[GH-ISSUE #4965] The latest stable chrome (98.0.4758.102) does not start with firejail. #2840

Closed
opened 2026-05-05 09:29:40 -06:00 by gitea-mirror · 15 comments

Originally created by @reagentoo on GitHub (Feb 20, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4965

Description

Latest stable chrome (98.0.4758.102) does not start with firejail.

Steps to Reproduce

Steps to reproduce the behavior

  1. Run chrome with wayland support or without it.

Expected behavior

Open browser.

Actual behavior

Browser does not start.

Behavior without a profile

Browser works without a profile.

Environment

Linux Gentoo ~amd64
firejail version 0.9.68
chrome 98.0.4758.102

Checklist

  • [x] The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • [x] I can reproduce the issue without custom modifications (e.g. globals.local).
  • [x] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [?] The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).
    • [x] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • [ ] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail --debug google-chrome-stable -ozone-platform=wayland

https://gist.github.com/reagentoo/b93887dde23d149b945b6e9c97760e20

gitea-mirror 2026-05-05 09:29:40 -06:00
  • closed this issue
  • added the bug label

@rusty-snake commented on GitHub (Feb 20, 2022):

Duplicate of #4961/#4960 I guess. edit: no, duplicate of #4929.

Does firejail --ignore=nogroups /usr/bin/google-chrome-stable --ozone-platform=wayland work?


@reagentoo commented on GitHub (Feb 20, 2022):

> Does firejail --ignore=nogroups /usr/bin/google-chrome-stable --ozone-platform=wayland work?

Does not work.


@rusty-snake commented on GitHub (Feb 20, 2022):

Can you post /etc/firejail/chromium-common.profile.


@reagentoo commented on GitHub (Feb 20, 2022):

> Can you post /etc/firejail/chromium-common.profile.

Output of cat /etc/firejail/chromium-common.profile

# Firejail profile for chromium-common
# This file is overwritten after every install/update
# Persistent local customizations
include chromium-common.local
# Persistent global definitions
# added by caller profile
#include globals.local

# noexec ${HOME} breaks DRM binaries.
?BROWSER_ALLOW_DRM: ignore noexec ${HOME}

noblacklist ${HOME}/.local/share/pki
noblacklist ${HOME}/.pki
noblacklist /usr/lib/chromium/chrome-sandbox

# Add the next line to your chromium-common.local if you want Google Chrome/Chromium browser
# to have access to Gnome extensions (extensions.gnome.org) via browser connector
#include allow-python3.inc

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-programs.inc
include disable-xdg.inc

mkdir ${HOME}/.local/share/pki
mkdir ${HOME}/.pki
whitelist ${DOWNLOADS}
whitelist ${HOME}/.local/share/pki
whitelist ${HOME}/.pki
whitelist /usr/share/mozilla/extensions
whitelist /usr/share/webext
include whitelist-common.inc
include whitelist-run-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

# Add the next line to your chromium-common.local if your kernel allows unprivileged userns clone.
#include chromium-common-hardened.inc.profile

apparmor
caps.keep sys_admin,sys_chroot
netfilter
nodvd
nogroups
noinput
notv
?BROWSER_DISABLE_U2F: nou2f
shell none

disable-mnt
private-cache
?BROWSER_DISABLE_U2F: private-dev
#private-tmp - issues when using multiple browser sessions

blacklist ${PATH}/curl
blacklist ${PATH}/wget
blacklist ${PATH}/wget2

#dbus-user none - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector.
dbus-system none

# The file dialog needs to work without d-bus.
?HAS_NODBUS: env NO_CHROME_KDE_FILE_DIALOG=1


@rusty-snake commented on GitHub (Feb 20, 2022):

> include whitelist-usr-share-common.inc

but it ever Found whitelist-usr-share-common.inc profile in /etc/firejail directory Reading profile /etc/firejail/whitelist--usr-share-common.inc in the log or processing it.


@reagentoo commented on GitHub (Feb 20, 2022):

/etc/firejail/whitelist-usr-share-common.inc exists, but it's really missing in the logs..


@rusty-snake commented on GitHub (Feb 20, 2022):

Because it's google-chrome and not chromium.
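
The check made by eye in the comments above (an include present in the profile with no matching "Reading profile" line in the --debug output), as an added shell example that is not part of the original thread or of firejail; the function name unread_includes and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: list active "include" directives of a firejail profile that
# have no "Reading profile .../<name>" line in a `firejail --debug` log.

# unread_includes PROFILE DEBUG_LOG   (hypothetical helper, not a firejail tool)
# Prints one include name per line. *.local files are skipped: they are
# optional local overrides and are normally absent.
unread_includes() {
    profile=$1
    log=$2
    # File names of every profile the log reports as read.
    read_names=$(sed -n 's|^Reading profile .*/\([^/]*\)$|\1|p' "$log")
    # Active directives only; commented "#include" lines do not match.
    sed -n 's/^[[:space:]]*include[[:space:]][[:space:]]*\([^[:space:]][^[:space:]]*\).*/\1/p' "$profile" |
    while IFS= read -r inc; do
        case $inc in *.local) continue ;; esac
        # Exact, fixed-string match on the file name.
        printf '%s\n' "$read_names" | grep -Fxq -- "$inc" || printf '%s\n' "$inc"
    done
}

demo() {
    dir=$(mktemp -d)
    # Constructed excerpt using directives from the profile posted above.
    cat > "$dir/chromium-common.profile" <<'EOF'
include chromium-common.local
#include globals.local
include disable-common.inc
include whitelist-common.inc
include whitelist-usr-share-common.inc
whitelist /usr/share/webext
EOF
    # Constructed debug-log excerpt; only "Reading profile" lines matter.
    cat > "$dir/debug.log" <<'EOF'
Reading profile /etc/firejail/google-chrome-stable.profile
Reading profile /etc/firejail/chromium-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/whitelist-common.inc
EOF
    unread_includes "$dir/chromium-common.profile" "$dir/debug.log"
    rm -rf "$dir"
}

demo
```

On a real system the second argument would be a saved copy of the LC_ALL=C firejail --debug output.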


@rusty-snake commented on GitHub (Feb 20, 2022):

Duplicate of #4929


@rusty-snake commented on GitHub (Feb 20, 2022):

See https://github.com/netblue30/firejail/issues/4929#issuecomment-1036032104


@reagentoo commented on GitHub (Feb 20, 2022):

Thanks!

echo 'ignore whitelist /usr/share/mozilla/extensions' >> ~/.config/firejail/google-chrome-stable.local
echo 'ignore whitelist /usr/share/webext' >> ~/.config/firejail/google-chrome-stable.local

it has resolved the problem


@jose1711 commented on GitHub (Mar 4, 2022):

I have a similar problem. Arch Linux, google-chrome 99.0.4844.51-1, firejail 11af029. For me however the browser starts, I am able to select user profile, even loading pages but only those which use http:// protocol. For https:// I am getting:
[image]

This is what appears in the console:

[48:53:0304/092733.604017:ERROR:ssl_client_socket_impl.cc(995)] handshake failed; returned -1, SSL error code 1, net_error -202
[48:53:0304/092734.764805:ERROR:ssl_client_socket_impl.cc(995)] handshake failed; returned -1, SSL error code 1, net_error -202
[48:53:0304/092736.897605:ERROR:ssl_client_socket_impl.cc(995)] handshake failed; returned -1, SSL error code 1, net_error -202
[48:53:0304/092740.293125:ERROR:ssl_client_socket_impl.cc(995)] handshake failed; returned -1, SSL error code 1, net_error -202
[48:53:0304/092740.991840:ERROR:ssl_client_socket_impl.cc(995)] handshake failed; returned -1, SSL error code 1, net_error -202
[6:43:0304/092745.481617:ERROR:cert_verify_proc_builtin.cc(681)] CertVerifyProcBuiltin for www.google.com failed:
----- Certificate i=3 (CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE) -----
ERROR: No matching issuer found

Removing lines

whitelist /usr/share/mozilla/extensions
whitelist /usr/share/webext

from chromium-common.profile fixes the problem.


@ghost commented on GitHub (Mar 4, 2022):

> Removing lines
> whitelist /usr/share/mozilla/extensions
> whitelist /usr/share/webext
> from chromium-common.profile fixes the problem.

@jose1711 Nice to see you've found a fix. Those two lines moved from chromium.profile to chromium-common.profile in 0319fbdc4b. Not sure why, but @reinerh probably had good reasons to do so. Let's see if we can come up with a better compromise somehow.


@reinerh commented on GitHub (Mar 4, 2022):

See discussion in the PR #4828.
(other chromium-based browsers also support webext extensions)


@ghost commented on GitHub (Mar 4, 2022):

@reinerh Ah, now I remember, thanks for the link to the discussion. Just a thought, would adding:

ignore whitelist /usr/share/mozilla/extensions
ignore whitelist /usr/share/webext

to our google-chrome-* profiles interfere with Debian bug https://bugs.debian.org/1003234? If not it might be the best of both worlds :-)


@rusty-snake commented on GitHub (Mar 4, 2022):

Still in my todo: https://github.com/netblue30/firejail/issues/4929#issuecomment-1036032104 (opera should be fine with #4999).
If someone else is faster, go for it.

Reference: github-starred/firejail#2840