27.9.1 Won't start with Firejail

[Amii_Leigh]

Trying to start Palemoon:

Code: Select all

$ firejail palemoon
Reading profile /etc/firejail/palemoon.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 27197, child pid 27198
TESTING warning: noblacklist /home/amii/.moonchild productions/pale moon not matched by a proper blacklist command in disable*.inc
Blacklist violations are logged to syslog
Child process initialized in 80.64 ms

There it hangs. I don't know how to write or change code, but I do like Palemoon. I just updated my Firejail to

Code: Select all

firejail version 0.9.52

Compile time support:
	- AppArmor support is disabled
	- AppImage support is enabled
	- bind support is enabled
	- chroot support is enabled
	- file and directory whitelisting support is enabled
	- file transfer support is enabled
	- git install support is enabled
	- networking support is enabled
	- overlayfs support is enabled
	- private-home support is enabled
	- seccomp-bpf support is enabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled

So, I was hoping this could be fixed? Or could someone tell me what to do to get firejail to play nice with Palemoon again?

[VITecNet]

I have exactly the same problem.

[New Tobin Paradigm]

I don't know what you expect us to do about it.. We didn't create nor have any ties to firejail.. Have you asked them? Also, sandboxing Pale Moon is a terrible idea.. It can cause issues.

[Amii_Leigh]

I only experienced this issue AFTER I 'upgraded' Palemoon. I had upgraded my Firejail before that, but Palemoon worked with the newer edition of Firejail just fine.

[Moonraker]

I don't know what you expect us to do about it.. We didn't create nor have any ties to firejail.. Have you asked them? Also, sandboxing Pale Moon is a terrible idea.. It can cause issues.

Strange answer.
Why would sandboxing pale moon be a bad idea and not for other browsers.?.That is exactly what firejail is designed to do so your response is puzzling to say the least.
Best wishes.

[Moonchild]

Why would sandboxing pale moon be a bad idea and not for other browsers.?.That is exactly what firejail is designed to do so your response is puzzling to say the least.

Sandboxing any browser is a bad idea. Browsers have their own advanced security measures because they are designed to load and display untrusted remote content -- as a result it's a similar situation as running multiple antivirus suites concurrently.

[Amii_Leigh]

Thank You, kind sir.

[CdeMills]

Hello,
to elaborate a bit:
1) yes, it was reported on firejail BTS. A person with the same avatar as the first poster of this thread
2) in fact, palemoon is started and runs, but the main window never opens
3) given ALL the dirty tricks used to collect personal data from GAFA and associated enterprises, I have one separate profile for each of them; while the non-firejailed version never got any cookie or login or password from them.

Do you have any idea of changes between 27.9 and 27.9.1 which could have broken the GUI interface ? It is the first time this occurs since I use firejail.

Regards

Pascal

[Moonraker]

Could somebody be so kind as to elaborate just what firejail is actually for and its purpose,.?
Judging by previous posts it would appear sandboxing/firejailing a browser is not a good idea.So if sandboxing a browser is a bad idea then why would we assume any form of sandboxing is a good idea.?does this not put the actual usefulness and purpose of the program into question.

[CdeMills]

Hello,
to my eyes, the important point is that the target program, whatever it is, runs in a chrooted environment. In the case of a browser, I use a chrooted env for specific sessions. When the browser starts in such a fresh environment, there is no single trace (history, cookies, ...) of previous browsing. Even no settings nor extensions. This makes cross-sites information leakage impossible, as one session can not play with cookies from another session. There is insulation at the file system level. The number of extensions is kept at a minimum, to counteract browser fingerprinting.

So I use palemoon inside a firejail environment to protect my privacy. I live in Europe. I had concerns since a long time about Facebook and its "interesting" content. I believed it was some way to make the visit longer and serve you more ads. In the previous month, with the Cambridge Analytica revelations, it appears that the "interesting" content was just psychological tests in disguise. As a scientist, I have no concerns participating in a test conducted with ethic, meaning e.a. informing the patient. In the case of Facebook, firejail permitted me to pro-actively defend myself against this data collection.

Another issue is about travel site looking at your previous browsing history. You go there ? We have the right car and the right hotel. Cross-site and cookies interchange. Once again solved by firejail.

Basically, I consider Palemoon as a very good browser and that all due diligence is made about safety. But there are so many companies targeting your personal information in hidden ways or using regular cookies that browser security is not enough. Forcing amnesia between sessions is another line of defense.

Regards

Pascal

[CdeMills]

Now a side question. I looked at the changes between 27.9 and 27.9.1. I noticed there are two changes about cairo in Windows. But then, under linux, "ldd `which palemoon`" shows no trace of calls to libcairo. In linux, do you use your own embedded lib or the system-wide lib ?

Regards

Pascal

[Moonraker]

Hello,
to my eyes, the important point is that the target program, whatever it is, runs in a chrooted environment. In the case of a browser, I use a chrooted env for specific sessions. When the browser starts in such a fresh environment, there is no single trace (history, cookies, ...) of previous browsing. Even no settings nor extensions. This makes cross-sites information leakage impossible, as one session can not play with cookies from another session. There is insulation at the file system level. The number of extensions is kept at a minimum, to counteract browser fingerprinting.

So I use palemoon inside a firejail environment to protect my privacy. I live in Europe. I had concerns since a long time about Facebook and its "interesting" content. I believed it was some way to make the visit longer and serve you more ads. In the previous month, with the Cambridge Analytica revelations, it appears that the "interesting" content was just psychological tests in disguise. As a scientist, I have no concerns participating in a test conducted with ethic, meaning e.a. informing the patient. In the case of Facebook, firejail permitted me to pro-actively defend myself against this data collection.

Another issue is about travel site looking at your previous browsing history. You go there ? We have the right car and the right hotel. Cross-site and cookies interchange. Once again solved by firejail.

Basically, I consider Palemoon as a very good browser and that all due diligence is made about safety. But there are so many companies targeting your personal information in hidden ways or using regular cookies that browser security is not enough. Forcing amnesia between sessions is another line of defense.

Regards

Pascal

I thank you sincerely for that long and very informative reply.

[Nightbird]

https://github.com/netblue30/firejail/issues/1930

The problem and perhaps the solution.

[Moonchild]

Apologies about the assumption that firejail was just for Firefox; it isn't. However, the profile in use for Pale Moon is a firefox-based profile, which may or may not work as-is.

So, the solution is apparently changing something in the configuration of the Pale Moon profile in firejail.

Commenting out the "tracelog" line apparently fixes the hangup.

[Walter Dnes]

Hello,
to my eyes, the important point is that the target program, whatever it is, runs in a chrooted environment. In the case of a browser, I use a chrooted env for specific sessions. When the browser starts in such a fresh environment, there is no single trace (history, cookies, ...) of previous browsing. Even no settings nor extensions. This makes cross-sites information leakage impossible, as one session can not play with cookies from another session. There is insulation at the file system level. The number of extensions is kept at a minimum, to counteract browser fingerprinting.

This can be accomplished by using separate profiles for separate forums. E.g. to launch the profile for this forum, I run palemoon -new-instance -p palemoon Note that you have to create a "palemoon" profile ahead of time. The "-new-instance" insures that the correct profile is launched. Since each profile is a separate directory in "$HOME/.moonchild productions", cookies cannot be linked between profiles, of which I have approx 20. Note that "-no-remote" can be used instead of "-new-instance". In Pale Moon Tools/Preferences"Home Page" you can specify a list of URLs for the profile separated by space-pipe-space; e.g. the following is one long line for my "palemoon" profile...

http://www.palemoon.org/ | https://forum.palemoon.org | https://github.com/MoonchildProductions/Pale-Moon.git | viewforum.php?f=1 | viewforum.php?f=37 | viewforum.php?f=40

To block Facebook, in iptables block the following ranges input and output

• 31.13.24.0/21
• 31.13.64.0/18
• 66.220.144.0/20
• 69.63.176.0/20
• 69.171.224.0/19
• 74.119.76.0/22
• 103.4.96.0/22
• 173.252.64.0/18
• 204.15.20.0/22

The one(s) that you actually see traffic for will depend on where you are on the planet.

[mrabc]

https://github.com/netblue30/firejail/issues/1930

The problem and perhaps the solution.

Thank you for this link.

Is it the case that resolving the failure of Pale Moon 27.9.1 to work with Firejail will remain entirely the responsibility of individual users or is there likely to be an official solution in the next version of Pale Moon?

[Moonchild]

Is it the case that resolving the failure of Pale Moon 27.9.1 to work with Firejail will remain entirely the responsibility of individual users or is there likely to be an official solution in the next version of Pale Moon?

It will remain the case for the individual users to fix until firejail fixes this on their end.
We can't do anything about this. There's nothing wrong with Pale Moon.

[mrabc]

Is it the case that resolving the failure of Pale Moon 27.9.1 to work with Firejail will remain entirely the responsibility of individual users or is there likely to be an official solution in the next version of Pale Moon?

It will remain the case for the individual users to fix until firejail fixes this on their end.
We can't do anything about this. There's nothing wrong with Pale Moon.

Ok.

Thanks for the heads up.