Firefox DBus user socket was not found #3769
Reading from the other issue I found
This also seems to work for me
I have a directory called |
What files are in /run/user/1000/dbus-1? What's the output of |
nothing.
Note that I am running Gentoo Linux with OpenRC and not systemd. The distribution in the other bug #3689 is also using OpenRC. Could this be related? |
If that's not a socket, ignore the rest of this comment.
Sorry, I gave you the wrong format. The right one is
It is pretty sure the same reason. As both have Lines 36 to 37 in 3a3c100
|
I'm unsure how to use whitelist-runuser-common.inc
There is no existing sandbox running when I execute the firejail command. I verified this with |
There's no "DBus user socket was not found. No proxies specified" anymore, so it seems that firejail cannot find the DBus user socket and firefox gets "Connection refused". If
This happens because the first |
Did some testing in artix OpenRC (was the only OpenRC system I found with live desktop). /run/user/1000/dbus-1/services is a directory. |
Using the first one works. |
I've no knowledge of OpenRC and X11. I guess one of the X init/start scripts executes @kris7t can we do anything to make |
@rusty-snake We can change it to only emit a warning, but that's probably unsafe, because the sandboxed application still has access to the socket. A better fix would be to try and find the socket in the filesystem somehow. But I don't know how applications are supposed to find the socket (unless you eval This leaves the case where somebody legitimately wants to use firejail in an environment without an active session bus. This is quite tricky, but one solution would be to essentially |
I did some reading and found my simple approach of just having |
ok, IMHO it's then enough to improve the error message. |
I just updated my firejail configs, I am having this issue as well, I can't say I entirely understand the above comments.

Edit: hm, same issue with keepassxc, commenting out the dbus filter line fixed it

Edit 2: looks like changing filter to none (as seen in #3689) works on both keepassxc and firefox. Is this the ideal solution? On a side note, is there any way to stay up to date with the new firejail configs, but without them overwriting your original modifications? I have them in home .config, and it doesn't overwrite them, however I had to manually remove them and run sudo firecfg to get the new ones, or I would have never known they got updated. |
Summary: You need to ensure that
Using
strictly speaking: same issue with all profile containing
This is more secure than
Just create a
|
I added the second one to my xinit and it didn't work.
Is my xinit, I tried adding it at the top but it broke my sxhkd. |
I think your whole desktop should run in
your
into Although if you wanted to be fancy, I guess something like
would also work. |
I did the latter (EOF), it seems to have worked, I swapped the profiles back to filter and they launch. Also is there any chance you could provide an ELI5 explanation as to why the dbus commands were added to the configs, and how they're used? I'm not too familiar with dbus, however I haven't seen anyone else do this (dbus launch script), they generally just use xinitrc without a dbus-launch line either. It looks like dbus is rather important, which makes me wonder why things worked fine before (ignoring the lines being added to firejail configs, I mean my system itself didn't have issues without my desktop running in dbus): |
D-Bus is a great way to escape from a sandbox. That's why firejail 0.9.54 added the
Either you made a typo or dbus-launch added a socket to one of the hardcoded places. |
Another key point is that it's much better to run with a D-Bus server in your session (systemd user sessions start one anyways) than without, because then at least we know where the bus socket is. The point being, if a privileged application (say, a notification daemon) started up a D-Bus user daemon and it placed a socket in some random filesystem location or as a named socket, sandboxed applications could find that socket and potentially escape through it. So by ensuring that there's a user D-Bus daemon at all times, we know that we only need to control access to it, and not to some other random socket. Of course, privileged applications could just randomly decide to expose some IPC mechanism in a place that's not easily blocklistable for sandboxing, but that's relatively rarer, and such applications would arguably be broken in terms of security. But D-Bus is nearly ubiquitous for in-session IPC (especially in Gnome and KDE), so declaring any application that uses it broken is untenable. Note that accidentally starting a D-Bus daemon within a sandbox is much less dangerous, because we could only use it to break into a sandbox, not out of, and oftentimes the socket wouldn't even be visible outside the sandbox due to allowlisting. |
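The thread above (the "Summary: You need to ensure that ..." advice and the comment on why a session bus should always be running) boils down to one question a user on a non-systemd desktop can check before blaming a profile: is there a session bus address exported, and does the socket it names actually exist on the filesystem? The script below is an added diagnostic, not part of firejail or of any comment in this issue. It assumes the standard D-Bus address syntax (`unix:path=...`, `unix:abstract=...`) and, when no address is exported at all, the conventional systemd-style location `/run/user/<uid>/bus`; it does not know which locations firejail itself probes.

```shell
#!/bin/sh
# Added diagnostic (not firejail project code): report where the session bus
# socket is expected and whether a socket really exists there.
# Assumptions: D-Bus address syntax "unix:path=...", and the conventional
# per-user socket /run/user/<uid>/bus when DBUS_SESSION_BUS_ADDRESS is unset.

# Print the filesystem path named by a D-Bus address such as
# "unix:path=/run/user/1000/bus,guid=...". Returns 1 (prints nothing) for
# abstract sockets or non-unix transports, which have no path to inspect.
dbus_socket_path_from_address() {
    addr=$1
    case $addr in
        unix:*) ;;
        *) return 1 ;;
    esac
    rest=${addr#unix:}
    oldifs=$IFS
    IFS=,
    for kv in $rest; do
        case $kv in
            path=*)
                IFS=$oldifs
                printf '%s\n' "${kv#path=}"
                return 0
                ;;
        esac
    done
    IFS=$oldifs
    return 1
}

# Classify the session bus for a given address and uid. Prints one line:
#   ok <path>          a unix socket exists at the named path
#   missing <path>     the address names a path but nothing is there
#   no-address <path>  nothing exported; conventional location also checked
#   nonpath            abstract socket or other transport, cannot check a file
dbus_user_socket_status() {
    addr=$1
    uid=$2
    if [ -z "$addr" ]; then
        candidate="/run/user/$uid/bus"
        if [ -S "$candidate" ]; then
            printf 'ok %s\n' "$candidate"
        else
            printf 'no-address %s\n' "$candidate"
        fi
        return 0
    fi
    if path=$(dbus_socket_path_from_address "$addr"); then
        if [ -S "$path" ]; then
            printf 'ok %s\n' "$path"
        else
            printf 'missing %s\n' "$path"
        fi
    else
        printf 'nonpath\n'
    fi
    return 0
}

# Run against the current session when executed directly.
dbus_user_socket_status "${DBUS_SESSION_BUS_ADDRESS:-}" "$(id -u)"
```

If the result is `no-address` or `missing`, the desktop session was started without a session bus (the OpenRC/xinit case in this thread), and the fix belongs in the session startup, not in the application profile; `nonpath` means the bus is reachable but not as a filesystem socket, which a filesystem-based allowlist cannot mediate.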
Bug and expected behavior
Firefox does not start, instead it prints:
Firefox starting
No profile and disabling firejail
Firefox works just fine without firejail
Reproduce
Steps to reproduce the behavior:
firejail firefox
Environment
(lsb_release -a, screenfetch or cat /etc/os-release) Gentoo Linux, Kernel 5.9.9
firejail version 0.9.65
Compile time support:
- AppArmor support is disabled
- AppImage support is enabled
- chroot support is enabled
- D-BUS proxy support is enabled
- file and directory whitelisting support is enabled
- file transfer support is enabled
- firetunnel support is disabled
- networking support is enabled
- overlayfs support is enabled
- private-home support is enabled
- private-cache and tmpfs as user enabled
- SELinux support is disabled
- user namespace support is enabled
- X11 sandboxing support is enabled
Additional context
I think the issue started after my latest kernel upgrade, to 5.9.9 from 5.9.6.
debug output