
Getting "Permission denied" when running Electron apps with --no-sandbox #3883

Closed · mYnDstrEAm opened this issue Jan 12, 2021 · 5 comments

@mYnDstrEAm

mYnDstrEAm commented Jan 12, 2021

How can one run Electron apps that use a new version of Electron with Firejail?

This works: /home/username/Downloads/dir/appName --no-sandbox
This doesn't: firejail --profile=/etc/firejail/electron.profile /home/username/Downloads/dir/appName --no-sandbox

The output is:

Warning: networking feature is disabled in Firejail configuration file
Parent pid id, child pid id
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Child process initialized in wx.yz ms
/bin/bash: /home/username/Downloads/dir/appName: Permission denied

(Moved it to ~/Downloads/dir to prevent No such file or directory errors.)

sudo less /var/log/syslog | grep appName shows:

audit: type=1400 audit(id:id): apparmor="DENIED" operation="exec" profile="firejail-default" name="/home/username/Downloads/dir/appName" pid=id comm="bash" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000

I also tried it with --ignore=disable-mnt --ignore=nodbus

System: Debian 10/KDE
Firejail version: 0.9.64 (with /etc/firejail/electron.profile of that version)

Some electron apps work even without setting --no-sandbox so it's probably already solved/solvable somehow.
Possibly related issues (will remove the links if not found to be related later): #3586 #3871 #2690 #2946
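The syslog entry quoted above is the decisive evidence in this report: it shows the denial came from the firejail-default AppArmor profile on an exec of a file under $HOME (denied_mask="x"), not from Firejail's own seccomp or mount setup. As an added example that is not part of this issue thread, the Python below parses such kernel audit lines and counts denials by profile, operation and path, so you can confirm exactly which profile and mask blocked a launch before loosening anything. The sample lines are constructed, modelled on the one in the report; timestamps, pids and audit ids are placeholders.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not real system output). The first two
# mirror the AppArmor denial quoted in the report; the third is a profile
# reload notice, the fourth an unrelated line that must be ignored.
SAMPLE_LOG = """\
Jan 12 10:00:01 host kernel: audit: type=1400 audit(1610445601.123:456): apparmor="DENIED" operation="exec" profile="firejail-default" name="/home/username/Downloads/dir/appName" pid=12345 comm="bash" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
Jan 12 10:00:01 host kernel: audit: type=1400 audit(1610445601.456:457): apparmor="DENIED" operation="exec" profile="firejail-default" name="/home/username/Downloads/dir/appName" pid=12346 comm="bash" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
Jan 12 10:00:02 host kernel: audit: type=1400 audit(1610445602.789:458): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="firejail-default" pid=12350 comm="apparmor_parser"
Jan 12 10:00:03 host sshd[999]: Accepted publickey for username from 192.0.2.10 port 50000 ssh2
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_apparmor_line(line):
    """Return the key=value fields of an AppArmor audit line as a dict,
    with surrounding quotes stripped, or None if the line is not an
    AppArmor event."""
    if 'apparmor="' not in line:
        return None
    fields = {}
    for key, value in _KV.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def summarize_denials(log_text):
    """Count DENIED events keyed by (profile, operation, path, denied_mask).
    An exec denial with mask "x" on a path under a user's home directory is
    the signature of the noexec home that the firejail-default profile enforces."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_apparmor_line(line)
        if fields is None or fields.get("apparmor") != "DENIED":
            continue
        key = (
            fields.get("profile"),
            fields.get("operation"),
            fields.get("name"),
            fields.get("denied_mask"),
        )
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (profile, op, path, mask), n in summarize_denials(SAMPLE_LOG).items():
        print(f"{n}x profile={profile} op={op} mask={mask} path={path}")
```

On a real system, feed it the output of `journalctl -k` or `/var/log/syslog` instead of the constructed sample; the interesting output is the profile/path/mask triple, which tells you whether a `.local` override or an AppArmor local rule is the right place to fix things.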

@rusty-snake
Collaborator

apparmor makes your ${HOME} noexec.
Compare firejail --noprofile /home/username/Downloads/dir/appName --no-sandbox (which I expect to work) and firejail --noprofile --apparmor /home/username/Downloads/dir/appName --no-sandbox

It should work if you add --ignore=apparmor '--ignore=noexec ${HOME}' (the last one is required for firejail >=0.9.65 and has no effect on firejail 0.9.64).

@mYnDstrEAm
Author

Thank you! So the solution until firejail v >=0.9.65 hits the Debian backports repos seems to be: running cp /etc/firejail/electron.profile ~/.config/firejail/electron-apps.profile && kate ~/.config/firejail/electron-apps.profile, commenting out apparmor there and then running firejail --profile=~/.config/firejail/electron-apps.profile /home/username/Downloads/dir/appName --no-sandbox.

If you know of a (similar but) better / hardened solution (like keeping apparmor in that profile and only removing that noexec part) until that occurs, please leave a comment. Closing this.

@rusty-snake
Collaborator

#3629 (comment)
#2987 (comment)
#2938 (comment)

@mYnDstrEAm
Author

In Debian (in other OSes it might be firejail-local) this should work and seems to be the better solution:

echo "owner /home/username/dir-to-place-electron-build-dir-in/** ix," | sudo tee -a /etc/apparmor.d/local/firejail-default && sudo apparmor_parser -r /etc/apparmor.d/local/firejail-default

The problem with that is that I get: AppArmor parser error for /etc/apparmor.d/local/firejail-default in /etc/apparmor.d/local/firejail-default at line 1: syntax error, unexpected TOK_OWNER, expecting $end and did not find the error-message self-explanatory or explained anywhere online. The firejail-default file was (and is) otherwise empty and there is no firejail-local (nor a dedicated apparmor profile for the specific electron app).

@kmk3
Collaborator

kmk3 commented Jan 14, 2021

> So the solution until firejail v >=0.9.65 hits the Debian backports repos
> seems to be: running cp /etc/firejail/electron.profile ~/.config/firejail/electron-apps.profile && kate ~/.config/firejail/electron-apps.profile, commenting out apparmor there

If you want to ignore apparmor on all profiles that include electron.profile,
you can just do this instead:

echo 'ignore apparmor' >>~/.config/firejail/electron.local

> and then running
> firejail --profile=~/.config/firejail/electron-apps.profile /home/username/Downloads/dir/appName --no-sandbox.

Then you could just run it like this:

firejail --profile=/etc/firejail/electron.profile /home/username/Downloads/dir/appName --no-sandbox

Or, if you want to use a separate profile for the programs in
/home/username/Downloads:

cat >~/.config/firejail/electron-apps.profile <<EOF
ignore apparmor

# Redirect
include electron.profile
EOF

Run it with:

firejail --profile=~/.config/firejail/electron-apps.profile /home/username/Downloads/dir/appName --no-sandbox
