[GH-ISSUE #3420] Firefox doesn't start on Ubuntu 20.04 #2147

Closed
opened 2026-05-05 08:49:19 -06:00 by gitea-mirror · 18 comments

Originally created by @dlehmenk on GitHub (May 17, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3420

Bug and expected behavior
When starting firefox in firejail nothing happens (not even a crash, the program runs, but nothing is displayed).

No profile or disabling firejail

  • What changed calling firejail --noprofile PROGRAM in a shell?
  • What changed calling the program by path=without firejail (check whereis PROGRAM, firejail --list, stat $programpath)?

Both work fine.

Reproduce
Steps to reproduce the behavior:

  1. Run in bash firejail firefox
  2. See following messages:
```
$firejail firefox
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 53252, child pid 53253
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Post-exec seccomp protector enabled
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Child process initialized in 108.30 ms
```

Environment

  • Linux distribution and version (ie output of lsb_release -a)
    Ubuntu 20.04

  • Firejail version (output of firejail --version) exclusive or used git commit (git rev-parse HEAD)
    firejail version 0.9.62

Additional context
I'm using home encryption with gocryptfs.

Checklist

  • The upstream profile (and redirect profile if exists) have no changes fixing it.
    There are changes to the profile here at github, for which I'm not sure what they do. The profile does not work anyways when I tried using it as local override.
  • The upstream profile exists (find / -name 'firejail' 2>/dev/null / fd firejail to locate profiles ie in /usr/local/etc/firejail/PROGRAM.profile)
  • Programs needed for interaction are listed.
  • Error was checked in search engine and on issue list without success.

debug output

on request


@ghost commented on GitHub (May 17, 2020):

> Warning: networking feature is disabled in Firejail configuration file

Without networking a web browser isn't of much use obviously. Did you disable networking in /etc/firejail/firejail.config?


@dlehmenk commented on GitHub (May 17, 2020):

No, it's a fresh install. It failed on the first try.


@ghost commented on GitHub (May 17, 2020):

Thanks for clearing that up. I did notice that Ubuntu packages that /etc/firejail/firejail.config file with two options changed to non-default settings: 'cgroup no' and restricted-network yes. The latter restricts using the netfilter option to root, so your regular user will not be allowed to use it, even though it is enabled in /etc/firejail/firefox-common.profile. Personally I don't know exactly why it is like that on your OS, I'll have to contact our Debian expert for his input. For now you can comment that option and check if it improves things.

@reinerh Can you make anything out of this?


@reinerh commented on GitHub (May 17, 2020):

Yes, the two features are disabled by default in Debian (and therefore also Ubuntu), as it's more secure to keep them disabled (they can be used to circumvent other system-wide restrictions, e.g. packetfilters).
See also https://bugs.debian.org/916920


@reinerh commented on GitHub (May 17, 2020):

Having restricted-network on only means that the user can't for example set a custom packet filter.
It does not prevent any network connectivity, so this is probably not the reason for firefox not starting.


@ghost commented on GitHub (May 17, 2020):

@reinerh Thanks for explaining, the referenced bug report is very informative. Not that it helps the OP, but I'll try installing Ubuntu 20.04 LTS and see if I can get a clearer view on the issue at hand.


@rusty-snake commented on GitHub (May 18, 2020):

@karoshi42 anything in the journal/syslog?


@dlehmenk commented on GitHub (May 18, 2020):

The only line in the log is starting with audit: SECCOMP....

But I tested with different users and noticed: The error only happens when using a wayland session. If I choose 'GNOME on Xorg' during login, firejail works just as expected. Normally I'm using the plain GNOME session (not the Ubuntu one)


@ghost commented on GitHub (May 18, 2020):

> The error only happens when using a wayland session. If I choose 'GNOME on Xorg' during login, firejail works just as expected. Normally I'm using the plain GNOME session (not the Ubuntu one)

Aha, that's important information indeed. What happens when you use the plain GNOME session and start Firefox via MOZ_ENABLE_WAYLAND=1 firejail firefox?


@dlehmenk commented on GitHub (May 18, 2020):

Unfortunately that doesn't help. I also tried to comment out nodbus, because it was mentioned in #3290, but that also didn't work. I'm not quite sure though what @rusty-snake's last comment was about over there.


@ghost commented on GitHub (May 18, 2020):

What @rusty-snake asked for IMO is whether or not you notice any relevant warnings/errors in your systemd journal/syslog at the time you start Firefox. Assuming you're using systemd, open a second terminal window/tab and run journalctl -f, that will keep showing log output. Return to the previous terminal window/tab and just run firejail firefox again and check the log output in the other window/tab.


@dlehmenk commented on GitHub (May 19, 2020):

Ah, sorry for my unclear wording, I meant the last comment in #3290. I already checked the log, which is mostly silent, apart from the aforementioned audit: SECCOMP line.


@rusty-snake commented on GitHub (May 23, 2020):

@karoshi42 which syscall is blocked?


@dlehmenk commented on GitHub (May 23, 2020):

The full line is

SECCOMP auid=1000 uid=1000 gid=1000 ses=3 pid=8592 comm="firefox" exe="/usr/lib/firefox/firefox" sig=31 arch=c000003e syscall=312 compat=0 ip=0x7f0a07d6970d code=0x0


@rusty-snake commented on GitHub (May 23, 2020):

#3219


@rusty-snake commented on GitHub (May 23, 2020):

For now you can add seccomp !kcmp.
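
Added example, not part of the original thread or of firejail's code: decoding the audit SECCOMP record quoted above into the blocked syscall and the matching profile exception. The syscall table is a constructed subset, and the function names are hypothetical.

```python
import re

# AUDIT_ARCH_* constants from linux/audit.h (subset).
AUDIT_ARCH = {0xC000003E: "x86_64", 0x40000003: "i386", 0xC00000B7: "aarch64"}

# Constructed subset of the x86_64 syscall table; extend it or use a full
# resolver in practice. Numbers are only meaningful per architecture.
X86_64_SYSCALLS = {
    101: "ptrace", 165: "mount", 310: "process_vm_readv",
    311: "process_vm_writev", 312: "kcmp", 321: "bpf",
}

SIGSYS = 31  # signal delivered on a seccomp kill (x86_64 Linux numbering)
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# The audit record quoted in the thread.
SAMPLE = ('SECCOMP auid=1000 uid=1000 gid=1000 ses=3 pid=8592 comm="firefox" '
          'exe="/usr/lib/firefox/firefox" sig=31 arch=c000003e syscall=312 '
          'compat=0 ip=0x7f0a07d6970d code=0x0')


def decode_seccomp(line):
    """Parse an audit SECCOMP record and name the blocked syscall if known."""
    if "SECCOMP" not in line:
        raise ValueError("not a SECCOMP audit record")
    f = {k: v.strip('"') for k, v in FIELD.findall(line)}
    arch = AUDIT_ARCH.get(int(f["arch"], 16))  # arch is logged as bare hex
    nr = int(f["syscall"])
    # Resolve the name only for an architecture whose table we actually have.
    name = X86_64_SYSCALLS.get(nr) if arch == "x86_64" else None
    return {"comm": f.get("comm"), "arch": arch, "nr": nr, "name": name,
            "sigsys": int(f.get("sig", 0)) == SIGSYS}


def profile_exception(decoded):
    """Return the firejail profile line that exempts the syscall, or None."""
    return f"seccomp !{decoded['name']}" if decoded["name"] else None


if __name__ == "__main__":
    d = decode_seccomp(SAMPLE)
    print(d, profile_exception(d))
```

The same syscall number maps to a different call on another architecture, so the name is left unresolved unless the `arch` field matches the table in use.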


@dlehmenk commented on GitHub (May 23, 2020):

Yes, that was the reason, thank you!

Only one question: If I add the seccomp line to a firefox.local file in .config, it does not seem to work. Do I have to add more there, or just copy the whole profile from /etc?


@rusty-snake commented on GitHub (May 23, 2020):

You can also add it to /etc/firejail/firefox-common.profile because the next firejail release fixes this.
