Bug#898891: firejail-profiles: firejail --name=... can no longer be used with the firefox profile

2018-10-03 Thread Vincent Lefevre 
On 2018-10-04 00:34:20 +0200, Reiner Herrmann wrote:
> On Thu, Oct 04, 2018 at 12:22:04AM +0200, Vincent Lefevre wrote:
> > So, I downgraded to firejail and firejail-profiles 0.9.54-1... and
> > I could not reproduce the bug!
> > 
> > Perhaps that was bug a that was only occurring in May. :-/
> 
> Interesting. :)  Perhaps it really was related to the Firefox version

No, it appeared that the Firefox version didn't matter at that time.

> or some other library...

Perhaps the problem could appear only under some conditions and
an upgrade made it disappear. Or perhaps a reboot (e.g. in case
something was cached).

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Bug#898891: firejail-profiles: firejail --name=... can no longer be used with the firefox profile

2018-10-03 Thread Reiner Herrmann 
On Thu, Oct 04, 2018 at 12:22:04AM +0200, Vincent Lefevre wrote:
> On 2018-10-03 23:55:03 +0200, Vincent Lefevre wrote:
> > Version: 0.9.56-2
> > 
> > On 2018-10-03 13:43:57 +0200, Reiner Herrmann wrote:
> > > Are you experiencing the issue also with firejail 0.9.56?
> > 
> > No problems with firejail 0.9.56-2. Closing.
> 
> Note: Since upstream was able to reproduce the bug in May, but not
> a few days later, this could also be something similar.
> 
> So, I downgraded to firejail and firejail-profiles 0.9.54-1... and
> I could not reproduce the bug!
> 
> Perhaps that was bug a that was only occurring in May. :-/

Interesting. :)  Perhaps it really was related to the Firefox version
or some other library...

Thanks for retesting and closing it.


signature.asc
Description: PGP signature

Bug#898891: firejail-profiles: firejail --name=... can no longer be used with the firefox profile

2018-10-03 Thread Vincent Lefevre 
On 2018-10-03 23:55:03 +0200, Vincent Lefevre wrote:
> Version: 0.9.56-2
> 
> On 2018-10-03 13:43:57 +0200, Reiner Herrmann wrote:
> > Are you experiencing the issue also with firejail 0.9.56?
> 
> No problems with firejail 0.9.56-2. Closing.

Note: Since upstream was able to reproduce the bug in May, but not
a few days later, this could also be something similar.

So, I downgraded to firejail and firejail-profiles 0.9.54-1... and
I could not reproduce the bug!

Perhaps that was bug a that was only occurring in May. :-/

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Bug#898891: firejail-profiles: firejail --name=... can no longer be used with the firefox profile

2018-10-03 Thread Reiner Herrmann 
Control: tags -1 + unreproducible

Hi Vincent,

On Thu, May 17, 2018 at 11:42:44PM +0200, Vincent Lefevre wrote:
> I've tried on a second machine, with a new Firefox profile.
> Without using firejail or with firejail-profiles 0.9.52-3,
> I get no errors, but with firejail-profiles 0.9.54-1, I can
> still reproduce the failure of the second instance.
> 
> I can also reproduce the failure when using firefox 60.0-1
> instead of firefox-esr 52.8.0esr-1.

Are you experiencing the issue also with firejail 0.9.56?
Unfortunately no upstream developer was able to reproduce it,
so the upstream bug [0] has been closed.
As you seem to be the only person experiencing this issue,
I still need your help to find the cause of it.

Can you try compiling/installing firejail from git
(after uninstalling the Debian package):
 https://github.com/netblue30/firejail.git
And then start a bisection [1] of the commits between git tags
0.9.52 and 0.9.54? Maybe it's possible to figure out what's going
wrong when we find the commit that causes it.

Thanks!

Kind regards,
   Reiner

[0] https://github.com/netblue30/firejail/issues/1947
[1] https://git-scm.com/book/en/v2/Git-Tools-Debugging-with-Git


signature.asc
Description: PGP signature

Bug#898891: firejail-profiles: firejail --name=... can no longer be used with the firefox profile

2018-05-17 Thread Vincent Lefevre 
On 2018-05-17 22:46:05 +0200, Reiner Herrmann wrote:
> I've tried this as well. Started a firefox session with the script, then
> opened another tab by calling the script again with a URL as parameter.
> It opens the tab and the script immediately exits, but with exit status 0.

I've tried on a second machine, with a new Firefox profile.
Without using firejail or with firejail-profiles 0.9.52-3,
I get no errors, but with firejail-profiles 0.9.54-1, I can
still reproduce the failure of the second instance.

I can also reproduce the failure when using firefox 60.0-1
instead of firefox-esr 52.8.0esr-1.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Bug#898891: firejail-profiles: firejail --name=... can no longer be used with the firefox profile

2018-05-17 Thread Reiner Herrmann 
On Thu, May 17, 2018 at 10:35:31PM +0200, Vincent Lefevre wrote:
> On 2018-05-17 18:49:49 +0200, Reiner Herrmann wrote:
> > I'm currently not able to reproduce it.
> 
> You need to run the firefox script twice: The first one, typically
> with no argument (the goal is to restore and use the previous session).
> The second one with a URL in argument, the goal being to open this URL
> in the running Firefox. It is this second instance that now fails with
> firejail.

I've tried this as well. Started a firefox session with the script, then
opened another tab by calling the script again with a URL as parameter.
It opens the tab and the script immediately exits, but with exit status 0.

I'll ask on the upstream bug tracker if someone has the same issue.


signature.asc
Description: PGP signature

Bug#898891: firejail-profiles: firejail --name=... can no longer be used with the firefox profile

2018-05-17 Thread Vincent Lefevre 
On 2018-05-17 18:49:49 +0200, Reiner Herrmann wrote:
> I'm currently not able to reproduce it.

You need to run the firefox script twice: The first one, typically
with no argument (the goal is to restore and use the previous session).
The second one with a URL in argument, the goal being to open this URL
in the running Firefox. It is this second instance that now fails with
firejail.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Bug#898891: firejail-profiles: firejail --name=... can no longer be used with the firefox profile

2018-05-17 Thread Reiner Herrmann 
Hi Vincent,

On Thu, May 17, 2018 at 09:32:20AM +0200, Vincent Lefevre wrote:
> With the previous profiles, I could use the following firefox script:
> 
> exec /usr/bin/firejail --name=firefox firefox-esr "$@"
> 
> and everything was fine. After starting firefox, I could open a
> new URL with it and didn't get any error. For instance:
> 
[...]
> 
> With the new profile, the URL is still opened, but firejail now
> terminates with an exit status 1. For instance:
> 
> cventin:~> firefox http://localhost/
> zsh: exit 1 firefox http://localhost/
> cventin:~[1]>

I'm currently not able to reproduce it.

% cat `which firefox`
#!/bin/sh
exec /usr/bin/firejail --name=firefox firefox-esr "$@"
% firefox --private http://debian.org
Reading profile /etc/firejail/firefox-esr.profile
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 28995, child pid 28996
Warning: An abstract unix socket for session D-BUS might still be
available. Use --net or remove unix from --protocol set.
Post-exec seccomp protector enabled
Warning fseccomp: syscall "ni_syscall" not available on this platform
Warning fseccomp: syscall "umount" not available on this platform
Seccomp list in:
@clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice,
check list: @default-keep, prelist:
adjtimex,clock_adjtime,clock_settime,settimeofday,modify_ldt,lookup_dcookie,perf_event_open,process_vm_writev,delete_module,finit_module,init_module,_sysctl,afs_syscall,create_module,get_kernel_syms,getpmsg,putpmsg,query_module,security,sysfs,tuxcall,uselib,ustat,vserver,ioperm,iopl,kexec_load,kexec_file_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount2,userfaultfd,vhangup,vmsplice,
Child process initialized in 110.13 ms
[...]
Parent is shutting down, bye...
% echo $?
0
%

I assume you are also using the current Firefox ESR version 52 (52.8.0esr-1)?
Are you using any addons or so that could influence the exit code?

Regards,
   Reiner


signature.asc
Description: PGP signature

Bug#898891: firejail-profiles: firejail --name=... can no longer be used with the firefox profile

2018-05-17 Thread Vincent Lefevre 
Package: firejail-profiles
Version: 0.9.54-1
Severity: important

With the previous profiles, I could use the following firefox script:

exec /usr/bin/firejail --name=firefox firefox-esr "$@"

and everything was fine. After starting firefox, I could open a
new URL with it and didn't get any error. For instance:

cventin:~> firefox http://localhost/
Reading profile /etc/firejail/firefox-esr.profile
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: Sandbox name changed to firefox-1
Parent pid 20640, child pid 20641
Blacklist violations are logged to syslog
Child process initialized in 124.80 ms

Parent is shutting down, bye...
cventin:~>

With the new profile, the URL is still opened, but firejail now
terminates with an exit status 1. For instance:

cventin:~> firefox http://localhost/
Reading profile /etc/firejail/firefox-esr.profile
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: Sandbox name changed to firefox-1
Parent pid 22332, child pid 22333
Warning: An abstract unix socket for session D-BUS might still be available. 
Use --net or remove unix from --protocol set.
Post-exec seccomp protector enabled
Warning fseccomp: syscall "ni_syscall" not available on this platform
Warning fseccomp: syscall "umount" not available on this platform
Seccomp list in: 
@clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice,
 check list: @default-keep, prelist: 
adjtimex,clock_adjtime,clock_settime,settimeofday,modify_ldt,lookup_dcookie,perf_event_open,process_vm_writev,delete_module,finit_module,init_module,_sysctl,afs_syscall,create_module,get_kernel_syms,getpmsg,putpmsg,query_module,security,sysfs,tuxcall,uselib,ustat,vserver,ioperm,iopl,kexec_load,kexec_file_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount2,userfaultfd,vhangup,vmsplice,
Child process initialized in 149.79 ms

Parent is shutting down, bye...
zsh: exit 1 firefox http://localhost/
cventin:~[1]>

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 
'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.16.0-1-amd64 (SMP w/12 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=POSIX 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages firejail-profiles depends on:
ii  firejail  0.9.54-1

firejail-profiles recommends no packages.

firejail-profiles suggests no packages.

-- no debconf information