vscodium: crashes due to seccomp #4428

Closed
7 tasks done
mYnDstrEAm opened this issue Jul 29, 2021 · 11 comments

Labels
duplicate This issue or pull request already exists

Comments

@mYnDstrEAm

mYnDstrEAm commented Jul 29, 2021

Codium (v1.58.2) doesn't run with firejail anymore.

When I run firejail --profile=/etc/firejail/vscodium.profile /usr/bin/codium I get:

Reading profile /etc/firejail/vscodium.profile
Reading profile /etc/firejail/code.profile
Reading profile /etc/firejail/allow-common-devel.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-common.local
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid [...], child pid [...]
Child process initialized in [...] ms

Parent is shutting down, bye...

with the only thing in syslog being this:
kernel: [...] traps: codium[...] trap int3 ip:... sp:... error:0 in codium[...]

Furthermore, the profile should be renamed to codium.profile as vscodium has been renamed: #3871.

Bug and expected behavior
I expected it to start VsCodium like it used to but it didn't.

No profile and disabling firejail

Reproduce
Steps to reproduce the behavior:

  1. Run firejail --profile=/etc/firejail/vscodium.profile /usr/bin/codium

Environment

  • Debian 10 stable with KDE
  • Firejail version 0.9.64.4

Additional context

Checklist

  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • I have performed a short search for similar issues (to avoid opening a duplicate).
  • If it is an AppImage, --profile=PROFILENAME is used to set the right profile.
  • Used LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 PROGRAM to get English error messages.
  • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • This is not a question. Questions should be asked in https://github.com/netblue30/firejail/discussions.
debug output
[...]
Active seccomp files:
cat /run/firejail/mnt/seccomp/seccomp.list
/run/firejail/mnt/seccomp/seccomp.protocol
/run/firejail/mnt/seccomp/seccomp.32
/run/firejail/mnt/seccomp/seccomp
Dropping all capabilities
noroot user namespace installed
Dropping all capabilities
NO_NEW_PRIVS set
Drop privileges: pid 1, uid 1000, gid 1000, nogroups 1
No supplementary groups
Starting application
LD_PRELOAD=(null)
execvp argument 0: /usr/bin/codium
Child process initialized in ... ms
Installing /run/firejail/mnt/seccomp/seccomp seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter
monitoring pid 6

Sandbox monitor: waitpid 6 retval 6 status 0
Sandbox monitor: monitoring 23
monitoring pid 23

Sandbox monitor: waitpid 23 retval 23 status 5
Sandbox monitor: monitoring 25
monitoring pid 25

Sandbox monitor: waitpid 25 retval 25 status 0

Parent is shutting down, bye...
@rusty-snake
Collaborator

I've no idea, looks like you need to comment the profile and uncomment it line for line.

> disable-common.local

What's in it.

@mYnDstrEAm
Author

mYnDstrEAm commented Jul 29, 2021

a few blacklist ${HOME}/... and caps.drop all. I'll try removing the latter even though I don't know why it worked earlier in that case.
Edit: Commenting out caps.drop all didn't make the profile work and I think it should probably not be removed.

@rusty-snake
Collaborator

> caps.drop all […] I think it should probably not be removed.

well

$ grep -L "^caps.drop all$" $(grep -l "^include disable-common.inc$" /etc/firejail/*.profile)
/etc/firejail/bitlbee.profile
/etc/firejail/chromium-common.profile
/etc/firejail/dnscrypt-proxy.profile
/etc/firejail/dnsmasq.profile
/etc/firejail/electron.profile
/etc/firejail/fdns.profile
/etc/firejail/gnome-nettool.profile
/etc/firejail/gnome-schedule.profile
/etc/firejail/k3b.profile
/etc/firejail/ping.profile
/etc/firejail/qupzilla.profile
/etc/firejail/server.profile
/etc/firejail/spectre-meltdown-checker.profile
/etc/firejail/tcpdump.profile
/etc/firejail/tor.profile
/etc/firejail/unbound.profile
/etc/firejail/virtualbox.profile
/etc/firejail/vmware.profile
/etc/firejail/wireshark.profile

@mYnDstrEAm
Author

mYnDstrEAm commented Jul 29, 2021

I added noblacklist ${HOME}/.config/VSCodium to code.local but it still doesn't start with no error message getting displayed that's useful for solving it.

@rusty-snake
Collaborator

I've no idea, looks like you need to comment the profile and uncomment it line for line.

@mYnDstrEAm
Author

What's the point of sandboxing if you have to disable all of it at least once to get things working?
Also I had to comment out so many things this can't be fine. It used to work with earlier version of VsCodium so what's causing it to require so many sandboxing rules to get lifted?
Furthermore, there probably should / could be error messages which provide some info about why something is failing / which sandboxing rules are causing the shutdown.

I could get it to work by commenting out these:

#caps.drop all
#nonewprivs
#noroot
#protocol unix,inet,inet6,netlink
#seccomp

in code.profile and #caps.drop all in disable-common.local

@rusty-snake added the duplicate label Jul 29, 2021
@mYnDstrEAm
Author

Why is it closed before there is at least a pull-request for these changes to code.profile? The duplicate issue is only about renaming the .profile afaik.

There should probably also be an issue at vscodium (and/or vscode) about why these changes are suddenly required to make it start.

@rusty-snake
Collaborator

rusty-snake commented Jul 29, 2021

> I could get it to work by commenting out these:
>
> #caps.drop all
> #nonewprivs
> #noroot
> #protocol unix,inet,inet6,netlink
> #seccomp
>
> in code.profile and #caps.drop all in disable-common.local

Duplicate of #4408. Fixed by 8f867d0

>   • The profile (and redirect profile if exists) hasn't already been fixed upstream.

8f867d0

> Why is it closed before there is at least a pull-request for these changes to code.profile? The duplicate issue is only about renaming the .profile afaik.

See above

> There should probably also be an issue at vscodium (and/or vscode) about why these changes are suddenly required to make it start.

Nope.

Read #3754, #2946, #2933, #4087, #3871.

Summary: The electron sandbox requires the chroot syscall. And if you disable unprivileged userns it also needs to execute a SUID => you can not use seccomp and nnp. And you need to keep some caps.

> It used to work with earlier version of VsCodium so what's causing it to require so many sandboxing rules to get lifted?

Looks like VsCodium has updated the electron version they use.

> What's the point of sandboxing if you have to disable all of it at least once to get things working?

What's the reason you do sandboxing?

@rusty-snake
Collaborator

> What's the point of sandboxing if you have to disable all of it at least once to get things working? Also I had to comment out so many things this can't be fine. It used to work with earlier version of VsCodium so what's causing it to require so many sandboxing rules to get lifted?

TBH code.profile does not have whitelist ${HOME}/.../read-only ${HOME}/private nor does it have dbus-{user,system} (filter|none). It's already a weak profile that can be escaped easily. Furthermore it has no net IFACE/net none and it also allows executing programs from ${HOME}. You only need to drop "advanced" sandbox features that protect kernel/root/system in a sandbox that already lacks escape protection.

I recommend to set sysctl kernel.unprivileged_userns_clone=1

@mYnDstrEAm
Author

So the weak sandboxing profile for Codium and its further weakening are due to Electron and changes to Electron and the solution you propose for that would be setting sysctl kernel.unprivileged_userns_clone=1. Did I understand that right? After setting that would all Electron-using packages run fine?

@rusty-snake
Collaborator

rusty-snake commented Jul 29, 2021

With kernel.unprivileged_userns_clone=1 you can include chromium-common-hardened.inc (Attention: In firejail 0.9.66 and above it is include chromium-common-hardened.inc.profile) in electron.local and chromium-common.local.
https://github.com/netblue30/firejail/blob/0.9.64.4/etc/profile-a-l/electron.profile#L21-L23
https://github.com/netblue30/firejail/blob/0.9.64.4/etc/profile-a-l/chromium-common.profile#L33-L35

Which will set

caps.drop all
nonewprivs
noroot
protocol unix,inet,inet6,netlink
seccomp !chroot

https://github.com/netblue30/firejail/blob/0.9.64.4/etc/inc/chromium-common-hardened.inc

And you can remove the SUID bit from chrome-sandbox and bwrap.
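
The preconditions named in the last reply can be checked before editing electron.local, shown here as an added example that is not part of the thread or of firejail. It assumes a Debian-patched kernel exposing kernel.unprivileged_userns_clone under /proc/sys; the helper paths and the script name check.sh are placeholders supplied by the caller.

```sh
#!/bin/sh
# Added example, not part of firejail. Checks the preconditions named in the
# thread before the hardened Chromium/Electron include is used.

# Assumption: Debian-patched kernel, where kernel.unprivileged_userns_clone
# is exposed at this procfs path. A missing file counts as "not enabled".
USERNS_KNOB=/proc/sys/kernel/unprivileged_userns_clone

# userns_enabled [FILE]: succeed only if FILE contains exactly "1".
userns_enabled() {
    [ -r "${1:-$USERNS_KNOB}" ] && [ "$(cat "${1:-$USERNS_KNOB}")" = "1" ]
}

# has_suid PATH: succeed if PATH is a regular file with the set-user-ID bit.
has_suid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# hardened_include VERSION: print the include line for that firejail version.
# Per the thread the file is named *.inc.profile in 0.9.66 and above.
# Uses sort -V (GNU coreutils) for the version comparison.
hardened_include() {
    case "$1" in ''|*[!0-9.]*) return 2 ;; esac
    oldest=$(printf '%s\n' 0.9.66 "$1" | sort -V | head -n 1)
    if [ "$oldest" = "0.9.66" ]; then
        echo "include chromium-common-hardened.inc.profile"
    else
        echo "include chromium-common-hardened.inc"
    fi
}

# advise KNOB_FILE VERSION [HELPER...]: print advice; HELPER paths (for
# example the chrome-sandbox binary of the Electron app) are caller-supplied.
advise() {
    knob=$1; version=$2; shift 2
    if ! userns_enabled "$knob"; then
        echo "unprivileged userns not enabled: Electron needs its SUID helper, so seccomp and nonewprivs cannot be used"
        return 0
    fi
    inc=$(hardened_include "$version") || { echo "bad version: $version"; return 2; }
    echo "add '$inc' to electron.local and chromium-common.local"
    for helper in "$@"; do
        if has_suid "$helper"; then echo "SUID bit can be removed: $helper"; fi
    done
}

# Usage: sh check.sh 0.9.64.4 /path/to/chrome-sandbox
if [ "$#" -ge 1 ]; then advise "$USERNS_KNOB" "$@"; fi
```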

@kmk3 changed the title from "Codium doesn't work anymore" to "vscodium: crashes due to seccomp" Sep 3, 2024