[GH-ISSUE #2961] Firefox and Thunderbird jails share some settings, if the other jail is "running" #1853

Closed
opened 2026-05-05 08:31:21 -06:00 by gitea-mirror · 21 comments

Originally created by @HidingCherry on GitHub (Sep 13, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2961

Whenever I switch or change the VPN server, the gateway is changed too. (This happens whenever my laptop goes into standby.)
Then Firefox and Thunderbird inside firejail are not able to connect to any server on the internet, as long as one of them is running while I changed the VPN server/gateway. (This is true for any jail.)

If I close both, Thunderbird and Firefox, each one of them, they can then connect to the internet again.

Thus, they share settings like the gateway-setting while one of the jails is running.

I think that the "Thunderbird forgets profiles"-issue (not an opened issue, just a name for the issue I mean) is bound to:

  1. running firefox
  2. running thunderbird - forgets profiles

Doing the other way around:

  1. running thunderbird
  2. running firefox

There are no issues.

Please confirm my issue(s).
I think the most important issue is the 1. firefox 2. thunderbird issue, then (with probably low priority) the gateway setting issue.


@rusty-snake commented on GitHub (Oct 13, 2019):

> Please confirm my issue(s).

  1. Not on my system.
  2. I don't use VPNs.

@HidingCherry commented on GitHub (Oct 13, 2019):

My gateway issue was gone after I reinstalled my system (Parrot OS), and resolvconf.service seems to work correctly. It might've been a DNS issue, not a gateway issue.
I have to further test that but I have no time for the moment.

The profile issue:
Thunderbird cannot access the default profile if firefox was started and is running before thunderbird was started.
I have this issue even after reinstalling my system.


@rusty-snake commented on GitHub (Dec 14, 2019):

@Loader009 still an issue?


@HidingCherry commented on GitHub (Dec 21, 2019):

@rusty-snake yes, sadly.

  1. close all firefox and thunderbird instances
  2. run `firejail firefox` in a terminal, let it open
  3. run `firejail thunderbird` in a terminal, thunderbird asks you to set up an account

```
┌─[anonymous@parrot]─[~]
└──╼ $firejail --list
30744:anonymous:firefox:firejail firefox
31094:anonymous::firejail thunderbird
```

@rusty-snake commented on GitHub (Dec 21, 2019):

Distro? firejail-version? firejail-profile changes? Any other special things.

what happens if starting firefox w/o firejail and TB with FJ? What when starting FF with FJ and TB w/o FJ?


@HidingCherry commented on GitHub (Dec 21, 2019):

### Distro

ParrotOS (parrotlinux.org)
security focused rolling release distribution, based on debian

```
┌─[anonymous@parrot]─[~]
└──╼ $uname -a
Linux parrot 5.3.0-3parrot3-amd64 #1 SMP Parrot 5.3.9-3parrot3 (2019-11-23) x86_64 GNU/Linux
```

### firejail-version

Version: 0.9.58.2-3parrot4

Maintainer: Reiner Herrmann ---email hidden---

### firejail-profile changes

```
$ls /etc/firejail/*.local
/etc/firejail/firefox.local
```

```
$cat /etc/firejail/firefox.local
whitelist ${HOME}/eclipse-uni-SW-workspace
```

```
$ls ~/.config/firejail/
telegram.profile
```

### no other changes or special things since my last complete reinstall (about 3 months ago)

### Firefox w/o firejail - TB with firejail

Firefox starts with no issues
Thunderbird starts with no issues

```
$firejail --list
49069:anonymous:firefox:firejail thunderbird
```

### Firefox with firejail - TB w/o firejail

Firefox starts with no issues
Thunderbird starts with no issues

```
$firejail --list
49226:anonymous:firefox:firejail firefox
```

### comment

Mind the `49069:anonymous:firefox:firejail thunderbird` thing, the profile "firefox" is being used for thunderbird.


@rusty-snake commented on GitHub (Dec 21, 2019):

So, starting only one in FJ has no issue, right? => both must be firejailed to get this issue.

> Mind the 49069:anonymous:firefox:firejail thunderbird thing, the profile "firefox" is being used for thunderbird

You set this up? What happens with `firejail --profile=/etc/firejail/firefox.profile firefox` and then `firejail --profile=/etc/firejail/thunderbird.profile thunderbird`? If you want TB to use the FF profile, you must whitelist additional paths.


@HidingCherry commented on GitHub (Dec 21, 2019):

> So, starting only one in FJ has no issue, right? => both must be firejailed to get this issue.

Kinda correct, only happens whenever firefox is firejailed first.

> You set this up?

No, all I do is `firejail firefox` or `firejail thunderbird`.

> What happens with `firejail --profile=/etc/firejail/firefox.profile firefox` and then `firejail --profile=/etc/firejail/thunderbird.profile thunderbird`? If you want TB to use the FF profile, you must whitelist additional paths.

I don't want thunderbird to use the firefox profile, it happens "on its own", without my intervention.

Down there you see what happens when running the two.
The firejail of thunderbird tries to switch to the firefox firejail and fails.
This might happen because the firefox.profile is included in the thunderbird.profile -- this might be an outdated config?
source: https://nest.parrotsec.org/debian-packages/firejail/blob/master/etc/thunderbird.profile

I also noticed that I uncommented `ignore nodbus`, sorry, I forgot that change of mine.

```
┌─[anonymous@parrot]─[~]
└──╼ $firejail --profile=/etc/firejail/firefox.profile firefox
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/firefox.local
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 61433, child pid 61434
Warning: skipping pango for private /etc
Warning: skipping asound.conf for private /etc
Warning: skipping pki for private /etc
Warning: skipping crypto-policies for private /etc
Private /etc installed in 100.92 ms
Post-exec seccomp protector enabled
Seccomp list in: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice, check list: @default-keep, prelist: adjtimex,clock_adjtime,clock_settime,settimeofday,modify_ldt,lookup_dcookie,perf_event_open,process_vm_writev,delete_module,finit_module,init_module,_sysctl,afs_syscall,create_module,get_kernel_syms,getpmsg,putpmsg,query_module,security,sysfs,tuxcall,uselib,ustat,vserver,ioperm,iopl,kexec_load,kexec_file_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount2,userfaultfd,vhangup,vmsplice,
Child process initialized in 285.44 ms

###!!! [Child][RunMessage] Error: Channel closing: too late to send/recv, messages will be lost
```

```
┌─[anonymous@parrot]─[~]
└──╼ $firejail --profile=/etc/firejail/thunderbird.profile thunderbird
Reading profile /etc/firejail/thunderbird.profile
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/firefox.local
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Switching to pid 61434, the first child process inside the sandbox
Error: --shell=none configured, but no program specified
```

```
┌─[anonymous@parrot]─[~]
└──╼ $cat /etc/firejail/thunderbird.profile
# Firejail profile for thunderbird
# Description: Email, RSS and newsgroup client with integrated spam filter
# This file is overwritten after every install/update
# Persistent local customizations
include thunderbird.local
# Persistent global definitions
include globals.local

# Users have thunderbird set to open a browser by clicking a link in an email
# We are not allowed to blacklist browser-specific directories

noblacklist ${HOME}/.cache/thunderbird
noblacklist ${HOME}/.gnupg
# noblacklist ${HOME}/.icedove
noblacklist ${HOME}/.thunderbird

# If you have setup Thunderbird to archive emails to a local folder,
# make sure you add the path to that folder to the mkdir and whitelist
# rules below. Otherwise they will be deleted when you close Thunderbird.
# See https://github.com/netblue30/firejail/issues/2357
mkdir ${HOME}/.cache/thunderbird
mkdir ${HOME}/.gnupg
# mkdir ${HOME}/.icedove
mkdir ${HOME}/.thunderbird
whitelist ${HOME}/.cache/thunderbird
whitelist ${HOME}/.gnupg
# whitelist ${HOME}/.icedove
whitelist ${HOME}/.thunderbird

# We need the real /tmp for data exchange when xdg-open handles email attachments on KDE
ignore private-tmp
# machine-id breaks audio in browsers; enable it when sound is not required
# machine-id
read-only ${HOME}/.config/mimeapps.list
# writable-run-user is needed for signing and encrypting emails
writable-run-user

# If you want to read local mail stored in /var/mail, add the following to thunderbird.local:
# noblacklist /var/mail
# noblacklist /var/spool/mail
# writable-var

# allow browsers
# Redirect
# Uncomment if you use enigmail
ignore nodbus
include firefox.profile
```

@rusty-snake commented on GitHub (Dec 21, 2019):

`grep "join-or-start" /etc/firejail/*`?


@HidingCherry commented on GitHub (Dec 21, 2019):

yep, the firefox.profile contains a join-or-start.

```
┌─[anonymous@parrot]─[~]
└──╼ $grep "join-or-start" /etc/firejail/*
/etc/firejail/atom.profile:join-or-start atom
/etc/firejail/blender.profile:join-or-start blender
/etc/firejail/code.profile:join-or-start code
/etc/firejail/dolphin.profile:join-or-start dolphin
/etc/firejail/firefox.profile:join-or-start firefox
/etc/firejail/gimp.profile:join-or-start gimp
/etc/firejail/kate.profile:join-or-start kate
/etc/firejail/keepassxc.profile:join-or-start keepassxc
/etc/firejail/kwrite.profile:join-or-start kwrite
/etc/firejail/libreoffice.profile:join-or-start libreoffice
/etc/firejail/okular.profile:join-or-start okular
/etc/firejail/pluma.profile:join-or-start pluma
/etc/firejail/qbittorrent.profile:join-or-start qbittorrent
/etc/firejail/spotify.profile:join-or-start spotify
/etc/firejail/vlc.profile:join-or-start vlc
/etc/firejail/vscodium.profile:join-or-start vscodium
```

@rusty-snake commented on GitHub (Dec 21, 2019):

 # allow browsers  
 # Redirect
 # Uncomment if you use enigmail
 ignore nodbus
+ignore join-or-start
 include firefox.profile
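
Review bot: the added `ignore join-or-start` line lands in /etc/firejail/thunderbird.profile, whose header (quoted earlier in this thread) says "This file is overwritten after every install/update", so the fix will be lost on the next package update. Put the line in thunderbird.local instead, which the profile includes at its top and therefore before `include firefox.profile`, and add a comment saying it keeps Thunderbird from joining the `firefox` sandbox.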

@HidingCherry commented on GitHub (Dec 22, 2019):

This works, thank you.

Might the following way be better?

 # allow browsers  
 # Redirect
 # Uncomment if you use enigmail
 ignore nodbus
-include firefox.profile
+include firefox-common.profile
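
Review bot: swapping the include on the last line drops everything firefox.profile contributes, not only `join-or-start firefox`; the load log earlier in the thread shows firefox.profile also reading firefox.local before firefox-common.profile. Confirm that the installed firefox-common.profile carries the rules Thunderbird relies on for opening links before making this change; if only the join behaviour is unwanted, `ignore join-or-start` is the narrower edit and leaves the rest of the include chain intact.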

Based on this:
https://github.com/netblue30/firejail/blob/master/etc/thunderbird.profile


@rusty-snake commented on GitHub (Dec 22, 2019):

No #2818.


@HidingCherry commented on GitHub (Dec 22, 2019):

I see, that commit is not merged in the parrot git, thus it would break thunderbird-link->firefox compatibility.
Thanks again.

I'll close this, because the issue is solved now.
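
The root cause found in this thread, as an added example that is not part of the original discussion or of firejail itself: a small checker that walks a profile's `include` chain in file order and reports every `join-or-start` it inherits, and whether an earlier `ignore` suppresses it. The profile contents are constructed, trimmed-down stand-ins for the files quoted above, and the prefix matching used for `ignore` is a simplified model of firejail's behaviour.

```python
"""Trace where a firejail profile picks up `join-or-start` through its includes."""
import os
import tempfile


def find_profile(name, search_dirs):
    """Return the first existing file called `name` in search_dirs, else None."""
    for directory in search_dirs:
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            return path
    return None


def trace_directive(profile, search_dirs, directive="join-or-start"):
    """Walk `profile` and everything it includes, in file order.

    Returns (file, line_number, argument, active) for each occurrence of
    `directive`. `active` is False when an earlier `ignore` line covers it.
    Simplified model: `ignore X` suppresses later lines that start with X.
    """
    hits, ignores, seen = [], [], set()

    def walk(name):
        path = find_profile(name, search_dirs)
        if path is None or path in seen:  # absent *.local files are normal
            return
        seen.add(path)
        with open(path, encoding="utf-8") as handle:
            for lineno, raw in enumerate(handle, 1):
                line = raw.strip()
                if not line or line.startswith("#"):
                    continue
                keyword, _, arg = line.partition(" ")
                arg = arg.strip()
                if any(line.startswith(prefix) for prefix in ignores):
                    if keyword == directive:
                        hits.append((os.path.basename(path), lineno, arg, False))
                    continue
                if keyword == "ignore" and arg:
                    ignores.append(arg)
                elif keyword == "include":
                    walk(arg)
                elif keyword == directive:
                    hits.append((os.path.basename(path), lineno, arg, True))

    walk(profile)
    return hits


def foreign_joins(profile, search_dirs):
    """Active join-or-start names that differ from the profile's own name."""
    own = os.path.basename(profile).rsplit(".", 1)[0]
    return [(f, n, arg) for f, n, arg, active
            in trace_directive(profile, search_dirs) if active and arg != own]


def build_sample(root, with_fix):
    """Write constructed sample profiles; thunderbird.local is left absent."""
    files = {
        "firefox-common.profile": "# shared browser rules\nnodbus\n",
        "firefox.profile": ("join-or-start firefox\n"
                            "include firefox.local\n"
                            "include firefox-common.profile\n"),
        "thunderbird.profile": ("include thunderbird.local\n"
                                "ignore nodbus\n"
                                + ("ignore join-or-start\n" if with_fix else "")
                                + "include firefox.profile\n"),
    }
    for name, text in files.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as handle:
            handle.write(text)


def demo():
    """Check the Thunderbird profile without and with the `ignore` line."""
    results = {}
    for label, with_fix in (("before", False), ("after", True)):
        with tempfile.TemporaryDirectory() as root:
            build_sample(root, with_fix)
            results[label] = foreign_joins("thunderbird.profile", [root])
    return results


if __name__ == "__main__":
    for label, found in demo().items():
        print(label, found)
```

To check a real installation, pass the directories that appear in this thread, for example `foreign_joins("thunderbird.profile", [os.path.expanduser("~/.config/firejail"), "/etc/firejail"])`.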


@HidingCherry commented on GitHub (Mar 25, 2020):

@rusty-snake I might have another solution but this is out of firejail's possibilities I think.
I modified `~/.local/share/applications/firefox.desktop` to this:
`Exec=firejail --profile=firefox --join-or-start=firefox firefox %u`
And `~/.local/share/applications/thunderbird.desktop` to this:
`Exec=/usr/bin/firejail --profile=thunderbird --join-or-start=thunderbird thunderbird %u`

After a restart of thunderbird it ran in a different jail than firefox but opened a link in the correct firefox window.


@rusty-snake commented on GitHub (Mar 25, 2020):

FYI: #3294

or easier: `echo "join-or-start firefox" >> ~/.config/firejail/firefox.local` and same for thunderbird.

PS: the `--profile` arguments are unnecessary.


@HidingCherry commented on GitHub (Mar 25, 2020):

> or easier: `echo "join-or-start firefox" >> ~/.config/firejail/firefox.local` and same for thunderbird.

This would result in every firefox instance running in the jail "firefox", but I actually use a firefox-home and a firefox-uni (university) jail, that's why I can't do that.
(Soon I'll also do it for thunderbird.)

> PS: the `--profile` arguments are unnecessary.

The `--profile` argument is (in my opinion) necessary because otherwise thunderbird has no jail in firejail --list.
Right now:

```
firejail --list
29222:anonymous:firefox-home:firejail --profile=firefox --join-or-start=firefox-home firefox -P Parrot
38770:anonymous:thunderbird-home:/usr/bin/firejail --profile=thunderbird --join-or-start=thunderbird-home thunderbird
```

@rusty-snake commented on GitHub (Mar 25, 2020):

> but I actually use a firefox-home and a firefox-uni (university) jail,

Ok, that's a special case where it is easier with the .desktop file. Only alternative would be `--join-or-start=firefox-uni --ignore=join-or-start`.

> The --profile argument is (in my opinion) necessary

If you have `Exec=firejail thunderbird` firejail will automatically pick `thunderbird.profile`. `--profile` is only necessary if you have `firejail --profile=thunderbird bash` or `firejail --profile=thunderbird thunderbird.wrapper`.


@HidingCherry commented on GitHub (Mar 25, 2020):

> Ok, that's a special case where it is easier with the .desktop file. Only alternative would be --join-or-start=firefox-uni --ignore=join-or-start.

Yeah, that's an idea.

> > The --profile argument is (in my opinion) necessary
>
> If you have `Exec=firejail thunderbird` firejail will automatically pick `thunderbird.profile`. `--profile` is only necessary if you have `firejail --profile=thunderbird bash` or `firejail --profile=thunderbird thunderbird.wrapper`.

Sadly no. Look at this:
Before running `firejail thunderbird`

```
$firejail --list
29222:anonymous:firefox-home:firejail --profile=firefox --join-or-start=firefox-home firefox -P Parrot
```

After running `firejail thunderbird`

```
$firejail --list
29222:anonymous:firefox-home:firejail --profile=firefox --join-or-start=firefox-home firefox -P Parrot
56082:anonymous::firejail thunderbird
```

Probably because of this in thunderbird.profile to get the initial issue of this ticket solved:

 # allow browsers  
 # Redirect
 # Uncomment if you use enigmail
 ignore nodbus
+ignore join-or-start
 include firefox.profile
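
Review bot: with `ignore join-or-start` placed ahead of `include firefox.profile`, nothing left in this profile gives the sandbox a name, which matches the empty name field in the `56082:anonymous::firejail thunderbird` entry above. The process is still sandboxed; if a name is wanted for `firejail --list` or for joining later, set one explicitly on the command line with `--name=thunderbird` rather than relying on the inherited directive.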

@rusty-snake commented on GitHub (Mar 25, 2020):

> After running firejail thunderbird

this shows that TB is sandboxed. IDK what you mean with "otherwise thunderbird has no jail in firejail --list."


@HidingCherry commented on GitHub (Mar 25, 2020):

Ok, then I misinterpreted it.
I thought the empty jailname meant that thunderbird was not jailed or not jailed correctly.
