Problem running Firejail [solved]

Hello

Recently, I was advised to run my browser in a sandbox. So I tried Firejail. To be honest, it's the only one I found on Linux. But there's a problem: it doesn't work. Here is what I get in my terminal:

slack@localhost:~$ firejail /home/slack/firefox/firefox %u
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 11725, child pid 11726
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Post-exec seccomp protector enabled
Warning fseccomp: syscall "ni_syscall" not available on this platform
Warning fseccomp: syscall "umount" not available on this platform
Seccomp list in: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice, check list: @default-keep, prelist: adjtimex,clock_adjtime,clock_settime,settimeofday,modify_ldt,lookup_dcookie,perf_event_open,process_vm_writev,delete_module,finit_module,init_module,_sysctl,afs_syscall,create_module,get_kernel_syms,getpmsg,putpmsg,query_module,security,sysfs,tuxcall,uselib,ustat,vserver,ioperm,iopl,kexec_load,kexec_file_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount2,userfaultfd,vhangup,vmsplice,
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Child process initialized in 127.71 ms
Error: no suitable /home/slack/firefox/firefox executable found

Parent is shutting down, bye...

edit: I just came across this site:
https://wiki.debian.org/AppArmor/HowToUse

I do have apparmor installed, but not apparmor-utils. I'm going to install it.
However, I'm afraid of touching Grub as they recommend; I'm afraid my system won't boot anymore after that…

edit: First of all, I still tried an “aa-enforce firejail-default” as root as they recommend, but it doesn't work:

aa-enforce firejail-default
Setting /etc/apparmor.d/firejail-default to enforce mode.

ERROR: Path doesn't start with / or variable: firejail-default

I found part of the solution on this site:

here:

This was also my problem and I fixed it. Step by step:
1. Edit the firejail-default file.
2. Find text like: profile firejail-default flags=(attach_disconnected,mediate_deleted) {
3. Replace the text: profile firejail-default flags=(attach_disconnected,mediate_deleted) { with profile /etc/apparmor.d/firejail-default flags=(attach_disconnected,mediate_deleted) {
4. Save the file.
5. On the console, as root: aa-enforce firejail-default
6. Check the status: aa-status
apparmor module is loaded.
1 profiles are loaded.
1 profiles are in enforce mode.
/etc/apparmor.d/firejail-default
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
Thanks.

It worked for me too; now when I run “aa-enforce firejail-default” it answers:

Setting /etc/apparmor.d/firejail-default to enforce mode.

Then:

root@localhost:~# aa-status
apparmor module is loaded.
26 profiles are loaded.
24 profiles are in enforce mode.
   /etc/apparmor.d/firejail-default
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-previewer//sanitized_helper
   /usr/bin/evince-thumbnailer
   /usr/bin/evince-thumbnailer//sanitized_helper
   /usr/bin/evince//sanitized_helper
   /usr/bin/man
   /usr/lib/cups/backend/cups-pdf
   /usr/lib/telepathy/mission-control-5
   /usr/lib/telepathy/telepathy-*
   /usr/lib/telepathy/telepathy-*//pxgsettings
   /usr/lib/telepathy/telepathy-*//sanitized_helper
   /usr/lib/telepathy/telepathy-ofono
   /usr/sbin/cups-browsed
   /usr/sbin/cupsd
   /usr/sbin/cupsd//third_party
   /usr/sbin/ntpd
   libreoffice-senddoc
   libreoffice-soffice//gpg
   libreoffice-xpdfimport
   man_filter
   man_groff
   system_tor
2 profiles are in complain mode.
   libreoffice-oopslash
   libreoffice-soffice
4 processes have profiles defined.
4 processes are in enforce mode.
   /usr/lib/telepathy/mission-control-5 (1549) 
   /usr/sbin/cups-browsed (9018) 
   /usr/sbin/cupsd (9016) 
   /usr/sbin/ntpd (712) 
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

But when I try a “firejail /home/slack/firefox/firefox %u” I still get the same error as the one described above.

OK, so the problem comes from Firefox beta. Firejail refuses to work with it but works perfectly with Firefox ESR. So I'm going to uninstall Firejail, too bad.
But otherwise, to make it work, you simply had to run a:

root@localhost:~# firecfg
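
Added example (not part of the original post): a small shell helper that reads `aa-status` output like the listings above and reports whether the Firejail AppArmor profile is loaded in enforce or complain mode. It checks both `firejail-default` and `/etc/apparmor.d/firejail-default`, the name the profile is listed under after the edit quoted in the post; the function names and the sample text are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# profile_mode NAME: read `aa-status` text on stdin and print
# "enforce", "complain" or "absent" for the profile called NAME.
profile_mode() {
    awk -v want="$1" '
        /profiles are in enforce mode/  { section = "enforce";  next }
        /profiles are in complain mode/ { section = "complain"; next }
        /^[0-9]+ /                      { section = "";         next }
        section != "" {
            name = $0
            sub(/^[ \t]+/, "", name); sub(/[ \t]+$/, "", name)
            if (name == want) { print section; found = 1; exit }
        }
        END { if (!found) print "absent" }
    '
}

# firejail_profile_mode: same input. Tries the stock profile name first,
# then the path-style name that aa-status shows in the post.
firejail_profile_mode() {
    status=$(cat)
    for name in firejail-default /etc/apparmor.d/firejail-default; do
        mode=$(printf '%s\n' "$status" | profile_mode "$name")
        if [ "$mode" != "absent" ]; then
            echo "$name $mode"
            return 0
        fi
    done
    echo "absent"
    return 1
}

# Constructed sample in the layout of the aa-status listings in the post.
SAMPLE='apparmor module is loaded.
3 profiles are loaded.
2 profiles are in enforce mode.
   /etc/apparmor.d/firejail-default
   /usr/sbin/cupsd
1 profiles are in complain mode.
   libreoffice-soffice
1 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/cupsd (9016) 
0 processes are in complain mode.'

# On a live system (as root): aa-status | firejail_profile_mode
printf '%s\n' "$SAMPLE" | firejail_profile_mode
```

A profile listed under the "profiles" headings is only loaded; the "processes" section of `aa-status` is what shows whether any running program is actually confined by it.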