New profile: gnome-boxes

[Rosika2]

Hi all, 👋

I´m trying to create a firejail profile for gnome-boxes. However I continually seem to be running into some difficulties. This is what it looks like at present:

# Custom Firejail profile for Gnome-Boxes
# This file is overwritten after every install/update
# Persistent local customizations
include default.local
# Persistent global definitions
include globals.local

# generic GUI profile
# depending on your usage, you can enable some of the commands below:

noblacklist ${HOME}/.config/gnome-boxes/
noblacklist ${HOME}/.config/libvirt/

include disable-common.inc
# include disable-devel.inc
# include disable-exec.inc
# include disable-interpreters.inc
include disable-programs.inc
# include disable-shell.inc
# include disable-write-mnt.inc
# include disable-xdg.inc

include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

apparmor
caps.drop all
ipc-namespace
machine-id
net none
netfilter
no3d
nodvd
nogroups
noinput
nonewprivs
noroot
# nosound
# notv
# nou2f
novideo
protocol unix,inet,inet6
# seccomp
shell none
# tracelog

# disable-mnt
# private
# private-bin program
private-cache
private-dev
# see /usr/share/doc/firejail/profile.template for more common private-etc paths.
private-etc alternatives,fonts,machine-id
private-lib
private-opt none
private-tmp

dbus-user none
dbus-system none

# deterministic-shutdown
memory-deny-write-execute
# read-only ${HOME}
restrict-namespaces

But it seems to be of no use as the GUI always gives me an "empty" window, as if no VMs were installed in gnome-boxes.
But there are. I´ve 3 of them at my disposal. 🤔

If I use a dedicated profile containing just:

noblacklist ${HOME}/.config/gnome-boxes/
noblacklist ${HOME}/.config/libvirt/

and nothing else, the installed VMs can be seen by gnome-boxes. Of course that alone wouldn´t be good enough for sandboxing purposes.

Plus: closing the gnome-boxes window wouldn´t shut down the firejailed instance by itself.
lnav hints towards that:

│Feb 19 15:54:00 rosika-Lenovo-H520e libvirtd[1132]: End of file while reading data: Input/output error │
│Feb 19 15:54:00 rosika-Lenovo-H520e libvirtd[79144]: End of file while reading data: Input/output error

That would also be the case when issuing the command firejail --noprofile gnome-boxes.

Can anyone help?

Many thanks in advance and many greetings from Rosika 🙂

[glitsj16]

Hi Rosika, just a few quick pointers.

• if you want a whitelisting profile, add the mkdir foo and mkfile bar options and whitelist those paths
• ipc-namespace is advised for CLI apps only;
• machine-id can break sound;
• net none and netfilter together don't make sense; you'll definately want networking access here, so drop the first;
• no3d will break any hw-accel/GPU niceties;
• nogroups, nonewprivs, noroot, protocol, private-dev: VM managers are picky beasts, IMO this will break GB;
• private-lib: needs to be opt-in while compiling, it's disabled by default + it will drain RAM so be aware of that;
• memory-deny-write-execute: breaks GUI apps;

If it was me I'd try to get some inspiration by looking at a profile for a program that offers similar functionality. In this case: virtualbox.profile.

That's all for now, need to get the children from school.
Have fun!

[Rosika2]

Hi @glitsj16: 👋

thanks so much for your advice. ❤️

So I took the virtualbox.profile and looked at the points you mentioned.
My new gnome-boxes.profile looks like this now:

# Firejail profile for gnome-boxes
# Description: x86 virtualization solution
# This file is overwritten after every install/update
# Persistent local customizations
include virtualbox.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/.VirtualBox
noblacklist ${HOME}/.config/VirtualBox
noblacklist ${HOME}/VirtualBox VMs
# noblacklist /usr/bin/virtualbox
noblacklist /usr/lib/virtualbox
noblacklist /usr/lib64/virtualbox
noblacklist ${HOME}/.config/gnome-boxes/
noblacklist ${HOME}/.config/libvirt/
noblacklist /media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/für_qemu2/

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-programs.inc
include disable-xdg.inc

mkdir ${HOME}/.config/VirtualBox
mkdir ${HOME}/VirtualBox VMs
whitelist ${HOME}/.config/VirtualBox
whitelist ${HOME}/VirtualBox VMs
whitelist ${DOWNLOADS}
whitelist /usr/share/virtualbox
include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc
whitelist ${HOME}/.config/gnome-boxes/
whitelist ${HOME}/.config/libvirt/
whitelist /media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/für_qemu2/

# For host-only network sys_admin is needed. See https://github.com/netblue30/firejail/issues/2868#issuecomment-518647630

apparmor
caps.keep net_raw,sys_nice
netfilter
nodvd
# nogroups
notv
tracelog

# disable-mnt
# private-bin awk,basename,bash,env,gawk,grep,ps,readlink,sh,virtualbox,VirtualBox,VBox*,vbox*,whoami
private-cache
private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,ld.so.preload,localtime,pki,pulse,resolv.conf,ssl
private-tmp

dbus-user none
dbus-system none

I added

noblacklist ${HOME}/.config/gnome-boxes/
noblacklist ${HOME}/.config/libvirt/
whitelist ${HOME}/.config/gnome-boxes/
whitelist ${HOME}/.config/libvirt/
noblacklist /media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/für_qemu2/
whitelist /media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/für_qemu2/

for my purposes and also tried all variations with the other settings by commenting them out.
But neither of the possibilities could get gnome-boxes to see the already installed VM images.

The only thing I didn´t do was:

if you want a whitelisting profile, add the mkdir foo and mkfile bar options and whitelist those paths

The options I added are:

noblacklist /media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/für_qemu2/ and
whitelist /media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/für_qemu2/

Those paths already exist. So would I still need to make mkdir and mkfile for those paths ❓
And if so: how would the exact syntax be? Sorry, I don´t seem to get it completely.

Thank you very much for your kind help.

Cheers from Rosika 🙂

P.S.:

That's all for now, need to get the children from school.

That´s really nice of you. 👍 ❤️

[rusty-snake]

Previouds attempt #1139 (comment)

[Rosika2]

Hi @rusty-snake, 👋

Thanks for the link.

Cheers from Rosika

[glitsj16]

Previouds attempt #1139 (comment)

I've installed gnome-boxes on a Ubuntu 22.04 LTS and with --noprofile it works, even without --writable-var. It never coredumped during testing and shuts down properly AFAICT.

Here's a working profile - left it logically ordered for now - and functionally it seems to do the job:

$ cat ~/.config/firejail/gnome-boxes
# Firejail profile for gnome-boxes
# Description: Simple GNOME application to access virtual systems
# This file is overwritten after every install/update
# Persistent local customizations
include gnome-boxes.local
# Persistent global definitions
include globals.local

# GNOME Boxes
noblacklist ${HOME}/.cache/gnome-boxes
noblacklist ${HOME}/.config/gnome-boxes
noblacklist ${HOME}/.local/share/gnome-boxes

# libvirt
noblacklist ${HOME}/.cache/libvirt
noblacklist ${HOME}/.config/libvirt
noblacklist ${RUNUSER}/libvirt
noblacklist /var/cache/libvirt
noblacklist /var/lib/libvirt
noblacklist /var/log/libvirt

noblacklist ${HOME}/.local/share/gvfs-metadata
noblacklist /sbin
#noblacklist /usr/local/sbin
noblacklist /usr/sbin

# for @Rosika2 only:
# if you never blacklisted the below path (like in a disable-common.local) the line can be dropped
# otherwise uncomment it
#noblacklist /media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/für_qemu2

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
# breaks app
#include disable-proc.inc
include disable-programs.inc
include disable-xdg.inc

# GNOME Boxes
mkdir ${HOME}/.cache/gnome-boxes
mkdir ${HOME}/.config/gnome-boxes
mkdir ${HOME}/.local/share/gnome-boxes
whitelist ${HOME}/.cache/gnome-boxes
whitelist ${HOME}/.config/gnome-boxes
whitelist ${HOME}/.local/share/gnome-boxes

# libvirt
mkdir ${HOME}/.cache/libvirt
mkdir ${HOME}/.config/libvirt
whitelist ${HOME}/.cache/libvirt
whitelist ${HOME}/.config/libvirt
whitelist ${RUNUSER}/libvirt
whitelist /run/libvirt

whitelist ${DOWNLOADS}
# for @Rosika2 only:
# uncomment the below while testing this profile
#whitelist /media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/für_qemu2
whitelist /usr/share/gnome-boxes
whitelist /usr/share/libvirt
whitelist /usr/share/qemu
whitelist /usr/share/seabios
whitelist /usr/share/vala*
include whitelist-common.inc
include whitelist-run-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

# For host-only network sys_admin is needed. See https://github.com/netblue30/firejail/issues/2868#issuecomment-518647630

apparmor
caps.keep net_raw,sys_nice
netfilter
nodvd
notv
tracelog

#disable-mnt
#private-bin gnome-boxes,libvirtd,qemu*
private-cache
# uncomment the below if you're on 0.9.72
#private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,ld.so.preload,localtime,pki,pulse,resolv.conf,ssl
# uncomment the below if you're on 0.9.73 (firejail-git)
#private-etc @network,@sound,@tls-ca,@x11
private-tmp

dbus-user filter
dbus-user.own org.gnome.Boxes
dbus-user.talk ca.desrt.dconf
dbus-system none

deterministic-shutdown
restrict-namespaces
#writable-var

I'll do some more testing, but my hardware is limited. HTH!

[Rosika2]

Hi @glitsj16, 👋

thank you so much for putting a lot of time and effort into helping me. ❤️

I tried the profile you kindly provided and uncommented:

noblacklist /media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/für_qemu2
and
whitelist /media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/für_qemu2

The profile now worked very much better, as it for the first time displayed all of the available VM images.
I was in high spirits about it.

However a new problem came up when trying to fire up any of the Vms.
They never booted. While the "ball" within the circle in gnome-boxes was turning for one or two seconds it came to a halt and after about 10 - 15 seconds later the gnome-boxes process was killed and the sandbox wa shut down.

The terminal said:

gnome-boxes:10): Boxes-CRITICAL **: 16:35:08.801: libvirt-machine.vala:157: Failed to open graphics for Arch-Linux-x86_64-basic-20220127: Unable to open graphics: internal error: unable to execute QEMU command 'getfd': No file descriptor supplied via SCM_RIGHTS

and a lot more of the same kind. It was just the 16:35:08.801 part that changed. Otherwise the message was the same.

I also took a look at what lnav said:

          │
│Feb 20 16:29:02 rosika-Lenovo-H520e libvirtd[15665]: message repeated 7474 times: [ internal error: unable to execute QEMU command 'getfd': No file descriptor supplied via SCM_RIGHTS]    │
│Feb 20 16:29:02 rosika-Lenovo-H520e libvirtd[15665]: End of file while reading data: Input/output error                                                                          

Such a shame. It almost worked.

Thank you so much for your kind help. ❤️

Many greetings from Rosika 🙂

[glitsj16]

Ohh, we can fix that! I took another shot at it and changed some of the earlier options. If you're still up for another round of testing, please do. I think we nailed it 👯 You can add your specifics for 0.9.72 and /media/rosika/... exactly like above.

Here's the improved version (downloads are also working properly with this one):

$ cat ~/.config/firejail/gnome-boxes.profile

# Firejail profile for gnome-boxes
# Description: Simple GNOME application to access virtual systems
# This file is overwritten after every install/update
# Persistent local customizations
include gnome-boxes.local
# Persistent global definitions
include globals.local

# GNOME Boxes
noblacklist ${HOME}/.cache/gnome-boxes
noblacklist ${HOME}/.config/gnome-boxes
noblacklist ${HOME}/.local/share/gnome-boxes

# libvirt
noblacklist ${HOME}/.cache/libvirt
noblacklist ${HOME}/.config/libvirt
noblacklist ${RUNUSER}/libvirt
noblacklist /var/cache/libvirt
noblacklist /var/lib/libvirt
noblacklist /var/log/libvirt

noblacklist ${HOME}/.local/share/gvfs-metadata
noblacklist /sbin
#noblacklist /usr/local/sbin
noblacklist /usr/sbin

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
# breaks app
#include disable-proc.inc
include disable-programs.inc
include disable-xdg.inc

# GNOME Boxes
mkdir ${HOME}/.cache/gnome-boxes
mkdir ${HOME}/.config/gnome-boxes
mkdir ${HOME}/.local/share/gnome-boxes
whitelist ${HOME}/.cache/gnome-boxes
whitelist ${HOME}/.config/gnome-boxes
whitelist ${HOME}/.local/share/gnome-boxes

# libvirt
mkdir ${HOME}/.cache/libvirt
mkdir ${HOME}/.config/libvirt
whitelist ${HOME}/.cache/libvirt
whitelist ${HOME}/.config/libvirt
whitelist ${RUNUSER}/libvirt
whitelist /run/libvirt

# qemu
#whitelist /run/qemu

whitelist ${DOWNLOADS}
whitelist /usr/libexec/gnome-boxes*
whitelist /usr/share/gnome-boxes
whitelist /usr/share/libvirt
whitelist /usr/share/osinfo
whitelist /usr/share/qemu
whitelist /usr/share/seabios
whitelist /usr/share/vala*
# /usr/share/misc/usb.ids is a symlink to /var/lib/usbutils/usb.ids on Ubuntu 22.04
whitelist /var/lib/usbutils/usb.ids
include whitelist-common.inc
include whitelist-run-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

# breaks app
#apparmor
# For host-only network sys_admin is needed.
# See https://github.com/netblue30/firejail/issues/2868#issuecomment-518647630
caps.keep net_raw,sys_nice
#caps.keep net_raw,sys_admin
netfilter
nodvd
notv
tracelog

private-cache
private-etc @network,@sound,@tls-ca,@x11
private-tmp
writable-var

dbus-user filter
dbus-user.own org.gnome.Boxes
dbus-user.talk ca.desrt.dconf
dbus-user.talk org.freedesktop.Notifications
?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
dbus-user.talk org.freedesktop.Tracker3
dbus-system none

deterministic-shutdown
# breaks app
#restrict-namespaces

HTH

Edit: The profile was added in:

• New profile: gnome-boxes #6226

[Rosika2]

Hi @glitsj16, 👋

If you're still up for another round of testing, please do.

Of course I am. Thank you so much ❤️
You nailed it indeed. You´re an absolute genius. 🎆

Hooray. The new profile works perfectly. 👍

You can add your specifics for 0.9.72 and /media/rosika/... exactly like above.

That I did. Now the firejailed instance of gnome-boxes not only sees all of the installed VMs but it can also get them running. Phantastic ❣️

As I was very much interested what the difference between the first profile you provided and the most topical one may be I first sorted the two profiles:
sort gnome-boxes.profile > s_gnome-boxes.profile
and
sort vgl_old_GB.profile > s_vgl_old_GB.profile
and then diffed them: diff s_gnome-boxes.profile s_vgl_alt_GB.profile

I got these differences:

14,15c14,15
< ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
< #apparmor
---
> $ cat ~/.config/firejail/gnome-boxes
> apparmor
17,19d16
< # breaks app
< # breaks app
< #caps.keep net_raw,sys_admin
25,26d21
< dbus-user.talk org.freedesktop.Notifications
< dbus-user.talk org.freedesktop.Tracker3
28a24
> #disable-mnt
30c26
< # For host-only network sys_admin is needed.
---
> # For host-only network sys_admin is needed. See https://github.com/netblue30/firejail/issues/2868#issuecomment-518647630
76a73
> #private-bin gnome-boxes,libvirtd,qemu*
78c75
< private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,ld.so.preload,localtime,pki,pulse,resolv.conf,ssl
---
> #private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,ld.so.preload,localtime,pki,pulse,resolv.conf,ssl
80d76
< private-etc @network,@sound,@tls-ca,@x11
82,84c78
< # qemu
< #restrict-namespaces
< # See https://github.com/netblue30/firejail/issues/2868#issuecomment-518647630
---
> restrict-namespaces
90d83
< # /usr/share/misc/usb.ids is a symlink to /var/lib/usbutils/usb.ids on Ubuntu 22.04
100,101d92
< #whitelist /run/qemu
< whitelist /usr/libexec/gnome-boxes*
104d94
< whitelist /usr/share/osinfo
108,109c98
< whitelist /var/lib/usbutils/usb.ids
< writable-var
---
> #writable-var

To be honest, I´ve no idea which of these entries made it work in the end. That´s well beyond my expertise. 😉

One thing is certain, however: I wouldn´t have been able to solve the problem, not in a thousand years.

I admire your immense knowledge, dear @glitsj16 . 👍

Now that you put so much time and effort into coming up with a perfectly working gnome-boxes.profile wouldn´t it make sense to include it in /etc/firejail a later version of firejail?
I´m almost sure I´m not the only one interested in a profile for gnome-boxes. Just a thought.

Thank you very much for all the hard work you put into helping me. It´s highly appreciated. ❤️

All the best to you and your family.
Many greetings from Rosika 🙂

P.S.:

Update:

After having used the profile successfully I curiously ran into something weird.

I started gnome-boxes the usual way: firejail gnome-boxes , and suddenly I was presented with the "empty" boxes layout, as if now VMs were installed.
I don´t understand whay that is, as boxes saw the 3 VMs which I have at my disposal the last few times I ran the command.

So I took a look at lnav to see whether there were any logs regarding the scenario. I found this:

            │
│Feb 22 18:02:41 rosika-Lenovo-H520e libvirtd[28742]: libvirt version: 8.0.0, package: 1ubuntu7.8 (Lena Voytek <[email protected]> Wed, 29 Nov 2023 14:52:52 -0700)                 │
│Feb 22 18:02:41 rosika-Lenovo-H520e libvirtd[28742]: hostname: rosika-Lenovo-H520e                                                                                                         │
│Feb 22 18:02:41 rosika-Lenovo-H520e libvirtd[28742]: Failed to find user record for uid '1000': No such file or directory                                                                  │
│Feb 22 18:02:41 rosika-Lenovo-H520e libvirtd[28742]: internal error: Unable to get system bus connection: Could not connect: Permission denied                                             │
│Feb 22 18:02:41 rosika-Lenovo-H520e libvirtd[28742]: DBus not available, disabling firewalld support in bridge_network_driver: internal error: Unable to get system bus connection: Could n│
ot connect: Permission denied                                                                                                                                                               ┤
│Feb 22 18:02:41 rosika-Lenovo-H520e libvirtd[28742]: Failed to open a VPD file '/sys/bus/pci/devices/0000:02:00.0/vpd': Operation not permitted                                            │
│Feb 22 18:02:42 rosika-Lenovo-H520e libvirtd[28742]: internal error: Unable to get session bus connection: Cannot spawn a message bus without a machine-id: Unable to load /var/lib/dbus/ma│
chine-id or /etc/machine-id: Failed to open file “/var/lib/dbus/machine-id”: No such file or directory                                                                                      │
│Feb 22 18:02:42 rosika-Lenovo-H520e libvirtd[28742]: internal error: Unable to get system bus connection: Could not connect: Permission denied                                             │
│Feb 22 18:02:42 rosika-Lenovo-H520e libvirtd[28742]: Failed to find user record for uid '1000': No such file or directory                                                                  │
│Feb 22 18:02:42 rosika-Lenovo-H520e libvirtd[28742]: End of file while reading data: Input/output error                                                                                    │
│Feb 22 18:02:42 rosika-Lenovo-H520e libvirtd[28742]: Failed to find user record for uid '1000': No such file or directory        

Even more curious: After that I started gnome-boxes the normal way without firejail and it could see the VMs.
Then I shut it down and tried firejail gnome-boxes again. Now it could see (and run) the VMs as well . 😲

So every now then and firejailed gnome boxes doesn´t seem to have access to the already installed VMs.
But that´s not a consistent behaviour. At other times it works... 🤔 .

Does the lnav output provide something useful ❓

Thanks so much.

P.S. 2:

Even if firejail gnome-boxes succeeds in seeing and accessing the VMs lanv says:

                                                                                            │
│Feb 22 18:30:31 rosika-Lenovo-H520e libvirtd[30998]: End of file while reading data: Input/output error                                                                                    │
│Feb 22 18:30:31 rosika-Lenovo-H520e libvirtd[1144]: End of file while reading data: Input/output error 

[glitsj16]

@Rosika2

The new profile works perfectly.

Aha, that's good news indeed.

To be honest, I've no idea which of these entries made it work in the end.

It was a combination of things that eventually did it. A few extra paths need whitelisting in /usr/share and dropping apparmor and restrict namespaces. I tried some AppArmor rules in an attempt to keep that option in the sandbox but never succeeded in running gnome-boxes succesfully in such scenario's. I'm aware of it and might try again later, after digging through some AA docs. On the Ubuntu 22.04 machine I worked on this, libvirtd (that does the heavy-lifting behind the gnome-boxes GUI) comes with a dedicated apparmor profile of itself. Complexities :-). But the resulting sandbox is pretty tight nonetheless, I'm happy about it now.

Now that you put so much time and effort into coming up with a perfectly working gnome-boxes.profile wouldn´t it make sense to include it in /etc/firejail a later version of firejail?

It would and I will add the working profile soonish in a PR. Just wanted to have your feedback before rushing things in. Thank you for being persistent and posting your findings, appreciated!When accepted it will hopefully get into the upcoming 0.9.74 release. Stay tuned, because when it does you'll need to rearrange your gnome-boxes.local accordingly.

After having used the profile successfully I curiously ran into something weird.

The best guesses I have right now on these observations are

• the sandbox isn't being shutdown properly
  The deterministic-shutdown option is important in this context. Things can get racy though, not sure why you see the unpredictable behaviour. But according to your posted output this might be due to the communication between GB and libvirt. Which leads to...
• D-Bus filtering might be too tight
  Try the profile without the dbus-filter blabla and dbus-system none options and check if that makes this behaviour go away.

Regardless of the above, what you always can do is ensuring your commands to start gnome-boxes all use the firejail <CLI-options> /full/path/to/gnome-boxes, be it in shell wrapper scripts you might have or in org.gnome.Boxes.desktop GUI launchers. From the firejail side that's pretty much all you can do.

There could be other things in play here come to think of it. I never activated the gnome-boxes option to keep VM's running in the background and I always made sure the VM was powered down properly after I crashed gnome-boxes during testing.

I'd really appreciate if you could keep eyes on this during your VM use over a few days and report back if it keeps showing that weird behaviour, regardless of proper shutdown procedures. I'll do the same on my end too and report back here.

Thanks for your kind appreciations, keep well!

[Rosika2]

Hi @glitsj16, 👋

thank you so much for your persistent help. ❤️

A few extra paths need whitelisting in /usr/share and dropping apparmor and restrict namespaces.

Thanks for the info.

Thank you for being persistent and posting your findings, appreciated!

You´re very welcome. But it´s rather me who has to be thankful for the great help I´m getting from you.

Here´s some new info:

When running gnome-boxes outside of firejail I still get lnav´s log messages:

                                    │
│Feb 23 14:45:21 rosika-Lenovo-H520e libvirtd[6616]: internal error: Unable to get session bus connection: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: A│
n AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender="(null)" (inactive) interface="org.freedesktop.DBu┤
s" member="Hello" error name="(unset)" requested_reply="0" destination="org.freedesktop.DBus" (bus)                                                              │
│Feb 23 14:45:39 rosika-Lenovo-H520e libvirtd[6616]: End of file while reading data: Input/output error                                                          ┤
│Feb 23 14:45:39 rosika-Lenovo-H520e libvirtd[1143]: End of file while reading data: Input/output error                    

Still, boxes work as expected this way.
So this doesn´t seem to have anything to do with firejail. I should´ve checked that already yesterday. Sorry for the delay.

Now I modified gnome-boxes.profile this way:

[...]
#dbus-user filter
#dbus-user.own org.gnome.Boxes
#dbus-user.talk ca.desrt.dconf
#dbus-user.talk org.freedesktop.Notifications
#?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
#dbus-user.talk org.freedesktop.Tracker3
#dbus-system none
[...]
deterministic-shutdown  # I kept it this way

Alas the outcome seem to be the same.
Boxes doesn´t see the installed VMs. 😦

Here are lnav´s messages:

• starting firejail gnome-boxes:

                                ┤
│Feb 23 14:59:41 rosika-Lenovo-H520e libvirtd[9493]: libvirt version: 8.0.0, package: 1ubuntu7.8 (Lena Voytek <[email protected]> Wed, 29 Nov 2023 14:52:│
52 -0700)                                                                                                                                                        │
│Feb 23 14:59:41 rosika-Lenovo-H520e libvirtd[9493]: hostname: rosika-Lenovo-H520e                                                                               ┤
│Feb 23 14:59:41 rosika-Lenovo-H520e libvirtd[9493]: Failed to find user record for uid '1000': No such file or directory                                        │
│Feb 23 14:59:41 rosika-Lenovo-H520e libvirtd[9493]: Failed to open a VPD file '/sys/bus/pci/devices/0000:02:00.0/vpd': Operation not permitted                  │
│Feb 23 14:59:42 rosika-Lenovo-H520e dbus-daemon[1561]: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/org/freedesktop/DBus" interface="org│
.freedesktop.DBus" member="Hello" mask="send" name="org.freedesktop.DBus" pid=9493 label="libvirtd" peer_label="unconfined"                                      ┤
│Feb 23 14:59:42 rosika-Lenovo-H520e libvirtd[9493]: internal error: Unable to get session bus connection: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: A│
n AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender="(null)" (inactive) interface="org.freedesktop.DBu│
s" member="Hello" error name="(unset)" requested_reply="0" destination="org.freedesktop.DBus" (bus)                                                              │
│Feb 23 14:59:42 rosika-Lenovo-H520e libvirtd[9493]: Failed to find user record for uid '1000': No such file or directory                                        ┤
│Feb 23 14:59:42 rosika-Lenovo-H520e libvirtd[9493]: End of file while reading data: Input/output error                                                          │
│Feb 23 14:59:42 rosika-Lenovo-H520e libvirtd[9493]: Failed to find user record for uid '1000': No such file or directory                                        ┤
│Feb 23 14:59:42 rosika-Lenovo-H520e NetworkManager[933]: <info>  [1708696782.8089] dhcp6 (enx001e101f0000): state changed new lease, address=2a02:3032:303:929a:│
10:2030:4050:2                                                                                                                

• messages when shutting it down: no additional messages any more

No idea whether it helps at all... 🤔

But the fact remains:
If I start gnome-boxes within firejail after having started it the unboxed way and then shut it down firejailed gnome-boxes sees and has access to the VMs.
I can do this a few times more after that. However, let 5 or more minutes elapse, then firejailed sandbox is back to it´s "faulty" behaviour of not seeing the VMs. 😲

Curious thing: what kind of "timeout" might be at work here? That´s really beyond me.

Thank you so much for your kind help, dear @glitsj16 . It´s greatly appreciated. ❤️

Many greetings from Rosika 🙂

P.S.:

I never activated the gnome-boxes option to keep VM's running in the background

Me neither. So we can rule out this one.

[glitsj16]

I´d like to try that. But I´m unsure as how to do it.

You're still on 0.9.72 so you will need to use the format for private-etc that is supported in that version. The new format is easy to spot, it has @foo entrees (called groups):

private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,ld.so.preload,localtime,passwd,pki,pulse,resolv.conf,ssl

HTH, enjoy the weekend!

[Rosika2]

Dear @glitsj16, 👋

thank you very much for your new reply.

Those are the private-etc entries with me:

private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,ld.so.preload,localtime,pki,pulse,resolv.conf,ssl

private-etc @network,@sound,@tls-ca,@x11

In your reply you referred to the first one.

The second one has the @ entries.

Seems I´m a bit slow today. Sorry.
Could you help?
How should I add missing passwd item? I´m not sure about the syntax.

Have a nice weekend.
Many greetings from Rosika 🙂

[glitsj16]

Remove or comment the second one with the @ entries, that's not supported in 0.9.72.

How should I add missing passwd item? I´m not sure about the syntax.

Several options here, because private-etc supports globbing and is cumulative. Meaning if you would add private-etc passwd on a separate line, Firejail adds it to the stack. We tend to aplphabetically order lots of stuff in profiles and elsewhere. Keeps things nice and tidy. But again, that's not going to break a profile if one doesn't follow that convention. Just make sure you don't have a gap in between items, a or items not being separated from eachother by a comma , will break it.

On a side-note: I'm getting slightly more familiar with virtualization managers day by day. Shared folder & clipboard support for gnome-boxes should be ready after the weekend, with some hardenings on top. Stay tuned!

Ciao

[Rosika2]

Hi @glitsj16 , 👋

thanks so much again for your help. ❤️

O.K., I did what you suggested and the relevant part of the config file looks like this now:

[...]
private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,ld.so.preload,localtime,pki,pulse,resolv.conf,ssl
# uncomment the below if you're on 0.9.73 (firejail-git)
#private-etc @network,@sound,@tls-ca,@x11
private-tmp
writable-var
private-etc passwd
[...]

I´m sorry to say nothing seems to have changed. firejail gnome-boxes still doesn´t see my VMs unless I started and shut down gnome-boxes (unjailed) before.

This time I issued the command

tail -f /var/log/syslog | batcat --paging=never -l log

for logging purposes to make sure I wouldn´t miss anything. These are the logs referring to the start of firjail gnome-boxes now:

  11   │ Feb 25 14:39:01 rosika-Lenovo-H520e libvirtd[9147]: libvirt version: 8.0.0, package: 1ubuntu7.8 (Lena Voytek <[email protected]> Wed, 29 Nov 2023 1
       │ 4:52:52 -0700)
  12   │ Feb 25 14:39:01 rosika-Lenovo-H520e libvirtd[9147]: hostname: rosika-Lenovo-H520e
  13   │ Feb 25 14:39:01 rosika-Lenovo-H520e libvirtd[9147]: Failed to find group record for gid '1000': No such file or directory
  14   │ Feb 25 14:39:01 rosika-Lenovo-H520e libvirtd[9147]: Failed to open a VPD file '/sys/bus/pci/devices/0000:02:00.0/vpd': Operation not permitted
  15   │ Feb 25 14:39:02 rosika-Lenovo-H520e dbus-daemon[1626]: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/org/freedesktop/DBus" interface
       │ ="org.freedesktop.DBus" member="Hello" mask="send" name="org.freedesktop.DBus" pid=9147 label="libvirtd" peer_label="unconfined"
  16   │ Feb 25 14:39:02 rosika-Lenovo-H520e libvirtd[9147]: internal error: Unable to get session bus connection: GDBus.Error:org.freedesktop.DBus.Error.AccessDeni
       │ ed: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender="(null)" (inactive) interface="org.free
       │ desktop.DBus" member="Hello" error name="(unset)" requested_reply="0" destination="org.freedesktop.DBus" (bus)
  17   │ Feb 25 14:39:02 rosika-Lenovo-H520e libvirtd[9147]: Failed to find group record for gid '1000': No such file or directory
  18   │ Feb 25 14:39:02 rosika-Lenovo-H520e libvirtd[9147]: End of file while reading data: Input/output error
  19   │ Feb 25 14:39:02 rosika-Lenovo-H520e libvirtd[9147]: Failed to find group record for gid '1000': No such file or directory

No extra logs when shutting down the process.

I´m so sorry to give you so much trouble. 😞

Thanks a lot for your kind help. Have a nice weekend.

Cheers from Rosika 🙂

Update:

Seems we finally got the solution:

My good friend Neville (https://itsfoss.community/u/nevj/summary and https://github.com/nevillejackson ), who´s been following our discussion, came up with the solution:

It needs group added to the private-etc line
Now it works … I get Boxes started with my VM’s listed.

So I did just that in my profile as well. The relevant part looks like this now:

private-cache
# uncomment the below if you're on 0.9.72
private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,ld.so.preload,localtime,pki,pulse,resolv.conf,ssl,group,passwd
# uncomment the below if you're on 0.9.73 (firejail-git)
#private-etc @network,@sound,@tls-ca,@x11
private-tmp
writable-var

Now firejailed gnome-boxes sees all the installed VMs right from the start and has access to them. 😃 🎆

Thank you so much for your persistent help, @glitsj16 ❤️

All the best from Rosika 🙂

[glitsj16]

It needs group added to the private-etc line

Indeed it does. The new format makes this a lot easier. It uses saner defaults and groups, see this for reference.

Glad you finally got it working! I'll open a PR for adding gnome-boxes.profile shortly, my testing has settled over the weekend. Here's my 'end-result', tightened things down a bit. Feel free to test if with that all the features you expect from the app are working (including sharing a folder and clipboard between host and guest).

$ cat ~/.config/firejail/gnome-boxes.profile

# Firejail profile for gnome-boxes
# Description: Simple GNOME application to access virtual systems
# This file is overwritten after every install/update
# Persistent local customizations
include gnome-boxes.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/.cache/gnome-boxes
noblacklist ${HOME}/.config/gnome-boxes
noblacklist ${HOME}/.local/share/gnome-boxes
noblacklist ${RUNUSER}/libvirt

noblacklist /sbin
noblacklist /usr/sbin

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
# breaks app
#include disable-proc.inc
include disable-programs.inc
include disable-xdg.inc

mkdir ${HOME}/.cache/gnome-boxes
mkdir ${HOME}/.config/gnome-boxes
mkdir ${HOME}/.local/share/gnome-boxes
whitelist ${HOME}/.cache/gnome-boxes
whitelist ${HOME}/.config/gnome-boxes
whitelist ${HOME}/.local/share/gnome-boxes
whitelist ${RUNUSER}/libvirt
whitelist /run/libvirt

whitelist ${DOWNLOADS}
whitelist /usr/libexec/gnome-boxes*
whitelist /usr/share/gnome-boxes
whitelist /usr/share/libvirt
whitelist /usr/share/osinfo
whitelist /usr/share/qemu
whitelist /usr/share/seabios
whitelist /usr/share/vala*
# /usr/share/misc/usb.ids is a symlink to /var/lib/usbutils/usb.ids on Ubuntu 22.04
whitelist /var/lib/usbutils/usb.ids
include whitelist-common.inc
include whitelist-run-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

# breaks app
#apparmor
# For host-only network sys_admin is needed.
# See https://github.com/netblue30/firejail/issues/2868#issuecomment-518647630
caps.keep net_raw,sys_nice
#caps.keep net_raw,sys_admin
netfilter
nodvd
notv
tracelog

private-cache
# uncomment the below if you're on 0.9.72
private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,group,hostname,hosts,ld.so.cache,ld.so.preload,localtime,passwd,pki,pulse,resolv.conf,ssl
# uncomment the below if you're on 0.9.73 (firejail-git)
#private-etc @network,@sound,@tls-ca,@x11
private-tmp

dbus-user filter
dbus-user.own org.gnome.Boxes
dbus-user.talk ca.desrt.dconf
dbus-user.talk org.freedesktop.Notifications
?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
dbus-system none

deterministic-shutdown
# breaks app
#restrict-namespaces

Thanks for all the feed-back!

[Rosika2]

Hi @glitsj16 👋

Thanks so much for the hard work you put into the new profile. ❤️
Also: thanks for the link.

Feel free to test it

O.K. I´ll gladly do that....

O.K. In the meantime I tested it. Here´s your latest profile and I added my personal noblacklist and whitelist path to my VMs:

# Firejail profile for gnome-boxes
# Description: Simple GNOME application to access virtual systems
# This file is overwritten after every install/update
# Persistent local customizations
include gnome-boxes.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/.cache/gnome-boxes
noblacklist ${HOME}/.config/gnome-boxes
noblacklist ${HOME}/.local/share/gnome-boxes
noblacklist ${RUNUSER}/libvirt

noblacklist /sbin
noblacklist /usr/sbin

# for @Rosika2 only:
# if you never blacklisted the below path (like in a disable-common.local) the line can be dropped
# otherwise uncomment it
noblacklist /media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/für_qemu2

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
# breaks app
#include disable-proc.inc
include disable-programs.inc
include disable-xdg.inc

mkdir ${HOME}/.cache/gnome-boxes
mkdir ${HOME}/.config/gnome-boxes
mkdir ${HOME}/.local/share/gnome-boxes
whitelist ${HOME}/.cache/gnome-boxes
whitelist ${HOME}/.config/gnome-boxes
whitelist ${HOME}/.local/share/gnome-boxes
whitelist ${RUNUSER}/libvirt
whitelist /run/libvirt

whitelist ${DOWNLOADS}
# for @Rosika2 only:
# uncomment the below while testing this profile
whitelist /media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/für_qemu2
whitelist /usr/libexec/gnome-boxes*
whitelist /usr/share/gnome-boxes
whitelist /usr/share/libvirt
whitelist /usr/share/osinfo
whitelist /usr/share/qemu
whitelist /usr/share/seabios
whitelist /usr/share/vala*
# /usr/share/misc/usb.ids is a symlink to /var/lib/usbutils/usb.ids on Ubuntu 22.04
whitelist /var/lib/usbutils/usb.ids
include whitelist-common.inc
include whitelist-run-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

# breaks app
#apparmor
# For host-only network sys_admin is needed.
# See https://github.com/netblue30/firejail/issues/2868#issuecomment-518647630
caps.keep net_raw,sys_nice
#caps.keep net_raw,sys_admin
netfilter
nodvd
notv
tracelog

private-cache
# uncomment the below if you're on 0.9.72
private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,group,hostname,hosts,ld.so.cache,ld.so.preload,localtime,passwd,pki,pulse,resolv.conf,ssl
# uncomment the below if you're on 0.9.73 (firejail-git)
#private-etc @network,@sound,@tls-ca,@x11
private-tmp

dbus-user filter
dbus-user.own org.gnome.Boxes
dbus-user.talk ca.desrt.dconf
dbus-user.talk org.freedesktop.Notifications
?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
dbus-system none

deterministic-shutdown
# breaks app
#restrict-namespaces

Well, I´m sorry to say I´m back to the initial problem again. 🙍‍♀️
gnome-boxes opens up but it cannot see the already installed VMs.

I diffed the two profiles after having sorted them.
new.txt being the most recent profile you provided, old.txt is the one which already worked with me.

Here are the differences:

diff new.txt old.txt:

11c11,14
< ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
---
> 
> 
> 
> #?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
18,22c21,26
< dbus-system none
< dbus-user filter
< dbus-user.own org.gnome.Boxes
< dbus-user.talk ca.desrt.dconf
< dbus-user.talk org.freedesktop.Notifications
---
> #dbus-system none
> #dbus-user filter
> #dbus-user.own org.gnome.Boxes
> #dbus-user.talk ca.desrt.dconf
> #dbus-user.talk org.freedesktop.Notifications
> #dbus-user.talk org.freedesktop.Tracker3
28a33,34
> # GNOME Boxes
> # GNOME Boxes
43a50,51
> # libvirt
> # libvirt
44a53
> mkdir ${HOME}/.cache/libvirt
45a55
> mkdir ${HOME}/.config/libvirt
48a59
> noblacklist ${HOME}/.cache/libvirt
49a61
> noblacklist ${HOME}/.config/libvirt
50a63
> noblacklist ${HOME}/.local/share/gvfs-metadata
53a67
> #noblacklist /usr/local/sbin
54a69,71
> noblacklist /var/cache/libvirt
> noblacklist /var/lib/libvirt
> noblacklist /var/log/libvirt
61c78,79
< private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,group,hostname,hosts,ld.so.cache,ld.so.preload,localtime,passwd,pki,pulse,resolv.conf,ssl
---
> private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,ld.so.preload,localtime,pki,pulse,resolv.conf,ssl,group,passwd
> #private-etc @network,@sound,@tls-ca,@x11
63a82
> # qemu
73a93
> whitelist ${HOME}/.cache/libvirt
74a95
> whitelist ${HOME}/.config/libvirt
78a100
> #whitelist /run/qemu
86a109
> writable-var

No idea if it helps. 😐

Thanks again and many greetings from Rosika 🙂

[glitsj16]

Got a bit swamped, even with the extra leap year day... If I'm reading your diff correctly it seems something in the dbus options broke it for you? Please comment those all out, except dbus-system none and check if that returns it to a working profile.

Just for the record, the profile does work for me. It got merged and a few hours ago I opened a hardening PR for gnome-boxes. Leave all that out for now and try to post what you needed to change to return to a working profile. I used a voidlinux XFCE/musl during all my testing BTW (wanted to check that distro out anyway, just a personal preference).

[Rosika2]

Hi @glitsj16 👋

thank you so much.

Please comment those all out, except dbus-system none and check if that returns it to a working profile.

The relevant part of the profile looks like this now:

#dbus-user filter
#dbus-user.own org.gnome.Boxes
#dbus-user.talk ca.desrt.dconf
#dbus-user.talk org.freedesktop.Notifications
#?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
dbus-system none

But Boxes still don´t see the installed VMs. So sorry. 😞
Seems it must be something else.

Thanks again and cheers from Rosika 🙂