
#1 2017-09-17 06:50:45

IrvineHimself
Member
From: Scotland
Registered: 2016-08-21
Posts: 275

[solved] Firejail and seccomp

Okay, I have been trying to figure this out for a while and have been getting nowhere: I use Firejail, which, (even though it is enabled in various profiles,) reports that seccomp is disabled.

My main kernel is linux-hardened with apparmor, and looking at config.gz, ALL the seccomp flags are enabled.

The only other, "possibly", relevant setting I can think of is net.core.bpf_jit_enable, which is set to 0.

Does anyone have any ideas why the Firejail seccomp should be disabled?

Irvine

Last edited by IrvineHimself (2017-09-18 15:04:09)


And there it comes. The coin, the penny, perhaps it arrives with you!


#2 2017-09-17 13:54:14

seth
Member
Registered: 2012-09-03
Posts: 51,308

Re: [solved] Firejail and seccomp

I use Firejail

How do you run it exactly? Did you read https://wiki.archlinux.org/index.php/Firejail ?


#3 2017-09-17 15:39:24

IrvineHimself
Member
From: Scotland
Registered: 2016-08-21
Posts: 275

Re: [solved] Firejail and seccomp

I had been launching Firefox, VLC and the like from Firetools using, e.g., firejail --apparmor vlc, but have recently moved to a sandbox-everything approach using links to firejail in /usr/local/bin.

Note: the firejail-apparmor package is a clone of the official package with the default apparmor firejail profile enabled. Additionally, as yet, I have not enabled apparmor globally, so it's not the apparmor profile.

Further, I have also tried launching applications with, for example, firejail --seccomp vlc, ie no apparmor and seccomp explicitly enabled. This makes absolutely no difference.

Thanks for your response
Irvine

EDIT
By the way, for the last couple of months, the Wiki page on Firejail has been permanently open in my browser and I read it at least two or three times a day.

Last edited by IrvineHimself (2017-09-17 15:59:10)




#4 2017-09-17 20:23:24

seth
Member
Registered: 2012-09-03
Posts: 51,308

Re: [solved] Firejail and seccomp

And did/does "firejail --apparmor vlc" work? (As you "moved")
Did you try the vanilla kernel?
What's the actual output of

firejail --debug vlc | grep -Ev '(^Disable /|^Mounting read-only /home)'


#5 2017-09-18 05:52:37

IrvineHimself
Member
From: Scotland
Registered: 2016-08-21
Posts: 275

Re: [solved] Firejail and seccomp

seth wrote:

And did/does "firejail --apparmor vlc" work? (As you "moved").....

To the best of my knowledge seccomp has never worked. When I first tried firejail with both the zen and vanilla kernels, I launched applications from the terminal and would get messages about "...seccomp not supported with this kernel...". I no longer get these messages. However, Firetools still reports seccomp as being disabled.

seth wrote:

.....Did you try the vanilla kernel? ....

I just double checked with the official vanilla and linux-hardened kernels: With the vanilla kernel, seccomp, namespaces and protocols are disabled. With the linux-hardened kernel, namespaces is enabled, but seccomp and protocols are disabled, as they are in my apparmor-enabled local mod of linux-hardened.

Additionally, since it may be relevant: with all my attention on seccomp, I only just noticed that protocols is also disabled.

seth wrote:

.....What's the actual output of

firejail --debug vlc | grep -Ev '(^Disable /|^Mounting read-only /home)'

The requested output is:

[stupidme@mine ~]$ firejail --debug vlc | grep -Ev '(^Disable /|^Mounting read-only /home)'
Reading profile /etc/firejail/vlc.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
DISPLAY=:0.0 parsed as 0
Autoselecting /bin/bash as shell
Building quoted command line: 'vlc'
Command name #vlc#
Found vlc profile in /etc/firejail directory
Using the local network stack
Initializing child process
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
total 0
lrwx------ 1 stupidme stupidme 64 Sep 18 05:49 0 -> /dev/null
l-wx------ 1 stupidme stupidme 64 Sep 18 05:49 1 -> pipe:[38209]
lrwx------ 1 stupidme stupidme 64 Sep 18 05:49 2 -> /dev/pts/0
lr-x------ 1 stupidme stupidme 64 Sep 18 05:49 3 -> /proc/2276/fd
total 0
lrwx------ 1 stupidme stupidme 64 Sep 18 05:49 0 -> /dev/null
l-wx------ 1 stupidme stupidme 64 Sep 18 05:49 1 -> pipe:[38209]
lrwx------ 1 stupidme stupidme 64 Sep 18 05:49 2 -> /dev/pts/0
lr-x------ 1 stupidme stupidme 64 Sep 18 05:49 3 -> /proc/2278/fd
total 0
lrwx------ 1 stupidme stupidme 64 Sep 18 05:49 0 -> /dev/null
l-wx------ 1 stupidme stupidme 64 Sep 18 05:49 1 -> pipe:[38209]
lrwx------ 1 stupidme stupidme 64 Sep 18 05:49 2 -> /dev/pts/0
lr-x------ 1 stupidme stupidme 64 Sep 18 05:49 3 -> /proc/2280/fd
total 0
lrwx------ 1 stupidme stupidme 64 Sep 18 05:49 0 -> /dev/null
l-wx------ 1 stupidme stupidme 64 Sep 18 05:49 1 -> pipe:[38209]
lrwx------ 1 stupidme stupidme 64 Sep 18 05:49 2 -> /dev/pts/0
lr-x------ 1 stupidme stupidme 64 Sep 18 05:49 3 -> /proc/2282/fd
total 0
lrwx------ 1 stupidme stupidme 64 Sep 18 05:49 0 -> /dev/null
l-wx------ 1 stupidme stupidme 64 Sep 18 05:49 1 -> pipe:[38209]
lrwx------ 1 stupidme stupidme 64 Sep 18 05:49 2 -> /dev/pts/0
lr-x------ 1 stupidme stupidme 64 Sep 18 05:49 3 -> /proc/2284/fd
total 0
lrwx------ 1 stupidme stupidme 64 Sep 18 05:49 0 -> /dev/null
l-wx------ 1 stupidme stupidme 64 Sep 18 05:49 1 -> pipe:[38209]
lrwx------ 1 stupidme stupidme 64 Sep 18 05:49 2 -> /dev/pts/0
lr-x------ 1 stupidme stupidme 64 Sep 18 05:49 3 -> /proc/2286/fd
total 0
lrwx------ 1 stupidme stupidme 64 Sep 18 05:49 0 -> /dev/null
l-wx------ 1 stupidme stupidme 64 Sep 18 05:49 1 -> pipe:[38209]
lrwx------ 1 stupidme stupidme 64 Sep 18 05:49 2 -> /dev/pts/0
lr-x------ 1 stupidme stupidme 64 Sep 18 05:49 3 -> /proc/2288/fd
Debug 374: new_name #/tmp/.X11-unix#, whitelist
Creating empty /run/firejail/mnt/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp.postexec file
Build protocol filter: unix,inet,inet6,netlink
sbox run: /usr/lib/firejail/fseccomp protocol build unix,inet,inet6,netlink /run/firejail/mnt/seccomp.protocol (null)
Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr, /etc, /var
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Mounting tmpfs on /dev
mounting /run/firejail/mnt/dev/snd directory
mounting /run/firejail/mnt/dev/dri directory
mounting /run/firejail/mnt/dev/video0 file
mounting /run/firejail/mnt/dev/sr0 file
Create /dev/shm directory
Copying files in the new bin directory
Checking /usr/local/bin/vlc
firejail exec symlink detected
Checking /usr/bin/vlc
sbox run: /usr/lib/firejail/fcopy /usr/bin/vlc /run/firejail/mnt/bin (null)
Checking /usr/local/bin/cvlc
firejail exec symlink detected
Checking /usr/bin/cvlc
sbox run: /usr/lib/firejail/fcopy /usr/bin/cvlc /run/firejail/mnt/bin (null)
Checking /usr/local/bin/nvlc
Checking /usr/bin/nvlc
sbox run: /usr/lib/firejail/fcopy /usr/bin/nvlc /run/firejail/mnt/bin (null)
Checking /usr/local/bin/rvlc
Checking /usr/bin/rvlc
sbox run: /usr/lib/firejail/fcopy /usr/bin/rvlc /run/firejail/mnt/bin (null)
Checking /usr/local/bin/qvlc
Checking /usr/bin/qvlc
sbox run: /usr/lib/firejail/fcopy /usr/bin/qvlc /run/firejail/mnt/bin (null)
Checking /usr/local/bin/svlc
Checking /usr/bin/svlc
sbox run: /usr/lib/firejail/fcopy /usr/bin/svlc /run/firejail/mnt/bin (null)
Mount-bind /run/firejail/mnt/bin on top of /usr/local/bin
Mount-bind /run/firejail/mnt/bin on top of /usr/bin
Mount-bind /run/firejail/mnt/bin on top of /bin
Mount-bind /run/firejail/mnt/bin on top of /usr/local/games
Mount-bind /run/firejail/mnt/bin on top of /usr/local/sbin
Mount-bind /run/firejail/mnt/bin on top of /usr/sbin
Mount-bind /run/firejail/mnt/bin on top of /sbin
Remounting /proc and /proc/sys filesystems
Remounting /sys directory
Mounting tmpfs on /tmp directory
Whitelisting /tmp/.X11-unix
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Mounting noexec /tmp/.X11-unix
Not blacklist /home/stupidme/.config/vlc
Mounting noexec /home/stupidme
Mounting noexec /tmp
DISPLAY=:0.0 parsed as 0
SECCOMP Filter
  VALIDATE_ARCHITECTURE_64
  EXAMINE_SYSCALL
  WHITELIST 41 socket
  UNKNOWN ENTRY 20!
  WHITELIST 1 write
  WHITELIST 2 open
  WHITELIST 10 mprotect
  WHITELIST 16 ioctl
  RETURN_ERRNO 95 EOPNOTSUPP
SECCOMP Filter
  VALIDATE_ARCHITECTURE_32
  EXAMINE_SYSCALL
  BLACKLIST 21 access
  BLACKLIST 52 getpeername
  BLACKLIST 26 msync
  BLACKLIST 283 timerfd_create
  BLACKLIST 341 unknown
  BLACKLIST 342 unknown
  BLACKLIST 127 rt_sigpending
  BLACKLIST 128 rt_sigtimedwait
  BLACKLIST 350 unknown
  BLACKLIST 129 rt_sigqueueinfo
  BLACKLIST 110 getppid
  BLACKLIST 101 ptrace
  BLACKLIST 289 signalfd4
  BLACKLIST 87 unlink
  BLACKLIST 115 getgroups
  BLACKLIST 103 syslog
  BLACKLIST 347 unknown
  BLACKLIST 348 unknown
  BLACKLIST 135 personality
  BLACKLIST 149 mlock
  BLACKLIST 124 getsid
  BLACKLIST 343 unknown
  BLACKLIST 253 inotify_init
  BLACKLIST 336 unknown
  BLACKLIST 338 unknown
  BLACKLIST 349 unknown
  BLACKLIST 286 timerfd_settime
  BLACKLIST 287 timerfd_gettime
  BLACKLIST 288 accept4
  BLACKLIST 86 link
  BLACKLIST 51 getsockname
  BLACKLIST 123 setfsgid
  BLACKLIST 217 getdents64
  BLACKLIST 245 mq_getsetattr
  BLACKLIST 246 kexec_load
  BLACKLIST 247 waitid
  BLACKLIST 248 add_key
  BLACKLIST 249 request_key
  BLACKLIST 257 openat
  BLACKLIST 274 get_robust_list
  BLACKLIST 276 tee
  BLACKLIST 294 inotify_init1
  BLACKLIST 317 seccomp
  BLACKLIST 316 renameat2
  BLACKLIST 61 wait4
  BLACKLIST 88 symlink
  BLACKLIST 169 reboot
  BLACKLIST 130 rt_sigsuspend
  RETURN_ALLOW
SECCOMP Filter
  VALIDATE_ARCHITECTURE
  EXAMINE_SYSCALL
  HANDLE_X32
  BLACKLIST 154 modify_ldt
  BLACKLIST 212 lookup_dcookie
  BLACKLIST 298 perf_event_open
  BLACKLIST 311 process_vm_writev
  BLACKLIST 156 _sysctl
  BLACKLIST 183 afs_syscall
  BLACKLIST 174 create_module
  BLACKLIST 177 get_kernel_syms
  BLACKLIST 181 getpmsg
  BLACKLIST 182 putpmsg
  BLACKLIST 178 query_module
  BLACKLIST 185 security
  BLACKLIST 139 sysfs
  BLACKLIST 184 tuxcall
  BLACKLIST 134 uselib
  BLACKLIST 136 ustat
  BLACKLIST 236 vserver
  BLACKLIST 159 adjtimex
  BLACKLIST 305 clock_adjtime
  BLACKLIST 227 clock_settime
  BLACKLIST 164 settimeofday
  BLACKLIST 176 delete_module
  BLACKLIST 313 finit_module
  BLACKLIST 175 init_module
  BLACKLIST 173 ioperm
  BLACKLIST 172 iopl
  BLACKLIST 246 kexec_load
  BLACKLIST 320 kexec_file_load
  BLACKLIST 169 reboot
  BLACKLIST 167 swapon
  BLACKLIST 168 swapoff
  BLACKLIST 163 acct
  BLACKLIST 321 bpf
  BLACKLIST 161 chroot
  BLACKLIST 165 mount
  BLACKLIST 180 nfsservctl
  BLACKLIST 155 pivot_root
  BLACKLIST 171 setdomainname
  BLACKLIST 170 sethostname
  BLACKLIST 166 umount2
  BLACKLIST 153 vhangup
  BLACKLIST 238 set_mempolicy
  BLACKLIST 256 migrate_pages
  BLACKLIST 279 move_pages
  BLACKLIST 237 mbind
  BLACKLIST 304 open_by_handle_at
  BLACKLIST 303 name_to_handle_at
  BLACKLIST 251 ioprio_set
  BLACKLIST 103 syslog
  BLACKLIST 300 fanotify_init
  BLACKLIST 312 kcmp
  BLACKLIST 248 add_key
  BLACKLIST 249 request_key
  BLACKLIST 250 keyctl
  BLACKLIST 206 io_setup
  BLACKLIST 207 io_destroy
  BLACKLIST 208 io_getevents
  BLACKLIST 209 io_submit
  BLACKLIST 210 io_cancel
  BLACKLIST 216 remap_file_pages
  BLACKLIST 278 vmsplice
  BLACKLIST 135 personality
  BLACKLIST 323 userfaultfd
  BLACKLIST 101 ptrace
  BLACKLIST 310 process_vm_readv
  RETURN_ALLOW
Current directory: /home/stupidme
Dropping all capabilities
Install protocol filter: unix,inet,inet6,netlink
configuring 16 seccomp entries in /run/firejail/mnt/seccomp.protocol
sbox run: /usr/lib/firejail/fseccomp print /run/firejail/mnt/seccomp.protocol (null)
configuring 101 seccomp entries in /run/firejail/mnt/seccomp.32
sbox run: /usr/lib/firejail/fseccomp print /run/firejail/mnt/seccomp.32 (null)
Dual 32/64 bit seccomp filter configured
configuring 138 seccomp entries in /run/firejail/mnt/seccomp
sbox run: /usr/lib/firejail/fseccomp print /run/firejail/mnt/seccomp (null)
seccomp filter configured

Seccomp files:

noroot user namespace installed
Dropping all capabilities
NO_NEW_PRIVS set
VLC media player 2.2.6 Umbrella (revision 2.2.6-0-g1aae78981c)
[00000a67f98b4028] core libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface.

As a check, I made a difference file between the output of the above command with the linux-hardened and linux-hardened-apparmor kernels. As you can see, other than dates/times, there is no appreciable difference:

17,50c17,50
< lrwx------ 1 stupidme stupidme 64 Sep 18 05:43 0 -> /dev/null
< l-wx------ 1 stupidme stupidme 64 Sep 18 05:43 1 -> pipe:[38233]
< lrwx------ 1 stupidme stupidme 64 Sep 18 05:43 2 -> /dev/pts/0
< lr-x------ 1 stupidme stupidme 64 Sep 18 05:43 3 -> /proc/2295/fd
< total 0
< lrwx------ 1 stupidme stupidme 64 Sep 18 05:43 0 -> /dev/null
< l-wx------ 1 stupidme stupidme 64 Sep 18 05:43 1 -> pipe:[38233]
< lrwx------ 1 stupidme stupidme 64 Sep 18 05:43 2 -> /dev/pts/0
< lr-x------ 1 stupidme stupidme 64 Sep 18 05:43 3 -> /proc/2320/fd
< total 0
< lrwx------ 1 stupidme stupidme 64 Sep 18 05:43 0 -> /dev/null
< l-wx------ 1 stupidme stupidme 64 Sep 18 05:43 1 -> pipe:[38233]
< lrwx------ 1 stupidme stupidme 64 Sep 18 05:43 2 -> /dev/pts/0
< lr-x------ 1 stupidme stupidme 64 Sep 18 05:43 3 -> /proc/2326/fd
< total 0
< lrwx------ 1 stupidme stupidme 64 Sep 18 05:43 0 -> /dev/null
< l-wx------ 1 stupidme stupidme 64 Sep 18 05:43 1 -> pipe:[38233]
< lrwx------ 1 stupidme stupidme 64 Sep 18 05:43 2 -> /dev/pts/0
< lr-x------ 1 stupidme stupidme 64 Sep 18 05:43 3 -> /proc/2329/fd
< total 0
< lrwx------ 1 stupidme stupidme 64 Sep 18 05:43 0 -> /dev/null
< l-wx------ 1 stupidme stupidme 64 Sep 18 05:43 1 -> pipe:[38233]
< lrwx------ 1 stupidme stupidme 64 Sep 18 05:43 2 -> /dev/pts/0
< lr-x------ 1 stupidme stupidme 64 Sep 18 05:43 3 -> /proc/2331/fd
< total 0
< lrwx------ 1 stupidme stupidme 64 Sep 18 05:43 0 -> /dev/null
< l-wx------ 1 stupidme stupidme 64 Sep 18 05:43 1 -> pipe:[38233]
< lrwx------ 1 stupidme stupidme 64 Sep 18 05:43 2 -> /dev/pts/0
< lr-x------ 1 stupidme stupidme 64 Sep 18 05:43 3 -> /proc/2336/fd
< total 0
< lrwx------ 1 stupidme stupidme 64 Sep 18 05:43 0 -> /dev/null
< l-wx------ 1 stupidme stupidme 64 Sep 18 05:43 1 -> pipe:[38233]
< lrwx------ 1 stupidme stupidme 64 Sep 18 05:43 2 -> /dev/pts/0
< lr-x------ 1 stupidme stupidme 64 Sep 18 05:43 3 -> /proc/2339/fd
---
> lrwx------ 1 stupidme stupidme 64 Sep 18 05:49 0 -> /dev/null
> l-wx------ 1 stupidme stupidme 64 Sep 18 05:49 1 -> pipe:[38209]
> lrwx------ 1 stupidme stupidme 64 Sep 18 05:49 2 -> /dev/pts/0
> lr-x------ 1 stupidme stupidme 64 Sep 18 05:49 3 -> /proc/2276/fd
> total 0
> lrwx------ 1 stupidme stupidme 64 Sep 18 05:49 0 -> /dev/null
> l-wx------ 1 stupidme stupidme 64 Sep 18 05:49 1 -> pipe:[38209]
> lrwx------ 1 stupidme stupidme 64 Sep 18 05:49 2 -> /dev/pts/0
> lr-x------ 1 stupidme stupidme 64 Sep 18 05:49 3 -> /proc/2278/fd
> total 0
> lrwx------ 1 stupidme stupidme 64 Sep 18 05:49 0 -> /dev/null
> l-wx------ 1 stupidme stupidme 64 Sep 18 05:49 1 -> pipe:[38209]
> lrwx------ 1 stupidme stupidme 64 Sep 18 05:49 2 -> /dev/pts/0
> lr-x------ 1 stupidme stupidme 64 Sep 18 05:49 3 -> /proc/2280/fd
> total 0
> lrwx------ 1 stupidme stupidme 64 Sep 18 05:49 0 -> /dev/null
> l-wx------ 1 stupidme stupidme 64 Sep 18 05:49 1 -> pipe:[38209]
> lrwx------ 1 stupidme stupidme 64 Sep 18 05:49 2 -> /dev/pts/0
> lr-x------ 1 stupidme stupidme 64 Sep 18 05:49 3 -> /proc/2282/fd
> total 0
> lrwx------ 1 stupidme stupidme 64 Sep 18 05:49 0 -> /dev/null
> l-wx------ 1 stupidme stupidme 64 Sep 18 05:49 1 -> pipe:[38209]
> lrwx------ 1 stupidme stupidme 64 Sep 18 05:49 2 -> /dev/pts/0
> lr-x------ 1 stupidme stupidme 64 Sep 18 05:49 3 -> /proc/2284/fd
> total 0
> lrwx------ 1 stupidme stupidme 64 Sep 18 05:49 0 -> /dev/null
> l-wx------ 1 stupidme stupidme 64 Sep 18 05:49 1 -> pipe:[38209]
> lrwx------ 1 stupidme stupidme 64 Sep 18 05:49 2 -> /dev/pts/0
> lr-x------ 1 stupidme stupidme 64 Sep 18 05:49 3 -> /proc/2286/fd
> total 0
> lrwx------ 1 stupidme stupidme 64 Sep 18 05:49 0 -> /dev/null
> l-wx------ 1 stupidme stupidme 64 Sep 18 05:49 1 -> pipe:[38209]
> lrwx------ 1 stupidme stupidme 64 Sep 18 05:49 2 -> /dev/pts/0
> lr-x------ 1 stupidme stupidme 64 Sep 18 05:49 3 -> /proc/2288/fd
260c260
< [000003c40c0205f8] core libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface.
---
> [00000a67f98b4028] core libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface.

Freely admitting I don't completely understand what I should be looking for. In a quick browse of the above debug output, the following stands out:

...........
Mounting noexec /home/stupidme
Mounting noexec /tmp
DISPLAY=:0.0 parsed as 0
SECCOMP Filter
  VALIDATE_ARCHITECTURE_64
  EXAMINE_SYSCALL
  WHITELIST 41 socket
  UNKNOWN ENTRY 20!
  WHITELIST 1 write
  WHITELIST 2 open
  WHITELIST 10 mprotect
  WHITELIST 16 ioctl
  RETURN_ERRNO 95 EOPNOTSUPP
SECCOMP Filter
  VALIDATE_ARCHITECTURE_32
  EXAMINE_SYSCALL
  BLACKLIST 21 access
......

Doing a bit of googling, the above seems to suggest it is somehow related to an "unsupported or incorrectly labelled socket". However, I have to emphasise, I have honestly not got a clue!

Once again, thank you for your interest
Irvine




#6 2017-09-18 07:15:29

seth
Member
Registered: 2012-09-03
Posts: 51,308

Re: [solved] Firejail and seccomp

How does firejail "report seccomp is disabled"? It's clearly using seccomp filters.


#7 2017-09-18 09:39:30

IrvineHimself
Member
From: Scotland
Registered: 2016-08-21
Posts: 275

Re: [solved] Firejail and seccomp

Copy pasted from the Firetools GUI

Home      Shutdown      Join      File Manager      Process Tree      DNS

Command: /usr/bin/firejail /usr/bin/conky -q -c /home/stupidme/.config/conky/conky-cpu-mem-disks.conf 

PID: 1187                       RX: unknown
User: stupidme                  TX: unknown
CPU: 0%                         Seccomp: disabled
Memory: 50876 KiB               Capabilities: 
RSS 28208, shared 22668         User Namespace: enabled
CPU Cores:                      Protocols: disabled

So, it's probably a bug in Firetools as opposed to something wrong with my set-up?

Thanks for your help

Irvine

EDIT:
Does the same apply to Protocols apparently being disabled?

EDIT-2: Thinking about it, I know for a fact Protocols is working because I successfully use protocol unix to disable the internet in some of my custom profiles (not conky, which has RSS feeds).

Last edited by IrvineHimself (2017-09-18 15:03:17)




#8 2017-09-18 13:48:46

seth
Member
Registered: 2012-09-03
Posts: 51,308

Re: [solved] Firejail and seccomp

Firetools is in AUR only - did you update it after the last kernel change/update and firejail update?
(And yes, smells like a GUI bug.)


#9 2017-09-18 15:02:09

IrvineHimself
Member
From: Scotland
Registered: 2016-08-21
Posts: 275

Re: [solved] Firejail and seccomp

I usually check for AUR updates once a day using "Cower", and everything was up to date. As a check, I just re-installed Firetools to no avail.

In view of your expert guidance, and the fact that Protocols is also reported by Firetools as being disabled even though I know for certain it is both enabled and working, I am tentatively going to mark this as solved.

For reference, I just checked that Protocols is indeed enabled and working by creating a custom VLC profile with protocol unix and was unable to search/download subtitles. On the other hand, I had no problems searching/downloading subtitles with the default protocol unix,inet,inet6,netlink setting.

If you know of a similarly easy way of confirming that, despite what Firetools reports, seccomp is both enabled and working, I will file a bug report.

Thanks again, you have been a really big help. Off and on, I have been struggling with this for months.
Irvine




#10 2017-09-18 17:40:01

seth
Member
Registered: 2012-09-03
Posts: 51,308

Re: [solved] Firejail and seccomp

For a quick test edit /etc/firejail/wireshark.profile and uncomment the seccomp line.
Then (as an ordinary user) try to "firejail wireshark" - it should fail now (and not with seccomp commented out).

One would have to write a testcase that makes explicit use of blocked syscalls to check the effective functionality of each, but the above test should at least prove "it's used".

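The testcase seth describes above, written out: a small C program that reports what the kernel itself says about the calling process and then issues syscalls the filter should stop. This is an added example, not code from the thread or from the Firejail project. It assumes only what the debug output in post #5 shows: the 64-bit blacklist contains personality (syscall 135), and the protocol filter answers a disallowed socket family with EOPNOTSUPP (errno 95). The Seccomp and NoNewPrivs values come from /proc/self/status, the kernel's own record of the sandboxed process; each probe runs in a forked child so that a filter which kills on violation only takes the child, and the parent reports whether the call was allowed, refused with an errno, or killed with SIGSYS. The firejail invocations in the header comment use --noprofile so that no profile's noexec on $HOME gets in the way of running a freshly built binary; this also covers the protocol check from post #9.

```c
/* seccomp_probe.c (added example). Build: cc -Wall -o seccomp_probe seccomp_probe.c
 * Run unsandboxed for a baseline, then e.g.
 *   firejail --noprofile --seccomp ./seccomp_probe
 *   firejail --noprofile --protocol=unix ./seccomp_probe */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/personality.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

enum probe_result { PROBE_ALLOWED, PROBE_ERRNO, PROBE_KILLED, PROBE_UNKNOWN };

/* Integer after "key:" in /proc/<pid>/status-style text, -1 if absent. The byte
 * after the key must be ':' so "Seccomp" does not match "Seccomp_filters:". */
long status_field(const char *text, const char *key)
{
    size_t klen = strlen(key);
    const char *p = text;
    while (p && *p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == ':')
            return strtol(p + klen + 1, NULL, 10);
        p = strchr(p, '\n');
        p = p ? p + 1 : NULL;
    }
    return -1;
}

/* Same lookup against our own /proc/self/status. */
long self_status_field(const char *key)
{
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return status_field(buf, key);
}

/* What the filter did to the child that issued the probe syscall. */
enum probe_result classify_wait_status(int status)
{
    if (WIFSIGNALED(status))
        return WTERMSIG(status) == SIGSYS ? PROBE_KILLED : PROBE_UNKNOWN;
    if (WIFEXITED(status))
        return WEXITSTATUS(status) == 0 ? PROBE_ALLOWED : PROBE_ERRNO;
    return PROBE_UNKNOWN;
}

/* personality(0xffffffff) only queries the current persona: harmless when
 * allowed, and syscall 135 in the blacklist printed in post #5. */
int probe_personality(void) { return personality(0xffffffff) == -1 ? -1 : 0; }

/* An AF_INET socket is exactly what a "protocol unix" filter must refuse. */
int probe_inet_socket(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd == -1) return -1;
    close(fd);
    return 0;
}

/* Issue a probe in a forked child so a kill-on-violation filter only takes the
 * child; the child passes errno back through its exit status. */
enum probe_result run_probe(int (*probe)(void), int *err)
{
    *err = 0;
    pid_t pid = fork();
    if (pid < 0)
        return PROBE_UNKNOWN;
    if (pid == 0)
        _exit(probe() == 0 ? 0 : (errno ? errno & 0xff : 1));
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return PROBE_UNKNOWN;
    enum probe_result r = classify_wait_status(status);
    if (r == PROBE_ERRNO)
        *err = WEXITSTATUS(status);
    return r;
}

int main(void)
{
    static const char *words[] = { "allowed", "refused", "killed by SIGSYS", "unknown" };
    struct { const char *name; int (*fn)(void); } probes[] = {
        { "personality(0xffffffff)", probe_personality },
        { "socket(AF_INET, SOCK_DGRAM)", probe_inet_socket },
    };
    printf("Seccomp: %ld [0=off 1=strict 2=filter]  NoNewPrivs: %ld\n",
           self_status_field("Seccomp"), self_status_field("NoNewPrivs"));
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int err;
        enum probe_result r = run_probe(probes[i].fn, &err);
        printf("%-28s %s", probes[i].name, words[r]);
        if (r == PROBE_ERRNO)
            printf(" (errno %d: %s)", err, strerror(err));
        putchar('\n');
    }
    return 0;
}
```

Outside any sandbox both probes come back allowed and Seccomp reads 0. Under firejail --seccomp, Seccomp reads 2 and the personality probe is stopped (refused or killed, depending on the violation action the filter was built with) while the socket probe still passes; under --protocol=unix the socket probe fails with errno 95, matching the RETURN_ERRNO 95 EOPNOTSUPP line in the debug output. A GUI saying "disabled" while this program says otherwise points at the monitor, not at the sandbox.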

#11 2017-09-19 03:19:28

IrvineHimself
Member
From: Scotland
Registered: 2016-08-21
Posts: 275

Re: [solved] Firejail and seccomp

Just installed Wireshark to test whether seccomp is in fact enabled, and can confirm that un-commenting the indicated field does break the firejail profile:

Seccomp commented out:

[stupidme@mine ~]$ firejail wireshark
Reading profile /etc/firejail/wireshark.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Parent pid 26999, child pid 27000
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Blacklist violations are logged to syslog
Child process initialized in 88.18 ms
......
......
Parent is shutting down, bye...
[stupidme@mine ~]$

Seccomp un-commented:

[stupidme@mine ~]$ firejail wireshark
Reading profile /home/stupidme/.config/firejail/wireshark.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Error: invalid syscall list
[stupidme@mine ~]$ 

I still have to drink my morning coffee and read the papers, so it will take me a couple of hours to compose a bug report. When I have done so, I will post a link here.

Thanks for all your help
Irvine

EDIT:
Just filed the bug report here.

Last edited by IrvineHimself (2017-09-19 04:35:22)




#12 2017-09-19 17:20:17

IrvineHimself
Member
From: Scotland
Registered: 2016-08-21
Posts: 275

Re: [solved] Firejail and seccomp

Just a quick update, the extremely helpful Firejail team helped me solve the problem: It was in fact hidepid.

With hidepid un-installed, the Firetools GUI is correctly reporting Seccomp as enabled, and detailing the missing information about cores, protocols, capabilities, etc.

@seth, thanks for all your help and patience

Best regards
Irvine

EDIT:
Added a warning about hidepid to the wiki.

Last edited by IrvineHimself (2017-09-21 06:35:37)



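The resolution in post #12 is about visibility of /proc, not about seccomp. The program below is an added example, not code from the thread or from the Firejail/Firetools projects, and it assumes something the thread only implies: that the GUI derives its per-sandbox figures by reading files under /proc/<pid>/ for the sandboxed processes. It parses the /proc mount options for hidepid= (the value is numeric on the kernels of the thread's era and a word such as "invisible" on newer ones, so it is returned as a string) and then checks whether a given PID's status file can be reached at all, so that "the monitor cannot see the process" is not mistaken for "the process is not sandboxed". The errno mapping follows the kernel's proc permission check: a hidepid=2 mount answers ENOENT for other users' live processes, indistinguishable from a dead PID, while hidepid=1 leaves the directory visible but refuses access.

```c
/* proc_visibility.c (added example). Build: cc -Wall -o proc_visibility proc_visibility.c
 * Run: ./proc_visibility <pid>   (a PID of a sandboxed process, e.g. from firejail --list) */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

enum proc_visibility { PROC_READABLE, PROC_NOT_FOUND, PROC_NOT_PERMITTED, PROC_ERROR };

/* Scan /proc/self/mounts-style text ("source mountpoint fstype options dump pass"
 * per line) for the /proc mount and copy its hidepid= value into out.
 * Returns 1 if the option is set, 0 if /proc is listed without it or not at all. */
int hidepid_of_mounts(const char *mounts, char *out, size_t outlen)
{
    out[0] = '\0';
    const char *line = mounts;
    while (line && *line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        char buf[512];
        if (len < sizeof buf) {
            memcpy(buf, line, len);
            buf[len] = '\0';
            char *save = NULL;
            char *src = strtok_r(buf, " ", &save);
            char *mnt = strtok_r(NULL, " ", &save);
            char *type = strtok_r(NULL, " ", &save);
            char *opts = strtok_r(NULL, " ", &save);
            if (src && mnt && type && opts && strcmp(mnt, "/proc") == 0) {
                char *osave = NULL;
                for (char *o = strtok_r(opts, ",", &osave); o; o = strtok_r(NULL, ",", &osave)) {
                    if (strncmp(o, "hidepid=", 8) == 0) {
                        snprintf(out, outlen, "%s", o + 8);
                        return 1;
                    }
                }
                return 0;
            }
        }
        line = end ? end + 1 : NULL;
    }
    return 0;
}

/* Convenience for one-off checks: the hidepid value, or "" (static buffer). */
const char *hidepid_value(const char *mounts)
{
    static char v[32];
    hidepid_of_mounts(mounts, v, sizeof v);
    return v;
}

/* Same lookup against the live mount table. Returns -1 if it cannot be read. */
int hidepid_of_self(char *out, size_t outlen)
{
    char buf[16384];
    FILE *f = fopen("/proc/self/mounts", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return hidepid_of_mounts(buf, out, outlen);
}

/* Can this user reach /proc/<pid>/status? ENOENT under hidepid=2 looks exactly
 * like a dead PID, so only feed PIDs known to be alive (a monitor gets its list
 * from firejail). EPERM/EACCES means the entry exists but is off limits. */
enum proc_visibility pid_status_visibility(pid_t pid)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%ld/status", (long)pid);
    if (access(path, R_OK) == 0)
        return PROC_READABLE;
    if (errno == ENOENT)
        return PROC_NOT_FOUND;
    if (errno == EPERM || errno == EACCES)
        return PROC_NOT_PERMITTED;
    return PROC_ERROR;
}

int main(int argc, char **argv)
{
    static const char *words[] = { "readable", "not found (hidden or gone)",
                                   "exists but not permitted", "error" };
    char hidepid[32];
    int rc = hidepid_of_self(hidepid, sizeof hidepid);
    printf("/proc hidepid: %s\n", rc < 0 ? "(mount table unreadable)" : rc ? hidepid : "not set");
    pid_t pid = argc > 1 ? (pid_t)atol(argv[1]) : getpid();
    printf("/proc/%ld/status: %s\n", (long)pid, words[pid_status_visibility(pid)]);
    return 0;
}
```

Read together with the seccomp probe: if the probe run inside the jail reports filter mode but a monitor shows "disabled", and this program reports a hidepid value on /proc with the sandbox's PID not readable, the discrepancy is the mount option, which is what the Firejail team pointed the original poster at.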

Powered by FluxBB