[GH-ISSUE #1929] FJ + Thunderbird + GPG + Keycard #1291

Closed
opened 2026-05-05 07:48:34 -06:00 by gitea-mirror · 7 comments

Originally created by @cyrinux on GitHub (May 8, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1929

Hi,
I'm running Arch Linux with the hardened kernel and AppArmor enabled.
I use a YubiKey to sign my mail with GPG in Thunderbird, and I spent the day trying to make signing work in firejail.
The problem seems to be the pinentry program. By default it finds my pinentry-gnome3, which says "No Gcr System Prompter available, falling back to curses" and seems to fall back to ncurses, but I can see it. In summary, I get no prompt to enter the card PIN and this fails quickly.
Gcr is:

```
❯ pacman -Qi gcr
Name            : gcr
Version         : 3.28.0-3
Description     : A library for bits of crypto UI and parsing
Architecture    : x86_64
URL             : https://git.gnome.org/browse/gcr
Licenses        : GPL2
Groups          : None
Provides        : None
Depends On      : dconf gtk3 libgcrypt p11-kit
Optional Deps   : None
Required By     : gnome-keyring gnome-online-accounts gvfs libcryptui nm-connection-editor
Optional For    : pinentry
Conflicts With  : None
Replaces        : None
Installed Size  : 5.44 MiB
Packager        : Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>
Build Date      : Thu 03 May 2018 01:22:39 AM CEST
Install Date    : Sat 05 May 2018 07:38:59 PM CEST
Install Reason  : Installed as a dependency for another package
Install Script  : No
Validated By    : Signature
```

If I force pinentry to pinentry-gtk-2 I don't get this error, but can find the problem.
Do you have an idea?

Regards


@Vincent43 commented on GitHub (May 8, 2018):

First of all, try running `firejail --noprofile thunderbird` and check if it works.

After that, look at `/etc/firejail/thunderbird.profile`. Copy it to `~/.config/firejail/thunderbird.profile` and try disabling some options until you find what causes the breakage.

If you run thunderbird from a console, you may check whether it prints any useful messages.


@cyrinux commented on GitHub (May 8, 2018):

Works with `--noprofile` and with removing the firefox.profile include in the TB profile.
But then it seems very light and I can open a link :)
Thus, I would like to use chromium instead of firefox.
If I include the chromium profile instead of firefox, this doesn't work either.
I have no readable error in the console :/
If I understand correctly, all TB and FF stuff is in firefox-common, and the breaking options are inside.


@cyrinux commented on GitHub (May 8, 2018):

So, I have replaced the include of firefox with the chromium profile, then updated chromium-common: I have allowed dbus and added the capability
`CAP_NET_BIND_SERVICE` (Bind a socket to Internet domain privileged ports (port numbers less than 1024)).

This works, but it seems I increase the attack surface a lot with dbus and net_bind_service in TB and Chromium.

What is the way to make this only for the thunderbird binary and keep chromium as the default?


@Vincent43 commented on GitHub (May 8, 2018):

Instead of `include` you can copy the chromium/firefox profile contents into the thunderbird profile. This way you can tweak it without modifying chromium/firefox behavior. For better security you may consider giving up opening links directly from thunderbird in the browser and copy-pasting links manually instead. That way you may create a more fine-grained thunderbird profile. Example:

```
# ~/.config/firejail/thunderbird.profile

# Firejail profile for thunderbird
# This file is overwritten after every install/update
# Persistent local customizations
include /etc/firejail/thunderbird.local
# Persistent global definitions
include /etc/firejail/globals.local

# Users have thunderbird set to open a browser by clicking a link in an email
# We are not allowed to blacklist browser-specific directories

noblacklist ${HOME}/.cache/thunderbird
noblacklist ${HOME}/.gnupg
# noblacklist ${HOME}/.icedove
noblacklist ${HOME}/.thunderbird

mkdir ${HOME}/.cache/thunderbird
mkdir ${HOME}/.gnupg
# mkdir ${HOME}/.icedove
mkdir ${HOME}/.thunderbird
whitelist ${HOME}/.cache/thunderbird
whitelist ${HOME}/.gnupg
# whitelist ${HOME}/.icedove
whitelist ${HOME}/.thunderbird

# We need the real /tmp for data exchange when xdg-open handles email attachments on KDE
ignore private-tmp
# machine-id breaks audio in browsers; enable it when sound is not required
# machine-id
read-only ${HOME}/.config/mimeapps.list
# writable-run-user is needed for signing and encrypting emails
writable-run-user

# allow browsers
# Redirect
# include /etc/firejail/firefox.profile

# custom
caps.drop all
netfilter
nodvd
nogroups
nonewprivs
noroot
notv
protocol unix,inet,inet6
seccomp
shell none
tracelog

disable-mnt
private-dev

noexec ${HOME}
noexec /tmp
```
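The advice above (and the earlier one about disabling options to find the breaking directive) comes down to knowing which directives an `include` chain actually pulls in. Here is an added helper, not part of firejail or of this thread, that flattens a profile's includes and applies `ignore` lines as firejail does (an order-sensitive prefix match), tagging each surviving directive with the file it came from. The profile tree is constructed inline to stand in for `/etc/firejail/`.

```python
"""Flatten a firejail profile's include chain into the effective directive list."""

# Constructed sample tree standing in for /etc/firejail/*.profile.
# thunderbird.local is deliberately absent: firejail treats missing .local files as empty.
SAMPLE_FILES = {
    "/etc/firejail/thunderbird.profile": """\
# Firejail profile for thunderbird
include /etc/firejail/thunderbird.local
noblacklist ${HOME}/.gnupg
whitelist ${HOME}/.gnupg
# the real /tmp is needed for xdg-open; drop private-tmp from anything included later
ignore private-tmp
writable-run-user
include /etc/firejail/firefox.profile
""",
    "/etc/firejail/firefox.profile": "include /etc/firejail/firefox-common.profile\n",
    "/etc/firejail/firefox-common.profile": "caps.drop all\nprivate-tmp\nseccomp\nnetfilter\n",
}


def load(path, files=SAMPLE_FILES):
    """Return the lines of a profile, or [] when the file does not exist."""
    text = files.get(path)
    return text.splitlines() if text is not None else []


def resolve(path, files=SAMPLE_FILES, ignores=None, seen=None):
    """Depth-first include expansion; returns [(directive, source_file), ...].

    'ignore X' adds X to a list shared across the whole expansion; any later
    directive starting with X is dropped, which is why 'ignore' belongs in the
    .local file included first.
    """
    ignores = [] if ignores is None else ignores
    seen = set() if seen is None else seen
    if path in seen:  # guard against include loops
        return []
    seen.add(path)
    out = []
    for raw in load(path, files):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("include "):
            out.extend(resolve(line.split(None, 1)[1], files, ignores, seen))
        elif line.startswith("ignore "):
            ignores.append(line.split(None, 1)[1])
        elif not any(line.startswith(prefix) for prefix in ignores):
            out.append((line, path))
    return out


def directives_from(path, source, files=SAMPLE_FILES):
    """Directives that reach the effective profile via a given included file."""
    return [d for d, src in resolve(path, files) if src == source]
```

Run `resolve("/etc/firejail/thunderbird.profile")` to see that `private-tmp` from firefox-common is dropped by the earlier `ignore`, while `caps.drop all`, `seccomp` and `netfilter` survive; that is the list to bisect when hunting the directive that breaks pinentry.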

@cyrinux commented on GitHub (May 9, 2018):

Thanks @Vincent43, I see, there is no magic inside... If I allow dbus, I can't also filter dbus events, I imagine :)


@Vincent43 commented on GitHub (May 9, 2018):

Yeah, dbus support can only be toggled on/off. Flatpak filters dbus access, so you may try it instead.


@chiraag-nataraj commented on GitHub (Jul 26, 2018):

Closing, as this seems to be resolved? @cyrinux If you have some enhancement requests, please open a new ticket (e.g. filtering specific dbus requests).
