Chrome cannot get the timezone correctly breaking many websites #1950

nitrocode opened this issue May 20, 2018 · 20 comments
Labels
bug Something isn't working enhancement New feature request


@nitrocode

nitrocode commented May 20, 2018

My firejail command

firejail --dns=1.1.1.1 --dns=8.8.4.4 google-chrome-stable %U

If I open up DevTools and run

new Date().toLocaleTimeString()

This returns

VM42:1 Uncaught RangeError: Unsupported time zone specified undefined
at new DateTimeFormat (chrome:https://newtab/native)
at Date.toLocaleTimeString (chrome:https://newtab/native)
at :1:12

In order to set the timezone correctly so it does not break websites, I found this workaround.

firejail --dns=1.1.1.1 --dns=8.8.4.4 --env=TZ=America/Tijuana google-chrome-stable %U

Firefox doesn't seem to have this issue and I'm currently running firejail version 0.9.55

@SkewedZeppelin
Collaborator

SkewedZeppelin commented May 20, 2018

What distro are you running?
Is the output of ls -lha /etc/localtime your correct timezone?

@nitrocode
Author

@SkewedZeppelin running Ubuntu 16.04 Xenial.

My timezone is set correctly

$ ls -lha /etc/localtime
lrwxrwxrwx 1 root root 36 Jan  7 11:40 /etc/localtime -> /usr/share/zoneinfo/America/Tijuana

@SkewedZeppelin
Collaborator

Can you try commenting apparmor and nodbus in /etc/firejail/chromium-common.profile?

@chiraag-nataraj
Collaborator

@nitrocode Is this still an issue?

@nitrocode
Author

I haven't checked in a while but I'll check again by the end of the week.

@tofurky

tofurky commented Jan 20, 2019

Seeing the same thing when using private-etc in google-chrome.local using 0.9.56-1~0ubuntu18.10.0.

For some reason, specifying private-etc ...,localtime,... causes /etc/localtime to point at the wrong file (seen by joining chrome's namespace):

bash-4.4$ ls -l /etc/localtime 
lrwxrwxrwx 1 root root 30 Jan 20 04:34 /etc/localtime -> /usr/share/zoneinfo/posixrules

However, my actual filesystem has this:

matt@aquos:~$ ls -l /etc/localtime 
lrwxrwxrwx 1 root root 36 Jan  1 22:31 /etc/localtime -> /usr/share/zoneinfo/America/New_York

I poked around but I'm kind of stumped. Running with --debug shows:

...
sbox run: /usr/lib/x86_64-linux-gnu/firejail/fcopy /etc/hosts /run/firejail/mnt/etc (null) 
copying /etc/localtime to private /etc
sbox run: /usr/lib/x86_64-linux-gnu/firejail/fcopy /etc/localtime /run/firejail/mnt/etc (null) 
copying /etc/nsswitch.conf to private /etc
sbox run: /usr/lib/x86_64-linux-gnu/firejail/fcopy /etc/nsswitch.conf /run/firejail/mnt/etc (null) 
copying /etc/resolv.conf to private /etc
...

The only reference I saw to localtime was here:

else if (strncmp(new_name, "/etc/", 5) == 0) {
    entry->etc_dir = 1;
    etc_dir = 1;
    // special handling for some of the symlinks
    if (strcmp(new_name, "/etc/localtime") == 0);
    else if (strcmp(new_name, "/etc/mtab") == 0);
    else if (strcmp(new_name, "/etc/os-release") == 0);
    // both path and absolute path are under /etc
    else {
        if (strncmp(fname, "/etc/", 5) != 0) {
            free(fname);
            goto errexit;
        }
    }
}

As a workaround for the time being, removing localtime from private-etc and adding env TZ=America/New_York to google-chrome.local seems to fix it.

@tofurky

tofurky commented Jan 20, 2019

Seems that it might have to do with fcopy resolving the final file, rather than the intermediate symlink:

matt@aquos:~$ ls -l /etc/localtime 
lrwxrwxrwx 1 root root 36 Jan  1 22:31 /etc/localtime -> /usr/share/zoneinfo/America/New_York
matt@aquos:~$ ls -l /usr/share/zoneinfo/America/New_York
lrwxrwxrwx 1 root root 13 Jan  1 00:05 /usr/share/zoneinfo/America/New_York -> ../posixrules

If copy_link() is the function in question, I guess readlink() could be used there instead of realpath(), but that would be a major change in behavior:

firejail/src/fcopy/main.c

Lines 117 to 134 in 012dd9f

void copy_link(const char *target, const char *linkpath, mode_t mode, uid_t uid, gid_t gid) {
    (void) mode;
    (void) uid;
    (void) gid;
    // if the link is already there, don't create it
    struct stat s;
    if (stat(linkpath, &s) == 0)
        return;
    char *rp = realpath(target, NULL);
    if (rp) {
        if (symlink(rp, linkpath) == -1) {
            free(rp);
            goto errout;
        }
        free(rp);
    }
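
The difference between `readlink()` and `realpath()` on the two-level symlink chain shown in the comment above, as an added example that is not part of the thread and not firejail code. It assumes the consumer derives the zone name from the link target's path below the zoneinfo directory; `zone_name()` and `demo()` are hypothetical helpers and the directory tree is constructed under `/tmp`.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Zone name implied by where `link` points: the target path minus the
 * "<zoneinfo>/" prefix. resolve_all=1 uses realpath(), 0 uses readlink(). */
static int zone_name(const char *link, const char *zoneinfo, int resolve_all,
                     char *out, size_t outlen) {
    char target[PATH_MAX];
    if (resolve_all) {
        if (!realpath(link, target)) return -1;   /* follows the whole chain */
    } else {
        ssize_t len = readlink(link, target, sizeof(target) - 1);
        if (len < 0) return -1;
        target[len] = '\0';                       /* readlink() does not terminate */
    }
    size_t plen = strlen(zoneinfo);
    if (strncmp(target, zoneinfo, plen) != 0 || target[plen] != '/') return -1;
    snprintf(out, outlen, "%s", target + plen + 1);
    return 0;
}

/* Constructed tree (left under /tmp) mirroring the layout in the thread:
 *   localtime -> <root>/zoneinfo/America/New_York -> ../posixrules */
static int demo(int resolve_all, char *out, size_t outlen) {
    char tmpl[] = "/tmp/tzlinkXXXXXX", root[PATH_MAX];
    char zi[PATH_MAX + 16], p[PATH_MAX + 64], lt[PATH_MAX + 16];
    if (!mkdtemp(tmpl) || !realpath(tmpl, root)) return -1;
    snprintf(zi, sizeof zi, "%s/zoneinfo", root);
    snprintf(p, sizeof p, "%s/America", zi);
    if (mkdir(zi, 0700) || mkdir(p, 0700)) return -1;
    snprintf(p, sizeof p, "%s/posixrules", zi);
    FILE *f = fopen(p, "w");
    if (!f || fclose(f)) return -1;
    snprintf(p, sizeof p, "%s/America/New_York", zi);
    snprintf(lt, sizeof lt, "%s/localtime", root);
    if (symlink("../posixrules", p) || symlink(p, lt)) return -1;
    return zone_name(lt, zi, resolve_all, out, outlen);
}

int main(void) {
    char a[PATH_MAX], b[PATH_MAX];
    if (demo(0, a, sizeof a) || demo(1, b, sizeof b)) return 1;
    printf("readlink(): %s\nrealpath(): %s\n", a, b);
    return 0;
}
```

The one-level read keeps the intermediate link and yields `America/New_York`; the fully resolved path yields `posixrules`, matching the `/etc/localtime` target seen inside the sandbox.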

@chiraag-nataraj
Collaborator

Is this still an issue?

@tofurky

tofurky commented May 22, 2019

> Is this still an issue?

yes, and will continue to be until copy_link() includes all intermediate symlinks.

@chiraag-nataraj
Collaborator

The thing is that this doesn't seem to affect Firefox's ability to get the system time right (or any other program's, for that matter)...that's why this is so odd.

@tofurky

tofurky commented May 22, 2019

it might have to do with chrome's extra sandboxing, not sure.

@chiraag-nataraj
Collaborator

Does this profile work for you? I don't get the error you're getting.
~/.config/firejail/chromium.profile

ignore noroot
ignore seccomp
ignore seccomp.block-secondary
ignore nonewprivs
ignore caps.drop
ignore net
ignore memory-deny-write-execute
ignore private-dev
ignore nou2f

include ${HOME}/.config/firejail/common.inc

mkdir ${HOME}/.config/chromium

whitelist ${HOME}/.config/chromium
whitelist ${HOME}/.themes
whitelist ${HOME}/.config/gtk-3.0

whitelist ${DOWNLOADS}

# private-bin seems to only work with firejail /usr/lib/chromium/chromium on
# Debian... Kept it enabled since other platforms may be different
private-bin chromium,bash,readlink,dirname,cat,uname,mktemp,sed,man,grep,expr
private-etc fonts,alternatives,X11,pulse,resolv.conf,localtime,chromium.d

caps.keep sys_chroot,sys_admin
blacklist /usr/share/fonts/truetype/unifont

~/.config/firejail/common.inc

blacklist /usr/local/bin
blacklist /usr/local/sbin

blacklist /boot

private-tmp
read-only /tmp/.X11-unix
private-dev
disable-mnt
private-opt emp
private-srv emp

shell none
seccomp
seccomp.block-secondary
noroot
caps.drop all
apparmor
nonewprivs
ipc-namespace
machine-id
nodbus
nou2f
nogroups
net none
netfilter
memory-deny-write-execute

noexec ${HOME}
noexec /tmp
noexec ${RUNUSER}

I don't have google-chrome installed, but I can try that to see if chromium versus google-chrome makes a difference.

@tofurky

tofurky commented May 22, 2019

you can see what timezone the browser is using @ https://browserspy.dk/date.php

@chiraag-nataraj
Collaborator

chiraag-nataraj commented May 22, 2019

So it thinks I'm in GMT (come to think of it, I got the same result when I used the Date object in the Dev console...). I guess I never noticed this because I enabled fingerprinting resistance in Firefox, which also spoofs the timezone to GMT 😜

@chiraag-nataraj chiraag-nataraj added bug Something isn't working enhancement New feature request labels May 22, 2019
@Vincent43
Collaborator

@tofurky why is /usr/share/zoneinfo/America/New_York a symlink to posixrules on your system?

@chiraag-nataraj
Collaborator

chiraag-nataraj commented May 22, 2019

It is on mine as well @Vincent43. From exploring a bit, it seems that (I think) the chosen timezone file is symlinked to posixrules for some reason...

@Vincent43
Collaborator

Interesting. On Arch Linux I don't have such a symlink.

@chiraag-nataraj
Collaborator

Hmm, I see.

@tofurky

tofurky commented May 24, 2019

> @tofurky why /usr/share/zoneinfo/America/New_York is a symlink to posixrules on your system?

it's the standard way of doing it on debian/ubuntu, at least.

@dw-loewe

dw-loewe commented Mar 28, 2023

Had the same problem with firefox-esr (Debian 11; firejail version 0.9.72) with private-etc enabled in firefox.local and firefox-common.local; circumvented that with env TZ=<timezone> as mentioned by @tofurky
