Strange behaviour with Firejail



  • Hi All !
    I have used the firejail utility to sandbox Vivaldi under Linux Mint 17.3 (64-bit) for many months without problems. All that is necessary is to right-click the icon, choose "Properties" and prefix the launch command (usr/bin/vivaldi-stable %U) with the word "firejail". The version of Vivaldi currently on this system is 1.14.1077.55 (Stable channel) (64-bit).

    I am setting up a new system on another machine to run under Linux Mint 18.3 (64-bit). This is a clean install. I downloaded a fresh copy of Vivaldi. This is 1.14.1077.60 (Stable channel) (64-bit). Firejail was downloaded from the repos, using Synaptic. I have found that Firejail completely blocks the launch of Vivaldi. I have tried both a Desktop launcher and invoking Vivaldi from the "Internet" section of the Main Menu but the effect is the same in both cases.

    As can be seen, the versions of Vivaldi are slightly different and the implication is that the cause of this strange behaviour lies somewhere within the code changes.

    1.14.1077.55 (Stable channel) (64-bit) --- For LM 17.3

    1.14.1077.60 (Stable channel) (64-bit) --- For LM 18.3

    Best regards to all



  • @hatrack Hiya. I continue to successfully use all my browsers, of course including V SS & Stable, in Firejail for a few years. That's in Manjaro KDE now, prior was openSUSE Tumbleweed KDE, prior was Maui. I have a Mint 18.3 KDE VM in my Tower. Later today i shall play with V Stable & FJ in it, see if i can make it work, & post back here if i can help you.

    Just be aware btw, Mint tends to use old [or very old] packages in its repos for many programs... it's one of the many reasons i abandoned Mint a few years ago. With FJ therefore it's possible the Mint repo version is antiquated; i'll check on that too. It's relevant because from FJ version to version many of the *.profile files very substantially change.

    My Manjaro repo version for FJ is 0.9.52-1. Based on its Dev's https://firejail.wordpress.com/download-2/ this is the current version.

    My current Manjaro launchers fyi are:

    Vivaldi-Snapshot:
    firejail -- vivaldi-snapshot --disk-cache-dir=/tmp/vivaldi-snapshot-cache
    
    Vivaldi-Stable:
    firejail -- vivaldi-stable --disk-cache-dir=/tmp/vivaldi-stable-cache
    

    Oh, you said

    setting up a new system on another machine to run under Linux Mint 18.3 (64-bit).

    ...but which DE? KDE, Cinnamon, MATE, Xfce...?



  • The Mint Synaptic version of FJ is 0.9.42-1 -- that's ancient [Oh Mint, how you used to exasperate me with your staleness, which i'm now seeing all over again, thank goodness i moved on].

    ==========================================
    EDITED LATER: No, wrong, it's even worse. That .42 is not the Mint default [i forgot i put that in last year when i created this VM]. The real default in Mint is, laughably, .38 -- OMZ.
    ==========================================

    In my Mint 18.3 KDE VM i installed V-Stable "1.14.1077.60 (Stable channel) (64-bit)", then confirmed that it runs when launched "naked" from the Mint Applications Menu [whose launcher is "/usr/bin/vivaldi-stable %U"].

    Then when trying to run it in FJ, this failure occurred:

    steffie@steffie-VirtualBox ~ $ firejail -- vivaldi-stable
    Reading profile /etc/firejail/default.profile
    Reading profile /etc/firejail/disable-common.inc
    Reading profile /etc/firejail/disable-programs.inc
    Reading profile /etc/firejail/disable-passwdmgr.inc
    
    ** Note: you can use --noprofile to disable default.profile **
    
    Parent pid 13211, child pid 13212
    Child process initialized
    
    No suitable library for HTML5 MP4 (H.264/AAC) video and MP3 audio was
    found, therefore only open codecs will play.
    
    For assistance on how to enable proprietary media, visit:
    
    https://help.vivaldi.com/article/html5-mp4-h-264aac-video-and-mp3-audio-support-under-linux/
    
    
    Parent is shutting down, bye...
    steffie@steffie-VirtualBox ~ $ 
    

    Similarly for V-SS in the VM's FJ:

    steffie@steffie-VirtualBox ~ $ firejail -- vivaldi-snapshot
    Reading profile /etc/firejail/default.profile
    Reading profile /etc/firejail/disable-common.inc
    Reading profile /etc/firejail/disable-programs.inc
    Reading profile /etc/firejail/disable-passwdmgr.inc
    
    ** Note: you can use --noprofile to disable default.profile **
    
    Parent pid 12831, child pid 12832
    Child process initialized
    
    No suitable library for HTML5 MP4 (H.264/AAC) video and MP3 audio was
    found, therefore only open codecs will play.
    
    For assistance on how to enable proprietary media, visit:
    
    https://help.vivaldi.com/article/html5-mp4-h-264aac-video-and-mp3-audio-support-under-linux/
    
    
    Parent is shutting down, bye...
    steffie@steffie-VirtualBox ~ $ 
    

    When launching Stable sans profile, ie, bypassing the obsolete FJ 0.9.42-1 /etc/firejail/default.profile [see Note 1], V DOES launch & run [note that we can see below that the identical codec warning occurs, thus telling us this was NOT the reason for the earlier failures]:

    steffie@steffie-VirtualBox ~ $ firejail --noprofile -- vivaldi-stable
    Parent pid 13247, child pid 13248
    Child process initialized
    
    No suitable library for HTML5 MP4 (H.264/AAC) video and MP3 audio was
    found, therefore only open codecs will play.
    
    For assistance on how to enable proprietary media, visit:
    
    https://help.vivaldi.com/article/html5-mp4-h-264aac-video-and-mp3-audio-support-under-linux/
    
    [2:2:0325/120428.795675:ERROR:gpu_process_transport_factory.cc(1009)] Lost UI shared context.
    [1:10:0325/120428.824933:ERROR:command_buffer_proxy_impl.cc(115)] ContextResult::kFatalFailure: Shared memory handle is not valid
    

    Note 1: Ooh, that's right, FJ .42 is soooo old that back then they did not actually have a dedicated profile for "vivaldi-stable"; they only had "vivaldi-beta.profile" & "vivaldi.profile". My goodness!! That's why trying to launch it with firejail -- vivaldi-stable fails, coz there is NO such profile file in /etc/firejail/, so FJ falls back to merely using /etc/firejail/default.profile, which itself is incompatible with V-Stable.

    Here's the workaround you need to do.

    1. Create this new directory in your /home directory, per the RHS of the following pic.
    2. Copy "vivaldi.profile" from "/etc/firejail/", per LHS of pic.
    3. Paste & rename this copy per the RHS of the following pic.

    0_1521946465145_20180325_002.png

    Now you should find that your V-Stable launches fine with firejail -- vivaldi-stable.

    FWIW, IMO if you desire to continue using Mint, you should at the very least download & install the current versions of Firejail & Firetools from the Dev's site, & ditch Mint's Jurassic versions. FYI, here is FJ .52's contents of "vivaldi-stable.profile":

    # Firejail profile alias for vivaldi
    # This file is overwritten after every install/update
    
    # Redirect
    include /etc/firejail/vivaldi.profile
    

    ...& here's its corresponding "vivaldi.profile":

    # Firejail profile for vivaldi
    # This file is overwritten after every install/update
    # Persistent local customizations
    include /etc/firejail/vivaldi.local
    # Persistent global definitions
    include /etc/firejail/globals.local
    
    noblacklist ${HOME}/.cache/vivaldi
    noblacklist ${HOME}/.config/vivaldi
    
    include /etc/firejail/disable-common.inc
    include /etc/firejail/disable-devel.inc
    include /etc/firejail/disable-programs.inc
    
    mkdir ${HOME}/.cache/vivaldi
    mkdir ${HOME}/.config/vivaldi
    whitelist ${DOWNLOADS}
    whitelist ${HOME}/.cache/vivaldi
    whitelist ${HOME}/.config/vivaldi
    include /etc/firejail/whitelist-common.inc
    include /etc/firejail/whitelist-var-common.inc
    
    caps.keep sys_chroot,sys_admin
    netfilter
    nodvd
    nogroups
    notv
    shell none
    
    disable-mnt
    private-dev
    # private-tmp - problems with multiple browser sessions
    
    noexec ${HOME}
    noexec /tmp
    

    Mint seem to regard Cinnamon as their flagship, & so many people simply say "Mint" when they're using "Mint Cinnamon". It's therefore statistically probable that your Mint is also Cinnamon, so i shall next fire up my Mint 18.3 Cinnamon VM & test V-Stable + FJ therein too.
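
Added example, not part of the post above or of Firejail itself: a shell check for the fallback described in Note 1. It assumes Firejail's documented lookup order (per-user ~/.config/firejail first, then /etc/firejail, then default.profile); the function names and the FJ_USER_DIR / FJ_SYS_DIR override variables are hypothetical, and the sample output is constructed from the lines shown in the post.

```shell
#!/bin/sh
# FJ_USER_DIR and FJ_SYS_DIR are hypothetical overrides so the check can be
# pointed at a scratch directory instead of the live system.
FJ_USER_DIR="${FJ_USER_DIR:-$HOME/.config/firejail}"
FJ_SYS_DIR="${FJ_SYS_DIR:-/etc/firejail}"

# Print the profile expected for program $1: per-user directory first, then
# the system directory. Returns non-zero when only default.profile is left.
fj_expected_profile() {
    for dir in "$FJ_USER_DIR" "$FJ_SYS_DIR"; do
        if [ -f "$dir/$1.profile" ]; then
            printf '%s\n' "$dir/$1.profile"
            return 0
        fi
    done
    printf '%s\n' "$FJ_SYS_DIR/default.profile"
    return 1
}

# Read firejail startup output on stdin; print the first profile it loaded.
fj_loaded_profile() {
    sed -n 's/^[[:space:]]*Reading profile //p' | head -n 1
}

# Succeeds only if the first profile loaded is named after program $1.
# With --noprofile nothing is loaded, so this reports failure as well.
fj_used_dedicated_profile() {
    loaded=$(fj_loaded_profile)
    [ "${loaded##*/}" = "$1.profile" ]
}

# Constructed sample, modelled on the failing launch shown in the post.
fj_sample_output() {
    cat <<'EOF'
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Parent pid 13211, child pid 13212
Child process initialized
Parent is shutting down, bye...
EOF
}

# Only report when run as a script; stays silent when sourced without arguments.
if [ -n "${1:-}" ]; then
    fj_expected_profile "$1" || echo "no dedicated profile for $1" >&2
fi
```

Piping a real launch through the second function, for instance `firejail -- vivaldi-stable 2>&1 | fj_used_dedicated_profile vivaldi-stable`, shows whether the sandbox that started was the generic one.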



  • I've now tested Mint 18.3 Cinnamon, & though i have made it work, i discovered some things which supersede some of my text in my preceding post.

    As per my "EDITED LATER" insertion above, the actual repo default in Mint for FJ is, laughably, .38. That prehistoric version does not have ANY variant of Vivaldi profile file at all. I repeated my "pic procedure" per above again, but using this time the "chromium.profile" from FJ .38's "/etc/firejail/", & then after renaming the copy replacing each operational "chromium" instance with "vivaldi" in the file. That works ... V-Stable then runs in FJ.

    Here it is, ie, this should allow your V-Stable to run in FJ .38 in Mint Cinnamon via /home/hatrack/.config/firejail/vivaldi-stable.profile ... & i expect also the other Mint flavours [note i have not bothered returning to my KDE VM to check].

    # Steffie 25/3/18: Created today by copying FJ .38's Chromium browser profile, then replacing each operational "chromium" instance with "vivaldi" below.
    
    noblacklist ${HOME}/.config/vivaldi
    include /etc/firejail/disable-mgmt.inc
    include /etc/firejail/disable-secret.inc
    include /etc/firejail/disable-common.inc
    
    # chromium is distributed with a perl script on Arch
    # include /etc/firejail/disable-devel.inc
    #
    
    netfilter
    whitelist ${DOWNLOADS}
    whitelist ~/.config/vivaldi
    whitelist ~/.cache/vivaldi
    include /etc/firejail/whitelist-common.inc
    

    MTFBWY.



  • @steffie
    Hi Steffi
    Thank you for all your efforts so far,

    I apologise that I forgot to tell you that the Desktop for my new system running LM 18.3 is Mate.

    I've done a little bit of research myself since my original post and I found that LM 18.3 doesn't even have a profile for Vivaldi at all. I mentioned that I have another system running LM 17.3 and the very latest Stable Vivaldi runs nicely, sandboxed with firejail.

    As an experiment, I copied the Vivaldi profile from the LM 17.3 system and then added this to
    /etc/firejail on the LM 18.3 machine. I invoked Vivaldi from the "Internet" section of the LM menu and Vivaldi started and ran perfectly although there was no mention of running as Superuser (which is normally the case). However, after that one time, Vivaldi will not start at all !

    I've obviously got a real mess here which I do not understand. I am thinking now that perhaps the best plan is to go back to Square ONE, re-install LM 18.3 and then start all over again.

    Fortunately, I'm not in a hurry over this job so, I will wait for the further information from you and only then change anything on the new system.

    Naturally, I'll report progress.

    Thank you very much for your kind assistance --
    Best regards --



  • @hatrack Pls follow my steps per my previous post. If they work for me then they logically should work for you. Repeat -- follow my steps, not a hybrid of your 17.3 steps. No browser should ever be run with superuser privilege; that's most dangerous.



  • @steffie
    Hi Steffi
    I am afraid that I did not make things clear in my last message. I do indeed understand the dangers of running a system which is connected to the outside world whilst in Superuser mode and I never do this.

    In my limited experience, when Vivaldi is run sandboxed by firejail it reports the location to which it is connected --- E.G. Vivaldi Forum --- and then adds (as superuser) in brackets, as shown. I am sure that that message is coming from Vivaldi itself because its functionality is being constrained by firejail. I think it interprets this constraint as being due to a "superuser" command (sudo).

    I understand that sandboxing severely constrains the actions a browser can allow. I have confirmed this (according to my limited understanding) by downloading something and then trying to send this to some directory other than the one nominated for Downloads (which is the only one allowed by firejail). As further confirmation, I have run Vivaldi "Naked" -- I.E. without first invoking firejail. In this mode, I can send a downloaded file to any destination I choose that is capable of accepting it --- E.G. Documents, Pictures.

    My conclusion therefore, is that when Vivaldi presents its message about Superuser, we can take this as an indication that it is indeed running sandboxed and not be otherwise alarmed.

    The macular degeneration has been very bad today --- I think the lesion has swollen further, degrading visual acuity to even more of the retina. So writing each of today's posts has taken a long time. I have very poor stereo perception so my typing is full of the errors produced by hitting two keys at the same time. After every sentence, I have to hunt for these, using a x3 hand lens, because I have great difficulty finding the very thin flashing insertion cursor. I am hoping rest will help so I am not going to do anything until tomorrow.

    I thank you for your kind help and I will report progress.

    Many thanks and Best Regards ---



  • @hatrack I'm most sorry for your MD affliction, & can only wish you well wrt hopefully keeping ongoing deterioration rate as slow as possible. Best wishes.

    Today in my Mint Mate VM i:

    1. updated it to 18.3.
    2. installed V-Stable 1.14.1077.60 (Stable channel) (64-bit)
    3. verified V-Stable runs ok naked.
    4. installed the repo version [massively obsolete] of Firejail; 0.9.38.10.
    5. installed Firetools via my old "firetools_0.9.46_1_amd64.deb" [not latest version, but latest deb installer version i have on hand locally]
    6. created new directory /home/steffie/.config/firejail
    7. copied /etc/firejail/chromium.profile
    8. pasted it into /home/steffie/.config/firejail
    9. renamed file to be /home/steffie/.config/firejail/vivaldi-stable.profile
    10. edited this file by replacing each operational "chromium" instance with "vivaldi" in the file
    11. launched V-Stable via firejail -- vivaldi-stable
    12. confirmed that the now-running V-Stable IS inside FJ, by observing Firetools, per pic below:
      0_1522033365802_20180326_001.png
    13. confirmed that the now-running V-Stable IS inside FJ, by observing in Terminal:
    steffie@steffie-VB-Mint18Sarah ~ $ firejail --list
    8306:steffie:firejail -- vivaldi-stable 
    steffie@steffie-VB-Mint18Sarah ~ $ 
    

    If you can be confident that your installed Mint 18.3 Mate is "good", & if you then apply each of my preceding steps accurately, there is no logical reason i can foresee why you should not enjoy the same success as i have demonstrated over the past two days, in my Mint 18.3 VMs for KDE, Cinnamon & Mate.

    I repeat however that IMO you would be better advised to uninstall the repo's obsolete FJ version & replace it with the latest FJ version via Deb installer downloaded direct from the Dev's site.
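
Added example, not part of the post above or of Firejail itself: steps 6 to 10 as a shell function that builds the per-user profile from a base profile and rewrites only the operational (non-comment) lines. The function names and argument order are hypothetical, and the names passed in are assumed to be plain words such as "chromium" and "vivaldi".

```shell
#!/bin/sh
# usage: fj_derive_profile BASE_PROFILE OLD_NAME NEW_NAME PROGRAM [USER_DIR]
# e.g.   fj_derive_profile /etc/firejail/chromium.profile chromium vivaldi vivaldi-stable
fj_derive_profile() {
    base=$1 old=$2 new=$3 prog=$4
    userdir=${5:-$HOME/.config/firejail}
    dest="$userdir/$prog.profile"

    # The names are spliced into a sed expression, so accept plain words only.
    case "$old$new" in
        ''|*[!A-Za-z0-9_-]*) echo "bad name" >&2; return 2 ;;
    esac
    if [ ! -r "$base" ]; then
        echo "cannot read $base" >&2; return 2
    fi
    # Never overwrite a profile that has already been tuned by hand.
    if [ -e "$dest" ]; then
        echo "$dest already exists" >&2; return 3
    fi

    mkdir -p "$userdir" || return 4
    {
        printf '# Derived from %s ("%s" -> "%s" on non-comment lines)\n' \
            "$base" "$old" "$new"
        # Lines starting with '#' are left untouched, so commented-out
        # directives and notes keep their original wording.
        sed "/^[[:space:]]*#/!s/$old/$new/g" "$base"
    } > "$dest" || return 4
    chmod 600 "$dest"
}

# Print how many non-comment lines of profile $1 still mention name $2.
fj_operational_refs() {
    grep -v '^[[:space:]]*#' "$1" | grep -c -- "$2" || true
}
```

After deriving the profile, `fj_operational_refs` should report 0 for the old name; a launch can then be confirmed with `firejail --list`, as in step 13.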



  • Hi Steffie !
    I feel very remiss at the rate I am reading and replying to your messages. I have spent much of the past 36 hrs lying in a darkened room with a cold flannel over my eyes in the hope this will reduce the swelling. It doesn't seem to have done much but the consolation is that it hasn't made matters worse.

    I'm having terrible difficulty reading this site - - - not a criticism of the site, rather a report on my vision. I have copied everything into a text editor (Pluma). This is set up for white letters on a dark blue background and text size is set to 20 Pt Arial. This works to some extent but Pluma doesn't know what to do with *.png files whilst Clipboard doesn't pick up your item numbers. All-in-all, it's a bit of a Kludge !

    Whilst I have been lying in the darkness, I have been thinking about this whole business and I have reached the sad conclusion that I am not confident that I fully understand your detailed instructions. This arises purely from my vision problems - - - the mental effort involved in trying to decipher some word or phrase which is unfamiliar and only partially resolved visually, leads one to lose the sense of the sentence itself. It is a strange effect, for I read fluently under normal conditions.

    There is no special reason why this new system should have LM 18.3 - - - this arose purely out of my curiosity. My main system runs LM 17.3, which is stable. The latest Vivaldi runs perfectly on this and firejail satisfactorily sandboxes any browser I install. So, I can set the new system up with LM 17.3 and solve all the problems (including those due to my limited vision) in one swoop.

    The only matter remaining is the debt of gratitude I owe to you for your efforts. I do apologise most sincerely for causing so much trouble and can only hope you will pardon me for failing to implement all your work.

    My thanks and best regards to you --



  • @hatrack Oh no, that's really sad news... not for me, but purely for you. Don't feel bad on my behalf; i just enjoy the intellectual challenge of doing these kinds of things [+ given that i'm a fan of both Vivaldi & Firejail i do thus also have a vested interest], and i like trying to help people where possible. I'm simply sad for you that your health is so plainly burdensome & restrictive for you. Wan though the probability of restitution might be, i sincerely offer my best wishes & hopes.



  • @steffie
    Hi Steffie !
    I thank you for your kindness. I've spent another "quiet" day and I plan to start on my revised ideas tomorrow.

    It has been a pleasure to get your detailed advice and my only regret is not being physically able to implement your ideas. I send my very best wishes for your future.

    Best regards --


 
