[GH-ISSUE #4190] brave profile blocks Tor #2574

Closed
opened 2026-05-05 09:14:42 -06:00 by gitea-mirror · 4 comments

Originally created by @loveshack on GitHub (Apr 13, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4190

The Brave browser can open windows with Tor, but that's blocked by the firejail brave profile -- it just hangs trying to connect. (It's OK for me without the profile, of course.)

I'm confused because it's presumably due to this (repeating) error

```
LaunchProcess: failed to execvp:
/home/****/.config/BraveSoftware/Brave-Browser/biahpgbdmdkfgndcmfiipgcebobojjkp/1.0.16/tor-0.4.5.7-linux-brave-1
[352:358:0413/215037.078723:ERROR:tor_launcher_impl.cc(203)] tor exit (127)
```

despite brave.profile containing

```
# TOR is installed in ${HOME}
ignore noexec ${HOME}
```

I'm happy to take suggestions for debugging if necessary.

Versions: firejail 0.9.64.4 (but it doesn't look as though there's any relevant profile change since) and brave 1.22.71 on Debian 10.


@ghost commented on GitHub (Apr 13, 2021):

Might be the `apparmor` option in /etc/firejail/chromium-common.profile. A quick and dirty check would be adding `ignore apparmor` to a `chromium-common.local` file. Or in a `brave.local` file if you want to keep any other chromium-based browsers you might use with an intact profile.

_If_ the test confirms it is AppArmor that's the culprit, we can assist in designing a proper way to proceed that doesn't rely on disabling the apparmor option. That would involve making changes to your /etc/apparmor.d/local/firejail-default cfr. what the `torbrowser-launcher.profile` advises when you've got that installed under your ${HOME}. But let's confirm if disabling apparmor indeed makes TOR happy before diving into that.


@ghost commented on GitHub (Apr 14, 2021):

UPDATE:
In the meantime I've installed Brave and can reproduce this issue. As I suspected the `apparmor` option in the included chromium-common.profile is responsible for blocking access to tor. I'll prepare a PR to fix this but until that gets into a new release on your Debian box here's what you can do right now. In fact, you have two options: (1) either add a `brave.local` file containing `ignore apparmor` OR (2) allow access to the tor path used by Brave in /etc/apparmor.d/local/firejail-default. The latter route assumes you have a fully configured and enabled AppArmor setup on your machine - consult the Debian wiki for that if you need to double-check stuff.

If you decide to go for this second option, compare the below /etc/apparmor.d/local/firejail-default example. You might already have extra rules in there. Just make sure to add a line for the brave path (uncommented). Once that's done, remove any existing AppArmor cache from your system and reboot. I've done the same for testing and confirmed the Brave + Tor setup works as expected via https://check.torproject.org.

```
# Site-specific additions and overrides for 'firejail-default'.
# For more details, please see /etc/apparmor.d/local/README.

# Here are some examples to allow running programs from home directory.
# Don't enable all of these, just pick a specific one or write a custom rule
# instead as done below for torbrowser-launcher.
#owner @{HOME}/** ix,
#owner @{HOME}/bin/** ix,
#owner @{HOME}/.local/bin/** ix,

# Uncomment to support apparmor for brave's integrated Tor functionality
owner @{HOME}/.config/BraveSoftware/Brave-Browser/biahpgbdmdkfgndcmfiipgcebobojjkp/*/** ix,

# Uncomment to opt-in to apparmor for torbrowser-launcher
#owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/** ix,
```

HTH
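
A way to confirm from the kernel log that AppArmor is what blocks the exec, and whether the Brave rule above would cover each blocked path. This is an added example, not part of the original thread or firejail's own code. The log lines are constructed samples, the function names are hypothetical, and the regex approximates the rule's glob under the assumption that `@{HOME}` resolves to `/home/<user>/`.

```shell
#!/bin/sh
# Constructed sample kernel audit lines (user, pids and timestamps are made up).
sample_log() {
cat <<'EOF'
audit: type=1400 audit(1618350637.078:41): apparmor="DENIED" operation="exec" profile="firejail-default" name="/home/alice/.config/BraveSoftware/Brave-Browser/biahpgbdmdkfgndcmfiipgcebobojjkp/1.0.16/tor-0.4.5.7-linux-brave-1" pid=358 comm="brave" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
audit: type=1400 audit(1618350640.120:42): apparmor="DENIED" operation="exec" profile="firejail-default" name="/home/alice/bin/helper" pid=401 comm="brave" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
audit: type=1400 audit(1618350641.300:43): apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/1/environ" pid=402 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1618350642.500:44): apparmor="DENIED" operation="exec" profile="other-profile" name="/home/alice/bin/tool" pid=403 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
EOF
}

# Read a kernel log on stdin; print each distinct path whose exec was
# denied under the firejail-default AppArmor profile.
denied_execs() {
    grep 'apparmor="DENIED"' \
      | grep 'operation="exec"' \
      | grep 'profile="firejail-default"' \
      | sed -n 's/.* name="\([^"]*\)".*/\1/p' \
      | sort -u
}

# Approximate the glob of the Brave rule from the thread:
#   '*'  -> one path component ([^/]+), '**' -> anything below it (.+)
# Assumption: @{HOME} is /home/<user>/.
covered_by_brave_rule() {
    printf '%s\n' "$1" | grep -Eq \
      '^/home/[^/]+/\.config/BraveSoftware/Brave-Browser/biahpgbdmdkfgndcmfiipgcebobojjkp/[^/]+/.+$'
}

# Label every denied exec path: would the Brave rule allow it or not?
triage() {
    denied_execs | while IFS= read -r path; do
        if covered_by_brave_rule "$path"; then
            echo "rule-covers $path"
        else
            echo "no-rule $path"
        fi
    done
}

sample_log | triage
```

On a live system, feed the real kernel log in place of the sample, for example `journalctl -k | triage` or `dmesg | triage`.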


@loveshack commented on GitHub (Apr 17, 2021):

I had replied by mail to say thanks for the excellent response, but that hasn't got through for some reason. Anyway, thank you!


@ghost commented on GitHub (Apr 17, 2021):

@loveshack No worries, it's not the first time I see differences between GitHub's web interface and mail correspondence. Glad to read this issue is fixed. It's thanks to your reporting that we became aware of the Brave + Tor + AppArmor situation, so thanks again for bringing it out here! Happy sandboxing.

I'll close this issue now, but feel free to reopen if you encounter other bumps on the road.
