jagdpanther l33t
Joined: 22 Nov 2003 Posts: 729
Posted: Sun Aug 12, 2018 5:11 pm Post subject: [solved] firejail replies with Error clone and does not work
Firejail is not working on my system. For example:
Code:
$ firejail firefox
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Error clone: main.c:2475 main: Invalid argument
After reading the Gentoo Firejail wiki, https://wiki.gentoo.org/wiki/Firejail , I also tried firemon as root:
Code:
# firemon
Error: netlink socket problem
I re-emerged firejail and still have the same issues. Here are the use flags for my current install:
Code:
Installed versions: 0.9.50 (09:37:28 AM 08/12/2018)(bind chroot file-transfer network seccomp userns -apparmor -contrib -network-restricted -x11)
I am running gentoo-sources-4.17.14 on intel i9 based system.
Any suggestions for getting firejail working?
Last edited by jagdpanther on Mon Aug 13, 2018 1:12 am; edited 1 time in total
Hu Moderator
Joined: 06 Mar 2007 Posts: 21631
Posted: Sun Aug 12, 2018 5:53 pm Post subject:
What are the last 100 lines when firejail is run under strace?
jagdpanther l33t
Joined: 22 Nov 2003 Posts: 729
Posted: Sun Aug 12, 2018 6:32 pm Post subject:
Hu:
Hi. There are 97 lines total so here is the entire output from
strace firejail firefox > /tmp/firejail_strace.out 2>&1
Code:
execve("/usr/bin/firejail", ["firejail", "firefox"], 0x7ffc4af0c3c8 /* 37 vars */) = 0
access(0x7fdd055070a3, F_OK) = -1 ENOENT (No such file or directory)
brk(NULL) = 0x55616c746000
fcntl(0, F_GETFD) = 0
fcntl(1, F_GETFD) = 0
fcntl(2, F_GETFD) = 0
access(0x7fdd055070a3, F_OK) = -1 ENOENT (No such file or directory)
access(0x7fdd0550a130, R_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, 0x7fdd05507a28, O_RDONLY|O_CLOEXEC) = 3
fstat(3, 0x7ffc44dca0a0) = 0
mmap(NULL, 296163, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fdd056c4000
close(3) = 0
openat(AT_FDCWD, 0x7fdd0570fdc0, O_RDONLY|O_CLOEXEC) = 3
read(3, 0x7ffc44dca268, 832) = 832
fstat(3, 0x7ffc44dca100) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fdd056c2000
mmap(NULL, 3951064, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fdd05124000
mprotect(0x7fdd052df000, 2097152, PROT_NONE) = 0
mmap(0x7fdd054df000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1bb000) = 0x7fdd054df000
mmap(0x7fdd054e5000, 14808, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fdd054e5000
close(3) = 0
arch_prctl(ARCH_SET_FS, 0x7fdd056c3540) = 0
mprotect(0x7fdd054df000, 16384, PROT_READ) = 0
mprotect(0x55616b9b1000, 4096, PROT_READ) = 0
mprotect(0x7fdd0570d000, 4096, PROT_READ) = 0
munmap(0x7fdd056c4000, 296163) = 0
stat(0x55616b79fc73, 0x7ffc44dc97e0) = 0
stat(0x55616b79fd6e, 0x7ffc44dc97e0) = 0
stat(0x55616b79e3df, 0x7ffc44dc97e0) = 0
stat(0x55616b79e385, 0x7ffc44dc97e0) = 0
stat(0x55616b79f7ce, 0x7ffc44dc97e0) = 0
stat(0x55616b7a365c, 0x7ffc44dc97e0) = 0
stat(0x55616b79f7e1, 0x7ffc44dc97e0) = 0
stat(0x55616b79e06e, 0x7ffc44dc97e0) = 0
stat(0x55616b7a646f, 0x7ffc44dc97e0) = 0
stat(0x55616b79fe20, 0x7ffc44dc9520) = 0
stat(0x55616b79f5e0, 0x7ffc44dc94a0) = 0
brk(NULL) = 0x55616c746000
brk(0x55616c767000) = 0x55616c767000
openat(AT_FDCWD, 0x55616b7a64d7, O_RDONLY) = 3
fstat(3, 0x7ffc44dc8d30) = 0
read(3, 0x55616c746490, 1024) = 6
close(3) = 0
open(0x55616b79f813, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 3
fstat(3, 0x7ffc44dc9590) = 0
brk(0x55616c78f000) = 0x55616c78f000
getdents(3, 0x55616c7668e0, 32768) = 11496
getdents(3, /* 0 entries */, 32768) = 0
brk(0x55616c787000) = 0x55616c787000
close(3) = 0
open(0x55616b7a365c, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 3
fstat(3, 0x7ffc44dc9590) = 0
getdents(3, 0x55616c7668e0, 32768) = 48
getdents(3, /* 0 entries */, 32768) = 0
close(3) = 0
brk(0x55616c767000) = 0x55616c767000
getuid() = 527
getgid() = 527
setresuid(-1, 527, -1) = 0
setresgid(-1, 527, -1) = 0
getuid() = 527
geteuid() = 527
getuid() = 527
geteuid() = 527
setresuid(-1, 0, -1) = -1 EPERM (Operation not permitted)
setresgid(-1, 0, -1) = -1 EPERM (Operation not permitted)
openat(AT_FDCWD, 0x55616b7a5f8c, O_RDONLY) = -1 EACCES (Permission denied)
setresuid(-1, 527, -1) = 0
setresgid(-1, 527, -1) = 0
setresuid(-1, 0, -1) = -1 EPERM (Operation not permitted)
setresgid(-1, 0, -1) = -1 EPERM (Operation not permitted)
stat(0x55616c746910, 0x7ffc44dc95c0) = 0
openat(AT_FDCWD, 0x55616c746910, O_RDONLY) = 3
fstat(3, 0x7ffc44dc9370) = 0
read(3, 0x55616c746490, 1024) = 5
close(3) = 0
stat(0x55616c746910, 0x7ffc44dc95c0) = 0
openat(AT_FDCWD, 0x55616c746910, O_RDONLY) = 3
fstat(3, 0x7ffc44dc9370) = 0
read(3, 0x55616c746490, 1024) = 9
close(3) = 0
setresuid(-1, 527, -1) = 0
setresgid(-1, 527, -1) = 0
setresuid(-1, 0, -1) = -1 EPERM (Operation not permitted)
setresgid(-1, 0, -1) = -1 EPERM (Operation not permitted)
geteuid() = 527
write(2, 0x55616b7a4310, 30Error: cannot rise privileges
) = 30
setresuid(-1, 0, -1) = -1 EPERM (Operation not permitted)
setresgid(-1, 0, -1) = -1 EPERM (Operation not permitted)
getpid() = 32144
unlink(0x55616c746930) = -1 ENOENT (No such file or directory)
unlink(0x55616c746930) = -1 ENOENT (No such file or directory)
unlink(0x55616c746930) = -1 ENOENT (No such file or directory)
unlink(0x55616c746930) = -1 ENOENT (No such file or directory)
unlink(0x55616c746910) = -1 ENOENT (No such file or directory)
exit_group(1) = ?
+++ exited with 1 +++
Hu Moderator
Joined: 06 Mar 2007 Posts: 21631
Posted: Sun Aug 12, 2018 7:10 pm Post subject:
According to that output, it never even tried to use clone, nor did it produce the error message. Is /usr/bin/firejail setuid/setgid? If so, you cannot use a regular strace to monitor it, since an unprivileged tracer prevents the setuid flag from working.
jagdpanther l33t
Joined: 22 Nov 2003 Posts: 729
Posted: Sun Aug 12, 2018 7:25 pm Post subject:
Yes firejail is setuid:
Code:
ls -l /usr/bin/firejail
-rws--x--x 1 root root 289040 Aug 12 09:37 /usr/bin/firejail
Running as root the output is almost the same. Just an additional "Warning: " line.
Code:
# firejail firefox
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Warning: noroot option is not available
Error clone: main.c:2475 main: Invalid argument
Here is the end of strace when "strace firejail firefox" is run as root. I skipped many of the "getuid() =0" lines.
Code:
...
getuid() = 0
stat("/root/.config/dconf", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
getuid() = 0
...
getuid() = 0
read(5, "", 4096) = 0
close(5) = 0
getuid() = 0
...
getuid() = 0
getuid() = 0
write(2, "Warning: ", 9Warning: ) = 9
write(2, "noroot option is not available\n", 31noroot option is not available
) = 31
getuid() = 0
getuid()
...
getuid() = 0
getuid() = 0
getuid() = 0
read(4, "", 4096) = 0
close(4) = 0
close(3) = 0
getuid() = 0
pipe([3, 4]) = 0
pipe([5, 6]) = 0
setresuid(-1, 0, -1) = 0
setresgid(-1, 0, -1) = 0
setresuid(-1, 0, -1) = 0
setresgid(-1, 0, -1) = 0
getuid() = 0
setresuid(-1, 0, -1) = 0
setresgid(-1, 0, -1) = 0
clone(child_stack=0x559030df9470, flags=CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWPID|SIGCHLD) = -1 EINVAL (Invalid argument)
write(2, "Error clone: main.c:2475 main: I"..., 48Error clone: main.c:2475 main: Invalid argument
) = 48
setresuid(-1, 0, -1) = 0
setresgid(-1, 0, -1) = 0
getpid() = 9402
unlink("/run/firejail/bandwidth/9402-bandwidth") = -1 ENOENT (No such file or directory)
unlink("/run/firejail/network/9402-netmap") = -1 ENOENT (No such file or directory)
unlink("/run/firejail/name/9402") = -1 ENOENT (No such file or directory)
unlink("/run/firejail/profile/9402") = 0
unlink("/run/firejail/x11/9402") = -1 ENOENT (No such file or directory)
exit_group(1) = ?
+++ exited with 1 +++
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Sun Aug 12, 2018 7:47 pm Post subject:
jagdpanther wrote:
Code:
clone(child_stack=0x559030df9470, flags=CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWPID|SIGCHLD) = -1 EINVAL (Invalid argument)
write(2, "Error clone: main.c:2475 main: I"..., 48Error clone: main.c:2475 main: Invalid argument
) = 48
jagdpanther ... that looks to me like you're missing some NAMESPACE (CONFIG_UTS_NS, CONFIG_IPC_NS, CONFIG_PID_NS) support in the kernel:
Code:
# egrep '_NS' /usr/src/linux/.config
best ... khay
jagdpanther l33t
Joined: 22 Nov 2003 Posts: 729
Posted: Mon Aug 13, 2018 1:11 am Post subject:
Hu and khayyam, thank you.
Quote:
jagdpanther ... that looks to me like you're missing some NAMESPACE (CONFIG_UTS_NS, CONFIG_IPC_NS, CONFIG_PID_NS) support in the kernel
Old kernel, 4.17.14-gentoo-01:
Code:
/usr/src/linux # egrep '_NS' .config
# CONFIG_UTS_NS is not set
CONFIG_IPC_NS=y
CONFIG_USER_NS=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y
CONFIG_NF_CONNTRACK_NETBIOS_NS=m
My new kernel configuration, 4.17.14-gentoo-02, has "CONFIG_UTS_NS=y" and the clone error is gone.
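The following POSIX shell script is an added example and is not code from this thread or from the firejail project. It turns khayyam's egrep check into a per-flag report: each namespace flag that firejail passed to clone(2) in jagdpanther's strace (CLONE_NEWNS, CLONE_NEWUTS, CLONE_NEWIPC, CLONE_NEWPID) is paired with the kernel option that must be set to y, and the script names every option a given .config leaves unset. It goes slightly beyond the thread by also covering CLONE_NEWNET and CLONE_NEWUSER, which firejail's network and noroot features rely on. The flag-to-option table is my reading of the kernel's Kconfig, the script name ns-check.sh and the sample config are mine, and the sample reproduces the six lines jagdpanther posted for the broken kernel plus an assumed CONFIG_NAMESPACES=y line that his '_NS' pattern would not have matched. The EINVAL the thread saw is the signature of a namespace type that is compiled out; a caller lacking CAP_SYS_ADMIN gets EPERM from the same call instead, which is the quickest way to tell a kernel problem from a privilege problem.

```shell
#!/bin/sh
# Added example, not code from this thread or from firejail: check a kernel
# .config for the namespace types clone(2) needs and name the flag that each
# missing option would break. The flag/option pairs are an assumption drawn
# from the kernel's Kconfig; the sample config below is constructed.

# clone(2) flag -> Kconfig symbol that must be =y for the kernel to honour it.
# CLONE_NEWNS (mount namespaces) is covered by CONFIG_NAMESPACES itself; the
# other types each have their own symbol. A compiled-out type makes clone()
# fail with EINVAL (the error in the thread); EPERM would instead point at
# missing CAP_SYS_ADMIN.
NS_TABLE='CLONE_NEWNS CONFIG_NAMESPACES
CLONE_NEWUTS CONFIG_UTS_NS
CLONE_NEWIPC CONFIG_IPC_NS
CLONE_NEWPID CONFIG_PID_NS
CLONE_NEWNET CONFIG_NET_NS
CLONE_NEWUSER CONFIG_USER_NS'

# Print one line per option in NS_TABLE that is not "=y" in the config file
# given as $1. Both "# CONFIG_X is not set" and an absent line count as missing.
missing_ns_options() {
    cfg=$1
    printf '%s\n' "$NS_TABLE" | while read -r flag sym; do
        if ! grep -q "^${sym}=y\$" "$cfg"; then
            printf '%s (needed for %s)\n' "$sym" "$flag"
        fi
    done
}

# Locate the running kernel's config: /proc/config.gz when CONFIG_IKCONFIG_PROC
# is enabled, otherwise the copy the kernel install leaves in /boot. Prints the
# path of a plain-text copy, or nothing if neither source exists.
running_kernel_config() {
    if [ -r /proc/config.gz ]; then
        out=$(mktemp) && zcat /proc/config.gz > "$out" && printf '%s\n' "$out"
    elif [ -r "/boot/config-$(uname -r)" ]; then
        printf '%s\n' "/boot/config-$(uname -r)"
    fi
}

# Constructed sample: the six lines jagdpanther's egrep showed for the broken
# 4.17.14-gentoo-01 kernel, plus an assumed CONFIG_NAMESPACES=y line that the
# '_NS' pattern would not have matched.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_NAMESPACES=y
# CONFIG_UTS_NS is not set
CONFIG_IPC_NS=y
CONFIG_USER_NS=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y
CONFIG_NF_CONNTRACK_NETBIOS_NS=m
EOF
}

# Usage: ns-check.sh [path/to/.config]; with no argument, use the running kernel.
# Exit status 1 means at least one namespace type is compiled out.
main() {
    cfg=${1:-$(running_kernel_config)}
    if [ -z "$cfg" ]; then
        echo "no kernel config found; pass a path to .config" >&2
        return 2
    fi
    missing=$(missing_ns_options "$cfg")
    if [ -n "$missing" ]; then
        printf 'missing namespace support in %s:\n%s\n' "$cfg" "$missing"
        return 1
    fi
    echo "all namespace options enabled in $cfg"
}

# Only run the check when invoked with an argument, for example:
#   ./ns-check.sh /usr/src/linux/.config
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run against the sample, the report is a single line, "CONFIG_UTS_NS (needed for CLONE_NEWUTS)", which matches the flag set in the failing clone() call and the fix jagdpanther applied; a config that sets every option produces no output and exit status 0, so the script can sit in a post-kernel-build hook.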