[GH-ISSUE #2026] Firejail breaks Gnome Shell connector #1365

Closed
opened 2026-05-05 07:55:50 -06:00 by gitea-mirror · 9 comments

Originally created by @ghost on GitHub (Jul 4, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2026

I was unable to check for extension updates via https://extensions.gnome.org as both Firefox and Chromium couldn't find a Gnome connector (Firefox: "native host connector is not detected", Chromium: "native host has exited").

Since chrome-gnome-shell (the connector) is already installed, I tried to run chromium from the terminal and I saw this:

> LaunchProcess: failed to execvp:
> /usr/bin/chrome-gnome-shell

If I delete the browser's symlink to firejail from /usr/local/bin the connector is detected and everything works.

I'm using firejail 0.9.54-1 on Arch Linux.


@chiraag-nataraj commented on GitHub (Jul 4, 2018):

Hmm, is there an active (not commented out) `private-bin` in your profile? The error would suggest that `/usr/bin/chrome-gnome-shell` isn't available in the sandbox (which would suggest that `private-bin` is active). Another possibility is that something like the `seccomp` filter is breaking it.

Since I don't use Gnome, I can't test this for you, but the easiest way of debugging this is to use `--ignore=<blah>` on the terminal or comment stuff out in the profile (maybe copy the system profile to `~/.config/firejail` and modify that file so that you don't mess with the installed files) and see what breaks the connector.


@ghost commented on GitHub (Jul 4, 2018):

Ok, some progress: if I comment out BOTH `nodbus` and the line `include /etc/firejail/disable-interpreters.inc` in firefox-common.profile and chromium-common.profile the problem goes away.

The above change also solved a problem I've been having recently (perhaps after an update), where my default browser, Firefox, kept warning it wasn't set as default, every single time I started it.

BTW, no `private-bin` is active anywhere in the profile files.


@ghost commented on GitHub (Jul 7, 2018):

Ok, so the offending code is the python3 block in `disable-interpreters.inc` (which makes sense because chrome-gnome-shell uses python3), plus `nodbus`.

This problem is probably common to all Gnome users, but I guess users should decide whether to take the risk and manually disable the extra protections provided by firejail. Feel free to close this issue if you agree.


@chiraag-nataraj commented on GitHub (Jul 8, 2018):

Hmmm, maybe we can leave a note in the profile so that affected users will know what to do?


@ghost commented on GitHub (Jul 11, 2018):

Seems reasonable to me.


@ghost commented on GitHub (Jul 21, 2018):

Since Firefox supports [multiple user profiles](https://support.mozilla.org/en-US/kb/profile-manager-create-and-remove-firefox-profiles), I was wondering if there is a way to make firejail use a different .profile file somehow, perhaps depending on command line parameters or something else?

That way one could have a secure browser instance for everyday use, and a "less secure" one for exceptions like gnome.


@chiraag-nataraj commented on GitHub (Jul 21, 2018):

I would just set up scripts for that. You can use `--profile=` to tell `firejail` to use a specific profile file. If you created two profile files, one blacklisting `dbus` and `python3` (say, `firefox.profile`) and one without those blacklists (`firefox-insecure.profile`), then you could use `firejail firefox` as your regular command and `firejail --profile=~/.config/firejail/firefox-insecure.profile firefox` as your insecure version.


@ghost commented on GitHub (Jul 22, 2018):

Much simpler than I thought. Thank you.


@RedAtRareCandy commented on GitHub (Nov 19, 2018):

Hi all,

Thanks for the pointers on how to work around this so Gnome Extensions works again.

I followed the firefox-insecure.profile suggestion (modified copy of firefox.profile), but found that the `nodbus` line was in firefox-common.profile, so rather than duplicate that too or edit it, I used `ignore` in my new profile instead. Had to add a few extra python3 `noblacklist` lines in as well. I'm not very familiar with the correct practice of when to use `ignore`, so hopefully this was acceptable and was the best approach :)

[firefox-insecure.txt](https://github.com/netblue30/firejail/files/2593575/firefox-insecure.txt)

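Added example, not part of the thread and not firejail code: a shell/awk check for the two points raised above, namely whether `nodbus`, `private-bin`, `seccomp` or a python3 `blacklist` is still active once `include` lines are followed, and whether a relaxed profile built with `ignore` and `noblacklist` lifts only what was intended. The function names, the simplified processing model and the sample profile contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not firejail code. Simplified model (assumption): lines apply in
# order, "include" expands in place, "ignore X" drops later lines starting with X,
# "noblacklist P" cancels a later "blacklist P" only when P is the same string.
active_restrictions() {   # $1 = profile file, $2 = directories searched for includes
    awk -v dirs="$2" '
    function resolve(name,   d, i, n, p, t) {   # find an include by its base name
        sub(/.*\//, "", name); n = split(dirs, d, " ")
        for (i = 1; i <= n; i++) {
            p = d[i] "/" name
            if ((getline t < p) >= 0) { close(p); return p }
        }
        return ""
    }
    function walk(file,   line, a, p, skip, f) {
        while ((getline line < file) > 0) {
            gsub(/^[ \t]+|[ \t]+$/, "", line)
            if (line == "" || line ~ /^#/) continue      # commented out = inactive
            skip = 0
            for (p in ign) if (index(line, p) == 1) skip = 1
            if (skip) continue
            split(line, a, /[ \t]+/)
            if (a[1] == "ignore") { sub(/^ignore[ \t]+/, "", line); ign[line] = 1 }
            else if (a[1] == "noblacklist") nobl[a[2]] = 1
            else if (a[1] == "include") { f = resolve(a[2]); if (f != "") walk(f) }
            else if (a[1] ~ /^(nodbus|seccomp|private-bin)$/) print a[1]
            else if (a[1] == "blacklist" && a[2] ~ /python3/ && !(a[2] in nobl)) print line
        }
        close(file)
    }
    BEGIN { walk(ARGV[1]) }' "$1"
}

make_sample() {   # constructed stand-ins for the files named in the thread
    printf '%s\n' 'blacklist ${PATH}/python3*' 'blacklist /usr/lib/python3*' \
        > "$1/disable-interpreters.inc"
    printf '%s\n' 'include /etc/firejail/disable-interpreters.inc' '#private-bin firefox' \
        'nodbus' 'seccomp' > "$1/firefox-common.profile"
    printf '%s\n' 'include /etc/firejail/firefox-common.profile' > "$1/firefox.profile"
    printf '%s\n' 'ignore nodbus' 'noblacklist ${PATH}/python3*' \
        'noblacklist /usr/lib/python3*' 'include /etc/firejail/firefox.profile' \
        > "$1/firefox-insecure.profile"
}

demo=$(mktemp -d) && make_sample "$demo"
for p in firefox firefox-insecure; do
    echo "== $p.profile"; active_restrictions "$demo/$p.profile" "$demo"
done
rm -rf "$demo"
```

On a real system, pass the directories that hold your profiles (for example `$HOME/.config/firejail` and `/etc/firejail`, both mentioned in the thread) as the second argument.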