[GH-ISSUE #3912] Chrome not working due to symlink. #2452

Closed
opened 2026-05-05 09:08:21 -06:00 by gitea-mirror · 6 comments

Originally created by @panbroggi on GitHub (Jan 23, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3912

Hi everyone!
I am using firejail version 0.9.64 with google-chrome-unstable with KaOS.
While the simple `firejail --noprofile google-chrome-unstable` works, the default command

```
firejail google-chrome-unstable
```

fails. The output is

```
Reading profile /etc/firejail/google-chrome-unstable.profile
Reading profile /etc/firejail/chromium-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 29605, child pid 29606
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Error: invalid whitelist path /home/panbroggi/Scaricati
Error: proc 29605 cannot sync with peer: unexpected EOF
Peer 29606 unexpectedly exited with status 1
```

The problem is that `/home/panbroggi/Scaricati` (which is the Italian Download folder) is a symbolic link to `/mnt/Storage/Scaricati`. I've tried to edit the profile and if I replace `whitelist ${DOWNLOADS}` with `mkdir ${HOME}/Scaricati` it starts, obviously without keeping the download folder.

I've tried using firetools and this configuration works:
https://imgur.com/a/GOHsh5Z

while this does not:
https://imgur.com/a/9hxYJjd

What should I do to set it up correctly?


@smitsohu commented on GitHub (Jan 23, 2021):

/etc/firejail/firejail.config has a setting

```
# Follow symlink as user. While using --whitelist feature,
# symlinks pointing outside home directory are followed only
# if both the link and the real file are owned by the user.
# Enabled by default
# follow-symlink-as-user yes
```

Could that be the reason?


@panbroggi commented on GitHub (Jan 23, 2021):

This is the case. Changing the owner solves the problem.
Thank You!
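
The ownership rule quoted from `firejail.config` above can be checked by hand before editing a profile. The following is an added diagnostic, not part of the original thread and not firejail's own code; the function name `check_whitelist_symlink` and its return codes are assumptions made for this example, and it relies on GNU `stat` and `readlink`.

```shell
#!/bin/sh
# Added example (not firejail code): apply the rule documented for
# follow-symlink-as-user to one path. Name and return codes are hypothetical.
#   0 = link stays inside home, or link and target are both owned by the user
#   1 = target is outside home and link or target has another owner
#   2 = path is not a symlink, or the link is dangling
# Usage: check_whitelist_symlink PATH [UID] [HOME_DIR]
check_whitelist_symlink() {
    path=$1
    uid=${2:-$(id -u)}
    home=${3:-$HOME}
    home=${home%/}

    if [ ! -L "$path" ]; then
        echo "$path: not a symlink, the ownership rule does not apply"
        return 2
    fi

    # Resolve every link in the chain to the real file or directory.
    target=$(readlink -f -- "$path")
    if [ -z "$target" ] || [ ! -e "$target" ]; then
        echo "$path: dangling symlink"
        return 2
    fi

    # The documented rule only concerns links that leave the home directory.
    case "$target/" in
        "$home"/*)
            echo "$path -> $target: target is inside $home"
            return 0
            ;;
    esac

    # stat without -L reports the link itself; the resolved target is a real path.
    link_uid=$(stat -c %u -- "$path")
    target_uid=$(stat -c %u -- "$target")
    echo "$path (uid $link_uid) -> $target (uid $target_uid), user uid $uid"

    if [ "$link_uid" = "$uid" ] && [ "$target_uid" = "$uid" ]; then
        return 0
    fi
    echo "ownership mismatch: the documented rule would not follow this link"
    return 1
}
```

For the setup in this issue the call would be `check_whitelist_symlink /home/panbroggi/Scaricati`, run as the user who starts the browser.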


@ghost commented on GitHub (Jan 24, 2021):

Closing here as the issue is fixed.


@panbroggi commented on GitHub (Jan 30, 2021):

Updating to 0.9.64.2 broke the configuration. I tried to comment `disable-mnt` in the profile, but the browser sees the symlink (a 0 B file) and the content is no more accessible. Is it possible to adjust the settings or a downgrade is the only solution?

EDIT: commenting `disable-mnt` actually worked; I then manually blacklisted all the folders in /mnt/Storage except for the linked one.


@rusty-snake commented on GitHub (Jan 30, 2021):

> commenting disable-mnt actually worked; I then manually blacklisted all the folders in /mnt/Storage except for the linked one.

Then you can add one of the following to your `google-chrome-unstable.local`.

```
ignore disable-mnt
noblacklist /mnt/Storage
noblacklist /mnt/Storage/Scaricati
blacklist /media
blacklist /mnt/*
blacklist /mnt/Storage/*
blacklist /run/mnt
blacklist /run/media
```

```
ignore disable-mnt
blacklist /media
blacklist /run/mnt
blacklist /run/media
whitelist /mnt/Storage/Scaricati
```

EDIT: fixed typo


@panbroggi commented on GitHub (Jan 30, 2021):

Oh, thanks! Adding the lines before including `chromium-common.profile` is actually the proper way.

In case someone needs to copy paste the code, there's a small typo: `balcklist /media/` instead of `blacklist /media/`.

Reference: github-starred/firejail#2452