Firefox 60+ fails to run content processes #1765
Thanks for your report. Could you please check briefly if it works when you replace
No, doesn't work, but I just saw that a
I verified via mozregression that bug 140162 is the issue. (pushlog) Ok, now I tried again several times and a fresh profile doesn't work either, but
We'll probably eventually need to remove
It seems that three options are causing problems: @johnp Can you please comment out these lines in your Firefox profile and give it a try? Instead of disabling
If you want to double-check: Adding
@smitsohu Yes, works with
On Ubuntu 16.04 (and firejail 0.9.52 from ppa:deki/firejail) I had to drop pivot-root from the seccomp line above (original issue: I was seeing blank windows, closing them didn't end the firefox program, but it would crash later in libmozsandbox.so - I assume it does some sort of chroot-ing on its own and needs that capability). It works for me with noroot in there, btw. (And there is no apparmor line in my version of firejail.)
Thanks @m0n5t3r for the data point. With regard to the AppArmor policy: Firefox crashes when it can't write to /proc/[pid]/uid_map, gid_map or setgroups.
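A diagnostic for the failure described in the comment above, added here as an example (it is not code from firejail, Firefox or any participant in this thread): in a throwaway child process it creates a user namespace and attempts the setgroups, uid_map and gid_map writes, then reports the first step that is refused. The function names, result codes and the identity uid/gid mapping are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <linux/sched.h>   /* CLONE_NEWUSER */
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Which step of the unprivileged user-namespace setup failed (0 = none). */
enum { NS_OK, NS_UNSHARE, NS_SETGROUPS, NS_UID_MAP, NS_GID_MAP, NS_CHILD_DIED };

static const char *const ns_step[] = {
    "all writes succeeded", "unshare(CLONE_NEWUSER)", "/proc/self/setgroups",
    "/proc/self/uid_map", "/proc/self/gid_map", "child killed or fork failed" };

/* Write text to an existing file; 0 on success, -1 on any failure. */
static int write_file(const char *path, const char *text) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Probe in a forked child so the caller's own namespaces stay untouched. */
int probe_userns(void) {
    unsigned uid = (unsigned)getuid(), gid = (unsigned)getgid();
    pid_t pid = fork();
    if (pid < 0) return NS_CHILD_DIED;
    if (pid == 0) {
        char map[64];
        if (syscall(SYS_unshare, CLONE_NEWUSER) != 0) _exit(NS_UNSHARE);
        if (write_file("/proc/self/setgroups", "deny") != 0) _exit(NS_SETGROUPS);
        snprintf(map, sizeof map, "%u %u 1", uid, uid);   /* identity map (assumed) */
        if (write_file("/proc/self/uid_map", map) != 0) _exit(NS_UID_MAP);
        snprintf(map, sizeof map, "%u %u 1", gid, gid);
        if (write_file("/proc/self/gid_map", map) != 0) _exit(NS_GID_MAP);
        _exit(NS_OK);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return NS_CHILD_DIED;
    return WEXITSTATUS(status);
}

int main(void) {
    int r = probe_userns();
    printf("user namespace probe: %s%s\n", r ? "blocked at " : "", ns_step[r]);
    return r;
}
```

Run the compiled binary once outside the sandbox and once inside the profile under test; a different result between the two runs points at the profile rather than the kernel configuration.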
That never happened to me. Is this a new nightly thing?
@Vincent43 Yep, it's only Nightly (for now).
Ok, we can fix it by adding
Does someone have an idea why
Another question is if this should be fixed in nightly/dev profiles, or directly in firefox-common.inc.
I think we should remove
It should be sufficient to either disable Btw, I still see problems only with chroot and have not been able to replicate the issue with pivot_root yet. Maybe I'm missing a condition? EDITED: @Vincent43 but yes, I would agree to fix directly in firefox-common. palemoon and basilisk could then get their own profiles without redirection.
I don't think In my understanding
I'd prefer to have at least We should probably drop
Mozilla has spoken out against a SUID sandbox because it breaks support for downloading and running Firefox as a regular user, without installation, something Chromium has never attempted to support. As a consequence, +1 for disabling
This should hopefully be fixed in upstream now. After a brief discussion,
@Fred-Barclay it isn't fixed for me. I had to fix it manually, by commenting out: and possibly: and disable-mnt because I have a downloads folder in /media, but that's unrelated. This is on Debian sid with Firefox Nightly and firejail latest git. Edit: https://pastebin.com/raw/GQx3BVyA Which ones are the most important security-wise?
@pizzadude we had to change a few other settings for apparmor. Can you build from the latest source and test again?
@Fred-Barclay
Firefox Nightly doesn't seem to be able to start child processes / no tabs loading websites (except about:-stuff, which AFAIK runs in the parent process), crashing them instead: https://crash-stats.mozilla.com/report/index/288d3c2b-c0be-4a85-af97-b294f0180207
I suspect bug 1401062 to be the issue, but don't know how to debug further.
firejail latest master / 0.9.53 on Fedora 27, works with --noprofile.