WelcomeWelcome | FAQFAQ | DownloadsDownloads | WikiWiki

Author Topic: firejail: known incompatibility with TCL?  (Read 1977 times)

Offline GNUser

  • Hero Member
  • *****
  • Posts: 1343
firejail: known incompatibility with TCL?
« on: February 25, 2020, 12:33:32 PM »
I'm trying to get firejail working in TCL 11.0 64-bit.
Source code is here and it's trivial to compile: https://github.com/netblue30/firejail/releases

I compiled both recent versions: 0.9.62 and 0.9.56.2-LTS

For whatever reason, I cannot get either version to work. The error is slightly different depending on the application I try to sandbox. Alas, the errors are cryptic and unhelpful--depending on the application, errors vary from "execpv: No such file" to "Permission denied" to "run modprobe fuse" (even though fuse.tcz is loaded). There seems to be no pattern to the errors, which suggests that there might be more than one thing broken (or a fundamental incompatibility).

I tried both creating an extension as well as copying all the files to the correct places on a running system. I also made sure the handful of binaries have the correct ownership and permissions (root:root, 755, SUID on /usr/local/bin/firejail).

Before I chase my tail too much, is there a known incompatibility between firejail's approach and TCL's kernel or configuration?
« Last Edit: February 25, 2020, 12:53:50 PM by GNUser »

Offline GNUser

  • Hero Member
  • *****
  • Posts: 1343
Re: firejail: known incompatibility with TCL?
« Reply #1 on: February 25, 2020, 06:22:38 PM »
I just re-read my post and realized it's pretty lousy--too many moving parts. Just ignore it.

I'm going to poke at firejail some more when I find the time. If I find out how to make it work--or if I have a decent question--I'll post it here.
« Last Edit: February 25, 2020, 06:24:19 PM by GNUser »

Offline GNUser

  • Hero Member
  • *****
  • Posts: 1343
Re: firejail: known incompatibility with TCL?
« Reply #2 on: February 26, 2020, 06:43:37 AM »
I figured it out, but it's not pretty.

First the good news: Firejail works fine with TCL and its kernel.

Now the bad news: The application profiles that come with firejail (in /usr/local/etc/firejail/), including default.profile, are too strict. I couldn't get a single application to work while sandboxed unless I edited the application's profile to relax things a bit. (I don't want to clutter this post too much, so I'll give specific examples of profile edits in a separate post.)

One directive found in multiple application profiles that causes problems for TCL is private-tmp. This must be because when loading extensions using "mount mode", the application needs access to its files inside /tmp/tcloop/foo.

Since it's already prepared, I'll submit firejail.tcz for Pure64 11.x. I removed private-tmp from all the profiles; otherwise, the profiles are exactly as provided by upstream.

The reason I use TCL is because I appreciate simplicity and intelligibility. Firejail complicates things a bit too much for my taste, so I don't think I'll be using it. I just wanted to understand it.


Offline GNUser

  • Hero Member
  • *****
  • Posts: 1343
Re: firejail: known incompatibility with TCL?
« Reply #3 on: February 26, 2020, 06:49:28 AM »
Here are some example edits that were required in order to use applications in firejail:

gnumeric
In  /usr/local/etc/firejail/disable-common.inc  I needed to comment-out  blacklist ${PATH}/nc

gimp2
In  /usr/local/etc/firejail/gimp.profile  I needed to comment-out  private-bin  and  shell none

a custom AppImage that I use
In  /usr/local/etc/firejail/default.profile  I needed to comment-out all these lines:
seccomp
protocol unix,inet,inet6
caps.drop all
nonewprivs
noroot
include disable-common.inc

Bottomline is that A LOT of tinkering and trial and error was required in order to get applications that normally "just work" to run in firejail.
« Last Edit: February 26, 2020, 06:53:07 AM by GNUser »

Offline GNUser

  • Hero Member
  • *****
  • Posts: 1343
Re: firejail: known incompatibility with TCL?
« Reply #4 on: February 26, 2020, 11:44:35 AM »
My last post on this topic, I promise.

In case other TCL users ever have the need to run an AppImage with a firejail sandbox, here is some information that will help you:
https://github.com/netblue30/firejail/issues/3249