
Standard notes not working #2854

Closed
Edu4rdSHL opened this issue Jul 12, 2019 · 18 comments

Comments

@Edu4rdSHL
Contributor

I'm trying to run standardnotes-desktop from ArchLinux and I got:

sechacklabs@SecHackLabs ~> standardnotes-desktop 
Reading profile /etc/firejail/standardnotes-desktop.profile
Reading profile /etc/firejail/globals.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 22575, child pid 22576
Warning: skipping alternatives for private /etc
Warning: skipping pki for private /etc
Warning: skipping crypto-policies for private /etc
Private /etc installed in 22.47 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Child process initialized in 114.61 ms

Parent is shutting down, bye...

I tried removing unix from https://github.com/netblue30/firejail/blob/master/etc/standardnotes-desktop.profile#L36 but it didn't work:

sechacklabs@SecHackLabs ~> standardnotes-desktop 
Reading profile /etc/firejail/standardnotes-desktop.profile
Reading profile /etc/firejail/globals.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 22535, child pid 22536
Warning: skipping alternatives for private /etc
Warning: skipping pki for private /etc
Warning: skipping crypto-policies for private /etc
Private /etc installed in 20.54 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Child process initialized in 105.03 ms

Parent is shutting down, bye...
@rusty-snake
Collaborator

rusty-snake commented Jul 12, 2019

@Edu4rdSHL What is in your globals.local?

removing unix

That will fully break standard-notes.

@veloute
Collaborator

veloute commented Jul 12, 2019

Experiencing the same problem.
After a few minutes of playing around, seccomp and apparmor seem to have something to do with it.
Try commenting both options out and see if that works for you (as a temporary solution).

@rusty-snake
Collaborator

Related to #2821:

riot-desktop and standardnotes-desktop both use electron, right?

electron recently had an update with fixes to its own sandbox [1, 2, 3].

Maybe all electron-apps now need the chroot syscall.

@Edu4rdSHL try commenting out apparmor and seccomp as @veloute proposed and add the following:

seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mincore,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice

@veloute
Collaborator

veloute commented Jul 12, 2019

We should probably add an include line for the electron profile in standardnotes-desktop's profile, right?

@rusty-snake
Collaborator

electron.profile also still has seccomp.

But streamlining all electron-app profiles may be good. (But there are more than only standardnotes-desktop, e.g. teams-for-linux, telegram-desktop, ...)

I think most of the *-desktop ones and some more.

@veloute
Collaborator

veloute commented Jul 12, 2019

Can confirm those changes are working for me; now just to wait for @Edu4rdSHL and make a PR with the changes if that's the fix needed.

@Edu4rdSHL
Contributor Author

Edu4rdSHL commented Jul 13, 2019

Related to #2821:

riot-desktop and standardnotes-desktop both use electron, right?

electron recently had an update with fixes to its own sandbox [1, 2, 3].

Maybe all electron-apps now need the chroot syscall.

@Edu4rdSHL try commenting out apparmor and seccomp as @veloute proposed and add the following:

seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mincore,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice

I tried it and it worked, but now I have a question. In globals.local I had apparmor to enable it globally; now I need to remove it to get standard notes working.

Is it not possible to have standard notes working with apparmor?

@veloute
Collaborator

veloute commented Jul 13, 2019

Create a standardnotes-desktop.local file in either /etc/firejail/ or /home/$USER/.config/firejail/ with the line "ignore apparmor".

@Edu4rdSHL
Contributor Author

@veloute thanks, I know that, but my question is whether it definitively isn't possible to have the standard notes app with apparmor.

@rusty-snake
Collaborator

rusty-snake commented Jul 13, 2019

@Edu4rdSHL firejail-default is the apparmor profile that is used by firejail. Site-specific additions and overrides: local/firejail-local
Maybe this line in firejail-default is causing the issue: capability sys_chroot,
I can't tell you more since I do not use AA.

EDIT: Why can I add reactions to my own posts ❓ 🤔

veloute added a commit that referenced this issue Jul 13, 2019
fix seccomp issues with standardnotes-desktop. see issue #2854
@veloute
Collaborator

veloute commented Jul 13, 2019

fixed with dae5a61

@Vincent43
Collaborator

Vincent43 commented Jul 13, 2019

@Edu4rdSHL Please post journalctl --grep=DENIED after failed attempt with apparmor enabled.

Maybe this line in firejail-default is causing the issue: capability sys_chroot,

This line only allows sys_chroot capability so it can't really break anything.

@Edu4rdSHL
Contributor Author

Hello, @Vincent43 I got it:

Jul 13 13:58:42 SecHackLabs audit[3764]: AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/15/comm" pid=3764 comm="electron" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Jul 13 13:58:42 SecHackLabs kernel: audit: type=1400 audit(1563044322.022:195): apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/15/comm" pid=3764 comm="electron" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000

@Vincent43
Collaborator

Vincent43 commented Jul 13, 2019

@Edu4rdSHL Ok, try adding /proc/@{PID}/comm w, in /etc/apparmor.d/local/firejail-local and see if that helps.

You have to run apparmor_parser -r /etc/apparmor.d/firejail-default afterwards.
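Added example (not part of the issue or of firejail): a small script that reads AppArmor DENIED lines as journalctl --grep=DENIED prints them and turns each unique file denial into the allow rule Vincent43 suggested, generalising the numeric /proc/<pid>/ component to @{PID}. The sample log lines are constructed after the ones quoted above; the resulting rules are meant to be reviewed before being placed in /etc/apparmor.d/local/firejail-local.

```python
import re

# Constructed sample, modelled on the journalctl output quoted in this issue.
# The first two lines are the same event logged twice (audit daemon and kernel);
# the third is an ALLOWED line that must be ignored.
SAMPLE_LOG = """\
Jul 13 13:58:42 SecHackLabs audit[3764]: AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/15/comm" pid=3764 comm="electron" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Jul 13 13:58:42 SecHackLabs kernel: audit: type=1400 audit(1563044322.022:195): apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/15/comm" pid=3764 comm="electron" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Jul 13 13:58:43 SecHackLabs audit[3764]: AVC apparmor="ALLOWED" operation="open" profile="firejail-default" name="/tmp/example" pid=3764 comm="electron" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""

# key="value" pairs as AppArmor audit messages format them
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_denials(text):
    """Return one dict of key/value fields per line that carries apparmor="DENIED"."""
    denials = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        denials.append(dict(KV_RE.findall(line)))
    return denials


def generalize_path(name):
    """Replace a leading /proc/<pid>/ with AppArmor's @{PID} variable, as in the suggested rule."""
    return re.sub(r"^/proc/\d+/", "/proc/@{PID}/", name)


def suggest_rules(denials, profile="firejail-default"):
    """Deduplicated 'path mask,' file rules that would permit the denied accesses for one profile."""
    rules = []
    for d in denials:
        # Only file denials carry both a path and a denied mask; skip other operations.
        if d.get("profile") != profile or "name" not in d or "denied_mask" not in d:
            continue
        rule = f'{generalize_path(d["name"])} {d["denied_mask"]},'
        if rule not in rules:
            rules.append(rule)
    return rules


if __name__ == "__main__":
    # Prints the rule(s) to review; apply with apparmor_parser -r as described above.
    for rule in suggest_rules(parse_denials(SAMPLE_LOG)):
        print(rule)
```

Feed real output with `journalctl --grep=DENIED | python3 thisscript.py` after replacing SAMPLE_LOG with sys.stdin.read().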

@Edu4rdSHL
Contributor Author

Worked, thanks.

@Vincent43
Collaborator

@Edu4rdSHL I will add it to the default apparmor profile and re-enable apparmor in standard-notes then.

Vincent43 added a commit that referenced this issue Jul 14, 2019
This is needed by various electron apps, see:
#2538
#2854
@Vincent43
Collaborator

Fixed with 2eca125. I think everything is covered now.

@Edu4rdSHL
Contributor Author

Thanks for the fix.
