Sandboxing using Firejail on Cryptomator AppImage - Linux version

Greetings all,

New here. Been using Cryptomator for a while now though. Nice work to devs and community.

Just wondering if anyone here has had luck using Firejail on the Linux AppImage version of Cryptomator? It’s a Linux sandbox that adds a nice extra layer of security.

I use firejail --appimage cryptomator.appimage and it opens fine, can create vaults, but cannot open them; I get Java errors and FUSE mount denied errors.

FYI on the Firejail sandbox https://firejail.wordpress.com/

Firejail is a SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.

Errors while in the Firejail sandbox.
In the Cryptomator app when unlocking a vault:

org.cryptomator.common.vaults.Volume$VolumeException: Unable to mount Filesystem
at org.cryptomator.common.vaults.FuseVolume.mount(FuseVolume.java:54)
at org.cryptomator.common.vaults.FuseVolume.mount(FuseVolume.java:41)
at org.cryptomator.common.vaults.Vault.unlock(Vault.java:151)
at org.cryptomator.ui.unlock.UnlockWorkflow.attemptUnlock(UnlockWorkflow.java:100)
at org.cryptomator.ui.unlock.UnlockWorkflow.call(UnlockWorkflow.java:81)
at org.cryptomator.ui.unlock.UnlockWorkflow.call(UnlockWorkflow.java:44)
at javafx.concurrent.Task$TaskCallable.call(Task.java:1425)
at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.base/java.lang.Thread.run(Unknown Source)
Caused by: org.cryptomator.frontend.fuse.mount.FuseMountException: ru.serce.jnrfuse.FuseException: Unable to mount FS
at org.cryptomator.frontend.fuse.mount.AbstractMounter.mount(AbstractMounter.java:46)
at org.cryptomator.frontend.fuse.mount.Mounter.mount(Mounter.java:15)
at org.cryptomator.common.vaults.FuseVolume.mount(FuseVolume.java:52)
… 12 more
Caused by: ru.serce.jnrfuse.FuseException: Unable to mount FS
at ru.serce.jnrfuse.AbstractFuseFS.mount(AbstractFuseFS.java:293)
at org.cryptomator.frontend.fuse.mount.AbstractMounter.lambda$mount$0(AbstractMounter.java:26)
… 1 more
Caused by: ru.serce.jnrfuse.FuseException: Unable to mount FS, return code = 1
at ru.serce.jnrfuse.AbstractFuseFS.mount(AbstractFuseFS.java:289)
… 2 more

In Firejail debug:

WARNING: Unsupported JavaFX configuration: classes were loaded from ‘unnamed module @43df23d3
02:04:03.635 [JavaFX Application Thread] INFO o.c.ui.launcher.FxApplicationStarter - JavaFX Runtime started.
fuse: failed to exec fusermount: Permission denied
02:04:30.127 [fuseMount-0-main] INFO org.cryptomator.common.vaults.Vault - Unmounted vault ‘My_Documents’
02:04:30.137 [fuseMount-0-main] WARN org.cryptomator.common.vaults.Vault - Unexpected unmount and lock of vault My_Documents
ru.serce.jnrfuse.FuseException: Unable to mount FS
at ru.serce.jnrfuse.AbstractFuseFS.mount(AbstractFuseFS.java:293)
at org.cryptomator.frontend.fuse.mount.AbstractMounter.lambda$mount$0(AbstractMounter.java:26)
at java.base/java.lang.Thread.run(Unknown Source)
Caused by: ru.serce.jnrfuse.FuseException: Unable to mount FS, return code = 1
at ru.serce.jnrfuse.AbstractFuseFS.mount(AbstractFuseFS.java:289)
… 2 common frames omitted
02:04:40.088 [JavaFX Application Thread] INFO o.c.ui.unlock.UnlockWorkflow - Unlock of ‘My_Documents’ failed.
02:04:40.089 [JavaFX Application Thread] ERROR o.c.ui.unlock.UnlockWorkflow - Unlock failed for technical reasons.
org.cryptomator.common.vaults.Volume$VolumeException: Unable to mount Filesystem
at org.cryptomator.common.vaults.FuseVolume.mount(FuseVolume.java:54)
at org.cryptomator.common.vaults.FuseVolume.mount(FuseVolume.java:41)
at org.cryptomator.common.vaults.Vault.unlock(Vault.java:151)
at org.cryptomator.ui.unlock.UnlockWorkflow.attemptUnlock(UnlockWorkflow.java:100)
at org.cryptomator.ui.unlock.UnlockWorkflow.call(UnlockWorkflow.java:81)
at org.cryptomator.ui.unlock.UnlockWorkflow.call(UnlockWorkflow.java:44)
at javafx.concurrent.Task$TaskCallable.call(Task.java:1425)
at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.base/java.lang.Thread.run(Unknown Source)
Caused by: org.cryptomator.frontend.fuse.mount.FuseMountException: ru.serce.jnrfuse.FuseException: Unable to mount FS
at org.cryptomator.frontend.fuse.mount.AbstractMounter.mount(AbstractMounter.java:46)
at org.cryptomator.frontend.fuse.mount.Mounter.mount(Mounter.java:15)
at org.cryptomator.common.vaults.FuseVolume.mount(FuseVolume.java:52)
… 12 common frames omitted
Caused by: ru.serce.jnrfuse.FuseException: Unable to mount FS
at ru.serce.jnrfuse.AbstractFuseFS.mount(AbstractFuseFS.java:293)
at org.cryptomator.frontend.fuse.mount.AbstractMounter.lambda$mount$0(AbstractMounter.java:26)
… 1 common frames omitted
Caused by: ru.serce.jnrfuse.FuseException: Unable to mount FS, return code = 1
at ru.serce.jnrfuse.AbstractFuseFS.mount(AbstractFuseFS.java:289)
… 2 common frames omitted

I think I found the reason, as per Firejail notes section 3.6 EncFS and SSHFS for FUSE filesystems…

By default, all FUSE based filesystems are visible only to the user who mounted them. No other users (including root) can view the filesystem contents.

For various reasons, during sandbox setup Firejail handles EncFS filesystems (or any other FUSE file system like Cryptomator) as root user. FUSE will prevent the root access to user’s files and the sandbox will fail to start.

Will play around further.

Thanks for sharing such experiments. Since FUSE relies on communicating between kernel and user-space processes, it doesn’t like to sit in a sandbox. Sadly, this is also the reason why we’re still failing to provide Cryptomator as a flatpak package.

Any further insights regarding FUSE and sandboxing are highly welcome! :slight_smile:
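
A diagnostic for the `failed to exec fusermount: Permission denied` line reported in this thread, as an added example that is not part of the original posts or of the Cryptomator or Firejail projects. It reports the conditions an unprivileged FUSE mount depends on (helper present, executable and setuid; `no_new_privs` clear; FUSE device accessible); the helper names, `/proc/self/status` and `/dev/fuse` are assumptions about a typical Linux system, and the finding labels are made up for this example.

```shell
#!/bin/sh
# Added example: run once on the host and once inside the sandbox, then
# compare the two outputs. Paths are parameters so the checks can be tested.

# Print the NoNewPrivs value (0 or 1) from a /proc/<pid>/status-style file.
nnp_value() {
    awk '$1 == "NoNewPrivs:" { print $2; f = 1 }
         END { if (!f) print "unknown" }' "$1"
}

# Locate the mount helper: fusermount (libfuse 2, the name in the thread's
# log) or fusermount3 (libfuse 3). Prints nothing if neither is on PATH.
find_helper() {
    command -v fusermount 2>/dev/null || command -v fusermount3 2>/dev/null
}

# diagnose HELPER STATUS_FILE FUSE_DEV
# Prints one finding per line, or "ok" when nothing is wrong.
diagnose() {
    helper=$1; status=$2; dev=$3; n=0
    if [ -z "$helper" ] || [ ! -e "$helper" ]; then
        echo "helper-missing"; n=$((n + 1))
    else
        if [ ! -x "$helper" ]; then
            echo "helper-not-executable"; n=$((n + 1))
        fi
        # Unprivileged mounts rely on the helper being setuid root.
        if [ ! -u "$helper" ]; then
            echo "helper-not-setuid"; n=$((n + 1))
        fi
    fi
    # With no_new_privs set, execve() does not honour the setuid bit.
    if [ "$(nnp_value "$status")" = "1" ]; then
        echo "no-new-privs-set"; n=$((n + 1))
    fi
    if [ ! -r "$dev" ] || [ ! -w "$dev" ]; then
        echo "fuse-device-inaccessible"; n=$((n + 1))
    fi
    if [ "$n" -eq 0 ]; then echo "ok"; fi
    return 0
}

# Check the current process context (child processes inherit NoNewPrivs).
diagnose "$(find_helper)" /proc/self/status /dev/fuse
```

A finding that appears only inside the sandbox points at the restriction that breaks the mount.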