whitelist from local profile conflicts with Wayland and portals
omega3 opened this issue · comments
Description
I want to run local profile to be able to use Plasma file picker on Wayland.
I do have xdg-destop-portal and xdg-destop-portal-kde and xdg-destop-portal-gtk installed.
It works well when I have just:
dbus-user.talk org.freedesktop.portal.Desktop
ignore noroot
but when I start adding other entries like:
whitelist ${RUNUSER}/pipewire-0
or
whitelist ${RUNUSER}/kpxc_server
it produces error:
firejail --profile=/home/user/jail/.config/firejail/firefox.local /usr/lib/firefox/firefox
Reading profile /home/user/jail/.config/firejail/firefox.local
Ignoring "dbus-user.talk org.freedesktop.portal.Desktop" and 1 other dbus-user filter rule.
Parent pid 41875, child pid 41876
Child process initialized in 12.04 ms
[7] Wayland Proxy [0x7fd9b0f79120] Error: CheckWaylandDisplay(): Failed to connect to Wayland display '/run/user/1000/wayland-0' error: No such file or folder
Authorization required, but no authorization protocol specified
Error: we don't have any display, WAYLAND_DISPLAY='wayland-0' DISPLAY=':1'
Parent is shutting down, bye...
So such profile deosn't work:
dbus-user.talk org.freedesktop.portal.Desktop
ignore noroot
whitelist ${RUNUSER}/pipewire-0
dbus-user.talk org.freedesktop.portal.*
whitelist /usr/share/pipewire/client.conf
noblacklist ${HOME}/.cache/mozilla
noblacklist ${HOME}/.mozilla
noblacklist ${RUNUSER}/*firefox*
mkdir ${HOME}/.cache/mozilla/firefox
mkdir ${HOME}/.mozilla
whitelist ${HOME}/.cache/mozilla/firefox
whitelist ${HOME}/.mozilla
# firefox requires a shell to launch on Arch - add the next line to your firefox.local to enable private-bin.
private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which
When I set profile like this:
dbus-user.talk org.freedesktop.portal.Desktop
ignore noroot
#whitelist ${RUNUSER}/pipewire-0
dbus-user.talk org.freedesktop.portal.*
#whitelist /usr/share/pipewire/client.conf
noblacklist ${HOME}/.cache/mozilla
noblacklist ${HOME}/.mozilla
noblacklist ${RUNUSER}/*firefox*
mkdir ${HOME}/.cache/mozilla/firefox
mkdir ${HOME}/.mozilla
whitelist ${HOME}/.cache/mozilla/firefox
whitelist ${HOME}/.mozilla
it shows:
firejail --profile=/home/user/jail/.config/firejail/firefox.local /usr/lib/firefox/firefox
Reading profile /home/user/jail/.config/firejail/firefox.local
Ignoring "dbus-user.talk org.freedesktop.portal.Desktop" and 1 other dbus-user filter rule.
Parent pid 43306, child pid 43307
8 programs installed in 11.10 ms
Child process initialized in 19.95 ms
[Parent 15, Main Thread] WARNING: Server is missing xdg_foreign support: 'glib warning', file /usr/src/debug/firefox/firefox-125.0.1/toolkit/xre/nsSigHandlers.cpp:187
and it doesn't save files.
My about:config portals
https://i.imgur.com/mQXlUP0.png
Environment
Operating System: Manjaro Linux
KDE Plasma Version: 5.27.11
KDE Frameworks Version: 5.115.0
Qt Version: 5.15.12
Kernel Version: 6.6.26-1-MANJARO (64-bit)
Graphics Platform: Wayland
firejail version 0.9.72 from official repo
I wanted install from git but I get errors.
Checklist
- The issues is caused by firejail (i.e. running the program by path (e.g.
/usr/bin/vlc
) "fixes" it). - I can reproduce the issue without custom modifications (e.g. globals.local).
- The program has a profile. (If not, request one in
https://github.com/netblue30/firejail/issues/1139
) - The profile (and redirect profile if exists) hasn't already been fixed upstream.
- I have performed a short search for similar issues (to avoid opening a duplicate).
- I'm aware of
browser-allow-drm yes
/browser-disable-u2f no
infirejail.config
to allow DRM/U2F in browsers.
- I'm aware of
- I used
--profile=PROFILENAME
to set the right profile. (Only relevant for AppImages)
LC_ALL=C firejail --debug --profile=/home/user/jail/.config/firejail/firefox.local /usr/lib/firefox/firefox
Building quoted command line: '/usr/lib/firefox/firefox'
Command name #firefox#
Using the local network stack
Building quoted command line: '/usr/lib/firefox/firefox'
Command name #firefox#
Using the local network stack
Initializing child process
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
528 468 0:24 /@/etc /etc ro,noatime master:1 - btrfs /dev/sda1 rw,ssd,discard=async,space_cache=v2,autodefrag,subvolid=329,subvol=/@
mountid=528 fsname=/@/etc dir=/etc fstype=btrfs
Mounting noexec /etc
529 528 0:24 /@/etc /etc ro,nosuid,nodev,noexec,noatime master:1 - btrfs /dev/sda1 rw,ssd,discard=async,space_cache=v2,autodefrag,subvolid=329,subvol=/@
mountid=529 fsname=/@/etc dir=/etc fstype=btrfs
Mounting read-only /var
530 468 0:24 /@/var /var ro,noatime master:1 - btrfs /dev/sda1 rw,ssd,discard=async,space_cache=v2,autodefrag,subvolid=329,subvol=/@
mountid=530 fsname=/@/var dir=/var fstype=btrfs
Mounting noexec /var
531 530 0:24 /@/var /var ro,nosuid,nodev,noexec,noatime master:1 - btrfs /dev/sda1 rw,ssd,discard=async,space_cache=v2,autodefrag,subvolid=329,subvol=/@
mountid=531 fsname=/@/var dir=/var fstype=btrfs
Mounting read-only /usr
532 468 0:24 /@/usr /usr ro,noatime master:1 - btrfs /dev/sda1 rw,ssd,discard=async,space_cache=v2,autodefrag,subvolid=329,subvol=/@
mountid=532 fsname=/@/usr dir=/usr fstype=btrfs
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Cleaning /run/user directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /run/firejail/sandbox
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
blacklist /run/firejail/dbus
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /usr/lib/modules (requested /lib/modules)
Disable /boot
Disable /dev/port
Disable /run/user/1000/gnupg
Disable /run/user/1000/systemd
Disable /dev/kmsg
Disable /proc/kmsg
Disable /sys/fs
Disable /sys/module
Mounting noexec /run/firejail/mnt/pulse
573 525 0:62 /pulse /run/firejail/mnt/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755,inode64
mountid=573 fsname=/pulse dir=/run/firejail/mnt/pulse fstype=tmpfs
Mounting /run/firejail/mnt/pulse on /home/user/.config/pulse
574 539 0:62 /pulse /home/user/.config/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755,inode64
mountid=574 fsname=/pulse dir=/home/user/.config/pulse fstype=tmpfs
Current directory: /home/user
Mounting read-only /run/firejail/mnt/seccomp
578 525 0:62 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755,inode64
mountid=578 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs
Seccomp directory:
ls /run/firejail/mnt/seccomp
drwxr-xr-x root root 120 .
drwxr-xr-x root root 180 ..
-rw-r--r-- user user 640 seccomp
-rw-r--r-- user user 432 seccomp.32
-rw-r--r-- user user 0 seccomp.postexec
-rw-r--r-- user user 0 seccomp.postexec32
No active seccomp files
Drop privileges: pid 1, uid 1000, gid 1001, force_nogroups 0
Closing non-standard file descriptors
Starting application
LD_PRELOAD=(null)
execvp argument 0: /usr/lib/firefox/firefox
include whitelist-runuser-common.inc
firejail --profile=/home/user/jail/.config/firejail/firefox.local /usr/lib/firefox/firefox
Reading profile /home/user/jail/.config/firejail/firefox.local
Reading profile /etc/firejail/whitelist-runuser-common.inc
Ignoring "dbus-user.talk org.freedesktop.portal.Desktop" and 1 other dbus-user filter rule.
Parent pid 9145, child pid 9146
8 programs installed in 11.16 ms
Child process initialized in 24.17 ms
xkbcommon: ERROR: failed to add default include path /usr/share/X11/xkb
xkbcommon: ERROR: failed to add default include path /usr/share/X11/xkb
ExceptionHandler::GenerateDump cloned child 23
ExceptionHandler::SendContinueSignalToChild sent continue signal to child
ExceptionHandler::WaitForContinueSignal waiting for continue signal...
xkbcommon: ERROR: failed to add default include path /usr/share/X11/xkb
malloc_consolidate(): unaligned fastbin chunk detected
Parent is shutting down, bye...
I added /home/user/.config/portals.conf
[preferred]
default=kde
org.freedesktop.impl.portal.Settings=kde;gtk;
and
/home/user/.local/share/xdg-desktop-portal/
with the same content but it doesn't help.