Hi there, I'm creating a firejail profile for a socket browser (see https://bbs.archlinux.org/viewtopic.php?id=263121).
Installed firejail version: firejail 0.9.64.2-1
Now, the profile is still basic, but it works until I open a page.
The profile:
# Firejail profile for weaver
# Description: socket controlled web browser from: https://code.jessemcclure.org/weaver
# This file is overwritten after every install/update
# Persistent global definitions
#include globals.local
# Persistent local customizations
include weaver.local
# weaver used dirs.
noblacklist ${HOME}/.cache/weaver
noblacklist ${HOME}/.config/weaver
noblacklist ${HOME}/.local/weaver
# weaver socket
noblacklist /run/user/1000/weaver
# if dirs. are not created, create and whitelist them
mkdir ${HOME}/.cache/weaver
whitelist ${HOME}/.cache/weaver
mkdir ${HOME}/.config/weaver
whitelist ${HOME}/.config/weaver
blacklist /tmp/.X11-unix
blacklist ${RUNUSER}/wayland-*
include /etc/firejail/whitelist-common.inc
#include /etc/firejail/default.profile
whitelist /usr/share/doc
include whitelist-usr-share-common.inc
caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6,netlink
seccomp
The result is what you want to see; here's the command without firejail:
$weaver
Listening on socket "/run/user/1000/weaver"
The program running with the profile. I still need to work around 'protocol'; if I add it to the profile, it fails (at the moment).
$firejail --protocol=unix,inet,inet6,netlink --profile=~/.config/firejail/weaver.profile weaver
Reading profile /home/mark/.config/firejail/weaver.profile
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Warning: two protocol lists are present, "unix,inet,inet6,netlink" will be installed
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Parent pid 1011353, child pid 1011354
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Child process initialized in 59.02 ms
Listening on socket "/run/user/1000/weaver"
If I actually try to run a page I get the following error message:
I looked at just about all existing profiles in '/etc/firejail' and tried a lot, but I can't find a solution.
This is the message:
$weaver open-window https://bbs.archlinux.org
Error: QLocalSocket::ConnectionRefusedError
Appreciate your input, thanks.
edit: updated firejail, tested the new version with the above profile (same result) and added the installed version (above).
edit2: Oh my, simply commenting out 'include whitelist-runuser-common.inc' solved my issue; the page is opening.
I updated the profile above into the working one; it's just a start and nowhere near finished.
---------------------------
edit3: I pasted the updated profile above; the 'protocol' warning is solved, it was inherited.
You can now run it with
firejail --profile=weaver.profile weaver
The actual (new) output from the terminal:
$firejail --profile=~/.config/firejail/weaver.profile weaver
Reading profile /home/mark/.config/firejail/weaver.profile
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Parent pid 82884, child pid 82885
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Child process initialized in 31.92 ms
Listening on socket "/run/user/1000/weaver"
If you have more hardening suggestions please share, thanks.
Last edited by qinohe (2021-02-03 20:38:31)
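The mechanism behind the edit2 fix, as an added example that is not part of the original post or of firejail itself: a small Python model of firejail's whitelist and blacklist semantics. In firejail, once any entry beneath a "top" directory such as ${RUNUSER} is whitelisted, that directory is replaced by a tmpfs holding only the whitelisted entries, so `include whitelist-runuser-common.inc` hides /run/user/1000/weaver, and `noblacklist` cannot bring it back because it only cancels `blacklist` lines. Dropping the include restores the socket, and so does keeping the include and adding `whitelist ${RUNUSER}/weaver`, which preserves the hardening of the rest of ${RUNUSER}. The contents of the include file, the uid 1000 and the home directory /home/mark are assumptions taken from the log above; the model ignores directive ordering and other firejail details.

```python
import fnmatch
import posixpath

# Constructed stand-in for /etc/firejail/whitelist-runuser-common.inc (assumption:
# the real file whitelists a handful of ${RUNUSER} entries; these two are illustrative).
INCLUDES = {
    "whitelist-runuser-common.inc": [
        "whitelist ${RUNUSER}/bus",
        "whitelist ${RUNUSER}/pulse",
    ],
}

# Variable values assumed from the terminal output in the thread.
VARS = {"${HOME}": "/home/mark", "${RUNUSER}": "/run/user/1000"}

# Directories on which firejail can mount a whitelist tmpfs (subset of firejail(1)).
WHITELIST_TOPS = ["/home/mark", "/run/user/1000", "/tmp", "/dev", "/etc", "/opt", "/var", "/usr/share"]


def parse_profile(lines, includes=INCLUDES):
    """Return (directive, expanded_path) pairs, following `include` lines recursively."""
    rules = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directive, arg = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if directive == "include":
            rules.extend(parse_profile(includes.get(posixpath.basename(arg), []), includes))
        elif directive in ("whitelist", "blacklist", "noblacklist"):
            for var, val in VARS.items():
                arg = arg.replace(var, val)
            rules.append((directive, arg))
    return rules


def _top_of(path):
    for top in WHITELIST_TOPS:
        if path == top or path.startswith(top + "/"):
            return top
    return None


def _under(path, directory):
    return path == directory or path.startswith(directory + "/")


def _matches(path, pattern):
    """Glob match on the path itself or on any of its parent directories."""
    while path not in ("", "/"):
        if fnmatch.fnmatchcase(path, pattern):
            return True
        path = posixpath.dirname(path)
    return False


def visible(rules, path):
    """True if `path` survives the profile under this simplified model."""
    # Whitelist: if anything under this top directory is whitelisted, only the
    # whitelisted entries (and the directories leading to them) remain.
    top = _top_of(path)
    if top is not None:
        wl = [p for d, p in rules if d == "whitelist" and _top_of(p) == top]
        if wl and not any(_under(path, p) or _under(p, path) for p in wl):
            return False
    # Blacklist: hidden unless a noblacklist entry covers the path (ordering ignored here).
    for d, pat in rules:
        if d == "blacklist" and _matches(path, pat):
            if not any(d2 == "noblacklist" and _matches(path, p2) for d2, p2 in rules):
                return False
    return True


def check(profile_lines, path):
    return visible(parse_profile(profile_lines), path)


SOCKET = "/run/user/1000/weaver"

# The ${RUNUSER} part of the first profile version from the thread, shortened.
BROKEN = [
    "noblacklist /run/user/1000/weaver",
    "blacklist ${RUNUSER}/wayland-*",
    "include whitelist-runuser-common.inc",
]
# What edit2 did: drop the include.
DROP_INCLUDE = BROKEN[:2]
# Alternative: keep the include and whitelist the socket explicitly.
WHITELIST_SOCKET = BROKEN + ["whitelist ${RUNUSER}/weaver"]

if __name__ == "__main__":
    for name, prof in [("broken", BROKEN), ("drop include", DROP_INCLUDE), ("whitelist socket", WHITELIST_SOCKET)]:
        print(f"{name:17s} socket visible: {check(prof, SOCKET)}  wayland-0 visible: {check(prof, '/run/user/1000/wayland-0')}")
```

The same rule explains the ${HOME} lines of the profile: `whitelist ${HOME}/.config/weaver` together with `whitelist ${HOME}/.cache/weaver` leaves the rest of the home directory (for example ~/.ssh) invisible to the browser, which is the intended hardening effect.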