netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

Tor Browser failed to start #6269

Open marek22k opened 3 months ago

marek22k commented 3 months ago

Description

I am on Arch Linux and have installed Tor via the "Tor Browser Launcher". When I start Tor without Firejail everything works, when I start Tor with Firejail an error message appears.

Steps to Reproduce

Steps to reproduce the behavior

  1. Install Arch Linux (Xfce4, linux-lts)
  2. Install Tor Browser via Tor Browser Launcher
  3. Start Tor
  4. Error message appears

Expected behavior

Tor Browser shows the error message:

Tor exited during startup. This might be due to an error in your torrc file, a bug in Tor or another program on your system, or faulty hardware. Until you fix the underlying problem and restart Tor, Tor Browser will not start.

Furthermore, it cannot connect to the network.

Actual behavior

No error message, successful connection to the tor network.

Behavior without a profile

_What changed calling LC_ALL=C firejail --noprofile /path/to/program in a terminal?_

Works

$ LC_ALL=C firejail --noprofile /usr/bin/torbrowser-launcher
Parent pid 77321, child pid 77322
Child process initialized in 5.63 ms
Tor Browser Launcher
By Micah Lee & Tor Project, licensed under MIT
version 0.3.7
https://gitlab.torproject.org/tpo/applications/torbrowser-launcher/
Launching Tor Browser.
Running /home/marek/.local/share/torbrowser/tbb/x86_64/tor-browser/start-tor-browser.desktop
Launching './Browser/start-tor-browser --detach'...

Parent is shutting down, bye...

Additional context

Screenshot: tor

Environment

Arch Linux

$ firejail --version
firejail version 0.9.72

Compile time support:
    - always force nonewprivs support is disabled
    - AppArmor support is enabled
    - AppImage support is enabled
    - chroot support is enabled
    - D-BUS proxy support is enabled
    - file transfer support is enabled
    - firetunnel support is disabled
    - IDS support is disabled
    - networking support is enabled
    - output logging is enabled
    - overlayfs support is disabled
    - private-home support is enabled
    - private-cache and tmpfs as user enabled
    - SELinux support is disabled
    - user namespace support is enabled
    - X11 sandboxing support is enabled

Log

Output of LC_ALL=C firejail /path/to/program

```
$ LC_ALL=C firejail /usr/bin/torbrowser-launcher
Reading profile /etc/firejail/torbrowser-launcher.profile
Reading profile /etc/firejail/allow-python2.inc
Reading profile /etc/firejail/allow-python3.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 78530, child pid 78531
79 programs installed in 117.92 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping asound.conf for private /etc
Warning: skipping crypto-policies for private /etc
Warning: skipping pki for private /etc
Private /etc installed in 38.72 ms
Private /usr/etc installed in 0.00 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Child process initialized in 242.48 ms
Tor Browser Launcher
By Micah Lee & Tor Project, licensed under MIT
version 0.3.7
https://gitlab.torproject.org/tpo/applications/torbrowser-launcher/
(python:99): dbind-WARNING **: 19:44:27.032: Couldn't connect to accessibility bus: Failed to connect to socket /run/user/1000/at-spi/bus_0: No such file or directory
Launching Tor Browser.
Running /home/marek/.local/share/torbrowser/tbb/x86_64/tor-browser/start-tor-browser.desktop
Launching './Browser/start-tor-browser --detach'...
Parent is shutting down, bye...
```

Output of LC_ALL=C firejail --debug /path/to/program

https://gist.github.com/marek22k/6de941d4f8d644e1ee4736007a8ea577

glitsj16 commented 3 months ago

Apparently Tor Browser 13.0.11 (based on Mozilla Firefox 115.8.0esr) changed a few things. The former versions installed under ${HOME}/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser and now under ${HOME}/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser. This affects our apparmor opt-in rule, although you don't seem to have that enabled AFAICT from your logs.

Can you try adding the below and report back please?

$ cat ~/.config/firejail/torbrowser-launcher.local
private-bin execdesktop

HTH

glitsj16 commented 3 months ago

UPDATE: note for people that do enable apparmor in a local override

https://github.com/netblue30/firejail/blob/c16f7a2902cfbae0c022edd795e155c5abde48c8/etc/apparmor/firejail-local#L27

Fixed rule:

owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser/Browser/** ix,

marek22k commented 3 months ago

Can you try adding the below and report back please?

Mhh, somehow it doesn't work for me. (Log: https://gist.github.com/marek22k/763449af038fefe103cf8c57259eada1)

This affects our apparmor opt-in rule, although you don't seem to have that enabled AFAICT from your logs.

As I understand it, AppArmor offers additional protection. How can I activate it?

glitsj16 commented 3 months ago

Mhh, somehow it doesn't work for me.

From a diff between the 0.9.72 versus the one in git master I notice we also added include whitelist-run-common.inc and seccomp.block-secondary. Any improvement when you also add those to torbrowser-launcher.local?

As I understand it, AppArmor offers additional protection. How can I activate it?

marek22k commented 3 months ago

From a diff between the 0.9.72 versus the one in git master I notice we also added include whitelist-run-common.inc and seccomp.block-secondary. Any improvement when you also add those to torbrowser-launcher.local?

Unfortunately not. Log: log.txt

AppArmor: Thanks for the links! I might have a look at that later.

kmk3 commented 3 months ago

From a diff between the 0.9.72 versus the one in git master I notice we also added include whitelist-run-common.inc and seccomp.block-secondary. Any improvement when you also add those to torbrowser-launcher.local?

Unfortunately not. Log: log.txt

Does it work with firejail-git?

I'd suggest commenting out lines in torbrowser-launcher.profile until you find which ones are causing issues.

johkra commented 3 months ago

The path on my installation is:

$HOME/.local/share/torbrowser/tbb/x86_64/tor-browser/start-tor-browser.desktop

The Browser path component in #owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser*/Browser/** ix, changed in #6270 makes the path not match.

Changing this to owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser*/** ix, worked for me.

glitsj16 commented 3 months ago

@johkra Thanks for reporting! I changed it in git accordingly.

powerjungle commented 3 months ago

Can you try adding the below and report back please?

$ cat ~/.config/firejail/torbrowser-launcher.local
private-bin execdesktop

@glitsj16 I tried this and I get: Warning: file execdesktop not found and it still didn't fix the tor browser error. I don't use the apparmor profile.

I also tried adding these three lines:

include disable-proc.inc
include whitelist-run-common.inc
seccomp.block-secondary

This did nothing as well.

I commented the whole firejail torbrowser-launcher profile and started uncommenting lines one by one. These lines need to remain commented for the error to disappear:

nonewprivs
protocol unix,inet,inet6
seccomp !chroot

glitsj16 commented 3 months ago

tried this and I get: Warning: file execdesktop not found and it still didn't fix the tor browser error. I don't use the apparmor profile.

Thanks for testing. Outside of the sandbox, do you have $HOME/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/execdesktop? it's a small bash script that checks the X-TorBrowser-ExecShell= line in $HOME/.local/share/torbrowser/tbb/x86_64/tor-browser/start-tor-browser.desktop. Just asking to stay on the same page. Your Tor Browser Launcher installation should have that file on disk.

I don't use the apparmor profile

Good to know.

These lines need to remain commented for the error to disappear:

nonewprivs
protocol unix,inet,inet6
seccomp !chroot

Hmmm, those are pretty vital parts of the sandbox. Personally I wouldn't use TB without those options. Still can't reproduce. I'd try putting aside the TB profile in $HOME/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/TorBrowser/Data and see if anything changes for the better...

powerjungle commented 3 months ago

Thanks for testing. Outside of the sandbox, do you have $HOME/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/execdesktop?

I do have it, but how is firejail supposed to find it? I'm assuming it finds the other binaries using PATH, but execdesktop isn't added to the env.

Hmmm, those are pretty vital parts of the sandbox.

Yeah I know, but I'm assuming the reason it fails with them is that the child requires some privileges which it doesn't get. I was looking at the tor profile, but couldn't find anything that seems to be causing it yet. I don't understand why protocol unix,inet,inet6 should interfere, but uncommenting it causes the error to appear even if the other 2 are commented.

Still can't reproduce.

Are you using the current master version of firejail? Maybe something other than the profiles got fixed.

glitsj16 commented 3 months ago

I do have it, but how is firejail supposed to find it? I'm assuming it finds the other binaries using PATH, but execdesktop isn't added to the env.

execdesktop is a helper script, part of what gets installed by torbrowser-launcher in your ${HOME}. It isn't in your PATH, but it is the shebang of $HOME/.local/share/torbrowser/tbb/x86_64/tor-browser/start-tor-browser.desktop:

$ head -n 1 $HOME/.local/share/torbrowser/tbb/x86_64/tor-browser/start-tor-browser.desktop
#!/usr/bin/env ./Browser/execdesktop

That's exactly why it now needs to be part of private-bin, where this issue all started :-)

Are you using the current master version of firejail? Maybe something other than the profiles got fixed.

Indeed I am, like most if not all collaborators here are. It's also why you were asked if it works with firejail-git.

Did you try that yet?
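As an added example (not code from firejail or from anyone in this thread), a small POSIX shell check for the situation glitsj16 describes: it reads the shebang of a launcher like start-tor-browser.desktop and verifies that the interpreter it names is listed in a private-bin line of the profile or its .local override. The sample launcher and profile files are constructed, and the private-bin contents in them are assumed rather than copied from the real torbrowser-launcher.profile.

```shell
#!/bin/sh
# Added example, not code from the firejail project or this thread.
# Given a .desktop launcher and one or more firejail profile files (the
# profile plus any .local override), report whether the interpreter named
# in the launcher's shebang is covered by a private-bin directive.
set -u

# Print the basename of the interpreter a launcher needs: for
# "#!/usr/bin/env ./Browser/execdesktop" that is "execdesktop".
shebang_interpreter() {
    line=$(head -n 1 "$1")
    case "$line" in '#!'*) ;; *) return 1 ;; esac
    set -- $(printf '%s\n' "$line" | sed 's/^#!//')
    case "$1" in
        */env) [ $# -ge 2 ] || return 1; printf '%s\n' "${2##*/}" ;;
        *) printf '%s\n' "${1##*/}" ;;
    esac
}

# Succeed if NAME is listed in any "private-bin a,b,c" line of the files.
# Firejail merges these lists, so the profile and its .local both count.
private_bin_has() {
    name=$1; shift
    cat "$@" | grep -E '^[[:space:]]*private-bin[[:space:]]' |
        sed 's/^[[:space:]]*private-bin[[:space:]]*//' | tr ',' '\n' |
        grep -qx -- "$name"
}

# check_launcher LAUNCHER PROFILE... -> "ok" or "missing: NAME"
check_launcher() {
    launcher=$1; shift
    name=$(shebang_interpreter "$launcher") || { echo "no shebang"; return 1; }
    if private_bin_has "$name" "$@"; then echo ok; else echo "missing: $name"; fi
}

# Constructed sample files standing in for the real ones from the thread;
# the private-bin lists here are assumed, not the real profile's contents.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf '#!/usr/bin/env ./Browser/execdesktop\n[Desktop Entry]\n' \
    > "$tmp/start-tor-browser.desktop"
printf 'private-bin bash,sh,python3,torbrowser-launcher\n' > "$tmp/torbrowser-launcher.profile"
printf 'private-bin execdesktop\n' > "$tmp/torbrowser-launcher.local"

check_launcher "$tmp/start-tor-browser.desktop" "$tmp/torbrowser-launcher.profile"  # missing: execdesktop
check_launcher "$tmp/start-tor-browser.desktop" "$tmp/torbrowser-launcher.profile" \
    "$tmp/torbrowser-launcher.local"                                                 # ok
```

Run it against your own start-tor-browser.desktop and /etc/firejail/torbrowser-launcher.profile plus ~/.config/firejail/torbrowser-launcher.local to confirm the override is actually picked up.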

glitsj16 commented 3 months ago

@powerjungle I just reverted to Firejail 0.9.72 to further test this. My TB is at version 13.0.13 (based on Mozilla Firefox 115.9.1esr), which is the latest available. It just works fine for me here with firejail, only needing the private-bin execdesktop that 0.9.72's torbrowser-launcher.profile is missing.

So I'm not any wiser as to what might be causing the issue at your end. Assuming you use firecfg I wonder what your start-tor-browser.desktop actually looks like. For testing, please put aside any torbrowser.local you might have and run the below:

$ firejail --profile=torbrowser-launcher ${HOME}/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/start-tor-browser

That bypasses the .desktop file and the extra execdesktop isn't needed in this case.

marek22k commented 1 month ago

Is there a workaround? The fix in https://github.com/glitsj16/firejail/commit/988e71de0999097ce7be3a3a97b0a2b831bbe7f9 does not solve the problem for me. (Maybe re-open the issue?) (Also same issue with firejail-git from AUR.)

glitsj16 commented 1 month ago

Is there a workaround? The fix in glitsj16@988e71d does not solve the problem for me. (Maybe re-open the issue?)

Reopening...

Any logs and/or context description to try to understand what's going wrong on your end?

marek22k commented 1 month ago

The same symptoms occur as before. firejail.log

And with firejail-git: firejail-git.log

glitsj16 commented 1 month ago

The same symptoms occur as before.

I've looked and re-looked, but, alas, I can't get a meaningful grip on your issue. Let's hope someone else can join in with a fresh pair of eyes and be more helpful.