search

netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0
5.79k stars 567 forks source link

discord: Check failed: . : Permission denied (13) #6110

Closed imgurbot12 closed 5 months ago

imgurbot12 commented 11 months ago

Description

Hello, love the firejail project and I've used it for years! I've recently come across this error when trying to run discord's latest version 0.0.36 on Ubuntu 22.04 within firejail which causes the entire program to crash:

Child process initialized in 223.74 ms
[1:1128/162312.415736:FATAL:proc_util.cc(97)] Check failed: . : Permission denied (13)

Steps to Reproduce

  1. Run in bash LC_ALL=C firejail discord

Behavior without a profile

$ LC_ALL=C firejail --noprofile discord
firejail version 0.9.73

Parent pid 99593, child pid 99594
Base filesystem installed in 0.10 ms
Child process initialized in 9.55 ms
Warning: an existing sandbox was detected. /usr/bin/discord will run without any additional sandboxing features
[1:1129/112108.072421:FATAL:proc_util.cc(97)] Check failed: . : Permission denied (13)

Parent is shutting down, bye...

Additional context

Any other detail that may help to understand/debug the problem

Environment

firejail-version: 0.9.66 firejail deb versions: 

ii  firejail                                  0.9.66-2                                   amd64        sandbox to restrict the application environment
ii  firejail-profiles                         0.9.66-2                                   all          profiles for the firejail application sandbox

Checklist

Log

Output of LC_ALL=C firejail /usr/bin/discord

``` Reading profile /etc/firejail/discord.profile Reading profile /home/andrew/.config/firejail/discord.local Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-programs.inc Warning: networking feature is disabled in Firejail configuration file Reading profile /etc/firejail/discord-common.profile Reading profile /etc/firejail/electron.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-exec.inc Reading profile /etc/firejail/disable-passwdmgr.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/whitelist-common.inc Reading profile /etc/firejail/whitelist-var-common.inc Warning: networking feature is disabled in Firejail configuration file Parent pid 81203, child pid 81204 Warning: skipping discord for private /opt Private /opt installed in 0.12 ms 16 programs installed in 34.37 ms Warning fcopy: skipping /etc/alternatives/aptitude, cannot find inode Warning fcopy: skipping /etc/alternatives/csscombine, cannot find inode Warning fcopy: skipping /etc/alternatives/ebtables-restore, cannot find inode Warning fcopy: skipping /etc/alternatives/lzcmp, cannot find inode Warning fcopy: skipping /etc/alternatives/jar, cannot find inode Warning fcopy: skipping /etc/alternatives/c++, cannot find inode Warning fcopy: skipping /etc/alternatives/mogrify, cannot find inode Warning fcopy: skipping /etc/alternatives/lzcat, cannot find inode Warning fcopy: skipping /etc/alternatives/composite-im6, cannot find inode Warning fcopy: skipping /etc/alternatives/automake, cannot find inode Warning fcopy: skipping /etc/alternatives/arptables-restore, cannot find inode Warning fcopy: skipping /etc/alternatives/cc, cannot find inode Warning fcopy: skipping /etc/alternatives/html2markdown, cannot find inode Warning fcopy: skipping /etc/alternatives/pinentry, cannot find inode Warning fcopy: skipping /etc/alternatives/animate-im6, cannot find inode Warning fcopy: skipping /etc/alternatives/identify-im6, cannot find inode Warning fcopy: skipping /etc/alternatives/brave-browser, cannot find inode Warning fcopy: skipping /etc/alternatives/nc, cannot find inode Warning fcopy: skipping /etc/alternatives/signal-desktop, cannot find inode Warning fcopy: skipping /etc/alternatives/x-window-manager, cannot find inode Warning fcopy: skipping /etc/alternatives/ex, cannot find inode Warning fcopy: skipping /etc/alternatives/rlogin, cannot find inode Warning fcopy: skipping /etc/alternatives/gnome-text-editor, cannot find inode Warning fcopy: skipping /etc/alternatives/aclocal, cannot find inode Warning fcopy: skipping /etc/alternatives/x-terminal-emulator, cannot find inode Warning fcopy: skipping /etc/alternatives/view, cannot find inode Warning fcopy: skipping /etc/alternatives/rmt, cannot find inode Warning fcopy: skipping /etc/alternatives/lzma, cannot find inode Warning fcopy: skipping /etc/alternatives/ip6tables-save, cannot find inode Warning fcopy: skipping /etc/alternatives/x-www-browser, cannot find inode Warning fcopy: skipping /etc/alternatives/montage, cannot find inode Warning fcopy: skipping /etc/alternatives/c89, cannot find inode Warning fcopy: skipping /etc/alternatives/vim, cannot find inode Warning fcopy: skipping /etc/alternatives/lzegrep, cannot find inode Warning fcopy: skipping /etc/alternatives/netcat, cannot find inode Warning fcopy: skipping /etc/alternatives/ebtables, cannot find inode Warning fcopy: skipping /etc/alternatives/cpp, cannot find inode Warning fcopy: skipping /etc/alternatives/composite, cannot find inode Warning fcopy: skipping /etc/alternatives/ftp, cannot find inode Warning fcopy: skipping /etc/alternatives/animate, cannot find inode Warning fcopy: skipping /etc/alternatives/pinentry-x11, cannot find inode Warning fcopy: skipping /etc/alternatives/jsondiff, cannot find inode Warning fcopy: skipping /etc/alternatives/cssparse, cannot find inode Warning fcopy: skipping /etc/alternatives/mogrify-im6, cannot find inode Warning fcopy: skipping /etc/alternatives/vimdiff, cannot find inode Warning fcopy: skipping /etc/alternatives/convert-im6, cannot find inode Warning fcopy: skipping /etc/alternatives/ip6tables, cannot find inode Warning fcopy: skipping /etc/alternatives/stream-im6, cannot find inode Warning fcopy: skipping /etc/alternatives/lzless, cannot find inode Warning fcopy: skipping /etc/alternatives/stream, cannot find inode Warning fcopy: skipping /etc/alternatives/rsh, cannot find inode Warning fcopy: skipping /etc/alternatives/rvim, cannot find inode Warning fcopy: skipping /etc/alternatives/montage-im6, cannot find inode Warning fcopy: skipping /etc/alternatives/import-im6, cannot find inode Warning fcopy: skipping /etc/alternatives/telnet, cannot find inode Warning fcopy: skipping /etc/alternatives/write, cannot find inode Warning fcopy: skipping /etc/alternatives/iptables-save, cannot find inode Warning fcopy: skipping /etc/alternatives/bibtex, cannot find inode Warning fcopy: skipping /etc/alternatives/ip6tables-restore, cannot find inode Warning fcopy: skipping /etc/alternatives/iptables, cannot find inode Warning fcopy: skipping /etc/alternatives/pico, cannot find inode Warning fcopy: skipping /etc/alternatives/vi, cannot find inode Warning fcopy: skipping /etc/alternatives/csscapture, cannot find inode Warning fcopy: skipping /etc/alternatives/convert, cannot find inode Warning fcopy: skipping /etc/alternatives/gnome-www-browser, cannot find inode Warning fcopy: skipping /etc/alternatives/compare-im6, cannot find inode Warning fcopy: skipping /etc/alternatives/compare, cannot find inode Warning fcopy: skipping /etc/alternatives/xdvi.bin, cannot find inode Warning fcopy: skipping /etc/alternatives/lzgrep, cannot find inode Warning fcopy: skipping /etc/alternatives/display, cannot find inode Warning fcopy: skipping /etc/alternatives/pybabel, cannot find inode Warning fcopy: skipping /etc/alternatives/conjure-im6, cannot find inode Warning fcopy: skipping /etc/alternatives/iptables-restore, cannot find inode Warning fcopy: skipping /etc/alternatives/lzdiff, cannot find inode Warning fcopy: skipping /etc/alternatives/awk, cannot find inode Warning fcopy: skipping /etc/alternatives/lzfgrep, cannot find inode Warning fcopy: skipping /etc/alternatives/rview, cannot find inode Warning fcopy: skipping /etc/alternatives/unlzma, cannot find inode Warning fcopy: skipping /etc/alternatives/arptables, cannot find inode Warning fcopy: skipping /etc/alternatives/rcp, cannot find inode Warning fcopy: skipping /etc/alternatives/tabbed, cannot find inode Warning fcopy: skipping /etc/alternatives/infobrowser, cannot find inode Warning fcopy: skipping /etc/alternatives/editor, cannot find inode Warning fcopy: skipping /etc/alternatives/display-im6, cannot find inode Warning fcopy: skipping /etc/alternatives/import, cannot find inode Warning fcopy: skipping /etc/alternatives/pager, cannot find inode ~ firejail discord Reading profile /etc/firejail/discord.profile Reading profile /home/andrew/.config/firejail/discord.local Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-programs.inc Warning: networking feature is disabled in Firejail configuration file Reading profile /etc/firejail/discord-common.profile Reading profile /etc/firejail/electron.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-exec.inc Reading profile /etc/firejail/disable-passwdmgr.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/whitelist-common.inc Reading profile /etc/firejail/whitelist-var-common.inc Warning: networking feature is disabled in Firejail configuration file Parent pid 82867, child pid 82868 Warning: skipping discord for private /opt Private /opt installed in 0.13 ms 16 programs installed in 28.34 ms Warning fcopy: skipping /etc/alternatives/aptitude, cannot find inode Warning fcopy: skipping /etc/alternatives/csscombine, cannot find inode Warning fcopy: skipping /etc/alternatives/ebtables-restore, cannot find inode Warning fcopy: skipping /etc/alternatives/lzcmp, cannot find inode Warning fcopy: skipping /etc/alternatives/jar, cannot find inode Warning fcopy: skipping /etc/alternatives/c++, cannot find inode Warning fcopy: skipping /etc/alternatives/mogrify, cannot find inode Warning fcopy: skipping /etc/alternatives/lzcat, cannot find inode Warning fcopy: skipping /etc/alternatives/composite-im6, cannot find inode Warning fcopy: skipping /etc/alternatives/automake, cannot find inode Warning fcopy: skipping /etc/alternatives/arptables-restore, cannot find inode Warning fcopy: skipping /etc/alternatives/cc, cannot find inode Warning fcopy: skipping /etc/alternatives/html2markdown, cannot find inode Warning fcopy: skipping /etc/alternatives/pinentry, cannot find inode Warning fcopy: skipping /etc/alternatives/animate-im6, cannot find inode Warning fcopy: skipping /etc/alternatives/identify-im6, cannot find inode Warning fcopy: skipping /etc/alternatives/brave-browser, cannot find inode Warning fcopy: skipping /etc/alternatives/nc, cannot find inode Warning fcopy: skipping /etc/alternatives/signal-desktop, cannot find inode Warning fcopy: skipping /etc/alternatives/x-window-manager, cannot find inode Warning fcopy: skipping /etc/alternatives/ex, cannot find inode Warning fcopy: skipping /etc/alternatives/rlogin, cannot find inode Warning fcopy: skipping /etc/alternatives/gnome-text-editor, cannot find inode Warning fcopy: skipping /etc/alternatives/aclocal, cannot find inode Warning fcopy: skipping /etc/alternatives/x-terminal-emulator, cannot find inode Warning fcopy: skipping /etc/alternatives/view, cannot find inode Warning fcopy: skipping /etc/alternatives/rmt, cannot find inode Warning fcopy: skipping /etc/alternatives/lzma, cannot find inode Warning fcopy: skipping /etc/alternatives/ip6tables-save, cannot find inode Warning fcopy: skipping /etc/alternatives/x-www-browser, cannot find inode Warning fcopy: skipping /etc/alternatives/montage, cannot find inode Warning fcopy: skipping /etc/alternatives/c89, cannot find inode Warning fcopy: skipping /etc/alternatives/vim, cannot find inode Warning fcopy: skipping /etc/alternatives/lzegrep, cannot find inode Warning fcopy: skipping /etc/alternatives/netcat, cannot find inode Warning fcopy: skipping /etc/alternatives/ebtables, cannot find inode Warning fcopy: skipping /etc/alternatives/cpp, cannot find inode Warning fcopy: skipping /etc/alternatives/composite, cannot find inode Warning fcopy: skipping /etc/alternatives/ftp, cannot find inode Warning fcopy: skipping /etc/alternatives/animate, cannot find inode Warning fcopy: skipping /etc/alternatives/pinentry-x11, cannot find inode Warning fcopy: skipping /etc/alternatives/jsondiff, cannot find inode Warning fcopy: skipping /etc/alternatives/cssparse, cannot find inode Warning fcopy: skipping /etc/alternatives/mogrify-im6, cannot find inode Warning fcopy: skipping /etc/alternatives/vimdiff, cannot find inode Warning fcopy: skipping /etc/alternatives/convert-im6, cannot find inode Warning fcopy: skipping /etc/alternatives/ip6tables, cannot find inode Warning fcopy: skipping /etc/alternatives/stream-im6, cannot find inode Warning fcopy: skipping /etc/alternatives/lzless, cannot find inode Warning fcopy: skipping /etc/alternatives/stream, cannot find inode Warning fcopy: skipping /etc/alternatives/rsh, cannot find inode Warning fcopy: skipping /etc/alternatives/rvim, cannot find inode Warning fcopy: skipping /etc/alternatives/montage-im6, cannot find inode Warning fcopy: skipping /etc/alternatives/import-im6, cannot find inode Warning fcopy: skipping /etc/alternatives/telnet, cannot find inode Warning fcopy: skipping /etc/alternatives/write, cannot find inode Warning fcopy: skipping /etc/alternatives/iptables-save, cannot find inode Warning fcopy: skipping /etc/alternatives/bibtex, cannot find inode Warning fcopy: skipping /etc/alternatives/ip6tables-restore, cannot find inode Warning fcopy: skipping /etc/alternatives/iptables, cannot find inode Warning fcopy: skipping /etc/alternatives/pico, cannot find inode Warning fcopy: skipping /etc/alternatives/vi, cannot find inode Warning fcopy: skipping /etc/alternatives/csscapture, cannot find inode Warning fcopy: skipping /etc/alternatives/convert, cannot find inode Warning fcopy: skipping /etc/alternatives/gnome-www-browser, cannot find inode Warning fcopy: skipping /etc/alternatives/compare-im6, cannot find inode Warning fcopy: skipping /etc/alternatives/compare, cannot find inode Warning fcopy: skipping /etc/alternatives/xdvi.bin, cannot find inode Warning fcopy: skipping /etc/alternatives/lzgrep, cannot find inode Warning fcopy: skipping /etc/alternatives/display, cannot find inode Warning fcopy: skipping /etc/alternatives/pybabel, cannot find inode Warning fcopy: skipping /etc/alternatives/conjure-im6, cannot find inode Warning fcopy: skipping /etc/alternatives/iptables-restore, cannot find inode Warning fcopy: skipping /etc/alternatives/lzdiff, cannot find inode Warning fcopy: skipping /etc/alternatives/awk, cannot find inode Warning fcopy: skipping /etc/alternatives/lzfgrep, cannot find inode Warning fcopy: skipping /etc/alternatives/rview, cannot find inode Warning fcopy: skipping /etc/alternatives/unlzma, cannot find inode Warning fcopy: skipping /etc/alternatives/arptables, cannot find inode Warning fcopy: skipping /etc/alternatives/rcp, cannot find inode Warning fcopy: skipping /etc/alternatives/tabbed, cannot find inode Warning fcopy: skipping /etc/alternatives/infobrowser, cannot find inode Warning fcopy: skipping /etc/alternatives/editor, cannot find inode Warning fcopy: skipping /etc/alternatives/display-im6, cannot find inode Warning fcopy: skipping /etc/alternatives/import, cannot find inode Warning fcopy: skipping /etc/alternatives/pager, cannot find inode Warning fcopy: skipping /etc/alternatives/c99, cannot find inode Warning fcopy: skipping /etc/alternatives/nawk, cannot find inode Warning fcopy: skipping /etc/alternatives/identify, cannot find inode Warning fcopy: skipping /etc/alternatives/arptables-save, cannot find inode Warning fcopy: skipping /etc/alternatives/fakeroot, cannot find inode Warning fcopy: skipping /etc/alternatives/ebtables-save, cannot find inode Warning fcopy: skipping /etc/alternatives/lzmore, cannot find inode Warning fcopy: skipping /etc/alternatives/mt, cannot find inode Warning fcopy: skipping /etc/alternatives/www-browser, cannot find inode Warning fcopy: skipping /etc/alternatives/which, cannot find inode Warning fcopy: skipping /etc/alternatives/conjure, cannot find inode Warning: skipping crypto-policies for private /etc Warning: skipping password for private /etc Warning fcopy: skipping /etc/pulse/client.conf.d/01-enable-autospawn.conf, cannot find inode Private /etc installed in 32.99 ms Private /usr/etc installed in 0.00 ms Warning: cleaning all supplementary groups Warning: cleaning all supplementary groups Warning: not remounting /run/user/1000/doc Warning: cleaning all supplementary groups Child process initialized in 221.71 ms [1:1128/162926.824688:FATAL:proc_util.cc(97)] Check failed: . : Permission denied (13) Parent is shutting down, bye... ```

Output of LC_ALL=C firejail --debug /path/to/program

https://gist.github.com/imgurbot12/f54ba56ee1a2cb3bc2dc48122477fc37

Edit: I upgraded firejail using the apt-repository listed in the readme for a more recent version and got the same error.

ii  firejail                                  0.9.72-2~0ubuntu22.04.0                    amd64        sandbox to restrict the application environment
ii  firejail-profiles                         0.9.72-2~0ubuntu22.04.0                    all          profiles for the firejail application sandbox

Edit: I cloned master and did an install of 0.9.73 following the instructions on firejail.wordpress.com and received the same error.

kmk3 commented 11 months ago 
Child process initialized in 223.74 ms
[1:1128/162312.415736:FATAL:proc_util.cc(97)] Check failed: . : Permission denied (13)

Edit: I cloned master and did an install of 0.9.73 following the instructions on firejail.wordpress.com and received the same error.

The error message appears to come from discord itself and is unfortunately not very informative.

For debugging I'd suggest to stay on 0.9.73 and comment lines in discord.profile (and in the .profile files that it includes) until it works to try to narrow down which lines are causing issues.

rusty-snake commented 11 months ago

You removed the behavior w/o a profile from the template. What was the result?

imgurbot12 commented 11 months ago

You removed the behavior w/o a profile from the template. What was the result?

whoops. I mean to remove the actual/expected behavior since i felt that was pretty obvious lol, but that one was cut by accident. Sorry about that. Original comment was edited to include the result. Surprisingly the same error still occurs even without a profile.

imgurbot12 commented 11 months ago

@kmk3 I did try and play around with profiles a little bit with no success. I'm not much of an expert on how the whole profile config system works but half the time firejail claimed it couldn't find the binary after i had removed some include.

After a bit of tinkering I had commented out almost all of the actual discord portions of the profile and then it moves to electron so maybe this an electron related issue? I have no idea.

rusty-snake commented 11 months ago

Surprisingly the same error still occurs even without a profile.

What I feared. The very short error from discord had a hint towards processes and even with --noprofile a new pid-namespace is created. You can try with sudo unshare -p sudo -u $USER /usr/bin/discord. This unfortunately means there is no (easy) fix.

imgurbot12 commented 11 months ago

This unfortunately means there is no (easy) fix.

Ah, that's unfortunate. Running the command you recommended by itself and with firejail --noprofile in front of it does work. trying to run it with profile enabled gives a likely intended sudo permissions error Error: execute permission denied for /usr/bin/sudo

What's the process to fix something like this? You said it has to do with pid-namespaces. Is there a way for firejail to support that?

rusty-snake commented 11 months ago

What's the process to fix something like this? You said it has to do with pid-namespaces. Is there a way for firejail to support that?

If something requires a shared pid-namespace, there is currently no solution. However it also does not make really sense to fix it as a sandbox with a shared pid-namespace is very very weak. And only give you a false feeling of security IMHO.

Running the command you recommended by itself

Which could mean it could be something else than the pid-namespace? Maybe try with --profile=noprofile.

Error: execute permission denied for /usr/bin/sudo

Because it is blacklisted.

noblacklisting does not help as there might see be no root and nnp.

imgurbot12 commented 11 months ago

Which could mean it could be something else than the pid-namespace? Maybe try with --profile=noprofile.

Maybe I'm misunderstanding or I wasn't clear enough but that is what I did. Both sudo unshare -p sudo -u $USER /usr/bin/discord and firejail --noprofile sudo unshare -p sudo -u $USER /usr/bin/discord do work and discord boots up properly. firejail --profile=noprofile sudo unshare -p sudo -u $USER /usr/bin/discord also works.

...there is currently no solution. However it also does not make really sense to fix it as a sandbox with a shared pid-namespace is very very weak. And only give you a false feeling of security IMHO.

Wow, that sucks. I use firejail with discord because I don't really trust it as a program nor the company that operates it all that much, but its something I use to communicate with a lot of people. Does this mean the current design of discord essentially negates most of the value from putting it any sort of sandbox? So there's no way to secure it or lock it down?

rusty-snake commented 11 months ago

Can you try just firejail --profile=noprofile /usr/bin/discord

imgurbot12 commented 11 months ago

Can you try just firejail --profile=noprofile /usr/bin/discord

same error:

$ firejail --profile=noprofile /usr/bin/discord
firejail version 0.9.73

Parent pid 99593, child pid 99594
Base filesystem installed in 0.10 ms
Child process initialized in 9.55 ms
Warning: an existing sandbox was detected. /usr/bin/discord will run without any additional sandboxing features
[1:1129/112108.072421:FATAL:proc_util.cc(97)] Check failed: . : Permission denied (13)

Parent is shutting down, bye...
imgurbot12 commented 5 months ago

After an upgrade to the OS from ubuntu 22.04 to 24.04 this is magically fixed so I'm just closing the issue seeing no work is being done on this. Thanks