Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

firejail [Error: the sandbox is not setuid root] #15970

Closed
DeivAstra opened this issue Jun 3, 2016 · 13 comments
Closed

firejail [Error: the sandbox is not setuid root] #15970

DeivAstra opened this issue Jun 3, 2016 · 13 comments

Comments

@DeivAstra
Copy link

Issue description

Can't run firejail. It throws "Error: the sandbox is not setuid root" all the time with any arguments. May be something misconfigured?

Steps to reproduce

Install and run firejail

Technical details

  • System: 16.03.802.01f5711 (Emu)
  • Nix version: nix-env (Nix) 1.11.2
  • Nixpkgs version: "16.03.802.01f5711"
@joachifm
Copy link
Contributor

joachifm commented Jun 3, 2016

The Nix store cannot contain setuid binaries, so you need to set

let # syntax highlighting
security.setuidPrograms = [ "firejail" ];

in your configuration.nix, to generate a setuid wrapper for it.

@DeivAstra
Copy link
Author

Thanks a lot!
I had add the string and run nixos-rebuild switch.
So, it's runs but throw error messages, for example:
firejail chromium
Reading profile /nix/store/w2nwl1w05pnjc1k3p3kxw2558kxyv71m-firejail-0.9.38/etc/firejail/chromium.profile
Reading profile /nix/store/w2nwl1w05pnjc1k3p3kxw2558kxyv71m-firejail-0.9.38/etc/firejail/disable-mgmt.inc
Reading profile /nix/store/w2nwl1w05pnjc1k3p3kxw2558kxyv71m-firejail-0.9.38/etc/firejail/disable-secret.inc
Reading profile /nix/store/w2nwl1w05pnjc1k3p3kxw2558kxyv71m-firejail-0.9.38/etc/firejail/disable-common.inc
Reading profile /nix/store/w2nwl1w05pnjc1k3p3kxw2558kxyv71m-firejail-0.9.38/etc/firejail/whitelist-common.inc
Parent pid 559, child pid 560
Error: invalid /etc/pulse/client.conf file
Error: cannot establish communication with the parent, exiting...

@joachifm
Copy link
Contributor

joachifm commented Jun 4, 2016

To me, that trace suggests that the upstream profile for chromium fails to mesh with NixOS somehow, I don't know off hand what it could be exactly. Two things: 1) you could try bumping firejail (0.9.38 is old) and see if that helps; and/or 2) write your own profiles. Perhaps something like programs.firejail for better NixOS integration out of the box is warranted.

@joachifm
Copy link
Contributor

joachifm commented Jun 4, 2016

@danykey you could start out by using firejail --noprofile and incrementally add restrictions to figure out where it breaks.

@DeivAstra
Copy link
Author

I tried
firejail --noprofile leafpad
Parent pid 1526, child pid 1527
Error: invalid /etc/pulse/client.conf file
Error: cannot establish communication with the parent, exiting...

It crashes immediately with any programs(with or without profile)
I also tried skype, firefox, thunar, leafpad,chromium..

@joachifm
Copy link
Contributor

joachifm commented Jun 5, 2016

Hrm, never seen that with firejail and I've used it quite a bit for testing.

@joachifm
Copy link
Contributor

joachifm commented Jun 5, 2016

@7c6f434c is the maintainer, they may know more.

@7c6f434c
Copy link
Member

7c6f434c commented Jun 5, 2016

I would try --no-sound if its problem is about pulseaudio

@DeivAstra
Copy link
Author

Thanks!
I guess you made a typo. --nosound is correct.

So, with --nosound is working. But I need sound for Skype and browsers. I had check /etc/pulse/client.conf and no something strange found. It's contans two rows and seems are correct:

autospawn=yes
daemon-binary=/nix/store/qd1cgpzs3hpa185vhc9hmg4xjflc0852-pulseaudio-8.0/bin/pulseaudio

Could you check your pulse client config?
Thanks.

@j1r1k
Copy link
Contributor

j1r1k commented Jun 14, 2016
edited

Firejail currently does not support symbolic link in place of /etc/pulse/client.conf.

I have created an issue asking about it in netblue30/firejail project (see netblue30/firejail#571).

Following override hot-fixes the problem (at least for version 0.9.38) for me (last line is added by the override)

packageOverrides = pkgs: {
    firejail = pkgs.lib.overrideDerivation pkgs.firejail (old: {
      preConfigure = ''
         sed -e 's@/bin/bash@${pkgs.stdenv.shell}@g' -i $( grep -lr /bin/bash .)
         sed -e "s@/bin/cp@$(which cp)@g" -i $( grep -lr /bin/cp .)
         sed -e '/void fs_var_run(/achar *vrcs = get_link("/var/run/current-system")\;' -i ./src/firejail/fs_var.c
         sed -e '/ \/run/iif(vrcs!=NULL){symlink(vrcs, "/var/run/current-system")\;free(vrcs)\;}' -i ./src/firejail/fs_var.c
         sed -e '107,110d' -i ./src/firejail/pulseaudio.c
       '';
        });
      };

@DeivAstra
Copy link
Author

Incredible thanks! I will test.

@j1r1k
Copy link
Contributor

j1r1k commented Jun 14, 2016

FYI, It is now fixed in netblue30/firejail.

@milahu
Copy link
Contributor

milahu commented Apr 29, 2022 

let # syntax highlighting
security.setuidPrograms = [ "firejail" ];

gives

error:
       Failed assertions:
       - The option definition `security.setuidPrograms' in `configuration.nix' no longer has any effect; please remove it.
       Use security.wrappers instead

so now its just

{
  programs.firejail.enable = true;
$ which firejail
/run/wrappers/bin/firejail

$ stat $(which firejail)
Access: (4511/-r-s--x--x)  Uid: (    0/    root)   Gid: (    0/    root)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@joachifm @7c6f434c @DeivAstra @j1r1k @milahu