Firetools - I just don't get it

Goatmilk

These days I've installed Firejail, and since I'm not really comfortable with command line stuff only, I also got Firetools, which are said to make it all easy for folks like me.

So, Firetools installed and looked like this:

[Screenshot: Firetools 25-10-18.jpg]


And I could do exactly nothing with it. The menu structure and listed programs do not even correspond to my actual drive.

So I went to this site https://commandmasters.com/commands/firejail-linux/

and ran
$ sudo firecfg

Result:
Code:
$ sudo firecfg
[sudo] password for owl:   
Removing all firejail symlinks:

Configuring symlinks in /usr/local/bin based on firecfg.config
   VirtualBox created
   ark created
   audacity created
   avidemux3_cli created
   avidemux3_jobs_qt5 created
   avidemux3_qt5 created
   baloo_file created
   baloo_filemetadata_temp_extractor created
   bluefish created
   calibre created
   clementine created
   conky created
   cvlc created
   dig created
   display created
   display-im6.q16 created
   dnsmasq created
   ebook-convert created
   ebook-edit created
   ebook-meta created
   ebook-polish created
   ebook-viewer created
   elinks created
   ffmpegthumbnailer created
   ffplay created
   ffprobe created
   firefox created
   ftp created
   gapplication created
   gimp created
   gimp-2.10 created
   gthumb created
   host created
   k3b created
   kate created
   kcalc created
   keepassxc created
   keepassxc-cli created
   keepassxc-proxy created
   ktorrent created
   kwrite created
   libreoffice created
   librewolf created
   lobase created
   localc created
   lodraw created
   loffice created
   lofromtemplate created
   loimpress created
   lomath created
   loweb created
   lowriter created
   man created
   mpg123 created
   mpg123-alsa created
   mpg123.bin created
   mpg123-id3dump created
   mpg123-jack created
   mpg123-nas created
   mpg123-openal created
   mpg123-oss created
   mpg123-portaudio created
   mpg123-pulse created
   mpg123-strip created
   nslookup created
   okular created
   out123 created
   patch created
   pavucontrol created
   pdftotext created
   ping created
   qt-faststart created
   soffice created
   spectacle created
   ssh created
   strings created
   telnet created
   thunderbird created
   virtualbox created
   vlc created
   wget created
   whois created
   xcalc created
   zim created

Adding user owl to Firejail access database in /etc/firejail/firejail.users
Creating /etc/firejail/firejail.users

Fixing desktop files in /home/owl/.local/share/applications
   org.kde.plasma.browser_integration.host.desktop created
   vlc.desktop created
   librewolf.desktop created
   org.kde.spectacle.desktop created
   thunderbird.desktop created
owl@Max:~
$

So it seems Firejail sandboxed everything that couldn't run fast enough and that was that.

I really have no other chance to tell if anything is sandboxed than that list above. The only difference I noted was on my Google Drive - it seems I cannot upload files from any odd folder anymore. The only folder that is accessible from Google Drive is the download folder. Which is a rather nifty thing, I guess. Seems Firejail works just fine.

But, no change in Firetools. It looks exactly the same as it did the day I installed it, the exact same icons in the box, and it's exactly as useless.

Tried to get a new list of sandboxed programs:
Code:
$ firejail --list
2692:owl::/usr/bin/firejail /usr/bin/conky -c /home/owl/.conky/MX-Flair/System_flair_Updated
3720:owl::/usr/bin/firejail /usr/bin/firefox

So I have two sandboxes now? Why? Or are only the Conky tidbit and Firefox sandboxed? But, Librewolf had the same effect that Firefox had, Google Drive could only access the download folder. Or is that a Linux thing, and I just didn't know that because I've never uploaded anything on Google Drive with the Linux laptop before? While I used to surf with the Linux laptop, I still used to shove files around with Win7.

According to the videos I've watched, I should have access and insight into all of this with Firetools. Only I haven't. Firetools just sits there and doesn't even seem to have a connection to Firejail.

So, my daily question: What went wrong?

And what should I do to get on top of that?
(Other than reading the man pages, which I did or at least tried and where everything just went straight over my head. Heck, there is a reason I wanted Firetools....)
 


So I have two sandboxes now? Why? Or are only the Conky tidbit and Firefox sandboxed?
The two you see are the sandboxed running applications. If you had started okular at the same time, it would be in the list.

What firetools did earlier was symlink the application binaries it found on your system.

You then have the option in the GUI to create a profile for an application. In the profile you could, for example, whitelist access of Okular to its configuration directory, or allow Google Drive network access to your cloud. These specifics don't seem to be configured by default; that's why you had the Okular and Google Drive problems.

The man page is overwhelming, yes. A good start with firejail is to start with individual applications that access the internet, like a web browser: https://commandmasters.com/commands/firejail-linux/#opening-a-restricted-mozilla-firefox

If firefox starts like that, you will see it in the sandbox list again. If there are problems with it, firejail needs parameters, but it can be used perfectly for single applications and do its sandboxing for them.

Try whether it does: for example, can a 'firejail firefox' still open your home documents folder, or not?
Then, follow the tutorial on from that and try its second firefox example.
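
An added example, not part of the thread or of Firejail itself: a small script that answers "what is sandboxed by default?" by looking for the symlinks firecfg creates. It assumes the layout shown in the firecfg output above (symlinks in /usr/local/bin that point at the firejail binary); the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread): see which commands firecfg has wrapped.
# Assumes the firecfg layout shown above: symlinks in /usr/local/bin whose
# target is the firejail binary. readlink -f (GNU coreutils/busybox) is required.

# True if $1 is a symlink that ultimately resolves to a file named "firejail".
points_to_firejail() {
    [ -L "$1" ] && [ "$(basename "$(readlink -f "$1")")" = firejail ]
}

# Print the name of every firejail symlink in directory $1, one per line.
# The body runs in a subshell so its variables do not leak into the caller.
list_firejail_links() (
    dir=${1:-/usr/local/bin}
    for link in "$dir"/*; do
        if points_to_firejail "$link"; then basename "$link"; fi
    done
)

# Say how a bare command name would start, given a PATH-style list in $2:
#   sandboxed = the first hit is a firejail symlink
#   direct    = the first hit is the real binary
#   missing   = no executable with that name was found
launch_mode() (
    cmd=$1
    IFS=:; set -f          # split on ':' only, no glob expansion
    for dir in ${2:-$PATH}; do
        [ -x "$dir/$cmd" ] && [ ! -d "$dir/$cmd" ] || continue
        if points_to_firejail "$dir/$cmd"; then echo sandboxed; else echo direct; fi
        exit 0
    done
    echo missing
)

# On the machine being checked:
list_firejail_links /usr/local/bin
echo "firefox: $(launch_mode firefox)"
```

This reports what would be wrapped when a program is started by name; `firejail --list` shows only the sandboxes that are running at that moment.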
 
I did, and the effect was like before: Google Drive couldn't access anything but the download directory (whereas before, when all of Firejail was disabled, it could get anywhere).

However, it seems all is not well in Firejail land...

Code:
$ firejail firefox
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-proc.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 18329, child pid 18332
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: cleaning all supplementary groups
Warning: Replacing profile instead of stacking it. It is a legacy behavior that can result in relaxation of the protection. It is here as a temporary measure to unbreak the software that has been broken by switching to the stacking behavior.
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Child process initialized in 187.58 ms
libva info: VA-API version 1.18.0
libva info: Trying to open /usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so
libva info: Found init function __vaDriverInit_1_17
libva info: va_openDriver() returns 0
[Parent 9, Main Thread] WARNING: g_object_set_is_valid_property: object class 'GtkImage' has no property named 'padding': 'glib warning', file /builds/worker/checkouts/gecko/toolkit/xre/nsSigHandlers.cpp:201

(firefox:9): GLib-GObject-WARNING **: 13:33:23.430: g_object_set_is_valid_property: object class 'GtkImage' has no property named 'padding'
[Parent 9, Unnamed thread 7ff97a453820] WARNING: failed to commit changes to dconf: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceUnknown: 'glib warning', file /builds/worker/checkouts/gecko/toolkit/xre/nsSigHandlers.cpp:201

(firefox:9): dconf-WARNING **: 13:33:29.696: failed to commit changes to dconf: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceUnknown

... and it isn't finished yet, as the owl@Max prompt is still missing. I've let it struggle on for a while, but I guess I'll break the process and look up the website again which had a detailed instruction how to uninstall Firejail safely.

Seems yesterday's adventures left some rabble, and it's probably better to clean it out properly.
 
So, I've followed the routine laid out by the author of this website:
My Time with Firejail: How to Uninstall Without Blowing Up Your System – MIKEY SAN'S BLOG

and set out to uninstall Firejail.

Went like this for a while:

Code:
owl@Max:~
$ sudo firecfg --clean
[sudo] password for owl:
Removing all firejail symlinks:

owl@Max:~
$ firejail --list
owl@Max:~
$ ls -la ~/.local/share/applications/
total 8
drwxr-xr-x  2 owl owl 4096 Oct 19 13:15 .
drwxr-xr-x 44 owl owl 4096 Oct 19 13:48 ..
owl@Max:~
$ mkdir ~/desktop-backup
mv ~/.local/share/applications/*.desktop ~/desktop-backup/
mkdir: cannot create directory ‘/home/owl/desktop-backup’: File exists
mv: cannot stat '/home/owl/.local/share/applications/*.desktop': No such file or directory
owl@Max:~
$ cat /etc/firejail/firejail.users
owl
owl@Max:~
$ sudo rm /etc/firejail/firejail.users
owl@Max:~
$ cat /etc/firejail/firejail.users
cat: /etc/firejail/firejail.users: No such file or directory
owl@Max:~
$ ls -la /usr/local/bin/ | grep firejail
owl@Max:~
$ which -a firefox spectacle
/usr/bin/firefox
/bin/firefox
/usr/bin/spectacle
/bin/spectacle
owl@Max:~
$ sudo pacman -Rns firejail
sudo: pacman: command not found
owl@Max:~
$

Then it stopped, because little Max did not know what "pacman" means. Neither did I, and I think the website guy probably has a different Linux.

So I used MX Package Installer to uninstall Firejail, Firejail-profiles and Firetools.

Then got back into the dos box:

Code:
owl@Max:~
$ which firejail
owl@Max:~
$ find /etc -name "*firejail*" 2>/dev/null
/etc/apparmor.d/firejail-default
/etc/apparmor.d/abstractions/base.d/firejail-base
/etc/apparmor.d/local/firejail-default
/etc/firejail
/etc/firejail/firejail.config
owl@Max:~
$ find /usr -name "*firejail*" 2>/dev/null
/usr/share/icons/Papirus/16x16/apps/firejail-ui.svg
/usr/share/icons/Papirus/48x48/apps/firejail-ui.svg
/usr/share/icons/Papirus/32x32/apps/firejail-ui.svg
/usr/share/icons/Papirus/22x22/apps/firejail-ui.svg
/usr/share/icons/Papirus/24x24/apps/firejail-ui.svg
/usr/share/icons/Papirus/64x64/apps/firejail-ui.svg
owl@Max:~
$

As you see, some things still were left.

Followed the instruction to restart, as the site said: "Log out and back in, or reboot. This ensures no firejail processes linger and all changes take effect."

Then tried again:

Code:
$ sudo apt autoremove && sudo apt autopurge && sudo apt autoclean
[sudo] password for owl:
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
owl@Max:~
$ find /etc -name "*firejail*" 2>/dev/null
/etc/apparmor.d/firejail-default
/etc/apparmor.d/abstractions/base.d/firejail-base
/etc/apparmor.d/local/firejail-default
/etc/firejail
/etc/firejail/firejail.config
owl@Max:~
$ find /usr -name "*firejail*" 2>/dev/null
/usr/share/icons/Papirus/16x16/apps/firejail-ui.svg
/usr/share/icons/Papirus/48x48/apps/firejail-ui.svg
/usr/share/icons/Papirus/32x32/apps/firejail-ui.svg
/usr/share/icons/Papirus/22x22/apps/firejail-ui.svg
/usr/share/icons/Papirus/24x24/apps/firejail-ui.svg
/usr/share/icons/Papirus/64x64/apps/firejail-ui.svg
owl@Max:~
$ which firejail
owl@Max:~
$

In spite of the restart and a cleaning, the last remains of Firejail as listed in those two $ find commands are still there. The /usr stuff seems to be just a few leftover icons, probably harmless, but I don't understand the /etc. I never had apparmor installed.

Anyhow, Google Drive - probably going nuts right now with its "someone logged into your account..."-yammering - can poke around in whichever folder it pleases, and Calibre works like a charm.

Now I'm wondering about the leftovers in /etc and /usr. Can I just go and delete them in Dolphin Manager?


I don't think I'm totally giving up on Firejail, I was truly impressed about its locking down the folders in Firefox/Librewolf. But I guess I'll put it back on the shelf for now until I'm a little bit more familiar with Linux and the way it works. Maybe I find something easier, or I finally get more used to using the terminal. After all, Firetools was bloody useless until the end.
 
Aha! So the guy has Manjaro Linux... ;)

Question: why call up the package manager to delete something when you're already puttering around in the terminal and obviously know what you're doing?

I went to MX package manager because I'm clueless and had no idea what to write. Probably something like 'remove' or 'delete', I might have looked it up. Or would it have taken 1000 commands and it's just easier to call the package manager?
 
Well done with the testing.
... and it isn't finished yet, as the owl@Max prompt is still missing.
This is normal. Try starting firefox in a terminal, close it again after starting and then start it like firefox &
The ampersand makes the command return to the command line in your terminal.
The /usr stuff seems to be just a few leftover icons, probably harmless, but I don't understand the /etc. I never had apparmor installed.
pacman only uses the terminal, same as the dnf package manager on your MX (I think, not sure if MX uses dnf or still rpm). A
Code:
dnf remove firejail-package-name
should do the same. I'm unsure about the /etc files, but after remove you can delete leftovers manually, if you so wish.
I guess I'll put it back on the shelf for now until I'm a little bit more familiar with Linux and the way it works.
Yes, I think the best strategy is to try firejail with an application it is very useful on (e.g. internet software), but one you don't rely on. For example, you could use it with one web browser you have installed, but not a second - which you can always fall back to. This way you can return to learning how to use firejail, but it won't be disruptive for regular usage. Your problem started with the sudo firecfg tool, which automatically enabled firejail for everything it could find.
 
Google Drive couldn't access anything but the download directory (whereas before, when all of Firejail was disabled, it could get anywhere).
Congrats! Firejail works. This is perfectly normal. Firejail RESTRICTS applications. That's what it does.

Firefox for example also only has access to the downloads folder.
After reading all you posted including the outputs I see nothing unusual regarding Firejail.

This is what it does and it does it very, very well.
 

