github-starred/firejail

Fork 0

mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00

[GH-ISSUE #4127] [SOLVED] Firefox has different audio backend when started with custom profile #2545

New issue

Closed

opened 2026-05-05 09:13:19 -06:00 by gitea-mirror · 4 comments

gitea-mirror commented

2026-05-05 09:13:19 -06:00

Owner

Originally created by @omega3 on GitHub (Mar 22, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4127

Why when I start Firefox in Firejail like this:
firejail --private=/home/user/jail/ /usr/lib/firefox/firefox

And a new Firefox profile is created in /home/user/jail/.mozilla/firefox/
I have in Firefox about:support → media: audio backend pulse-rust.

When I delete this Firefox profile from /home/user/jail/.mozilla/firefox/

And when I run it with custom profile:
firejail --private=/home/user/jail/ --profile=/home/user/jail/.config/firejail/firefox.local /usr/lib/firefox/firefox
new Firefox profile is created and when I run Firefox I have in about:support → media: audio backend alsa.

My config firefox.local contains only this

whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
whitelist ${RUNUSER}/kpxc_server

It has nothing to do with sound.
Should I whitelist something that is related to pulse-rust?

Recently Manjaro switch to pipewire and it appeared that when there is alsa in about:support → media: audio backend in Firefox I can't hear sound. And it looks like the cause of the trouble is how Firefox profile is created with when Firefox is in Firejail with local settings.

Environment
Operating System: Manjaro Linux
KDE Plasma Version: 5.21.3
KDE Frameworks Version: 5.80.0
Qt Version: 5.15.2
Kernel Version: 5.11.6-1-MANJARO
OS Type: 64-bit
Graphics Platform: X11

firejail --version
firejail version 0.9.65

Compile time support:
        - AppArmor support is enabled
        - AppImage support is enabled
        - chroot support is enabled
        - D-BUS proxy support is enabled
        - file and directory whitelisting support is enabled
        - file transfer support is enabled
        - firetunnel support is enabled
        - networking support is enabled
        - overlayfs support is enabled
        - private-home support is enabled
        - private-cache and tmpfs as user enabled
        - SELinux support is disabled
        - user namespace support is enabled
        - X11 sandboxing support is enabled

Originally created by @omega3 on GitHub (Mar 22, 2021). Original GitHub issue: https://github.com/netblue30/firejail/issues/4127 Why when I start Firefox in Firejail like this: `firejail --private=/home/user/jail/ /usr/lib/firefox/firefox` And a new Firefox profile is created in `/home/user/jail/.mozilla/firefox/` I have in Firefox about:support → media: audio backend pulse-rust. When I delete this Firefox profile from `/home/user/jail/.mozilla/firefox/` And when I run it with custom profile: `firejail --private=/home/user/jail/ --profile=/home/user/jail/.config/firejail/firefox.local /usr/lib/firefox/firefox` new Firefox profile is created and when I run Firefox I have in about:support → media: audio backend alsa. My config firefox.local contains only this ``` whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer whitelist ${RUNUSER}/kpxc_server ``` It has nothing to do with sound. Should I whitelist something that is related to pulse-rust? Recently Manjaro switch to pipewire and it appeared that when there is alsa in about:support → media: audio backend in Firefox I can't hear sound. And it looks like the cause of the trouble is how Firefox profile is created with when Firefox is in Firejail with local settings. **Environment** Operating System: Manjaro Linux KDE Plasma Version: 5.21.3 KDE Frameworks Version: 5.80.0 Qt Version: 5.15.2 Kernel Version: 5.11.6-1-MANJARO OS Type: 64-bit Graphics Platform: X11 ``` firejail --version firejail version 0.9.65 Compile time support: - AppArmor support is enabled - AppImage support is enabled - chroot support is enabled - D-BUS proxy support is enabled - file and directory whitelisting support is enabled - file transfer support is enabled - firetunnel support is enabled - networking support is enabled - overlayfs support is enabled - private-home support is enabled - private-cache and tmpfs as user enabled - SELinux support is disabled - user namespace support is enabled - X11 sandboxing support is enabled ```

gitea-mirror

2026-05-05 09:13:19 -06:00

closed this issue
added the
information_old
label

gitea-mirror commented

2026-05-05 09:13:22 -06:00

Author

Owner

@rusty-snake commented on GitHub (Mar 22, 2021):

--profile=/home/user/jail/.config/firejail/firefox.local means you use only these two line which restrict access to /run/user/$UID. You have NO seccomp, nonewprivs, caps.drop all, disable-mnt or dbus-user filter. Are you sure you want this?

Regarding your question: If firefox can not access the pulseaudio/pipewire socket, it uses alsa as fallback.

@rusty-snake commented on GitHub (Mar 22, 2021): `--profile=/home/user/jail/.config/firejail/firefox.local` means you use only these two line which restrict access to `/run/user/$UID`. You have NO `seccomp`, `nonewprivs`, `caps.drop all`, `disable-mnt` or `dbus-user filter`. Are you sure you want this? Regarding your question: If firefox can not access the pulseaudio/pipewire socket, it uses alsa as fallback.

gitea-mirror commented

2026-05-05 09:13:23 -06:00

Author

Owner

@omega3 commented on GitHub (Mar 22, 2021):

Are you sure you want this?

I don't even understand what it means. So far didn't I use local profile but there were changes in Keepassxc so I had to use it.

If firefox can not access the pulseaudio/pipewire socket,

So I need to add my local profile whitelist to Firefox profile or copy from Firefox profile to local profile all else?

Edition:

Ok. This worked. I copied from /etc/firejail/firefox.profile
to local profile so it looks like this:

whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
whitelist ${RUNUSER}/kpxc_server

# Firejail profile for firefox
# Description: Safe and easy web browser from Mozilla
# This file is overwritten after every install/update
# Persistent local customizations
include firefox.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/.cache/mozilla
noblacklist ${HOME}/.mozilla

mkdir ${HOME}/.cache/mozilla/firefox
mkdir ${HOME}/.mozilla
whitelist ${HOME}/.cache/mozilla/firefox
whitelist ${HOME}/.mozilla

whitelist /usr/share/doc
whitelist /usr/share/firefox
whitelist /usr/share/gnome-shell/search-providers/firefox-search-provider.ini
whitelist /usr/share/gtk-doc/html
whitelist /usr/share/mozilla
whitelist /usr/share/webext
include whitelist-usr-share-common.inc

# firefox requires a shell to launch on Arch.
#private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which
# Fedora use shell scripts to launch firefox, at least this is required
#private-bin basename,bash,cat,dirname,expr,false,firefox,firefox-wayland,getenforce,ln,mkdir,pidof,restorecon,rm,rmdir,sed,sh,tclsh,true,uname
# private-etc must first be enabled in firefox-common.profile
#private-etc firefox

dbus-user filter
dbus-user.own org.mozilla.Firefox.*
dbus-user.own org.mozilla.firefox.*
dbus-user.own org.mpris.MediaPlayer2.firefox.*
# Uncomment or put in your firefox.local to enable native notifications.
#dbus-user.talk org.freedesktop.Notifications
# Uncomment or put in your firefox.local to allow to inhibit screensavers
#dbus-user.talk org.freedesktop.ScreenSaver
# Uncomment or put in your firefox.local for plasma browser integration
#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
#dbus-user.talk org.kde.JobViewServer
#dbus-user.talk org.kde.kuiserver
ignore dbus-user none

# Redirect
include firefox-common.profile

It works but it looks a different from
https://github.com/netblue30/firejail/blob/master/etc-fixes/0.9.52/firefox.profile

Maybe my is older. Are profiles in /etc/firejail/ updated when Firejail is updated? Maybe that is a stupid question but is it ok to run Firefox with such profile?

@omega3 commented on GitHub (Mar 22, 2021): > Are you sure you want this? I don't even understand what it means. So far didn't I use local profile but there were changes in Keepassxc so I had to use it. > If firefox can not access the pulseaudio/pipewire socket, So I need to add my local profile whitelist to Firefox profile or copy from Firefox profile to local profile all else? Edition: Ok. This worked. I copied from /etc/firejail/firefox.profile to local profile so it looks like this: ``` whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer whitelist ${RUNUSER}/kpxc_server # Firejail profile for firefox # Description: Safe and easy web browser from Mozilla # This file is overwritten after every install/update # Persistent local customizations include firefox.local # Persistent global definitions include globals.local noblacklist ${HOME}/.cache/mozilla noblacklist ${HOME}/.mozilla mkdir ${HOME}/.cache/mozilla/firefox mkdir ${HOME}/.mozilla whitelist ${HOME}/.cache/mozilla/firefox whitelist ${HOME}/.mozilla whitelist /usr/share/doc whitelist /usr/share/firefox whitelist /usr/share/gnome-shell/search-providers/firefox-search-provider.ini whitelist /usr/share/gtk-doc/html whitelist /usr/share/mozilla whitelist /usr/share/webext include whitelist-usr-share-common.inc # firefox requires a shell to launch on Arch. #private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which # Fedora use shell scripts to launch firefox, at least this is required #private-bin basename,bash,cat,dirname,expr,false,firefox,firefox-wayland,getenforce,ln,mkdir,pidof,restorecon,rm,rmdir,sed,sh,tclsh,true,uname # private-etc must first be enabled in firefox-common.profile #private-etc firefox dbus-user filter dbus-user.own org.mozilla.Firefox.* dbus-user.own org.mozilla.firefox.* dbus-user.own org.mpris.MediaPlayer2.firefox.* # Uncomment or put in your firefox.local to enable native notifications. #dbus-user.talk org.freedesktop.Notifications # Uncomment or put in your firefox.local to allow to inhibit screensavers #dbus-user.talk org.freedesktop.ScreenSaver # Uncomment or put in your firefox.local for plasma browser integration #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration #dbus-user.talk org.kde.JobViewServer #dbus-user.talk org.kde.kuiserver ignore dbus-user none # Redirect include firefox-common.profile ``` It works but it looks a different from https://github.com/netblue30/firejail/blob/master/etc-fixes/0.9.52/firefox.profile Maybe my is older. Are profiles in /etc/firejail/ updated when Firejail is updated? Maybe that is a stupid question but is it ok to run Firefox with such profile?

gitea-mirror commented

2026-05-05 09:13:24 -06:00

Author

Owner

@rusty-snake commented on GitHub (Mar 22, 2021):

looks a different from https:/github.com/netblue30/firejail/blob/master/etc-fixes/0.9.52/firefox.profile

You are at 0.9.65. 🤔 The git-master profile is at https://github.com/netblue30/firejail/blob/master/etc/profile-a-l/firefox.profile.

Are profiles in /etc/firejail/ updated when Firejail is updated?

Yes. apt, dnf, pacman update /etc/firejail/* if you update firejail/firejail-profiles.

I copied from /etc/firejail/firefox.profile

You can simply add these two whitelist (for kpxc) to ~/.config/firejail/firefox.local and start you sandbox with firejail --private=~/jail /usr/bin/firefox. Furthermore you can even more the private ${HOME}/jail to firefox.local.

@rusty-snake commented on GitHub (Mar 22, 2021): > looks a different from https:/github.com/netblue30/firejail/blob/master/etc-fixes/**0.9.52**/firefox.profile You are at 0.9.65.   :thinking:   The git-master profile is at https://github.com/netblue30/firejail/blob/master/etc/profile-a-l/firefox.profile. > Are profiles in /etc/firejail/ updated when Firejail is updated? Yes. apt, dnf, pacman update `/etc/firejail/*` if you update firejail/firejail-profiles. > I copied from /etc/firejail/firefox.profile You can simply add these two whitelist (for kpxc) to `~/.config/firejail/firefox.local` and start you sandbox with `firejail --private=~/jail /usr/bin/firefox`. Furthermore you can even more the `private ${HOME}/jail` to `firefox.local`.

gitea-mirror commented

2026-05-05 09:13:25 -06:00

Author

Owner

@omega3 commented on GitHub (Mar 22, 2021):

Ok. Thank you very much. It is solved.

@omega3 commented on GitHub (Mar 22, 2021): Ok. Thank you very much. It is solved.

gitea-mirror referenced this issue

2026-05-05 10:19:16 -06:00

[PR #2545] [MERGED] More alphabetical ordering of firecfg.config #4395

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2545

No description provided.

Rows
Columns