[GH-ISSUE #3794] Trouble running Firefox Portable Dev Edition in firejail #2395

Closed
opened 2026-05-05 09:04:22 -06:00 by gitea-mirror · 6 comments

Originally created by @jameshibbard on GitHub (Dec 7, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3794

Hi,

I installed firejail (sudo apt install firejail firejail-profiles) on a brand new Linux Mint 20.

I want to use firejail to run my portable version of Firefox Developer Edition.
This executable is located here: /home/jim/files/Portable/FirefoxDeveloperEdition/firefox.

Here are the steps I took:

  • I copied /etc/firejail/firefox-developer-edition.profile to /home/jim/.config/firejail
  • I added the following line to the bottom of /home/jim/.config/firejail/firefox-developer-edition.profile:
    whitelist ${HOME}/files/Portable/FirefoxDeveloperEdition
  • I attempted to run the firejailed FF Dev Edition from a script, like so:

```bash
#!/bin/bash

firejail --profile=/home/jim/.config/firejail/firefox-developer-edition.profile /home/jim/files/Portable/FirefoxDeveloperEdition/firefox
```

When I run this however, I get the following error:

```
Reading profile /home/jim/.config/firejail/firefox-developer-edition.profile
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 2700815, child pid 2700816
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Post-exec seccomp protector enabled
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Child process initialized in 93.49 ms
Exec failed with error: Permission denied

Parent is shutting down, bye...
```

If I comment out apparmor on line 32 of /etc/firejail/firefox-common.profile (this file is referenced by firefox.profile, which is referenced by firefox-developer-edition.profile), then everything works as expected.

The same issue is described here: https://unix.stackexchange.com/questions/587080/whitelist-a-directory-for-execution-with-firejail

When I run firejail --noprofile /home/jim/files/Portable/FirefoxDeveloperEdition/firefox, the program starts as expected.

When I disable firejail, the program also starts as expected.

I'm not sure if this is a bug, or if I am doing anything wrong. I would be happy to provide any details you might need.


@SkewedZeppelin commented on GitHub (Dec 7, 2020):

You need to add
ignore noexec ${HOME}
to
.config/firejail/firefox-developer-edition.profile


@jameshibbard commented on GitHub (Dec 7, 2020):

I'm afraid that didn't help. I still get the same error message.

Here's my complete .config/firejail/firefox-developer-edition.profile:

```
# Firejail profile for firefox-developer-edition
# Description: Developer Edition of the popular Firefox web browser
# This file is overwritten after every install/update
# Persistent local customizations
include firefox-developer-edition.local
# Persistent global definitions
# added by included profile
#include globals.local

# Redirect
include firefox.profile

whitelist ${HOME}/files/Portable/FirefoxDeveloperEdition
ignore noexec ${HOME}
```

@rusty-snake commented on GitHub (Dec 7, 2020):

apparmor and noexec ${HOME} (in disable-exec.inc) make $HOME noexec,nodev,nosuid. This is a good defense-in-depth for most sandboxes. However, if you want to execute software from inside your home, you need to ignore noexec ${HOME} and ignore apparmor.

If you set browser-allow-drm yes in firejail.config, ignore noexec ${HOME} is implied (via condition).

To make it work, this should be enough:

```bash
cat > ~/.config/firejail/firefox-developer-edition.local <<EOF
ignore noexec ${HOME}
ignore apparmor
whitelist ${HOME}/files/Portable/FirefoxDeveloperEdition
EOF
```

Aside: Why does apparmor not break DRM?????!!!


@jameshibbard commented on GitHub (Dec 7, 2020):

> It needs to be before any includes, I should've mentioned, eg.

I'm afraid that didn't work. I still get the same error message.

> To make it work, this should be enough:

This worked. Thank you. Also, for the explanation.

So now I just have /home/jim/.config/firejail/firefox-developer-edition.local:

```
ignore noexec /home/jim
ignore apparmor
whitelist /home/jim/files/Portable/FirefoxDeveloperEdition
```

and I'm starting the application like so:

```bash
#!/bin/bash

firejail --profile=/home/jim/.config/firejail/firefox-developer-edition.locale /home/jim/files/Portable/FirefoxDeveloperEdition/firefox
```

Does that seem correct to you?


@rusty-snake commented on GitHub (Dec 7, 2020):

> and I'm starting the application like so:
>
> ```bash
> #!/bin/bash
>
> firejail --profile=/home/jim/.config/firejail/firefox-developer-edition.locale /home/jim/files/Portable/FirefoxDeveloperEdition/firefox
> ```
>
> Does that seem correct to you?

No, you lost all the security features. Right command: firejail --profile=firefox-developer-edition /home/jim/files/Portable/FirefoxDeveloperEdition/firefox.

PS: you can remove ~/.config/firejail/firefox-developer-edition.profile (dot profile).
PS2: If you use a wrapper script, you may want to add "$@".

```bash
#!/bin/bash
exec firejail --profile=firefox-developer-edition /home/jim/files/Portable/FirefoxDeveloperEdition/firefox "$@"
```
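The two points the thread turns on are (a) a `.local` file is an override that only has meaning when pulled in by the named profile's include chain, so passing it directly to `--profile=` drops every hardening directive, and (b) running a binary out of `$HOME` requires switching off two controls (`apparmor` and `noexec ${HOME}`), which a reader may want to see listed before accepting an override. The script below is an added example, not code from the firejail project or from anyone in this thread. It assumes only the syntax shown above (`ignore <directive>`, `whitelist <path>`, `${HOME}` as the one variable expanded) and the convention that override files end in `.local`; `launch_cmd` prints the command it would run instead of executing it so the example runs without firejail installed.

```shell
#!/bin/bash
# Added example: audits a firejail *.local override file and validates the
# --profile= argument. Not code from the firejail project or from this thread.
# Assumed syntax: "ignore <directive>" and "whitelist <path>", ${HOME} expanded.

# 0 if ARG names a profile (bare name or .profile file); 1 if it is a
# .local/.locale override file, which on its own carries no includes.
profile_arg_ok() {
    case "$1" in
        *.local|*.locale) return 1 ;;
        *) return 0 ;;
    esac
}

# Print every directive FILE switches off with "ignore", one per line.
list_ignored() {
    sed -nE 's/^[[:space:]]*ignore[[:space:]]+//p' "$1"
}

# Print the number of "ignore" lines in FILE.
count_ignored() {
    list_ignored "$1" | wc -l | tr -d ' '
}

# 0 if FILE disables both controls that keep $HOME non-executable
# (apparmor and "noexec ${HOME}"), i.e. binaries under home may run; else 1.
allows_home_exec() {
    list_ignored "$1" | grep -qx 'apparmor' || return 1
    list_ignored "$1" | grep -qxF -e 'noexec ${HOME}' -e "noexec $HOME"
}

# Print each whitelisted path in FILE (${HOME} expanded) that does not exist.
missing_whitelist_paths() {
    sed -nE 's/^[[:space:]]*whitelist[[:space:]]+//p' "$1" |
    while IFS= read -r p; do
        case "$p" in '${HOME}'*) p="$HOME${p#\$\{HOME\}}" ;; esac
        [ -e "$p" ] || printf '%s\n' "$p"
    done
}

# Write a constructed .local (mirroring the one in the thread) to a temp
# directory and print its path.
make_sample_local() {
    dir=$(mktemp -d)
    cat > "$dir/firefox-developer-edition.local" <<'EOF'
ignore noexec ${HOME}
ignore apparmor
whitelist ${HOME}/files/Portable/FirefoxDeveloperEdition
EOF
    printf '%s\n' "$dir/firefox-developer-edition.local"
}

# Usage: launch_cmd PROFILE EXE [ARGS...]
# Refuses an override file as PROFILE; otherwise prints the firejail command
# line (a real wrapper would exec it and pass "$@" through as the thread shows).
launch_cmd() {
    profile_arg_ok "$1" || { echo "refusing: '$1' is an override file, not a profile" >&2; return 1; }
    printf 'firejail --profile=%s' "$1"
    shift
    for a in "$@"; do printf ' %s' "$a"; done
    printf '\n'
}

demo() {
    f=$(make_sample_local)
    echo "directives ignored by $f:"
    list_ignored "$f"
    if allows_home_exec "$f"; then
        echo "note: this override lets binaries under \$HOME execute"
    fi
    missing=$(missing_whitelist_paths "$f")
    [ -z "$missing" ] || echo "whitelisted but absent on this machine: $missing"
    launch_cmd firefox-developer-edition /home/jim/files/Portable/FirefoxDeveloperEdition/firefox --private-window
    launch_cmd "$f" /home/jim/files/Portable/FirefoxDeveloperEdition/firefox || true
    rm -rf "$(dirname "$f")"
}
demo
```

`profile_arg_ok` is a name-based check only: it catches the `.local`/`.locale` slip from the thread, not every way of handing firejail a stripped profile, so treat it as a guard in a wrapper rather than proof that hardening is in place.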

@jameshibbard commented on GitHub (Dec 7, 2020):

Fantastic! Thanks for your help.
