[GH-ISSUE #3007] Firenvim extension to firefox #1882

Closed
opened 2026-05-05 08:33:09 -06:00 by gitea-mirror · 2 comments

Originally created by @b33rcity on GitHub (Oct 21, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3007

  • OS Version: Fedora 30
  • Browser Version: Firefox 69

I'm wondering if anyone has successfully used [firenvim](https://github.com/glacambre/firenvim) with a sandboxed Firefox?

I ran firefox in- and outside of a firejail sandbox and lsof on the nvim process to get some clues about what to whitelist. With sandbox:

```
COMMAND  PID USER   FD      TYPE DEVICE SIZE/OFF NODE NAME
nvim    3415   d9  cwd   unknown                      /proc/3415/cwd (readlink: Permission denied)
...
```

and a few dozen more `/proc/<PID>/` entries with the same permission denied error when using the sandbox. Without the sandbox, there would be entries including the libraries nvim is linked against, nvim's own binary, a couple dozen unix sockets, and a TCP socket (firenvim uses a WebSocket to do RPC with nvim). This isn't surprising, of course--I'm just not sure what to do about it.

I created ~/.config/firejail/firefox.local with this content:

```
noblacklist ${HOME}/.config/nvim/
noblacklist ${HOME}/.local/share/nvim/
noblacklist ${HOME}/.local/share/firenvim
whitelist ${HOME}/.config/nvim/
whitelist ${HOME}/.local/share/nvim/
whitelist ${HOME}/.local/share/firenvim
```

and this allowed the extension itself to work. I suspect I would need to add `private-lib` and `private-bin` so the sandbox can access those, as well as some permissions for the TCP listener...

And before I go down that rabbit-hole, I figured I should see if my approach here is even a good one. That is, my idea here is to run the nvim instance inside the same sandbox as firefox by changing firenvim's shell script from `exec nvim` to `exec firejail --join=firefox nvim`. Should I be approaching this differently? Or am I just a couple more whitelists away from success?

gitea-mirror 2026-05-05 08:33:09 -06:00

@rusty-snake commented on GitHub (Oct 28, 2019):

Does it work with `--noprofile`?


@rusty-snake commented on GitHub (Dec 14, 2019):

@b33rcity
I'm closing here due to inactivity, please feel free to reopen if you have more questions.

Reference: github-starred/firejail#1882