whalebird: program does not start (AppArmor/private-etc)

[cyberpunkrocker-zero]

Description

Whalebird-4.6.2 does not start using the default whalebird.profile. I had to comment out private-etc and add ignore apparmor to make it work.

Steps to Reproduce

Expected behavior

Actual behavior

Output with the default profile

Reading profile /etc/firejail/whalebird.profile
Reading profile /etc/firejail/electron.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 17300, child pid 17301
13 programs installed in 22.34 ms
Warning: skipping alternatives for private /etc
Private /etc installed in 3.61 ms
Warning: skipping alternatives for private /usr/etc
Warning: skipping fonts for private /usr/etc
Warning: skipping ld.so.cache for private /usr/etc
Warning: skipping ld.so.preload for private /usr/etc
Warning: skipping machine-id for private /usr/etc
Private /usr/etc installed in 0.04 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: not remounting /run/user/1000/gvfs
Child process initialized in 101.68 ms
LaunchProcess: failed to execvp:
/usr/share/whalebird/whalebird
LaunchProcess: failed to execvp:
/usr/share/whalebird/whalebird

Parent is shutting down, bye...

I got past this by adding "ignore apparmor". After that:

Reading profile /etc/firejail/whalebird.profile
Reading profile /etc/firejail/whalebird.local
Reading profile /etc/firejail/electron.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 18285, child pid 18287
13 programs installed in 22.60 ms
Warning: skipping alternatives for private /etc
Private /etc installed in 3.18 ms
Warning: skipping alternatives for private /usr/etc
Warning: skipping fonts for private /usr/etc
Warning: skipping ld.so.cache for private /usr/etc
Warning: skipping ld.so.preload for private /usr/etc
Warning: skipping machine-id for private /usr/etc
Private /usr/etc installed in 0.05 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: not remounting /run/user/1000/gvfs
Child process initialized in 120.38 ms
06:43:22.489 › Error: Can't insert key 2, it violates the unique constraint
    at _AVLTree.insert (/usr/share/whalebird/resources/app.asar/node_modules/binary-search-tree/lib/avltree.js:273:19)
    at AVLTree.insert (/usr/share/whalebird/resources/app.asar/node_modules/binary-search-tree/lib/avltree.js:307:27)
    at Index.insert (/usr/share/whalebird/resources/app.asar/node_modules/nedb/lib/indexes.js:77:15)
    at Index.updateMultipleDocs (/usr/share/whalebird/resources/app.asar/node_modules/nedb/lib/indexes.js:193:12)
    at Index.update (/usr/share/whalebird/resources/app.asar/node_modules/nedb/lib/indexes.js:163:36)
    at Datastore.updateIndexes (/usr/share/whalebird/resources/app.asar/node_modules/nedb/lib/datastore.js:223:29)
    at /usr/share/whalebird/resources/app.asar/node_modules/nedb/lib/datastore.js:632:14
    at /usr/share/whalebird/resources/app.asar/node_modules/nedb/lib/datastore.js:329:14
    at Object.async.eachSeries (/usr/share/whalebird/resources/app.asar/node_modules/async/lib/async.js:130:20)
    at /usr/share/whalebird/resources/app.asar/node_modules/nedb/lib/datastore.js:323:11
06:43:22.536 › System proxy configuration: DIRECT
[23:0813/064322.586788:ERROR:browser_main_loop.cc(267)] Gtk: gtk_widget_add_accelerator: assertion 'GTK_IS_ACCEL_GROUP (accel_group)' failed
[23:0813/064322.586897:ERROR:browser_main_loop.cc(267)] Gtk: gtk_widget_add_accelerator: assertion 'GTK_IS_ACCEL_GROUP (accel_group)' failed
[58:0813/064322.591540:ERROR:angle_platform_impl.cc(44)] Display.cpp:940 (initialize): ANGLE Display::initialize error 12289: Could not create a backing OpenGL context.
[58:0813/064322.591624:ERROR:gl_surface_egl.cc(808)] EGL Driver message (Critical) eglInitialize: Could not create a backing OpenGL context.
[58:0813/064322.591648:ERROR:gl_surface_egl.cc(1430)] eglInitialize OpenGL failed with error EGL_NOT_INITIALIZED, trying next display type
[58:0813/064322.621458:ERROR:angle_platform_impl.cc(44)] Display.cpp:940 (initialize): ANGLE Display::initialize error 12289: Could not create a backing OpenGL context.
[58:0813/064322.621533:ERROR:gl_surface_egl.cc(808)] EGL Driver message (Critical) eglInitialize: Could not create a backing OpenGL context.
[58:0813/064322.621557:ERROR:gl_surface_egl.cc(1430)] eglInitialize OpenGLES failed with error EGL_NOT_INITIALIZED
[58:0813/064322.621579:ERROR:gl_ozone_egl.cc(20)] GLSurfaceEGL::InitializeOneOff failed.
[58:0813/064322.622480:ERROR:viz_main_impl.cc(188)] Exiting GPU process due to errors during initialization
[105:0813/064322.637937:ERROR:sandbox_linux.cc(377)] InitializeSandbox() called with multiple threads in process gpu-process.
[23:0813/064322.722043:ERROR:browser_main_loop.cc(267)] Gdk: gdk_window_thaw_toplevel_updates: assertion 'window->update_and_descendants_freeze_count > 0' failed
Error occurred in handler for 'refresh-accounts': AxiosError: getaddrinfo EAI_AGAIN mastodon.online
    at GetAddrInfoReqWrap.onlookup [as oncomplete] (node:dns:71:26) {
  hostname: 'mastodon.online',
  syscall: 'getaddrinfo',
  code: 'EAI_AGAIN',
  errno: -3001,
  config: {

...and then a very, very long list of json code, I suppose whalebird's internal configuration, and finally:

Error sending from webFrameMain:  Error: Failed to serialize arguments
    at EventEmitter.n.send (node:electron/js2c/browser_init:165:417)
    at EventEmitter.b.send (node:electron/js2c/browser_init:161:2494)
    at /usr/share/whalebird/resources/app.asar/dist/electron/main.js:1:261646
    at Generator.throw (<anonymous>)
    at s (/usr/share/whalebird/resources/app.asar/dist/electron/main.js:1:241903)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)

At that point whalebird started, but couldn't connect anywhere in the net. Commenting out the "private-etc" section in the whalebird.profile fixed this and allowed whalebird to run normally.

Do you need the full output? As I said above it is a very, very, very long file...

Behavior without a profile

What changed calling LC_ALL=C firejail --noprofile /path/to/program in a terminal?

Whalebird started normally.

Additional context

Environment

• Linux distribution and version: Arch Linux
• Firejail version: 0.9.70

Checklist

• The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
• I can reproduce the issue without custom modifications (e.g. globals.local).
• The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
• The profile (and redirect profile if exists) hasn't already been fixed upstream.
• I have performed a short search for similar issues (to avoid opening a duplicate).
• I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
• I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program

output goes here

Output of LC_ALL=C firejail --debug /path/to/program

output goes here

[rusty-snake]

Can you try

ignore apparmor
private-etc ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl

[cyberpunkrocker-zero]

Yeah, thanks for the fast response! That fixed the issue :).
Whalebird runs now normally with firejail.