FS#69523 : firejail 0.9.64.2-1 update - breaks firefox profiles

FS#69523 - firejail 0.9.64.2-1 update - breaks firefox profiles

Attached to Project: Community Packages
Opened by mark (qinohe) - Wednesday, 03 February 2021, 22:02 GMT
Last edited by Daniel M. Capella (polyzen) - Saturday, 21 August 2021, 03:24 GMT

Task Type	Bug Report
Category	Packages
Status	Closed
Assigned To	Sergej Pupykin (sergej)
Architecture	All
Severity	Low
Priority	Normal
Reported Version
Due in Version	Undecided
Due Date	Undecided
Percent Complete
Votes	0
Private	No

Details

Description:
Installing firejail 0.9.64.2-1[Community] breaks at least Firefox profiles - both Firefox and Firefox-developer.
Downgrading to previous version ((0.9.64-2) solves the problem and makes existing profiles accessible again.

I haven't done anymore testing than this, replacing the profile after every reboot made me downgrade.
I also use 'psd' (profile-sync-daemon) I did not test it's impact, it wasn't updated, though.

Normally I don't reboot that often but a 'systemd' update came right after firejail, that's how I found out..

Steps to reproduce:pacman -Syu firejail

This task depends upon

Closed by Daniel M. Capella (polyzen)
Saturday, 21 August 2021, 03:24 GMT
Reason for closing: None
Additional comments about closing: Appears to be resolved. 0.9.66 (currently in the repos) also includes a fix for the issue linked in the last comment.

Comment by mark (qinohe) - Wednesday, 03 February 2021, 22:32 GMT

I had a look at the changes made for this version at github(netblue30) and couldn't see what could impact this.

The Firefox profiles didn't have a change since April 2020.

I can handle firejail enough to use it, but troubleshooting it is a little above my 'pay grade', that is, I wouldn't know where to start?

Comment by loqs (loqs) - Wednesday, 03 February 2021, 23:21 GMT

Using firejail-git [1] to bisect [2] between the two releases?

[1] https://aur.archlinux.org/packages/firejail-git/
[2] https://wiki.archlinux.org/index.php/Bisecting_bugs_with_Git

Comment by mark (qinohe) - Thursday, 04 February 2021, 00:17 GMT

Thanks @loqs, the thing is I have the package from git, build it choose the good version tried to choose the bad version it's not in the list.

What I did:
$makepkg -Codd
$cd src/firejail-git
$git bisect start
$git bisect good 0.9.64.2
$git bisect bad 0.9.64.2-1
$error: Bad rev input: 0.9.64.2-1

The bad version is '0.9.64.2-1' for sure (see)https://archlinux.org/packages/community/x86_64/firejail/

I want to learn this now 'once and for all'
If you want me to open a thread on it on the forum, I will, thanks.

Comment by Doug Newgard (Scimmia) - Thursday, 04 February 2021, 00:21 GMT

the -1 is an Arch pkgrel, not part of the upstream version.

Comment by loqs (loqs) - Thursday, 04 February 2021, 00:24 GMT

$ git bisect start
$ git bisect good 0.9.64
$ git bisect bad 0.9.64.2
Bisecting: 143 revisions left to test after this (roughly 7 steps)
[9d26477548875a167a68556d746016f1f146223b] curl HSTS cache support (#3813)
Edit:
See Scimmia's explanation.

Comment by mark (qinohe) - Thursday, 04 February 2021, 00:26 GMT

Ah, of course, why didn't I notice that immediately, I'll be back, hopefully with the result;)

Comment by mark (qinohe) - Thursday, 04 February 2021, 00:41 GMT

What do you do when the program doesn't want to compile between steps? - makepkg -efsi

Comment by loqs (loqs) - Thursday, 04 February 2021, 00:54 GMT

$ git bisect skip
Ask git to pick another nearby commit.

Comment by mark (qinohe) - Thursday, 04 February 2021, 01:08 GMT

Okay, I arrived at the point the problem is gone and I gave a :
$git bisect good
$Bisecting: 39 revisions left to test after this (roughly 5 steps)
$[4b0b7ec216ec1a1f337a3a37b2c514bcd6842629] Update build.yml (#3779)

Am I understanding correct, that I now restart with 'makepgs -efsi' - 'git bisect bad/good' until I find the 'troublesome commit'?

It seems, this commit is the offending one:

$git bisect bad
$096d0de5f8bb253d0c1035796464bc5982f06f81 is the first bad commit
$commit 096d0de5f8bb253d0c1035796464bc5982f06f81
$Author: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
$Date: Mon Nov 16 11:41:35 2020 +0100

https://github.com/netblue30/firejail/commit/096d0de5f8bb253d0c1035796464bc5982f06f81

Comment by mark (qinohe) - Thursday, 04 February 2021, 02:16 GMT

I actually installed the new version ( 0.9.64.2-1 ) again.
After that I disabled the added commit for FF

##include whitelist-runuser-common.inc

Now FF opens again without problems.
Thanks for the help @loqs & @Scimmia, appreciated ;-)
mark

edit: I tried to see, if I could find the offending line in '/etc/firejail/whitelist-runuser-common.inc'
I had to disable all of them before FF would start, so for now I disabled the above commit!

Comment by helle vaanzinn (glitsj16) - Monday, 08 February 2021, 18:47 GMT

@mark You can put `ignore include whitelist-runuser-common.inc` into a `firefox.local` override, either in ${HOME}/.config/firejail (per-user) or in /etc/firejail (system-wide). Have you tried that yet?
Also, I see you mentioning 'psd'. That is not related to this issue, but you can still harden your firejail setup if you use it:

globals.local
# psd
blacklist ${RUNUSER}/*-firefox-*

firefox.local
# psd
noblacklist ${RUNUSER}/*-firefox-*
whitelist ${RUNUSER}/*-firefox-*

Comment by mark (qinohe) - Monday, 08 February 2021, 19:44 GMT

@helle, thank you for your message.

I have used the above solution while testing only, I now have 'ignore include whitelist-runuser-common.inc' in
- firefox.local
- firefox-developer-edition.local

This is working as it should, I just thought the added line is a bug for Arch users.
Now, no one actually reported back to this bug report having the same issue, maybe it's only me?

Thanks for the hardening lines regarding psd & already added to the local profiles, appreciated.

Comment by helle vaanzinn (glitsj16) - Monday, 08 February 2021, 20:15 GMT

> This is working as it should, I just thought the added line is a bug for Arch users.
Now, no one actually reported back to this bug report having the same issue, maybe it's only me?

Whether it's only you is hard to judge. I'm pleased you did though, at least upstream is aware of it now.

Firejail's Firefox profile - a collection of split files that can get included or not AND each of them having .local overrides - is one of the more complex ones to follow the 'logic' in, as it caters for several possible use-cases. That makes 'debugging' stuff related to Firefox a bit more involved. For example, it could depend on the addons/plugins used (like KeePassXC). We have only seen one Arch Linux user reporting an issue lately (https://github.com/netblue30/firejail/issues/3952) that seems related to this one.

You're always welcome to open an issue on our tracker if you'd like, so we can get a better view on your specific setup without adding noise to this bug report.

Comment by mark (qinohe) - Monday, 08 February 2021, 21:33 GMT

>You're always welcome to open an issue on our tracker if you'd like, so we can get a better view on your specific setup without adding noise to this bug report.

I will do that, thanks for the invitation.

Comment by mark (qinohe) - Monday, 08 February 2021, 22:55 GMT

edit: Sorry for the double paste

edit: Tue Feb 9 06:04 PM CET 2021
The issue seems to be solved.

I have no idea what solved it.

Anyway, thanks to all that chimed in for the help / support, mark

edit: This may me be more complicated than I thought.

I may not be affected by it right now, it's not solved

(see)https://github.com/netblue30/firejail/issues/3952#issuecomment-776113224

	Tasks related to this task (0)

Duplicate tasks of this task (0)

Arch Linux

FS#69523 - firejail 0.9.64.2-1 update - breaks firefox profiles

Details

Loading...