[GH-ISSUE #1847] Firefox 60.0b (dev edition) can't display webpages when 'seccomp' or 'shell none' enabled #1252

Closed
opened 2026-05-05 07:43:45 -06:00 by gitea-mirror · 12 comments

Originally created by @yourcelf on GitHub (Mar 29, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1847

Using firejail 0.9.52 on Ubuntu 16.04.4.

It looks like Firefox 60b Developer Edition (currently at 60.0b7) isn't working if `seccomp` or `shell none` are enabled (they are enabled by default in both `firefox.profile` and `firefox-developer-edition.profile`). Firefox will launch and display the window, but is unable to load any webpages or display tabs.

With `shell none` enabled, firefox prints the following errors in the console:

```
###!!! [Parent][MessageChannel] Error: (msgtype=0x15007F,name=PBrowser::Msg_Destroy) Channel error: cannot send/recv

IPDL protocol error: Handler returned error code!

###!!! [Parent][DispatchAsyncMessage] Error: PBackgroundStorage::Msg_ClearMatchingOriginAttributes Processing error: message was deserialized, but the handler returned false (indicating failure)
```

With just `seccomp` enabled but `shell none` disabled, no obvious errors are printed, but the same behavior applies (the main window shows, but is unable to load webpages or tabs).

Launching with `firejail --noprofile` or using a profile with `seccomp` and `shell none` removed works fine.


@Vincent43 commented on GitHub (Mar 29, 2018):

Perhaps duplicate of https://github.com/netblue30/firejail/issues/1765


@netblue30 commented on GitHub (Apr 1, 2018):

Works fine for me on Debian stable. They are enabling 3D acceleration by default in the browser.

@yourcelf what video card and video drivers do you have? Also try the following:

```
$ firejail --no3d firefox    # in this case Firefox should revert to regular no-3D browsing
$ firejail --ignore=shell --allow-debuggers firefox    # some Nvidia drivers are getting killed making a call to ptrace
```

@yourcelf commented on GitHub (Apr 2, 2018):

```
$ lspci | grep VGA
00:02.0 VGA compatible controller: Intel Corporation Sky Lake Integrated Graphics (rev 07)
00:13.0 Non-VGA unclassified device: Intel Corporation Device 9d35 (rev 21)
```

After re-enabling `seccomp` and `shell none`, launching with `--no3d` and `ignore=shell --allow-debuggers` doesn't seem to fix the problem. Every attempt to load a tab displays "Gah. Your tab just crashed." With the `--ignore=shell --allow-debuggers` options, the crash message includes a feedback collector requesting that I submit a report to Mozilla.


@Vincent43 commented on GitHub (Apr 3, 2018):

Can you try if setting `media.cubeb.sandbox` to `false` in firefox `about:config` helps?


@smitsohu commented on GitHub (Apr 4, 2018):

@netblue30 to reproduce on Debian or Arch, try it with `sudo sysctl kernel.unprivileged_userns_clone=1`


@yourcelf commented on GitHub (Apr 5, 2018):

@Vincent43 With `seccomp` and `shell none` enabled, setting `media.cubeb.sandbox=false` and launching with `--ignore=shell --allow-debuggers` seems to work.

Just `--ignore3d` with `media.cubeb.sandbox=false` didn't seem to change anything.


@Vincent43 commented on GitHub (Apr 5, 2018):

It's probably related to Firefox's own sandboxing so `--no3d` doesn't matter here. Do I understand correctly that `--ignore=shell --allow-debuggers` is still needed when `media.cubeb.sandbox=false` is used?


@yourcelf commented on GitHub (Apr 5, 2018):

Yes -- with `media.cubeb.sandbox=false` but without `--ignore=shell --allow-debuggers` I still get "Gah. Your tab just crashed." on any attempt to load a page.


@Vincent43 commented on GitHub (Apr 5, 2018):

Did you try using only one of them (`--ignore=shell` or `--allow-debuggers`)?


@yourcelf commented on GitHub (Apr 5, 2018):

Here's the behavior for each combination of `--ignore=shell`, `--allow-debuggers`, and `media.cubeb.sandbox=false`.

- "tabs don't load": means you can type an address and hit enter or press go, but the browser makes no apparent attempt to access the network or load the page.
- "tab crash (plain)": "Gah" message without feedback reporter. [image: screenshot from 2018-04-05 10-04-58]
- "tab crash (fancy)": "Gah" message with feedback reporter. [image: screenshot from 2018-04-05 10-04-27]

```
behavior          | --ignore=shell | --allow-debuggers | `media.cubeb.sandbox=false` |
--------------------------------------------------------------------------------------
tab crash (plain) |                |                   |                             |
--------------------------------------------------------------------------------------
tabs don't load   |       X        |                   |                             |
--------------------------------------------------------------------------------------
tab crash (plain) |                |         X         |                             |
--------------------------------------------------------------------------------------
tab crash (plain) |                |                   |             X               |
--------------------------------------------------------------------------------------
tab crash (fancy) |       X        |         X         |                             |
--------------------------------------------------------------------------------------
works!            |       X        |                   |             X               |
--------------------------------------------------------------------------------------
tab crash (plain) |                |         X         |             X               |
--------------------------------------------------------------------------------------
works!            |       X        |         X         |             X               |
--------------------------------------------------------------------------------------
```

@Vincent43 commented on GitHub (Apr 5, 2018):

So `allow-debuggers` doesn't matter here (it only allows triggering the crash reporter, which is useless here anyway). Best workaround for you would probably be to create `/etc/firejail/firefox-common.local` and add there:

```
ignore seccomp
ignore shell
```

lines while keeping `media.cubeb.sandbox=true`. We will probably remove them from the Firefox profiles soon. Firefox is building its own sandbox, which is a better fit than what we could do here. We will still be covering other things like file access.
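
To see what the `firefox-common.local` override suggested in the comment above switches off and what hardening stays in force, here is an added example (not part of the thread and not firejail code). The function name `audit_override`, the sample file contents, and the modelling of `ignore X` as a prefix match on profile lines are assumptions.

```shell
#!/bin/sh
# Added example: report which profile directives a .local override disables.
# Assumption: "ignore X" drops every profile line that begins with X.

# audit_override MODE PROFILE LOCAL   (MODE is "disabled" or "kept")
audit_override() {
    awk -v mode="$1" '
        FILENAME == ARGV[1] {                # first file: the .local override
            if ($1 == "ignore") {
                sub(/^[ \t]*ignore[ \t]+/, ""); sub(/[ \t]+$/, "")
                ign[++n] = $0                # remember the ignored prefix
            }
            next
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
        {
            sub(/^[ \t]+/, ""); hit = 0
            for (i = 1; i <= n; i++)
                if (index($0, ign[i]) == 1) hit = 1
            if ((mode == "disabled") == hit) print
        }
    ' "$3" "$2"
}

# Constructed sample files (not the shipped firefox-common.profile).
make_sample() {
    dir=$(mktemp -d)
    printf '%s\n' '# constructed sample profile' 'caps.drop all' 'nonewprivs' \
        'noroot' 'seccomp' 'shell none' 'private-tmp' > "$dir/sample.profile"
    printf '%s\n' 'ignore seccomp' 'ignore shell' > "$dir/sample.local"
    echo "$dir"
}

d=$(make_sample)
echo "Disabled by the override:"
audit_override disabled "$d/sample.profile" "$d/sample.local"
echo "Still enforced:"
audit_override kept "$d/sample.profile" "$d/sample.local"
rm -rf "$d"
```

The script does not follow `include` lines, so run it against each profile file the browser profile pulls in.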


@smitsohu commented on GitHub (Apr 7, 2018):

fixed in 052081416736808e6ec0dbd59aa01097c86c359e, thanks for the bug report.