplayer:2): Gtk-WARNING **: 14:17:55.647: removable-device-2connect: missing action removable-device-2connect
(vmplayer:2): Gtk-WARNING **: 14:17:55.647: removable-device-2-edit: missing action removable-device-2-edit
(vmplayer:2): Gtk-WARNING **: 14:17:55.647: removable-device-3connect: missing action removable-device-3connect
(vmplayer:2): Gtk-WARNING **: 14:17:55.647: removable-device-3-edit: missing action removable-device-3-edit
(vmplayer:2): Gtk-WARNING **: 14:17:55.648: removable-device-0: missing action removable-device-0
(vmplayer:2): Gtk-WARNING **: 14:17:55.648: removable-device-1: missing action removable-device-1
(vmplayer:2): Gtk-WARNING **: 14:17:55.648: removable-device-2: missing action removable-device-2
(vmplayer:2): Gtk-WARNING **: 14:17:55.648: removable-device-3: missing action removable-device-3
(vmplayer:2): Gtk-WARNING **: 14:17:55.648: removable-device-0connect: missing action removable-device-0connect
(vmplayer:2): Gtk-WARNING **: 14:17:55.648: removable-device-0-edit: missing action removable-device-0-edit
(vmplayer:2): Gtk-WARNING **: 14:17:55.648: removable-device-1-connect: missing action removable-device-1-connect
(vmplayer:2): Gtk-WARNING **: 14:17:55.648: removable-device-1-nic-bridged: missing action removable-device-1-nic-bridged
(vmplayer:2): Gtk-WARNING **: 14:17:55.648: removable-device-1-nic-nat: missing action removable-device-1-nic-nat
(vmplayer:2): Gtk-WARNING **: 14:17:55.648: removable-device-1-nic-host-only: missing action removable-device-1-nic-host-only
(vmplayer:2): Gtk-WARNING **: 14:17:55.648: removable-device-1-edit: missing action removable-device-1-edit
(vmplayer:2): Gtk-WARNING **: 14:17:55.648: removable-device-2connect: missing action removable-device-2connect
(vmplayer:2): Gtk-WARNING **: 14:17:55.648: removable-device-2-edit: missing action removable-device-2-edit
(vmplayer:2): Gtk-WARNING **: 14:17:55.648: removable-device-3connect: missing action removable-device-3connect
(vmplayer:2): Gtk-WARNING **: 14:17:55.648: removable-device-3-edit: missing action removable-device-3-edit
Parent is shutting down, bye...
Since my Windows 10 VM can be damaged, I replace it with the backed up one.
Regards,
MN
New test with LC_ALL=C firejail --profile=noprofile vmplayer
:
Vmplayer window opens, I can launch "Windows 10 x64 VM"; shared folders work, file copy/paste works, content copy/paste works, Gimp (demanding on GPU) works, Windows Update works.
In terminal output, no GTK critical error, but warnings:
LC_ALL=C firejail --profile=noprofile vmplayer
Reading profile /etc/firejail/noprofile.profile
Parent pid 7294, child pid 7295
Warning: cannot open source file /usr/lib/firejail/seccomp.debug32, file not copied
Child process initialized in 19.26 ms
I/O warning : failed to load external entity "/etc/vmware/hostd/proxy.xml"
Cannot load message dictionary "/usr/lib/vmware/messages/fr/vmware-mks.vmsg".
Cannot load message dictionary "/usr/lib/vmware/messages/fr/vmware-mks.vmsg".
(vmplayer:2): Gtk-WARNING **: 14:40:00.698: removable-device-0: missing action removable-device-0
(vmplayer:2): Gtk-WARNING **: 14:40:00.698: removable-device-1: missing action removable-device-1
(vmplayer:2): Gtk-WARNING **: 14:40:00.698: removable-device-2: missing action removable-device-2
(vmplayer:2): Gtk-WARNING **: 14:40:00.698: removable-device-3: missing action removable-device-3
(vmplayer:2): Gtk-WARNING **: 14:40:00.698: removable-device-0connect: missing action removable-device-0connect
(vmplayer:2): Gtk-WARNING **: 14:40:00.698: removable-device-0-edit: missing action removable-device-0-edit
(vmplayer:2): Gtk-WARNING **: 14:40:00.698: removable-device-1-connect: missing action removable-device-1-connect
(vmplayer:2): Gtk-WARNING **: 14:40:00.698: removable-device-1-nic-bridged: missing action removable-device-1-nic-bridged
(vmplayer:2): Gtk-WARNING **: 14:40:00.698: removable-device-1-nic-nat: missing action removable-device-1-nic-nat
(vmplayer:2): Gtk-WARNING **: 14:40:00.698: removable-device-1-nic-host-only: missing action removable-device-1-nic-host-only
(vmplayer:2): Gtk-WARNING **: 14:40:00.698: removable-device-1-edit: missing action removable-device-1-edit
(vmplayer:2): Gtk-WARNING **: 14:40:00.698: removable-device-2connect: missing action removable-device-2connect
(vmplayer:2): Gtk-WARNING **: 14:40:00.698: removable-device-2-edit: missing action removable-device-2-edit
(vmplayer:2): Gtk-WARNING **: 14:40:00.699: removable-device-3connect: missing action removable-device-3connect
(vmplayer:2): Gtk-WARNING **: 14:40:00.699: removable-device-3-edit: missing action removable-device-3-edit
(vmplayer:2): Gtk-WARNING **: 14:40:00.699: removable-device-0: missing action removable-device-0
(vmplayer:2): Gtk-WARNING **: 14:40:00.699: removable-device-1: missing action removable-device-1
(vmplayer:2): Gtk-WARNING **: 14:40:00.699: removable-device-2: missing action removable-device-2
(vmplayer:2): Gtk-WARNING **: 14:40:00.699: removable-device-3: missing action removable-device-3
(vmplayer:2): Gtk-WARNING **: 14:40:00.700: removable-device-0connect: missing action removable-device-0connect
(vmplayer:2): Gtk-WARNING **: 14:40:00.700: removable-device-0-edit: missing action removable-device-0-edit
(vmplayer:2): Gtk-WARNING **: 14:40:00.700: removable-device-1-connect: missing action removable-device-1-connect
(vmplayer:2): Gtk-WARNING **: 14:40:00.700: removable-device-1-nic-bridged: missing action removable-device-1-nic-bridged
(vmplayer:2): Gtk-WARNING **: 14:40:00.700: removable-device-1-nic-nat: missing action removable-device-1-nic-nat
(vmplayer:2): Gtk-WARNING **: 14:40:00.700: removable-device-1-nic-host-only: missing action removable-device-1-nic-host-only
(vmplayer:2): Gtk-WARNING **: 14:40:00.700: removable-device-1-edit: missing action removable-device-1-edit
(vmplayer:2): Gtk-WARNING **: 14:40:00.700: removable-device-2connect: missing action removable-device-2connect
(vmplayer:2): Gtk-WARNING **: 14:40:00.700: removable-device-2-edit: missing action removable-device-2-edit
(vmplayer:2): Gtk-WARNING **: 14:40:00.700: removable-device-3connect: missing action removable-device-3connect
(vmplayer:2): Gtk-WARNING **: 14:40:00.700: removable-device-3-edit: missing action removable-device-3-edit
Parent is shutting down, bye...
To compare with previous test, I replace my "Windows 10 x64" VM by the backed up one, and I launch vmplayer from a terminal.
Terminal output:
```
$ vmplayer
I/O warning : failed to load external entity "/etc/vmware/hostd/proxy.xml"
Cannot load message dictionary "/usr/lib/vmware/messages/fr/vmware-mks.vmsg".
Cannot load message dictionary "/usr/lib/vmware/messages/fr/vmware-mks.vmsg".
(vmplayer:8756): Gtk-WARNING **: 14:56:17.095: removable-device-0: missing action removable-device-0
(vmplayer:8756): Gtk-WARNING **: 14:56:17.095: removable-device-1: missing action removable-device-1
(vmplayer:8756): Gtk-WARNING **: 14:56:17.095: removable-device-2: missing action removable-device-2
(vmplayer:8756): Gtk-WARNING **: 14:56:17.095: removable-device-3: missing action removable-device-3
(vmplayer:8756): Gtk-WARNING **: 14:56:17.095: removable-device-0connect: missing action removable-device-0connect
(vmplayer:8756): Gtk-WARNING **: 14:56:17.095: removable-device-0-edit: missing action removable-device-0-edit
(vmplayer:8756): Gtk-WARNING **: 14:56:17.095: removable-device-1-connect: missing action removable-device-1-connect
(vmplayer:8756): Gtk-WARNING **: 14:56:17.095: removable-device-1-nic-bridged: missing action removable-device-1-nic-bridged
(vmplayer:8756): Gtk-WARNING **: 14:56:17.095: removable-device-1-nic-nat: missing action removable-device-1-nic-nat
(vmplayer:8756): Gtk-WARNING **: 14:56:17.095: removable-device-1-nic-host-only: missing action removable-device-1-nic-host-only
(vmplayer:8756): Gtk-WARNING **: 14:56:17.095: removable-device-1-edit: missing action removable-device-1-edit
(vmplayer:8756): Gtk-WARNING **: 14:56:17.095: removable-device-2connect: missing action removable-device-2connect
(vmplayer:8756): Gtk-WARNING **: 14:56:17.095: removable-device-2-edit: missing action removable-device-2-edit
(vmplayer:8756): Gtk-WARNING **: 14:56:17.095: removable-device-3connect: missing action removable-device-3connect
(vmplayer:8756): Gtk-WARNING **: 14:56:17.095: removable-device-3-edit: missing action removable-device-3-edit
(vmplayer:8756): Gtk-WARNING **: 14:56:17.096: removable-device-0: missing action removable-device-0
(vmplayer:8756): Gtk-WARNING **: 14:56:17.096: removable-device-1: missing action removable-device-1
(vmplayer:8756): Gtk-WARNING **: 14:56:17.096: removable-device-2: missing action removable-device-2
(vmplayer:8756): Gtk-WARNING **: 14:56:17.096: removable-device-3: missing action removable-device-3
(vmplayer:8756): Gtk-WARNING **: 14:56:17.096: removable-device-0connect: missing action removable-device-0connect
(vmplayer:8756): Gtk-WARNING **: 14:56:17.096: removable-device-0-edit: missing action removable-device-0-edit
(vmplayer:8756): Gtk-WARNING **: 14:56:17.096: removable-device-1-connect: missing action removable-device-1-connect
(vmplayer:8756): Gtk-WARNING **: 14:56:17.096: removable-device-1-nic-bridged: missing action removable-device-1-nic-bridged
(vmplayer:8756): Gtk-WARNING **: 14:56:17.096: removable-device-1-nic-nat: missing action removable-device-1-nic-nat
(vmplayer:8756): Gtk-WARNING **: 14:56:17.096: removable-device-1-nic-host-only: missing action removable-device-1-nic-host-only
(vmplayer:8756): Gtk-WARNING **: 14:56:17.096: removable-device-1-edit: missing action removable-device-1-edit
(vmplayer:8756): Gtk-WARNING **: 14:56:17.096: removable-device-2connect: missing action removable-device-2connect
(vmplayer:8756): Gtk-WARNING **: 14:56:17.096: removable-device-2-edit: missing action removable-device-2-edit
(vmplayer:8756): Gtk-WARNING **: 14:56:17.096: removable-device-3connect: missing action removable-device-3connect
(vmplayer:8756): Gtk-WARNING **: 14:56:17.096: removable-device-3-edit: missing action removable-device-3-edit
```
Both terminal logs are similar. The "Gtk-WARNING" messages occur during Windows shutdown.
At the moment, I would say that with "firejail --profile=noprofile vmplayer" command, vmplayer and Windows 10 seem to work the same way as vmplayer without firejail (note: I have not tested VM creation).
Regards, MN
Description
Describe the bug
Steps to Reproduce
Steps to reproduce the behavior
LC_ALL=C firejail vmplayer
(LC_ALL=C to get a consistent output in English that can be understood by everybody)
Output:
Expected behavior
VMware Workstation Player can be launched with Firejail
Actual behavior
VMware Workstation Player cannot be launched with Firejail
Behavior without a profile
_What changed calling LC_ALL=C firejail --noprofile vmplayer in a terminal?_
Terminal output:
A VMware Kernel Module Updater window opens:
Additional context
Any other detail that may help to understand/debug the problem
Log
Output of LC_ALL=C firejail vmplayer:
```
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
** Note: you can use --noprofile to disable default.profile **
Parent pid 12092, child pid 12093
Child process initialized in 85.11 ms
/usr/bin/vmware-modconfig: line 46: /usr/lib/vmware/bin/vmware-modconfig: Permission denied
Parent is shutting down, bye...
```
Output of LC_ALL=C firejail --debug vmplayer:
https://gist.github.com/MikeNavy/7bb73370626c8d6926b9f8d2340066fa