github-starred/firejail

Fork 0

mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00

[GH-ISSUE #4784] telegram: cannot open links in browser #2776

New issue

Closed

opened 2026-05-05 09:26:19 -06:00 by gitea-mirror · 4 comments

gitea-mirror commented

2026-05-05 09:26:19 -06:00

Owner

Originally created by @YorkZ on GitHub (Dec 19, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4784

Description

Unable to open hyperlinks in Telegram

Steps to Reproduce

Run in bash telegram-desktop
Click on a hyperlink in any chat

Expected behavior

The link should be opened in the web browser.

Actual behavior

The link isn't opened

Behavior without a profile

The link gets opened in the web browser when clicking it in Telegram.

Additional context

The issue went away after noblacklist bash and sh:

noblacklist ${PATH}/bash
noblacklist ${PATH}/sh

And I've open PR #4783 as a proposal to address the issue.

Environment

Linux distribution and version: Arch Linux
Firejail version: 0.9.66

Checklist

The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
I can reproduce the issue without custom modifications (e.g. globals.local).
The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
The profile (and redirect profile if exists) hasn't already been fixed upstream.
I have performed a short search for similar issues (to avoid opening a duplicate).
- I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail telegram-desktop

Reading profile /etc/firejail/telegram-desktop.profile
Reading profile /etc/firejail/telegram.profile
Reading profile ~/.config/firejail/telegram.local
Reading profile ~/.config/firejail/globals.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Ignoring "dbus-user.talk org.freedesktop.Notifications" and 3 other dbus-user filter rules.
Parent pid 58643, child pid 58644
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping crypto-policies for private /etc
Warning fcopy: skipping /etc/fonts/conf.d/11-lcdfilter-default.conf, cannot find inode
Warning: skipping pki for private /etc
Private /etc installed in 30.81 ms
Private /usr/etc installed in 0.00 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Child process initialized in 220.47 ms
Error: cannot read UID_MIN and/or GID_MIN from /etc/login.defs, using 1000 by default
Error: cannot read UID_MIN and/or GID_MIN from /etc/login.defs, using 1000 by default
Warning: an existing sandbox was detected. /usr/bin/telegram-desktop will run without any additional sandboxing features

(telegram-desktop:20): Telegram-WARNING **: 21:12:37.431: Application was built without embedded fonts, this may lead to font issues.
[ALSOFT] (EE) Failed to set real-time priority for thread: Operation not permitted (1)
error: : cannot open
error: : cannot open
error: : cannot open
Failed to establish dbus connectionqt.svg: Error while inflating gzip file: SVG format check failed
Corrupt JPEG data: premature end of data segment
Launch failed (/usr/bin/xdg-open https://images.app.goo.gl/s6pqdz6AApaaNWTF6)

Originally created by @YorkZ on GitHub (Dec 19, 2021). Original GitHub issue: https://github.com/netblue30/firejail/issues/4784 ### Description Unable to open hyperlinks in Telegram ### Steps to Reproduce 1. Run in bash `telegram-desktop` 2. Click on a hyperlink in any chat ### Expected behavior The link should be opened in the web browser. ### Actual behavior The link isn't opened ### Behavior without a profile The link gets opened in the web browser when clicking it in Telegram. ### Additional context The issue went away after `noblacklist` `bash` and `sh`: noblacklist ${PATH}/bash noblacklist ${PATH}/sh And I've open PR #4783 as a proposal to address the issue. ### Environment - Linux distribution and version: Arch Linux - Firejail version: 0.9.66 ### Checklist - [X] The issues is caused by firejail (i.e. running the program by path (e.g. `/usr/bin/vlc`) "fixes" it). - [X] I can reproduce the issue without custom modifications (e.g. globals.local). - [X] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`) - [X] The profile (and redirect profile if exists) hasn't already been fixed [upstream](https://github.com/netblue30/firejail/tree/master/etc). - [X] I have performed a short search for similar issues (to avoid opening a duplicate). - [ ] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers. - [ ] I used `--profile=PROFILENAME` to set the right profile. (Only relevant for AppImages) ### Log <details> <summary>Output of <code>LC_ALL=C firejail telegram-desktop</code></summary> <p> ``` Reading profile /etc/firejail/telegram-desktop.profile Reading profile /etc/firejail/telegram.profile Reading profile ~/.config/firejail/telegram.local Reading profile ~/.config/firejail/globals.local Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-exec.inc Reading profile /etc/firejail/disable-interpreters.inc Reading profile /etc/firejail/disable-passwdmgr.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/disable-shell.inc Reading profile /etc/firejail/disable-xdg.inc Reading profile /etc/firejail/whitelist-common.inc Reading profile /etc/firejail/whitelist-runuser-common.inc Reading profile /etc/firejail/whitelist-usr-share-common.inc Reading profile /etc/firejail/whitelist-var-common.inc Ignoring "dbus-user.talk org.freedesktop.Notifications" and 3 other dbus-user filter rules. Parent pid 58643, child pid 58644 Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set. Warning: skipping crypto-policies for private /etc Warning fcopy: skipping /etc/fonts/conf.d/11-lcdfilter-default.conf, cannot find inode Warning: skipping pki for private /etc Private /etc installed in 30.81 ms Private /usr/etc installed in 0.00 ms Warning: cleaning all supplementary groups Warning: cleaning all supplementary groups Warning: /sbin directory link was not blacklisted Warning: /usr/sbin directory link was not blacklisted Warning: cleaning all supplementary groups Warning: cleaning all supplementary groups Warning: Cannot confine the application using AppArmor. Maybe firejail-default AppArmor profile is not loaded into the kernel. As root, run "aa-enforce firejail-default" to load it. Child process initialized in 220.47 ms Error: cannot read UID_MIN and/or GID_MIN from /etc/login.defs, using 1000 by default Error: cannot read UID_MIN and/or GID_MIN from /etc/login.defs, using 1000 by default Warning: an existing sandbox was detected. /usr/bin/telegram-desktop will run without any additional sandboxing features (telegram-desktop:20): Telegram-WARNING **: 21:12:37.431: Application was built without embedded fonts, this may lead to font issues. [ALSOFT] (EE) Failed to set real-time priority for thread: Operation not permitted (1) error: : cannot open error: : cannot open error: : cannot open Failed to establish dbus connectionqt.svg: Error while inflating gzip file: SVG format check failed Corrupt JPEG data: premature end of data segment Launch failed (/usr/bin/xdg-open https://images.app.goo.gl/s6pqdz6AApaaNWTF6) ``` </p> </details>

gitea-mirror

2026-05-05 09:26:19 -06:00

closed this issue
added the
sandbox-ipc
label

gitea-mirror commented

2026-05-05 09:26:22 -06:00

Author

Owner

@ghost commented on GitHub (Dec 19, 2021):

Aha, I think I see where the confusion discussed in PR #4783 stems from. As you state, your using firejail 0.9.66 on Arch Linux. That version indeed does not have private-bin enabled. That's brought in recently via this commit, so my earlier assumptions were off here. There have been other changes to telegram.profile since 0.9.66-3 from the official Arch Linux repo, regarding D-Bus. Here's my suggestion. Until we cut a new release you can add your needed fixes to a telegram.local override. For the PR you'll need to additionally add bash, sh and xdg-open to the now enabled private-bin. I'll add a comment about this to the PR too.

Hope this clears up the confusion. And thanks for reporting!

@ghost commented on GitHub (Dec 19, 2021): Aha, I think I see where the confusion discussed in PR #4783 stems from. As you state, your using firejail 0.9.66 on Arch Linux. That version indeed does not have `private-bin` enabled. That's brought in recently via this [commit](https://github.com/netblue30/firejail/commit/3492d15b77de60bce87c1e2ae0c9be2db3166823#diff-c3a5169dd043c70b61fc3b488ea507fbf0148e83154227981ec025349afb3d4a), so my earlier assumptions were off here. There have been other changes to telegram.profile since 0.9.66-3 from the official Arch Linux repo, regarding D-Bus. Here's my suggestion. Until we cut a new release you can add your needed fixes to a telegram.local override. For the PR you'll need to additionally add `bash`, `sh` and `xdg-open` to the now enabled `private-bin`. I'll add a comment about this to the PR too. Hope this clears up the confusion. And thanks for reporting!

gitea-mirror commented

2026-05-05 09:26:23 -06:00

Author

Owner

@YorkZ commented on GitHub (Dec 19, 2021):

@glitsj16 Yep, I figured this out and have updated in the PR #4783 discussion. Could you check my comments there?

@YorkZ commented on GitHub (Dec 19, 2021): @glitsj16 Yep, I figured this out and have updated in the PR #4783 discussion. Could you check my comments there?

gitea-mirror commented

2026-05-05 09:26:24 -06:00

Author

Owner

@ghost commented on GitHub (Dec 19, 2021):

@YorkZ I just merged your PR and added credits to the README. Thanks again for your efforts and reporting. I'll close this but feel free to re-open if the issue returns.

Regards

@ghost commented on GitHub (Dec 19, 2021): @YorkZ I just merged your PR and added credits to the README. Thanks again for your efforts and reporting. I'll close this but feel free to re-open if the issue returns. Regards

gitea-mirror commented

2026-05-05 09:26:25 -06:00

Author

Owner

@YorkZ commented on GitHub (Dec 19, 2021):

@YorkZ I just merged your PR and added credits to the README. Thanks again for your efforts and reporting. I'll close this but feel free to re-open if the issue returns.

Thanks a lot for your help.

@YorkZ commented on GitHub (Dec 19, 2021): > @YorkZ I just merged your PR and added credits to the README. Thanks again for your efforts and reporting. I'll close this but feel free to re-open if the issue returns. Thanks a lot for your help.

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2776

No description provided.

Rows
Columns