firejail and firetools for Bionicpup64 and other PUPPIES


#1 Post by mikeslr »

Anyone have any ideas how to get these applications to run under Bionicpup64 and other Puppies?

There have been discussions about firejail on the Forum. labbe5 has posted about it a couple of times. There are reports of it working fine under the debiandogs. I think I read of it working under FatDog64; and Puli's repo provides a Ubuntu deb. But, 'though woofed, FatDog isn't exactly a Puppy; and Puli is a highly modified one. Looking for a post about how to get it running or configure it under a Puppy, I can't find any.

Both firejail and firetools are easy to install via Bionicpup64's PPM. But those versions are now deprecated. They're almost as easy to install using the debs which following links from this website https://firejail.wordpress.com/download-2/ will locate. Either way, ldd reports no missing dependencies.

The only modifications I made to installing the debs were to edit the /usr/share/XXX.desktop files to spell out that their associated icons were pngs in /usr/share/pixmaps and that they should appear on the System Submenu. Neither change should have had any effect on the actual running of these applications.

Two menu items were created. Attempting to start it via the menu, Firetools complained "Cannot run firejail sandbox. You may not have permissions to access this program." That message persists even after firetools was configured to run as spot. Started via the terminal, the terminal reports: QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-spot'

I don't know how to configure firetools to run without a sandbox; and especially don't think if that could be done it wouldn't cripple the very reason for using firejail.

Starting the other menu listing "firejail configuration wizard", a nice GUI appears. But after making a selection, nothing appears to happen. So I figured maybe it configured the system so that a designated application would be run 'in a firejail'. I first tried with Web-browsers as that category is actually the only one I'd want to run in a firejail. To do so I had to use the GUI's file-browser utility. Then, opening a terminal and typing without the quotes and using the binary or wrapper's name to call the binary --i.e. "firejail NAME"-- in all instances the terminal reported:

"root# firejail
Error: cannot read UID_MIN and/or GID_MIN from /etc/login.defs, using 1000 by default
Error: cannot find the program in the path".

Well, my web-browsers are portables run from /mnt/home and Google-Chrome.sfs which locates its files in /home. So even though I have no interest in running them in a firejail, I figured the best way to see if something without those complications could be run in a firejail, I used the GUI to select mtpaint (a builtin) and xfe, an installed application, both of which had listings in the GUI's Right-panel. When those applications were selected, the GUI reported below the main panels that their binaries were in /usr/bin. Still nothing happened after "continue" was selected. And trying to start either via a terminal produced the above noted Error.

Any idea? Any interest in providing Puppy with a security device available in all other Linuxes?


#2 Post by bullpup »

Morning Mikeslr

Following this. Here's my lay-man input.

No expert but "guessing" that the firejail failure has something to do with the root runtime environment (as puppy runs in root unless otherwise specified, right?)

Have been looking around a bit and all I know from firejail (regular user on non-puppies) it shouldn't (can't) be run under root. Could this be a part of the problem?

Link

Maybe this will help a little.

#3 Post by mikeslr »

Decided to attack this situation from a different angle: firejail apparently works under Puli, and Puli is now based on Bionicpup64. So what would happen if I borrowed the 'ubuntu firejail deb' used in Puli?

Trying to avoid the potential complexities I discussed in the OP, I ran "firejail rox-filer" via a terminal. The attempt ended after reporting something which led me to a post suggesting that it happens when /var/run/utmp couldn't be found. Well, that was easy to fix. I file-browsed to /var/run and created a utmp folder. Restarting-x and trying again got me:

"Error mount tmpfs: fs_whitelist.c:774 fs_whitelist: No such file or directory"

Googling that got me, https://github.com/netblue30/firejail/issues/1590

And as I posted elsewhere, "I haven't yet got my head-around it, its implication for Puppy and --noting the date of that discussion-- what effect Puppy's recent adoption of FatDog's move of /spot from /root to /home/spot may have"... further considerations to be posted to this thread.

Thanks, bullpup, for responding. The spot mechanism was developed so that, while Puppies usually run applications as Root, it would have the option of running some as a 'non-privileged' user. Re-reading your post, and the questions I posed in the last paragraph reminded me that obviously rox-filer is an application set up to run as Root. What would happen if I tried Mike Walsh's Google-Chrome SFS, which is set up to run as spot? We'll see. Watch for my next post.


#4 Post by mikeslr »

Well, you didn't have to wait long. Figured I'd better try before I forgot to.

Running from a terminal either
root# firejail /home/spot/chrome.sh ### or
root# firejail run-as-spot /home/spot/chrome.sh

Results in

Error mount bind utmp: fs_var.c:323 fs_var_utmp: Not a directory
Error: proc 7154 cannot sync with peer: unexpected EOF
Peer 7155 unexpectedly exited with status 1
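
Added example (not part of the thread and not firejail's own code): a preflight script for the two system-file errors quoted in posts #1 and #4. It assumes firejail needs /var/run/utmp to be a regular file, since a bind mount fails with "Not a directory" when one side is a file and the other a directory; `firejail_preflight`, its helper functions and the `FJ_ROOT` prefix are hypothetical names used so the checks can be pointed at a test tree.

```sh
#!/bin/sh
# Added example: preflight checks for two firejail errors quoted in this thread.
# The function names and the optional root-prefix argument are hypothetical.

# Print the numeric value of key $2 in login.defs-style file $1 (empty if unset).
login_defs_value() {
    [ -r "$1" ] || return 0
    awk -v k="$2" '$1 == k && $2 ~ /^[0-9]+$/ { v = $2 } END { if (v != "") print v }' "$1"
}

# Classify a path as file, dir, other or missing.
path_kind() {
    if [ -d "$1" ]; then echo dir
    elif [ -f "$1" ]; then echo file
    elif [ -e "$1" ]; then echo other
    else echo missing
    fi
}

# Print one WARN line per problem; return 0 only if nothing was found.
firejail_preflight() {
    root="${1:-}"
    problems=0
    # Post #1: "cannot read UID_MIN and/or GID_MIN from /etc/login.defs"
    for key in UID_MIN GID_MIN; do
        if [ -z "$(login_defs_value "$root/etc/login.defs" "$key")" ]; then
            echo "WARN: $key is not set in $root/etc/login.defs"
            problems=$((problems + 1))
        fi
    done
    # Post #4: "Error mount bind utmp ... Not a directory"
    # Assumption: the mount target must be a regular file, not a folder.
    kind=$(path_kind "$root/var/run/utmp")
    if [ "$kind" != file ]; then
        echo "WARN: $root/var/run/utmp is '$kind', expected a regular file"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Check the running system unless a test prefix is given in FJ_ROOT.
firejail_preflight "${FJ_ROOT:-}" || true
```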


#5 Post by bigpup »

thought I had it, but still trying.