[GH-ISSUE #2946] Electron & Chromium #1840

Closed
opened 2026-05-05 08:30:35 -06:00 by gitea-mirror · 14 comments

Originally created by @rusty-snake on GitHub (Sep 6, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2946

There are several issues with the chromium sandbox (see below) which is also used in electron. If firejail breaks an electron-based program (or any other program internally using chromium) and the problem can be fixed by adding `seccomp !chroot` to PROFILE.local, post here which program is affected. Note: If you are not using firejail latest git, you must add the following to PROFILE.local to get the same effect:

```
ignore seccomp
seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
```

If this doesn't work, but `firejail --ignore=nonewprivs --ignore=noroot --ignore=protocol --ignore=seccomp --ignore=caps.drop --caps.keep=sys_admin,sys_chroot PROGRAM` works, say it here. Otherwise open a new issue.

If none of the commands works, open a new issue.


Some issues about the chromium-sandbox:
#2933 - skypeforlinux 8.51.0.86 now requires SYS_ADMIN, SYS_CHROOT capabilities
#2912 - Skypeforlinux 8.51.0.72 crashes on startup since it's not permitted to use the chroot syscall
#2945 - Signal 1.27 Fails to Start
#2866 - new version of Slack Desktop (4.0) not working
#2854 - Standard notes not working
#2901 - [Teamspeak 3] crashes on opening options window if seccomp is enabled
#2821 - /usr/bin/riot-desktop: line 3: 8 Trace/breakpoint trap (core dumped) electron /usr/lib/riot/ "$@"
#2943 - firejail - Ubuntu 19.10 snap chromium incompatibility
#2944 - Firejail breaks Brave browser default sandboxing

Three new issues in 10 hours 😱 .

![](https://gist.githubusercontent.com/rusty-snake/9741684540c099c0677f41facf100da4/raw/2b853a00aca20f8a524af078c52c720745d820ca/screenshot.png)
gitea-mirror 2026-05-05 08:30:35 -06:00
  • closed this issue
  • added the
    bug
    label
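The workarounds in the opening post toggle three process-level restrictions: the seccomp filter, `nonewprivs`, and the capability set (`sys_admin`, `sys_chroot`). As an added example (not part of the original issue or of firejail), the script below reads a `/proc/<pid>/status` file and reports which of them are active; the function names `status_field`, `has_cap` and `sandbox_report` are made up for this example, and the sample status text is constructed.

```shell
#!/bin/sh
# Added example: report the restrictions discussed in this issue for a process.
# Bit numbers are from linux/capability.h.
CAP_SYS_CHROOT=18
CAP_SYS_ADMIN=21

# status_field FILE NAME -> value of the "NAME:" line in a /proc/<pid>/status file
status_field() {
    awk -v key="$2:" '$1 == key { print $2; exit }' "$1"
}

# has_cap HEXMASK BIT -> succeeds if BIT is set in the hexadecimal mask
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# sandbox_report [FILE] -> one "key=value" line per restriction
sandbox_report() {
    f=${1:-/proc/self/status}
    seccomp=$(status_field "$f" Seccomp)
    nnp=$(status_field "$f" NoNewPrivs)
    bnd=$(status_field "$f" CapBnd)   # bounding set: upper limit on caps a child can gain
    bnd=${bnd:-0}
    case $seccomp in
        0) echo "seccomp=off" ;;
        1) echo "seccomp=strict" ;;
        2) echo "seccomp=filter" ;;
        *) echo "seccomp=unknown" ;;
    esac
    echo "nonewprivs=${nnp:-unknown}"
    for pair in "sys_chroot:$CAP_SYS_CHROOT" "sys_admin:$CAP_SYS_ADMIN"; do
        name=${pair%%:*}
        bit=${pair##*:}
        if has_cap "$bnd" "$bit"; then echo "$name=kept"; else echo "$name=dropped"; fi
    done
}

# Constructed sample: seccomp filter on, nonewprivs set, every capability dropped.
demo=$(mktemp)
printf 'CapBnd:\t0000000000000000\nNoNewPrivs:\t1\nSeccomp:\t2\n' > "$demo"
sandbox_report "$demo"
rm -f "$demo"
```

Called with no argument from a shell started inside the sandbox, `sandbox_report` reads `/proc/self/status`, so the output can be compared between the default profile and one with the workaround applied.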

@daks commented on GitHub (Oct 9, 2019):

Hi,

I again have a problem with slack after upgrading it to 4.1.1 on Debian 9.
I use firejail version from Debian, and created a `slack.local` with the `private-etc` tip from #2866

I tried to add to it the parameters indicated above, without change.

**update** not sure about the following, it may be because I use fish as a shell

I tried also the command `firejail --ignore=nonewprivs --ignore=noroot --ignore=protocol --ignore=seccomp --ignore=caps.drop --caps.keep=sys_admin,sys_chroot slack` without success.


@StarPicard commented on GitHub (Oct 13, 2019):

Hi,

Visual Studio Code won't start up at all under Archlinux.

```
firejail version 0.9.60

Compile time support:
	- AppArmor support is enabled
	- AppImage support is enabled
	- chroot support is enabled
	- file and directory whitelisting support is enabled
	- file transfer support is enabled
	- networking support is enabled
	- overlayfs support is enabled
	- private-home support is enabled
	- seccomp-bpf support is enabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled
```

This is the output at startup:

```
Reading profile /etc/firejail/code.profile
Reading profile /etc/firejail/globals.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-passwdmgr.local
Reading profile /etc/firejail/disable-programs.inc
Parent pid 4538, child pid 4539
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Child process initialized in 56.81 ms
```

Tried both commands recommended at the top.


@rusty-snake commented on GitHub (Oct 13, 2019):

@daks @StarPicard Can you guys open your own issues for that? This issue is to catch the chromium sandbox on program update (I update the OP).

@StarPicard can you also post your `globals.local`?


@daks commented on GitHub (Oct 15, 2019):

@rusty-snake done


@rusty-snake commented on GitHub (Dec 23, 2019):

All AppImages with chromium/electron programs are broken because `--appimage` forces `caps.drop=all` but `sys_admin,sys_chroot` are needed.


@cyrinux commented on GitHub (Jan 15, 2020):

Hi, wire-desktop (electron6) got the problem.


@rusty-snake commented on GitHub (Jan 16, 2020):

@cyrinux thx, can you confirm that this (27eb40b) works?


@cyrinux commented on GitHub (Jan 17, 2020):

Hi @rusty-snake it works like this with electron6 bin too in my case (under archlinux)


@setpill commented on GitHub (Mar 13, 2020):

Slack is broken, fixed when adding `seccomp !chroot` to `~/.config/firejail/slack.local`


@tscolari commented on GitHub (Apr 3, 2020):

I've added the fixes but slack (4.4.0) is still not working. It got rid of the errors but gets stuck in the `Creating Slack Application`.

```
...
Child process initialized in 50.90 ms
Gtk-Message: 09:20:00.662: Failed to load module "unity-gtk-module"
Gtk-Message: 09:20:00.688: Failed to load module "unity-gtk-module"
Gtk-Message: 09:20:00.714: Failed to load module "unity-gtk-module"
Initializing local storage instance at path: /home/tiagohc/.config/Slack/local-settings.json

(slack:18): dconf-WARNING **: 09:20:00.807: Unable to open /var/lib/snapd/desktop/dconf/profile/user: Permission denied
Creating Slack Application
```

@rusty-snake commented on GitHub (Apr 3, 2020):

How did you install slack? snap isn't supported by firejail.


@tscolari commented on GitHub (Apr 11, 2020):

> How did you install slack? snap isn't supported by firejail.

I've installed it from the .deb file, not the snap store :(


@rusty-snake commented on GitHub (Apr 11, 2020):

Can you post your current profile?


@bbhtt commented on GitHub (Aug 17, 2020):

> I've added the fixes but slack (4.4.0) is still not working. It got rid of the errors but gets stuck in the Creating Slack Application.

I don't know what the issue is with slack but this profile seems to work for me on Arch using the AUR [slack-desktop](https://aur.archlinux.org/packages/slack-desktop) package, the sign-in won't work because that is a redirect to firefox, so one time setup without firejail and subsequent sessions can be firejailed https://imgur.com/pWZjW6x

This is more hardened than in master.

https://termbin.com/688p

Reference: github-starred/firejail#1840