[GH-ISSUE #4728] firefox: webcam and 2fa keys connected after starting don't work #2766

Open
opened 2026-05-05 09:25:39 -06:00 by gitea-mirror · 13 comments

Originally created by @WhyNotHugo on GitHub (Nov 30, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4728

Description

Any webcam or 2fa key connected after starting firefox won't work unless I restart it.

Steps to Reproduce

  1. Run firefox with the supplied profile
  2. Connect a webcam
  3. https://mozilla.github.io/webrtc-landing/gum_test.html

Expected behavior

The connected webcam should show up

Actual behavior

The connected webcam does not show up.

Behavior without a profile

What changed calling LC_ALL=C firejail --noprofile /path/to/program in a terminal?

Additional context

Since this happens for both webcams and 2fa keys, I'm guessing it's related to how /dev is mounted...?

Environment

  • Archlinux
firejail version 0.9.66

Compile time support:
	- always force nonewprivs support is disabled
	- AppArmor support is enabled
	- AppImage support is enabled
	- chroot support is enabled
	- D-BUS proxy support is enabled
	- file and directory whitelisting support is enabled
	- file transfer support is enabled
	- firetunnel support is enabled
	- networking support is enabled
	- output logging is enabled
	- overlayfs support is disabled
	- private-home support is enabled
	- private-cache and tmpfs as user enabled
	- SELinux support is disabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled

Checklist

  • [x] The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • [x] I can reproduce the issue without custom modifications (e.g. globals.local).
  • [x] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [x] The profile (and redirect profile if exists) hasn't already been fixed upstream (https://github.com/netblue30/firejail/tree/master/etc).
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).
    • [x] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.

Log

No relevant details in logs.

gitea-mirror added the needinfo label 2026-05-05 09:25:39 -06:00

@rusty-snake commented on GitHub (Nov 30, 2021):

Add ignore private-dev if you need to plug-in devices while the sandbox is running.

> 2fa keys connected after starting don't work

I'm sure they do in firejail 0.9.66 if you allowed them.


@WhyNotHugo commented on GitHub (Nov 30, 2021):

> I'm sure they do in firejail 0.9.66 if you allowed them.

They only work if I connect them before starting firefox.


@rusty-snake commented on GitHub (Nov 30, 2021):

Can you then try to find out which command is breaking it.


@WhyNotHugo commented on GitHub (Nov 30, 2021):

ignore private-dev makes the u2f key kinda work.

If I plug it in after the browser prompts me, it's not picked up, but if I cancel the prompt and retry, it works.


@rusty-snake commented on GitHub (Nov 30, 2021):

> If I plug it in after the browser prompts me, it's not picked up, but if I cancel the prompt and retry, it works.

Does this work w/o firejail?

> ignore private-dev makes the u2f key kinda work.

https://github.com/netblue30/firejail/blob/a67bb37b0ddac080008cd5cf494aaaf8531f45c0/etc/profile-a-l/firefox-common.profile#L54


@WhyNotHugo commented on GitHub (Nov 30, 2021):

I added ignore nou2f, but I'm now realising that I need ignore private-dev too, thanks.

> Does this work w/o firejail?

Yes, the exact steps are:

  1. Open a website that prompts for u2f
  2. Actually get prompted for it
  3. Plug in the device
  4. Tap button (if applicable)

With firejail, the device won't work until I cancel the prompt and retry.
Without firejail, it works right away.


@WhyNotHugo commented on GitHub (Sep 17, 2022):

Any further suggestions here?


@WhyNotHugo commented on GitHub (Sep 17, 2022):

If I understand correctly, individual devices are bind-mounted into the sandbox's filesystem tree, right?

Is it possible that Firefox isn't receiving some event when the device is connected? Or that the event notifying it of a new device arrives before the bind-mount happens?

I'm not sure how to debug this TBH.


@kmk3 commented on GitHub (Sep 18, 2022):

@WhyNotHugo commented on Sep 17:

> If I understand correctly, individual devices are bind-mounted into the
> sandbox's filesystem tree, right?
>
> Is it possible that Firefox isn't receiving some event when the device is
> connected? Or that the event notifying it of a new device arrives before the
> bind-mount happens?
>
> I'm not sure how to debug this TBH.

When using private-dev, this is roughly what happens AFAIK:

  • A dummy directory is created in /run/firejail (let's call it "dummydev")
  • Every allowed path that currently exists in /dev is bind-mounted into
    dummydev
  • dummydev is bind-mounted into /dev in the sandbox
  • Privileges are dropped, etc
  • The target program is started in the sandbox

This means that the paths inside dummydev are fixed as of when the target
program is started, as the real /dev (and thus any new device that would appear
in it) is not visible anymore. There is no way to keep bind-mounting more
paths, as the privileges will have already been dropped and firejail will have
finished running by the time the target program is executed.

So I don't see how bind-mounting new devices into the sandbox could work
without having something like a privileged daemon running in the background.

Currently, the alternative would be to only blacklist paths in /dev, as the
original /dev would still be used in this case (that is, no dummydev bind
mount). Though note that in this case firejail cannot block any new devices
that show up. For example, nou2f would be unable to blacklist any U2F keys
that show up after the sandbox was started.

Note: The steps in the list above are likely similar for the other private- commands and for whitelist.

Note2: The actual dummydev path is something like /run/firejail/mnt/dev; see
rundefs.h.


@WhyNotHugo commented on GitHub (Sep 18, 2022):

But the device does show up -- if I cancel the u2f prompt on firefox and retry, it does work.

So this works both with and without firejail:

  1. Connect the u2f device (e.g.: yubikey)
  2. Try to use an u2f token on a webpage.
  3. Firefox prompts to tap the device.
  4. Tap it

But this only works without firejail:

  1. Disconnect the u2f device
  2. Try to use an u2f token on a webpage.
  3. Firefox prompts to connect and tap the device.
  4. Plug in the device
  5. Tap it

@kmk3 commented on GitHub (Sep 18, 2022):

@WhyNotHugo commented on Sep 18:

> But the device does show up -- if I cancel the u2f prompt on firefox and
> retry, it does work.
>
> So this works both with and without firejail:
>
>   1. Connect the u2f device (e.g.: yubikey)
>   2. Try to use an u2f token on a webpage.
>   3. Firefox prompts to tap the device.
>   4. Tap it

Was firejail started before or after step 1?

> But this only works without firejail:
>
>   1. Disconnect the u2f device
>   2. Try to use an u2f token on a webpage.
>   3. Firefox prompts to connect and tap the device.
>   4. Plug in the device
>   5. Tap it

Was firejail started before or after step 0?

Does it work with firejail without private-dev?

If so, then my previous comment applies.

If not, then how does Firefox access the device? Examples: Raw access in /dev,
authentication service/socket, dbus.

Does it show up in /dev inside the sandbox? This can be tested in a separate
shell instance with firejail --join.

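To make the private-dev snapshot behaviour described two comments up concrete, and to run the "does it show up in /dev inside the sandbox" check from this comment, here is an added shell example (not firejail's own code). build_dummydev models the "only allowed paths that exist at build time" step with plain files in a scratch directory instead of bind-mounted device nodes; dev_missing_inside diffs a host /dev listing against a sandbox one; sandbox_dev_missing runs that diff against a live sandbox through firejail --join. The function names, the scratch layout and the allowed-device list are assumptions for illustration; the --join call assumes firejail is installed and the sandbox was started with --name.

```shell
#!/bin/sh
# Added example: a model of the private-dev snapshot plus a /dev diff.
# Not firejail's code; directory names and device lists are constructed.

# build_dummydev HOSTDEV DUMMYDEV NAME...
# Models the private-dev step "every allowed path that currently exists in
# /dev is placed into dummydev": of the allowed NAMEs, only those present in
# HOSTDEV right now end up in DUMMYDEV. The real sandbox bind-mounts device
# nodes; plain empty files stand in for them here (creating nodes needs root).
build_dummydev() {
    hostdev=$1; dummydev=$2; shift 2
    mkdir -p "$dummydev"
    for name in "$@"; do
        if [ -e "$hostdev/$name" ]; then
            : > "$dummydev/$name"
        fi
    done
}

# dev_missing_inside HOSTDEV SANDBOXDEV
# Prints, one per line, entries present in HOSTDEV but absent from
# SANDBOXDEV: exactly the devices a program inside the sandbox cannot see.
dev_missing_inside() {
    hostdev=$1; sandboxdev=$2
    for path in "$hostdev"/*; do
        [ -e "$path" ] || continue
        name=${path##*/}
        [ -e "$sandboxdev/$name" ] || printf '%s\n' "$name"
    done
}

# sandbox_dev_missing SANDBOXNAME
# For a running sandbox started with `firejail --name=SANDBOXNAME ...`:
# list host /dev entries that are not visible inside it. Uses
# `firejail --join=NAME COMMAND`, which runs COMMAND inside the sandbox
# (assumed usage; needs firejail on the host, so it is not exercised in the
# offline test). Both listings are snapshotted as file names so that
# dev_missing_inside can compare them.
sandbox_dev_missing() {
    name=$1
    host=$(mktemp -d)
    inside=$(mktemp -d)
    for p in /dev/*; do : > "$host/${p##*/}"; done
    firejail --quiet --join="$name" ls /dev | while IFS= read -r n; do
        : > "$inside/$n"
    done
    dev_missing_inside "$host" "$inside"
    rm -rf "$host" "$inside"
}
```

Usage against a live sandbox: start Firefox with firejail --name=ff firefox, plug the device in, then run sandbox_dev_missing ff. Anything printed is present on the host but not in the sandbox's /dev, which is the expected result with private-dev for a device connected after start, and is what ignore private-dev removes.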

@kmk3 commented on GitHub (Sep 18, 2022):

@WhyNotHugo commented on Sep 17:

> I'm not sure how to debug this TBH.

@WhyNotHugo commented on Nov 30, 2021:

> Behavior without a profile
>
> What changed calling LC_ALL=C firejail --noprofile /path/to/program in a terminal?

Following the template would be a start.

If it works without a profile, then try commenting parts of the profiles being
used to find out which commands are causing the issue.

If not and if the issue is being caused by the lack of access to a path, then
the following might help find it:

  • Run firejail --build firefox
  • Perform the relevant actions
  • Close Firefox

This builds a profile based on which paths Firefox accesses (among other
things) and prints it to stdout.

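For the "comment out parts of the profile" step above, here is an added shell helper (not part of firejail). Rather than editing the profiles under /etc/firejail, it lists the command names a profile uses and writes ignore lines for one candidate at a time into a .local override in ~/.config/firejail, which firejail profiles include at their top (firefox-common.profile begins with include firefox-common.local), so a command can be disabled for one test run and re-enabled by deleting the file. The function names, the demo profile in the test and the loop in the usage comment are assumptions for illustration.

```shell
#!/bin/sh
# Added example: helpers for bisecting which profile command breaks a device.
# Not firejail's code. Assumes the usual firejail layout where profile
# NAME.profile includes NAME.local first, and ~/.config/firejail holds
# per-user .local overrides.

# profile_commands PROFILEFILE
# Prints the distinct first words of every active profile line: the command
# names that are candidates for `ignore`. Blank lines, comments and include
# lines are skipped (include is not itself a sandbox restriction).
profile_commands() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*|include*) continue ;;
        esac
        printf '%s\n' "${line%% *}"
    done < "$1" | sort -u
}

# write_ignore_local LOCALDIR NAME CMD...
# Writes LOCALDIR/NAME.local with one `ignore CMD` line per CMD, replacing
# any previous content, and prints the path written. Since firejail applies
# `ignore` to every later occurrence of that command, this disables e.g.
# all private-dev or all whitelist lines of the profile for the next run.
write_ignore_local() {
    dir=$1; name=$2; shift 2
    mkdir -p "$dir"
    out="$dir/$name.local"
    : > "$out"
    for cmd in "$@"; do
        printf 'ignore %s\n' "$cmd" >> "$out"
    done
    printf '%s\n' "$out"
}

# Typical bisection (hypothetical loop; retest after each iteration and stop
# when the device starts working, then delete the .local file):
#   for cmd in $(profile_commands /etc/firejail/firefox-common.profile); do
#       write_ignore_local "$HOME/.config/firejail" firefox-common "$cmd"
#       firejail firefox
#   done
```

The override file is also the right place for the fix this thread converges on: write_ignore_local ~/.config/firejail firefox-common private-dev nou2f produces the two ignore lines that keep the real /dev visible, at the cost kmk3 describes of firejail no longer being able to block devices that appear later.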

@rusty-snake commented on GitHub (Sep 18, 2022):

Remember that devices have not only the API provided by dev-nodes in /dev with open, write, read, ioctl, ... but also one in /sys and APIs provided by udev and similar wrappers.
