[GH-ISSUE #2137] Browser trouble - whitelisting ${HOME}-directories issue #1449

Closed
opened 2026-05-05 08:06:36 -06:00 by gitea-mirror · 9 comments

Originally created by @varfoer on GitHub (Oct 4, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2137

Originally assigned to: @smitsohu on GitHub.

Hello,
for some days now Chromium as well as Firefox, Netsurf and Midori are not starting with firejail (guess I did an update). I am using the default profiles. The problem seems to be with whitelisting folders in the home directory (`.cache/`, `.config/` and `Downloads/`). Commenting out those lines in the profile starts the browsers (with complete access to the home directory). `--noprofile` also works. This is the error message I get:

```
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 3573, child pid 3574
Error: invalid whitelist path /home/foo//Downloads
Error: proc 3573 cannot sync with peer: unexpected EOF
Peer 3574 unexpectedly exited with status 1
```

Same error for Chromium and Firefox with the `.cache/` and `.config/` dirs.
`firejail --version` gives:

```
firejail version 0.9.56

Compile time support:
	- AppArmor support is disabled
	- AppImage support is enabled
	- chroot support is enabled
	- file and directory whitelisting support is enabled
	- file transfer support is enabled
	- networking support is enabled
	- overlayfs support is enabled
	- private-home support is enabled
	- seccomp-bpf support is enabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled
```

`firejail --debug midori`:

```
Reading profile /etc/firejail/midori.profile
Autoselecting /bin/zsh as shell
Building quoted command line: 'midori' 
Command name #midori#
Found midori profile in /etc/firejail directory
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
DISPLAY=:0 parsed as 0
Parent pid 6849, child pid 6850
Using the local network stack
Debug 405: new_name #/home/foo//Downloads#, whitelist
Debug 505: fname #/home/foo/Downloads#, cfg.homedir #/home/foo/#
Error: invalid whitelist path /home/foo//Downloads
Using the local network stack
Initializing child process
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp.postexec file
Build protocol filter: unix,inet,inet6,netlink
sbox run: /usr/lib/firejail/fseccomp protocol build unix,inet,inet6,netlink /run/firejail/mnt/seccomp.protocol (null) 
Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr, /etc, /var
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/x11
Remounting /proc and /proc/sys filesystems
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/config.gz
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /usr/lib/modules (requested /lib/modules)
Disable /boot
Disable /dev/port
Disable /run/user/1000/gnupg
Disable /run/user/1000/systemd
Disable /dev/kmsg
Disable /proc/kmsg
Disable /mnt
Disable /run/mount
Directory ${DOWNLOADS} resolved as Downloads
Error: proc 6849 cannot sync with peer: unexpected EOF
Peer 6850 unexpectedly exited with status 1
```

**OS:** Arch
Many thanks!


@veloute commented on GitHub (Oct 4, 2018):

and these are with the default profiles - no changes by you?


@varfoer commented on GitHub (Oct 4, 2018):

No changes so far. I even reinstalled firejail, so that all configurations have been overridden. Other programs like gimp and sylpheed that do not whitelist any specific home-directory in the .profile are working with firejail.


@smitsohu commented on GitHub (Oct 5, 2018):

> Error: invalid whitelist path /home/foo//Downloads

Can you please check `/etc/passwd` to see if your home directory ends with a `/` character?
You can also run:
`A=$(getent passwd $UID); B=$(awk -F: '{printf $6}' <<< $A); echo $B`

Thanks.
If there is a trailing `/`, removing it should fix this issue. Maybe this was also the background of #2123.
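
The check suggested above, written out as an added example (this is not firejail's own code): it reads the home directory field of a passwd entry, flags a trailing slash, shows the doubled-slash path that such an entry produces when a profile line like `whitelist ${HOME}/Downloads` is expanded, and normalises the value the way the maintainers later agreed to. The passwd lines are constructed sample data; with no second argument `home_of` queries `getent` for a real account.

```shell
#!/bin/sh
# Added example, not part of firejail. Detects a trailing '/' in the
# passwd home-directory field, which turns "${HOME}/Downloads" into
# "/home/foo//Downloads" and makes the whitelist entry invalid.

# Constructed sample passwd entries (not real accounts).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
foo:x:1000:1000:Foo:/home/foo/:/bin/zsh
bar:x:1001:1001:Bar:/home/bar:/bin/bash'

# home_of USER [PASSWD_TEXT]: print the 6th field of USER's passwd entry.
# Without PASSWD_TEXT it asks getent, like the one-liner in the comment.
home_of() {
    user=$1
    if [ -n "$2" ]; then
        printf '%s\n' "$2" | awk -F: -v u="$user" '$1 == u { print $6 }'
    else
        getent passwd "$user" | awk -F: '{ print $6 }'
    fi
}

# has_trailing_slash PATH: succeed if PATH ends with '/' (a bare '/' is fine).
has_trailing_slash() {
    case $1 in
        /)  return 1 ;;
        */) return 0 ;;
        *)  return 1 ;;
    esac
}

# strip_trailing_slashes PATH: drop every trailing '/', but keep a bare '/'.
strip_trailing_slashes() {
    p=$1
    while [ "$p" != "/" ] && [ "${p%/}" != "$p" ]; do
        p=${p%/}
    done
    printf '%s\n' "$p"
}

# whitelist_path HOME SUBDIR: the path a profile's "whitelist ${HOME}/SUBDIR"
# line expands to when HOME is joined with a single '/'.
whitelist_path() {
    printf '%s/%s\n' "$1" "$2"
}

# check_user USER [PASSWD_TEXT]: report the problem; return 1 if present.
check_user() {
    h=$(home_of "$1" "$2")
    if has_trailing_slash "$h"; then
        echo "$1: home '$h' has a trailing slash; whitelist would resolve to $(whitelist_path "$h" Downloads)"
        echo "$1: corrected passwd value: '$(strip_trailing_slashes "$h")'"
        return 1
    fi
    echo "$1: home '$h' is fine"
    return 0
}

# Run against the constructed entries; foo is the broken one.
for u in foo bar; do
    check_user "$u" "$SAMPLE_PASSWD" || :
done
```

To check a live system, call `check_user "$(id -un)"` with no second argument; the corrected value can then be written back with `usermod -d` rather than by editing `/etc/passwd` by hand, which is how the trailing slash tends to get there in the first place.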


@netblue30 commented on GitHub (Oct 5, 2018):

> Problem seems to be with whitelisting folders in the home-directory (.cache/, .config/ and Downloads/)

Are these directories actually symlinks pointing outside your home directory? For archiving or for other reasons, some people store configuration/downloads/etc. in a different place in the file system.


@varfoer commented on GitHub (Oct 5, 2018):

> If there is a trailing `/`, removing it should fix this issue. Maybe this was also the background of #2123.

Damn, that really did it. Thanks for this. I had already been on that, but it seems it was not enough effort ("double slashes work in bash scripts, why should it be any different here", I thought...). Anyway, thanks and closed!


@smitsohu commented on GitHub (Oct 5, 2018):

@netblue30 Should we strip trailing slashes from the home directory?

It is my understanding that they appear only when /etc/passwd is edited manually, adduser/useradd never add a trailing slash.


@netblue30 commented on GitHub (Oct 6, 2018):

Yes, let's put it in.


@smitsohu commented on GitHub (Oct 7, 2018):

In case no one else has already worked on this, I would like to assign it to myself.


@netblue30 commented on GitHub (Oct 8, 2018):

all yours :)
