Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

firecfg: seahorse is not sandboxed (.desktop file) #6658

Open
2 of 7 tasks
ginto37 opened this issue Feb 21, 2025 · 6 comments · May be fixed by #6673
Open
2 of 7 tasks

firecfg: seahorse is not sandboxed (.desktop file) #6658

ginto37 opened this issue Feb 21, 2025 · 6 comments · May be fixed by #6673
Labels
firecfg Anything related to firecfg and not firejail itself

Comments

@ginto37
Copy link

ginto37 commented Feb 21, 2025
edited by rusty-snake
Loading

Description

seahorse AKA Passwords and Keys is not sandboxed with firejail.

Steps to Reproduce

  1. Open Activities/Overview mode from the top panel or using the keyboard shortcut
  2. Search for seahorse or Password and Keys and launch it
  3. In a Terminal, check the output of firejail --list
  4. Close Password and Keys

and

  1. Open a Terminal
  2. Enter seahorse and tap Enter/Return
  3. Check the output of firejail --list

Expected behavior

Output in either case should be similar to the following:

3233:USERNAME::/usr/bin/firejail /usr/bin/seahorse

Actual behavior

There is no output in either case.

Behavior without a profile

N/A

Additional context

I found #2591 but sandboxing mysteriously started working in that case so there was no answer there. I've confirmed that the issue exists over numerous reboots over several weeks and after performing all system updates.

Environment

  • Name/version/arch of the Linux kernel (uname -srm): Linux 6.8.0-52-generic x86_64
  • Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux"): Ubuntu 22.04.5 LTS
  • Name/version of the relevant program(s)/package(s) (e.g. "firefox 134.0-1,
    mesa 1:24.3.3-2"): seahorse 41.0
  • Version of Firejail (firejail --version): firejail version 0.9.72

Compile time support:
- always force nonewprivs support is disabled
- AppArmor support is enabled
- AppImage support is enabled
- chroot support is enabled
- D-BUS proxy support is enabled
- file transfer support is enabled
- firetunnel support is disabled
- IDS support is enabled
- networking support is enabled
- output logging is enabled
- overlayfs support is disabled
- private-home support is enabled
- private-cache and tmpfs as user enabled
- SELinux support is enabled
- user namespace support is enabled
- X11 sandboxing support is enabled

  • If you use a development version of firejail, also the commit from which it
    was compiled (git rev-parse HEAD):

Checklist

  • The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • I can reproduce the issue without custom modifications (e.g. globals.local).
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • I have performed a short search for similar issues (to avoid opening a duplicate).
    • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program 

Reading profile /etc/firejail/seahorse.profile
Reading profile /etc/firejail/allow-ssh.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 4076, child pid 4079
Warning: cannot find /var/run/utmp
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping crypto-policies for private /etc
Warning: skipping gconf for private /etc
Warning: skipping pango for private /etc
Warning: skipping pkcs11 for private /etc
Warning: skipping ssh for private /etc
Private /etc installed in 64.60 ms
Private /usr/etc installed in 0.00 ms
Child process initialized in 219.41 ms

Parent is shutting down, bye...

Output of LC_ALL=C firejail --debug /path/to/program

Gist

output goes here

@rusty-snake
Copy link
Collaborator

rusty-snake commented Feb 21, 2025
edited
Loading

I guess you have to remove pam_gnome_keyring.so from your PAM configuration.

@kmk3 kmk3 changed the title seahorse not sandboxed firecfg: seahorse is not sandboxed Feb 21, 2025
@kmk3 kmk3 added the firecfg Anything related to firecfg and not firejail itself label Feb 21, 2025
@kmk3
Copy link
Collaborator

kmk3 commented Feb 22, 2025

What is the full path to the program?

What is the output of the following:

sudo firecfg
grep seahorse /etc/firejail/firecfg.config
which -a seahorse
ls -al ~/.local/share/applications
grep '^Exec' ~/.local/share/applications/seahorse.desktop

@kmk3 kmk3 added the needinfo More information is needed from the issue author label Feb 22, 2025
@ginto37
Copy link
Author

ginto37 commented Feb 25, 2025
edited by kmk3
Loading 

$ sudo firecfg
Removing all firejail symlinks:
   seahorse removed
   cvlc removed
   ftp removed
   transmission-gtk removed
   gnome-logs removed
   autokey-run removed
   gnome-font-viewer removed
   gcalccmd removed
   evince-previewer removed
   yubioath-desktop removed
   baobab removed
   man removed
   pdftotext removed
   evince removed
   autokey-shell removed
   wget removed
   gnome-characters removed
   rhythmbox removed
   autokey-gtk removed
   strings removed
   gnome-calculator removed
   nslookup removed
   eog removed
   bleachbit removed
   patch removed
   firefox-esr removed
   enchant-2 removed
   xcalc removed
   evince-thumbnailer removed
   file-roller removed
   gapplication removed
   dnsmasq removed
   gedit removed
   dig removed
   ping removed
   rhythmbox-client removed
   host removed
   Xephyr removed
   enchant-lsmod-2 removed
   yelp removed
   vlc removed

Configuring symlinks in /usr/local/bin based on firecfg.config
   Xephyr created
   autokey-gtk created
   autokey-run created
   autokey-shell created
   baobab created
   bleachbit created
   cvlc created
   dig created
   dnsmasq created
   enchant-2 created
   enchant-lsmod-2 created
   eog created
   evince created
   evince-previewer created
   evince-thumbnailer created
   file-roller created
   firefox-esr created
   ftp created
   gapplication created
   gcalccmd created
   gedit created
   gnome-calculator created
   gnome-characters created
   gnome-font-viewer created
   gnome-logs created
   host created
   man created
   nslookup created
   patch created
   pdftotext created
   ping created
   rhythmbox created
   rhythmbox-client created
   seahorse created
   strings created
   transmission-gtk created
   vlc created
   wget created
   xcalc created
   yelp created

Adding user USERNAME to Firejail access database in /etc/firejail/firejail.users
User USERNAME already in the database

Loading AppArmor profile

Fixing desktop files in /home/USERNAME/.local/share/applications
   org.gnome.Nautilus.desktop skipped: file exists
   org.gnome.Logs.desktop skipped: file exists
   org.gnome.baobab.desktop skipped: file exists
   vlc.desktop skipped: file exists
   org.gnome.gedit.desktop skipped: file exists
$ grep seahorse /etc/firejail/firecfg.config 
seahorse
seahorse-adventures
seahorse-daemon
seahorse-tool
$ which -a seahorse
/usr/local/bin/seahorse
/usr/bin/seahorse
/bin/seahorse
$ ls -al ~/.local/share/applications/
total 40
drwx------  2 USERNAME USERNAME  4096 Feb 23 21:56 .
drwx------ 21 USERNAME USERNAME  4096 Dec 27 06:09 ..
-rw-------  1 USERNAME USERNAME   647 Jan 24 01:11 org.gnome.baobab.desktop
-rw-------  1 USERNAME USERNAME   773 Jan 24 01:11 org.gnome.gedit.desktop
-rw-------  1 USERNAME USERNAME   589 Jan 24 01:11 org.gnome.Logs.desktop
-rw-------  1 USERNAME USERNAME  1264 Jan 24 01:11 org.gnome.Nautilus.desktop
-rw-------  1 USERNAME USERNAME 14918 Feb 23 21:56 vlc.desktop

I couldn't tell you why there's no seahorse.desktop file.

@kmk3
Copy link
Collaborator

kmk3 commented Feb 25, 2025
edited
Loading

I couldn't tell you why there's no seahorse.desktop file.

The issue is probably because it uses org.foo.bar.desktop instead of just
bar.desktop, in which case org.foo.bar would also need to be in firecfg.

What is the output of the following:

grep -R 'Exec=.*seahorse' /usr/share/applications

Edit: Now I noticed some relevant details in the output (related to #6657):

Fixing desktop files in /home/USERNAME/.local/share/applications
   org.gnome.Nautilus.desktop skipped: file exists
   org.gnome.Logs.desktop skipped: file exists
   org.gnome.baobab.desktop skipped: file exists
   vlc.desktop skipped: file exists
   org.gnome.gedit.desktop skipped: file exists

What is the output of the following?

grep 'Exec' ~/.local/share/applications/*.desktop | LC_ALL=C sort -u

@rusty-snake
Copy link
Collaborator

rusty-snake commented Feb 25, 2025
edited
Loading

The issue is probably because it uses org.foo.bar.desktop instead of just
bar.desktop, in which case org.foo.bar would also need to be in firecfg.

firejail/src/firecfg/desktop_files.c

Lines 68 to 71 in 7650902

// we get strange names here, such as .org.gnome.gedit.desktop, com.uploadedlobster.peek.desktop,
// or io.github.Pithos.desktop; extract the word before .desktop
// TODO: implement proper fix for #2624 (names like org.gnome.Logs.desktop fall thru
// the 'last word' logic and don't get installed to ~/.local/share/applications

What is the output of the following?
grep 'Exec' ~/.local/share/applications/*.desktop | LC_ALL=C sort -u

DBusActivatable is also important

Seahorse seems to be /usr/share/applications/org.gnome.seahorse.Application.desktop

@kmk3 kmk3 changed the title firecfg: seahorse is not sandboxed firecfg: seahorse is not sandboxed (.desktop file) Feb 25, 2025
@ginto37
Copy link
Author

ginto37 commented Feb 27, 2025 via email
edited by kmk3
Loading

@kmk3 kmk3 removed the needinfo More information is needed from the issue author label Feb 27, 2025
@kmk3 kmk3 mentioned this issue Feb 27, 2025
Open
kmk3 added a commit to kmk3/firejail that referenced this issue Mar 1, 2025
@kmk3
profiles: firecfg: add gedit/seahorse .desktop filenames
699c1f4 
Apparently their .desktop files are located in the following paths:

* /usr/share/applications/org.gnome.gedit.desktop
* /usr/share/applications/org.gnome.seahorse.Application.desktop

Fixes netblue30#6657 netblue30#6658.

Reported-by: @ginto37
Reported-by: @rusty-snake
kmk3 added a commit to kmk3/firejail that referenced this issue Mar 1, 2025
@kmk3
profiles: firecfg: add gedit/seahorse .desktop filenames
0282488 
Apparently their .desktop files are located in the following paths:

* /usr/share/applications/org.gnome.gedit.desktop
* /usr/share/applications/org.gnome.seahorse.Application.desktop

Fixes netblue30#6657 netblue30#6658.

Relates to netblue30#6002.

Reported-by: @ginto37
Reported-by: @rusty-snake
@kmk3 kmk3 linked a pull request Mar 1, 2025 that will close this issue
Draft
kmk3 added a commit to kmk3/firejail that referenced this issue Mar 1, 2025
@kmk3
profiles: seahorse: add redirect org.gnome.seahorse.Application
884d12c 
Apparently the .desktop file for `seahorse` is located in the following
path:

* /usr/share/applications/org.gnome.seahorse.Application.desktop

Which ends in `Application.desktop` instead of `seahorse.desktop`,
leading to it not being automatically detected by firecfg.

So add a redirect profile and an entry in firecfg.config.

Fixes netblue30#6658.

Reported-by: @ginto37
Reported-by: @rusty-snake
kmk3 added a commit to kmk3/firejail that referenced this issue Mar 1, 2025
@kmk3
bugfix: firecfg: check full filename in check_profile()
7f31fbf 
Currently, firecfg only checks the last word in .desktop files when
trying to match them to an existing profile.  For example:

* `org.gnome.gedit.desktop` -> `gedit.desktop`
* `org.gnome.seahorse.Application.desktop` -> `Application.desktop`

This works in the former case where there is an exact match of the last
word on each side (`gedit.desktop` and `gedit.profile`), but not in the
latter case (`Application.desktop` and `seahorse.profile`).

So make firecfg also check the full filename of the .desktop file, to
make it easier to create redirect profiles that match the full name of
the .desktop files.  For example:

* `org.gnome.seahorse.Application.desktop` ->
  `org.gnome.seahorse.Application.profile` (which itself then redirects
  to `seahorse.profile`)

Related commits:

* a6341b9 ("disable DBus activation in firecfg", 2017-09-25)
* 3e69deb ("fix firecfg", 2017-09-25)
* bd97615 ("Temp fix firecfg (netblue30#2634)", 2019-04-02)

Relates to netblue30#2624 netblue30#6658.
@kmk3 kmk3 mentioned this issue Mar 1, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
firecfg Anything related to firecfg and not firejail itself
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

profiles: seahorse: add redirect org.gnome.seahorse.Application kmk3/firejail
3 participants
@kmk3 @rusty-snake @ginto37