Monday, 3 February 2025

Librewolf shows “some of LibreWolf’s security features may offer less protection on your current operating system”

I'm test driving Ubuntu after using Gentoo for years and found Librewolf gave me this warning banner.

“some of LibreWolf’s security features may offer less protection on your current operating system”


I searched a bit and found a Mozilla article, but it wasn't quite right, so I'm documenting here what it is on Ubuntu 24.10.


Open a terminal window.


Run


sudo vi /etc/apparmor.d/librewolf

 

and paste in this:

 

# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"
abi <abi/4.0>,
include <tunables/global>
profile librewolf /usr/share/librewolf/librewolf flags=(unconfined) {
    userns,
    # Site-specific additions and overrides. See local/README for details.
    include if exists <.librewolf>
}


then run


 sudo systemctl restart apparmor.service


The warning banner should not be there next time you open Librewolf.
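
A pasted profile is easy to break (a wrapped header line, a lost comma), so here is a quick sanity check to run on the file before restarting AppArmor. This is an added example, not part of the original post or of AppArmor; the function names and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example: sanity-check a name-only AppArmor profile like the one above.

# $1 = profile file, $2 = binary the profile should attach to.
# Prints each problem found; returns 0 only if the file looks right.
lint_userns_profile() {
    file=$1; bin=$2; rc=0
    # The header must be ONE line: profile NAME PATH flags=(unconfined) {
    header=$(grep -E '^[[:space:]]*profile[[:space:]]' "$file" | head -n 1)
    case "$header" in
        *" $bin "*"flags=(unconfined)"*"{"*) ;;
        *) echo "header is not 'profile NAME $bin flags=(unconfined) {'"; rc=1 ;;
    esac
    # The profile above carries a 'userns,' rule; flag its absence.
    grep -Eq '^[[:space:]]*userns,' "$file" || { echo "missing 'userns,' rule"; rc=1; }
    # The abi line needs its trailing comma.
    grep -Eq '^[[:space:]]*abi[[:space:]]+<[^>]+>,' "$file" || { echo "bad abi line"; rc=1; }
    return $rc
}

# Constructed samples: "good" has a one-line header, anything else wraps it.
make_sample() {
    f=$(mktemp)
    if [ "$1" = good ]; then
        hdr='profile librewolf /usr/share/librewolf/librewolf flags=(unconfined) {'
    else
        hdr=$(printf 'profile librewolf\n/usr/share/librewolf/librewolf\nflags=(unconfined) {')
    fi
    printf '%s\n' 'abi <abi/4.0>,' 'include <tunables/global>' "$hdr" '    userns,' '}' > "$f"
    echo "$f"
}

good=$(make_sample good); wrapped=$(make_sample wrapped)
lint_userns_profile "$good" /usr/share/librewolf/librewolf && echo "good: ok"
lint_userns_profile "$wrapped" /usr/share/librewolf/librewolf || echo "wrapped: rejected"
rm -f "$good" "$wrapped"

# Live use:
#   lint_userns_profile /etc/apparmor.d/librewolf /usr/share/librewolf/librewolf
```

For a full syntax check, sudo apparmor_parser -Q /etc/apparmor.d/librewolf parses the file without loading it into the kernel.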

Tuesday, 19 March 2024

Gentoo grub-probe not working

 I have a bunch of history commands I run when I do a new kernel etc. and one stopped working.


grub-mkconfig would fail with grub-probe for /.

 

I read about a similar issue where you were supposed to have a link for /dev/root to your root device and that fixed it right up.


grub-probe fails and I don't have /dev/root set

 

StudyPC /usr/src/linux # grub-probe /
grub-probe: error: cannot find a device for / (is /dev mounted?).
StudyPC /usr/src/linux # ls -l /dev/root
ls: cannot access '/dev/root': No such file or directory

 

Mount shows / is there and on sda2


StudyPC /usr/src/linux # mount
/dev/sda2 on / type btrfs (rw,noatime,ssd,discard,noacl,space_cache,subvolid=5,subvol=/)
..

waffle

..

 

So symlink that and try grub-mkconfig again

 

StudyPC /usr/src/linux # ln -s /dev/sda2 /dev/root
StudyPC /usr/src/linux # ls -l /dev/root
lrwxrwxrwx 1 root root 9 Mar 19 13:04 /dev/root -> /dev/sda2
StudyPC /usr/src/linux # grub-probe
No path or device is specified.
Usage: grub-probe [OPTION...] [OPTION]... [PATH|DEVICE]
Try 'grub-probe --help' or 'grub-probe --usage' for more information.
StudyPC /usr/src/linux # grub-probe /
btrfs


And we're good!  No more handcoding grub.cfg

Thursday, 15 June 2023

Time for a change

 We're moving on a bit in life.  Got an empty house, got a stupid car.


So it's time to start tracking the stuff we watch and how good it was.


So let's start with


God Bless America


Classic movie.  This man gets all the things I hate. Social media is this generation's smoking.  It will get worse when we look back on it.


Solid 9/10


Blake's 7 the complete series.


This aged better than I thought it would. Loved this series as a child.  I tried to make the liberator so many times for art projects.


Decent 7/10


Cold Case


Really enjoyed this as my going to bed series.  So I may have missed a bit here and there.  A little samey but good arcs in the series and some interesting back stories.


Decent 7/10


Friday, 2 April 2021

Nanomesher Weather Board tweak

 I've backed a number of Nanomesher's boards on Kickstarter from the weather prodboard to different audio boards, and they've all been great.  The DAC2 in particular is a fantastic piece of kit.


I was playing with the Weather board and tweaked the script a bit to show the time and date rather than the default Nanomesher PiAirMon.


To do this vi the PiAirMon.py file and comment out the line with the old text and add the new lines:

 

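        # needs "import datetime" at the top of PiAirMon.py if it is not already there
        with canvas(device) as draw:
#            draw.text((1, 1), "Nanomesher Air Mon", font=font1, fill="white")
            # show the time, day, date and month instead of the default banner
            now = datetime.datetime.now()
            draw.text((1, 1), now.strftime('%H:%M:%S %a %d %b'), font=font1, fill="white")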

This shows in your locale the time, day, date and month.


So mine currently shows


14:37:29 Fri 02 Apr

 

This sits on the desk in front of me to remind me to open the window when the CO2 gets too high, and it's nice having a clock on it.

 

 

Thursday, 13 December 2018

CS:GO on Linux not starting

Valve, for a company that supposedly loves Linux your support is terrible. I got pointed to a community forum for support when logging this with them. To top it off I paid for it a week before they made it free. Grr..

So I could get CS:GO to launch sometimes so it did work but rarely.

After some pretty extreme testing it seems you need to slow it down when launching.

I found sometimes just alt tabbing repeatedly was enough but that was hard to replicate.

Ready for the most stupid work around ever?

Are you sitting down for this one?

I run Gentoo Linux so everything is compiled from scratch. You can see where this is going..

I start compiling something.  Mesa is my usual goto.  Once this is compiling it slows down the launch of CSGO enough that it works.

This is just insane. I tried changing versions of libraries, dependencies etc. but none of this mattered; just making the system loaded while launching works.


Edit:  turns out you can avoid all this by adding the -nojoy option in the command line options.

Sunday, 26 August 2018

Postfix with ECDSA certificate not connecting

I was playing with this a while back and it didn't work and got forgotten about but this time I dug into it further.

There are lots of guides for setting this up such as

https://zhadum.org.uk/2015/07/25/ssl-certificate-agility-with-postfix/

but this did not work for me.  Using

openssl s_client -cipher ECDHE-ECDSA-AES128-SHA -connect localhost:25 -starttls smtp

CONNECTED(00000003)
1995830688:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1399:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent

failed and said it had been presented no cert.

After looking at my cert file I noticed:

 openssl x509 -text -noout
-----BEGIN CERTIFICATE-----
MIID9zCCA5ygAwIBAgIQJDK88IzKKF3Cva9HhMswejAKBggqhkjOPQQDAjCBkDEL
MAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE
BxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxNjA0BgNVBAMT

...

        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub: 
                    04:24:64:3c:45:da:96:fe:eb:cd:0b:4c:9b:da:4f:
                    db:dd:0d:fa:e9:14:54:67:96:3e:81:3f:55:b8:1d:
                    36:0a:db:c7:a8:be:32:a2:5d:59:4c:dd:c6:11:78:
                    a4:cd:6b:12:c4:0d:76:af:6e:ef:8e:b5:78:4a:ae:
                    94:5a:90:ac:21:04:6a:f1:f2:6e:2e:8d:87:d8:46:
                    a3:54:f3:7e:f0:08:8e:81:3b:1c:0a:1d:ff:b8:a7:
                    fd:db:91:3a:b6:0b:48
                ASN1 OID: secp384r1
                NIST CURVE: P-384



from the postfix page

    smtpd_tls_eecdh_grade = strong | ultra
    # Underlying curves, best not changed:
    # tls_eecdh_strong_curve = prime256v1
    # tls_eecdh_ultra_curve = secp384r1

In my version 3.1 it defaults to strong

postconf -d | grep smtpd_tls_eecdh_grade
smtpd_tls_eecdh_grade = strong

but needs to be set to ultra to support secp384r1, which the cert was issued with. So adding the line

smtpd_tls_eecdh_grade = ultra

to main.cf made the cert work.

None of the other articles I have seen mention this so maybe it's not that common.
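
The check this post arrives at, written out as an added shell example (not part of the original post or of Postfix): it reads the curve from openssl x509 -text -noout output and compares it with the configured grade, using the strong/ultra curve table quoted above. It assumes the two grades of the Postfix 3.1 setup described here; the function names and the sample text are constructed for illustration.

```sh
#!/bin/sh
# Added example: does smtpd_tls_eecdh_grade match the certificate's curve?

# Print the curve named on the "ASN1 OID:" line of x509 text read from stdin.
cert_curve() {
    awk -F': *' '/ASN1 OID:/ { print $2; exit }'
}

# Map a curve to the grade whose underlying curve it is (table quoted above).
grade_for_curve() {
    case "$1" in
        prime256v1) echo strong ;;
        secp384r1)  echo ultra ;;
        *)          return 1 ;;
    esac
}

# $1 = output of "openssl x509 -text -noout", $2 = configured grade.
# Returns 0 on match, 1 on mismatch, 2 if the curve cannot be judged.
check_grade() {
    curve=$(printf '%s\n' "$1" | cert_curve)
    [ -n "$curve" ] || { echo "no EC curve found (not an ECDSA cert?)"; return 2; }
    need=$(grade_for_curve "$curve") || { echo "curve $curve is in neither grade"; return 2; }
    if [ "$need" = "$2" ]; then
        echo "ok: $curve matches grade $2"
    else
        echo "mismatch: $curve needs smtpd_tls_eecdh_grade = $need (configured: $2)"
        return 1
    fi
}

# Constructed sample: the key lines of the certificate dump above.
SAMPLE_X509='        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                ASN1 OID: secp384r1
                NIST CURVE: P-384'

check_grade "$SAMPLE_X509" strong || true   # the post's situation: mismatch
check_grade "$SAMPLE_X509" ultra            # after the main.cf change: ok

# Live use (cert path is a placeholder):
#   check_grade "$(openssl x509 -in /path/to/cert.pem -text -noout)" \
#               "$(postconf -h smtpd_tls_eecdh_grade)"
```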


Saturday, 17 March 2018

Switch your Raspberry Pi 3 to use a hard drive

I have a Pi 3 that is a DNS, web, email etc server and it's gone through a few SD cards and gets bogged down in high wait % in top sometimes.  It has a USB drive for storage for Storj etc and I was reading how you can boot a Pi 3 with a hard drive to speed things up and hopefully be a bit more reliable than the SD cards have been.

So I found this article

https://thepi.io/how-to-boot-your-raspberry-pi-from-a-usb-mass-storage-device/

Now a bunch of gotchas came up.

Firstly, the boot USB option is an OTP setting.  This means once it's set, it's set for good on your device. Read up on this before doing it!

https://github.com/raspberrypi/documentation/blob/master/hardware/raspberrypi/bootmodes/bootflow.md

I had a spare drive so I restored a Jessie image to the drive and plugged it in after setting the option

program_usb_boot_mode=1

and it seemed to boot (it's headless) but the drive was accessing, the network was flashing etc. Seems pretty easy.

OK, let's try and migrate the current SD card and drive to a new drive.

So some points to note here.  I tried the SDCard again to get DNS etc back up while I moved data around and it would not boot. Seems you need to remove the line we added earlier

program_usb_boot_mode=1

from /boot/config.txt or the SD card won't boot again. That's a bit annoying.

So I imaged the SDCard and restored this to the drive and tried to boot this and it started but then did not complete booting. OK silly move, need to modify the /etc/fstab on the root partition and the /boot/cmdline to say sda rather than the mmc device that is the SDCard.

Once that was done it booted OK.  We're getting there. Tried to use raspi-config to expand the root partition but that doesn't know what the drive is and only works on SDCards.  Doh. Back to the PC and expand with GParted and finish copying the data over and we're in business.

So in short, to move your RaPi3 to a harddrive:

Image your SDCard and restore this to the new harddrive.
Expand the harddrive root partition with GParted or similar.
Modify the /etc/fstab and /boot/cmdline on the new drive to use sda rather than the mmc device (I had 3 entries).
On the Pi, set the "program_usb_boot_mode=1" option in /boot/config.txt and reboot.
Shut the Pi down and remove the SDCard and plug in the USB drive and it should boot.

Hope that saves some frustration :-)
