[GH-ISSUE #3215] Clicking an URL in Dino launches Firefox with new profile #2013

Closed
opened 2026-05-05 08:40:53 -06:00 by gitea-mirror · 8 comments

Originally created by @ericschdt on GitHub (Feb 9, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3215

As Dino has the same issues, I tried the same solution as in https://github.com/netblue30/firejail/issues/2892, i.e. I added

```
noblacklist ${HOME}/.cache/mozilla
noblacklist ${HOME}/.mozilla
whitelist ${HOME}/.cache/mozilla/firefox
whitelist ${HOME}/.mozilla
```

to `dino.profile`, but now I only see the Firefox icon at the mouse cursor and after a few seconds it vanishes and that's it.

Then I tried to add `include firefox-common.profile` and `private-bin firefox` as well, but with no improvements overall.

Any idea?


@ericschdt commented on GitHub (Feb 9, 2020):

Current `dino.profile`:

```
# Firejail profile for dino
# Description: Modern XMPP Chat Client using GTK+/Vala
# This file is overwritten after every install/update
# Persistent local customizations
include dino.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/.local/share/dino

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc

mkdir ${HOME}/.local/share/dino
whitelist ${HOME}/.local/share/dino
whitelist ${HOME}/.local/share/dino/files
whitelist ${DOWNLOADS}
include whitelist-common.inc

# Firefox
noblacklist ${HOME}/.cache/mozilla
noblacklist ${HOME}/.mozilla
noblacklist ${HOME}/.mozilla/firefox
whitelist ${HOME}/.cache/mozilla
whitelist ${HOME}/.mozilla
whitelist ${HOME}/.mozilla/firefox
include firefox-common.profile


caps.drop all
netfilter
no3d
nodvd
nogroups
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix,inet,inet6
seccomp
shell none

disable-mnt
#private-bin dino,gio-launch-desktop,gwenview
private-bin gpgsm,gpg,gpgconf,gwenview,gio-launch-desktop,dino,bash,firejail,firefox
private-dev
# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl -- breaks server connection
private-tmp
```

@rusty-snake commented on GitHub (Feb 9, 2020):

`noblacklist` **must** come before `blacklist`.

=> Move your firefox block over the `include disable-*`-block.


@ericschdt commented on GitHub (Feb 9, 2020):

Done and restarted dino but the issue persists.


@rusty-snake commented on GitHub (Feb 9, 2020):

Is firefox running when you try to open links? Is anything in the journal?

If firefox is not already running, it is started in the sandbox. But the dino profile is too restrictive to start firefox.


@ericschdt commented on GitHub (Feb 9, 2020):

> Is firefox running when you try to open links?

Firefox is already running.

> Is anything in the journal?

You mean `journalctl -fa`? Nope, or where should I look?
Also `firejail --debug dino` does not give a hint when I click a link.

Here's the Dino debug log: [dino_debug.log](https://github.com/netblue30/firejail/files/4177123/dino_debug.log)

@rusty-snake commented on GitHub (Feb 9, 2020):

For me `firejail firefox-wayland --new-tab example.com` is broken, can you try this also on your system? If this does not work, the issue isn't in the dino profile.


@ericschdt commented on GitHub (Feb 9, 2020):

I'm not on wayland, but under X11 `firejail firefox --new-tab example.com` works for me.

```
firejail firefox --new-tab example.com
Reading profile /home/user/.config/firejail/firefox.profile
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /home/user/.config/firejail/firefox-common.profile
Reading profile /home/user/.config/firejail/firefox-common-addons.inc
Reading profile /etc/firejail/allow-python3.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 5737, child pid 5738
12 programs installed in 46.96 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Post-exec seccomp protector enabled
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Child process initialized in 295.59 ms

Parent is shutting down, bye...
```

@ericschdt commented on GitHub (Feb 9, 2020):

Not sure what actually did it, but Dino seems to be pretty happy with the following profile

```
# Firejail profile for dino
# Description: Modern XMPP Chat Client using GTK+/Vala
# This file is overwritten after every install/update
# Persistent local customizations
include dino.local
# Persistent global definitions
include globals.local

# Dino
noblacklist ${HOME}/.local/share/dino

# Firefox
noblacklist ${HOME}/.cache/mozilla
noblacklist ${HOME}/.mozilla
noblacklist ${HOME}/.mozilla/firefox
whitelist ${HOME}/.cache/mozilla
whitelist ${HOME}/.mozilla
whitelist ${HOME}/.mozilla/firefox
include firefox-common.profile

# disable-*
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc

# Dino specific
mkdir ${HOME}/.local/share/dino
whitelist ${HOME}/.local/share/dino
whitelist ${HOME}/.local/share/dino/files
whitelist ${DOWNLOADS}

caps.drop all
netfilter
no3d
nodvd
nogroups
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix,inet,inet6
seccomp
shell none

disable-mnt
private-bin gpgsm,gpg,gpgconf,gwenview,gio-launch-desktop,dino,bash,firejail
private-dev
private-tmp
```
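
A small check for the ordering rule raised in this thread (`noblacklist` has to be read before anything that blacklists), added here as an illustration and not code from firejail or from the participants. It assumes that `include disable-*.inc` lines carry blacklist rules and uses a constructed one-line stand-in for `firefox-common.profile`; `flatten`, `misplaced_noblacklist` and the sample strings are hypothetical names.

```python
import fnmatch

# Assumption of this sketch: includes matching this pattern carry blacklist rules.
DISABLE_INCLUDE = "disable-*.inc"

def flatten(text, includes, origin="dino.profile"):
    """Yield (origin, line_no, directive, arg) in read order, expanding known includes."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()                      # also drops trailing blanks
        if not line or line.startswith("#"):    # skip empty and comment lines
            continue
        directive, _, arg = line.partition(" ")
        arg = arg.strip()
        if directive == "include" and arg in includes:
            yield from flatten(includes[arg], includes, origin=arg)
        else:
            yield origin, line_no, directive, arg

def misplaced_noblacklist(text, includes=None):
    """Return (origin, line_no, path, blocker) for noblacklist rules read too late."""
    blocker, findings = None, []
    for origin, line_no, directive, arg in flatten(text, includes or {}):
        is_disable = directive == "include" and fnmatch.fnmatch(arg, DISABLE_INCLUDE)
        if directive == "blacklist" or is_disable:
            # Remember only the first rule that can blacklist a path.
            blocker = blocker or f"{origin}:{line_no} {directive} {arg}"
        elif directive == "noblacklist" and blocker:
            findings.append((origin, line_no, arg, blocker))
    return findings

# Constructed stand-in for the nested include; not the shipped file.
INCLUDES = {"firefox-common.profile": "include disable-common.inc\n"}

# Abridged from the two profiles posted in the thread.
BEFORE = """\
noblacklist ${HOME}/.local/share/dino
include disable-common.inc
# Firefox
noblacklist ${HOME}/.cache/mozilla
noblacklist ${HOME}/.mozilla
include firefox-common.profile
"""
AFTER = """\
noblacklist ${HOME}/.local/share/dino
noblacklist ${HOME}/.cache/mozilla
noblacklist ${HOME}/.mozilla
include firefox-common.profile
include disable-common.inc
"""
```

`misplaced_noblacklist(BEFORE, INCLUDES)` reports the two Firefox rules that follow `include disable-common.inc`; the reordered `AFTER` profile yields no findings.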