
chromium: failure due to AppArmor user namespace errors #6368

Open · 4 of 7 tasks
luckylinux opened this issue Jun 3, 2024 · 11 comments

Comments

@luckylinux

luckylinux commented Jun 3, 2024

Description

Trying to run Chromium results in an AppArmor "DENIED" Message in dmesg.

Steps to Reproduce

Run firejail /usr/bin/chromium in BASH.

Result:

Reading profile /etc/firejail/chromium.profile
Reading profile /etc/firejail/chromium-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 151561, child pid 151562
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Child process initialized in 207.51 ms
[6:6:0603/112348.640246:FATAL:credentials.cc(134)] Check failed: . : Permission denied (13)
[0603/112348.640438:WARNING:exception_handler_server.cc(204)] no ptrace

I also tried to add a Custom AppArmor Profile in /etc/apparmor.d/chromium and issuing systemctl restart apparmor, but this does NOT solve the Issue:

# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"

abi <abi/4.0>,
include <tunables/global>

profile chromium /usr/bin/chromium flags=(unconfined) {
  userns,
}

Expected behavior

Chromium starting normally.

Actual behavior

Chromium refuses to start.

Behavior without a profile

What changed calling LC_ALL=C firejail --noprofile /path/to/program in a
terminal?

It actually works (or at least starts ...)

LC_ALL=C firejail --noprofile /usr/bin/chromium 
Parent pid 169691, child pid 169692
Child process initialized in 16.07 ms
[2:31:0603/112938.212607:ERROR:nss_util.cc(345)] After loading Root Certs, loaded==false: NSS error code: -8018

(chromium:2): IBUS-WARNING **: 11:29:39.142: Unable to connect to ibus: Could not connect: Connection refused

Parent is shutting down, bye...

Additional context

Any other detail that may help to understand/debug the problem

Relevant /etc/sysctl.d/99-userns.conf that might be responsible for the Issue:

# This is needed to run some AppImage (notably Electron Apps)
kernel.unprivileged_userns_clone=1

# However, make sure to restrict their activity
# Setup an AppArmor Profile based on e.g. the following references
# - https://github.com/bitwarden/clients/issues/5153
# - https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
# - https://github.com/johannesjo/super-productivity/issues/3193
# See /etc/apparmor.d/bitwarden for Reference
# Then Issue a systemctl restart apparmor
kernel.apparmor_restrict_unprivileged_userns=1
kernel.apparmor_restrict_unprivileged_userns_complain=0
kernel.apparmor_restrict_unprivileged_userns_force=1

kernel.apparmor_restrict_unprivileged_unconfined=1

kernel.unprivileged_userns_apparmor_policy=1

Relevant dmesg Output:

[ 3138.280909] audit: type=1400 audit(1717407068.562:853): apparmor="DENIED" operation="userns_create" class="namespace" profile="firejail-default" pid=175054 comm="chromium" requested="userns_create" denied="userns_create"
[ 3139.085996] audit: type=1400 audit(1717407069.367:854): apparmor="DENIED" operation="userns_create" class="namespace" profile="firejail-default" pid=175084 comm="chromium" requested="userns_create" denied="userns_create"

Environment

  • Ubuntu 24.04 Noble AMD64
  • Firejail version 0.9.72

firejail --version
firejail version 0.9.72

Compile time support:
	- always force nonewprivs support is disabled
	- AppArmor support is enabled
	- AppImage support is enabled
	- chroot support is enabled
	- D-BUS proxy support is enabled
	- file transfer support is enabled
	- firetunnel support is disabled
	- IDS support is enabled
	- networking support is enabled
	- output logging is enabled
	- overlayfs support is disabled
	- private-home support is enabled
	- private-cache and tmpfs as user enabled
	- SELinux support is enabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled

  • If you use a development version of firejail: No (using Ubuntu Noble Repositories):
Package: firejail                        
Version: 0.9.72-2ubuntu3
State: installed
Automatically installed: no
Priority: optional
Section: universe/utils
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Architecture: amd64
Uncompressed Size: 1.675 k
Depends: libapparmor1 (>= 2.10.95), libc6 (>= 2.38), libselinux1 (>= 3.1~)
Recommends: firejail-profiles, iproute2, iptables, xauth, xdg-dbus-proxy, xpra | xserver-xephyr | xvfb
Conflicts: firejail:i386
Description: sandbox to restrict the application environment
 Firejail is a SUID security sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf.  It allows a process and all its descendants to have their
 own private view of the globally shared kernel resources, such as the network stack, process table, mount table.
Homepage: https://firejail.wordpress.com
Tags: implemented-in::c, interface::commandline, role::program, scope::utility, security::privacy, use::filtering, works-with::software:running
Package: firejail-profiles               
Version: 0.9.72-2ubuntu3
State: installed
Automatically installed: no
Priority: optional
Section: universe/utils
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Architecture: all
Uncompressed Size: 1.708 k
Depends: firejail
Breaks: firejail (< 0.9.46~rc1-1), firejail:i386 (< 0.9.46~rc1-1)
Replaces: firejail (< 0.9.46~rc1-1), firejail:i386 (< 0.9.46~rc1-1)
Description: profiles for the firejail application sandbox
 Firejail is a SUID security sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf.  It allows a process and all its descendants to have their
 own private view of the globally shared kernel resources, such as the network stack, process table, mount table. 
 
 This package contains firejail profiles for various applications.
Homepage: https://firejail.wordpress.com
Tags: role::app-data

Checklist

  • The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • I can reproduce the issue without custom modifications (e.g. globals.local).
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • I have performed a short search for similar issues (to avoid opening a duplicate).
    • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program

output goes here

Output of LC_ALL=C firejail --debug /path/to/program

output goes here
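The two dmesg records in the report are the most useful evidence in this thread: they name the confining AppArmor profile (firejail-default, not the per-binary chromium profile), the command and the denied operation. As an added example, not code from the issue or from the Firejail project, here is a small parser for such type=1400 audit records that groups DENIED events by profile, command and operation. The first two sample lines are the ones quoted in the issue; the third is a constructed seccomp record (type=1326) included only to show that unrelated audit types are skipped.

```python
"""Parse AppArmor audit records (type=1400) out of dmesg text and group the
DENIED events, so a denial like the userns_create one in this issue can be
attributed to a profile, a command and an operation at a glance."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the first two lines are the dmesg records quoted in
# the issue; the third is a made-up seccomp record (type=1326) added only to
# show that non-AppArmor audit types are ignored.
SAMPLE_DMESG = """\
[ 3138.280909] audit: type=1400 audit(1717407068.562:853): apparmor="DENIED" operation="userns_create" class="namespace" profile="firejail-default" pid=175054 comm="chromium" requested="userns_create" denied="userns_create"
[ 3139.085996] audit: type=1400 audit(1717407069.367:854): apparmor="DENIED" operation="userns_create" class="namespace" profile="firejail-default" pid=175084 comm="chromium" requested="userns_create" denied="userns_create"
[ 3140.000000] audit: type=1326 audit(1717407070.000:855): auid=1000 uid=1000 pid=175100 comm="chromium" exe="/usr/bin/chromium" sig=31 syscall=41
"""

# Everything after "audit(<secs>.<ms>:<serial>):" is a list of key=value
# fields; values are either double-quoted strings or bare words.
_AUDIT_RE = re.compile(r'type=(\d+)\s+audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Return the audit record as a dict, or None if the line is not one."""
    m = _AUDIT_RE.search(line)
    if not m:
        return None
    rec = {"type": m.group(1), "timestamp": m.group(2), "serial": m.group(3)}
    for key, quoted, bare in _FIELD_RE.findall(m.group(4)):
        rec[key] = quoted if quoted else bare
    return rec


def apparmor_denials(text: str) -> List[Dict[str, str]]:
    """All type=1400 records with apparmor="DENIED", in order of appearance."""
    denials = []
    for line in text.splitlines():
        rec = parse_audit_line(line)
        if rec and rec["type"] == "1400" and rec.get("apparmor") == "DENIED":
            denials.append(rec)
    return denials


def is_userns_denial(rec: Dict[str, str]) -> bool:
    """True for the user-namespace restriction firing: the class="namespace"
    operation="userns_create" shape seen in this issue."""
    return rec.get("class") == "namespace" and rec.get("operation") == "userns_create"


def summarize(denials: List[Dict[str, str]]) -> Dict[Tuple[str, str, str], int]:
    """Count denials by (profile, comm, operation). The profile named in the
    record is the one confining the task, i.e. the policy that decided."""
    return dict(Counter((d.get("profile", "?"), d.get("comm", "?"),
                         d.get("operation", "?")) for d in denials))


if __name__ == "__main__":
    for (profile, comm, op), n in summarize(apparmor_denials(SAMPLE_DMESG)).items():
        print(f'{n}x profile="{profile}" comm="{comm}" operation="{op}"')
```

Run against real output (dmesg or journalctl -k) the grouping makes it obvious which profile a `userns,` rule or a sysctl change would have to apply to; in this report it is firejail-default, which is why a separate /etc/apparmor.d/chromium profile changed nothing.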

@glitsj16
Collaborator

glitsj16 commented Jun 3, 2024

Relevant /etc/sysctl.d/99-userns.conf that might be responsible for the Issue

Is this a file installed by your OS? Or did you add it yourself? Also, please add your OS and firejail version to the report.

For now I see a few ways to try to get chromium to work as expected. Please test the below chromium-common.local overrides one by one and report back the result of each attempt.

  • test 1 [use the dedicated AppArmor profile created by user]

$ cat ~/.config/firejail/chromium-common.local
apparmor /usr/bin/chromium

  • test 2 [disable apparmor]

$ cat ~/.config/firejail/chromium-common.local
ignore apparmor

  • test 3 [allow userns_create capability]

$ cat ~/.config/firejail/chromium-common.local
caps.keep sys_admin,sys_chroot,userns_create
ignore caps.keep

@luckylinux
Author

luckylinux commented Jun 3, 2024

Relevant /etc/sysctl.d/99-userns.conf that might be responsible for the Issue

Is this a file installed by your OS? Or did you add it yourself? Also, please add your OS and firejail version to the report.

Thank you for your quick Answer.

I added the File /etc/sysctl.d/99-userns.conf myself.

According to https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces Ubuntu should enforce AppArmor Profiles by default now, but there were lots of back and forths while trying to have a Hardened GNU/Linux System, especially with Electron Apps refusing to work (particularly Bitwarden AppImage).

Hence I prefer to show the File that reflects the current Configuration.

* test 1 [use the dedicated AppArmor profile created by user]

(More or less) same Result as before

firejail /usr/bin/chromium
Reading profile /etc/firejail/chromium.profile
Reading profile /etc/firejail/chromium-common.profile
Reading profile /home/<username>/.config/firejail/chromium-common.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 411801, child pid 411802
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Child process initialized in 197.58 ms
[6:6:0603/124730.469542:FATAL:credentials.cc(134)] Check failed: . : Permission denied (13)
[0603/124730.469786:WARNING:exception_handler_server.cc(204)] no ptrace

Parent is shutting down, bye...
* test 2 [disable apparmor]

Chromium starts, but Keyboard disabled (GTK_IM_MODULE=xim might solve this, untested).

firejail /usr/bin/chromium
Reading profile /etc/firejail/chromium.profile
Reading profile /etc/firejail/chromium-common.profile
Reading profile /home/<username>/.config/firejail/chromium-common.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 414964, child pid 414965
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Child process initialized in 198.60 ms
[6:38:0603/124832.094464:ERROR:bus.cc(407)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[6:46:0603/124832.174249:ERROR:bus.cc(407)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[6:46:0603/124832.174293:ERROR:bus.cc(407)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[6:91:0603/124832.356952:ERROR:bus.cc(407)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[6:91:0603/124832.357001:ERROR:bus.cc(407)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[6:91:0603/124832.357066:ERROR:bus.cc(407)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[6:91:0603/124832.357091:ERROR:bus.cc(407)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[6:91:0603/124832.357110:ERROR:bus.cc(407)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied

(chromium:6): dbind-WARNING **: 12:48:32.361: Couldn't connect to accessibility bus: Failed to connect to socket /run/user/1000/at-spi/bus_0: No such file or directory
[6:37:0603/124832.791458:ERROR:nss_util.cc(345)] After loading Root Certs, loaded==false: NSS error code: -8018

(chromium:6): IBUS-WARNING **: 12:48:33.936: Unable to connect to ibus: Could not connect: Connection refused

[59:63:0603/124838.791095:ERROR:ssl_client_socket_impl.cc(879)] handshake failed; returned -1, SSL error code 1, net_error -202

(chromium:6): IBUS-WARNING **: 12:49:03.005: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:03.005: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:03.010: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:03.098: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:03.428: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:03.428: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:03.474: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:03.478: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:03.585: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:03.585: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:03.621: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:03.624: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:03.625: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:03.658: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:03.690: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:03.712: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:03.750: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:03.756: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:03.789: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:03.807: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:04.072: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:04.091: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:04.232: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:04.313: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:04.484: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:04.565: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:04.878: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:04.966: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:05.286: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:05.296: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:05.347: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:05.358: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:05.369: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:05.383: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:05.710: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:05.714: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:05.718: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:05.765: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:05.795: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:05.796: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:05.820: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:05.821: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:05.858: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:05.863: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:05.903: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:05.905: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:05.982: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:06.046: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:06.050: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:06.082: Events queue growing too big, will start to drop.

Parent is shutting down, bye...

* test 3 [allow userns_create capability]

Possible Typo in your File? userns_create is not recognized:

firejail /usr/bin/chromium
Reading profile /etc/firejail/chromium.profile
Reading profile /etc/firejail/chromium-common.profile
Reading profile /home/<username>/.config/firejail/chromium-common.local
Error: capability "userns_create" not found

@glitsj16
Collaborator

glitsj16 commented Jun 3, 2024

Thanks for testing.

test 1 [use the dedicated AppArmor profile created by user]

No change, so we can focus on the alternatives.

test 2 [disable apparmor]

For the moment this seems to be the most promising candidate to fix this. Obviously we need to address the keyboard issue. Also, the (new?) SSL-related error is a bit unexpected:

[59:63:0603/124838.791095:ERROR:ssl_client_socket_impl.cc(879)] handshake failed; returned -1, SSL error code 1, net_error -202

test 3 [allow userns_create capability]
Error: capability "userns_create" not found

My bad. I took userns_create straight from your posted dmesg output above. I'll do some more digging, but it would be nice to try dropping the caps option altogether:

$ ~/.config/firejail/chromium-common.profile
ignore caps.keep

To confirm that Firejail can actually sandbox chromium properly in combination with your AppArmor profile we also need to test if it works with our noprofile.profile. This offers the weakest possible sandbox Firejail can apply to a program, and as such is considered useful for debugging purposes only.

$ firejail --profile=noprofile /usr/bin/chromium

Hope we can fix this properly and securely :)

@luckylinux
Author

luckylinux commented Jun 3, 2024

Thanks for testing.

Thanks for helping me 👍.

test 2 [disable apparmor]

For the moment this seems to be the most promising candidate to fix this. Obviously we need to address the keyboard issue. Also, the (new?) SSL-related error is a bit unexpected:

[59:63:0603/124838.791095:ERROR:ssl_client_socket_impl.cc(879)] handshake failed; returned -1, SSL error code 1, net_error -202

Nah ... I omitted some part of the Logs, because it concerns a self-signed SSL Certificate (default OPNSense self-signed SSL Certificate). I assume this is also related to that.

test 3 [allow userns_create capability]
Error: capability "userns_create" not found

My bad. I took userns_create straight from your posted dmesg output above. I'll do some more digging, but it would be nice to try dropping the caps option altogether:

$ ~/.config/firejail/chromium-common.profile
ignore caps.keep

Now you are suggesting a different File (~/.config/firejail/chromium-common.profile vs the previous ~/.config/firejail/chromium-common.local). Is this intentional?

If I do it with ~/.config/firejail/chromium-common.local (same filename as before) containing just ignore caps.keep I get:

firejail /usr/bin/chromium
Reading profile /etc/firejail/chromium.profile
Reading profile /etc/firejail/chromium-common.profile
Reading profile /home/<username>/.config/firejail/chromium-common.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 767989, child pid 767990
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Child process initialized in 203.60 ms
[6:6:0603/144024.125859:FATAL:credentials.cc(134)] Check failed: . : Permission denied (13)
[0603/144024.126059:WARNING:exception_handler_server.cc(204)] no ptrace

Parent is shutting down, bye...

With your new proposed Filename (~/.config/firejail/chromium-common.profile) I get instead (with the same Contents):

firejail /usr/bin/chromium
Reading profile /etc/firejail/chromium.profile
Reading profile /home/<username>/.config/firejail/chromium-common.profile
Parent pid 769740, child pid 769741
Child process initialized in 17.33 ms

(chromium:6): GLib-GIO-ERROR **: 12:40:56.561: No GSettings schemas are installed on the system
[0603/124056.561860:WARNING:exception_handler_server.cc(204)] no ptrace

Parent is shutting down, bye...

To confirm that Firejail can actually sandbox chromium properly in combination with your AppArmor profile we also need to test if it works with our noprofile.profile. This offers the weakest possible sandbox Firejail can apply to a program, and as such is considered useful for debugging purposes only.

$ firejail --profile=noprofile /usr/bin/chromium
firejail --profile=noprofile /usr/bin/chromium
Reading profile /etc/firejail/noprofile.profile
Parent pid 783142, child pid 783143
Warning: cannot open source file /usr/lib/x86_64-linux-gnu/firejail/seccomp.debug32, file not copied
Child process initialized in 7.89 ms

(chromium:2): IBUS-WARNING **: 14:45:12.658: Unable to connect to ibus: Could not connect: Connection refused
[2:30:0603/144512.828720:ERROR:nss_util.cc(345)] After loading Root Certs, loaded==false: NSS error code: -8018

Parent is shutting down, bye...

Chromium starts, but Keyboard isn't working.

The following makes the Keyboard also work, although not sure about this being a long-term Solution:

GTK_IM_MODULE=xim firejail --profile=noprofile /usr/bin/chromium
Reading profile /etc/firejail/noprofile.profile
Parent pid 791417, child pid 791418
Warning: cannot open source file /usr/lib/x86_64-linux-gnu/firejail/seccomp.debug32, file not copied
Child process initialized in 6.74 ms
[2:31:0603/144748.043764:ERROR:nss_util.cc(345)] After loading Root Certs, loaded==false: NSS error code: -8018

(chromium:2): Gdk-WARNING **: 14:47:49.009: gdk_window_set_user_time called on non-toplevel


(chromium:2): Gdk-WARNING **: 14:47:49.141: gdk_window_set_user_time called on non-toplevel


(chromium:2): Gdk-WARNING **: 14:47:49.380: gdk_window_set_user_time called on non-toplevel


(chromium:2): Gdk-WARNING **: 14:47:49.545: gdk_window_set_user_time called on non-toplevel


Parent is shutting down, bye...

For Reference, the File /usr/lib/x86_64-linux-gnu/firejail/seccomp.debug32 does NOT exist.
Contents of the Folder (ls -la /usr/lib/x86_64-linux-gnu/firejail):

drwxr-xr-x   2 root root     30 Jun  2 17:21 .
drwxr-xr-x 202 root root   4392 Jun  2 18:21 ..
-rwxr-xr-x   1 root root  35200 Apr 16 05:09 fbuilder
-rwx--x--x   1 root root  22848 Apr 16 05:09 fcopy
-rwxr-xr-x   1 root root  22840 Apr 16 05:09 fids
-rwxr-xr-x   1 root root   6826 Apr 16 05:09 firejail-welcome.sh
-rwx--x--x   1 root root  18816 Apr 16 05:09 fldd
-rwx--x--x   1 root root  35208 Apr 16 05:09 fnet
-rwx--x--x   1 root root  14640 Apr 16 05:09 fnetfilter
-rwx--x--x   1 root root  31408 Apr 16 05:09 fnettrace
-rwx--x--x   1 root root  14648 Apr 16 05:09 fnettrace-dns
-rwx--x--x   1 root root  14720 Apr 16 05:09 fnettrace-icmp
-rwx--x--x   1 root root  14648 Apr 16 05:09 fnettrace-sni
-rwx--x--x   1 root root  80368 Apr 16 05:09 fseccomp
-rwx--x--x   1 root root  22912 Apr 16 05:09 fsec-optimize
-rwx--x--x   1 root root  31104 Apr 16 05:09 fsec-print
-rwx--x--x   1 root root   1811 Apr 16 05:09 fshaper.sh
-rwxr-xr-x   1 root root  14640 Apr 16 05:09 ftee
-rwxr-xr-x   1 root root  14640 Apr 16 05:09 fzenity
-rw-r--r--   1 root root  14480 Apr 16 05:09 libpostexecseccomp.so
-rw-r--r--   1 root root  18576 Apr 16 05:09 libtracelog.so
-rw-r--r--   1 root root  27448 Apr 16 05:09 libtrace.so
-rwxr-xr-x   1 root root  22832 Apr 16 05:09 profstats
-rw-r--r--   1 root root    640 Apr 16 05:09 seccomp
-rw-r--r--   1 root root    432 Apr 16 05:09 seccomp.32
-rw-r--r--   1 root root    120 Apr 16 05:09 seccomp.block_secondary
-rw-r--r--   1 root root    616 Apr 16 05:09 seccomp.debug
-rw-r--r--   1 root root    280 Apr 16 05:09 seccomp.mdwx
-rw-r--r--   1 root root    272 Apr 16 05:09 seccomp.mdwx.32
-rw-r--r--   1 root root 132290 Apr 16 05:09 static-ip-map

Hope we can fix this properly and securely :)

I also hope that. I was NOT using ANY sandboxing until now 👎, but given how many exploits and vulnerabilities there are, "hoping" is NOT a Plan.

I also read that firejail is probably insecure on its own (due to the setuid bit etc), and Bubblewrap / bwrap might be better and so on ... Yet Bubblewrap isn't really User-friendly IMHO 😞, so at least firejail should be a good additional Layer of Protection ... at least for the foreseeable Future.

This isn't yet taking care of X11 Sandboxing of course. Launching firejail with --x11=xpra doesn't work (it just crashes), while I could play around a bit yesterday and got it to work with Thunderbird (firejail --x11=xephyr thunderbird).

@glitsj16
Collaborator

glitsj16 commented Jun 3, 2024

Observations on your latest round of testing:

test 2 [disable apparmor]

Glad to read that the SSL-related output isn't a breakage factor.

test 3 [allow userns_create capability]

Good that you caught my mistake, it was indeed the intention to test with ~/.config/firejail/chromium-common.local. Now we've confirmed that it's not a fix, we can skip this option.

noprofile.profile

Good news! Happy that this is working, regardless of the keyboard side-issue. Now it's a matter of tracking down the culprit option(s) and implementing a proper, secure chromium sandbox.

Regarding that keyboard aspect, having to use GTK_IM_MODULE=xim isn't that uncommon or insecure. You will need this, now as well as in a future Firejail release. Because we don't know if, nor which IM module users prefer to use, it would be pointless to put this environment variable in the profile. But you as user definitely can. The supported syntax for doing so is documented in the man page, but rather straightforward: env GTK_IM_MODULE=xim.

For Reference File /usr/lib/x86_64-linux-gnu/firejail/seccomp.debug32 does NOT exist.

Due to Firejail's support for both 32bit and 64bit OSes this is a common and ignorable output on a 64bit system. I realize that it's hard to distinguish at first between what's okay and what's not in (some of) the more verbose (debug) output Firejail can throw. Your keen eye for details (e.g. like catching on to my mistakes), context-awareness during this troubleshooting session, etcetera, that indicates you're going to do just fine with sandboxing. Whether using Firejail or alternative tech, that's not for me to decide or try to influence by glossing over some 'facts' about the limitations of such endeavours.

Which brings us to the setuid topic. Users should be very much aware of the implications of running a SUID binary, be it firejail, pkexec, sudo, su or others. Yes, all of these well-known other layers we use without giving it much thought, are also setuid/setgid. Reading up is always something to be stimulated. And it's not getting any less complex/complicated 'out there' is it? :)
As far as Firejail is concerned, there are documented mitigations. Here are some links on that topic:

* [SUID and mitigations](https://firejail.wordpress.com/documentation-2/basic-usage/#suid)
* [Does firejail improve the security of my system? thoughts by @rusty-snake #4601](https://github.com/netblue30/firejail/discussions/4601)
* [Delimitate execution permissions for firejail #5288](https://github.com/netblue30/firejail/issues/5288)
* [docs: mention risk of SUID binaries and also firejail-users(5) #5290](https://github.com/netblue30/firejail/pull/5290)

X11 Sandboxing

Definitely a powerful set of options. And there's also Wayland getting more and more polished for daily use. Sadly, Firejail's --x11=xorg option doesn't work for chromium (and xterm). There's some more context provided in man firejail on this topic.

That's it for now. Enjoy!

@luckylinux
Author

luckylinux commented Jun 3, 2024

noprofile.profile

Good news! Happy that this is working, regardless of the keyboard side-issue. Now it's a matter of tracking down the culprit option(s) and implement a proper, secure chromium sandbox. Regarding that keyboard aspect, having to use GTK_IM_MODULE=xim isn't that uncommon or insecure. You will need this, now as well as in a future Firejail release. Because we don't know if, nor which IM module users prefer to use, it would be pointless to put this environment variable in the profile. But you as user definitely can. The supported syntax for doing so is documented in the man page, but rather straightforward: env GTK_IM_MODULE=xim.

Isn't this something that can be set on a "global" level? I'm tempted to say ~/.bashrc and/or ~/.bash_profile, but since this is firejail-specific, maybe there is a way for a "common" include (like for instance /etc/firejail/disable-common.inc, but NOT for disabling stuff and in my User Folder)?

I think geany, chromium, thunderbird and probably several others are affected by the same Issue.

Which brings us to the setuid topic. Users should be very much aware of the implications of running a SUID binary, be it firejail, pkexec, sudo, su or others. Yes, all of these well-known other layers we use without giving it much thought, are also setuid/setgid. Reading up is always something to be stimulated. And it's not getting any less complex/complicated 'out there' is it? :) As far as Firejail is concerned, there are documented mitigations. Here are some links on that topic:

* [SUID and mitigations](https://firejail.wordpress.com/documentation-2/basic-usage/#suid)

* [Does firejail improve the security of my system? thoughts by @rusty-snake #4601](https://github.com/netblue30/firejail/discussions/4601)

* [Delimitate execution permissions for firejail #5288](https://github.com/netblue30/firejail/issues/5288)

* [docs: mention risk of SUID binaries and also firejail-users(5) #5290](https://github.com/netblue30/firejail/pull/5290)

Actually I set force-nonewprivs yes in /etc/firejail/firejail.config.
Maybe the Chromium Issue is related to this actually (although kernel.unprivileged_userns_clone=1 and NOT 0)?

Although I find it a bit weird that this isn't something "standardized" in the "normal" (shipped) Chromium profile, isn't it?

X11 Sandboxing

Definitely a powerful set of options. And there's also Wayland getting more and more polished for daily use. Sadly, Firejail's --x11=xorg option doesn't work for chromium (and xterm). There's some more context provided in man firejail on this topic.
Wayland isn't very well supported by NVIDIA Drivers and I have (mostly) NVIDIA GPUs.
They seem to be getting better lately, so I might give it a try.

I just sense that it's going to maybe fix 1 Issue while creating 10 new ones 😞.

That's it for now. Enjoy!

Thanks for your help 👍.

I guess, as usual, it's like opening a Pandora's Box. You know where you start, you do NOT know where you end up 😆.

@glitsj16
Collaborator

glitsj16 commented Jun 3, 2024

Follow-up

Not my best day apparently. There's something I have overlooked.

I also tried to add a Custom AppArmor Profile in /etc/apparmor.d/chromium and Issuing systemctl restart apparmor but this does NOT solve the Issue

To actually test this in combination with Firejail's apparmor option there are two conditions that need to be fulfilled:

  • the custom AA profile referenced in chromium-common.local needs to be loaded into the kernel prior to starting the sandbox;
  • the proper option to instruct Firejail to use that custom AA profile instead of its default version.

So, if you're up for it (doesn't have to be right now of course), you might try this again. After all, if it's possible, that would provide the 'ideal' fix.

(1) the Firejail part (we've done similarly above)

$ cat ~/.config/firejail/chromium-common.local
apparmor /usr/bin/chromium

(2) the AppArmor part

# use proper AA naming scheme
$ sudo mv /etc/apparmor.d/chromium /etc/apparmor.d/usr.bin.chromium

# purge AA cache
$ sudo apparmor_parser --purge-cache

Additionally, to absolutely make sure this AA profile makes it into kernelspace, a reboot is advised instead of restarting the apparmor.service.

Fingers crossed!

@glitsj16
Collaborator

glitsj16 commented Jun 3, 2024

GTK_IM_MODULE=xim

Isn't this something that can be set on a "global" level ? I'm tempted to say ~/.bashrc and/or ~/.bash_profile, but since this is firejail-specific, maybe there is a way for a "common" include (like for instance /etc/firejail/disable-common.inc, but NOT for disabling stuff and in my User Folder) ?

Absolutely. Like two sides of a coin. Do it in your desktop environment via shell configuration like you mentioned (per-user) or (system-wide) via /etc/bash.bashrc. Additionally try setting it in Firejail's sandbox. Easiest is using ~/.config/firejail/globals.local. That way it'll get included in (almost) all profiles and - as far as I can see - doing so won't break sandboxed CLI programs that don't need it. That globals.local is a very powerful built-in override. If you don't have one yet, my guess is you'll soon see its advantages and create one :)

force-nonewprivs

Actually I set force-nonewprivs yes in /etc/firejail/firejail.config.

That's a wise decision. But be/stay aware of the implications. Wireshark for example will break under these conditions. Likely others, but very few. And the settings in firejail.config aren't run-time ones, hence a bit awkward to override. Alternatively you can keep the default in firejail.config and set it in the aforementioned globals.local. Less hassle, same effect. Just my $ 0.02 :)

Believe it or not, but I don't use Chromium and don't even have it installed. Just a personal thing, unrelated to security and/or sandboxing. TL;DR can't be sure if enforcing nonewprivs is the cause of all this. But I'd definitely try that!

Ciao
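
Putting the two pieces of the procedure from this thread together (the follow-up above on getting a custom AppArmor profile loaded before the sandbox starts, and the globals.local / chromium-common.local overrides just described), here is an added shell example that is not part of this issue or of the Firejail project. It writes the two override files into a directory of your choosing, looks up whether a named AppArmor profile is loaded and in which mode by parsing the kernel's profile listing, and reads the apparmor_restrict_unprivileged_userns sysctl that this issue revolves around. The function names, the constructed listing used by the demo and the temp-file layout are my own; the paths /sys/kernel/security/apparmor/profiles and /proc/sys/kernel/apparmor_restrict_unprivileged_userns are the real kernel interfaces.

```shell
#!/bin/sh
# Added example, not code from the Firejail project or from this thread.
# Pre-flight checks for a Firejail sandbox that references a custom AppArmor
# profile: is the profile actually loaded in the kernel, in which mode, and does
# the kernel restrict unprivileged user namespaces? Default paths are the real
# kernel interfaces; the demo at the bottom feeds constructed files instead so
# that it runs anywhere.

# aa_profile_mode NAME [LISTING]
# Prints the mode ("enforce", "complain", ...) of AppArmor profile NAME as
# listed in /sys/kernel/security/apparmor/profiles (one "name (mode)" per line).
# Prints nothing and returns 1 if the profile is not loaded.
aa_profile_mode() {
    listing=${2:-/sys/kernel/security/apparmor/profiles}
    [ -r "$listing" ] || return 1
    mode=$(awk -v want="$1" '
        {
            m = $NF; sub(/^\(/, "", m); sub(/\)$/, "", m)   # "(enforce)" -> "enforce"
            n = $0;  sub(/ \([^)]*\)$/, "", n)              # strip trailing " (mode)"
            if (n == want) { print m; exit }                # exact name match, not a regex
        }' "$listing")
    [ -n "$mode" ] || return 1
    printf '%s\n' "$mode"
}

# userns_restricted [SYSCTL_FILE]
# Returns 0 when kernel.apparmor_restrict_unprivileged_userns is 1, i.e. the
# kernel refuses unprivileged user namespaces unless an AppArmor profile grants
# them; returns 1 when the sysctl is 0 or does not exist on this kernel.
userns_restricted() {
    f=${1:-/proc/sys/kernel/apparmor_restrict_unprivileged_userns}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# write_firejail_overrides DIR
# Writes the two per-user override files discussed in the thread into DIR
# (normally ~/.config/firejail). globals.local is included by almost every
# profile; chromium-common.local only by the Chromium family of profiles.
write_firejail_overrides() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/globals.local" <<'EOF'
# applied to (almost) all sandboxes
env GTK_IM_MODULE=xim
# per-profile alternative to force-nonewprivs in /etc/firejail/firejail.config
nonewprivs
EOF
    cat > "$dir/chromium-common.local" <<'EOF'
# use the custom AppArmor profile shipped as /etc/apparmor.d/usr.bin.chromium
apparmor /usr/bin/chromium
EOF
}

# preflight NAME [LISTING] [SYSCTL_FILE]
# Prints a one-line verdict and returns 0 only when NAME is loaded in enforce
# mode. A profile the kernel never saw is exactly the situation the follow-up
# above warns about: Firejail is told to use a profile that is not loaded.
preflight() {
    name=$1
    mode=$(aa_profile_mode "$name" "$2") || {
        echo "FAIL: AppArmor profile $name is not loaded (reload with apparmor_parser -r, or reboot)"
        return 1
    }
    if userns_restricted "$3"; then
        echo "note: unprivileged user namespaces are restricted; $name must grant userns"
    fi
    echo "OK: $name loaded in $mode mode"
    [ "$mode" = "enforce" ]
}

# Demo with constructed input: a fake profiles listing and a fake sysctl file.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' 'firejail-default (enforce)' '/usr/bin/chromium (enforce)' > "$tmp/profiles"
    echo 1 > "$tmp/userns"
    write_firejail_overrides "$tmp/firejail"
    preflight /usr/bin/chromium "$tmp/profiles" "$tmp/userns"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo
```

On a real host, source the file and call `preflight /usr/bin/chromium` with no extra arguments to read the live kernel state right before running `firejail /usr/bin/chromium`; a FAIL verdict means the AppArmor side of the setup is incomplete regardless of what the Firejail profile says.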

@luckylinux
Author

Additionally, to absolutely make sure this AA profile makes it into kernelspace, a reboot is advised instead of restarting the apparmor.service.

Fingers crossed!

I tried all of this (minus the reboot part) and this is the Result (NOT working - yet):

GTK_IM_MODULE=xim firejail /usr/bin/chromium
Reading profile /etc/firejail/chromium.profile
Reading profile /etc/firejail/chromium-common.profile
Reading profile /home/<username>/.config/firejail/chromium-common.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 1322122, child pid 1322150
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Child process initialized in 200.21 ms
[6:6:0603/173442.316373:FATAL:credentials.cc(134)] Check failed: . : Permission denied (13)
[0603/173442.316594:WARNING:exception_handler_server.cc(204)] no ptrace

Parent is shutting down, bye...

Will try to Reboot at some Point ...

@luckylinux
Author

Believe it or not, but I don't use Chromium and don't even have it installed. Just a personal thing, unrelated to security and/or sandboxing. TL;DR can't be sure if enforcing nonewprivs is the cause of all this. But I'd definitely try that!

Thanks again 👍.

To be honest I use Firefox as my Daily Driver, but I sometimes need a "Backup" to cross-check some of the weird Issues I sometimes encounter with Firefox (SSL Certificates, Authentication, Cache of Credentials, etc).

@kmk3 kmk3 changed the title Chromium not allowed by AppArmor chromium: failure due to AppArmor user namespace errors Aug 23, 2024
@gcqmkm02

I have the same problem with the flatpak.
After running
sd sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
the flatpaks work.
