pigmonkey / firewarden

Open a file via the specified application within a private Firejail sandbox.
The Unlicense

Can't get it to work with waterfox-g3 #11

Closed neurodiverseEsoteric closed 3 years ago

neurodiverseEsoteric commented 3 years ago

/usr/bin/firewarden: line 196: $arg_length: substring expression < 0
Reading profile /etc/firejail/waterfox.profile
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: Warning: NVIDIA card detected, nogroups command disabled
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 143456, child pid 143457
Warning: skipping firewarden-2021-06-02T14:20:10-07:00 for private /opt
Private /opt installed in 0.08 ms
Warning: skipping firewarden-2021-06-02T14:20:10-07:00 for private /srv
Private /srv installed in 0.07 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Child process initialized in 179.63 ms
Error: no suitable waterfox executable found

Parent is shutting down, bye...

It also can't work with waterfox-g3 (command not found), and making a symlink didn't work either...

pigmonkey commented 3 years ago

It looks like it might be getting confused when it tries to check for a local file. How are you launching it?

neurodiverseEsoteric commented 3 years ago

Just with "firewarden waterfox" or "firewarden waterfox-g3" in Konsole

pigmonkey commented 3 years ago

I installed waterfox-g3 on my Arch system. It looks like it puts a bunch of stuff in /opt/waterfox-g3/. Firewarden tells Firejail to mount an empty tmpfs for /opt, so none of that stuff is available in the jail.

I added a -O option to disable the default behavior of creating a private /opt. Try it on the latest master now and see if that fixes it.

$ firewarden -O waterfox-g3

neurodiverseEsoteric commented 3 years ago

Ok, but how do I edit the pkgbuild to just grab the file?

neurodiverseEsoteric commented 3 years ago

Ok, I installed the script manually and "firewarden -O" is able to launch waterfox-g3 on Manjaro...

neurodiverseEsoteric commented 3 years ago

Although waterfox-g3 needs to be linked with the waterfox firejail profile, otherwise it launches with no network connection...

pigmonkey commented 3 years ago

I'll close this since the Firewarden issue is fixed.

If Firejail is not choosing the correct profile for your program, you should create a new profile named for the program that just sources the profile you want. A file at ~/.config/firejail/waterfox-g3.profile that contains the line include waterfox.profile is probably all you need. You can see how Firejail does the same thing with a profile like /etc/firejail/waterfox-current.profile.
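
The alias profile described in the last comment, as an added example that is not part of the original thread or of Firewarden: a shell helper (the name make_profile_alias is hypothetical) that writes the one-line include profile only when the profile to include exists and no profile for the program is already present. The optional directory arguments are assumptions added so the helper can be pointed at a scratch directory.

```shell
#!/bin/sh
# Hypothetical helper, not part of Firewarden or Firejail: create a user
# profile named after a program that only includes an existing profile.
# Usage: make_profile_alias PROGRAM TARGET [USER_DIR] [SYSTEM_DIR]
#   e.g. make_profile_alias waterfox-g3 waterfox
make_profile_alias() {
    program=$1
    target=$2
    user_dir=${3:-$HOME/.config/firejail}   # per-user profile directory
    system_dir=${4:-/etc/firejail}          # system-wide profile directory
    alias_file=$user_dir/$program.profile

    # Profile names are plain file names; reject empty names and paths.
    for name in "$program" "$target"; do
        case $name in
            ''|*/*) echo "invalid profile name: '$name'" >&2; return 2 ;;
        esac
    done

    # A profile that includes itself would never reach a real rule set.
    if [ "$program" = "$target" ]; then
        echo "$program.profile cannot include itself" >&2
        return 2
    fi

    # The included profile has to exist in one of the two directories.
    if [ ! -f "$user_dir/$target.profile" ] && [ ! -f "$system_dir/$target.profile" ]; then
        echo "no $target.profile in $user_dir or $system_dir" >&2
        return 1
    fi

    # Never overwrite a profile the user already maintains.
    if [ -e "$alias_file" ]; then
        echo "$alias_file already exists, leaving it untouched" >&2
        return 3
    fi

    mkdir -p "$user_dir" || return 1
    printf 'include %s.profile\n' "$target" > "$alias_file"
}
```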