Bug#920768: firejail --join no longer works

2019-01-28 Thread Vincent Lefevre
On 2019-01-29 01:12:36 +0100, Reiner Herrmann wrote:
> Can you maybe change your startup script to check that no firejail with
> your intended name ("firefox") is already running (or wait until it's
> terminated)?

This is what I eventually did, while it was actually more complex,
because when there's an existing sandbox, the script must still
open a URL in the running Firefox.

Now, there's still an issue:

zira:~> firejail --list
4207:vinc17:firefox:/usr/bin/firejail --quiet --name=firefox --env=BROWSER=firefox-esr firefox-esr
4701:vinc17::/usr/bin/firejail --quiet --join=firefox firefox-esr

but...

zira:~> firejail --join=firefox true
Switching to pid 4223, the first child process inside the sandbox
Error: no valid sandbox
zsh: exit 1 firejail --join=firefox true

zira:~> firejail --debug --join=firefox true
Building quoted command line: 'true' 
Extracted command #'true' #
Switching to pid 4223, the first child process inside the sandbox
Error: no valid sandbox
zsh: exit 1 firejail --debug --join=firefox true

zira:~> ps -fC firejail
UID        PID  PPID  C STIME TTY          TIME CMD
vinc17    4207  4206  0 02:33 ?        00:00:00 /usr/bin/firejail --quiet --name=firefox --env=BROWSER=firefox-esr firefox-esr
vinc17    4223  4207  0 02:33 ?        00:00:00 /usr/bin/firejail --quiet --name=firefox --env=BROWSER=firefox-esr firefox-esr
root      4701  4700  0 02:34 ?        00:00:00 /usr/bin/firejail --quiet --join=firefox firefox-esr

What is this root process???

Concerning the processes related to firejail:

  vinc17 │   ├─> 4206  /bin/sh -c firefox --start
  vinc17 │   │ └─> 4207  /usr/bin/firejail --quiet --name=firefox --env=BROWSER=firefox-esr firefox-esr
  vinc17 │   │   └─> 4223  /usr/bin/firejail --quiet --name=firefox --env=BROWSER=firefox-esr firefox-esr
  vinc17 │   ├─> 4700  /bin/sh -c firefox --start
  root   │   │ └─> 4701  /usr/bin/firejail --quiet --join=firefox firefox-esr
  vinc17 │   │   └─> 4717  firefox-esr

firejail seems to be affected by a race condition.

FYI, my current firefox script:


#!/usr/bin/env zsh

opt=join
unset env

if [[ $1 == --start ]] then

  shift
  firejail --list | grep -q '^[^:]*:[^:]*:firefox:'

  if [[ $pipestatus == "0 1" ]] then

    opt=name
    env="--env=BROWSER=firefox-esr"

  fi

fi

exec /usr/bin/firejail --quiet --$opt=firefox $env firefox-esr "$@"


-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
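
Added example, not part of the original thread: a stricter version of the `firejail --list` check discussed above, which matches the name field exactly and also flags a sandbox that asked for one name but is registered under another (the `firefox-1` case). The function names are hypothetical, and the `PID:USER:NAME:COMMAND` layout is assumed from the `--list` lines quoted in this thread.

```sh
#!/bin/sh
# Added example (not from the thread). Input format assumed from the
# `firejail --list` lines quoted in this thread: PID:USER:NAME:COMMAND

# Constructed sample, assembled from --list lines quoted in this thread.
sample_list() {
cat <<'EOF'
4207:vinc17:firefox:/usr/bin/firejail --quiet --name=firefox --env=BROWSER=firefox-esr firefox-esr
4701:vinc17::/usr/bin/firejail --quiet --join=firefox firefox-esr
20396:vinc17:firefox-1:/usr/bin/firejail --quiet --name=firefox --env=BROWSER=firefox-esr firefox-esr
EOF
}

# exact_pids NAME: PIDs whose name field is exactly NAME (no prefix match,
# so "firefox-1" never satisfies a request for "firefox").
exact_pids() {
    awk -F: -v want="$1" '$3 == want { print $1 }'
}

# renamed_sandboxes: print "PID REQUESTED ACTUAL" for each sandbox that was
# started with --name=REQUESTED but is registered under a different name.
renamed_sandboxes() {
    awk -F: '{
        cmd = $0
        sub(/^[^:]*:[^:]*:[^:]*:/, "", cmd)  # command may itself contain ":"
        n = split(cmd, arg, " ")
        for (i = 1; i <= n; i++)
            if (arg[i] ~ /^--name=/) {
                req = substr(arg[i], 8)      # text after "--name="
                if (req != $3) print $1, req, $3
                break
            }
    }'
}

# safe_target NAME: print the one PID registered as NAME; fail if there is
# none, more than one, or a renamed sandbox that also asked for NAME.
safe_target() {
    list=$(cat)
    pids=$(printf '%s\n' "$list" | exact_pids "$1")
    clash=$(printf '%s\n' "$list" | renamed_sandboxes | awk -v want="$1" '$2 == want')
    [ -n "$pids" ] || return 1
    [ "$(printf '%s\n' "$pids" | wc -l)" -eq 1 ] || return 1
    [ -z "$clash" ] || return 1
    printf '%s\n' "$pids"
}

# Live use (hypothetical wrapper): pid=$(firejail --list | safe_target firefox) || exit 1
```

The check and the later `--join` or `--put` remain two separate steps, so a wrapper built on this should pass the returned PID (which `--join` also accepts) rather than the name.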



Bug#920768: firejail --join no longer works

2019-01-28 Thread Reiner Herrmann
Control: retitle -1 sandbox automatically renamed if requested name already in use
Control: forwarded -1 https://github.com/netblue30/firejail/issues/2376
Control: tags -1 + upstream

On Tue, Jan 29, 2019 at 01:05:45AM +0100, Vincent Lefevre wrote:
> > For some reason there seems to be a short-lived sandbox called firefox
> > created, and at the same time another one.
> 
> This occurred when I restarted Firefox. If the old sandbox takes time
> to terminate, then this could explain the problem. But in this case,
> I would expect firejail to fail, not to create a sandbox with a wrong
> name.

I agree. Automatic renaming is not documented and one can not really
expect that it changes the name.
I noticed that there is a warning on the terminal if that happens
("Warning: Sandbox name changed to firefox-1"), but users might start it
via script or the desktop and will not see the warning.
I opened an issue upstream to change this behaviour.
Thanks for the report!

Kind regards,
   Reiner




Bug#920768: firejail --join no longer works

2019-01-28 Thread Reiner Herrmann
On Tue, Jan 29, 2019 at 01:05:45AM +0100, Vincent Lefevre wrote:
> > It creates a firefox-1, if a sandbox called firefox was already existing
> > at the time it is created.
> 
> This is not what is documented:
> 
>    --name=name
>           Set  sandbox  name. Several options, such as --join
>           and --shutdown, can use this  name  to  identify  a
>           sandbox.
> 
>           Example:
>           $ firejail --name=mybrowser firefox
> 
> If it creates a sandbox under the wrong name, this would at least be
> a security issue, as --put would send files to the wrong sandbox!

Right, it's missing the bit that it can't use the same name multiple
times and will choose another one, if it's already existing.
I will fix the documentation upstream.

> > For some reason there seems to be a short-lived sandbox called firefox
> > created, and at the same time another one.
> 
> This occurred when I restarted Firefox. If the old sandbox takes time
> to terminate, then this could explain the problem. But in this case,
> I would expect firejail to fail, not to create a sandbox with a wrong
> name.

This could indeed be an explanation, if it happens during restart.
The old sandbox is not yet fully terminated and cleaned up while the new
one already is starting up (and sees that the name is already in use, so
it selects a different one).

Can you maybe change your startup script to check that no firejail with
your intended name ("firefox") is already running (or wait until it's
terminated)?

Kind regards,
  Reiner




Bug#920768: firejail --join no longer works

2019-01-28 Thread Vincent Lefevre
On 2019-01-29 00:57:03 +0100, Reiner Herrmann wrote:
> On Tue, Jan 29, 2019 at 12:52:16AM +0100, Vincent Lefevre wrote:
> > On 2019-01-29 00:43:43 +0100, Reiner Herrmann wrote:
> > > I'm not yet able to reproduce it.
> > 
> > I can reproduce the problem, but not always.
> > 
> > > Is your firefox-esr by chance a symlink back to firejail?
> > > Can you please run:  ls -l $(which firefox-esr)
> > 
> > lrwxrwxrwx 1 root root 30 2018-06-27 00:33:25 /usr/bin/firefox-esr -> ../lib/firefox-esr/firefox-esr*
> > 
> > In my $HOME/bin, I have a script "firefox" that does:
> > 
> > exec /usr/bin/firejail --quiet --name=firefox --env=BROWSER=firefox-esr firefox-esr "$@"
> > 
> > This is how I start Firefox.
> 
> Can you please describe how you are calling your script?

Normally via fvwm, with the configuration:

*FvwmButtons(1x1, Icon firefox.png, Action Exec "Navigator" firefox)

> (Can you please also check "ls -l $(which firefox)", just to make sure
> that your script is the first one to be called.)

-rwxr-xr-x 1 vinc17 vinc17 267 2019-01-29 01:06:10 /home/vinc17/bin/firefox*

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)



Bug#920768: firejail --join no longer works

2019-01-28 Thread Vincent Lefevre
On 2019-01-29 00:48:00 +0100, Reiner Herrmann wrote:
> On Tue, Jan 29, 2019 at 12:40:11AM +0100, Vincent Lefevre wrote:
> > > What does "firejail --list" show?
> > 
> > 20396:vinc17:firefox-1:/usr/bin/firejail --quiet --name=firefox --env=BROWSER=firefox-esr firefox-esr
> > 
> > But why is it called firefox-1? I have requested --name=firefox.
> > This makes no sense.
> 
> It creates a firefox-1, if a sandbox called firefox was already existing
> at the time it is created.

This is not what is documented:

   --name=name
          Set  sandbox  name. Several options, such as --join
          and --shutdown, can use this  name  to  identify  a
          sandbox.

          Example:
          $ firejail --name=mybrowser firefox

If it creates a sandbox under the wrong name, this would at least be
a security issue, as --put would send files to the wrong sandbox!

> For some reason there seems to be a short-lived sandbox called firefox
> created, and at the same time another one.

This occurred when I restarted Firefox. If the old sandbox takes time
to terminate, then this could explain the problem. But in this case,
I would expect firejail to fail, not to create a sandbox with a wrong
name.

> That's why I asked in the other mail if your firefox-esr is maybe a
> symlink to firejail.
> 
> Perhaps some debug information will give more clues.
> Can you (after shutting down firefox) run the same command, but with
> --debug as an argument at the beginning?

When the problem occurs, I get:

Reading profile /etc/firejail/firefox-esr.profile
Autoselecting /bin/zsh as shell
Building quoted command line: 'firefox-esr' 
Command name #firefox-esr#
Found firefox-esr.profile profile in /etc/firejail directory
Reading profile /etc/firejail/firefox.profile
Found firefox.profile profile in /etc/firejail directory
Reading profile /etc/firejail/firefox-common.profile
Found firefox-common.profile profile in /etc/firejail directory
Reading profile /etc/firejail/disable-common.inc
Found disable-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-devel.inc
Found disable-devel.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-interpreters.inc
Found disable-interpreters.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-programs.inc
Found disable-programs.inc profile in /etc/firejail directory
Reading profile /etc/firejail/whitelist-common.inc
Found whitelist-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/whitelist-var-common.inc
Found whitelist-var-common.inc profile in /etc/firejail directory
Warning: networking feature is disabled in Firejail configuration file
Warning: Sandbox name changed to firefox-1
DISPLAY=:0 parsed as 0
Parent pid 22807, child pid 22808
[...]

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)



Bug#920768: firejail --join no longer works

2019-01-28 Thread Reiner Herrmann
On Tue, Jan 29, 2019 at 12:52:16AM +0100, Vincent Lefevre wrote:
> On 2019-01-29 00:43:43 +0100, Reiner Herrmann wrote:
> > I'm not yet able to reproduce it.
> 
> I can reproduce the problem, but not always.
> 
> > Is your firefox-esr by chance a symlink back to firejail?
> > Can you please run:  ls -l $(which firefox-esr)
> 
> lrwxrwxrwx 1 root root 30 2018-06-27 00:33:25 /usr/bin/firefox-esr -> ../lib/firefox-esr/firefox-esr*
> 
> In my $HOME/bin, I have a script "firefox" that does:
> 
> exec /usr/bin/firejail --quiet --name=firefox --env=BROWSER=firefox-esr firefox-esr "$@"
> 
> This is how I start Firefox.

Can you please describe how you are calling your script?
Just by running "firefox" in a shell?
(Can you please also check "ls -l $(which firefox)", just to make sure
that your script is the first one to be called.)
Or by absolute path $HOME/bin/firefox? Or by using a desktop
shortcut (double-click?)?




Bug#920768: firejail --join no longer works

2019-01-28 Thread Vincent Lefevre
On 2019-01-29 00:43:43 +0100, Reiner Herrmann wrote:
> I'm not yet able to reproduce it.

I can reproduce the problem, but not always.

> Is your firefox-esr by chance a symlink back to firejail?
> Can you please run:  ls -l $(which firefox-esr)

lrwxrwxrwx 1 root root 30 2018-06-27 00:33:25 /usr/bin/firefox-esr -> ../lib/firefox-esr/firefox-esr*

In my $HOME/bin, I have a script "firefox" that does:

exec /usr/bin/firejail --quiet --name=firefox --env=BROWSER=firefox-esr firefox-esr "$@"

This is how I start Firefox.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)



Bug#920768: firejail --join no longer works

2019-01-28 Thread Reiner Herrmann
On Tue, Jan 29, 2019 at 12:40:11AM +0100, Vincent Lefevre wrote:
> > What does "firejail --list" show?
> 
> 20396:vinc17:firefox-1:/usr/bin/firejail --quiet --name=firefox --env=BROWSER=firefox-esr firefox-esr
> 
> But why is it called firefox-1? I have requested --name=firefox.
> This makes no sense.

It creates a firefox-1, if a sandbox called firefox was already existing
at the time it is created.
For some reason there seems to be a short-lived sandbox called firefox
created, and at the same time another one.

That's why I asked in the other mail if your firefox-esr is maybe a
symlink to firejail.

Perhaps some debug information will give more clues.
Can you (after shutting down firefox) run the same command, but with
--debug as an argument at the beginning?




Bug#920768: firejail --join no longer works

2019-01-28 Thread Reiner Herrmann
Control: tags -1 severity important

(lowering severity as I don't think that the package becomes unusable,
even if --join was not working.)

On Tue, Jan 29, 2019 at 12:33:51AM +0100, Vincent Lefevre wrote:
> On 2019-01-29 00:19:45 +0100, Vincent Lefevre wrote:
> > I have a firefox in firejail:
> > 
> > zira:~> ps -fC firejail
> > UID        PID  PPID  C STIME TTY          TIME CMD
> > vinc17    3524  3523  0 Jan28 ?        00:00:00 /usr/bin/firejail --quiet --name=firefox --env=BROWSER=firefox-esr firefox-esr
> > vinc17    3525  3524  0 Jan28 ?        00:00:00 /usr/bin/firejail --quiet --name=firefox --env=BROWSER=firefox-esr firefox-esr
> > 
> > But it is no longer possible to join it:
> > 
> > zira:~> firejail --join=firefox true
> > Error: cannot find sandbox firefox
> > zsh: exit 1 firejail --join=firefox true
> 
> Downgrading firejail to 0.9.56-2 solves the problem.

I'm not yet able to reproduce it.

In shell 1:
$ firejail --name=firefox bash
...

In shell 2:
$ firejail --list
15093:reiner:firefox:firejail --name=firefox bash
$ firejail --join=firefox
Switching to pid 15094, the first child process inside the sandbox
Child process initialized in 8.91 ms
$

Is your firefox-esr by chance a symlink back to firejail?
Can you please run:  ls -l $(which firefox-esr)

Kind regards,
  Reiner




Bug#920768: firejail --join no longer works

2019-01-28 Thread Vincent Lefevre
On 2019-01-29 00:28:33 +0100, Reiner Herrmann wrote:
> On Tue, Jan 29, 2019 at 12:19:45AM +0100, Vincent Lefevre wrote:
> > I have a firefox in firejail:
> > 
> > zira:~> ps -fC firejail
> > UID        PID  PPID  C STIME TTY          TIME CMD
> > vinc17    3524  3523  0 Jan28 ?        00:00:00 /usr/bin/firejail --quiet --name=firefox --env=BROWSER=firefox-esr firefox-esr
> > vinc17    3525  3524  0 Jan28 ?        00:00:00 /usr/bin/firejail --quiet --name=firefox --env=BROWSER=firefox-esr firefox-esr
> > 
> > But it is no longer possible to join it:
> > 
> > zira:~> firejail --join=firefox true
> > Error: cannot find sandbox firefox
> > zsh: exit 1 firejail --join=firefox true
> 
> What does "firejail --list" show?

20396:vinc17:firefox-1:/usr/bin/firejail --quiet --name=firefox --env=BROWSER=firefox-esr firefox-esr

But why is it called firefox-1? I have requested --name=firefox.
This makes no sense.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)



Bug#920768: firejail --join no longer works

2019-01-28 Thread Vincent Lefevre
On 2019-01-29 00:19:45 +0100, Vincent Lefevre wrote:
> I have a firefox in firejail:
> 
> zira:~> ps -fC firejail
> UID        PID  PPID  C STIME TTY          TIME CMD
> vinc17    3524  3523  0 Jan28 ?        00:00:00 /usr/bin/firejail --quiet --name=firefox --env=BROWSER=firefox-esr firefox-esr
> vinc17    3525  3524  0 Jan28 ?        00:00:00 /usr/bin/firejail --quiet --name=firefox --env=BROWSER=firefox-esr firefox-esr
> 
> But it is no longer possible to join it:
> 
> zira:~> firejail --join=firefox true
> Error: cannot find sandbox firefox
> zsh: exit 1 firejail --join=firefox true

Downgrading firejail to 0.9.56-2 solves the problem.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)



Bug#920768: firejail --join no longer works

2019-01-28 Thread Reiner Herrmann
On Tue, Jan 29, 2019 at 12:19:45AM +0100, Vincent Lefevre wrote:
> I have a firefox in firejail:
> 
> zira:~> ps -fC firejail
> UID        PID  PPID  C STIME TTY          TIME CMD
> vinc17    3524  3523  0 Jan28 ?        00:00:00 /usr/bin/firejail --quiet --name=firefox --env=BROWSER=firefox-esr firefox-esr
> vinc17    3525  3524  0 Jan28 ?        00:00:00 /usr/bin/firejail --quiet --name=firefox --env=BROWSER=firefox-esr firefox-esr
> 
> But it is no longer possible to join it:
> 
> zira:~> firejail --join=firefox true
> Error: cannot find sandbox firefox
> zsh: exit 1 firejail --join=firefox true

What does "firejail --list" show?

Regards,
  Reiner




Bug#920768: firejail --join no longer works

2019-01-28 Thread Vincent Lefevre
Package: firejail
Version: 0.9.58-1
Severity: grave
Justification: renders package unusable

I have a firefox in firejail:

zira:~> ps -fC firejail
UID        PID  PPID  C STIME TTY          TIME CMD
vinc17    3524  3523  0 Jan28 ?        00:00:00 /usr/bin/firejail --quiet --name=firefox --env=BROWSER=firefox-esr firefox-esr
vinc17    3525  3524  0 Jan28 ?        00:00:00 /usr/bin/firejail --quiet --name=firefox --env=BROWSER=firefox-esr firefox-esr

But it is no longer possible to join it:

zira:~> firejail --join=firefox true
Error: cannot find sandbox firefox
zsh: exit 1 firejail --join=firefox true

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=POSIX (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages firejail depends on:
ii  libapparmor1  2.13.2-5
ii  libc6         2.28-5

Versions of packages firejail recommends:
ii  firejail-profiles  0.9.58-1
ii  iproute2           4.20.0-2
ii  iptables           1.8.2-3
ii  xauth              1:1.0.10-1
ii  xpra               2.4.3+dfsg1-1

firejail suggests no packages.

-- no debconf information