[GH-ISSUE #1972] [SOLVED] running chromium from snap in Firejail #1325

Closed
opened 2026-05-05 07:52:01 -06:00 by gitea-mirror · 3 comments

Originally created by @omega3 on GitHub (May 31, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1972

I need support. Please explain it to me:

firejail version 0.9.18-rc1

Linux distribution: Kubuntu 14.04

```
firejail --noprofile chromium
Error: invalid --noprofile command line option
```

So far I used chromium installed from deb (on Ubuntu 14.04) and sandboxed it with firejail. Chromium is not available from repositories as deb anymore. So, I installed chromium snap package.

So far I used firejail profile:

```
firejail --profile=/media/data/backup/jailkonf/.config/jail.profile --seccomp --private=/media/data/backup/jail/ chromium-browser
```

It worked. But after installing chromium from snap package I noticed that it has a long entry in startmenu:

```
env BAMF_DESKTOP_FILE_HINT=/var/lib/snapd/desktop/applications/chromium_chromium.desktop /snap/bin/chromium %U
```

Combining those two like that:

```
firejail --profile=/media/data/backup/jailkonf/.config/jail.profile --seccomp --private=/media/data/backup/jail/ env BAMF_DESKTOP_FILE_HINT=/var/lib/snapd/desktop/applications/chromium_chromium.desktop /snap/bin/chromium %U
```

doesn't work.

This also doesn't work:

```
firejail --profile=/media/data/backup/jailkonf/.config/jail.profile --seccomp --private=/media/data/backup/jail/ chromium %U
Reading /media/data/backup/jailkonf/.config/jail.profile
Reading /etc/firejail/disable-mgmt.inc
Reading /etc/firejail/disable-secret.inc
Parent pid 5456, child pid 5457
Interface           IP                  Mask                Status
lo                  127.0.0.1           255.0.0.0           UP
eth0                1__.1__.0.10        255.255.255.0       UP

Child process initialized
need to run as root or suid

parent is shutting down, bye...
```

I want to be able to use my old chromium profile with this snap version. How to do it?

How can I run chromium with firejail?

The second issue: isn't chromium as snap sandboxed anyway? Would running it with firejail make sense?


@SkewedZeppelin commented on GitHub (May 31, 2018):

> firejail version 0.9.18-rc1

First things first, please update your Firejail version, that is almost 4 years old (!) and has many known issues and [vulnerabilities](https://firejail.wordpress.com/download-2/cve-status/). Newer versions are available [here](https://sourceforge.net/projects/firejail/files/firejail/). If possible I'd recommend upgrading your distribution as well, so you can use the packaged versions instead of ppas/snaps/etc.

Next you can try running it again, similar to what you used

```
BAMF_DESKTOP_FILE_HINT=/var/lib/snapd/desktop/applications/chromium_chromium.desktop firejail --profile=/media/data/backup/jailkonf/.config/jail.profile --seccomp --private=/media/data/backup/jail/ /snap/bin/chromium
```

however the profiles have changed dramatically since then and won't work, so try the following instead

```
BAMF_DESKTOP_FILE_HINT=/var/lib/snapd/desktop/applications/chromium_chromium.desktop firejail --profile=/etc/firejail/chromium.profile --private=/media/data/backup/jail/ /snap/bin/chromium
```

> The second issue: isn't chromium as snap sandboxed anyway? Would running it with firejail make sense?

Lastly, snaps/flatpaks do provide some sandboxing, however most do not take full advantage and are often not too strict, whereas Firejail profiles are typically much stricter.


@omega3 commented on GitHub (May 31, 2018):

I updated firejail to the newest deb.

```
BAMF_DESKTOP_FILE_HINT=/var/lib/snapd/desktop/applications/chromium_chromium.desktop firejail --profile=/etc/firejail/chromium.profile --private=/media/data/backup/jail/ /snap/bin/chromium
```

returns

```
Reading /etc/firejail/chromium.profile
Error: cannot open profile file
```

/media/dane/backup/jailkonf/.config/jail.profile

```
# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
include /etc/firejail/disable-mgmt.inc
include /etc/firejail/disable-secret.inc
blacklist ${HOME}/
blacklist ${HOME}/.adobe
blacklist ${HOME}/.macromedia
blacklist ${HOME}/user_name
blacklist /media/data/firejail
blacklist /media/data/backup/jailkonf
blacklist /boot
caps
seccomp
```

This profile I have for non sudo user. So, it is second user account and it doesn't have sudo privileges.

Edit
After command

```
sudo snap connect chromium:removable-media
```

chromium can read / access other chromium profiles from /media/data
but error is still the same

```
Reading /etc/firejail/chromium.profile
Error: cannot open profile file
```

Is it a bug that firejail cannot read profiles from /etc/firejail?


@Vincent43 commented on GitHub (Jun 4, 2018):

> Lastly, snaps/flatpaks do provide some sandboxing, however most do not take full advantage and are often not too strict, whereas Firejail profiles are typically much stricter.

Honestly, it's the opposite. Firejail can't match strictness and granularity of flatpak/snap sandboxing. The price for that is installing packages out of repos.

@omega3 Using firejail with snap/flatpak isn't what you want. Firejail will break their own sandboxes and decrease security. Don't do this. They're good on their own.
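
The advice in the last comment (leave snap-confined applications unwrapped), sketched as a launcher check together with the profile-readability failure seen earlier in the thread. This is an added example, not part of the thread or of the Firejail project; `is_snap_launcher`, `build_launch` and `SNAP_BIN_DIR` are hypothetical names, and it assumes snap launchers sit under `/snap/bin` or are symlinks resolving to a binary named `snap`.

```shell
#!/bin/sh
# Added example: decide whether a command should be wrapped in firejail.
# Assumption: snap launchers live under SNAP_BIN_DIR (default /snap/bin)
# or are symlinks that resolve to a binary named "snap".
SNAP_BIN_DIR="${SNAP_BIN_DIR:-/snap/bin}"

# is_snap_launcher PATH -> exit status 0 if PATH looks like a snap launcher
is_snap_launcher() {
    target=$1
    case "$target" in
        "$SNAP_BIN_DIR"/*) return 0 ;;
    esac
    if [ -L "$target" ]; then
        resolved=$(readlink -f -- "$target") || return 1
        case "$resolved" in
            */snap | /snap/*) return 0 ;;
        esac
    fi
    return 1
}

# build_launch CMD [PROFILE] -> prints the command line to run.
# Snap launchers are left alone so their own confinement stays intact;
# everything else is wrapped in firejail. An unreadable profile is
# reported here instead of surfacing as "cannot open profile file".
build_launch() {
    cmd=$1
    profile=${2:-}
    if is_snap_launcher "$cmd"; then
        printf '%s\n' "$cmd"
    elif [ -n "$profile" ] && [ ! -r "$profile" ]; then
        echo "profile not readable: $profile" >&2
        return 2
    elif [ -n "$profile" ]; then
        printf 'firejail --profile=%s %s\n' "$profile" "$cmd"
    else
        printf 'firejail %s\n' "$cmd"
    fi
}

# The thread's launcher: printed unwrapped -> /snap/bin/chromium
build_launch /snap/bin/chromium /etc/firejail/chromium.profile
```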
