Electron & Chromium

[rusty-snake]

There are serveral issues with the chromium sandbox (see below) which is also used in electron. If firejail breaks a electron-based program (or any other program internaly using chromium) and the problem can be fixed by adding seccomp !chroot to PROFILE.local, post here which program is affected. Note: If you are not using firejail lastet git, you must add the following to PROFILE.local to get the same effect:

ignore seccomp
seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice

If this doesn't work, but firejail --ignore=nonewprivs --ignore=noroot --ignore=protocol --ignore=seccomp --ignore=caps.drop --caps.keep=sys_admin,sys_chroot PROGRAM works, say it here. Otherwise open a new issue.

If none of the commands works, open a new issue.

---

Some issues about the chromium-sandbox:
#2933 - skypeforlinux 8.51.0.86 now requires SYS_ADMIN, SYS_CHROOT capabilities
#2912 - Skypeforlinux 8.51.0.72 crashes on startup since it's not permitted to use the chroot syscall
#2945 - Signal 1.27 Fails to Start
#2866 - new version of Slack Desktop (4.0) not working
#2854 - Standard notes not working
#2901 - [Teamspeak 3] crashes on opening options window if seccomp is enabled
#2821 - /usr/bin/riot-desktop: line 3: 8 Trace/breakpoint trap (core dumped) electron /usr/lib/riot/ "$@"
#2943 - firejail - Ubuntu 19.10 snap chromium incompatibility
#2944 - Firejail breaks Brave browser default sandboxing

Three new issues in 10 hours 😱 .

[daks]

Hi,

I again have a problem with slack after upgrading it to 4.1.1 on Debian 9.
I use firejail version from Debian, and created a slack.local with the private-etc tip from #2866

I tried to add to it the parameters indicated above, without change.

update not sure about the following, it may be because i use fish as a shell

I tried also the command firejail --ignore=nonewprivs --ignore=noroot --ignore=protocol --ignore=seccomp --ignore=caps.drop --caps.keep=sys_admin,sys_chroot slack without success.

[StarPicard]

Hi,

Visual Studio Code won't start up at all under Archlinux.

firejail version 0.9.60

Compile time support:
	- AppArmor support is enabled
	- AppImage support is enabled
	- chroot support is enabled
	- file and directory whitelisting support is enabled
	- file transfer support is enabled
	- networking support is enabled
	- overlayfs support is enabled
	- private-home support is enabled
	- seccomp-bpf support is enabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled

This is the output at startup:

Reading profile /etc/firejail/code.profile
Reading profile /etc/firejail/globals.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-passwdmgr.local
Reading profile /etc/firejail/disable-programs.inc
Parent pid 4538, child pid 4539
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Child process initialized in 56.81 ms

Tried both commands recommended at the top.

[rusty-snake]

@daks @StarPicard Can you guys open own issues for that. This issue is to catch the chromium sandbox on program update (I update the OP).

@StarPicard can you also post your globals.local.

[daks]

@rusty-snake done

[rusty-snake]

All AppImages with chromium/electron programs are broken because --appimage force caps.drop=all but sys_admin,sys_chroot are needed.

[cyrinux]

Hi, wire-desktop (electron6) got the problem.

[rusty-snake]

@cyrinux thx, can you confirm that this(27eb40b) works.

[cyrinux]

Hi @rusty-snake it works like this with electron6 bin too in my case (under archlinux)

[setpill]

Slack is broken, fixed when adding seccomp !chroot to ~/.config/firejail/slack.local

[tscolari]

I've added the fixes but slack (4.4.0) is still not working. It got rid of the errors but get stuck in the Creating Slack Application.

...
Child process initialized in 50.90 ms
Gtk-Message: 09:20:00.662: Failed to load module "unity-gtk-module"
Gtk-Message: 09:20:00.688: Failed to load module "unity-gtk-module"
Gtk-Message: 09:20:00.714: Failed to load module "unity-gtk-module"
Initializing local storage instance at path: /home/tiagohc/.config/Slack/local-settings.json

(slack:18): dconf-WARNING **: 09:20:00.807: Unable to open /var/lib/snapd/desktop/dconf/profile/user: Permission denied
Creating Slack Application

[rusty-snake]

How do you installed slack? snap isn't supported by firejail.

[tscolari]

How do you installed slack? snap isn't supported by firejail.

I've installed it from the .deb file, not the snap store :(

[rusty-snake]

Can you post your current profile.

[bbhtt]

I've added the fixes but slack (4.4.0) is still not working. It got rid of the errors but get stuck in the Creating Slack Application.

I don't know what the issue is with slack but this profile seems to work for me on Arch using the AUR slack-desktop package, the sign-in won't work because that is a redirect to firefox, so one time setup without firejail and subsequent sessions can be firejailed https://imgur.com/pWZjW6x

This is more hardened than in master.

https://termbin.com/688p