Author Topic: Firejail - Pepp 8 issues - SOLVED (Further Updated)  (Read 1276 times)

Offline Bigoeuf
  • Member, Posts: 170, Karma: 12
  • Peppermint version(s): 8 & 7 (64bit)
Firejail - Pepp 8 issues - SOLVED (Further Updated)
« on: April 14, 2018, 06:55:34 am »
Good morning All
I've been having a little problem getting Firejail to work with the Pepp 8 respin.
I have installed the latest version of Firejail (version 0.9.52) directly from:

        https://sourceforge.net/projects/firejail/files/firejail/
& have configured it as recommended to integrate Firejail with my desktop environment:

Code:
$ sudo firecfg
which creates shortcuts for applications in /usr/local/bin:

   
Quote:
'Clicking on desktop manager icons and menus will sandbox the application automatically. We support Cinnamon, KDE, LXDE/LXQT, MATE and XFCE desktop managers, and partially Gnome 3 and Unity. This part works well across all Linux distributions.
    Clicking on files in your file manager will open the file in a sandboxed application. It works fine in newer Linux distributions like Debian “stretch”, Ubuntu 17.04, Arch, Gentoo.'

Problems:

Dropbox:
The nemo-dropbox package installs the .dropbox-dist folder in the /var/lib/dropbox directory, which prevents Dropbox launching under Firejail.
If I remove the dropbox shortcut created in /usr/local/bin by:

Code:
$ sudo firecfg

then dropbox works normally (but obviously not under Firejail).

However, in Pepp 7 the nemo-dropbox package installs the .dropbox-dist folder in the home directory & it works fine under Firejail configured to integrate with my desktop environment with:

Code:
$ sudo firecfg

So - initially I uninstalled the nemo-dropbox package:

    https://www.dropbox.com/help/desktop-web/uninstall-dropbox

Code:
dropbox stop
dropbox status  # Should report "not running"
rm -rf ~/.dropbox-dist
rm -rf /var/lib/dropbox
rm -rf ~/.dropbox*
sudo apt-get remove nemo-dropbox
sudo apt-get remove dropbox
rm /etc/apt/source.d/dropbox
(The last 2 commands resulted in no action)

Then I downloaded the dropbox.deb package directly from Dropbox.com:

https://www.dropbox.com/install

It installed (with the .dropbox-dist folder in the home directory) & worked fine as per Pepp 7 above, but it doesn't fully integrate with nemo, i.e. there are no additional folder/file indicator icons to show synced/syncing. So I uninstalled this dropbox package (as above) &, rightly or wrongly, because it's for Pepp 7 & not 8, I downloaded the nemo-dropbox 2.2.1+peppermint package & installed it. I don't really know the ramifications, if any, (although from what I see it is of a very similar vintage & size to the nemo-dropbox 2.2.0-0~webupd8~xenial0 version installed with Pepp 8) & all seems to be working fine as per the Pepp 7 installation. Is there going to be a problem with this?

Firefox:
I've replaced Chromium with Firefox, 'cos I like it better, but it doesn't launch at all under Firejail configured to integrate with my desktop environment with

Code:
$ sudo firecfg

If I launch in the terminal:

   
Code:
$ firefox

I get:
Code:
~ $ firefox
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 2238, child pid 2239
Blacklist violations are logged to syslog
Child process initialized in 58.84 ms
Error: no suitable /usr/sbin/firefox executable found

Parent is shutting down, bye...

/usr/sbin/firefox is an executable script forcing a light theme on firefox, created by peppermint-firefox-themer:
Code:
#!/bin/sh

env GTK_THEME=Peppermix-Light-7-Red /usr/bin/firefox "$@"

So, as seen above, Firejail does not recognise /usr/sbin/firefox as a suitable executable. If I remove/rename /usr/sbin/firefox then firefox launches under firejail, but it launches with the system-wide dark theme that is set up, & the script above (/usr/sbin/firefox) is no longer in the PATH. I can & have created firefox.desktop file(s) in ~/.local/share/applications/:
Code:
[Desktop Entry]
Type=Application
Name=Firefox - Sandbox
GenericName=firefox-sandbox
Exec=env GTK_THEME=Peppermix-Light-7 firejail firefox
Categories=Network
Icon=firefox-aurora.svg
Terminal=false

So I can then launch firefox under Firejail with the light theme from the desktop, but this won't launch firefox under Firejail with the light theme as a global instance, i.e. launched from a hyperlink in a script or another app - so can anyone suggest a solution?


« Last Edit: May 02, 2018, 08:43:14 pm by Bigoeuf »

Offline PCNetSpec
  • Administrator, Posts: 26276, Karma: 2855
  • "-rw-rw-rw-" .. The Number Of The Beast
  • Peppermint version(s): Peppermint 10
Re: Firejail - Pepp 8 issues
« Reply #1 on: April 14, 2018, 12:40:16 pm »
The firefox issue is that all files in /usr/sbin are blacklisted by firejail by default

maybe moving that script to /usr/bin and renaming it /usr/bin/ff-with-light-theme would work ?

what happens if you run:
Code:
sudo cp /usr/sbin/firefox /usr/bin/ff-with-light-theme
then
Code:
firejail ff-with-light-theme
if that doesn't work, I guess you'd just have to remove the blacklist for /usr/sbin .. I can tell you how to do this if you want?



As long as it works, the older Dropbox installer should be fine.
« Last Edit: April 14, 2018, 12:44:36 pm by PCNetSpec »
WARNING: You are logged into reality as 'root' .. logging in as 'insane' is the only safe option.

Team Peppermint
PCNetSpec

Offline Bigoeuf
Re: Firejail - Pepp 8 issues
« Reply #2 on: April 15, 2018, 12:40:13 pm »
Afternoon All

Cheers for the response Mark

Quote:
Code:
sudo cp /usr/sbin/firefox /usr/bin/ff-with-light-theme
then
Code:
firejail ff-with-light-theme

So:

Code:
~ $ sudo cp /usr/sbin/firefox /usr/bin/ff-with-light-theme

then

Code:
~ $ firejail ff-with-light-theme
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc

** Note: you can use --noprofile to disable default.profile **

Parent pid 3709, child pid 3710
Child process initialized in 46.37 ms
Error: Access was denied while trying to open files in your profile directory.

Parent is shutting down, bye...
???

I realised there needed to be a ff-with-light-theme.profile, so I copied & renamed the firefox.profile to my home directory
(as per the instructions here https://firejail.wordpress.com/documentation-2/building-custom-profiles/):

Code:
$ sudo cp /etc/firejail/firefox.profile ~/.config/firejail/ff-with-light-theme.profile
(I noticed this profile has root ownership - should that be changed to the user?)

Then:

Code:
~ $ firejail ff-with-light-theme
Reading profile /home/mick/.config/firejail/ff-with-light-theme.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 7755, child pid 7756
Blacklist violations are logged to syslog
Child process initialized in 124.88 ms

And all seems good firefox launches under firejail with light theme  :)

So I presume now the recently 'installed' /usr/bin/ff-with-light-theme (from /usr/sbin/firefox) will need to be renamed /usr/bin/firefox? & the existing /usr/bin/firefox renamed too? Then the to-be-renamed /usr/bin/ff-with-light-theme will need to be amended to 'point' to the to-be-renamed /usr/bin/firefox? Then I can reinstate the symlink /usr/local/bin/firefox & all should work OK system-wide? (obviously remove ~/.config/firejail/ff-with-light-theme.profile too)

The caveat I see, if I am correct, is that the apps that point to/are in the path of the present /usr/sbin/firefox & /usr/bin/firefox would have to be amended too, & I don't know of any further consequences either, & it might start to get a bit messy.  :-\

I don't mean to be presumptuous & am grateful for your assistance, & I may well be wrong, but if this is the case what about the other option you mentioned Mark about removing the blacklist? Can this be done on a per-app basis? (may well be cleaner/easier all round)  ;)
« Last Edit: April 15, 2018, 12:46:48 pm by Bigoeuf »

Offline PCNetSpec
Re: Firejail - Pepp 8 issues
« Reply #3 on: April 15, 2018, 01:02:28 pm »
No, all you need to do is change the launchers (your menu and taskbar items) to point at /usr/bin/ff-light-theme instead of /usr/bin/firefox.

If you rename /usr/bin/firefox, you WILL break firefox, as /usr/bin/ff-light-theme is just a simple bash script that points at it.

Though you can get rid of /usr/sbin/firefox if you'd like (or rename it to something like firefox-old)



The
Code:
sudo xed /etc/firejail/ff-light-theme.profile
you created should also read the same as the firefox one, so
Code:
# This file is overwritten during software install.
# Persistent customizations should go in a .local file.
include /etc/firejail/firefox.local

# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
noblacklist ~/.mozilla
noblacklist ~/.cache/mozilla
noblacklist ~/.config/qpdfview
noblacklist ~/.local/share/qpdfview
noblacklist ~/.kde/share/apps/okular
noblacklist ~/.pki
noblacklist ~/.lastpass
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc

caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6,netlink
seccomp
tracelog

whitelist ${DOWNLOADS}
mkdir ~/.mozilla
whitelist ~/.mozilla
mkdir ~/.cache/mozilla/firefox
whitelist ~/.cache/mozilla/firefox
whitelist ~/dwhelper
whitelist ~/.zotero
whitelist ~/.vimperatorrc
whitelist ~/.vimperator
whitelist ~/.pentadactylrc
whitelist ~/.pentadactyl
whitelist ~/.keysnail.js
whitelist ~/.config/gnome-mplayer
whitelist ~/.cache/gnome-mplayer/plugin
mkdir ~/.pki
whitelist ~/.pki
whitelist ~/.lastpass
whitelist ~/.config/qpdfview
whitelist ~/.local/share/qpdfview
whitelist ~/.kde/share/apps/okular

# silverlight
whitelist ~/.wine-pipelight
whitelist ~/.wine-pipelight64
whitelist ~/.config/pipelight-widevine
whitelist ~/.config/pipelight-silverlight5.1

include /etc/firejail/whitelist-common.inc

# experimental features
#private-bin firefox,which,sh,dbus-launch,dbus-send,env
#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
#private-dev
#private-tmp - mask KDE problems

Though in reality I don't know why you require this additional profile at all .. I don't  :-\
« Last Edit: April 15, 2018, 01:19:03 pm by PCNetSpec »

Offline Bigoeuf
Re: Firejail - Pepp 8 issues
« Reply #4 on: April 17, 2018, 09:11:18 am »
Well I've tried what you have suggested Mark & all that happens is firefox launches, granted with the light theme, but not under Firejail. If I run:

Code:
$ firejail --tree
I see firefox isn't there, i.e. it's not running under Firejail - I think the path bypasses Firejail totally - which is kind of what I would expect if the firefox.desktop launcher points directly to /usr/bin/ff-with-light-theme - there is no link to associate it with Firejail.


So to recap this is what's already done:

Code:
$ sudo cp /usr/sbin/firefox /usr/bin/ff-with-light-theme
(As you initially suggested)


Made an exact copy of the Firejail profile for firefox, renamed ff-with-light-theme.profile, & placed it in the ~/.config/firejail/ directory as recommended by the Firejail site, as it is a custom profile & it won't get removed during any update to Firejail:

Code:
$ sudo cp /etc/firejail/firefox.profile ~/.config/firejail/ff-with-light-theme.profile

I have now created a local desktop launcher for firefox in my user directory:

Code:
sudo cp /usr/share/applications/firefox.desktop ~/.local/share/applications/
opened the file with a text editor as sudo:

Code:
$ sudo nano ~/.local/share/applications/firefox.desktop
& changed the Exec line to read:

Code:
Exec=ff-with-light-theme
(The same result can be achieved by editing the Firefox Web Browser graphical menu launcher so the command line reads 'ff-with-light-theme' & not 'firefox %U') - again as you suggested Mark.


I then made a symlink for the ff-with-light-theme.profile in /usr/local/bin that points to /usr/bin/firejail:

Code:
sudo ln -s /usr/bin/firejail /usr/local/bin/ff-with-light-theme
so as to invoke Firejail when ff-with-light-theme is called (these symlinks are what are created by $ sudo firecfg - see OP)


I then updated the desktop database:

Code:
sudo update-desktop-database
And then the system database:

Code:
sudo updatedb

And all seems OK  :)


Quote:
Though in reality I don't know why you require this additional profile at all .. I don't  :-\

As in my second post, prior to creating a ff-with-light-theme.profile for Firejail, if I launch it in the terminal:

Code:
~ $ firejail ff-with-light-theme
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc

** Note: you can use --noprofile to disable default.profile **

Parent pid 3709, child pid 3710
Child process initialized in 46.37 ms
Error: Access was denied while trying to open files in your profile directory.

Parent is shutting down, bye...

& it is accompanied by a popup from firefox:



And I've just explained above what happens when I click the firefox desktop launcher with the command pointing at ff-with-light-theme - & I've tried this with & without the firejail ff-with-light-theme.profile created - so how does it work for you Mark?  ???

Offline PCNetSpec
Re: Firejail - Pepp 8 issues
« Reply #5 on: April 17, 2018, 10:08:14 am »
It'd be hard to answer that because I don't use firejail, I only installed it to try to assist .. then removed it again.

So is it solved now, or are you still having problems ?

Another problem would be I'm not able to replicate the same behaviour you get, which could render any assistance I could offer invalid for you ???

Offline Bigoeuf
Re: Firejail - Pepp 8 issues
« Reply #6 on: April 18, 2018, 11:03:53 am »

Quote:
So is it solved now, or are you still having problems ?


Well all seems to be working OK  :)

But, before I mark it as solved, this is a bit convoluted & messy &, if I am correct, really the peppermint-firefox-themer script should be amended too so that it points to ff-light-theme in /usr/bin ?

You stated that:

Quote:
if that doesn't work, I guess you'd just have to remove the blacklist for /usr/sbin .. I can tell you how to do this if you want ?

prompted by that I did a bit of digging & I believe you are referring to this in /etc/firejail/disable-common.inc:

Code:
..........
# system directories
blacklist /sbin
blacklist /usr/local/sbin
blacklist /usr/sbin
..........

so I could put
Code:
noblacklist  /usr/sbin
in /etc/firejail/firefox.profile (or, more appropriately, in a copy of that profile: ~/.config/firejail/firefox.profile) & that would be all I would have to do! No further amendments required, but would it break/lower the security of the sandbox?
I have tried this & it works.

I have also tried to restrict the noblacklist to specifically /usr/sbin/firefox:

Code:
# Firejail profile for firefox
# This file is overwritten after every install/update
# Persistent local customizations
include /etc/firejail/firefox.local
# Persistent global definitions
include /etc/firejail/globals.local

# Allow access to  /usr/sbin/firefox for light-theme
noblacklist  /usr/sbin
whitelist  /usr/sbin/firefox
blacklist  /usr/sbin/*

noblacklist ${HOME}/.cache/mozilla
..............
but it produces whitelist errors  - can you see where I've messed up?  :-\
« Last Edit: April 26, 2018, 08:03:15 am by Bigoeuf »

Offline PCNetSpec
Re: Firejail - Pepp 8 issues
« Reply #7 on: April 18, 2018, 12:04:51 pm »
Yes, simply changing that section in disable-common.inc to:
Code:
..........
# system directories
blacklist /sbin
blacklist /usr/local/sbin
# blacklist /usr/sbin
..........
Would have negated the need for ANY other changes.

I tried 'noblacklist /usr/sbin' and 'noblacklist /usr/sbin/firefox' .. but for me they didn't work, only removing the blacklist of /usr/sbin itself seemed to work .. YMMV.
« Last Edit: April 18, 2018, 12:14:15 pm by PCNetSpec »

Offline Bigoeuf
Re: Firejail - Pepp 8 issues
« Reply #8 on: April 19, 2018, 05:19:29 am »
Quote:
Yes, simply changing that section in disable-common.inc to:
Code:
..........
# system directories
blacklist /sbin
blacklist /usr/local/sbin
# blacklist /usr/sbin
..........
Would have negated the need for ANY other changes.


Yes, I agree that would be the case, BUT that would be pretty much system-wide for any application launched under Firejail as, from what I have seen, they all include the disable-common.inc settings in their Firejail profiles, & not blacklisting /usr/sbin for them would be neither necessary nor desirable.
So, IMHO, I suggest that if anyone did want to blacklist /usr/sbin for the purpose of using firefox system-wide under Firejail with the light theme enforced by Firefox Themer, do as I have stated in my last post.

Quote:
I tried 'noblacklist /usr/sbin' and 'noblacklist /usr/sbin/firefox' .. but for me they didn't work, only removing the blacklist of /usr/sbin itself seemed to work .. YMMV.

Yes Mark, I am having difficulty getting just /usr/sbin/firefox not to be blacklisted - I may tinker a bit more & may ask over on the Firejail forum to see if it can be done  ;)  - I don't really like having the whole of /usr/sbin/ unblacklisted (maybe a bit paranoid, eh??  ::) )

Anyway I'll mark this as solved now as there is a workable solution & once again Mark cheers for your help  :)

Offline PCNetSpec
Re: Firejail - Pepp 8 issues - SOLVED
« Reply #9 on: April 19, 2018, 09:19:28 am »
Personally I can't see why /usr/sbin is blacklisted in the first place .. why?

I mean /usr/bin obviously isn't (and is likely to contain MANY more binaries than /usr/sbin) .. I mean, sure, someone could hide some malicious software in there, but so could they in /usr/bin (or anywhere else in the $PATH .. or indeed anywhere else on the system); I'd argue anyone wanting to bung something malicious in the $PATH is more likely to think of putting it in /usr/bin first.
« Last Edit: April 19, 2018, 09:21:54 am by PCNetSpec »

Offline Bigoeuf
Re: Firejail - Pepp 8 issues - SOLVED
« Reply #10 on: April 29, 2018, 09:42:54 pm »
Update

After some further digging I found this:

https://wiki.gentoo.org/wiki/Firejail#Using_Firejail_by_default

Quote:
Using Firejail by default

A symbolic link to /usr/bin/firejail under the name of a program will start the program in the Firejail sandbox. A good place is the /usr/local/bin directory. For example, to run Firefox with firejail by default:
Code:
$ sudo ln -s /usr/bin/firejail /usr/local/bin/firefox

This works for clicking on desktop environment icons, menus etc. Use firejail --tree to verify the program is sandboxed.
Code:
user $ firejail --tree

23615:user:firejail /usr/bin/firefox
  23616:user:firejail /usr/bin/firefox
    23618:user:/usr/bin/firefox
Alternatively you can create the following file instead and make it executable:
/usr/local/bin/firefox:
Code:
#!/bin/bash
firejail /usr/bin/firefox "$@"

This method allows command line options to be passed to firejail. Remember to make it executable with chmod +x /usr/local/bin/firefox.

So if I prefaced the script in the /usr/local/bin/firefox file with:
Code:
env GTK_THEME=Peppermix-Light-7-Red

Making it:
Code:
#!/bin/sh

env GTK_THEME=Peppermix-Light-7-Red firejail /usr/bin/firefox "$@"

it would invoke the light theme on launching firefox under firejail.
Note: This script file is almost identical to the /usr/sbin/firefox file created by the Firefox Themer application, with just "firejail" inserted (see below).


This method not only works but is the simplest option yet - So once again from the top with feeling  :D:

Install firejail

Run:
Code:
firecfg --fix-sound
This command fixes some bugs in the PulseAudio software versions available on most Linux platforms. After running it, log out and log in again for the modifications to take effect. Info: https://firejail.wordpress.com/support/#pulseaudio

Run:
Code:
$ sudo firecfg
which will create links in /usr/local/bin/ for installed applications with firejail profiles, so as to integrate firejail with the desktop so that the said applications launch under firejail

Remove the firefox link:

Code:
$ sudo rm /usr/local/bin/firefox

Now copy the /usr/sbin/firefox file created by Firefox Themer to /usr/local/bin/:
Code:
$ sudo cp /usr/sbin/firefox /usr/local/bin/firefox

Amend the /usr/local/bin/firefox file in a text editor to read:
Code:
#!/bin/sh

env GTK_THEME=Peppermix-Light-7-Red firejail /usr/bin/firefox "$@"
save the file & exit the editor

I then update the system databases:
Code:
$ sudo updatedb

Restart firefox if running & all should be OK - firefox with the light theme invoked, running under firejail with desktop integration  :)

This is only necessary with a system-wide dark theme, to get firefox using a light theme under firejail, & the only issue with the solution in this post is that getting firefox to run with the system-wide dark theme again requires editing the /usr/local/bin/firefox file to remove the:
Code:
env GTK_THEME=Peppermix-Light-7-Red
Hope this helps  :)

« Last Edit: April 29, 2018, 09:47:05 pm by Bigoeuf »
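Two things this post and Reply #4 establish by trial and error can be checked mechanically: whether a launcher on PATH actually routes through firejail (the firecfg symlink and the wrapper above do; the bare themer script from the OP, which Reply #4's .desktop file ended up calling, does not), and whether `firejail --tree` lists the program. The script below is an added example, not code from this thread or from the firejail project. It runs against a temporary directory standing in for /usr/local/bin; FIREJAIL_BIN, the "bare-name" wrapper variant and the launcher bodies are constructed for the demo, and the `--tree` sample is the one quoted from the Gentoo wiki above.

```python
"""Sanity checks for firejail desktop integration (added example, not from the thread).

1. classify_launcher(): does a launcher reach the sandbox at all?  The firecfg
   symlink and the /usr/local/bin/firefox wrapper do; a plain themer script
   launches the program directly and bypasses firejail.
2. sandboxed_programs(): parse `firejail --tree` output, the ground truth.

All inputs are constructed; nothing here needs firejail installed.
"""
import os
import re
import stat
import tempfile

FIREJAIL_BIN = "/usr/bin/firejail"  # assumed path; what `sudo firecfg` symlinks to

# Wrapper from this post: absolute path to the real binary.
GOOD_WRAPPER = '#!/bin/sh\n\nenv GTK_THEME=Peppermix-Light-7-Red firejail /usr/bin/firefox "$@"\n'
# Hypothetical variant (not posted in the thread): a bare name.  With
# /usr/local/bin ahead of /usr/bin in PATH, "firefox" resolves to this very
# wrapper, so the absolute path in GOOD_WRAPPER is not cosmetic.
BAD_WRAPPER = '#!/bin/sh\n\nenv GTK_THEME=Peppermix-Light-7-Red firejail firefox "$@"\n'
# The peppermint-firefox-themer script from the OP: no firejail at all.
THEMER_SCRIPT = '#!/bin/sh\n\nenv GTK_THEME=Peppermix-Light-7-Red /usr/bin/firefox "$@"\n'

# `firejail --tree` output as quoted from the Gentoo wiki in this post.
SAMPLE_TREE = """\
23615:user:firejail /usr/bin/firefox
  23616:user:firejail /usr/bin/firefox
    23618:user:/usr/bin/firefox
"""

# "firejail [--option ...] PROGRAM" anywhere in a script body.
_FIREJAIL_CALL = re.compile(r'(?:^|\s)firejail\s+(?:--\S+\s+)*["\']?([^\s"\']+)', re.M)
_TREE_LINE = re.compile(r"^(\s*)(\d+):([^:]*):(.*)$")


def classify_launcher(path):
    """'firecfg-symlink', 'wrapper', 'recursive-wrapper', 'unsandboxed' or 'not-executable'."""
    if os.path.islink(path):
        target = os.readlink(path)
        return "firecfg-symlink" if os.path.basename(target) == "firejail" else "unsandboxed"
    if not (os.stat(path).st_mode & stat.S_IXUSR):
        return "not-executable"
    with open(path, encoding="utf-8", errors="replace") as fh:
        match = _FIREJAIL_CALL.search(fh.read())
    if match is None:
        return "unsandboxed"  # runs the program directly; firejail never sees it
    program = match.group(1)
    if "/" not in program and program == os.path.basename(path):
        return "recursive-wrapper"  # PATH lookup lands on this wrapper again
    return "wrapper"


def sandboxed_programs(tree_output):
    """Map each sandboxed program to the PID of its outermost firejail process.

    Lines are 'PID:user:command', indented by nesting depth; the firejail
    supervisor lines enclose the program they sandbox.
    """
    found = {}
    stack = []  # (indent, pid) of enclosing firejail processes
    for line in tree_output.splitlines():
        m = _TREE_LINE.match(line)
        if m is None:
            continue
        indent, pid, command = len(m.group(1)), int(m.group(2)), m.group(4).strip()
        while stack and stack[-1][0] >= indent:
            stack.pop()
        if command == "firejail" or command.startswith("firejail "):
            stack.append((indent, pid))
        elif stack and command:
            found.setdefault(command.split()[0], stack[0][1])
    return found


def is_sandboxed(tree_output, program):
    return program in sandboxed_programs(tree_output)


def build_demo_tree(root):
    """Constructed stand-in for /usr/local/bin: one 'firefox' launcher of each kind."""
    launchers = {}
    for kind, body in (("wrapper", GOOD_WRAPPER), ("bare", BAD_WRAPPER), ("themer", THEMER_SCRIPT)):
        os.makedirs(os.path.join(root, kind))
        path = os.path.join(root, kind, "firefox")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, 0o755)
        launchers[kind] = path
    os.makedirs(os.path.join(root, "symlink"))
    path = os.path.join(root, "symlink", "firefox")
    os.symlink(FIREJAIL_BIN, path)  # what firecfg creates; the target need not exist here
    launchers["symlink"] = path
    return launchers


def classify_demo():
    with tempfile.TemporaryDirectory() as root:
        return {kind: classify_launcher(p) for kind, p in build_demo_tree(root).items()}


if __name__ == "__main__":
    for kind, verdict in classify_demo().items():
        print(f"{kind:8s} -> {verdict}")
    print("sandboxed:", sandboxed_programs(SAMPLE_TREE))
```

On a real box, feed `classify_launcher` the path `which firefox` returns and `sandboxed_programs` the live output of `firejail --tree`; a launcher that classifies as "unsandboxed" is exactly the Reply #4 situation, where the program starts but never appears in the tree.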

Offline Bigoeuf
Re: Firejail - Pepp 8 issues - SOLVED (Updated)
« Reply #11 on: May 02, 2018, 08:42:35 pm »
Further & hopefully final update

I tested an alteration to:

Quote (from Reply #6):
I have also tried to restrict the noblacklist to specifically /usr/sbin/firefox:

Code:
# Firejail profile for firefox
# This file is overwritten after every install/update
# Persistent local customizations
include /etc/firejail/firefox.local
# Persistent global definitions
include /etc/firejail/globals.local

# Allow access to  /usr/sbin/firefox for light-theme
noblacklist  /usr/sbin
whitelist  /usr/sbin/firefox
blacklist  /usr/sbin/*

noblacklist ${HOME}/.cache/mozilla
..............
but it produces whitelist errors  - can you see where I've messed up?  :-\

I thought about it - specifically the whitelist errors - realised I was barking up the wrong tree & should have noblacklisted it, & so made my ~/.config/firejail/firefox.profile file read:

Code:
# Firejail profile for firefox
# This file is overwritten after every install/update
# Persistent local customizations
include /etc/firejail/firefox.local
# Persistent global definitions
include /etc/firejail/globals.local

# Allow access to /usr/sbin/firefox for light-theme
noblacklist /usr/sbin
noblacklist /usr/sbin/firefox
blacklist /usr/sbin/*

noblacklist ${HOME}/.cache/mozilla
………………….
& it works - firefox is launched under firejail with the light theme  :)

I posted this comment on the Firejail support page:
Quote:
I would like one of the existing profiles to enable the application I am running to be able to read a script in /usr/sbin to force a light-theme on the application in an otherwise dark-themed DE.
I copied the existing profile to ~/.config/firejail/ & amended the profile by adding in the second paragraph (see below). Although this works, is it because the whole /usr/sbin directory is un-blacklisted or is it as I hope that just the /usr/sbin/firefox script file is & the rest of the /usr/sbin is then subsequently re-blacklisted?

# Firejail profile for firefox
# This file is overwritten after every install/update
# Persistent local customizations
include /etc/firejail/firefox.local
# Persistent global definitions
include /etc/firejail/globals.local

# Allow access to /usr/sbin/firefox for light-theme
noblacklist /usr/sbin
noblacklist /usr/sbin/firefox
blacklist /usr/sbin/*

noblacklist ${HOME}/.cache/mozilla
………………….

And got this response:
Quote:
It is fine, in your /usr/sbin only the firefox script is available, everything else is blacklisted. You can check it easily by running something like:

Code:
$ firejail --noblacklist=/usr/sbin --noblacklist=/usr/sbin/firefox --blacklist='/usr/sbin/*'
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc

** Note: you can use --noprofile to disable default.profile **

Parent pid 1836, child pid 1837
Child process initialized in 38.84 ms
$ ls -l /usr/sbin

I tested it as above & also commenting out the line:

Code:
noblacklist /usr/sbin/firefox
in my  ~/.config/firejail/firefox.profile to prove the negative (i.e. firefox shouldn't launch because firejail won't read the /usr/sbin directory) & it acts as it should in both cases.

Also, since all 'standard' firejail profiles also try to source the additional customization file /etc/firejail/<appname>.local when read, if you simply want to 'tweak' an existing profile you can supply your additional configuration settings via that file - this approach has the benefit of allowing the main application profile to be upgraded whenever the rest of the package is  ;)

I removed the ~/.config/firejail/firefox.profile & created an /etc/firejail/firefox.local file that reads only:

Code:
# Allow access to /usr/sbin/firefox for light-theme
noblacklist /usr/sbin
noblacklist /usr/sbin/firefox
blacklist /usr/sbin/*

So, to install Firejail and set it up so that all installed applications that have a provided firejail profile run under Firejail (including firefox with a light theme invoked by the Firefox Themer utility):

Install firejail

Run:

Code:
firecfg --fix-sound

This command fixes some bugs in the PulseAudio software versions available on most Linux platforms. After running it, log out and log in again for the modifications to take effect. Info: https://firejail.wordpress.com/support/#pulseaudio

Run:

Code:
$ sudo firecfg
which will create links in /usr/local/bin/ for installed applications with firejail profiles, so as to integrate firejail with the desktop so that the said applications launch under firejail (any application automatically linked by the firecfg command that you don't wish to run under firejail can be excluded by removing the link for that application from the /usr/local/bin/ directory).

Then, as stated above, make & edit (as root) an /etc/firejail/firefox.local file to read:

Code:
# Allow access to /usr/sbin/firefox for light-theme
noblacklist /usr/sbin
noblacklist /usr/sbin/firefox
blacklist /usr/sbin/*
save the file & exit

I then update the system databases:

Code:
$ sudo updatedb
& voila alls good in the 'hood  ;)

So after 'going all round the p*sspot to get to the handle' (as my ex-girlfriend used to say  :D ) its solved in the most minimal way :)

« Last Edit: May 02, 2018, 08:47:48 pm by Bigoeuf »
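The three firefox.local variants tried across this thread (noblacklist /usr/sbin alone, which exposes the whole directory; noblacklist /usr/sbin plus blacklist /usr/sbin/* with the firefox line commented out, which hides firefox again; and the final three-line version, which the firejail maintainer confirmed leaves only the script visible) differ only in directive order and exact paths, which is easy to get wrong by hand. The script below is an added example, not firejail's own code: it replays a profile line by line against a constructed file listing and reports what the sandbox would see, using the rules the thread's own tests demonstrate (noblacklist is an exact-path exemption and must precede the blacklist it exempts, which is why the .local include sits at the top of firefox.profile ahead of disable-common.inc; a blacklisted directory hides everything under it). The file listing, the one-section stand-in for disable-common.inc and the cut-down firefox.profile are constructed for the demo; whitelist is a different mechanism (bind-mounting chosen paths into an empty tmpfs) and is deliberately not modelled.

```python
"""Replay of firejail blacklist / noblacklist ordering (added example, not firejail code).

Rules modelled, as the thread's tests demonstrate them:
  * `noblacklist PATH` records an exact path; only blacklists processed after it
    are affected.
  * `blacklist PATTERN` globs against the listing (`*` stays inside one path
    component) and hides every match not noblacklisted by exact name.
  * A hidden directory hides everything beneath it.
`whitelist` is not modelled.  All data below is constructed for the demo.
"""
import fnmatch

# Constructed listing: just enough to show what the sandbox can and cannot see.
FS = [
    "/sbin", "/sbin/init",
    "/usr/local/sbin",
    "/usr/sbin", "/usr/sbin/firefox", "/usr/sbin/sshd", "/usr/sbin/useradd",
    "/usr/bin", "/usr/bin/firefox",
]

# The "system directories" section of disable-common.inc quoted in the thread.
DISABLE_COMMON = """\
# system directories
blacklist /sbin
blacklist /usr/local/sbin
blacklist /usr/sbin
"""

# Cut-down head of /etc/firejail/firefox.profile as quoted in the thread: the
# .local is included first, then the profile's own noblacklists, then the .inc files.
FIREFOX_PROFILE = """\
include /etc/firejail/firefox.local
noblacklist ${HOME}/.mozilla
include /etc/firejail/disable-common.inc
"""

# The three /etc/firejail/firefox.local contents discussed in the thread.
LOCAL_BROAD = "noblacklist /usr/sbin\n"                           # Reply #6: whole directory exposed
LOCAL_NEGATIVE = "noblacklist /usr/sbin\nblacklist /usr/sbin/*\n"   # last post, firefox line commented out
LOCAL_FINAL = """\
# Allow access to /usr/sbin/firefox for light-theme
noblacklist /usr/sbin
noblacklist /usr/sbin/firefox
blacklist /usr/sbin/*
"""


def expand_includes(text, files):
    """Yield directive lines in profile order, inlining `include` files."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("include "):
            yield from expand_includes(files.get(line.split(None, 1)[1], ""), files)
        else:
            yield line


def glob_matches(pattern, fs):
    """Entries of `fs` matched by a blacklist argument; `*` does not cross `/`."""
    if not any(ch in pattern for ch in "*?["):
        return [pattern] if pattern in fs else []
    depth = pattern.count("/")
    return [p for p in fs if p.count("/") == depth and fnmatch.fnmatchcase(p, pattern)]


def apply_profile(lines, fs):
    """Return the set of paths hidden after replaying the directives in order."""
    noblacklist, hidden = set(), set()
    for line in lines:
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        cmd, arg = parts
        if cmd == "noblacklist":
            noblacklist.add(arg)                       # exact path, takes effect from here on
        elif cmd == "blacklist":
            hidden.update(p for p in glob_matches(arg, fs) if p not in noblacklist)
    return hidden


def visible(path, hidden):
    """A path is reachable unless it or one of its parents was blacklisted."""
    parts = path.split("/")
    return not any("/".join(parts[:i]) in hidden for i in range(2, len(parts) + 1))


def sandbox_view(local_text, directory="/usr/sbin"):
    """Sorted entries the sandbox would see under `directory` with this firefox.local."""
    files = {
        "/etc/firejail/firefox.local": local_text,
        "/etc/firejail/disable-common.inc": DISABLE_COMMON,
    }
    hidden = apply_profile(expand_includes(FIREFOX_PROFILE, files), FS)
    return sorted(p for p in FS if p.startswith(directory + "/") and visible(p, hidden))


if __name__ == "__main__":
    for name, local in (("none", ""), ("broad", LOCAL_BROAD),
                        ("negative", LOCAL_NEGATIVE), ("final", LOCAL_FINAL)):
        print(f"{name:9s} /usr/sbin -> {sandbox_view(local)}")
```

The model is only as good as the rules it encodes, so treat it as a way to reason about a .local before installing it; the authoritative check remains `firejail --profile=... ls -l /usr/sbin` on the real system, which is what the maintainer's reply suggests.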