
Unable to start hexchat with firejail #3823

Closed
ibahnasy opened this issue Dec 15, 2020 · 21 comments

Comments

@ibahnasy

ibahnasy commented Dec 15, 2020

Distro: Arch Linux
Firejail: 0.9.64
Hexchat: 2.14.3

I can run hexchat with firejail using "--noprofile" only now, however it was working fine before.
Here is the log

$ firejail hexchat
Reading profile /etc/firejail/hexchat.profile
Reading profile /etc/firejail/allow-python2.inc
Reading profile /etc/firejail/allow-python3.inc
Reading profile /etc/firejail/allow-perl.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 31270, child pid 31271
65 programs installed in 58.35 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: not remounting /run/user/1000/gvfs
Warning: cleaning all supplementary groups
Blacklist violations are logged to syslog
Child process initialized in 187.76 ms

@rusty-snake
Collaborator

Works for me: Fedora 32, hexchat 2.14.3.

Are there any errors in the terminal or in the syslog?

@ibahnasy
Author

ibahnasy commented Dec 15, 2020

I'm not seeing any errors but when I try to launch it, the CPU fan spins so high and no more output logged in the terminal until I kill it.

@reinerh
Collaborator

reinerh commented Dec 15, 2020

Works here as well (HexChat 2.14.3, Firejail 0.9.64, Debian).

@rusty-snake
Collaborator

Anyway, if it works with --noprofile, one (or more) command in the profile (or its includes) causes this. Can you comment out the profile and then uncomment it line by line?
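The "comment everything, then uncomment line by line" procedure above is a linear search; a binary search over the profile's directives finds the culprit in log2(N) sandbox launches. The script below is an added helper written for this thread, not part of firejail, and it makes two assumptions: that the fully commented profile works (equivalent to --noprofile) while the complete profile fails, and that an `include` line counts as a single directive (to bisect inside an .inc file, run the script on that file). The predicate it ships with is a constructed offline stand-in; in practice you would replace it with one that launches `firejail --profile="$1" hexchat` and reports whether the client came up.

```shell
#!/bin/sh
# Added helper, not part of firejail: bisect a profile to find the first directive
# whose presence breaks the sandboxed program. Directives are the non-blank,
# non-comment lines; comments and blank lines are passed through untouched.

# Count the active directives in a profile.
active_count() {
  awk '/^[ \t]*(#|$)/ { next } { c++ } END { print c + 0 }' "$1"
}

# Print the n-th active directive of profile $1 (n = $2, 1-based).
nth_directive() {
  awk -v n="$2" '/^[ \t]*(#|$)/ { next } { c++; if (c == n) { print; exit } }' "$1"
}

# Write a copy of profile $1 to $3 in which only the first $2 directives stay
# active; every later directive is commented out with a "# BISECT " prefix.
profile_prefix() {
  awk -v n="$2" '
    /^[ \t]*(#|$)/ { print; next }
    { c++; if (c > n) print "# BISECT " $0; else print }
  ' "$1" > "$3"
}

# Binary search. $2 is a predicate (function or command) that receives a candidate
# profile path and exits 0 if the program works with it. Assumes the fully
# commented profile works and the full profile does not (monotonic failure).
# Prints the 1-based index of the first directive that breaks things.
bisect_profile() {
  prof=$1; pred=$2
  lo=0; hi=$(active_count "$prof")
  tmp=$(mktemp)
  while [ $((hi - lo)) -gt 1 ]; do
    mid=$(( (lo + hi) / 2 ))
    profile_prefix "$prof" "$mid" "$tmp"
    if "$pred" "$tmp"; then lo=$mid; else hi=$mid; fi
  done
  rm -f "$tmp"
  echo "$hi"
}

# Constructed stand-in predicate so the demo runs offline: the candidate "works"
# unless it still contains an active private-bin directive. Replace it with a
# predicate that actually launches firejail with the candidate profile.
no_active_private_bin() {
  awk '/^[ \t]*(#|$)/ { next } /^[ \t]*private-bin/ { found = 1 } END { exit found ? 1 : 0 }' "$1"
}

# Demo on a constructed sample profile; prints the offending directive.
demo() {
  p=$(mktemp)
  printf '%s\n' '# constructed sample profile' 'include disable-shell.inc' \
    'noblacklist ${HOME}/.config/hexchat' 'private-bin hexchat,python' 'private-dev' > "$p"
  n=$(bisect_profile "$p" no_active_private_bin)
  echo "directive $n: $(nth_directive "$p" "$n")"
  rm -f "$p"
}
```

Because each probe writes a fresh candidate file, the installed profile in /etc/firejail is never edited; point firejail at the candidate with --profile and keep the original as the ground truth for the final fix.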

@ibahnasy
Author

ibahnasy commented Dec 17, 2020

Commenting out "include disable-shell.inc" AND "private-bin hexchat,python" in /etc/firejail/hexchat.profile makes it work!

@rusty-snake
Collaborator

Depending on what shell is used, a hexchat.local like this should work.

noblacklist ${PATH}/sh
private-bin sh

Is /usr/bin/hexchat a shellscript?

@ibahnasy
Author

/usr/bin/hexchat: ELF 64-bit LSB pie executable

@reinerh
Collaborator

reinerh commented Dec 17, 2020

Is this also the one that is executed? Does which hexchat show the same path?

@rusty-snake
Collaborator

Better: which -a hexchat or where hexchat, as which hexchat will only show /usr/local/bin/hexchat (firecfg).

@ibahnasy
Author

$ which -a hexchat
/usr/bin/hexchat

@ibahnasy
Author

I want to add that there is a feature in hexchat, "Open link in browser", which didn't work before when using hexchat's firejail profile, but after disabling the above two options this feature works fine.

@rusty-snake
Collaborator

Because the sandbox can now start /usr/bin/firefox. Before with the private hexchat,python*, there was no /usr/bin/firefox in the sandbox.

Does my suggestion from above (noblacklist + private-bin) work? Note: you may need to add other shells like bash.

@ibahnasy
Author

ibahnasy commented Jan 4, 2021

With your suggestion hexchat doesn't start at all giving this error: "Error: no suitable hexchat executable found"

@rusty-snake
Collaborator

You need to undo your comments in hexchat.profile.

@ibahnasy
Author

ibahnasy commented Jan 4, 2021

Yes, I did that but it still throws that error.

@rusty-snake
Collaborator

Any progress here?

@rusty-snake
Collaborator

I'm closing here due to inactivity; please feel free to request to reopen if you still have this issue.

@ibahnasy
Author

I'm still having the same issue btw.

@rusty-snake rusty-snake reopened this May 16, 2021
@rusty-snake
Collaborator

Can you try

include allow-bin-sh.inc
private-bin sh
# or maybe 'private-bin bash,sh'?

if this does not help, what is the private-bin line generated by firejail --build hexchat?

@ibahnasy
Author

Your suggestion made it work.
BTW, firejail --build hexchat produces an empty private-bin line.

@rusty-snake
Collaborator

rusty-snake commented May 16, 2021

This is the same as #3823 (comment), but there I forgot that we blacklist sh and bash. If we now only noblacklist sh but bash is still blacklisted and sh is a symlink to bash, it cannot work.

Since hexchat needs /bin/sh under Arch (for whatever reason), we should allow it. Allowing sh weakens the profile less than dropping private-bin.
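The root cause stated above (sh is a symlink to bash, bash stays blacklisted, so a noblacklist for sh alone does nothing) is easy to check before writing a .local. The script below is an added example for this thread, not firejail's own logic: it walks the symlink chain of a binary and flags any hop whose basename appears in a given list of blacklisted names, as a simplified model of "the entry works only if nothing on its link chain is blacklisted". The demo builds a constructed fake bin directory rather than touching the real /usr/bin.

```shell
#!/bin/sh
# Added helper, not firejail's own logic: before pairing noblacklist with
# private-bin for a shell, list every symlink hop from the requested name to the
# real binary and flag hops that a blacklist (e.g. disable-shell.inc) still covers.

# Print the basename of $1 and of every symlink it passes through, one per line.
link_chain() {
  p=$1
  while :; do
    basename "$p"
    [ -L "$p" ] || break
    next=$(readlink "$p")
    case $next in
      /*) p=$next ;;                   # absolute link target
      *)  p=$(dirname "$p")/$next ;;   # relative link target, resolve next to the link
    esac
  done
}

# Return 0 if $1 is among the remaining arguments.
in_list() {
  needle=$1; shift
  for x in "$@"; do [ "$x" = "$needle" ] && return 0; done
  return 1
}

# Usage: private_bin_status <bindir> <name> [blacklisted basenames...]
# Simplified model: the entry is usable only if no hop of its link chain is
# blacklisted. Prints "<name>: ok" or "<name>: BLOCKED (<hop> is blacklisted)".
private_bin_status() {
  bindir=$1; name=$2; shift 2
  for hop in $(link_chain "$bindir/$name"); do
    if in_list "$hop" "$@"; then
      echo "$name: BLOCKED ($hop is blacklisted)"
      return 1
    fi
  done
  echo "$name: ok"
}

# Constructed demo: a fake bin dir where sh is a symlink to bash, as on Arch.
demo() {
  d=$(mktemp -d)
  : > "$d/bash"; ln -s bash "$d/sh"
  # The earlier suggestion: noblacklist sh only, bash stays blacklisted -> BLOCKED.
  private_bin_status "$d" sh bash || true
  # The working configuration: neither hop blacklisted -> ok.
  private_bin_status "$d" sh
  rm -rf "$d"
}
```

On a real system, `link_chain /usr/bin/sh` tells you which names the noblacklist line must cover (and which private-bin entries are really the same file), so the profile can be loosened by exactly the hops hexchat needs and nothing more.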

rusty-snake added a commit to rusty-snake/firejail that referenced this issue May 29, 2021