Bug#1003234: marked as done (firejail-profiles: Chromium profile does not allow loading some webexts)

[Debian Bug Tracking System]

Your message dated Wed, 19 Jan 2022 18:48:50 +0000
with message-id <e1nag0o-0005wg...@fasolo.debian.org>
and subject line Bug#1003234: fixed in firejail 0.9.68~rc1-1
has caused the Debian Bug report #1003234,
regarding firejail-profiles: Chromium profile does not allow loading some 
webexts
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1003234: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003234
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: firejail-profiles
Version: 0.9.66-2
Severity: normal

Dear Maintainer,

Chromium fails to load some webextensions (packages webext-*) when
launched with its current firejail profile, giving the error "Could not
load extension from: . Manifest file is missing or unreadable.".

It seems that some extensions are installed in '/usr/share/webext' and
symlinked in '/usr/share/mozilla/extensions'. However, the profile
'/etc/firejail/chromium.profile' whitelists only the latter, thus making
symlinks to folders inside the former path unreadable.

The problem can be easily reproduced:

1. Install webext-ublock-origin-chromium and webext-https-everywhere;
2. Run Chromium with 'firejail chromium';
3. See how Chromium manages to load uBlock Origin but fails to load
   HTTPS-everywhere;
4. Quit Chromium and run it again with
   'firejail --whitelist=/usr/share/webext chromium';
5. See how Chromium succeeds in loading both extensions.

The explanation being that the HTTPS-everywhere extension folder is a
symlink:

> $ ls /usr/share/mozilla/extensions/\{XXXXX\}/
> https-everywhere-...@eff.org -> ../../../webext/https-everywhere
> ublo...@raymondhill.net

Aforementioned paths are currently whitelisted in the following
profiles:

> $ grep webext /etc/firejail/*.profile
> /etc/firejail/firefox.profile:whitelist /usr/share/webext
> /etc/firejail/librewolf.profile:whitelist /usr/share/webext
> /etc/firejail/thunderbird.profile:whitelist /usr/share/webext
>
> $ grep mozilla/extensions /etc/firejail/*.profile
> /etc/firejail/chromium.profile:whitelist /usr/share/mozilla/extensions

and the Chromium profile does not whitelist '/usr/share/webext'.

Cheers


-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.15.0-2-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages firejail-profiles depends on:
ii  firejail  0.9.66-2

firejail-profiles recommends no packages.

firejail-profiles suggests no packages.

-- no debconf information

--- End Message ---

--- Begin Message ---

Source: firejail
Source-Version: 0.9.68~rc1-1
Done: Reiner Herrmann <rei...@reiner-h.de>

We believe that the bug you reported is fixed in the latest version of
firejail, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1003...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reiner Herrmann <rei...@reiner-h.de> (supplier of updated firejail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 19 Jan 2022 19:30:39 +0100
Source: firejail
Architecture: source
Version: 0.9.68~rc1-1
Distribution: experimental
Urgency: medium
Maintainer: Reiner Herrmann <rei...@reiner-h.de>
Changed-By: Reiner Herrmann <rei...@reiner-h.de>
Closes: 1002998 1003234 1003259
Changes:
 firejail (0.9.68~rc1-1) experimental; urgency=medium
 .
   * New upstream release candidate.
     - fix telegram-desktop profile (Closes: #1002998)
     - allow webext directory in chromium profile (Closes: #1003234)
     - blacklist rxvt when perl is blacklisted (Closes: #1003259)
   * Rename lintian tag in override: setuid-binary -> elevated-privileges.
   * Add lintian overrides for non-standard-executable-perm and
     executable-in-usr-lib.
   * Install new .config files.
   * Remove conffile: disable-passwdmgr.inc.
   * Document new copyright.
   * Bump Standards-Version to 4.6.0.
   * Bump copyright years to 2022.
Checksums-Sha1:
 9271874041d90b3f71b6fda876906c5714bc8371 2519 firejail_0.9.68~rc1-1.dsc
 86d7fb13d8b58736587f69889362461b4e05f29e 473308 firejail_0.9.68~rc1.orig.tar.xz
 6ac2f9b21c1773f50ec6a6e6ded9a2c771476014 488 
firejail_0.9.68~rc1.orig.tar.xz.asc
 b1f09230cadaa1105071de5d3cc9bbf799bd70e2 15036 
firejail_0.9.68~rc1-1.debian.tar.xz
 627554d08e87a34890dda4ddfdb8cc2417a3fe3e 7040 
firejail_0.9.68~rc1-1_source.buildinfo
Checksums-Sha256:
 fde7bffd164a9cf62c6457dfab645c880e525b93424d30444c64a902370535ac 2519 
firejail_0.9.68~rc1-1.dsc
 6fefaca39aea322a5e10f277de0ea024f4ac8d8a76aa930db16ed2a358133374 473308 
firejail_0.9.68~rc1.orig.tar.xz
 2adcf34265c1d5e0ffd01c078ffd7048619cd6a0487432ed359ad6e71cd11273 488 
firejail_0.9.68~rc1.orig.tar.xz.asc
 24778313712141c29f2e820e8595c6975fd6fe25c45ad2ca0d57948af8ec0370 15036 
firejail_0.9.68~rc1-1.debian.tar.xz
 03849b141c814c1ae3b05e24ff1df138fdef63e258bfe3ca8d6faa0cf54c182d 7040 
firejail_0.9.68~rc1-1_source.buildinfo
Files:
 d4308e2cf790f50a53f8643ec69195fc 2519 utils optional firejail_0.9.68~rc1-1.dsc
 142f2f77fbf66c4fc2e729e8119f2149 473308 utils optional 
firejail_0.9.68~rc1.orig.tar.xz
 73fe6b306e94d33647ddc51a2a43d212 488 utils optional 
firejail_0.9.68~rc1.orig.tar.xz.asc
 302341c5c263c8ac9e3dd347749b946e 15036 utils optional 
firejail_0.9.68~rc1-1.debian.tar.xz
 804e48bfff592b6b7190dd711c949b4f 7040 utils optional 
firejail_0.9.68~rc1-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE2Pb6feok2Q1urHM7zPBJKNsO6qcFAmHoWVkACgkQzPBJKNsO
6qdEshAAy179+9YinuvUhAAsLTlYPSeDisIxFgtyJP4aAgMNEOYnYjBHrHiV9vpH
PBDLsChBm4M83jO7flSnESm8K0GOdbYvXUvjlMYLuar7i15kxmCDrdmzx2UU4hM0
355ZbBep1Zu0iAj1ohrKJHfZUCPRIm+agviV8xGs/zMLtztU44p+yFamR2tSK9IP
i3JOXthzNA7cst3pCftMTM9YH0w3dWxnY31rC2B9eHl5mguAaS2jWmtAjT0MC1Qd
94jR10EVtjI2ayjoBcHEGPTQzx0SeFPzLS7tEqsB8VpCfWv3hDzjm71W33RqEkKc
TbHR4rpbvlyMa2/EbQLo1tjrvBlHzS1frNIiP1fHLCUZums6S3h9VAbPm1zSQAif
z/qF+6Yj46sGMfEOSpJPyVtgmRCuVzmG3mDbiwTpaMmHNZZEvab8S1oCQMxEbDCX
zxRC7CEWFbtV2ZETI8XU+PFbiQ38f2xdZQ7405yc+jY691NhnRSodWNqmMgE4W/o
dcSavuX7SyODPFUBGPkAoIa6QPdf+Q06fuhCyyNm2mCxK9/HGl2CjjTlRsehrsek
tZ+Ut3OQSy/UIH1DM4wAxgis0EBu3Hu0cRA363a1VmNivJcHy4uu9aRik4IaNf//
QzshhunPWgutJpekHWhsNxMFsVGg0WFukiYTYZmvyOArjq/PhZA=
=7cU1
-----END PGP SIGNATURE-----

--- End Message ---