chromium-privacy-browser crashed and won't launch under firejail #3633
chromium-privacy-browser has no profile, therefore firejail uses default.profile. You can try to use the chromium.profile ( |
Apologies for the delay in responding to you. I tried your suggestion and it launched Chromium but with this error: firejail --profile=chromium chromium-freeworld My apologies but I am out of my depth here as to the cause of this. Perhaps it is my distro? I am using Fedora 32. In addition, when I launched Chromium using its icon it does not respect firejail even though I already linked it. Any suggestions? My apologies for all this hassle. Thank you so much for your help. |
Is something broken or are there just error messages? What's your firejail version?
This is likely caused by an absolute path in its .desktop file. Copy it to your home and change the line Assuming it uses chromium-freeworld.desktop:
So no other config files needed. You can create
|
Does this profile work? If so I can commit it upstream, so the next release can firejail chromium-freeworld with firecfg. |
Thank you for the follow up. I really appreciate it. The version of firejail I am running is firejail.x86_64 0.9.62.4-1.fc32. Regarding the error message, the one I posted above is the only error message I got but even with that error message Firejail managed to run Chromium Freeworld and jail it. As to the steps you enumerated, I used it and I was able to run chromium-freeworld inside firejail when I type on my terminal "chromium-freeworld" but with this error message: chromium-freeworld Next, when I click my Chromium Freeworld icon it will launch but not inside firejail. I am using Cinnamon Desktop Environment. Sorry but anything else I should do at this point? I feel we are at a point that this thing will be solved except I am simply lost as to what else to do. Sorry. Thank you so much for the quick response and assistance. I really appreciate it. |
If nothing is broken, that's fine. The first three I saw often with chromium-based browsers. The last is about VA-API which is almost useless for Chrome+Linux AFAIK.
Did you try my suggestion above? |
Hi! I did this "cp /usr/share/applications/chromium-freeworld.desktop ~/.local/share/applications Did I miss anything? Thanks. |
Sum up: ~/.local/share/applications/chromium-freeworld.desktop does not contain /usr/bin/chromium-freeworld (or similar) and If this still does not respect firejail, I can't help because IDK how cinnamon's menu works. |
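The check discussed in the comments above (an absolute path in a .desktop file bypassing firejail), as an added example that is not part of the original thread or the firejail project. It assumes unquoted Exec= commands and that the firejail link is a symlink, earlier on PATH, to a binary named firejail; the function names and the sample .desktop content are constructed for illustration.

```shell
#!/bin/sh
# Added example (not firejail project code); function names are hypothetical.

# Print Exec= lines whose command is an absolute path. Such entries start
# the binary directly and never reach a firejail symlink earlier on PATH.
absolute_exec_lines() {
    grep -E '^Exec=/' "$1"
}

# Write a copy of .desktop file $1 into directory $2 with the directory part
# of every absolute Exec= command removed (unquoted commands only).
localize_desktop_file() {
    mkdir -p "$2" || return 1
    sed -E 's|^Exec=/([^ /]*/)*([^ /]+)|Exec=\2|' "$1" > "$2/$(basename "$1")"
}

# Succeed when the first match for command $1 on PATH is a symlink whose
# target is a binary named firejail (assumed link layout).
is_firejail_wrapped() {
    found=$(command -v "$1") || return 1
    [ -L "$found" ] || return 1
    [ "$(basename "$(readlink "$found")")" = firejail ]
}

# Demo on a constructed .desktop file (sample data, not a real system file).
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/chromium-freeworld.desktop" <<'EOF'
[Desktop Entry]
Name=Chromium Freeworld
Exec=/usr/bin/chromium-freeworld %U
Type=Application

[Desktop Action new-window]
Name=New Window
Exec=/usr/bin/chromium-freeworld --new-window
EOF
    absolute_exec_lines "$tmp/chromium-freeworld.desktop"
    localize_desktop_file "$tmp/chromium-freeworld.desktop" "$tmp/local"
    grep '^Exec=' "$tmp/local/chromium-freeworld.desktop"
    rm -rf "$tmp"
}
demo
```

Desktop Action groups carry their own Exec= lines, which is why the rewrite is applied to every matching line and not only the first.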
+ 516d081 has removed fundamental security features.
  (remove caps.drop=all, nonewprivs, noroot, seccomp, protocol; add caps.keep)
  Though this is only necessary if running under a kernel which disallows unprivileged userns clones. Arch's linux-hardened and debian kernel are patched accordingly. Arch's linux and linux-lts kernels support this restriction via sysctl (kernel.unprivileged_userns_clone=0) as users opt-in. Other kernels such as mainline or fedora/redhat always support unprivileged userns clone and have no sysctl parameter to disable it. Debian and Arch users can enable it with 'sysctl kernel.unprivileged_userns_clone=1'.
  This commit adds a chromium-common-hardened.inc which can be included in chromium-common to enhance security of chromium-based programs.
+ chromium-common.profile: add private-cache
+ chromium-common.profile: add wruc and wusc, but disable it for the following profiles until tested. tests welcome.
  - [ ] bnox, dnox, enox, inox, snox
  - [ ] brave
  - [ ] flashpeak-slimjet
  - [ ] google-chrome, google-chrome-beta, google-chrome-unstable
  - [ ] iridium
  - [ ] min
  - [ ] opera, opera-beta
+ move vivaldi-snapshot paths from vivaldi-snapshot.profile to vivaldi. /usr/bin/vivaldi is a symlink to /etc/alternatives/vivaldi which can be vivaldi-stable, vivaldi-beta or vivaldi-snapshot. vivaldi-snapshot.profile missed also some features from vivaldi.profile, solve this by making it redirect to vivaldi.profile. TODO: exist new paths such as .local/lib/vivaldi also for vivaldi-snapshot?
+ Move drm-relaktions in vivaldi.profile behind BROWSER_ALLOW_DRM. TODO: rethink this again
+ create chromium-browser-privacy.profile (closes netblue30#3633)

* rework chromium
+ 516d081 has removed fundamental security features.
  (remove caps.drop=all, nonewprivs, noroot, seccomp, protocol; add caps.keep)
  Though this is only necessary if running under a kernel which disallows unprivileged userns clones. Arch's linux-hardened and debian kernel are patched accordingly. Arch's linux and linux-lts kernels support this restriction via sysctl (kernel.unprivileged_userns_clone=0) as users opt-in. Other kernels such as mainline or fedora/redhat always support unprivileged userns clone and have no sysctl parameter to disable it. Debian and Arch users can enable it with 'sysctl kernel.unprivileged_userns_clone=1'.
  This commit adds a chromium-common-hardened.inc which can be included in chromium-common to enhance security of chromium-based programs.
+ chromium-common.profile: add private-cache
+ chromium-common.profile: add wruc and wusc, but disable it for the following profiles until tested. tests welcome.
  - [ ] bnox, dnox, enox, inox, snox
  - [ ] brave
  - [ ] flashpeak-slimjet
  - [ ] google-chrome, google-chrome-beta, google-chrome-unstable
  - [ ] iridium
  - [ ] min
  - [ ] opera, opera-beta
+ move vivaldi-snapshot paths from vivaldi-snapshot.profile to vivaldi. /usr/bin/vivaldi is a symlink to /etc/alternatives/vivaldi which can be vivaldi-stable, vivaldi-beta or vivaldi-snapshot. vivaldi-snapshot.profile missed also some features from vivaldi.profile, solve this by making it redirect to vivaldi.profile. TODO: exist new paths such as .local/lib/vivaldi also for vivaldi-snapshot?
+ create chromium-browser-privacy.profile (closes #3633)
* update 1
+ add missing 'ignore whitelist /usr/share/chromium'
+ revert 'Move drm-relaktions in vivaldi.profile behind BROWSER_ALLOW_DRM.'. This breaks not just DRM, it breaks things such as AAC too. In addition vivaldi shows a something is broken pop-up, we would have a lot of 'does not work with firejail' issues.
* update 2
* update 3 fixes #3709
I got this error when using firejail to run chromium-privacy-browser:
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
** Note: you can use --noprofile to disable default.profile **
Parent pid 144065, child pid 144066
Warning: cleaning all supplementary groups
Child process initialized in 33.87 ms
[3:3:0917/174043.946346:FATAL:zygote_host_impl_linux.cc(203)] Check failed: ReceiveFixedMessage(fds[0], kZygoteHelloMessage, sizeof(kZygoteHelloMessage), &real_pid).
#0 0x55e9a7d15829 base::debug::CollectStackTrace()
Received signal 6
#0 0x55e9a7d15829 base::debug::CollectStackTrace()
r8: 0000000000000000 r9: 00007ffdd7c67790 r10: 0000000000000008 r11: 0000000000000246
r12: 00007ffdd7c68a00 r13: 00007ffdd7c68a10 r14: 00000000000000a6 r15: 00007ffdd7c689f0
di: 0000000000000002 si: 00007ffdd7c67790 bp: 00007ffdd7c679e0 bx: 00007f690ac57240
dx: 0000000000000000 ax: 0000000000000000 cx: 00007f690e1a09e5 sp: 00007ffdd7c67790
ip: 00007f690e1a09e5 efl: 0000000000000246 cgf: 002b000000000033 erf: 0000000000000000
trp: 0000000000000000 msk: 0000000000000000 cr2: 0000000000000000
[end of stack trace]
Calling _exit(1). Core file will not be generated.
Parent is shutting down, bye...
I also get the same error when I use firejail to launch Chromium-freeworld.
Any idea on how to solve this?
Thanks