github-starred/firejail

Fork 0

mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00

[GH-ISSUE #3666] Torbrowser-launcher.profile doesn't launch without certain flags disabled #2309

New issue

Closed

opened 2026-05-05 08:59:51 -06:00 by gitea-mirror · 5 comments

gitea-mirror commented

2026-05-05 08:59:51 -06:00

Owner

Originally created by @ghost on GitHub (Oct 13, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3666

I've actually had this issue for a while, and decided I would post an issue about it on here even though I don't think it is that terrible of an issue(?) Essentially, with the default torbrowser-launcher.profile located in /etc/firejail/, it will only actually work if the following calls are commented out: "apparmor," "protocol unix,inet,inet6," and "seccomp !chroot."

Interestingly, when I launch torbrowser-launcher, and check aa-status, it says that Apparmor is actually actively protecting, but it doesn't work when literally calling it with firejail. As for the other calls, I just am not sure. I have played around a ton with the profile to get it to work with the most calls allowed, and this is basically the result I got after disabling and enabling a ton of things one-by-one. No clue why it's happening, however.

Originally created by @ghost on GitHub (Oct 13, 2020). Original GitHub issue: https://github.com/netblue30/firejail/issues/3666 I've actually had this issue for a while, and decided I would post an issue about it on here even though I don't think it is that terrible of an issue(?) Essentially, with the default torbrowser-launcher.profile located in /etc/firejail/, it will only actually work if the following calls are commented out: "apparmor," "protocol unix,inet,inet6," and "seccomp !chroot." Interestingly, when I launch torbrowser-launcher, and check aa-status, it says that Apparmor is actually actively protecting, but it doesn't work when literally calling it with firejail. As for the other calls, I just am not sure. I have played around a ton with the profile to get it to work with the most calls allowed, and this is basically the result I got after disabling and enabling a ton of things one-by-one. No clue why it's happening, however.

gitea-mirror closed this issue

2026-05-05 08:59:52 -06:00

gitea-mirror commented

2026-05-05 08:59:53 -06:00

Author

Owner

@rusty-snake commented on GitHub (Oct 13, 2020):

The torbrowser-launcher.profile here has no aaparmor, what is your firejail version, distro, torbrowser-launcher version? If you keep seccomp !chroot which syscall is logged in the syslog (journalctl --grep=SECCOMP)?

@rusty-snake commented on GitHub (Oct 13, 2020): The torbrowser-launcher.profile here has no `aaparmor`, what is your firejail version, distro, torbrowser-launcher version? If you keep `seccomp !chroot` which syscall is logged in the syslog (`journalctl --grep=SECCOMP`)?

gitea-mirror commented

2026-05-05 08:59:54 -06:00

Author

Owner

@ghost commented on GitHub (Oct 13, 2020):

The torbrowser-launcher.profile here has no aaparmor, what is your firejail version, distro, torbrowser-launcher version? If you keep seccomp !chroot which syscall is logged in the syslog (journalctl --grep=SECCOMP)?

Oops, I must've added the apparmor one in myself. My bad.

I'm on Parabola, using firejail 0.9.62.4-1 and torbrowser-launcher 0.3.2-6. I actually use OpenRC, so I am not entirely sure how to view the syscalls on here.

@ghost commented on GitHub (Oct 13, 2020): > The torbrowser-launcher.profile here has no `aaparmor`, what is your firejail version, distro, torbrowser-launcher version? If you keep `seccomp !chroot` which syscall is logged in the syslog (`journalctl --grep=SECCOMP`)? Oops, I must've added the apparmor one in myself. My bad. I'm on Parabola, using firejail 0.9.62.4-1 and torbrowser-launcher 0.3.2-6. I actually use OpenRC, so I am not entirely sure how to view the syscalls on here.

gitea-mirror commented

2026-05-05 08:59:55 -06:00

Author

Owner

@rusty-snake commented on GitHub (Oct 14, 2020):

If your kernel has audit support, is is logged somewhere I think. (Mabye grep SECCOMP /var/log/* or grep syscall /var/log/*?).

Does this happen if you skip torbrowser-launcher?

$ cd ~/.local/share/torbrowser-launcher/...  (go in the directory where start-tor-browser.desktop is)
$ firejail --profile=torbrowser-launcher ./start-tor-browser.desktop

@rusty-snake commented on GitHub (Oct 14, 2020): If your kernel has audit support, is is logged somewhere I think. (Mabye `grep SECCOMP /var/log/*` or `grep syscall /var/log/*`?). Does this happen if you skip torbrowser-launcher? ``` $ cd ~/.local/share/torbrowser-launcher/... (go in the directory where start-tor-browser.desktop is) $ firejail --profile=torbrowser-launcher ./start-tor-browser.desktop ```

gitea-mirror commented

2026-05-05 08:59:56 -06:00

Author

Owner

@ghost commented on GitHub (Oct 15, 2020):

Yeah I'm not sure what to tell you, I don't know how to view the logs. Just forget it.

@ghost commented on GitHub (Oct 15, 2020): Yeah I'm not sure what to tell you, I don't know how to view the logs. Just forget it.

gitea-mirror commented

2026-05-05 08:59:57 -06:00

Author

Owner

@SjoerdV commented on GitHub (Jan 14, 2023):

If your kernel has audit support, is is logged somewhere I think. (Mabye grep SECCOMP /var/log/* or grep syscall /var/log/*?).

Does this happen if you skip torbrowser-launcher?
$ cd ~/.local/share/torbrowser-launcher/...  (go in the directory where start-tor-browser.desktop is)
$ firejail --profile=torbrowser-launcher ./start-tor-browser.desktop

This actually did work for me. So what I end up doing was creating my own launch script and desktop file. (I appended '-launcher' to my own file names)

create a bash script ~/.local/share/torbrowser/tbb/x86_64/tor-browser/start-tor-browser-launcher.sh

#!/bin/bash
cd ~/.local/share/torbrowser/tbb/x86_64/tor-browser
firejail --profile=torbrowser-launcher ./start-tor-browser.desktop

Create/Modify the desktop file ~/.local/share/applications/start-tor-browser-launcher.desktop

[Desktop Entry]
Type=Application
Name=Tor Browser Launcher
GenericName=Web Browser
Comment=Tor Browser is +1 for privacy and −1 for mass surveillance
Categories=Network;WebBrowser;Security;
Exec=sh -c ~/.local/share/torbrowser/tbb/x86_64/tor-browser/start-tor-browser-launcher.sh
Icon=torbrowser
StartupWMClass=Tor Browser Launcher
Terminal=false

@SjoerdV commented on GitHub (Jan 14, 2023): > If your kernel has audit support, is is logged somewhere I think. (Mabye `grep SECCOMP /var/log/*` or `grep syscall /var/log/*`?). > > Does this happen if you skip torbrowser-launcher? > > ``` > $ cd ~/.local/share/torbrowser-launcher/... (go in the directory where start-tor-browser.desktop is) > $ firejail --profile=torbrowser-launcher ./start-tor-browser.desktop > ``` This actually did work for me. So what I end up doing was creating my own launch script and desktop file. (I appended '-launcher' to my own file names) 1. create a bash script `~/.local/share/torbrowser/tbb/x86_64/tor-browser/start-tor-browser-launcher.sh` ``` #!/bin/bash cd ~/.local/share/torbrowser/tbb/x86_64/tor-browser firejail --profile=torbrowser-launcher ./start-tor-browser.desktop ``` 2. Create/Modify the desktop file `~/.local/share/applications/start-tor-browser-launcher.desktop` ``` [Desktop Entry] Type=Application Name=Tor Browser Launcher GenericName=Web Browser Comment=Tor Browser is +1 for privacy and −1 for mass surveillance Categories=Network;WebBrowser;Security; Exec=sh -c ~/.local/share/torbrowser/tbb/x86_64/tor-browser/start-tor-browser-launcher.sh Icon=torbrowser StartupWMClass=Tor Browser Launcher Terminal=false ```

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2309

No description provided.

Rows
Columns