hashcat: failure with private-dev & private-bin

[schrotthaufen]

Description

The default profile for hashcat uses, private-bin, and private-dev, which break hashcat. I have a AMD RX 7900 XT GPU.

Steps to Reproduce

1. Run in bash LC_ALL=C firejail hashcat -b -m 1000

Expected behavior

hashcat starts working.

Actual behavior

• With private-bin hashcat: hashcat throws an error, and quits: /usr/local/bin/OpenCL/: No such file or directory
• With private-dev: hashcat throws an error, and quits: No devices found/left.

  Behavior without a profile

hashcat works as expected.

Additional context

I think /dev/kfd is required to make private-dev work, but if I pass --whitelist=/dev/kfd, the /dev/ directory is empty.

Environment

• Arch Linux, kernel 6.9.3-arch1-1
• firejail version 0.9.72 Compile time support:
  • always force nonewprivs support is disabled
  • AppArmor support is enabled
  • AppImage support is enabled
  • chroot support is enabled
  • D-BUS proxy support is enabled
  • file transfer support is enabled
  • firetunnel support is disabled
  • IDS support is disabled
  • networking support is enabled- output logging is enabled
  • overlayfs support is disabled
  • private-home support is enabled
  • private-cache and tmpfs as user enabled
  • SELinux support is disabled
  • user namespace support is enabled
  • X11 sandboxing support is enabled

Checklist

• [x] The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
• [x] I can reproduce the issue without custom modifications (e.g. globals.local).
• [x] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
• [x] The profile (and redirect profile if exists) hasn't already been fixed upstream.
• [x] I have performed a short search for similar issues (to avoid opening a duplicate).
  • [ ] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
• [ ] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

[rusty-snake]

Related: https://github.com/netblue30/firejail/issues/6148

[glitsj16]

Thanks for reporting. Sadly my current hardware is partly broken so I can't reliably test hashcat. I do have a few questions/remarks.

With private-bin hashcat: hashcat throws an error, and quits: /usr/local/bin/OpenCL/: No such file or directory

Do you have binaries installed under that /usr/local/bin/OpenCL/ path (or under /usr/bin)? Just asking because instead of dropping private-bin we might be able to keep that and add the needed binary name(s) to it.

After installing the hashcat package and running hashcat -h I noticed it creates only two directories under ${HOME}:

• ${HOME}/.cache/hashcat
• ${HOME}/.local/share/hashcat

The referenced ${HOME}/.hashcat does not exist on my box after running the app (unsandboxed). Do you have that dir on your Arch Linux machine? This isn't directly related to this issue IMO, but it would be nice to update the profile accordingly if we can check/confirm these discrepancies.

Regards

[schrotthaufen]

Do you have binaries installed under that /usr/local/bin/OpenCL/ path (or under /usr/bin)?

Hashcat is installed to /usr/bin/, but I have firejail symlinks in /usr/local/bin/ (generated with firecfg). When I run firejail /usr/bin/hashcat -b -m 1000, I only get the No devices found/left. error. Maybe the OpenCL path issue is because the sandboxed hashcat can´t find /usr/share/hashcat/OpenCL/, and so it tries to find it next to /usr/local/bin/hashcat.

The referenced ${HOME}/.hashcat does not exist on my box after running the app (unsandboxed). Do you have that dir on your Arch Linux machine?

Yes, this directory exists on my box, and contains the potfile, session data, etc. It seems ${HOME}/.local/share/hashcat is the new location for ${HOME}/.hashcat.

[glitsj16]

It seems ${HOME}/.local/share/hashcat is the new location for ${HOME}/.hashcat.

Thanks. We'll better keep that in then for backward-compatibility.