[GH-ISSUE #4380] Tor Browser with 0.9.66 #2643

Closed
opened 2026-05-05 09:18:16 -06:00 by gitea-mirror · 4 comments

Originally created by @mattrattus on GitHub (Jul 2, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4380

Bug and expected behavior

  • Describe the bug.
    Error: no suitable ./start-tor-browser executable found

  • What did you expect to happen?
    Start Tor Browser using the firejail profile - start-tor-browser.profile

  • What changed calling `firejail --noprofile /path/to/program` in a terminal?
    Only this way can I start Tor Browser.

Reproduce
I downloaded the file from the torbrowser website, extracted it, and use
`firejail --profile=/etc/firejail/start-tor-browser.profile ./start-tor-browser` when I'm in the tor-browser directory.

Additional context
Before the update 0.9.64.4-1 -> 0.9.66-1 I used the above command.
Now I see that the profiles for Tor have been changed.
The last profile that implements the assumptions is torbrowser-launcher.profile, but it refers to the installed version of the browser.

Environment

  • Linux distribution
    Arch Linux
  • Firejail version
    0.9.66

Question
Is it no longer possible to use Tor Browser by downloading it yourself and using firejail along with it?

Checklist

  • [x] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).
  • [x] If it is an AppImage, `--profile=PROFILENAME` is used to set the right profile.
  • [ ] Used `LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 PROGRAM` to get English error messages.
  • [ ] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers.
  • [x] This is not a question. Questions should be asked in https://github.com/netblue30/firejail/discussions.
output

```
Reading profile /etc/firejail/start-tor-browser.profile
Reading profile /etc/firejail/start-tor-browser.desktop.profile
Reading profile /etc/firejail/torbrowser-launcher.profile
Reading profile /etc/firejail/allow-python2.inc
Reading profile /etc/firejail/allow-python3.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 15838, child pid 15839
89 programs installed in 112.48 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping alternatives for private /etc
Warning: skipping asound.conf for private /etc
Warning: skipping crypto-policies for private /etc
Warning: skipping pki for private /etc
Private /etc installed in 32.58 ms
Private /usr/etc installed in 0.00 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: cleaning all supplementary groups
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Child process initialized in 274.37 ms
Error: no suitable ./start-tor-browser executable found

Parent is shutting down, bye...
```
gitea-mirror 2026-05-05 09:18:16 -06:00
  • closed this issue
  • added the
    stale
    label

@rusty-snake commented on GitHub (Jul 2, 2021):

> I downloaded the file from the torbrowser website, extracted it, and use
> firejail --profile=/etc/firejail/start-tor-browser.profile ./start-tor-browser when I'm in the tor-browser directory.

Where did you extract it? It must be one of the `${HOME}/.tor-browser*` listed in the profile. Or you need to add a .local and whitelist the path where you extracted it.

> firejail --profile=/etc/firejail/start-tor-browser.profile ./start-tor-browser

FYI

  1. Use profile names, it's shorter: `firejail --profile=start-tor-browser ./start-tor-browser`
  2. If the program and the name match, skip it: `firejail ./start-tor-browser`

> Is it no longer possible to use Tor Browser by downloading it yourself and using firejail along with it?

Still possible. You just need to know how, see https://github.com/netblue30/firejail/wiki/Sandboxing-Binary-Software#tor-browser-home-install or https://github.com/rusty-snake/firejailed-tor-browser.

> Before the update 0.9.64.4-1 -> 0.9.66-1 I used the above command.
> Now I see that the profiles for Tor have been changed.
> The last profile that implements the assumptions is torbrowser-launcher.profile, but it refers to the installed version of the browser.

You cannot install the tor-browser system-wide. torbrowser-launcher is just a wrapper that automates the steps (download, verify, extract to home) to install the tor-browser.

What changed is that there are no longer three profiles for the same software (which is difficult and risky to maintain). start-tor-browser.profile was a blacklisting profile before 0.9.66, now it is a whitelisting one 🎉.


@mattrattus commented on GitHub (Jul 2, 2021):

> Where did you extract it? It must be one of the ${HOME}/.tor-browser* listed in the profile. Or you need to add a .local and whitelist the path where you extracted it.

Before the last update I just extracted to ${HOME}/tor-browser* - without a dot (not a hidden directory) - and everything worked fine.

As you suggested, I moved it to a dot directory, went inside and used:
firejail --profile=start-tor-browser ./start-tor-browser
I still got the same result:
**Error: no suitable ./start-tor-browser executable found**

> Still possible. You just need to know how, see https://github.com/netblue30/firejail/wiki/Sandboxing-Binary-Software#tor-browser-home-install

I didn't pay attention to this solution because, before the last update, I didn't need it.
My solution with the long profile (not perfect like you suggest) worked as I expected.

Now when I use
firejail --private=~/tor-browser* ./start-tor-browser.desktop
it's OK.
But only this way. Using your first proposal still gives the same error.

> You cannot install the tor-browser system-wide. torbrowser-launcher is just a wrapper that automates the steps (download, verify, extract to home) to install the tor-browser.

Yes I know :) That's what I had "in mind" mentioning the installation.


@rusty-snake commented on GitHub (Jul 3, 2021):

> As you suggested, I moved it to a dot directory, went inside and used:
> firejail --profile=start-tor-browser ./start-tor-browser
> I still got the same result:
> Error: no suitable ./start-tor-browser executable found

If it is really in one of

https://github.com/netblue30/firejail/blob/0562ceb658efff25583ff619846ef2c0ab697e37/etc/profile-m-z/start-tor-browser.desktop.profile#L11-L73

start `firejail --ignore=private-bin --profile=start-tor-browser ls -l` to see if the file is present and readable.

> Before the last update I just extracted to ${HOME}/tor-browser* - without a dot (not a hidden directory) - and everything worked fine.

You can keep this by using locals.

`start-tor-browser.local`:

```
noblacklist ${HOME}/tor-browser
whitelist ${HOME}/tor-browser
```

`disable-common.local`:

```
blacklist ${HOME}/tor-browser
```
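
A simplified model of why a whitelisting profile hides an extraction directory that is not listed, and how the `start-tor-browser.local` whitelist line above changes that. This is an added example, not part of the original comment and not firejail's own code; the home directory, the `.tor-browser-sample` entry and the executable path are constructed, and only literal `whitelist` lines with the `${HOME}` macro are modelled (no globs, no `noblacklist`/`blacklist`).

```shell
#!/bin/sh
# Added example: simplified model of whitelist matching, not firejail's code.

# covering_whitelist PROFILE PATH HOME_DIR
# Prints the whitelist entry in PROFILE that covers PATH (the entry itself or
# something below it). Returns 1 if no entry covers it, i.e. the path would
# not be visible inside a sandbox that whitelists parts of the home directory.
covering_whitelist() {
    cw_macro='${HOME}'                      # literal macro text used in profiles
    while read -r cw_keyword cw_entry; do
        [ "$cw_keyword" = "whitelist" ] || continue
        case "$cw_entry" in
            "$cw_macro"*) cw_entry=$3${cw_entry#"$cw_macro"} ;;
        esac
        # Quoted patterns: literal comparison, with a "/" boundary so that
        # a sibling directory sharing the prefix is not treated as covered.
        case "$2" in
            "$cw_entry"|"$cw_entry"/*) printf '%s\n' "$cw_entry"; return 0 ;;
        esac
    done < "$1"
    return 1
}

demo() {
    home=/home/user                          # constructed home directory
    exe=$home/tor-browser/Browser/start-tor-browser   # constructed path
    profile=$(mktemp)
    # Constructed stand-in for the shipped profile; the entry name is made up.
    printf '%s\n' 'whitelist ${HOME}/.tor-browser-sample' > "$profile"
    covering_whitelist "$profile" "$exe" "$home" \
        || echo "not whitelisted, hidden in the sandbox: $exe"
    # Add the whitelist line from start-tor-browser.local shown in the comment.
    printf '%s\n' 'whitelist ${HOME}/tor-browser' >> "$profile"
    echo "covered by: $(covering_whitelist "$profile" "$exe" "$home")"
    rm -f "$profile"
}

demo
```
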

@rusty-snake commented on GitHub (Jul 16, 2021):

I'm closing here due to inactivity, please feel free to request to reopen if you have more questions.
