netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

firefox: whitelisting in ${RUNUSER} breaks Wayland and portals #6317

Open omega3 opened 7 months ago

omega3 commented 7 months ago

Description

I want to run a local profile to be able to use the Plasma file picker on Wayland. I do have xdg-desktop-portal and xdg-desktop-portal-kde and xdg-desktop-portal-gtk installed.

It works well when I have just:

dbus-user.talk org.freedesktop.portal.Desktop
ignore noroot

But when I start adding other entries like whitelist ${RUNUSER}/pipewire-0 or whitelist ${RUNUSER}/kpxc_server, it produces an error:

firejail --profile=/home/user/jail/.config/firejail/firefox.local /usr/lib/firefox/firefox
Reading profile /home/user/jail/.config/firejail/firefox.local
Ignoring "dbus-user.talk org.freedesktop.portal.Desktop" and 1 other dbus-user filter rule.
Parent pid 41875, child pid 41876
Child process initialized in 12.04 ms
[7] Wayland Proxy [0x7fd9b0f79120] Error: CheckWaylandDisplay(): Failed to connect to Wayland display '/run/user/1000/wayland-0' error: No such file or folder
Authorization required, but no authorization protocol specified

Error: we don't have any display, WAYLAND_DISPLAY='wayland-0' DISPLAY=':1'

Parent is shutting down, bye...

So such a profile doesn't work:

dbus-user.talk org.freedesktop.portal.Desktop
ignore noroot

whitelist ${RUNUSER}/pipewire-0
dbus-user.talk org.freedesktop.portal.*
whitelist /usr/share/pipewire/client.conf

noblacklist ${HOME}/.cache/mozilla
noblacklist ${HOME}/.mozilla
noblacklist ${RUNUSER}/*firefox*

mkdir ${HOME}/.cache/mozilla/firefox
mkdir ${HOME}/.mozilla
whitelist ${HOME}/.cache/mozilla/firefox
whitelist ${HOME}/.mozilla

# firefox requires a shell to launch on Arch - add the next line to your firefox.local to enable private-bin.
private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which

When I set profile like this:

dbus-user.talk org.freedesktop.portal.Desktop
ignore noroot

#whitelist ${RUNUSER}/pipewire-0
dbus-user.talk org.freedesktop.portal.*
#whitelist /usr/share/pipewire/client.conf

noblacklist ${HOME}/.cache/mozilla
noblacklist ${HOME}/.mozilla
noblacklist ${RUNUSER}/*firefox*

mkdir ${HOME}/.cache/mozilla/firefox
mkdir ${HOME}/.mozilla
whitelist ${HOME}/.cache/mozilla/firefox
whitelist ${HOME}/.mozilla

it shows:

firejail --profile=/home/user/jail/.config/firejail/firefox.local /usr/lib/firefox/firefox
Reading profile /home/user/jail/.config/firejail/firefox.local
Ignoring "dbus-user.talk org.freedesktop.portal.Desktop" and 1 other dbus-user filter rule.
Parent pid 43306, child pid 43307
8 programs installed in 11.10 ms
Child process initialized in 19.95 ms
[Parent 15, Main Thread] WARNING: Server is missing xdg_foreign support: 'glib warning', file /usr/src/debug/firefox/firefox-125.0.1/toolkit/xre/nsSigHandlers.cpp:187

and it doesn't save files.

My about:config portals https://i.imgur.com/mQXlUP0.png

Environment

Operating System: Manjaro Linux
KDE Plasma Version: 5.27.11
KDE Frameworks Version: 5.115.0
Qt Version: 5.15.12
Kernel Version: 6.6.26-1-MANJARO (64-bit)
Graphics Platform: Wayland

firejail version 0.9.72 from the official repo. I wanted to install from git but I get errors.

Checklist


LC_ALL=C firejail --debug --profile=/home/user/jail/.config/firejail/firefox.local /usr/lib/firefox/firefox

Building quoted command line: '/usr/lib/firefox/firefox' 
Command name #firefox#
Using the local network stack
Building quoted command line: '/usr/lib/firefox/firefox' 
Command name #firefox#
Using the local network stack
Initializing child process
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
528 468 0:24 /@/etc /etc ro,noatime master:1 - btrfs /dev/sda1 rw,ssd,discard=async,space_cache=v2,autodefrag,subvolid=329,subvol=/@
mountid=528 fsname=/@/etc dir=/etc fstype=btrfs
Mounting noexec /etc
529 528 0:24 /@/etc /etc ro,nosuid,nodev,noexec,noatime master:1 - btrfs /dev/sda1 rw,ssd,discard=async,space_cache=v2,autodefrag,subvolid=329,subvol=/@
mountid=529 fsname=/@/etc dir=/etc fstype=btrfs
Mounting read-only /var
530 468 0:24 /@/var /var ro,noatime master:1 - btrfs /dev/sda1 rw,ssd,discard=async,space_cache=v2,autodefrag,subvolid=329,subvol=/@
mountid=530 fsname=/@/var dir=/var fstype=btrfs
Mounting noexec /var
531 530 0:24 /@/var /var ro,nosuid,nodev,noexec,noatime master:1 - btrfs /dev/sda1 rw,ssd,discard=async,space_cache=v2,autodefrag,subvolid=329,subvol=/@
mountid=531 fsname=/@/var dir=/var fstype=btrfs
Mounting read-only /usr
532 468 0:24 /@/usr /usr ro,noatime master:1 - btrfs /dev/sda1 rw,ssd,discard=async,space_cache=v2,autodefrag,subvolid=329,subvol=/@
mountid=532 fsname=/@/usr dir=/usr fstype=btrfs
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Cleaning /run/user directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /run/firejail/sandbox
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
blacklist /run/firejail/dbus
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /usr/lib/modules (requested /lib/modules)
Disable /boot
Disable /dev/port
Disable /run/user/1000/gnupg
Disable /run/user/1000/systemd
Disable /dev/kmsg
Disable /proc/kmsg
Disable /sys/fs
Disable /sys/module
Mounting noexec /run/firejail/mnt/pulse
573 525 0:62 /pulse /run/firejail/mnt/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755,inode64
mountid=573 fsname=/pulse dir=/run/firejail/mnt/pulse fstype=tmpfs
Mounting /run/firejail/mnt/pulse on /home/user/.config/pulse
574 539 0:62 /pulse /home/user/.config/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755,inode64
mountid=574 fsname=/pulse dir=/home/user/.config/pulse fstype=tmpfs
Current directory: /home/user
Mounting read-only /run/firejail/mnt/seccomp
578 525 0:62 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755,inode64
mountid=578 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs
Seccomp directory:
ls /run/firejail/mnt/seccomp
drwxr-xr-x root     root             120 .
drwxr-xr-x root     root             180 ..
-rw-r--r-- user   user           640 seccomp
-rw-r--r-- user   user           432 seccomp.32
-rw-r--r-- user   user             0 seccomp.postexec
-rw-r--r-- user   user             0 seccomp.postexec32
No active seccomp files
Drop privileges: pid 1, uid 1000, gid 1001, force_nogroups 0
Closing non-standard file descriptors
Starting application
LD_PRELOAD=(null)
execvp argument 0: /usr/lib/firefox/firefox

rusty-snake commented 7 months ago

include whitelist-runuser-common.inc

omega3 commented 7 months ago

firejail --profile=/home/user/jail/.config/firejail/firefox.local /usr/lib/firefox/firefox
Reading profile /home/user/jail/.config/firejail/firefox.local
Reading profile /etc/firejail/whitelist-runuser-common.inc
Ignoring "dbus-user.talk org.freedesktop.portal.Desktop" and 1 other dbus-user filter rule.
Parent pid 9145, child pid 9146
8 programs installed in 11.16 ms
Child process initialized in 24.17 ms
xkbcommon: ERROR: failed to add default include path /usr/share/X11/xkb
xkbcommon: ERROR: failed to add default include path /usr/share/X11/xkb
ExceptionHandler::GenerateDump cloned child 23
ExceptionHandler::SendContinueSignalToChild sent continue signal to child
ExceptionHandler::WaitForContinueSignal waiting for continue signal...
xkbcommon: ERROR: failed to add default include path /usr/share/X11/xkb
malloc_consolidate(): unaligned fastbin chunk detected

Parent is shutting down, bye...

I added /home/user/.config/portals.conf

[preferred]
default=kde
org.freedesktop.impl.portal.Settings=kde;gtk;

and /home/user/.local/share/xdg-desktop-portal/ with the same content but it doesn't help.
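
The two profile conditions visible in this thread's logs, as an added example that is not part of the original thread and is not firejail code: a small lint for a single profile file that flags a `whitelist ${RUNUSER}/...` entry leaving the Wayland socket out of the sandbox, and `dbus-user.talk`/`dbus-user.own` rules given without `dbus-user filter` (the `Ignoring "dbus-user.talk ..."` line). Assumptions: `lint_profile` and the finding codes are hypothetical names, includes are not followed, and `whitelist-runuser-common.inc` is taken to keep the Wayland socket visible, as the suggestion in the thread implies.

```python
import fnmatch

RUNUSER_COMMON = "whitelist-runuser-common.inc"  # include suggested in the thread

# Constructed sample: the failing firefox.local from the report, abbreviated.
FAILING = """\
dbus-user.talk org.freedesktop.portal.Desktop
ignore noroot
whitelist ${RUNUSER}/pipewire-0
dbus-user.talk org.freedesktop.portal.*
# whitelist ${RUNUSER}/kpxc_server
whitelist ${HOME}/.mozilla
"""


def lint_profile(text, wayland_display="wayland-0"):
    """Return finding codes for one profile file (includes are not followed)."""
    runuser, includes, dbus_rules, dbus_filter = [], set(), [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, _, arg = line.partition(" ")
        arg = arg.strip()
        if cmd == "whitelist" and arg.startswith("${RUNUSER}/"):
            runuser.append(arg[len("${RUNUSER}/"):])
        elif cmd == "include":
            includes.add(arg.rsplit("/", 1)[-1])
        elif cmd == "dbus-user" and arg == "filter":
            dbus_filter = True
        elif cmd in ("dbus-user.talk", "dbus-user.own"):
            dbus_rules.append(arg)

    findings = []
    # Any whitelist under ${RUNUSER} hides the rest of that directory, so the
    # Wayland socket must be whitelisted too (directly, by glob, or by include).
    socket_kept = RUNUSER_COMMON in includes or any(
        fnmatch.fnmatch(wayland_display, pat) for pat in runuser)
    if runuser and not socket_kept:
        findings.append("RUNUSER_WAYLAND")
    # talk/own rules only take effect together with "dbus-user filter";
    # without it firejail prints the 'Ignoring "dbus-user.talk ..."' line.
    if dbus_rules and not dbus_filter:
        findings.append("DBUS_RULES_IGNORED")
    return findings


if __name__ == "__main__":
    print(lint_profile(FAILING))
```

Pass the value of `WAYLAND_DISPLAY` as `wayland_display` when the session does not use `wayland-0`.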