safing / portmaster-packaging

Portmaster packages and installers
GNU General Public License v3.0

chmod chrome-sandbox: operation not permitted #62

Open northys opened 2 years ago

northys commented 2 years ago

What happened:

I just noticed a warning about chmod failing for chrome-sandbox while digging into a different issue. I'm not sure if it is actually a problem. It has been happening since 14. November. All paths I got by grepping logs start with /opt/safing, so I suppose that started after me switching from manual installation to the Fedora package.

211213 14:23:19.211 s/upgrader:074 ▶ WARN 061 updates: failed to handle electron upgrade: chmod /opt/safing/portmaster/updates/linux_amd64/app/portmaster-app_v0-2-2/chrome-sandbox: operation not permitted

What did you expect to happen?:

How did you reproduce it?:

Debug Information:

Version 0.7.11

```
Portmaster version 0.7.11
commit tags/v0.7.11-0-ge0c2a846278b9e6256a75da50e44b29f52b8e5e9
built with go1.15.8 (gc) linux/amd64
using options main.go
by user@docker
on 13.12.2021
Licensed under the AGPLv3 license.
The source code is available here: https://github.com/safing/portmaster
```

Platform: fedora 35

```
System: fedora linux (fedora) 35
Kernel: 5.15.6-200.fc35.x86_64 x86_64
```

Status: Trusted

```
ActiveSecurityLevel: Trusted
SelectedSecurityLevel: Off
ThreatMitigationLevel: Trusted
CaptivePortal:
OnlineStatus: Online
```

Resolvers: 5/5

```
Cloudflare dot://1.1.1.2:853#config Failing: false
Cloudflare dot://1.0.0.2:853#config Failing: false
1.1.1.1 dns://1.1.1.1:53#system Failing: false
8.8.8.8 dns://8.8.8.8:53#system Failing: false
8.8.4.4 dns://8.8.4.4:53#system Failing: false
```

No Module Error

Unexpected Logs

```
211213 14:23:19.211 s/upgrader:074 ▶ WARN 061 updates: failed to handle electron upgrade: chmod /opt/safing/portmaster/updates/linux_amd64/app/portmaster-app_v0-2-2/chrome-sandbox: operation not permitted
211213 14:23:42.468 CURRENT TIME
```
Goroutine Stack

dhaavi commented 2 years ago

Hey @northys, thanks for the report.

This is a fix for electron on older kernels that don't support unprivileged USERNS_CLONE.

You can find the details here: https://github.com/safing/portmaster/commit/9751a5244daa87f13310b12c189bedd7fbbcbb5f#diff-f839e53dfe3b32402a831af008948d464c0b056563b68230e8da21764df5a914R22-R55

This shouldn't fail though, but more, this shouldn't be executed as your kernel should have support for unprivileged USERNS_CLONE.

ppacher commented 2 years ago

Hi @northys, could you share the output of sysctl kernel.unprivileged_userns_clone ?

northys commented 2 years ago

```
» sysctl kernel.unprivileged_userns_clone
sysctl: cannot stat /proc/sys/kernel/unprivileged_userns_clone: No such file or directory
northys at northys-fedora in ~
» sudo sysctl kernel.unprivileged_userns_clone
[sudo] password for northys:
sysctl: cannot stat /proc/sys/kernel/unprivileged_userns_clone: No such file or directory
```

On Jan 25, 2022, 09:13 +0100, Patrick Pacher @.***>, wrote:

> Hi @northys, could you share the output of sysctl kernel.unprivileged_userns_clone ?

ppacher commented 2 years ago

Thanks for the output. Seems like there's no such file on your system. I just downloaded and installed a fedora locally to test that and I'm able to reproduce the issue. I will ping you once we have a proper patch available (we changed some stuff in the beta release channel but I fear that fix is incomplete).

ppacher commented 2 years ago

So it turns out there's just no easy way to reliably detect whether or not unprivileged user namespaces are enabled or not. Right now I see the following possibilities:

To sum up, I'm not sure trying to correctly detect that is worth the effort. Maybe we can just set the SUID bit by default on chrome-sandbox and provide a flag to disable that behavior in case somebody really wants to avoid having an SUID binary lying around. That would be the best choice for user experience. Security-wise, we could NOT set the SUID bit and rather try to inform the user that this needs to be done manually after an upgrade of electron. Though, communicating this is hard since the UI doesn't start and it might be hard to fix for less tech-savvy users.

My pitch would be to set the SUID bit and let users disable the behavior using a --disable-sandbox-suid flag.
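
The trade-off discussed in the comment above, as an added sketch that is not Portmaster's code: a conservative sysctl heuristic that treats a missing `kernel.unprivileged_userns_clone` (the Fedora case in this thread) as "no answer" rather than "disabled", and falls back to checking the setuid helper. The names `DetectUserns`, `HelperReady` and `Plan` are hypothetical, `user.max_user_namespaces` is consulted as a second source the thread does not mention, and the root-owned mode 4755 requirement is the one Chromium's setuid sandbox enforces.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
	"syscall"
)

// UsernsState is the outcome of the sysctl heuristic. It is a hint only:
// a seccomp filter or an LSM can still refuse CLONE_NEWUSER at runtime.
type UsernsState int

const (
	UsernsUnknown       UsernsState = iota // no sysctl gave an answer
	UsernsDisabled                         // a sysctl explicitly forbids it
	UsernsLikelyEnabled                    // a sysctl exists and none forbids it
)

// Outcomes returned by Plan (hypothetical wording).
const (
	PlanNamespace = "namespace sandbox: helper does not need SUID"
	PlanHelperOK  = "setuid sandbox: helper is root-owned with mode 4755"
	PlanFixHelper = "setuid sandbox: helper needs root ownership and mode 4755"
)

// readSysctl reads an integer from <procRoot>/sys/<name>.
// The bool is false when the file is missing or not a number.
func readSysctl(procRoot, name string) (int, bool) {
	raw, err := os.ReadFile(filepath.Join(procRoot, "sys", name))
	if err != nil {
		return 0, false
	}
	v, err := strconv.Atoi(strings.TrimSpace(string(raw)))
	return v, err == nil
}

// DetectUserns combines the distro-specific switch with the mainline limit.
func DetectUserns(procRoot string) UsernsState {
	clone, hasClone := readSysctl(procRoot, "kernel/unprivileged_userns_clone")
	maxNS, hasMax := readSysctl(procRoot, "user/max_user_namespaces")
	switch {
	case hasClone && clone == 0, hasMax && maxNS == 0:
		return UsernsDisabled
	case hasClone || hasMax:
		return UsernsLikelyEnabled
	default:
		return UsernsUnknown
	}
}

// HelperReady reports whether the sandbox helper is owned by root and has
// exactly mode 4755 (setuid bit plus rwxr-xr-x).
func HelperReady(path string) (bool, error) {
	fi, err := os.Stat(path)
	if err != nil {
		return false, err
	}
	st, ok := fi.Sys().(*syscall.Stat_t)
	if !ok {
		return false, fmt.Errorf("no ownership information for %s", path)
	}
	setuid := fi.Mode()&os.ModeSetuid != 0
	return st.Uid == 0 && setuid && fi.Mode().Perm() == 0o755, nil
}

// Plan only inspects the helper when the heuristic does not point to a
// working namespace sandbox; "unknown" is handled like "disabled".
func Plan(procRoot, helper string) (string, error) {
	if DetectUserns(procRoot) == UsernsLikelyEnabled {
		return PlanNamespace, nil
	}
	ready, err := HelperReady(helper)
	if err != nil {
		return "", err
	}
	if ready {
		return PlanHelperOK, nil
	}
	return PlanFixHelper, nil
}

func main() {
	helper := "chrome-sandbox" // placeholder; pass the real path as argv[1]
	if len(os.Args) > 1 {
		helper = os.Args[1]
	}
	plan, err := Plan("/proc", helper)
	if err != nil {
		fmt.Fprintln(os.Stderr, "check failed:", err)
		os.Exit(1)
	}
	fmt.Println(plan)
}
```

`Plan` only reports; changing ownership or mode of the helper needs root, which is a separate step for whatever installs or upgrades the binary.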

northys commented 2 years ago

Sorry for the late reply, I forgot about this issue. I actually don't understand the internals much and the log isn't bothering me since everything works. I just wanted to ask if everything is fine and whether I should care about the warning.

So it's up to you to figure out how to solve this issue. Someone would say to write it to doc but who reads the doc right? :D