github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #1885] Google-chrome does not open anymore. #1271

New issue
Closed
opened 2026-05-05 07:45:39 -06:00 by gitea-mirror · 9 comments
gitea-mirror commented 2026-05-05 07:45:39 -06:00
Owner
Copy link

Originally created by @ghost on GitHub (Apr 12, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1885

Hi,

I executed sudo firecfg, and after a reboot, I can't launch google-chrome anymore.
I'm posting with chromium, which runs fine.

firejail version 0.9.53

Compile time support:
	- AppArmor support is disabled
	- AppImage support is enabled
	- bind support is enabled
	- chroot support is enabled
	- file and directory whitelisting support is enabled
	- file transfer support is enabled
	- networking support is enabled
	- overlayfs support is enabled
	- private-home support is enabled
	- seccomp-bpf support is enabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled

Distrib : Ubuntu 16.04 LTS
Google-chrome : Google Chrome 65.0.3325.181

firejail google-chrome


Reading profile /usr/local/etc/firejail/google-chrome.profile
Reading profile /usr/local/etc/firejail/chromium-common.profile
Reading profile /usr/local/etc/firejail/disable-common.inc
Reading profile /usr/local/etc/firejail/disable-devel.inc
Reading profile /usr/local/etc/firejail/disable-interpreters.inc
Reading profile /usr/local/etc/firejail/disable-programs.inc
Reading profile /usr/local/etc/firejail/whitelist-common.inc
Reading profile /usr/local/etc/firejail/whitelist-var-common.inc
Parent pid 4641, child pid 4642
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Child process initialized in 88.85 ms
Warning: an existing sandbox was detected. /usr/bin/google-chrome will run without any additional sandboxing features
/usr/bin/google-chrome: line 45: /dev/fd/62: No such file or directory
/usr/bin/google-chrome: line 46: /dev/fd/62: No such file or directory

(google-chrome:6): GLib-GIO-CRITICAL **: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(google-chrome:6): GLib-GIO-CRITICAL **: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(google-chrome:6): GLib-GIO-CRITICAL **: g_dbus_connection_get_unique_name: assertion 'G_IS_DBUS_CONNECTION (connection)' failed
[6:24:0412/200611.719344:ERROR:address_tracker_linux.cc(174)] Could not bind NETLINK socket: Address already in use (98)

EDIT : if I sudo firecfg --clean and run google-chrome without jail, it opens google-chrome window.
EDIT2 : same issue happens with chromium when I restarted the browser.

Any idea what is going wrong ?
(I'm using nvidia proprietary drivers)

Originally created by @ghost on GitHub (Apr 12, 2018). Original GitHub issue: https://github.com/netblue30/firejail/issues/1885 Hi, I executed `sudo firecfg`, and after a reboot, I can't launch google-chrome anymore. I'm posting with chromium, which runs fine. ``` firejail version 0.9.53 Compile time support: - AppArmor support is disabled - AppImage support is enabled - bind support is enabled - chroot support is enabled - file and directory whitelisting support is enabled - file transfer support is enabled - networking support is enabled - overlayfs support is enabled - private-home support is enabled - seccomp-bpf support is enabled - user namespace support is enabled - X11 sandboxing support is enabled ``` Distrib : Ubuntu 16.04 LTS Google-chrome : `Google Chrome 65.0.3325.181` ``` firejail google-chrome Reading profile /usr/local/etc/firejail/google-chrome.profile Reading profile /usr/local/etc/firejail/chromium-common.profile Reading profile /usr/local/etc/firejail/disable-common.inc Reading profile /usr/local/etc/firejail/disable-devel.inc Reading profile /usr/local/etc/firejail/disable-interpreters.inc Reading profile /usr/local/etc/firejail/disable-programs.inc Reading profile /usr/local/etc/firejail/whitelist-common.inc Reading profile /usr/local/etc/firejail/whitelist-var-common.inc Parent pid 4641, child pid 4642 Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set. Child process initialized in 88.85 ms Warning: an existing sandbox was detected. /usr/bin/google-chrome will run without any additional sandboxing features /usr/bin/google-chrome: line 45: /dev/fd/62: No such file or directory /usr/bin/google-chrome: line 46: /dev/fd/62: No such file or directory (google-chrome:6): GLib-GIO-CRITICAL **: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed (google-chrome:6): GLib-GIO-CRITICAL **: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed (google-chrome:6): GLib-GIO-CRITICAL **: g_dbus_connection_get_unique_name: assertion 'G_IS_DBUS_CONNECTION (connection)' failed [6:24:0412/200611.719344:ERROR:address_tracker_linux.cc(174)] Could not bind NETLINK socket: Address already in use (98) ``` EDIT : if I `sudo firecfg --clean` and run `google-chrome` without jail, it opens google-chrome window. EDIT2 : same issue happens with chromium when I restarted the browser. Any idea what is going wrong ? (I'm using nvidia proprietary drivers)
gitea-mirror commented 2026-05-05 07:45:42 -06:00
Author
Owner
Copy link

@SkewedZeppelin commented on GitHub (Apr 13, 2018):

if you've run firecfg then doing firejail google-chrome is equlivant to firejail firejail /usr/bin/google-chrome

assuming running firejail /usr/bin/google-chrome still has issues:

  • commenting noroot is the fix for nvidia issues
  • commenting private-dev will fix those /dev/fd errors
  • the dbus errors are intended as part of nodbus
<!-- gh-comment-id:381166076 --> @SkewedZeppelin commented on GitHub (Apr 13, 2018): if you've run firecfg then doing `firejail google-chrome` is equlivant to `firejail firejail /usr/bin/google-chrome` assuming running `firejail /usr/bin/google-chrome` still has issues: - commenting `noroot` is the fix for nvidia issues - commenting `private-dev` will fix those /dev/fd errors - the dbus errors are intended as part of `nodbus`
gitea-mirror commented 2026-05-05 07:45:44 -06:00
Author
Owner
Copy link

@noahhaon commented on GitHub (Apr 13, 2018):

Adding the following lines to /etc/firejail/google-chrome.local fixed the issue for me on Ubuntu 16.04.4 LTS:

ignore private-dev
ignore nodbus
<!-- gh-comment-id:381237246 --> @noahhaon commented on GitHub (Apr 13, 2018): Adding the following lines to `/etc/firejail/google-chrome.local` fixed the issue for me on Ubuntu 16.04.4 LTS: ``` ignore private-dev ignore nodbus ```
gitea-mirror commented 2026-05-05 07:45:46 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Apr 14, 2018):

@SkewedZeppelin : Yes, on the firejail google-chrome command, I had disable firecfg by executing sudo firecfg --clean, sorry that I didn't mention that, your assumption was good. :-)
Adding the parameters did not help me.

@noahhaon : I don't have a firejail folder in /etc.
So I executed ./configure && make && sudo make install-strip but still, no firejail folder in /etc.
After executing the installation command, I retried :
firejail google-chrome : it worked !
sudo firecfg + google-chrome : nope, just like before.
sudo firecfg --clean + firejail google-chrome : it worked !

Browser does start with firejail command, but does not start if I launch it after firecfg.

<!-- gh-comment-id:381341113 --> @ghost commented on GitHub (Apr 14, 2018): @SkewedZeppelin : Yes, on the `firejail google-chrome` command, I had disable firecfg by executing `sudo firecfg --clean`, sorry that I didn't mention that, your assumption was good. :-) Adding the parameters did not help me. @noahhaon : I don't have a firejail folder in /etc. So I executed `./configure && make && sudo make install-strip` but still, no firejail folder in /etc. After executing the installation command, I retried : `firejail google-chrome` : it worked ! `sudo firecfg` + `google-chrome` : nope, just like before. `sudo firecfg --clean` + `firejail google-chrome` : it worked ! Browser does start with firejail command, but does not start if I launch it after firecfg.
gitea-mirror commented 2026-05-05 07:45:47 -06:00
Author
Owner
Copy link

@joeygravlin commented on GitHub (Apr 18, 2018):

I'm having the same Could not bind NETLINK socket: Address already in use (98) error on Arch Linux. At any rate, downgrading the package from chromium-66.0.3359.117-1 - > chromium-65.0.3325.181-7 seems to resolve the issue on my machine.

The following chromium version segfaults both with{,out} firejail sandbox... Not sure whether this is a problem with upstream or with Arch's packaging...

Dmesg shows chromium-66.0.3359.117-1 segfaults both with{,out} firejail sandbox... Downgrading for the time being.

Running firejail --debug chromium gives:

...
starting application
LD_PRELOAD=(null)
execvp argument 0: /usr/bin/chromium
Child process initialized in 134.37 ms
monitoring pid 9

[9:19:0418/171130.317285:ERROR:address_tracker_linux.cc(175)] Could not bind NETLINK socket: Address already in use (98)
Sandbox monitor: waitpid 9 retval 9 status 139
Sandbox monitor: monitoring 11
monitoring pid 11

Sandbox monitor: waitpid 11 retval 11 status 0

Parent is shutting down, bye...

Here's my current ~/.config/firejail/chromium.profile:

# Firejail profile for chromium
# This file is overwritten after every install/update
# Persistent local customizations
include /etc/firejail/chromium.local
# Persistent global definitions
include /etc/firejail/globals.local

noblacklist ${HOME}/.cache/chromium
noblacklist ${HOME}/.config/chromium
noblacklist ${HOME}/.config/chromium-flags.conf
noblacklist ${HOME}/.pki

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-programs.inc

mkdir ${HOME}/.cache/chromium
mkdir ${HOME}/.config/chromium
mkdir ${HOME}/.pki
whitelist ${DOWNLOADS}
whitelist ${HOME}/.cache/chromium
whitelist ${HOME}/.config/chromium
whitelist ${HOME}/.config/chromium-flags.conf
whitelist ${HOME}/.pki
include /etc/firejail/whitelist-common.inc
include /etc/firejail/whitelist-var-common.inc

caps.keep sys_chroot,sys_admin
netfilter
#nodbus
nodvd
nogroups
notv
shell none

disable-mnt
# private-bin chromium,chromium-browser,chromedriver
# private-dev disabled for u2f keys.
# private-dev
# private-tmp - problems with multiple browser sessions

noexec ${HOME}
noexec /tmp

# the file dialog needs to work without d-bus
#env NO_CHROME_KDE_FILE_DIALOG=1
<!-- gh-comment-id:382539460 --> @joeygravlin commented on GitHub (Apr 18, 2018): I'm having the same `Could not bind NETLINK socket: Address already in use (98)` error on Arch Linux. At any rate, downgrading the package from `chromium-66.0.3359.117-1` - > `chromium-65.0.3325.181-7` seems to resolve the issue on my machine. The following chromium version segfaults both with{,out} firejail sandbox... Not sure whether this is a problem with upstream or with Arch's packaging... Dmesg shows `chromium-66.0.3359.117-1` segfaults both with{,out} firejail sandbox... Downgrading for the time being. Running `firejail --debug chromium` gives: ``` ... starting application LD_PRELOAD=(null) execvp argument 0: /usr/bin/chromium Child process initialized in 134.37 ms monitoring pid 9 [9:19:0418/171130.317285:ERROR:address_tracker_linux.cc(175)] Could not bind NETLINK socket: Address already in use (98) Sandbox monitor: waitpid 9 retval 9 status 139 Sandbox monitor: monitoring 11 monitoring pid 11 Sandbox monitor: waitpid 11 retval 11 status 0 Parent is shutting down, bye... ``` Here's my current `~/.config/firejail/chromium.profile`: ```bash # Firejail profile for chromium # This file is overwritten after every install/update # Persistent local customizations include /etc/firejail/chromium.local # Persistent global definitions include /etc/firejail/globals.local noblacklist ${HOME}/.cache/chromium noblacklist ${HOME}/.config/chromium noblacklist ${HOME}/.config/chromium-flags.conf noblacklist ${HOME}/.pki include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-programs.inc mkdir ${HOME}/.cache/chromium mkdir ${HOME}/.config/chromium mkdir ${HOME}/.pki whitelist ${DOWNLOADS} whitelist ${HOME}/.cache/chromium whitelist ${HOME}/.config/chromium whitelist ${HOME}/.config/chromium-flags.conf whitelist ${HOME}/.pki include /etc/firejail/whitelist-common.inc include /etc/firejail/whitelist-var-common.inc caps.keep sys_chroot,sys_admin netfilter #nodbus nodvd nogroups notv shell none disable-mnt # private-bin chromium,chromium-browser,chromedriver # private-dev disabled for u2f keys. # private-dev # private-tmp - problems with multiple browser sessions noexec ${HOME} noexec /tmp # the file dialog needs to work without d-bus #env NO_CHROME_KDE_FILE_DIALOG=1 ```
gitea-mirror commented 2026-05-05 07:45:48 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Apr 19, 2018):

@joeygravlin You also have last firejail version ?
Trying to run firejail chromium (or google-chrome) still doesn't work for me with last version.
If I downgrade firejail version to 0.9.38.10, it works with last google-chrome / chromium version.

<!-- gh-comment-id:382615781 --> @ghost commented on GitHub (Apr 19, 2018): @joeygravlin You also have last firejail version ? Trying to run firejail chromium (or google-chrome) still doesn't work for me with last version. If I downgrade firejail version to 0.9.38.10, it works with last google-chrome / chromium version.
gitea-mirror commented 2026-05-05 07:45:49 -06:00
Author
Owner
Copy link

@joeygravlin commented on GitHub (Apr 19, 2018):

I'm on firejail version 0.9.52 - the most recent release/non-dev version of firejail, and also the version currently maintained in the arch community repo.

I haven't tried downgrading firejail; in fact, v0.9.52 is the only version of firejail I've ever run to date, as there hasn't been a new release version since I've started using it. I haven't had an issue with chromium and firejail version 0.9.52 until now, and since chromium-66.0.3359.117-1 was segfault on its own (even without running inside a firejail sandbox), I'm inclined to think that the issue is with the latest chromium release.

I intend to investigate the issue further at some point next week (assuming it isn't resolved by a subsequent chromium update...), but it will have to wait, because I have final exams to contend with currently. Just figured I'd share what I'd found in the meantime / add another data point to the issue.

<!-- gh-comment-id:382910535 --> @joeygravlin commented on GitHub (Apr 19, 2018): I'm on `firejail version 0.9.52` - the most recent release/non-dev version of firejail, and also the version currently maintained in the [arch community repo](https://git.archlinux.org/svntogit/community.git/commit/trunk?h=packages/firejail&id=4011e5b2196f5ca486bf05f15ebad88325f97a4a). I haven't tried downgrading firejail; in fact, `v0.9.52` is the only version of firejail I've ever run to date, as there hasn't been a new release version since I've started using it. I haven't had an issue with chromium and `firejail version 0.9.52` until now, and since `chromium-66.0.3359.117-1` was segfault on its own (even without running inside a firejail sandbox), I'm inclined to think that the issue is with the latest chromium release. I intend to investigate the issue further at some point next week (assuming it isn't resolved by a subsequent chromium update...), but it will have to wait, because I have final exams to contend with currently. Just figured I'd share what I'd found in the meantime / add another data point to the issue.
gitea-mirror commented 2026-05-05 07:45:50 -06:00
Author
Owner
Copy link

@Fred-Barclay commented on GitHub (Apr 20, 2018):

I'm on Arch and latest Chrome (v66.0.3359.117) and I haven't had any crashes with Chrome either in or out of firejail. Right now it does sound like the issue is with chromium, not firejail. 😄

<!-- gh-comment-id:382925735 --> @Fred-Barclay commented on GitHub (Apr 20, 2018): I'm on Arch and latest Chrome (v66.0.3359.117) and I haven't had any crashes with Chrome either in or out of firejail. Right now it does sound like the issue is with chromium, not firejail. :smile:
gitea-mirror commented 2026-05-05 07:45:52 -06:00
Author
Owner
Copy link

@joeygravlin commented on GitHub (May 20, 2018):

On my machine, problem is resolved by mv ~/.config/chromium-flags.conf{,.bak}, as suggested by:
bugs.archlinux.org - FS#58269 - [chromium] crashes with: "Segmentation fault (core dumped)" on startup - #comment168669

<!-- gh-comment-id:390485978 --> @joeygravlin commented on GitHub (May 20, 2018): On my machine, problem is resolved by `mv ~/.config/chromium-flags.conf{,.bak}`, as suggested by: [bugs.archlinux.org - FS#58269 - [chromium] crashes with: "Segmentation fault (core dumped)" on startup - #comment168669](https://bugs.archlinux.org/task/58269#comment168669)
gitea-mirror commented 2026-05-05 07:45:53 -06:00
Author
Owner
Copy link

@chiraag-nataraj commented on GitHub (Dec 9, 2018):

OP has left Github and it looks like other posters have resolved the issues they had.

<!-- gh-comment-id:445541953 --> @chiraag-nataraj commented on GitHub (Dec 9, 2018): OP has left Github and it looks like other posters have resolved the issues they had.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#1271
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?