[GH-ISSUE #3048] Need help for Opera Firejail Profile #1913

Closed
opened 2026-05-05 08:34:40 -06:00 by gitea-mirror · 5 comments

Originally created by @ghost on GitHub (Nov 20, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3048

Hi again!

I need help to fix this:

```
[10:10:1120/170309.471623:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /usr/lib/x86_64-linux-gnu/opera/opera_sandbox is owned by root and has mode 4755.
While handling crash: can't execute crash inspector.
```

The binary "opera_sandbox" is root.

I did:

```
chmod 4755 /usr/lib/x86_64-linux-gnu/opera/opera_sandbox
```

I ran Opera with the Firejail profile again.
The error at the top of this post appears again.

I added to the Opera Firejail profile:

```
whitelist /usr/lib/x86_64-linux-gnu/opera/opera_sandbox
```

Output in terminal:

```
Reading profile /etc/firejail/opera.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 23602, child pid 23603

DNS server 84.200.69.80
DNS server 84.200.70.40

Private /etc installed in 23.43 ms
Error: invalid whitelist path /usr/lib/x86_64-linux-gnu/opera/opera_sandbox
Error: proc 23602 cannot sync with peer: unexpected EOF
Peer 23603 unexpectedly exited with status 1
```

How can I whitelist the Opera sandbox?


@rusty-snake commented on GitHub (Nov 20, 2019):

> I did:
> chmod 4755 /usr/lib/x86_64-linux-gnu/opera/opera_sandbox

Since this is caused by firejail you don't need to change anything on your host.

----

These are the profile files for opera on master (opera includes chromium-common).
https://github.com/netblue30/firejail/blob/master/etc/opera.profile
https://github.com/netblue30/firejail/blob/master/etc/chromium-common.profile

----

Sounds to me like #2946. Can you try `firejail --ignore=nonewprivs --ignore=noroot --ignore=protocol --ignore=seccomp --ignore=caps.drop --caps.keep=sys_admin,sys_chroot`.


@ghost commented on GitHub (Nov 20, 2019):

Works with this command:

```
firejail --ignore=caps.drop --caps.keep=sys_admin,sys_chroot
```

Opera.profile:

```
caps.drop all
machine-id
netfilter
nodvd
nogroups

#nonewprivs
#noroot
notv
#seccomp

private-dev
private-etc fonts
private-tmp

disable-mnt
noexec /tmp
```

Is it secure to run Opera with this command?

```
firejail --ignore=nonewprivs --ignore=noroot --ignore=protocol --ignore=seccomp --ignore=caps.drop --caps.keep=sys_admin,sys_chroot
```


@rusty-snake commented on GitHub (Nov 20, 2019):

> Works with this command:
> firejail --ignore=caps.drop --caps.keep=sys_admin,sys_chroot _opera_

Replace `caps.drop all` with `caps.keep sys_admin,sys_chroot` in your profile.

> Is it secure to run Opera with command:

It is necessary. See discussions in some linked issues in #2946.


@ghost commented on GitHub (Nov 21, 2019):

Ok, thanks!

Is it possible to start Opera without root rights with Sandbox?

When I add this to my Opera Firejail profile, Opera doesn't start:

```
nonewprivs
noroot
```

Can I disable the Sandbox feature in Opera because I start Opera with Firejail?


@rusty-snake commented on GitHub (Nov 21, 2019):

> Is it possible to start Opera without root rights with Sandbox?

To set up a sandbox you need to have root rights.

> Can I disable the Sandbox feature in Opera because I start Opera with FireJail?

IDK, try `opera --no-sandbox`.

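A diagnostic for the failure discussed in this thread, as an added example that is not part of the original issue or of Firejail: it reads the `NoNewPrivs` and `CapBnd` fields of a `/proc/<pid>/status` dump and reports which of the restrictions relaxed above (`nonewprivs`, `caps.drop`) would still stop a setuid-root helper, and separately checks the owner and mode named in the error message. The function names and both sample status dumps are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: status fields of a process jailed with
# "caps.drop all" and "nonewprivs" (values built for illustration).
SAMPLE_RESTRICTED=$(printf 'Name:\topera\nCapBnd:\t0000000000000000\nNoNewPrivs:\t1')

# Constructed sample: same fields with "caps.keep sys_admin,sys_chroot" and
# nonewprivs ignored. 0x240000 = bit 21 (CAP_SYS_ADMIN) | bit 18 (CAP_SYS_CHROOT).
SAMPLE_RELAXED=$(printf 'Name:\topera\nCapBnd:\t0000000000240000\nNoNewPrivs:\t0')

# status_field TEXT KEY: print the value of the "KEY:" line.
status_field() {
    printf '%s\n' "$1" | awk -v k="$2:" '$1 == k { print $2; exit }'
}

# has_cap HEXMASK BIT: succeed if capability number BIT is set in HEXMASK.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# suid_helper_blockers TEXT: print the restrictions that keep a setuid-root
# helper from getting the privileges it needs; prints nothing if none apply.
suid_helper_blockers() {
    nnp=$(status_field "$1" NoNewPrivs)
    bnd=$(status_field "$1" CapBnd)
    bnd=${bnd:-0}
    out=""
    # With no_new_privs set, execve() ignores the setuid bit entirely.
    [ "$nnp" = "1" ] && out="$out nonewprivs"
    # Capabilities missing from the bounding set cannot be regained via SUID.
    has_cap "$bnd" 21 || out="$out no-sys_admin"
    has_cap "$bnd" 18 || out="$out no-sys_chroot"
    printf '%s' "${out# }"
}

# helper_mode_ok PATH: succeed if PATH is owned by uid 0 with mode 4755,
# the on-disk condition the error message asks for (GNU stat).
helper_mode_ok() {
    [ "$(stat -c '%u %a' "$1" 2>/dev/null)" = "0 4755" ]
}
```

Run inside the jail, `suid_helper_blockers "$(cat /proc/self/status)"` gives the live answer. `noroot` is not visible in these two fields and is not checked.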
Reference: github-starred/firejail#1913