github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #2987] Issues with using Firefox addon VideoDownloadHelper's "companion app" #1868

New issue
Closed
opened 2026-05-05 08:32:08 -06:00 by gitea-mirror · 19 comments
gitea-mirror commented 2026-05-05 08:32:08 -06:00
Owner
Copy link

Originally created by @bobafetthotmail on GitHub (Oct 2, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2987

The popular extension VideoDownloadHelper (for both Firefox and Chrome) relies on an additional application https://www.downloadhelper.net/install-coapp?browser=firefox to be able to download high-resolution media.

I've extracted the archive in (HOME)/dwhelper/net.downloadhelper.coapp/ and ran the "user installation" (which is just generating a config file that links to the application, as I documented here https://github.com/mi-g/vdhcoapp/issues/47#issuecomment-537663897 )

These are the contents of that folder


ls -lR /home/alby/dwhelper/net.downloadhelper.coapp/
/home/alby/dwhelper/net.downloadhelper.coapp/:
total 28
drwxr-xr-x 1 alby users    82 28 lug  2018 bin
-rw-r--r-- 1 alby users   456  4 lug  2018 config.json
drwxr-xr-x 1 alby users    10 28 lug  2018 converter
-rw-r--r-- 1 alby users 18092 25 ott  2017 LICENSE.txt
-rw-r--r-- 1 alby users   571 25 ott  2017 README.txt

/home/alby/dwhelper/net.downloadhelper.coapp/bin:
total 56152
-rwxr-xr-x 1 alby users 57467401  4 lug  2018 net.downloadhelper.coapp-linux-64
-rwxr-xr-x 1 alby users    25047  4 lug  2018 xdg-open

/home/alby/dwhelper/net.downloadhelper.coapp/converter:
total 0
drwxr-xr-x 1 alby users 10  4 lug  2018 build

/home/alby/dwhelper/net.downloadhelper.coapp/converter/build:
total 0
drwxr-xr-x 1 alby users 4  4 lug  2018 linux

/home/alby/dwhelper/net.downloadhelper.coapp/converter/build/linux:
total 0
drwxr-xr-x 1 alby users 1136  4 lug  2018 64

/home/alby/dwhelper/net.downloadhelper.coapp/converter/build/linux/64:
total 34224
-rwxr-xr-x 1 alby users   255208 24 mag  2018 ffmpeg
-rwxr-xr-x 1 alby users   127656 24 mag  2018 ffplay
-rwxr-xr-x 1 alby users   147616 24 mag  2018 ffprobe
-rwxr-xr-x 1 alby users 13381168 24 mag  2018 libavcodec.so.58
-rwxr-xr-x 1 alby users    96512 24 mag  2018 libavdevice.so.58
-rwxr-xr-x 1 alby users  2730520 24 mag  2018 libavfilter.so.7
-rwxr-xr-x 1 alby users  2391392 24 mag  2018 libavformat.so.58
-rwxr-xr-x 1 alby users   129472 24 mag  2018 libavresample.so.4
-rwxr-xr-x 1 alby users   416528 24 mag  2018 libavutil.so.56
-rwxr-xr-x 1 alby users    66984 24 mag  2018 libbz2.so.1.0
-rwxr-xr-x 1 alby users   585392 24 mag  2018 libmp3lame.so.0
-rwxr-xr-x 1 alby users    44184 24 mag  2018 libnuma.so.1
-rwxr-xr-x 1 alby users    26888 24 mag  2018 libogg.so.0
-rwxr-xr-x 1 alby users   170104 24 mag  2018 libopencore-amrnb.so.0
-rwxr-xr-x 1 alby users    79920 24 mag  2018 libopencore-amrwb.so.0
-rw-r--r-- 1 alby users   307304 24 mag  2018 libopenjp2.so.7
-rwxr-xr-x 1 alby users   330136 24 mag  2018 libopus.so.0
-rwxr-xr-x 1 alby users   525360 24 mag  2018 liborc-0.4.so.0
-rwxr-xr-x 1 alby users    31152 24 mag  2018 liborc-test-0.4.so.0
-rwxr-xr-x 1 alby users   112912 24 mag  2018 libpostproc.so.55
-rwxr-xr-x 1 alby users   117152 24 mag  2018 libswresample.so.3
-rwxr-xr-x 1 alby users   526736 24 mag  2018 libswscale.so.5
-rwxr-xr-x 1 alby users    96656 24 mag  2018 libtheoradec.so.1
-rwxr-xr-x 1 alby users   260496 24 mag  2018 libtheoraenc.so.1
-rwxr-xr-x 1 alby users   305472 24 mag  2018 libtheora.so.0
-rwxr-xr-x 1 alby users   107248 24 mag  2018 libvo-amrwbenc.so.0
-rwxr-xr-x 1 alby users   706768 24 mag  2018 libvorbisenc.so.2
-rwxr-xr-x 1 alby users    39400 24 mag  2018 libvorbisfile.so.3
-rwxr-xr-x 1 alby users   232232 24 mag  2018 libvorbis.so.0
-rwxr-xr-x 1 alby users  3672648 24 mag  2018 libvpx.so.5
-rwxr-xr-x 1 alby users   215544 24 mag  2018 libwebpdecoder.so.3
-rwxr-xr-x 1 alby users    18640 24 mag  2018 libwebpdemux.so.2
-rwxr-xr-x 1 alby users    43360 24 mag  2018 libwebpmux.so.3
-rwxr-xr-x 1 alby users   416440 24 mag  2018 libwebp.so.7
-rwxr-xr-x 1 alby users   973784 24 mag  2018 libx264.so.152
-rwxr-xr-x 1 alby users  4679048 24 mag  2018 libx265.so.130
-rw-r--r-- 1 alby users   494792 24 mag  2018 libxvidcore.so.4
-rwxr-xr-x 1 alby users   113152 24 mag  2018 libz.so.1

and then tried adding things to the /etc/firejail/firefox-common-addons.inc
until I ended up with these additions

noblacklist ${HOME}/dwhelper
mkdir ${HOME}/dwhelper
whitelist ${HOME}/dwhelper

mkdir ${HOME}/dwhelper/net.downloadhelper.coapp/
mkdir ${HOME}/dwhelper/net.downloadhelper.coapp/bin
mkdir ${HOME}/dwhelper/net.downloadhelper.coapp/converter
whitelist ${HOME}/dwhelper/net.downloadhelper.coapp/
whitelist ${HOME}/dwhelper/net.downloadhelper.coapp/bin
whitelist ${HOME}/dwhelper/net.downloadhelper.coapp/converter

And each time I restarted Firefox. But it does not seem to work, the addon can't find its "companion app". Anyone has some advice?

EDIT: If I place the "companion app" in the /downloads folder (which is whitelisted and accessible by default) I get

Failed to execute command "/home/alby/Downloads/net.downloadhelper.coapp/bin/net.downloadhelper.coapp-linux-64"

as error message in the addon when I ask it to detect the presence of its "companion app"

Originally created by @bobafetthotmail on GitHub (Oct 2, 2019). Original GitHub issue: https://github.com/netblue30/firejail/issues/2987 The popular extension VideoDownloadHelper (for both Firefox and Chrome) relies on an additional application https://www.downloadhelper.net/install-coapp?browser=firefox to be able to download high-resolution media. I've extracted the archive in (HOME)/dwhelper/net.downloadhelper.coapp/ and ran the "user installation" (which is just generating a config file that links to the application, as I documented here https://github.com/mi-g/vdhcoapp/issues/47#issuecomment-537663897 ) These are the contents of that folder ``` ls -lR /home/alby/dwhelper/net.downloadhelper.coapp/ /home/alby/dwhelper/net.downloadhelper.coapp/: total 28 drwxr-xr-x 1 alby users 82 28 lug 2018 bin -rw-r--r-- 1 alby users 456 4 lug 2018 config.json drwxr-xr-x 1 alby users 10 28 lug 2018 converter -rw-r--r-- 1 alby users 18092 25 ott 2017 LICENSE.txt -rw-r--r-- 1 alby users 571 25 ott 2017 README.txt /home/alby/dwhelper/net.downloadhelper.coapp/bin: total 56152 -rwxr-xr-x 1 alby users 57467401 4 lug 2018 net.downloadhelper.coapp-linux-64 -rwxr-xr-x 1 alby users 25047 4 lug 2018 xdg-open /home/alby/dwhelper/net.downloadhelper.coapp/converter: total 0 drwxr-xr-x 1 alby users 10 4 lug 2018 build /home/alby/dwhelper/net.downloadhelper.coapp/converter/build: total 0 drwxr-xr-x 1 alby users 4 4 lug 2018 linux /home/alby/dwhelper/net.downloadhelper.coapp/converter/build/linux: total 0 drwxr-xr-x 1 alby users 1136 4 lug 2018 64 /home/alby/dwhelper/net.downloadhelper.coapp/converter/build/linux/64: total 34224 -rwxr-xr-x 1 alby users 255208 24 mag 2018 ffmpeg -rwxr-xr-x 1 alby users 127656 24 mag 2018 ffplay -rwxr-xr-x 1 alby users 147616 24 mag 2018 ffprobe -rwxr-xr-x 1 alby users 13381168 24 mag 2018 libavcodec.so.58 -rwxr-xr-x 1 alby users 96512 24 mag 2018 libavdevice.so.58 -rwxr-xr-x 1 alby users 2730520 24 mag 2018 libavfilter.so.7 -rwxr-xr-x 1 alby users 2391392 24 mag 2018 libavformat.so.58 -rwxr-xr-x 1 alby users 129472 24 mag 2018 libavresample.so.4 -rwxr-xr-x 1 alby users 416528 24 mag 2018 libavutil.so.56 -rwxr-xr-x 1 alby users 66984 24 mag 2018 libbz2.so.1.0 -rwxr-xr-x 1 alby users 585392 24 mag 2018 libmp3lame.so.0 -rwxr-xr-x 1 alby users 44184 24 mag 2018 libnuma.so.1 -rwxr-xr-x 1 alby users 26888 24 mag 2018 libogg.so.0 -rwxr-xr-x 1 alby users 170104 24 mag 2018 libopencore-amrnb.so.0 -rwxr-xr-x 1 alby users 79920 24 mag 2018 libopencore-amrwb.so.0 -rw-r--r-- 1 alby users 307304 24 mag 2018 libopenjp2.so.7 -rwxr-xr-x 1 alby users 330136 24 mag 2018 libopus.so.0 -rwxr-xr-x 1 alby users 525360 24 mag 2018 liborc-0.4.so.0 -rwxr-xr-x 1 alby users 31152 24 mag 2018 liborc-test-0.4.so.0 -rwxr-xr-x 1 alby users 112912 24 mag 2018 libpostproc.so.55 -rwxr-xr-x 1 alby users 117152 24 mag 2018 libswresample.so.3 -rwxr-xr-x 1 alby users 526736 24 mag 2018 libswscale.so.5 -rwxr-xr-x 1 alby users 96656 24 mag 2018 libtheoradec.so.1 -rwxr-xr-x 1 alby users 260496 24 mag 2018 libtheoraenc.so.1 -rwxr-xr-x 1 alby users 305472 24 mag 2018 libtheora.so.0 -rwxr-xr-x 1 alby users 107248 24 mag 2018 libvo-amrwbenc.so.0 -rwxr-xr-x 1 alby users 706768 24 mag 2018 libvorbisenc.so.2 -rwxr-xr-x 1 alby users 39400 24 mag 2018 libvorbisfile.so.3 -rwxr-xr-x 1 alby users 232232 24 mag 2018 libvorbis.so.0 -rwxr-xr-x 1 alby users 3672648 24 mag 2018 libvpx.so.5 -rwxr-xr-x 1 alby users 215544 24 mag 2018 libwebpdecoder.so.3 -rwxr-xr-x 1 alby users 18640 24 mag 2018 libwebpdemux.so.2 -rwxr-xr-x 1 alby users 43360 24 mag 2018 libwebpmux.so.3 -rwxr-xr-x 1 alby users 416440 24 mag 2018 libwebp.so.7 -rwxr-xr-x 1 alby users 973784 24 mag 2018 libx264.so.152 -rwxr-xr-x 1 alby users 4679048 24 mag 2018 libx265.so.130 -rw-r--r-- 1 alby users 494792 24 mag 2018 libxvidcore.so.4 -rwxr-xr-x 1 alby users 113152 24 mag 2018 libz.so.1 ``` and then tried adding things to the **/etc/firejail/firefox-common-addons.inc** until I ended up with these additions ``` noblacklist ${HOME}/dwhelper mkdir ${HOME}/dwhelper whitelist ${HOME}/dwhelper mkdir ${HOME}/dwhelper/net.downloadhelper.coapp/ mkdir ${HOME}/dwhelper/net.downloadhelper.coapp/bin mkdir ${HOME}/dwhelper/net.downloadhelper.coapp/converter whitelist ${HOME}/dwhelper/net.downloadhelper.coapp/ whitelist ${HOME}/dwhelper/net.downloadhelper.coapp/bin whitelist ${HOME}/dwhelper/net.downloadhelper.coapp/converter ``` And each time I restarted Firefox. But it does not seem to work, the addon can't find its "companion app". Anyone has some advice? EDIT: If I place the "companion app" in the /downloads folder (which is whitelisted and accessible by default) I get `Failed to execute command "/home/alby/Downloads/net.downloadhelper.coapp/bin/net.downloadhelper.coapp-linux-64"` as error message in the addon when I ask it to detect the presence of its "companion app"
gitea-mirror commented 2026-05-05 08:32:10 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Oct 2, 2019):

  1. Do you include the firefox-common-addons.inc profile?
  2. No trailing slashes for mkdir/whitelist
  3. whitelist ${HOME}/dwhelper should be enought.
  4. Set browser-allow-drm yes in firejail.config
<!-- gh-comment-id:537690692 --> @rusty-snake commented on GitHub (Oct 2, 2019): 1. Do you include the firefox-common-addons.inc profile? 2. No trailing slashes for `mkdir`/`whitelist` 3. `whitelist ${HOME}/dwhelper` should be enought. 4. Set `browser-allow-drm yes` in `firejail.config`
gitea-mirror commented 2026-05-05 08:32:11 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Oct 2, 2019):

firejail --whitelist='${HOME}/dwhelper --ignore='noexec ${HOME}' firefox

<!-- gh-comment-id:537691066 --> @rusty-snake commented on GitHub (Oct 2, 2019): `firejail --whitelist='${HOME}/dwhelper --ignore='noexec ${HOME}' firefox`
gitea-mirror commented 2026-05-05 08:32:13 -06:00
Author
Owner
Copy link

@bobafetthotmail commented on GitHub (Oct 2, 2019):

  1. I thought it was included, but you are right, it's not included. I have now uncommented its include line in firefox-common.inc

2 and 3. ok removing other lines

  1. done this too

As for your second post, I can't run firefox (or thunderbird) from commandline. Other applications (say filezilla) can be called from command line like that.

I converted the "ignore noexec" into configuration.

Now I have added only
whitelist ${HOME}/dwhelper
ignore noexec ${HOME}/dwhelper
to firefox-common-addons.inc

And something is different. Instead of giving "unknown issue" I get

Checking companion app returned: Failed to execute command "/home/alby/dwhelper/net.downloadhelper.coapp/bin/net.downloadhelper.coapp-linux-64"

Closer, but still no cigar.

<!-- gh-comment-id:537701135 --> @bobafetthotmail commented on GitHub (Oct 2, 2019): 1. I thought it was included, but you are right, it's not included. I have now uncommented its include line in **firefox-common.inc** 2 and 3. ok removing other lines 4. done this too As for your second post, I can't run firefox (or thunderbird) from commandline. Other applications (say filezilla) can be called from command line like that. I converted the "ignore noexec" into configuration. Now I have added only `whitelist ${HOME}/dwhelper` `ignore noexec ${HOME}/dwhelper` to firefox-common-addons.inc And something is different. Instead of giving "unknown issue" I get `Checking companion app returned: Failed to execute command "/home/alby/dwhelper/net.downloadhelper.coapp/bin/net.downloadhelper.coapp-linux-64"` Closer, but still no cigar.
gitea-mirror commented 2026-05-05 08:32:14 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Oct 2, 2019):

ignore noexec ${HOME}/dwhelper -> ignore noexec ${HOME}
which firejail version?

BTW: ignore noexec ${HOME} and browser-allow-drm yes are the same.
`

<!-- gh-comment-id:537702618 --> @rusty-snake commented on GitHub (Oct 2, 2019): `ignore noexec ${HOME}/dwhelper` -> `ignore noexec ${HOME}` which firejail version? BTW: `ignore noexec ${HOME}` and `browser-allow-drm yes` are the same. `
gitea-mirror commented 2026-05-05 08:32:15 -06:00
Author
Owner
Copy link

@bobafetthotmail commented on GitHub (Oct 2, 2019):

Changed to ignore noexec ${HOME}, still the same error as above.

I'm running OpenSUSE Tumbleweed, and latest Firejail release, from what I can tell

firejail --version
firejail version 0.9.60

Compile time support:
        - AppArmor support is enabled
        - AppImage support is enabled
        - chroot support is enabled
        - file and directory whitelisting support is enabled
        - file transfer support is enabled
        - networking support is enabled
        - overlayfs support is enabled
        - private-home support is enabled
        - seccomp-bpf support is enabled
        - user namespace support is enabled
        - X11 sandboxing support is enabled
<!-- gh-comment-id:537703676 --> @bobafetthotmail commented on GitHub (Oct 2, 2019): Changed to `ignore noexec ${HOME}`, still the same error as above. I'm running OpenSUSE Tumbleweed, and latest Firejail release, from what I can tell ``` firejail --version firejail version 0.9.60 Compile time support: - AppArmor support is enabled - AppImage support is enabled - chroot support is enabled - file and directory whitelisting support is enabled - file transfer support is enabled - networking support is enabled - overlayfs support is enabled - private-home support is enabled - seccomp-bpf support is enabled - user namespace support is enabled - X11 sandboxing support is enabled ```
gitea-mirror commented 2026-05-05 08:32:16 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Oct 2, 2019):

NOTE: whitelist ${HOME}/dwhelper should already in firefox-common-addons.inc

Does net.downloadhelper.coapp-linux-64 need an interpreter like python? or is it an ELF file?

<!-- gh-comment-id:537704535 --> @rusty-snake commented on GitHub (Oct 2, 2019): NOTE: `whitelist ${HOME}/dwhelper` should already in firefox-common-addons.inc Does `net.downloadhelper.coapp-linux-64` need an interpreter like python? or is it an ELF file?
gitea-mirror commented 2026-05-05 08:32:17 -06:00
Author
Owner
Copy link

@bobafetthotmail commented on GitHub (Oct 2, 2019):

Yes it shows as ELF if I open it with a hex editor.
The application https://github.com/mi-g/vdhcoapp is actually javascript and very light, so I think that binary is an all-in-one javascript runtime + dependencies + application.

It seems to be "compiled" with npm (Node JS), only other application it needs is the (static? I don't know) ffmpeg it ships in its own folder
/home/alby/dwhelper/net.downloadhelper.coapp/converter/build/linux/64/

<!-- gh-comment-id:537708935 --> @bobafetthotmail commented on GitHub (Oct 2, 2019): Yes it shows as ELF if I open it with a hex editor. The application https://github.com/mi-g/vdhcoapp is actually javascript and very light, so I think that binary is an all-in-one javascript runtime + dependencies + application. It seems to be "compiled" with npm (Node JS), only other application it needs is the (static? I don't know) ffmpeg it ships in its own folder `/home/alby/dwhelper/net.downloadhelper.coapp/converter/build/linux/64/`
gitea-mirror commented 2026-05-05 08:32:17 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Oct 2, 2019):

Can it be execute with firejail --profile=firefox /home/alby/dwhelper/net.downloadhelper.coapp/bin/net.downloadhelper.coapp-linux-64?

<!-- gh-comment-id:537710864 --> @rusty-snake commented on GitHub (Oct 2, 2019): Can it be execute with `firejail --profile=firefox /home/alby/dwhelper/net.downloadhelper.coapp/bin/net.downloadhelper.coapp-linux-64`?
gitea-mirror commented 2026-05-05 08:32:18 -06:00
Author
Owner
Copy link

@bobafetthotmail commented on GitHub (Oct 2, 2019):

It seems so. If started with no arguments it sits there not printing nothing on console until i Ctrl+C and then it closes, like it does if I invoke it without firejail.

firejail --profile=firefox /home/alby/dwhelper/net.downloadhelper.coapp/bin/net.downloadhelper.coapp-linux-64
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/firefox-common-addons.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 21567, child pid 21568
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Post-exec seccomp protector enabled
Seccomp list in: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice, check list: @default-keep, prelist: adjtimex,clock_adjtime,clock_settime,settimeofday,modify_ldt,lookup_dcookie,perf_event_open,process_vm_writev,delete_module,finit_module,init_module,_sysctl,afs_syscall,create_module,get_kernel_syms,getpmsg,putpmsg,query_module,security,sysfs,tuxcall,uselib,ustat,vserver,ioperm,iopl,kexec_load,kexec_file_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount2,userfaultfd,vhangup,vmsplice,
Child process initialized in 129.31 ms
^C
Parent received signal 2, shutting down the child process...

Child received signal 2, shutting down the sandbox...

Parent is shutting down, bye...

This is with the "install" command so it can actually answer something on the terminal, the

"VdhCoApp: VdhCoApp is ready to be used"

is the application output.

firejail --profile=firefox /home/alby/dwhelper/net.downloadhelper.coapp/bin/net.downloadhelper.coapp-linux-64 install --user
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/firefox-common-addons.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 21597, child pid 21598
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Post-exec seccomp protector enabled
Seccomp list in: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice, check list: @default-keep, prelist: adjtimex,clock_adjtime,clock_settime,settimeofday,modify_ldt,lookup_dcookie,perf_event_open,process_vm_writev,delete_module,finit_module,init_module,_sysctl,afs_syscall,create_module,get_kernel_syms,getpmsg,putpmsg,query_module,security,sysfs,tuxcall,uselib,ustat,vserver,ioperm,iopl,kexec_load,kexec_file_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount2,userfaultfd,vhangup,vmsplice,
Child process initialized in 132.44 ms
VdhCoApp: VdhCoApp is ready to be used

Parent is shutting down, bye...
<!-- gh-comment-id:537712165 --> @bobafetthotmail commented on GitHub (Oct 2, 2019): It seems so. If started with no arguments it sits there not printing nothing on console until i Ctrl+C and then it closes, like it does if I invoke it without firejail. ``` firejail --profile=firefox /home/alby/dwhelper/net.downloadhelper.coapp/bin/net.downloadhelper.coapp-linux-64 Reading profile /etc/firejail/firefox.profile Reading profile /etc/firejail/firefox-common.profile Reading profile /etc/firejail/firefox-common-addons.inc Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-exec.inc Reading profile /etc/firejail/disable-interpreters.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/whitelist-common.inc Reading profile /etc/firejail/whitelist-var-common.inc Parent pid 21567, child pid 21568 Warning: cleaning all supplementary groups Warning: cleaning all supplementary groups Warning: cleaning all supplementary groups Warning: cleaning all supplementary groups Post-exec seccomp protector enabled Seccomp list in: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice, check list: @default-keep, prelist: adjtimex,clock_adjtime,clock_settime,settimeofday,modify_ldt,lookup_dcookie,perf_event_open,process_vm_writev,delete_module,finit_module,init_module,_sysctl,afs_syscall,create_module,get_kernel_syms,getpmsg,putpmsg,query_module,security,sysfs,tuxcall,uselib,ustat,vserver,ioperm,iopl,kexec_load,kexec_file_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount2,userfaultfd,vhangup,vmsplice, Child process initialized in 129.31 ms ^C Parent received signal 2, shutting down the child process... Child received signal 2, shutting down the sandbox... Parent is shutting down, bye... ``` This is with the "install" command so it can actually answer something on the terminal, the "VdhCoApp: VdhCoApp is ready to be used" is the application output. ``` firejail --profile=firefox /home/alby/dwhelper/net.downloadhelper.coapp/bin/net.downloadhelper.coapp-linux-64 install --user Reading profile /etc/firejail/firefox.profile Reading profile /etc/firejail/firefox-common.profile Reading profile /etc/firejail/firefox-common-addons.inc Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-exec.inc Reading profile /etc/firejail/disable-interpreters.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/whitelist-common.inc Reading profile /etc/firejail/whitelist-var-common.inc Parent pid 21597, child pid 21598 Warning: cleaning all supplementary groups Warning: cleaning all supplementary groups Warning: cleaning all supplementary groups Warning: cleaning all supplementary groups Post-exec seccomp protector enabled Seccomp list in: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice, check list: @default-keep, prelist: adjtimex,clock_adjtime,clock_settime,settimeofday,modify_ldt,lookup_dcookie,perf_event_open,process_vm_writev,delete_module,finit_module,init_module,_sysctl,afs_syscall,create_module,get_kernel_syms,getpmsg,putpmsg,query_module,security,sysfs,tuxcall,uselib,ustat,vserver,ioperm,iopl,kexec_load,kexec_file_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount2,userfaultfd,vhangup,vmsplice, Child process initialized in 132.44 ms VdhCoApp: VdhCoApp is ready to be used Parent is shutting down, bye... ```
gitea-mirror commented 2026-05-05 08:32:18 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Oct 3, 2019):

Hmm, the profile allows executeing this file, but VDH can't execute it. Can you check if it works with firejail --noprofile firefox so we can see if we need to tune the profile or the issues is deeper.

<!-- gh-comment-id:537846982 --> @rusty-snake commented on GitHub (Oct 3, 2019): Hmm, the profile allows executeing this file, but VDH can't execute it. Can you check if it works with `firejail --noprofile firefox` so we can see if we need to tune the profile or the issues is deeper.
gitea-mirror commented 2026-05-05 08:32:19 -06:00
Author
Owner
Copy link

@Vincent43 commented on GitHub (Oct 3, 2019):

It may be blocked by apparmor. Please try ignore apparmor in firefox.local.

<!-- gh-comment-id:537872976 --> @Vincent43 commented on GitHub (Oct 3, 2019): It may be blocked by apparmor. Please try `ignore apparmor` in `firefox.local`.
gitea-mirror commented 2026-05-05 08:32:19 -06:00
Author
Owner
Copy link

@bobafetthotmail commented on GitHub (Oct 5, 2019):

tried with ignore apparmor and no difference.

firejail --noprofile firefox works and the addon can detect its "companion app", as I understand this command is running with firejail disabled. I can also call firefox manually from its actual binary path and it also works fine.
I mean, it worked fine up and until I installed firejail and ran firecfg to create the symlinks, I'm pretty sure that the issue is in firejail or its profiles.

<!-- gh-comment-id:538637308 --> @bobafetthotmail commented on GitHub (Oct 5, 2019): tried with `ignore apparmor` and no difference. `firejail --noprofile firefox` works and the addon can detect its "companion app", as I understand this command is running with firejail disabled. I can also call firefox manually from its actual binary path and it also works fine. I mean, it worked fine up and until I installed firejail and ran firecfg to create the symlinks, I'm pretty sure that the issue is in firejail or its profiles.
gitea-mirror commented 2026-05-05 08:32:19 -06:00
Author
Owner
Copy link

@pizzadude commented on GitHub (Oct 5, 2019):

Can you try this? This works for me:

put this in ~/.config/firejail/firefox.local

noblacklist ~/net.downloadhelper.coapp
whitelist ~/net.downloadhelper.coapp

(Change the path to where you have it installed)
Also make sure you do this: ~/net.downloadhelper.coapp/bin/net.downloadhelper.coapp-linux-64 install --user

It works since forever in firejail stable, and git versions (currently running from latest git)

<!-- gh-comment-id:538641129 --> @pizzadude commented on GitHub (Oct 5, 2019): Can you try this? This works for me: put this in ~/.config/firejail/firefox.local noblacklist ~/net.downloadhelper.coapp whitelist ~/net.downloadhelper.coapp (Change the path to where you have it installed) Also make sure you do this: ~/net.downloadhelper.coapp/bin/net.downloadhelper.coapp-linux-64 install --user It works since forever in firejail stable, and git versions (currently running from latest git)
gitea-mirror commented 2026-05-05 08:32:20 -06:00
Author
Owner
Copy link

@bobafetthotmail commented on GitHub (Oct 5, 2019):

Hm, what you did isn't different from what I also tried (I just edited the main config files, that would be overwritten on update).

I just tried and your method does not work for me.

Maybe this is a distro default configuration of something? What is your distro?

<!-- gh-comment-id:538645189 --> @bobafetthotmail commented on GitHub (Oct 5, 2019): Hm, what you did isn't different from what I also tried (I just edited the main config files, that would be overwritten on update). I just tried and your method does not work for me. Maybe this is a distro default configuration of something? What is your distro?
gitea-mirror commented 2026-05-05 08:32:20 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Oct 5, 2019):

@bobafetthotmail have you edited some thing else? e.g. private-bin

<!-- gh-comment-id:538646174 --> @rusty-snake commented on GitHub (Oct 5, 2019): @bobafetthotmail have you edited some thing else? e.g. `private-bin`
gitea-mirror commented 2026-05-05 08:32:21 -06:00
Author
Owner
Copy link

@pizzadude commented on GitHub (Oct 5, 2019):

@bobafetthotmail My distro is Fedora 31. I am running firejail from git.

<!-- gh-comment-id:538647484 --> @pizzadude commented on GitHub (Oct 5, 2019): @bobafetthotmail My distro is Fedora 31. I am running firejail from git.
gitea-mirror commented 2026-05-05 08:32:21 -06:00
Author
Owner
Copy link

@bobafetthotmail commented on GitHub (Oct 5, 2019):

No I didn't edit anything more than what I said here or you recommended. I rolled back any change to defaults when I tested @pizzadude firefox.local

But I tried adding ignore apparmor to @pizzadude firefox.local because of what I've seen below, and now it is working.

Any way forward?

@bobafetthotmail My distro is Fedora 31. I am running firejail from git.

Hm, Fedora uses SELinux and not AppArmor. The AppArmor config is getting in the way here.

In Yast (graphical system configuration manager for OpenSUSE) I see that AppArmor has an "audit module" and if I ask it to read the logs it does ask me to do something about the problem at hand.

Execute: /home/alby/dwhelper/net.downloadhelper.coapp/bin/net.downloadhelper.coapp-linux-64
Severity 0:

And then a row of buttons:

Inherit | Child | Profile | Named | Unconfined | X ix On | Deny | Abort | Finish

I don't know what I should answer, or if this is even supposed to happen (isn't firejail supposed to deal with apparmor on its own?) .

I've answered "Abort" and this closes the window without taking any decision.

Any ideas?

<!-- gh-comment-id:538663543 --> @bobafetthotmail commented on GitHub (Oct 5, 2019): No I didn't edit anything more than what I said here or you recommended. I rolled back any change to defaults when I tested @pizzadude firefox.local But I tried adding `ignore apparmor` to @pizzadude firefox.local because of what I've seen below, and now it is working. Any way forward? > @bobafetthotmail My distro is Fedora 31. I am running firejail from git. Hm, Fedora uses SELinux and not AppArmor. The AppArmor config is getting in the way here. In Yast (graphical system configuration manager for OpenSUSE) I see that AppArmor has an "audit module" and if I ask it to read the logs it does ask me to do something about the problem at hand. ``` Execute: /home/alby/dwhelper/net.downloadhelper.coapp/bin/net.downloadhelper.coapp-linux-64 Severity 0: ``` And then a row of buttons: `Inherit | Child | Profile | Named | Unconfined | X ix On | Deny | Abort | Finish` I don't know what I should answer, or if this is even supposed to happen (isn't firejail supposed to deal with apparmor on its own?) . I've answered "Abort" and this closes the window without taking any decision. Any ideas?
gitea-mirror commented 2026-05-05 08:32:21 -06:00
Author
Owner
Copy link

@Vincent43 commented on GitHub (Oct 5, 2019):

You have two choices:

  1. Adding ignore apparmor to firefox.local
  2. Adding /home/alby/dwhelper/net.downloadhelper.coapp/bin/** ix, to /etc/apparmor.d/local/firejail-local and restart apparmor or reboot
<!-- gh-comment-id:538667565 --> @Vincent43 commented on GitHub (Oct 5, 2019): You have two choices: 1. Adding `ignore apparmor` to `firefox.local` 2. Adding `/home/alby/dwhelper/net.downloadhelper.coapp/bin/** ix,` to `/etc/apparmor.d/local/firejail-local` and restart apparmor or reboot
gitea-mirror commented 2026-05-05 08:32:22 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Nov 10, 2019):

@bobafetthotmail
I'm closing here due to inactivity, please fell free to request reopen if you still have this issue.

<!-- gh-comment-id:552182346 --> @rusty-snake commented on GitHub (Nov 10, 2019): @bobafetthotmail I'm closing here due to inactivity, please fell free to request reopen if you still have this issue.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#1868
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?