[GH-ISSUE #2952] chromium and custom URL protocol handler in KDE #1845

Closed
opened 2026-05-05 08:30:48 -06:00 by gitea-mirror · 7 comments

Originally created by @AloisJanicek on GitHub (Sep 9, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2952

System information
  • Arch Linux
  • default kernel
  • firejail-git
  • desktop: KDE Plasma 5.16.5
  • KDE Applications: 19.08
  • KDE Frameworks 5.61
  • chromium 76.0.3809.132
firejail version 0.9.61

Compile time support:
        - AppArmor support is enabled
        - AppImage support is enabled
        - chroot support is enabled
        - file and directory whitelisting support is enabled
        - file transfer support is enabled
        - firetunnel support is enabled
        - networking support is enabled
        - overlayfs support is enabled
        - private-home support is enabled
        - seccomp-bpf support is enabled
        - user namespace support is enabled
        - X11 sandboxing support is enabled

$ aa-enabled 
Yes

$ uname -a
Linux 5.2.13-arch1-1-ARCH #1 SMP PREEMPT Fri Sep 6 17:52:33 UTC 2019 x86_64 GNU/Linux

Background info

In chromium, I am using this little user script (https://gist.github.com/AloisJanicek/38b81be358d90f63c1fd2236411b2368) to generate URLs which start with org-protocol:// to capture URLs into emacs.

(the following setup is based on org-capture-extension's README: https://github.com/sprig/org-capture-extension#set-up-org-protocol)

I have an ~/.local/share/applications/emacs-capture.desktop file which points to the ~/.local/bin/emacs-capture bash script.

emacs-capture.desktop looks like this: (I omitted irrelevant lines)

Exec=$HOME/.local/bin/emacs-capture "%u"
MimeType=x-scheme-handler/org-protocol;

and the emacs-capture script looks like this:

url=$(echo "$1" | sed -E 's/[[:space:]]+/%20/g')
emacsclient "$url"

This setup works flawlessly without firejail and delivers the URL from the browser to emacs.

Issue

With firejail I get the following error popup when trying to open an org-protocol URL:

---- Error - Kio Client ----
Could not find any application or handler for org-protocol://store-link?url=https%3A%2F%2Fgithub.com%2Fnetblue30%2Ffirejail%2Fissues&title=Issues · netblue30%2Ffirejail

So I started to investigate and for now ended up with ~/.config/firejail/chromium.profile like this:

include /etc/firejail/chromium.profile
# bash script which runs sed on its argument and launches emacsclient
whitelist ${HOME}/.local/bin/emacs-capture
# this was needed as whole because I could not figure out which folder exactly
whitelist ${HOME}/.cache/

Now I am able to successfully execute xdg-open URL or kioclient5 exec URL when joining chromium's firejail jail on the command line, but it still doesn't work from the running chromium GUI itself.

For example, commands like these work as expected:

firejail --join=65652 kioclient5 exec "org-protocol://store-link?url=https%3A%2F%2Fwww.google.cz%2Fsearch%3Fq%3Dkde%2Bregister%2Bprotocol%26oq%3Dkde%2Bregister%2Bprotocol%26aqs%3Dchrome..69i57.6128j0j0%26sourceid%3Dchrome%26ie%3DUTF-8&title=kde register protocol - Google Search"

firejail --join=57768 xdg-open "org-protocol://store-link?url=https%3A%2F%2Fwww.google.cz%2Fsearch%3Fq%3Dkde%2Bregister%2Bprotocol%26oq%3Dkde%2Bregister%2Bprotocol%26aqs%3Dchrome..69i57.6128j0j0%26sourceid%3Dchrome%26ie%3DUTF-8&title=kde register protocol - Google Search"

Questions

Why is this working on the command line and not from the application itself? Is there something I can change in configuration to get this working?

gitea-mirror 2026-05-05 08:30:48 -06:00 closed this issue and added the stale label

@AloisJanicek commented on GitHub (Sep 16, 2019):

I just got it to work; it boils down essentially to three issues:

  • private-etc
  • apparmor
  • whitelist script path

In /etc/firejail/chromium.profile, the file chromium.local is included. This file has the following private-etc declaration:

private-etc firejail,passwd,group,hostname,hosts,nsswitch.conf,resolv.conf,gtk-2.0,gtk-3.0,fonts,mime.types,asound.conf,pulse,localtime

which somehow prevents KDE's kio or xdg from correctly determining the default application for org-protocol://

I disabled this include, but definitely better would be to add what is needed instead of disabling it completely.

Disabling apparmor support allowed my script to be executed by bash. Again it would be better to somehow whitelist this functionality.

Finally, whitelisting the script location was needed.

whitelist ${HOME}/.local/bin/emacs-capture

@rusty-snake commented on GitHub (Sep 17, 2019):

Maybe xdg fixes the private-etc issue. https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template#L155-L166


@AloisJanicek commented on GitHub (Sep 17, 2019):

~~sadly just adding xdg folder to private-etc didn't fix it~~ edit: it actually worked, see below


@Vincent43 commented on GitHub (Sep 17, 2019):

In order to make it work with AppArmor you may try using Exec=bash $HOME/.local/bin/emacs-capture "%u" in emacs-capture.desktop


@AloisJanicek commented on GitHub (Sep 17, 2019):

Thank you both, I got it working without compromising security. exec=bash was essential for apparmor and adding xdg to private-etc for xdg-open.

Now my ~/.config/firejail/chromium is simple:

include /etc/firejail/chromium.profile
whitelist ${HOME}/.local/bin/emacs-capture
private-etc xdg,firejail,passwd,group,hostname,hosts,nsswitch.conf,resolv.conf,gtk-2.0,gtk-3.0,fonts,mime.types,asound.conf,pulse,localtime

Can I append to private-etc declaration instead of copying and editing it?
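The three fixes this thread settled on (whitelist the handler, keep xdg in private-etc, run the handler through bash as Vincent43 suggested) as an added audit script; this is not code from the issue or from firejail, the profile and .desktop samples are constructed from the lines quoted above, and the function names are my own.

```shell
# Added example, not code from the issue or from firejail: audit a firejail
# profile and a .desktop handler against the three fixes this thread settled on.
# Assumption: profile and .desktop contents are passed as strings, not paths.

# Every private-etc entry in the profile text, one per line (several lines merge).
private_etc_entries() {
    printf '%s\n' "$1" | sed -n 's/^private-etc[[:space:]]*//p' | tr ',' '\n'
}

# 0 when private-etc keeps /etc/xdg, which kio/xdg-open need in order to
# resolve x-scheme-handler/org-protocol inside the sandbox.
private_etc_has_xdg() {
    private_etc_entries "$1" | grep -qx 'xdg'
}

# 0 when the handler path ($2, exactly as written in the profile) is whitelisted.
handler_whitelisted() {
    printf '%s\n' "$1" | grep -qxF "whitelist $2"
}

# 0 when Exec= runs the script through bash, so the AppArmor profile does not
# have to permit executing files under $HOME directly.
exec_uses_interpreter() {
    printf '%s\n' "$1" | grep -q '^Exec=bash '
}

# Runs all three checks, prints each missing piece, returns the failure count.
audit_handler_setup() {
    fails=0
    private_etc_has_xdg "$1" || { echo "private-etc lacks xdg"; fails=$((fails + 1)); }
    handler_whitelisted "$1" "$3" || { echo "not whitelisted: $3"; fails=$((fails + 1)); }
    exec_uses_interpreter "$2" || { echo "Exec does not go through bash"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed samples mirroring the thread: the setup before and after the fix.
PROFILE_BEFORE='include /etc/firejail/chromium.profile
whitelist ${HOME}/.local/bin/emacs-capture
private-etc firejail,passwd,group,hostname,hosts,nsswitch.conf,resolv.conf,gtk-2.0,gtk-3.0,fonts,mime.types,asound.conf,pulse,localtime'
PROFILE_AFTER='include /etc/firejail/chromium.profile
whitelist ${HOME}/.local/bin/emacs-capture
private-etc xdg,firejail,passwd,group,hostname,hosts,nsswitch.conf,resolv.conf,gtk-2.0,gtk-3.0,fonts,mime.types,asound.conf,pulse,localtime'
DESKTOP_BEFORE='Exec=$HOME/.local/bin/emacs-capture "%u"
MimeType=x-scheme-handler/org-protocol;'
DESKTOP_AFTER='Exec=bash $HOME/.local/bin/emacs-capture "%u"
MimeType=x-scheme-handler/org-protocol;'
HANDLER='${HOME}/.local/bin/emacs-capture'
audit_handler_setup "$PROFILE_BEFORE" "$DESKTOP_BEFORE" "$HANDLER" || echo "before: $? check(s) failed"
audit_handler_setup "$PROFILE_AFTER" "$DESKTOP_AFTER" "$HANDLER" && echo "after: all checks pass"
```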


@rusty-snake commented on GitHub (Sep 24, 2019):

> Can I append to private-etc declaration instead of copying and editing it?

Try it out 😉. It should work.

BTW: If you use ~/.config/firejail/chromium.local instead of ~/.config/firejail/chromium.profile, you can skip the include /etc/firejail/chromium.profile line.


@rusty-snake commented on GitHub (Oct 13, 2019):

@AloisJanicek
I'm closing here due to inactivity, please feel free to reopen if you have more questions.
