Bug#948656: firejail-profiles: firefox-esr running under firejail does not load correct preferences

2020-03-08 Thread /dev/fra
Hi,

On 08/03/20 15:51:52 CET, Reiner Herrmann wrote:
> I now also saw the same problem with a test profile.
> As it is related to whitelist-usr-share-common.inc, which blacklists
> everything in /usr/share except the directories that are whitelisted,
> [...] 
> So I added "whitelist /usr/share/firefox" to my firefox.profile
> and I no longer saw the problem (I didn't get the popup question
> about default browser, and the correct settings were applied).
> 
> Can you please try this and confirm if this also works for you?

Yes it works! Careful though, on Debian Stable and Testing we have firefox-esr, 
therefore it is /usr/share/firefox-esr that has to be whitelisted.

Cheers
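
The fix above depends on whether the browser's data directory is covered by a whitelist line once whitelist-usr-share-common.inc is included. The following is an added example, not part of the thread and not firejail code: it follows include lines through a set of profile files and tests a path for coverage. The contents of whitelist-usr-share-common.inc and the helper names (list_whitelists, is_covered, make_demo) are constructed for illustration; the three firefox.profile lines are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not firejail code. Profile contents are constructed; the
# three firefox.profile lines are the ones quoted in the thread.

# Print every "whitelist" path reachable from profile $2 in directory $1,
# following "include" lines. The body runs in a subshell, so recursion
# cannot clobber the caller's variables.
list_whitelists() (
    dir=$1 file=$2
    [ -r "$dir/$file" ] || exit 0      # missing include file: skip it
    while read -r kw arg _; do
        case $kw in
            whitelist) printf '%s\n' "$arg" ;;
            include)   list_whitelists "$dir" "$arg" ;;
        esac
    done < "$dir/$file"
)

# Succeed if path $3 is a whitelisted directory or lies below one.
# Matching is per path component: /usr/share/firefox does NOT cover
# /usr/share/firefox-esr.
is_covered() {
    for w in $(list_whitelists "$1" "$2"); do
        case $3 in "$w"|"$w"/*) return 0 ;; esac
    done
    return 1
}

# Build the constructed profile set in a temp dir and print its path.
make_demo() {
    d=$(mktemp -d) || return 1
    echo 'include firefox.profile' > "$d/firefox-esr.profile"
    cat > "$d/firefox.profile" <<'EOF'
whitelist /usr/share/mozilla
whitelist /usr/share/webext
include whitelist-usr-share-common.inc
EOF
    printf 'whitelist /usr/share/%s\n' fonts icons \
        > "$d/whitelist-usr-share-common.inc"   # constructed subset
    echo "$d"
}

demo=$(make_demo)
for p in /usr/share/mozilla /usr/share/firefox-esr; do
    is_covered "$demo" firefox-esr.profile "$p" && s=visible || s=hidden
    echo "$p: $s"
done
rm -rf "$demo"
```

Pointing the first argument at a copy of /etc/firejail runs the same check against installed profiles; whitelist entries that contain globs or spaces are not handled by this sketch.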



Bug#948656: firejail-profiles: firefox-esr running under firejail does not load correct preferences

2020-03-08 Thread Reiner Herrmann
Hi,

thank you for your detailed steps how to reproduce it.

I now also saw the same problem with a test profile.
As it is related to whitelist-usr-share-common.inc, which blacklists
everything in /usr/share except the directories that are whitelisted,
I looked for a directory that could cause this behavior.
After a bit of searching I found that /usr/share/firefox is not
whitelisted. And it contains a few files that seem to be related to
default configuration of firefox.
(Maybe some settings fail to apply, if firefox does not know about
them?)

So I added "whitelist /usr/share/firefox" to my firefox.profile
and I no longer saw the problem (I didn't get the popup question
about default browser, and the correct settings were applied).

Can you please try this and confirm if this also works for you?

Kind regards,
  Reiner

On Sat, Feb 29, 2020 at 04:32:45PM +0100, /dev/fra wrote:
> 1. Create a new firefox test profile, change these preferences
> a. General, Always check if Firefox is your default browser --> Unset
> b. Home, Homepage and new windows --> debian.org
> c. Privacy & Security, Content Blocking --> Strict
> d. Privacy & Security, Allow Firefox to send technical... --> Unset
>   and quit firefox.
> 2. Run such profile with firejail (firejail firefox -P test), note that
> - firefox asks to be set as default browser;
> - indeed preferences a. and d. have been enabled;
> 3. While running the test profile with firejail, change preferences a. and d.
>   so that they are unset, quit firefox;
> 4. Run again the test profile with firejail, preferences set in step 3 have
>   been retained, quit firefox;
> 5. Run the test profile this time without firejail, note that preferences set
>   in step 1 (and 3) remained unchanged, quit firefox;
> 6. Run one more time the test profile with firejail, and note that preferences
>   a. and d. have been enabled once again (like in step 2).




Bug#948656: firejail-profiles: firefox-esr running under firejail does not load correct preferences

2020-02-29 Thread /dev/fra
On 23/01/20 20:48:07 CET, Reiner Herrmann wrote:
> On Thu, Jan 23, 2020 at 08:25:10PM +0100, /dev/fra wrote:
> > Just a quick update, upgrading to firejail-profiles 0.9.62-3 does not fix
> > the issue while downgrading to version 0.9.60-2 does it. So it seems that
> > this issue is definitely caused by a change introduced after 0.9.60-2.
> [...]
> The changes between these two versions were not so big.
> In firefox.profile these two lines are new:
> 
> whitelist /usr/share/mozilla
> include whitelist-usr-share-common.inc

This is it, commenting out the lines above prevents the issue from happening.

For the sake of completeness, the lines added in firefox.profile between 0.9.60-2
and 0.9.62-3 are these:

whitelist /usr/share/mozilla
whitelist /usr/share/webext
include whitelist-usr-share-common.inc

However by commenting them out we get the issue reported in #948558, and maybe 
something more. I noted in fact that also something else gets out of place 
(with this version of firejail), but I couldn't test it further.

Now, the two whitelist entries are clear, I have also quickly skimmed 
whitelist-usr-share-common.inc but I really couldn't say what is causing this 
odd behaviour. I am starting to wonder if the problem might lie in firefox 
itself, because it is like part of the user preferences are set to certain 
defaults should some conditions change.

For example, try this other test:

1. Create a new firefox test profile, change these preferences
a. General, Always check if Firefox is your default browser --> Unset
b. Home, Homepage and new windows --> debian.org
c. Privacy & Security, Content Blocking --> Strict
d. Privacy & Security, Allow Firefox to send technical... --> Unset
  and quit firefox.
2. Run such profile with firejail (firejail firefox -P test), note that
- firefox asks to be set as default browser;
- indeed preferences a. and d. have been enabled;
3. While running the test profile with firejail, change preferences a. and d. so
  that they are unset, quit firefox;
4. Run again the test profile with firejail, preferences set in step 3 have been
  retained, quit firefox;
5. Run the test profile this time without firejail, note that preferences set in
  step 1 (and 3) remained unchanged, quit firefox;
6. Run one more time the test profile with firejail, and note that preferences
  a. and d. have been enabled once again (like in step 2).

So, most of the user preferences are retained but some are altered when firefox
is run with firejail. But I do not understand how and why this happens, given
that user preferences should be just saved in ~/.mozilla/firefox//, a
path that should be accessible by firefox without so much restriction from
firejail.

Cheers



Bug#948656: firejail-profiles: firefox-esr running under firejail does not load correct preferences

2020-01-23 Thread Reiner Herrmann
On Thu, Jan 23, 2020 at 08:25:10PM +0100, /dev/fra wrote:
> Just a quick update, upgrading to firejail-profiles 0.9.62-3 does not fix the 
> issue while downgrading to version 0.9.60-2 does it. So it seems that this 
> issue is definitely caused by a change introduced after 0.9.60-2.

Thanks for the update.
Unfortunately I wasn't able to reproduce that issue yet.

The changes between these two versions were not so big.
In firefox.profile these two lines are new:

whitelist /usr/share/mozilla
include whitelist-usr-share-common.inc

And in firefox-common.profile (included by firefox.profile),
the only effective change (ignoring comments) was the seccomp line to:

seccomp !chroot

Could you maybe install 0.9.62 again and try to figure out which of
these changes is causing your problem?
Maybe also start firejail with the --trace parameter, as it will tell
which files are being accessed by the program.

Kind regards,
  Reiner




Bug#948656: firejail-profiles: firefox-esr running under firejail does not load correct preferences

2020-01-23 Thread /dev/fra
Hi,

Just a quick update, upgrading to firejail-profiles 0.9.62-3 does not fix the 
issue while downgrading to version 0.9.60-2 does it. So it seems that this 
issue is definitely caused by a change introduced after 0.9.60-2.

Cheers,



Bug#948656: firejail-profiles: firefox-esr running under firejail does not load correct preferences

2020-01-12 Thread /dev/fra
Hi,

On 12/01/20 15:43:53 CET, Reiner Herrmann wrote:
> I started with a fresh firefox profile (by using the firejail option
> --private=/foo/bar for a separate/isolated home directory) and then
> changed all of the settings you mentioned.
> Then I restarted firefox, and all my changes were still applied, as
> expected.

My test case is a bit different, I don't need a separate home directory but
instead am just using firejail for a specific ff profile in my home, eventually
whitelisting some folders. But see next for details.

> Can you please give some more information how you are starting firefox
> inside firejail. For example, are you using --private (without
> argument)? In this case it would use only a temporary home directory,
> so all changes would be lost after restart.
> Can you maybe also retry it from a clean profile?
> 
> This is the command I used for testing:
> $ firejail --private=/tmp/ff-home firefox-esr -no-remote

Here is my test:
- run firefox without firejail;
- create a new profile 'test' from about:profiles and close ff;
- run 'firefox-esr -P test', customise preferences and quit;
- run again 'firefox-esr -P test', preferences are the ones previously saved,
  quit ff;
- run 'firejail firefox-esr -P test', preferences are not the ones previously
  saved, see my first e-mail and the output from the shell below;
- run ff without firejail, 'firefox-esr -P test', loaded preferences are
  correct.

Here is the output from the shell:
$ firejail firefox-esr -P test
Reading profile /etc/firejail/firefox-esr.profile
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 15089, child pid 15090
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Post-exec seccomp protector enabled
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Child process initialized in 90.70 ms
Gtk-Message: 16:34:47.781: Failed to load module "appmenu-gtk-module"
Gtk-Message: 16:34:48.761: Failed to load module "appmenu-gtk-module"
Gtk-Message: 16:34:49.086: Failed to load module "appmenu-gtk-module"

Cheers



Bug#948656: firejail-profiles: firefox-esr running under firejail does not load correct preferences

2020-01-12 Thread Reiner Herrmann
Hi,

On Sat, Jan 11, 2020 at 11:54:34AM +0100, /dev/fra wrote:
> With the upgrade to firejail-profiles 0.9.62-2 Firefox ESR running under
> firejail now does not load the correct user preferences.
> 
> In my case these are the Firefox preferences that are altered when using
> firejail:
> 
> # General / Startup
>   - Always check if Firefox is your default browser --> set to enabled
> 
> # General / Language and Appearance / Language
>   - language used to display menus, messages, and notifications --> unset
> 
> # Search
>   - One-Click Search Engines --> Twitter added as Search Engine (??)
> 
> # Privacy and Security / Firefox Data Collection and Use
>   - send technical and interaction data to Mozilla --> set to enabled
>   - install and run studies --> set to enabled
>   - make personalized extension recommendations --> set to enabled

Thanks for the report.
Unfortunately I haven't been able to reproduce it yet.
I tried it with firefox-esr 68.4.1esr-1 and firejail 0.9.62-2.

I started with a fresh firefox profile (by using the firejail option
--private=/foo/bar for a separate/isolated home directory) and then
changed all of the settings you mentioned.
Then I restarted firefox, and all my changes were still applied, as
expected.

Can you please give some more information how you are starting firefox
inside firejail. For example, are you using --private (without
argument)? In this case it would use only a temporary home directory,
so all changes would be lost after restart.
Can you maybe also retry it from a clean profile?

This is the command I used for testing:
$ firejail --private=/tmp/ff-home firefox-esr -no-remote

Kind regards,
  Reiner




Bug#948656: firejail-profiles: firefox-esr running under firejail does not load correct preferences

2020-01-11 Thread /dev/fra
Package: firejail-profiles
Version: 0.9.62-2
Severity: normal

Dear Maintainer,

With the upgrade to firejail-profiles 0.9.62-2 Firefox ESR running under
firejail now does not load the correct user preferences.

In my case these are the Firefox preferences that are altered when using
firejail:

# General / Startup
  - Always check if Firefox is your default browser --> set to enabled

# General / Language and Appearance / Language
  - language used to display menus, messages, and notifications --> unset

# Search
  - One-Click Search Engines --> Twitter added as Search Engine (??)

# Privacy and Security / Firefox Data Collection and Use
  - send technical and interaction data to Mozilla --> set to enabled
  - install and run studies --> set to enabled
  - make personalized extension recommendations --> set to enabled


-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.3.0-3-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages firejail-profiles depends on:
ii  firejail  0.9.62-2

firejail-profiles recommends no packages.

firejail-profiles suggests no packages.

-- no debconf information