breaks with /proc/xen mounted (QubesOS) #134

Open
adrelanos opened this Issue Dec 26, 2016 · 19 comments

adrelanos commented Dec 26, 2016

Using Qubes Debian jessie based AppVM with bubblewrap from jessie-backports (version 0.1.4-2~bpo8+1).

(Neither AppArmor nor grsecurity is involved.)

Here are instructions on how to reproduce this in Qubes:
QubesOS/qubes-issues#2540

user@host:~/sandbox$ ./sandboxed-tor-browser -debug
2016/12/25 05:35:20 launch: Starting.
2016/12/25 05:35:20 launch: Connecting to the Tor network.
2016/12/25 05:35:20 launch: Starting Tor Browser.
2016/12/25 05:35:20 sandbox: User namespace support detected.
2016/12/25 05:35:20 dynlib: ELF AUXV AT_HWCAP: 0000000000000000
2016/12/25 05:35:20 dynlib: osVersion: 0004041f
2016/12/25 05:35:20 dynlib: debug: Multiple entry: libpng12.so.0: [/lib/x86_64-linux-gnu/libpng12.so.0 /usr/lib/x86_64-linux-gnu/libpng12.so.0]
2016/12/25 05:35:20 dynlib: debug: Multiple entry: libusb-0.1.so.4: [/lib/x86_64-linux-gnu/libusb-0.1.so.4 /usr/lib/x86_64-linux-gnu/libusb-0.1.so.4]
2016/12/25 05:35:20 sandbox: ld.so appears to be '/lib64/ld-linux-x86-64.so.2' -> /lib/x86_64-linux-gnu/ld-2.19.so.
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/firefox imports: [libasan.so.2 libpthread.so.0 libdl.so.2 libstdc++.so.6 libm.so.6 libgcc_s.so.1 libc.so.6]
2016/12/25 05:35:20 dynlib: Appending extra libs: [libxcb.so.1 libXau.so.6 libXdmcp.so.6 libadwaita.so libprintbackend-file.so libpixbufloader-png.so]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libfreebl3.so imports: [libnssutil3.so libnspr4.so libpthread.so.0 libdl.so.2 libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/liblgpllibs.so imports: [libasan.so.2 libpthread.so.0 libdl.so.2 libstdc++.so.6 libm.so.6 libgcc_s.so.1 libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libmozsqlite3.so imports: [libasan.so.2 libpthread.so.0 libdl.so.2 libstdc++.so.6 libm.so.6 libgcc_s.so.1 libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libnspr4.so imports: [libasan.so.2 libdl.so.2 libpthread.so.0 librt.so.1 libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libnss3.so imports: [libnssutil3.so libplc4.so libplds4.so libnspr4.so libpthread.so.0 libdl.so.2 libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libnssckbi.so imports: [libplc4.so libplds4.so libnspr4.so libpthread.so.0 libdl.so.2 libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libnssdbm3.so imports: [libnssutil3.so libplc4.so libplds4.so libnspr4.so libpthread.so.0 libdl.so.2 libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libnssutil3.so imports: [libplc4.so libplds4.so libnspr4.so libpthread.so.0 libdl.so.2 libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libplc4.so imports: [libasan.so.2 libdl.so.2 libnspr4.so libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libplds4.so imports: [libasan.so.2 libdl.so.2 libnspr4.so libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libsmime3.so imports: [libnss3.so libnssutil3.so libplc4.so libplds4.so libnspr4.so libpthread.so.0 libdl.so.2 libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libsoftokn3.so imports: [libmozsqlite3.so libnssutil3.so libplc4.so libplds4.so libnspr4.so libpthread.so.0 libdl.so.2 libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libssl3.so imports: [libnss3.so libnssutil3.so libplc4.so libplds4.so libnspr4.so libpthread.so.0 libdl.so.2 libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libxul.so imports: [libasan.so.2 libpthread.so.0 libdl.so.2 libnss3.so libsmime3.so libssl3.so libnssutil3.so libmozsqlite3.so libplds4.so libplc4.so libnspr4.so liblgpllibs.so libfreetype.so.6 libfontconfig.so.1 librt.so.1 libXrender.so.1 libasound.so.2 libdbus-glib-1.so.2 libdbus-1.so.3 libgobject-2.0.so.0 libglib-2.0.so.0 libgtk-x11-2.0.so.0 libatk-1.0.so.0 libgio-2.0.so.0 libpangoft2-1.0.so.0 libgdk-x11-2.0.so.0 libpangocairo-1.0.so.0 libgdk_pixbuf-2.0.so.0 libpango-1.0.so.0 libcairo.so.2 libX11.so.6 libXext.so.6 libXt.so.6 libgthread-2.0.so.0 libstdc++.so.6 libm.so.6 libgcc_s.so.1 libc.so.6]
2016/12/25 05:35:20 dynlib: /lib/x86_64-linux-gnu/libdl.so.2 imports: [libc.so.6 ld-linux-x86-64.so.2]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libasound.so.2 imports: [libm.so.6 libdl.so.2 libpthread.so.0 librt.so.1 libc.so.6 ld-linux-x86-64.so.2]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libgthread-2.0.so.0 imports: [libpthread.so.0 libglib-2.0.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libfontconfig.so.1 imports: [libfreetype.so.6 libexpat.so.1 libpthread.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libX11.so.6 imports: [libxcb.so.1 libdl.so.2 libc.so.6]
2016/12/25 05:35:20 dynlib: /lib/x86_64-linux-gnu/libgcc_s.so.1 imports: [libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libxcb.so.1 imports: [libXau.so.6 libXdmcp.so.6 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libXdmcp.so.6 imports: [libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libpango-1.0.so.0 imports: [libgobject-2.0.so.0 libgmodule-2.0.so.0 libgthread-2.0.so.0 libglib-2.0.so.0 libm.so.6 libthai.so.0 libpthread.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /lib/x86_64-linux-gnu/librt.so.1 imports: [libpthread.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0 imports: [libglib-2.0.so.0 libffi.so.6 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libpangoft2-1.0.so.0 imports: [libpango-1.0.so.0 libgobject-2.0.so.0 libgmodule-2.0.so.0 libgthread-2.0.so.0 libglib-2.0.so.0 libharfbuzz.so.0 libfontconfig.so.1 libfreetype.so.6 libm.so.6 libpthread.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libnssutil3.so imports: [libplc4.so libplds4.so libnspr4.so libpthread.so.0 libdl.so.2 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libdbus-glib-1.so.2 imports: [libdbus-1.so.3 libgio-2.0.so.0 libgobject-2.0.so.0 libglib-2.0.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /lib/x86_64-linux-gnu/libglib-2.0.so.0 imports: [libpcre.so.3 libpthread.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libcairo.so.2 imports: [libpthread.so.0 libpixman-1.so.0 libfontconfig.so.1 libfreetype.so.6 libpng12.so.0 libxcb-shm.so.0 libxcb-render.so.0 libxcb.so.1 libXrender.so.1 libX11.so.6 libXext.so.6 libz.so.1 librt.so.1 libm.so.6 libc.so.6]
2016/12/25 05:35:20 dynlib: /lib/x86_64-linux-gnu/libpthread.so.0 imports: [libc.so.6 ld-linux-x86-64.so.2]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/TorBrowser/Tor/libstdc++.so.6 imports: [libm.so.6 libc.so.6 ld-linux-x86-64.so.2 libgcc_s.so.1]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libadwaita.so imports: [libgtk-x11-2.0.so.0 libatk-1.0.so.0 libgio-2.0.so.0 libpangoft2-1.0.so.0 libfontconfig.so.1 libfreetype.so.6 libgdk-x11-2.0.so.0 libpangocairo-1.0.so.0 libpango-1.0.so.0 libcairo.so.2 libgdk_pixbuf-2.0.so.0 libgobject-2.0.so.0 libglib-2.0.so.0 libpthread.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libplc4.so imports: [libasan.so.2 libdl.so.2 libnspr4.so libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0 imports: [libgobject-2.0.so.0 libgmodule-2.0.so.0 libglib-2.0.so.0 libz.so.1 libselinux.so.1 libresolv.so.2 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libgdk-x11-2.0.so.0 imports: [libpangocairo-1.0.so.0 libpango-1.0.so.0 libgdk_pixbuf-2.0.so.0 libgio-2.0.so.0 libgobject-2.0.so.0 libglib-2.0.so.0 libfontconfig.so.1 libfreetype.so.6 libXrender.so.1 libXinerama.so.1 libXi.so.6 libXrandr.so.2 libXcursor.so.1 libXcomposite.so.1 libXdamage.so.1 libXfixes.so.3 libcairo.so.2 libX11.so.6 libXext.so.6 libm.so.6 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0 imports: [libgmodule-2.0.so.0 libgio-2.0.so.0 libgobject-2.0.so.0 libglib-2.0.so.0 libpng12.so.0 libm.so.6 libpthread.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libXext.so.6 imports: [libX11.so.6 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libXt.so.6 imports: [libSM.so.6 libICE.so.6 libX11.so.6 libc.so.6]
2016/12/25 05:35:20 dynlib: /lib/x86_64-linux-gnu/libc.so.6 imports: [ld-linux-x86-64.so.2]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libXau.so.6 imports: [libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libatk-1.0.so.0 imports: [libgobject-2.0.so.0 libglib-2.0.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so imports: [libgdk_pixbuf-2.0.so.0 libgmodule-2.0.so.0 libgio-2.0.so.0 libgobject-2.0.so.0 libglib-2.0.so.0 libpng12.so.0 libm.so.6 libpthread.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libplds4.so imports: [libasan.so.2 libdl.so.2 libnspr4.so libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libpangocairo-1.0.so.0 imports: [libpango-1.0.so.0 libgobject-2.0.so.0 libgmodule-2.0.so.0 libgthread-2.0.so.0 libglib-2.0.so.0 libcairo.so.2 libm.so.6 libpangoft2-1.0.so.0 libfontconfig.so.1 libfreetype.so.6 libpthread.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/TorBrowser/Tor/libasan.so.2 imports: [librt.so.1 libpthread.so.0 libdl.so.2 libstdc++.so.6 libm.so.6 libc.so.6 ld-linux-x86-64.so.2 libgcc_s.so.1]
2016/12/25 05:35:20 dynlib: /lib/x86_64-linux-gnu/libm.so.6 imports: [libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/printbackends/libprintbackend-file.so imports: [libgtk-x11-2.0.so.0 libgdk-x11-2.0.so.0 libpangocairo-1.0.so.0 libX11.so.6 libXcomposite.so.1 libXdamage.so.1 libXfixes.so.3 libatk-1.0.so.0 libcairo.so.2 libgdk_pixbuf-2.0.so.0 libgio-2.0.so.0 libpangoft2-1.0.so.0 libpango-1.0.so.0 libgobject-2.0.so.0 libglib-2.0.so.0 libfontconfig.so.1 libfreetype.so.6 libm.so.6 libpthread.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /lib/x86_64-linux-gnu/libdbus-1.so.3 imports: [libpthread.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0 imports: [libgdk-x11-2.0.so.0 libgmodule-2.0.so.0 libpangocairo-1.0.so.0 libX11.so.6 libXcomposite.so.1 libXdamage.so.1 libXfixes.so.3 libatk-1.0.so.0 libcairo.so.2 libgdk_pixbuf-2.0.so.0 libgio-2.0.so.0 libpangoft2-1.0.so.0 libpango-1.0.so.0 libgobject-2.0.so.0 libglib-2.0.so.0 libfontconfig.so.1 libfreetype.so.6 libm.so.6 libpthread.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/libnspr4.so imports: [libasan.so.2 libdl.so.2 libpthread.so.0 librt.so.1 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libfreetype.so.6 imports: [libz.so.1 libpng12.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libXrender.so.1 imports: [libX11.so.6 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libXdamage.so.1 imports: [libXfixes.so.3 libX11.so.6 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libXfixes.so.3 imports: [libX11.so.6 libc.so.6]
2016/12/25 05:35:20 dynlib: /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 imports: []
2016/12/25 05:35:20 dynlib: /lib/x86_64-linux-gnu/libexpat.so.1 imports: [libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libXi.so.6 imports: [libX11.so.6 libXext.so.6 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libxcb-render.so.0 imports: [libxcb.so.1 libc.so.6]
2016/12/25 05:35:20 dynlib: /lib/x86_64-linux-gnu/libresolv.so.2 imports: [libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libXcomposite.so.1 imports: [libX11.so.6 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libSM.so.6 imports: [libICE.so.6 libuuid.so.1 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libICE.so.6 imports: [libc.so.6]
2016/12/25 05:35:20 dynlib: /lib/x86_64-linux-gnu/libpcre.so.3 imports: [libpthread.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libpixman-1.so.0 imports: [libm.so.6 libpthread.so.0 libc.so.6 ld-linux-x86-64.so.2]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libxcb-shm.so.0 imports: [libxcb.so.1 libc.so.6]
2016/12/25 05:35:20 dynlib: /lib/x86_64-linux-gnu/libpng12.so.0 imports: [libz.so.1 libm.so.6 libc.so.6]
2016/12/25 05:35:20 dynlib: /lib/x86_64-linux-gnu/libz.so.1 imports: [libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libXinerama.so.1 imports: [libX11.so.6 libXext.so.6 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libXcursor.so.1 imports: [libXrender.so.1 libXfixes.so.3 libX11.so.6 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libgmodule-2.0.so.0 imports: [libdl.so.2 libglib-2.0.so.0 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libthai.so.0 imports: [libdatrie.so.1 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libharfbuzz.so.0 imports: [libglib-2.0.so.0 libfreetype.so.6 libgraphite2.so.3 libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libffi.so.6 imports: [libc.so.6]
2016/12/25 05:35:20 dynlib: /lib/x86_64-linux-gnu/libselinux.so.1 imports: [libpcre.so.3 libdl.so.2 libc.so.6 ld-linux-x86-64.so.2]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libXrandr.so.2 imports: [libXext.so.6 libXrender.so.1 libX11.so.6 libc.so.6]
2016/12/25 05:35:20 dynlib: /lib/x86_64-linux-gnu/libuuid.so.1 imports: [libc.so.6 ld-linux-x86-64.so.2]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libdatrie.so.1 imports: [libc.so.6]
2016/12/25 05:35:20 dynlib: /usr/lib/x86_64-linux-gnu/libgraphite2.so.3 imports: [libc.so.6]
2016/12/25 05:35:20 sandbox: lib: /lib/x86_64-linux-gnu/libc-2.19.so
2016/12/25 05:35:20 sandbox: lib: /lib/x86_64-linux-gnu/libdbus-1.so.3.8.13
2016/12/25 05:35:20 sandbox: lib: /lib/x86_64-linux-gnu/libdl-2.19.so
2016/12/25 05:35:20 sandbox: lib: /lib/x86_64-linux-gnu/libexpat.so.1.6.0
2016/12/25 05:35:20 sandbox: lib: /lib/x86_64-linux-gnu/libgcc_s.so.1
2016/12/25 05:35:20 sandbox: lib: /lib/x86_64-linux-gnu/libglib-2.0.so.0.4200.1
2016/12/25 05:35:20 sandbox: lib: /lib/x86_64-linux-gnu/libm-2.19.so
2016/12/25 05:35:20 sandbox: lib: /lib/x86_64-linux-gnu/libpcre.so.3.13.1
2016/12/25 05:35:20 sandbox: lib: /lib/x86_64-linux-gnu/libpng12.so.0.50.0
2016/12/25 05:35:20 sandbox: lib: /lib/x86_64-linux-gnu/libpthread-2.19.so
2016/12/25 05:35:20 sandbox: lib: /lib/x86_64-linux-gnu/libresolv-2.19.so
2016/12/25 05:35:20 sandbox: lib: /lib/x86_64-linux-gnu/librt-2.19.so
2016/12/25 05:35:20 sandbox: lib: /lib/x86_64-linux-gnu/libselinux.so.1
2016/12/25 05:35:20 sandbox: lib: /lib/x86_64-linux-gnu/libuuid.so.1.3.0
2016/12/25 05:35:20 sandbox: lib: /lib/x86_64-linux-gnu/libz.so.1.2.8
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libICE.so.6.3.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libSM.so.6.0.1
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libXau.so.6.0.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libXcomposite.so.1.0.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libXcursor.so.1.0.2
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libXdamage.so.1.1.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libXdmcp.so.6.0.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libXext.so.6.4.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libXfixes.so.3.1.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libXi.so.6.1.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libXinerama.so.1.0.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libXrandr.so.2.2.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libXrender.so.1.3.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libXt.so.6.0.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libasound.so.2.0.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libatk-1.0.so.0.21409.1
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libdatrie.so.1.3.1
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libdbus-glib-1.so.2.2.2
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libffi.so.6.0.2
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libfontconfig.so.1.8.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libfreetype.so.6.11.1
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libgdk-x11-2.0.so.0.2400.25
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3100.1
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0.4200.1
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libgmodule-2.0.so.0.4200.1
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4200.1
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libgraphite2.so.3.0.1
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libgthread-2.0.so.0.4200.1
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0.2400.25
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libharfbuzz.so.0.935.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libpango-1.0.so.0.3600.8
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libpangocairo-1.0.so.0.3600.8
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libpangoft2-1.0.so.0.3600.8
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libpixman-1.so.0.32.6
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libthai.so.0.2.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libxcb-render.so.0.0.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libxcb-shm.so.0.0.0
2016/12/25 05:35:20 sandbox: lib: /usr/lib/x86_64-linux-gnu/libxcb.so.1.1.0
2016/12/25 05:35:20 sandbox: fdArgs: [--dev /dev --tmpfs /tmp --setenv XDG_RUNTIME_DIR /run/user/1000 --dir /run/user/1000 --setenv HOME /home/amnesia --dir /home/amnesia --unshare-user --unshare-ipc --unshare-pid --unshare-net --unshare-uts --unshare-cgroup-try --hostname amnesia --proc /proc --chdir /home/amnesia/sandboxed-tor-browser/tor-browser/Browser --uid 1000 --gid 1000 --seccomp 10 --info-fd 11 --setenv DISPLAY :0 --dir /tmp/.X11-unix --bind /tmp/.X11-unix/X0 /tmp/.X11-unix/X0 --ro-bind /usr/share/themes/Adwaita/gtk-2.0 /usr/share/themes/Adwaita/gtk-2.0 --ro-bind /usr/share/icons/Adwaita /usr/share/icons/Adwaita --ro-bind /usr/share/icons/hicolor /usr/share/icons/hicolor --ro-bind /usr/share/mime /usr/share/mime --setenv GTK2_RC_FILES /home/amnesia/.gtkrc-2.0 --file 4 /home/amnesia/.gtkrc-2.0 --ro-bind /usr/share/libthai/thbrk.tri /usr/share/libthai/thbrk.tri --ro-bind /home/user/.local/share/sandboxed-tor-browser/tor-browser /home/amnesia/sandboxed-tor-browser/tor-browser --bind /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/TorBrowser/Data/Browser/profile.default /home/amnesia/sandboxed-tor-browser/tor-browser/Browser/TorBrowser/Data/Browser/profile.default --bind /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/Desktop /home/amnesia/sandboxed-tor-browser/tor-browser/Browser/Desktop --bind /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/Downloads /home/amnesia/sandboxed-tor-browser/tor-browser/Browser/Downloads --bind /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/TorBrowser/Data/Browser/Caches /home/amnesia/sandboxed-tor-browser/tor-browser/Browser/TorBrowser/Data/Browser/Caches --ro-bind /home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/preferences /home/amnesia/sandboxed-tor-browser/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/preferences --ro-bind 
/home/user/.local/share/sandboxed-tor-browser/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/extensions /home/amnesia/sandboxed-tor-browser/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/extensions --setenv LD_LIBRARY_PATH /home/amnesia/sandboxed-tor-browser/tor-browser/Browser/TorBrowser/Tor --setenv FONTCONFIG_PATH /home/amnesia/sandboxed-tor-browser/tor-browser/Browser/TorBrowser/Data/fontconfig --setenv FONTCONFIG_FILE fonts.conf --setenv ASAN_OPTIONS detect_leaks=0 --setenv NSS_DISABLE_HW_AES 1 --symlink /home/amnesia/sandboxed-tor-browser/tor-browser/Browser/Desktop /home/amnesia/Desktop --symlink /home/amnesia/sandboxed-tor-browser/tor-browser/Browser/Downloads /home/amnesia/Downloads --setenv TOR_SOCKS_PORT 9150 --setenv TOR_CONTROL_PORT 9151 --setenv TOR_SKIP_LAUNCH 1 --setenv TOR_NO_DISPLAY_NETWORK_SETTINGS 1 --setenv TOR_STUB_CONTROL_SOCKET /run/user/1000/control --setenv TOR_STUB_SOCKS_SOCKET /run/user/1000/socks --bind /run/user/1000/sandboxed-tor-browser/control /run/user/1000/control --bind /run/user/1000/sandboxed-tor-browser/socks /run/user/1000/socks --file 5 /home/amnesia/.tbb_stub.so --setenv LD_PRELOAD libasan.so.2:/home/amnesia/.tbb_stub.so --setenv LIBGL_ALWAYS_SOFTWARE 1 --ro-bind /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libadwaita.so /usr/lib/gtk-2.0/2.10.0/engines/libadwaita.so --ro-bind /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libpixmap.so /usr/lib/gtk-2.0/2.10.0/engines/libpixmap.so --ro-bind /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/printbackends/libprintbackend-file.so /usr/lib/gtk-2.0/2.10.0/printbackends/libprintbackend-file.so --setenv GTK_PATH /usr/lib/gtk-2.0 --ro-bind /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so /usr/lib/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so --file 6 /usr/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache --setenv GDK_PIXBUF_MODULE_FILE /usr/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache --ro-bind /lib/x86_64-linux-gnu/ld-2.19.so 
/lib/ld-linux-x86-64.so.2 --ro-bind /lib/x86_64-linux-gnu/libc-2.19.so /usr/lib/libc.so.6 --ro-bind /lib/x86_64-linux-gnu/libdbus-1.so.3.8.13 /usr/lib/libdbus-1.so.3 --ro-bind /lib/x86_64-linux-gnu/libdl-2.19.so /usr/lib/libdl.so.2 --ro-bind /lib/x86_64-linux-gnu/libexpat.so.1.6.0 /usr/lib/libexpat.so.1 --ro-bind /lib/x86_64-linux-gnu/libgcc_s.so.1 /usr/lib/libgcc_s.so.1 --ro-bind /lib/x86_64-linux-gnu/libglib-2.0.so.0.4200.1 /usr/lib/libglib-2.0.so.0 --ro-bind /lib/x86_64-linux-gnu/libm-2.19.so /usr/lib/libm.so.6 --ro-bind /lib/x86_64-linux-gnu/libpcre.so.3.13.1 /usr/lib/libpcre.so.3 --ro-bind /lib/x86_64-linux-gnu/libpng12.so.0.50.0 /usr/lib/libpng12.so.0 --ro-bind /lib/x86_64-linux-gnu/libpthread-2.19.so /usr/lib/libpthread.so.0 --ro-bind /lib/x86_64-linux-gnu/libresolv-2.19.so /usr/lib/libresolv.so.2 --ro-bind /lib/x86_64-linux-gnu/librt-2.19.so /usr/lib/librt.so.1 --ro-bind /lib/x86_64-linux-gnu/libselinux.so.1 /usr/lib/libselinux.so.1 --ro-bind /lib/x86_64-linux-gnu/libuuid.so.1.3.0 /usr/lib/libuuid.so.1 --ro-bind /lib/x86_64-linux-gnu/libz.so.1.2.8 /usr/lib/libz.so.1 --ro-bind /usr/lib/x86_64-linux-gnu/libICE.so.6.3.0 /usr/lib/libICE.so.6 --ro-bind /usr/lib/x86_64-linux-gnu/libSM.so.6.0.1 /usr/lib/libSM.so.6 --ro-bind /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0 /usr/lib/libX11.so.6 --ro-bind /usr/lib/x86_64-linux-gnu/libXau.so.6.0.0 /usr/lib/libXau.so.6 --ro-bind /usr/lib/x86_64-linux-gnu/libXcomposite.so.1.0.0 /usr/lib/libXcomposite.so.1 --ro-bind /usr/lib/x86_64-linux-gnu/libXcursor.so.1.0.2 /usr/lib/libXcursor.so.1 --ro-bind /usr/lib/x86_64-linux-gnu/libXdamage.so.1.1.0 /usr/lib/libXdamage.so.1 --ro-bind /usr/lib/x86_64-linux-gnu/libXdmcp.so.6.0.0 /usr/lib/libXdmcp.so.6 --ro-bind /usr/lib/x86_64-linux-gnu/libXext.so.6.4.0 /usr/lib/libXext.so.6 --ro-bind /usr/lib/x86_64-linux-gnu/libXfixes.so.3.1.0 /usr/lib/libXfixes.so.3 --ro-bind /usr/lib/x86_64-linux-gnu/libXi.so.6.1.0 /usr/lib/libXi.so.6 --ro-bind /usr/lib/x86_64-linux-gnu/libXinerama.so.1.0.0 
/usr/lib/libXinerama.so.1 --ro-bind /usr/lib/x86_64-linux-gnu/libXrandr.so.2.2.0 /usr/lib/libXrandr.so.2 --ro-bind /usr/lib/x86_64-linux-gnu/libXrender.so.1.3.0 /usr/lib/libXrender.so.1 --ro-bind /usr/lib/x86_64-linux-gnu/libXt.so.6.0.0 /usr/lib/libXt.so.6 --ro-bind /usr/lib/x86_64-linux-gnu/libasound.so.2.0.0 /usr/lib/libasound.so.2 --ro-bind /usr/lib/x86_64-linux-gnu/libatk-1.0.so.0.21409.1 /usr/lib/libatk-1.0.so.0 --ro-bind /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.0 /usr/lib/libcairo.so.2 --ro-bind /usr/lib/x86_64-linux-gnu/libdatrie.so.1.3.1 /usr/lib/libdatrie.so.1 --ro-bind /usr/lib/x86_64-linux-gnu/libdbus-glib-1.so.2.2.2 /usr/lib/libdbus-glib-1.so.2 --ro-bind /usr/lib/x86_64-linux-gnu/libffi.so.6.0.2 /usr/lib/libffi.so.6 --ro-bind /usr/lib/x86_64-linux-gnu/libfontconfig.so.1.8.0 /usr/lib/libfontconfig.so.1 --ro-bind /usr/lib/x86_64-linux-gnu/libfreetype.so.6.11.1 /usr/lib/libfreetype.so.6 --ro-bind /usr/lib/x86_64-linux-gnu/libgdk-x11-2.0.so.0.2400.25 /usr/lib/libgdk-x11-2.0.so.0 --ro-bind /usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3100.1 /usr/lib/libgdk_pixbuf-2.0.so.0 --ro-bind /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0.4200.1 /usr/lib/libgio-2.0.so.0 --ro-bind /usr/lib/x86_64-linux-gnu/libgmodule-2.0.so.0.4200.1 /usr/lib/libgmodule-2.0.so.0 --ro-bind /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4200.1 /usr/lib/libgobject-2.0.so.0 --ro-bind /usr/lib/x86_64-linux-gnu/libgraphite2.so.3.0.1 /usr/lib/libgraphite2.so.3 --ro-bind /usr/lib/x86_64-linux-gnu/libgthread-2.0.so.0.4200.1 /usr/lib/libgthread-2.0.so.0 --ro-bind /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0.2400.25 /usr/lib/libgtk-x11-2.0.so.0 --ro-bind /usr/lib/x86_64-linux-gnu/libharfbuzz.so.0.935.0 /usr/lib/libharfbuzz.so.0 --ro-bind /usr/lib/x86_64-linux-gnu/libpango-1.0.so.0.3600.8 /usr/lib/libpango-1.0.so.0 --ro-bind /usr/lib/x86_64-linux-gnu/libpangocairo-1.0.so.0.3600.8 /usr/lib/libpangocairo-1.0.so.0 --ro-bind /usr/lib/x86_64-linux-gnu/libpangoft2-1.0.so.0.3600.8 
/usr/lib/libpangoft2-1.0.so.0 --ro-bind /usr/lib/x86_64-linux-gnu/libpixman-1.so.0.32.6 /usr/lib/libpixman-1.so.0 --ro-bind /usr/lib/x86_64-linux-gnu/libthai.so.0.2.0 /usr/lib/libthai.so.0 --ro-bind /usr/lib/x86_64-linux-gnu/libxcb-render.so.0.0.0 /usr/lib/libxcb-render.so.0 --ro-bind /usr/lib/x86_64-linux-gnu/libxcb-shm.so.0.0.0 /usr/lib/libxcb-shm.so.0 --ro-bind /usr/lib/x86_64-linux-gnu/libxcb.so.1.1.0 /usr/lib/libxcb.so.1 --symlink /lib /lib64 --symlink /usr/lib /usr/lib64 --setenv LD_LIBRARY_PATH /home/amnesia/sandboxed-tor-browser/tor-browser/Browser/TorBrowser/Tor:/usr/lib --file 7 /etc/passwd --file 8 /etc/group --file 9 /var/lib/dbus/machine-id --symlink /var/lib/dbus/machine-id /etc/machine-id]
2016/12/25 05:35:20 sandbox: bwrap pid is: 16202
2016/12/25 05:35:20 sandbox: child pid is: 16203
2016/12/25 05:35:20 launch: Complete.
2016/12/25 05:35:20 firefox: Can't mount proc on /newroot/proc
2016/12/25 05:35:20 firefox: : Operation not permitted
2016/12/25 05:35:20 fatal error in the user interface: waitid: no child processes

A simple test bwrap --ro-bind / / --proc /proc --dev /dev /bin/bash worked for me.

Outside of Qubes, i.e. in a non-Qubes Debian jessie (VirtualBox) VM, sandboxed-tor-browser works fine.

So I guess "something that Qubes does breaks bubblewrap". Could you please help us make this more specific?

I've been advised to:

  • Rebuild bubblewrap with strategic debugging instrumentation added.
  • Use ptrace/ltrace/gdb to figure out what's actually going on.

Do you know why this is happening? How to fix this? Want any debug output? If you would like me to rebuild bubblewrap with debugging enabled, where do I find build instructions?

marmarek commented Dec 26, 2016

Looks like the combination of --unshare-user, --unshare-pid, and --proc /proc is causing this. Test case:

bwrap --ro-bind / /  --unshare-user --unshare-pid   --proc /proc  /bin/bash

If I remove any of those options, /bin/bash is started. Otherwise, it throws an error:

Can't mount proc on /newroot/proc: Operation not permitted

Running with strace doesn't say much more - indeed mount syscall fails with EPERM:

mount("proc", "/newroot/proc", "proc", MS_MGC_VAL|MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL) = -1 EPERM (Operation not permitted)

Any idea?

Member

alexlarsson commented Dec 29, 2016

So, the kernel disallows mounting proc in the user + pid namespace. That is weird. Clearly it has mount capabilities, because earlier mounts succeeded.

In the upstream kernel, procfs has:

static struct file_system_type proc_fs_type = {
        .name           = "proc",
        .mount          = proc_mount,
        .kill_sb        = proc_kill_sb,
        .fs_flags       = FS_USERNS_MOUNT,
};

This flag (FS_USERNS_MOUNT) should allow mounting a new proc instance in a user namespace. Does the qubes kernel change this in any way?

Member

alexlarsson commented Dec 29, 2016

And anyway, the debian build of bubblewrap uses setuid, so it should have capabilities in the parent namespace too. Very weird.

Does qubes itself use namespaces?

alexlarsson Jan 11, 2017

Member

I wonder if it's related to this: https://lwn.net/Articles/644932/
I.e. maybe your /proc has some mount flag, or some covering mount.
How does your /proc/self/mounts look?

adrelanos Jan 11, 2017

How does your /proc/self/mounts look?

sudo cat /proc/self/mounts
/dev/mapper/dmroot / ext4 rw,noatime,data=ordered 0 0
/dev/xvdd /lib/modules/4.4.31-11.pvops.qubes.x86_64 ext3 ro,relatime,data=ordered 0 0
sysfs /sys sysfs rw,relatime 0 0
proc /proc proc rw,relatime 0 0
devtmpfs /dev devtmpfs rw,nosuid,size=149600k,nr_inodes=37400,mode=755 0 0
securityfs /sys/kernel/security securityfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,size=1048576k,nr_inodes=39133 0 0
devpts /dev/pts devpts rw,relatime,gid=5,mode=620,ptmxmode=000 0 0
tmpfs /run tmpfs rw,nosuid,nodev,size=156532k,nr_inodes=39133,mode=755 0 0
tmpfs /run/lock tmpfs rw,nosuid,nodev,noexec,relatime,size=5120k,nr_inodes=39133 0 0
tmpfs /sys/fs/cgroup tmpfs ro,nosuid,nodev,noexec,size=156532k,nr_inodes=39133,mode=755 0 0
cgroup /sys/fs/cgroup/systemd cgroup rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd 0 0
pstore /sys/fs/pstore pstore rw,nosuid,nodev,noexec,relatime 0 0
cgroup /sys/fs/cgroup/cpuset cgroup rw,nosuid,nodev,noexec,relatime,cpuset 0 0
cgroup /sys/fs/cgroup/cpu,cpuacct cgroup rw,nosuid,nodev,noexec,relatime,cpu,cpuacct 0 0
cgroup /sys/fs/cgroup/blkio cgroup rw,nosuid,nodev,noexec,relatime,blkio 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0
cgroup /sys/fs/cgroup/devices cgroup rw,nosuid,nodev,noexec,relatime,devices 0 0
cgroup /sys/fs/cgroup/freezer cgroup rw,nosuid,nodev,noexec,relatime,freezer 0 0
cgroup /sys/fs/cgroup/net_cls,net_prio cgroup rw,nosuid,nodev,noexec,relatime,net_cls,net_prio 0 0
cgroup /sys/fs/cgroup/perf_event cgroup rw,nosuid,nodev,noexec,relatime,perf_event 0 0
cgroup /sys/fs/cgroup/hugetlb cgroup rw,nosuid,nodev,noexec,relatime,hugetlb 0 0
cgroup /sys/fs/cgroup/pids cgroup rw,nosuid,nodev,noexec,relatime,pids 0 0
systemd-1 /proc/sys/fs/binfmt_misc autofs rw,relatime,fd=22,pgrp=1,timeout=300,minproto=5,maxproto=5,direct 0 0
tmpfs /tmp tmpfs rw,size=1048576k,nr_inodes=39133 0 0
mqueue /dev/mqueue mqueue rw,relatime 0 0
debugfs /sys/kernel/debug debugfs rw,relatime 0 0
fusectl /sys/fs/fuse/connections fusectl rw,relatime 0 0
configfs /sys/kernel/config configfs rw,relatime 0 0
xen /proc/xen xenfs rw,relatime 0 0
/dev/xvdb /rw ext4 rw,relatime,discard,data=ordered 0 0
/dev/xvdb /home ext4 rw,relatime,discard,data=ordered 0 0
/dev/xvdb /var/spool/cron ext4 rw,relatime,discard,data=ordered 0 0
binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc rw,relatime 0 0
tmpfs /run/user/1000 tmpfs rw,nosuid,nodev,relatime,size=31308k,nr_inodes=39134,mode=700,uid=1000,gid=1000 0 0

alexlarsson Jan 11, 2017

Member

I don't have a xen build, but reading the code it seems this is the problem:

xen /proc/xen xenfs rw,relatime 0 0

This is created if you have the XEN_COMPAT_XENFS config on in the kernel, and it is created by:

        proc_mkdir("xen", NULL);

However, as far as I can see in the kernel that isn't enough to make it realize that this is an "empty" directory, and thus the /proc/xen mount is not covering anything. It should really call proc_create_mount_point("xen") for this to work.

Can you try disabling that kernel config option? (or fixing the mountpoint as per the above).

marmarek Jan 11, 2017

Indeed after unmounting /proc/xen it does work. I wonder if anything still uses /proc/xen in Qubes... AFAIR it's a legacy location and the new one is /dev/xen. There were more problems with /proc/xen (where "normal files" behave like character devices...). The fact that I could unmount it without killing anything suggests it isn't used anymore :)

@cgwalters cgwalters changed the title from bubblewrap Sandboxed Tor Browser fails to start in Qubes Debian jessie based AppVM - firefox: Can't mount proc on /newroot/proc to breaks with /proc/xen mounted (QubesOS) Jan 17, 2017

cgwalters Jan 30, 2017

Member

If you want to be conservative, it might work to add a patch to bwrap to unmount it?

cgwalters Jan 30, 2017

Member

(Just in the new mount namespace)

adrelanos Jan 31, 2017

alexlarsson Jan 31, 2017

Member

No, we can't unmount it. That's the problem essentially. If /foo and /foo/bar are mountpoints when we create an unprivileged user namespace, then we get the two inherited as a unit, and we cannot unmount /foo/bar, because that may expose files under it that were not visible in the parent namespace. The same actually is true for mounting a new procfs instance: if /proc/foo was overmounted in the host, then we can't mount a fresh /proc, because we can see into foo where we couldn't before.

Of course in some cases we know it is safe, because foo is always empty, because the only reason it's there is as a mountpoint. In such cases the kernel marks these directories as "always-empty", and mounts on top of them are not considered to cover anything, thus allowing a fresh proc to be mounted.

Changing proc_mkdir("xen", NULL) to proc_create_mount_point("xen") in the kernel would fix it, as the xen directory is then not considered covered.
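
A diagnostic sketch of the covering-mount rule described above, added here as an example and not part of the original thread or of bubblewrap: it parses /proc/self/mounts content and lists mounts sitting on top of a procfs instance whose mount point is not known to be always empty. The function names and the ALWAYS_EMPTY allowlist are assumptions; userspace cannot query the kernel's always-empty marking, so the allowlist has to match the kernel in use.

```python
import re

# Sample input: a subset of the /proc/self/mounts lines posted in this thread.
SAMPLE_MOUNTS = """\
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
systemd-1 /proc/sys/fs/binfmt_misc autofs rw,relatime,fd=22,pgrp=1,timeout=300,minproto=5,maxproto=5,direct 0 0
xen /proc/xen xenfs rw,relatime 0 0
/dev/xvdb /home ext4 rw,relatime,discard,data=ordered 0 0
binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc rw,relatime 0 0
"""

# Assumption: directories (relative to the procfs root) that the running
# kernel registers as permanently empty mount points. Per the thread, a
# kernel carrying the proc_create_mount_point("xen") change would add "xen".
ALWAYS_EMPTY = frozenset({"sys/fs/binfmt_misc"})


def unescape(field):
    """Decode the \\ooo octal escapes the kernel uses for space, tab, etc."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text):
    """Return (mount_point, fs_type) pairs from /proc/self/mounts content."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        entries.append((unescape(fields[1]), fields[2]))
    return entries


def covering_mounts(text, always_empty=ALWAYS_EMPTY):
    """List mounts under a procfs instance that may hide procfs content."""
    entries = parse_mounts(text)
    proc_roots = [mp for mp, fs in entries if fs == "proc"]
    found = []
    for root in proc_roots:
        prefix = root.rstrip("/") + "/"
        for mp, fs in entries:
            if not mp.startswith(prefix):
                continue  # not mounted inside this procfs instance
            if mp[len(prefix):] in always_empty:
                continue  # mount point the kernel treats as always empty
            if (mp, fs) not in found:
                found.append((mp, fs))
    return found


if __name__ == "__main__":
    for mp, fs in covering_mounts(SAMPLE_MOUNTS):
        print(f"{mp} ({fs}) covers part of procfs; a fresh proc mount in an "
              "unprivileged user namespace is expected to fail with EPERM")
```

To check a live system, pass the contents of /proc/self/mounts instead of SAMPLE_MOUNTS.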

DemiMarie Oct 24, 2017

@alexlarsson Can we take advantage of the fact that we are suid to forcibly unmount /proc/xen in the child? That does mean hardcoding /proc/xen, but I consider that safe.

cgwalters Oct 24, 2017

Member

The suid path isn't the future though. Based on comment #134 (comment) it sounds like Qubes is going to disable the legacy mountpoint which should address this issue, right?

cgwalters Oct 24, 2017

Member

A quick git log -G proc.*mkdir.*xen hits this commit which is in 4.10. So - anyone affected, upgrade your kernel.

DemiMarie Oct 25, 2017

@cgwalters bwrap is suid at least on my system, and it would be nice to use it to solve this problem.

DemiMarie Oct 25, 2017

Also apparently several legacy scripts in Qubes rely on /proc/xen.

marmarek Oct 25, 2017

Also apparently several legacy scripts in Qubes rely on /proc/xen.

Not that many. There is only one thing that is still used from that - /proc/xen/capabilities, to detect dom0. Once replaced, we can get rid of /proc/xen mount.

Rudd-O Aug 10, 2018

This is still broken as of today in Qubes 3.2 with Fedora 27 template. Notably, it breaks video thumbnailing in Nautilus (and presumably other programs, whose video thumbnails do not show up):

[pid  8531] execve("/usr/bin/bwrap", ["bwrap", "--ro-bind", "/usr", "/usr", "--ro-bind", "/lib", "/lib", "--ro-bind", "/lib64", "/lib64", "--proc", "/proc", "--dev", "/dev", "--symlink", "usr/bin", "/bin", "--symlink", "usr/sbin", "/sbin", "--chdir", "/", "--setenv", "GIO_USE_VFS", "local", "--unshare-all", "--die-with-parent", "--bind", "/tmp/gnome-desktop-thumbnailer-0"..., "/tmp", "--ro-bind", "/home/user/sshfs/WhatsApp/Media/"..., ...], 0x58e7594331f0 /* 17 vars */ <unfinished ...>
[pid  3896] write(6, "\1\0\0\0\0\0\0\0", 8) = 8
[pid  3896] write(6, "\1\0\0\0\0\0\0\0", 8) = 8
[pid  3896] write(23, "\1\0\0\0\0\0\0\0", 8) = 8
[pid  3948] write(23, "\1\0\0\0\0\0\0\0", 8) = 8
[pid  3896] write(6, "\1\0\0\0\0\0\0\0", 8) = 8
[pid  3948] write(4, "\1\0\0\0\0\0\0\0", 8) = 8
[pid  8531] <... execve resumed> )      = 0
strace: Process 8532 attached
[pid  8531] write(5, "\1\0\0\0\0\0\0\0", 8) = 8
[pid  8532] write(6, "0 1000 1\n", 9)   = 9
[pid  8532] write(6, "deny\n", 5)       = 5
[pid  8532] write(6, "0 1000 1\n", 9)   = 9
[pid  8532] write(2, "bwrap: ", 7)      = 7
[pid  8532] write(2, "Can't mount proc on /newroot/pro"..., 33) = 33
[pid  8532] write(2, ": Operation not permitted\n", 26) = 26
[pid  8532] +++ exited with 1 +++
[pid  8531] +++ exited with 1 +++
[pid  3947] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=8531, si_uid=1000, si_status=1, si_utime=0, si_stime=0} ---

Please fix this.
