Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Requesting rework of geekbench.profile #4576

Closed
5 of 7 tasks
ghost opened this issue Sep 23, 2021 · 42 comments
Closed
5 of 7 tasks

Requesting rework of geekbench.profile #4576

ghost opened this issue Sep 23, 2021 · 42 comments

Comments

@ghost
Copy link

ghost commented Sep 23, 2021

Description

Current profile for the crossplatform benchmarking utility Geekbench is not up-to-date and unusable.

Steps to Reproduce

  1. Install current geekbench version 5.
  2. Run firecfg
  3. Run geekbench

Expected behavior

Geekbench should run confined to its jail.

Actual behavior

Denies execution during firejail start up procedure.

Behavior without a profile

Geekbench begins executing as expected.

Additional context

Geekbench exists in different versions. The current version is 5.x

Environment

  • Linux distribution: Arch Linux
  • Firejail version firejail version 0.9.66

Checklist

  • The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • I can reproduce the issue without custom modifications (e.g. globals.local).
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • I have performed a short search for similar issues (to avoid opening a duplicate).
    • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Reading profile /etc/firejail/geekbench.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 1145925, child pid 1145930
Warning: skipping none for private /opt
Private /opt installed in 0.11 ms
Warning: invalid private-bin path /usr/bin/geekbench
Warning: invalid private-bin path /bin/geekbench
Warning: invalid private-bin path /usr/sbin/geekbench
Warning: invalid private-bin path /sbin/geekbench
5 programs installed in 9.01 ms
Standard C library installed in 2.31 ms
Error fldd: cannot access /usr/bin/firejail
Error: failed to run /run/firejail/lib/fldd, exiting...
Error: proc 1145925 cannot sync with peer: unexpected EOF
Peer 1145930 unexpectedly exited with status 1
@smitsohu
Copy link
Collaborator

Error fldd: cannot access /usr/bin/firejail
Error: failed to run /run/firejail/lib/fldd, exiting...

That's curious. Does firejail --noprofile --private-lib work?

If not, what does ls -l /usr/bin/firejail say?

@ghost
Copy link
Author

ghost commented Sep 23, 2021

firejail --noprofile --private-lib

Parent pid 1205021, child pid 1205022
Standard C library installed in 2.30 ms
Error fldd: cannot access /usr/bin/firejail
Error: failed to run /run/firejail/lib/fldd, exiting...
Error: proc 1205021 cannot sync with peer: unexpected EOF
Peer 1205022 unexpectedly exited with status 1

ls -l /usr/bin/firejail

-rwsr-x--- 1 root firejail 515440 Aug 21 06:22 /usr/bin/firejail

@smitsohu
Copy link
Collaborator

-rwsr-x--- 1 root firejail 515440 Aug 21 06:22 /usr/bin/firejail

Thanks! I think this is a bug. Probably the reason is that our helper fldd is not a member of the firejail group.

@ghost
Copy link
Author

ghost commented Sep 23, 2021

Great, if it gets solved in the end all is well. What is the estimated timeframe for a fix to get merged to master? Is there any kind of manual workaround that can be applied in the meantime?

@rusty-snake
Copy link
Collaborator

ignore private-lib

@ghost
Copy link
Author

ghost commented Sep 23, 2021

ignore private-lib

For now, of my programs, only geekbench is affected. What would be the ignore private-lib equivalent for the *.local file.

@rusty-snake
Copy link
Collaborator

rusty-snake commented Sep 23, 2021

echo "ignore private-lib" >> ~/.config/firejail/geekbench.local

This will affect all program if their profile contains private-lib as I understand.

@ghost
Copy link
Author

ghost commented Sep 23, 2021

Reading profile /etc/firejail/geekbench.profile
Reading profile /home/sapiens/.config/firejail/geekbench.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 1227730, child pid 1227731
Warning: skipping none for private /opt
Private /opt installed in 0.06 ms
Warning: invalid private-bin path /usr/bin/geekbench
Warning: invalid private-bin path /bin/geekbench
Warning: invalid private-bin path /usr/sbin/geekbench
Warning: invalid private-bin path /sbin/geekbench
5 programs installed in 9.59 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping alternatives for private /etc
Warning: skipping lsb-release for private /etc
Private /etc installed in 1.42 ms
Private /usr/etc installed in 0.00 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: not remounting /run/user/1000/gvfs
Blacklist violations are logged to syslog
Child process initialized in 75.81 ms
Error: no suitable /sbin/geekbench executable found

Parent is shutting down, bye...

The geekbench binary is located at /opt/geekbench/geekbench5

@rusty-snake
Copy link
Collaborator

rusty-snake commented Sep 23, 2021

noblacklist /sbin
noblacklist /usr/sbin

Does anyone know if private-bin bash,geekbenc*,sh is intended or is this a typo and should be geekbench* (with a "h")?

@ghost
Copy link
Author

ghost commented Sep 23, 2021

noblacklist /sbin
noblacklist /usr/sbin./

Error: no suitable /sbin/geekbench executable found

ls -al | grep geekbench
lrwxrwxrwx  1 root root           25 Sep 23 21:29 geekbench -> /opt/geekbench/geekbench5

@rusty-snake
Copy link
Collaborator

rusty-snake commented Sep 23, 2021

Warning: invalid private-bin path /usr/bin/geekbench
Warning: invalid private-bin path /bin/geekbench
Warning: invalid private-bin path /usr/sbin/geekbench
Warning: invalid private-bin path /sbin/geekbench

// If the absolute filename is indicated, directly use it. This
// is required for the following cases:
// - if user's $PATH order is not the same as the above
// paths[] variable order
if (!valid_full_path_file(fname)) {
fwarning("invalid private-bin path %s\n", fname);
return;
}

@rusty-snake
Copy link
Collaborator

Does firejail --profile=geekbench /opt/geekbench/geekbench5 work?

@ghost
Copy link
Author

ghost commented Sep 23, 2021

[sapiens]$ firejail --profile=geekbench /opt/geekbench/geekbench5
Reading profile geekbench
Error: line 1 in geekbench is invalid

@rusty-snake
Copy link
Collaborator

rusty-snake commented Sep 23, 2021

Do you have a geekbench file/dir in your cwd?

@glitsj16
Copy link
Collaborator

glitsj16 commented Sep 23, 2021

Our current geekbench.profile has private-opt none, which stops the symlink in /usr/bin to find /opt/geekbench/geekbench5. Have you tried private-opt geekbench yet?

@ghost
Copy link
Author

ghost commented Sep 23, 2021

Ups, yes, I was in /sbin.

[sapiens@pc ~]$ cat .config/firejail/geekbench.local 
ignore private-lib
noblacklist /sbin
noblacklist /usr/sbin
[sapiens@pc ~]$ firejail --profile=geekbench /opt/geekbench/geekbench5
Reading profile /etc/firejail/geekbench.profile
Reading profile /home/sapiens/.config/firejail/geekbench.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 1243215, child pid 1243216
Warning: skipping none for private /opt
Private /opt installed in 0.06 ms
Warning: invalid private-bin path /usr/bin/geekbench
Warning: invalid private-bin path /bin/geekbench
Warning: invalid private-bin path /usr/sbin/geekbench
Warning: invalid private-bin path /sbin/geekbench
5 programs installed in 9.41 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping alternatives for private /etc
Warning: skipping lsb-release for private /etc
Private /etc installed in 2.06 ms
Private /usr/etc installed in 0.00 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: not remounting /run/user/1000/gvfs
Blacklist violations are logged to syslog
Child process initialized in 77.10 ms
Error: no suitable /opt/geekbench/geekbench5 executable found

Parent is shutting down, bye...

@rusty-snake
Copy link
Collaborator

rusty-snake commented Sep 23, 2021

🤦 was to obvious

Either use private-opt geekbench or, if du -sc /opt/geekbench is more than a few MB, ignore private-opt.

EDIT: Did not saw @glitsj16 comment until now.

@ghost
Copy link
Author

ghost commented Sep 23, 2021

[sapiens@pc ~]$ du -hsc /opt/geekbench
95M	/opt/geekbench
95M	total

What should the geekbench.local look now?

[sapiens@pc ~]$ cat .config/firejail/geekbench.local 
ignore private-opt

Results in:

[sapiens@pc ~]$ geekbench
Reading profile /etc/firejail/geekbench.profile
Reading profile /home/sapiens/.config/firejail/geekbench.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 1258300, child pid 1258301
9 programs installed in 12.67 ms
Standard C library installed in 1.75 ms
Error fldd: cannot access /usr/bin/firejail
Error: failed to run /run/firejail/lib/fldd, exiting...
Error: proc 1258300 cannot sync with peer: unexpected EOF
Peer 1258301 unexpectedly exited with status 1

@rusty-snake
Copy link
Collaborator

rusty-snake commented Sep 23, 2021

What should the geekbench.local look now?

All 4 lines (2 noblacklist and 2 ignore).

@ghost
Copy link
Author

ghost commented Sep 23, 2021

[sapiens@pc ~]$ cat .config/firejail/geekbench.local 
ignore private-opt
ignore private-lib
noblacklist /sbin
noblacklist /usr/sbin
[sapiens@pc ~]$ geekbench
Reading profile /etc/firejail/geekbench.profile
Reading profile /home/sapiens/.config/firejail/geekbench.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 1264114, child pid 1264115
9 programs installed in 11.40 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping alternatives for private /etc
Warning: skipping lsb-release for private /etc
Private /etc installed in 1.45 ms
Private /usr/etc installed in 0.00 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: not remounting /run/user/1000/gvfs
Blacklist violations are logged to syslog
Child process initialized in 78.47 ms
Error: no suitable /sbin/geekbench executable found

Parent is shutting down, bye...

@rusty-snake
Copy link
Collaborator

And with firejail --profile=geekbench /opt/geekbench/geekbench5?

@ghost
Copy link
Author

ghost commented Sep 23, 2021

With firejail --profile=geekbench /opt/geekbench/geekbench5 geekbench starts!

@ghost
Copy link
Author

ghost commented Sep 23, 2021

ignore private-libwas for the issue with the helper.
But why does just geekbench not work if I have ignore private-opt and noblacklist /sbin?

@glitsj16
Copy link
Collaborator

Linux distribution: Arch Linux
[...]
ls -l /usr/bin/firejail
-rwsr-x--- 1 root firejail 515440 Aug 21 06:22 /usr/bin/firejail

Just out of curiosity, did you create the firejail group yourself? I'm on Arch Linux too and can't recall ever seeing that when installing firejail via pacman. Not that @smitsohu 's reasoning is in any way off regarding our fldd helper. But it might be confusing for other AL users when seeing this thread.

@ghost
Copy link
Author

ghost commented Sep 23, 2021

Just out of curiosity, did you create the firejail group yourself?

https://wiki.archlinux.org/title/Firejail#Hardening_Firejail
https://firejail.wordpress.com/documentation-2/basic-usage/#suid

@ghost
Copy link
Author

ghost commented Sep 25, 2021

I still have some questions.

  1. Why do I need firejail --profile=geekbench /opt/geekbench/geekbench5when I habe ignore private-opt and noblacklist /sbin
  2. What is the estimated timeframe for a fix to get merged to master?

smitsohu added a commit that referenced this issue Sep 25, 2021
users, and fldd in particular, might have no read permission
on the firejail executable, make that ok by running fldd
as root
@smitsohu
Copy link
Collaborator

There is a fix in master for the private-lib part, you can give it a try.

@rusty-snake
Copy link
Collaborator

  1. Why do I need firejail --profile=geekbench /opt/geekbench/geekbench5 when I habe ignore private-opt and noblacklist /sbin

That's what I want to findout first. My guess is private-bin, so try to ignore it.
What does firejail --profile=geekbench /proc/self/fd/3 /sbin 3</bin/ls show?

@ghost
Copy link
Author

ghost commented Sep 25, 2021

That's what I want to findout first. My guess is private-bin, so try to ignore it.

[sapiens@pc ~]$ cat .config/firejail/geekbench.local 
ignore private-opt
ignore private-bin
ignore private-lib
noblacklist /sbin
noblacklist /usr/sbin

With the above setting geekbench starts.

With the above settings, including ignore private-bin firejail --profile=geekbench /proc/self/fd/3 /sbin 3</bin/ls outbuts all binaries.

Without ignore private-bin:

[sapiens@pc ~]$ firejail --profile=geekbench /proc/self/fd/3 /sbin 3</bin/ls
Reading profile /etc/firejail/geekbench.profile
Reading profile /home/sapiens/.config/firejail/geekbench.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 58609, child pid 58610
9 programs installed in 14.10 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping alternatives for private /etc
Warning: skipping lsb-release for private /etc
Private /etc installed in 2.26 ms
Private /usr/etc installed in 0.00 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: not remounting /run/user/1000/gvfs
Blacklist violations are logged to syslog
Child process initialized in 81.38 ms
bash  firejail	geekbench  sh

Parent is shutting down, bye...

@ghost
Copy link
Author

ghost commented Sep 29, 2021

While we are on the topic, geekbench does not seem to have permissions to save the registration key if you have bought a licence.

[sapiens@pc ~]$ cat .config/firejail/geekbench.local
ignore private-opt
ignore private-bin
ignore private-lib
noblacklist /sbin
noblacklist /usr/sbin
[sapiens@pc ~]$ geekbench --unlock <redacted_email> <redacted_key>
Reading profile /etc/firejail/geekbench.profile
Reading profile /home/sapiens/.config/firejail/geekbench.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 79980, child pid 79981
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping alternatives for private /etc
Warning: skipping lsb-release for private /etc
Private /etc installed in 2.15 ms
Private /usr/etc installed in 0.00 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: not remounting /run/user/1000/gvfs
Blacklist violations are logged to syslog
Child process initialized in 121.88 ms
Geekbench 5.4.1 Tryout : https://www.geekbench.com/

Could not unlock Geekbench. There was a problem saving your license 
information. Contact support at [email protected] for more assistance.

Parent is shutting down, bye...

@rusty-snake
Copy link
Collaborator

rusty-snake commented Sep 29, 2021

Where and how does it store the license key? Does it need additional whitelists, libraries or D-Bus access?

edit: um, yes then it is clear what the problem is

edit2: adding read-write ${HOME}/.foo/bar/geekbench (together with mkdir) will not make it persistent without whitelist.

@ghost
Copy link
Author

ghost commented Sep 29, 2021

I have no idea where it is trying to save the key. How would I go about finding that out?

@rusty-snake
Copy link
Collaborator

# It is common practice to add files/dirs containing program-specific configuration
# (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc
# (keep list sorted) and then disable blacklisting below.
# One way to retrieve the files a program uses is:
# - launch binary with --private naming a sandbox
# `firejail --name=test --ignore=private-bin [--profile=PROFILE] --private BINARY`
# - work with the program, make some configuration changes and save them, open new documents,
# install plugins if they exists, etc.
# - join the sandbox with bash:
# `firejail --join=test bash`
# - look what has changed and use that information to populate blacklist and whitelist sections
# `ls -aR`

@ghost
Copy link
Author

ghost commented Sep 29, 2021

Geekbench without any additonal parameters will not try to save the licence and Geekbench called via:
firejail --name=test --profile=geekbench --private /opt/geekbench/geekbench5 --unlock [email protected] xxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx will immediately exit with the following message.

Reading profile /etc/firejail/geekbench.profile
Reading profile /home/sapiens/.config/firejail/geekbench.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 107204, child pid 107205
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping alternatives for private /etc
Warning: skipping lsb-release for private /etc
Private /etc installed in 1.97 ms
Private /usr/etc installed in 0.00 ms
Warning: not remounting /run/user/1000/gvfs
Warning: cleaning all supplementary groups
Blacklist violations are logged to syslog
Child process initialized in 111.70 ms
Geekbench 5.4.1 Tryout : https://www.geekbench.com/

Could not unlock Geekbench. There was a problem saving your license 
information. Contact support at [email protected] for more assistance.

Parent is shutting down, bye...

Geekbench is not an interactive program I can just leave running.

[sapiens@pc ~]$ sudo find / -name "geek*" -print
/etc/firejail/geekbench.profile
/usr/bin/geekbench
/usr/local/bin/geekbench
/var/lib/pacman/local/geekbench-5.4.1-1
/opt/geekbench
/opt/geekbench/geekbench5
/opt/geekbench/geekbench.plar
/opt/geekbench/geekbench_x86_64
/home/sapiens/.cache/yay/geekbench
/home/sapiens/.cache/yay/geekbench/geekbench-5.4.1-1-x86_64.pkg.tar.zst
/home/sapiens/.config/firejail/geekbench.local

I might just write the support.

@rusty-snake
Copy link
Collaborator

rusty-snake commented Sep 29, 2021

firejail --name=test --ignore=private-bin --profile=geekbench --private /bin/sh -c "/opt/geekbench/geekbench5 --unlock [email protected] xxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx && tree -a" (or && ls -lRa).

@ghost
Copy link
Author

ghost commented Sep 29, 2021

[sapiens@pc ~]$ firejail --name=test --profile=geekbench --private /bin/sh -c "/opt/geekbench/geekbench5 --unlock <redacted> <redacted> && ls -lRa"
Reading profile /etc/firejail/geekbench.profile
Reading profile /home/sapiens/.config/firejail/geekbench.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 128882, child pid 128883
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping alternatives for private /etc
Warning: skipping lsb-release for private /etc
Private /etc installed in 2.25 ms
Private /usr/etc installed in 0.00 ms
Warning: not remounting /run/user/1000/gvfs
Warning: cleaning all supplementary groups
Blacklist violations are logged to syslog
Child process initialized in 110.05 ms
Geekbench 5.4.1 Tryout : https://www.geekbench.com/

Could not unlock Geekbench. There was a problem saving your license 
information. Contact support at [email protected] for more assistance.

Parent is shutting down, bye...

I wrote the support, maybe they are willing to give us a shortcut to figuring this out.

@rusty-snake
Copy link
Collaborator

rusty-snake commented Sep 29, 2021

&& -> ;

firejail --name=test --ignore=private-bin --profile=geekbench --private /bin/sh -c "/opt/geekbench/geekbench5 --unlock [email protected] xxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx ; tree -a"

@ghost
Copy link
Author

ghost commented Sep 29, 2021

[sapiens@pc ~]$ firejail --name=test --ignore=private-bin --profile=geekbench --private /bin/sh -c "/opt/geekbench/geekbench5 --unlock <email> <key> ; tree -a"
Reading profile /etc/firejail/geekbench.profile
Reading profile /home/sapiens/.config/firejail/geekbench.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 135929, child pid 135930
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping alternatives for private /etc
Warning: skipping lsb-release for private /etc
Private /etc installed in 1.93 ms
Private /usr/etc installed in 0.00 ms
Warning: not remounting /run/user/1000/gvfs
Warning: cleaning all supplementary groups
Blacklist violations are logged to syslog
Child process initialized in 112.24 ms
Geekbench 5.4.1 Tryout : https://www.geekbench.com/

Could not unlock Geekbench. There was a problem saving your license 
information. Contact support at [email protected] for more assistance.
.
├── .bashrc
├── .config
│   └── dconf
└── .Xauthority

2 directories, 2 files


[sapiens@pc ~]$ firejail --name=test --ignore=private-bin --profile=geekbench --private /bin/sh -c "/opt/geekbench/geekbench5 --unlock <email> <key> ; ls -lRa"
Reading profile /etc/firejail/geekbench.profile
Reading profile /home/sapiens/.config/firejail/geekbench.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 133511, child pid 133512
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping alternatives for private /etc
Warning: skipping lsb-release for private /etc
Private /etc installed in 2.08 ms
Private /usr/etc installed in 0.00 ms
Warning: not remounting /run/user/1000/gvfs
Warning: cleaning all supplementary groups
Blacklist violations are logged to syslog
Child process initialized in 112.71 ms
Geekbench 5.4.1 Tryout : https://www.geekbench.com/

Could not unlock Geekbench. There was a problem saving your license 
information. Contact support at [email protected] for more assistance.
.:
total 4
drwx------ 3 sapiens sapiens 100 Sep 29 20:18 .
drwxr-xr-x 3 nobody  nobody   60 Sep 29 20:18 ..
-rw-r--r-- 1 sapiens sapiens 141 Sep 29 20:18 .bashrc
drwx------ 3 sapiens sapiens  60 Sep 29 20:18 .config
-rw------- 1 sapiens sapiens   0 Sep 29 20:18 .Xauthority

./.config:
total 0
drwx------ 3 sapiens sapiens  60 Sep 29 20:18 .
drwx------ 3 sapiens sapiens 100 Sep 29 20:18 ..
drwx------ 2 sapiens sapiens  40 Sep 29 20:18 dconf

./.config/dconf:
total 0
drwx------ 2 sapiens sapiens 40 Sep 29 20:18 .
drwx------ 3 sapiens sapiens 60 Sep 29 20:18 ..

Parent is shutting down, bye...

@rusty-snake
Copy link
Collaborator

It isn't a filesystem operation (most likely). I should know this sicen #4576 (comment).

  1. firejail --ignore=private-bin --ignore=read-only --profile=geekbench --private /bin/sh -c "/opt/geekbench/geekbench5 --unlock <email> <key> ; ls -lRa"
  2. (if 1 fails) firejail --ignore="dbus-user none" --profile=geekbench /opt/geekbench/geekbench5 --unlock <email> <key>
  3. (if 1 and 2 fail) firejail --noprofile --private /bin/sh -c "/opt/geekbench/geekbench5 --unlock <email> <key> ; ls -lRa"
  4. (if all fail) /opt/geekbench/geekbench5 --unlock <email> <key>

@ghost
Copy link
Author

ghost commented Sep 29, 2021

There it is! It's~/.geekbench5

[sapiens@pc ~]$ firejail --ignore=private-bin --ignore=read-only --profile=geekbench --private /bin/sh -c "/opt/geekbench/geekbench5 --unlock <email> <key> ; ls -lRa"
Reading profile /etc/firejail/geekbench.profile
Reading profile /home/sapiens/.config/firejail/geekbench.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 137724, child pid 137725
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping alternatives for private /etc
Warning: skipping lsb-release for private /etc
Private /etc installed in 1.75 ms
Private /usr/etc installed in 0.00 ms
Warning: not remounting /run/user/1000/gvfs
Warning: cleaning all supplementary groups
Blacklist violations are logged to syslog
Child process initialized in 106.31 ms
Geekbench 5.4.1 Tryout : https://www.geekbench.com/

Thank you for purchasing Geekbench! All the limitations of tryout mode have 
been removed. Thank you for your purchase, and we hope you enjoy using 
Geekbench 5.
.:
total 8
drwx------ 3 sapiens sapiens 120 Sep 29 20:27 .
drwxr-xr-x 3 nobody  nobody   60 Sep 29 20:27 ..
-rw-r--r-- 1 sapiens sapiens 141 Sep 29 20:27 .bashrc
drwx------ 3 sapiens sapiens  60 Sep 29 20:27 .config
-rw-r--r-- 1 sapiens sapiens 113 Sep 29 20:27 .geekbench5
-rw------- 1 sapiens sapiens   0 Sep 29 20:27 .Xauthority

./.config:
total 0
drwx------ 3 sapiens sapiens  60 Sep 29 20:27 .
drwx------ 3 sapiens sapiens 120 Sep 29 20:27 ..
drwx------ 2 sapiens sapiens  40 Sep 29 20:27 dconf

./.config/dconf:
total 0
drwx------ 2 sapiens sapiens 40 Sep 29 20:27 .
drwx------ 3 sapiens sapiens 60 Sep 29 20:27 ..

Parent is shutting down, bye...

@rusty-snake
Copy link
Collaborator

Can you try this. (note the read-write must come after the read-only therefore it does not work from a .local).

diff --git a/etc/profile-a-l/geekbench.profile b/etc/profile-a-l/geekbench.profile
index 60f2f338..4812e136 100644
--- a/etc/profile-a-l/geekbench.profile
+++ b/etc/profile-a-l/geekbench.profile
@@ -6,6 +6,10 @@ include geekbench.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.geekbench5
+noblacklist /sbin
+noblacklist /usr/sbin
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -13,6 +17,8 @@ include disable-interpreters.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.geekbench5
+whitelist ${HOME}/.geekbench5
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -39,16 +45,14 @@ shell none
 tracelog
 
 disable-mnt
-private-bin bash,geekbenc*,sh
+#private-bin bash,geekbench*,sh -- #4576
 private-cache
 private-dev
 private-etc alternatives,group,ld.so.preload,lsb-release,passwd
-private-lib gcc/*/*/libstdc++.so.*
-private-opt none
 private-tmp
 
 dbus-user none
 dbus-system none
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
 read-only ${HOME}
+read-write ${HOME}/.geekbench5

@ghost
Copy link
Author

ghost commented Sep 29, 2021

I needed to modify the patch a little, since it seems the ld.so.preload part hasn't reached Arch, yet! Also profiles are stored in /etc/firejail/* for me on Arch!

diff --git a/etc/firejail/geekbench.profile b/etc/firejail/geekbench.profile
index 60f2f338..4812e136 100644
--- a/etc/firejail/geekbench.profile
+++ b/etc/firejail/geekbench.profile
@@ -6,6 +6,10 @@ include geekbench.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.geekbench5
+noblacklist /sbin
+noblacklist /usr/sbin
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -13,6 +17,8 @@ include disable-interpreters.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.geekbench5
+whitelist ${HOME}/.geekbench5
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -39,16 +45,14 @@ shell none
 tracelog
 
 disable-mnt
-private-bin bash,geekbenc*,sh
+#private-bin bash,geekbench*,sh -- #4576
 private-cache
 private-dev
-private-etc alternatives,group,lsb-release,passwd
+private-etc alternatives,group,ld.so.preload,lsb-release,passwd
-private-lib gcc/*/*/libstdc++.so.*
-private-opt none
 private-tmp
 
 dbus-user none
 dbus-system none
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
 read-only ${HOME}
+read-write ${HOME}/.geekbench5

Now geekbench runs smoothly!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants