[GH-ISSUE #22] Firefox crashes with default profile if Zotero addon is enabled #13

Closed
opened 2026-05-05 04:44:26 -06:00 by gitea-mirror · 9 comments

Originally created by @yourcelf on GitHub (Aug 13, 2015).
Original GitHub issue: https://github.com/netblue30/firejail/issues/22

[Zotero](https://www.zotero.org/) is a commonly used free open source citation manager.

If the zotero addon is enabled, invoking `firejail firefox` results in firefox crashing on startup.


@ghost commented on GitHub (Aug 13, 2015):

What output and error messages does firejail produce? If you could copy and paste the output of the firejail run, that would really help.


@yourcelf commented on GitHub (Aug 13, 2015):

Not much help, I'm afraid:

`firejail --debug firefox`

```
Command name #firefox#
Found firefox profile in /etc/firejail directory
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc
Using the local network stack
Parent pid 3604, child pid 3605
Initializing child process
PID namespace installed
Mounting read-only /bin, /sbin, /lib, /lib64, /usr, /etc, /var
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /var/lib/dhcp
Mounting tmpfs on /var/lib/snmp
Mounting tmpfs on /var/lib/sudo
Mounting tmpfs on /var/cache/apache2
Mounting tmpfs on /tmp/firejail/mnt directory
Create the new utmp file
Mount the new utmp file
Disable /sbin
Disable /usr/sbin
Disable /bin/umount
Disable /bin/mount
Disable /bin/fusermount
Disable /bin/su
Disable /usr/bin/sudo
Disable /usr/bin/xinput
Disable /usr/bin/strace
Disable /home/username/.ssh
Mounting tmpfs on /home/username/.gnome2_private
Disable /home/username/.gnome2/keyrings
Disable /home/username/.pki/nssdb
Disable /home/username/.gnupg
Disable /home/username/.local/share/recently-used.xbel
Disable /home/username/.adobe
Disable /home/username/.macromedia
Disable /home/username/.thunderbird
Disable /home/username/.config/chromium
Disable /home/username/.filezilla
Remounting /proc and /proc/sys filesystems
Remounting /sys directory
Disable /proc/sysrq-trigger
Disable /proc/sys/kernel/hotplug
Disable /sys/kernel/uevent_helper
Disable /proc/irq
Disable /proc/bus
Disable /proc/kcore
Disable /proc/kallsyms
Mounting a new /boot directory
Disable /dev/port
Initialize seccomp filter
Blacklisting syscall 165 mount
Blacklisting syscall 166 umount2
Blacklisting syscall 101 ptrace
Blacklisting syscall 246 kexec_load
Blacklisting syscall 304 open_by_handle_at
Blacklisting syscall 175 init_module
Blacklisting syscall 176 delete_module
Blacklisting syscall 172 iopl
Blacklisting syscall 173 ioperm
Blacklisting syscall 167 swapon
Blacklisting syscall 168 swapoff
Blacklisting syscall 103 syslog
Blacklisting syscall 310 process_vm_readv
Blacklisting syscall 311 process_vm_writev
Blacklisting syscall 133 mknod
Blacklisting syscall 139 sysfs
Blacklisting syscall 156 _sysctl
Blacklisting syscall 159 adjtimex
Blacklisting syscall 305 clock_adjtime
Blacklisting syscall 212 lookup_dcookie
Blacklisting syscall 298 perf_event_open
Blacklisting syscall 300 fanotify_init
Ending syscall filter
SECCOMP Filter:
  VALIDATE_ARCHITECTURE
  EXAMINE_SYSCAL
  BLACKLIST 165 mount
  BLACKLIST 166 umount2
  BLACKLIST 101 ptrace
  BLACKLIST 246 kexec_load
  BLACKLIST 304 open_by_handle_at
  BLACKLIST 175 init_module
  BLACKLIST 176 delete_module
  BLACKLIST 172 iopl
  BLACKLIST 173 ioperm
  BLACKLIST 167 swapon
  BLACKLIST 168 swapoff
  BLACKLIST 103 syslog
  BLACKLIST 310 process_vm_readv
  BLACKLIST 311 process_vm_writev
  BLACKLIST 133 mknod
  BLACKLIST 139 sysfs
  BLACKLIST 156 _sysctl
  BLACKLIST 159 adjtimex
  BLACKLIST 305 clock_adjtime
  BLACKLIST 212 lookup_dcookie
  BLACKLIST 298 perf_event_open
  BLACKLIST 300 fanotify_init
  RETURN_ALLOW
Save seccomp filter, size 392 bytes
seccomp enabled
Droping all capabilities
User namespace (noroot) installed
Starting firefox 
execvp argument 0: /bin/bash
execvp argument 1: -c
execvp argument 2: firefox 
Child process initialized

(process:1): GLib-CRITICAL **: g_slice_set_config: assertion 'sys_page_size == 0' failed

(firefox:1): GLib-GObject-WARNING **: Attempt to add property GnomeProgram::sm-connect after class was initialised

(firefox:1): GLib-GObject-WARNING **: Attempt to add property GnomeProgram::show-crash-dialog after class was initialised

(firefox:1): GLib-GObject-WARNING **: Attempt to add property GnomeProgram::display after class was initialised

(firefox:1): GLib-GObject-WARNING **: Attempt to add property GnomeProgram::default-icon after class was initialised
```

The GLib messages at the bottom are identical to what firefox prints on a run without firejail, when it runs successfully.

The firejail process remains running, but the firefox child process shows <defunct>:

`ps aux | grep firefox`

```
root      3604  0.0  0.0  16128  1048 pts/13   S+   14:33   0:00 firejail --debug firefox
username  3605 11.2  0.0      0     0 pts/13   Zl+  14:33   0:01 [firefox] <defunct>
```

@ghost commented on GitHub (Aug 13, 2015):

Thanks for that! Can you confirm which version of firejail you're running, and also whether you compiled it yourself or downloaded a binary from somewhere?


@yourcelf commented on GitHub (Aug 13, 2015):

version 0.9.28, 64-bit deb installed from http://sourceforge.net/projects/firejail/files/firejail/firejail_0.9.28_1_amd64.deb. Installed on Ubuntu Trusty.

`uname -a`:

```
Linux hostname 3.13.0-61-generic #100-Ubuntu SMP Wed Jul 29 11:21:34 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
```

@ghost commented on GitHub (Aug 13, 2015):

OK, I've reproduced this with the latest version of firejail from git, and Zotero downloaded from the link you gave. If you check the dmesg output it says something like this, showing that firejail has blocked a syscall:

```
21407.210759] type=1326 audit(1439502335.159:55): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=8521 comm="firefox" sig=31 syscall=133 compat=0 ip=0x7f456f86129d code=0x0
```

This shows `syscall=133` which is `mknod` (see the debug output from firejail you sent). Basically this means that whatever this Zotero thing is, it's trying to create a device file in the filesystem - most probably a FIFO, as I can't see why it would need to create a block or character device.

If this is OK with you, you need to change the `seccomp` line in the file `/etc/firejail/firefox.profile` to allow mknod calls.

Basically firejail is working and is suspicious of Zotero, as by default it doesn't expect Zotero to be there. You have to reduce firejail's security to get it to run.

One thing I would say is that it wasn't obvious what's going on - firejail needs to handle it better when a syscall is blocked.


@yourcelf commented on GitHub (Aug 13, 2015):

Thanks, that makes sense. Zotero probably does this for inter-process communication with its standalone client and libreoffice plugin. Looking over the docs, I don't see a way to override the default list dropped by `seccomp` to just enable mknod -- following `seccomp` with `seccomp.keep mknod` appears to allow the `mknod` syscall and no others, preventing firefox from launching.

So I've tried removing the argument-less `seccomp` line from `/etc/firejail/firefox.profile` and replacing it with:

```
seccomp.drop mount,umount2,ptrace,kexec_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp
```

That list is taken from the [release notes on 0.9.24](https://l3net.wordpress.com/2015/04/05/firejail-0-9-24-release-announcement/), with `mknod` removed. As long as the default blacklist doesn't change, should this have the same effect as `seccomp` alone, but enabling `mknod`?

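Two things in the comments above can be checked mechanically rather than by eye: decoding the `type=1326` audit record in dmesg to the syscall name (which @ghost did by hand against the `--debug` output), and answering the question just asked, whether the proposed `seccomp.drop` list equals the default blacklist minus `mknod`. The Python below is an added example, not code from this thread or from the firejail project. It parses the `Blacklisting syscall N name` lines of the quoted `--debug` run into a number-to-name table, decodes the quoted audit line with that table, and diffs the `seccomp.drop` line against the default. The sample inputs are constructed copies of text quoted in the thread (a leading `[` is added to the dmesg line), and the function names are the example's own.

```python
import re

# Constructed sample: the seccomp section of the `firejail --debug firefox`
# output quoted in the thread (firejail 0.9.28 on x86_64).
FIREJAIL_DEBUG = """\
Initialize seccomp filter
Blacklisting syscall 165 mount
Blacklisting syscall 166 umount2
Blacklisting syscall 101 ptrace
Blacklisting syscall 246 kexec_load
Blacklisting syscall 304 open_by_handle_at
Blacklisting syscall 175 init_module
Blacklisting syscall 176 delete_module
Blacklisting syscall 172 iopl
Blacklisting syscall 173 ioperm
Blacklisting syscall 167 swapon
Blacklisting syscall 168 swapoff
Blacklisting syscall 103 syslog
Blacklisting syscall 310 process_vm_readv
Blacklisting syscall 311 process_vm_writev
Blacklisting syscall 133 mknod
Blacklisting syscall 139 sysfs
Blacklisting syscall 156 _sysctl
Blacklisting syscall 159 adjtimex
Blacklisting syscall 305 clock_adjtime
Blacklisting syscall 212 lookup_dcookie
Blacklisting syscall 298 perf_event_open
Blacklisting syscall 300 fanotify_init
Ending syscall filter
"""

# Constructed copy of the dmesg record quoted in the thread (values as on the page).
AUDIT_LINE = ('[21407.210759] type=1326 audit(1439502335.159:55): auid=4294967295 '
              'uid=1000 gid=1000 ses=4294967295 pid=8521 comm="firefox" sig=31 '
              'syscall=133 compat=0 ip=0x7f456f86129d code=0x0')

# The replacement profile line proposed in the thread.
SECCOMP_DROP_LINE = ('seccomp.drop mount,umount2,ptrace,kexec_load,open_by_handle_at,'
                     'init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,'
                     'syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,'
                     'clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp')

BLACKLIST_RE = re.compile(r'^Blacklisting syscall (\d+) (\S+)$', re.M)
# type=1326 is the kernel's SECCOMP audit record; comm, sig and syscall are the
# fields a triage needs. Other record types (e.g. 1400 AppArmor) are ignored.
AUDIT_RE = re.compile(r'type=1326 .*?\bcomm="([^"]*)".*?\bsig=(\d+).*?\bsyscall=(\d+)')


def parse_default_blacklist(debug_output):
    """Build {syscall number: name} from firejail's 'Blacklisting syscall' lines.

    The numbers are architecture specific, so the table should always come from
    a --debug run on the machine being investigated, never be hardcoded."""
    return {int(num): name for num, name in BLACKLIST_RE.findall(debug_output)}


def decode_seccomp_kill(line, number_to_name):
    """Decode one type=1326 audit line; return None for any other record."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    comm, sig, nr = m.group(1), int(m.group(2)), int(m.group(3))
    return {'comm': comm, 'signal': sig, 'syscall_nr': nr,
            'syscall': number_to_name.get(nr, f'unknown({nr})')}


def compare_drop_list(drop_line, default_names):
    """Diff a seccomp.drop profile line against the default blacklist.

    Returns (re_enabled, extra_dropped): calls the default blocks but the custom
    line allows, and calls the custom line blocks that the default did not."""
    keyword, _, arg = drop_line.strip().partition(' ')
    if keyword != 'seccomp.drop':
        raise ValueError('not a seccomp.drop line')
    dropped = {s.strip() for s in arg.split(',') if s.strip()}
    default = set(default_names)
    return sorted(default - dropped), sorted(dropped - default)


if __name__ == '__main__':
    table = parse_default_blacklist(FIREJAIL_DEBUG)
    event = decode_seccomp_kill(AUDIT_LINE, table)
    print(f"{event['comm']} killed by signal {event['signal']} "
          f"on syscall {event['syscall_nr']} ({event['syscall']})")
    re_enabled, extra_dropped = compare_drop_list(SECCOMP_DROP_LINE, table.values())
    print('re-enabled vs default :', re_enabled)
    print('dropped beyond default:', extra_dropped)
```

Run against the quoted data this reports that the custom line re-enables only `mknod`, and that it additionally drops `finit_module` and `kcmp`, which the 0.9.28 default filter in the debug output did not block; so the answer to the question above is "yes, plus two extra calls blocked". The same decode step turns any future `sig=31` kill in dmesg into a named syscall before anyone edits a profile.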

@ghost commented on GitHub (Aug 13, 2015):

Yes, that looks correct to me - that should blacklist all the usual calls except `mknod`. Does that make it work correctly for you?


@yourcelf commented on GitHub (Aug 13, 2015):

It appears to, yes! Thank you.


@netblue30 commented on GitHub (Aug 18, 2015):

I have removed mknod from the default seccomp in the code for the upcoming 0.9.30 version.
