[GH-ISSUE #4991] firefox: cannot access PGP card using GPG #2847

Open
opened 2026-05-05 09:29:59 -06:00 by gitea-mirror · 19 comments

Originally created by @polcak on GitHub (Feb 28, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4991

Description

This is very likely a duplicate of #4107 or both bugs have the same root. I originally used Gentoo sys-apps/firejail-0.9.64.4 and recently updated to sys-apps/firejail-0.9.68. My gpg card used to work in Firefox with local profile. It does not work anymore (very likely after the update, let me know if I should check).

Steps to Reproduce

Steps to reproduce the behavior

  1. Start firejail --profile=firefox bash
  2. Run in bash gpg --card-status

Expected behavior

I see details about my card.

Actual behavior

gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device

Behavior without a profile

What changed calling LC_ALL=C firejail --noprofile gpg --card-status in a terminal?

I see details about my card.

Additional context

I tried to noblacklist and whitelist GPG commands listed by equery -C f app-crypt/gnupg. I added "ignore private-dev" to the local profile. I added 'ignore nou2f' suggested by keepassxc.profile (see also below).

I can see devices in /dev/ in the firefox profile but all are owned by nobody:nobody. Host /dev/usb/hiddev[0-9] as well as /dev/hidraw[0-9] devices are crw------- 1 root:root. I guess that there needs to be an additional file accessible to the user.

Environment

  • Gentoo Firejail 0.9.68

Checklist

  • [x] The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it). I can operate the GPG card outside the sandbox.
  • [x] I can reproduce the issue without custom modifications (e.g. globals.local). - Well, the default profile blacklists ~/.gnupg/, scdaemon, creates private-dev. The custom local modifications solve these problems. No custom modifications make the problem worse.
  • [x] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [ ] The profile (and redirect profile if exists) hasn't already been fixed upstream (https://github.com/netblue30/firejail/tree/master/etc). AFAIK the upstream profile expects that I do not need to access the GPG card from Firefox.
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).
    • [x] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers. DRM is irrelevant in this case. I am trying to make a PGP card work, not U2F, so that is also irrelevant, but to be safe I tried adding "ignore nou2f" as mentioned above.
  • [x] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages) I am trying to access the PGP card from Firefox, so I am trying the firefox profile.

Log

Output of LC_ALL=C firejail gpg --card-status

gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device


@rusty-snake commented on GitHub (Feb 28, 2022):

owned by nobody:nobody

That's because of noroot.


@polcak commented on GitHub (Feb 28, 2022):

Thanks for the reply. ignore noroot made the /dev files have their original owners, but gpg still does not see the card.


@polcak commented on GitHub (Feb 28, 2022):

My local changes to the profile:

$ cat .config/firejail/firefox.profile
noblacklist ~/.gnupg
whitelist ~/.gnupg
read-only ~/.gnupg/*
blacklist ~/.gnupg/openpgp-revocs.d

noblacklist /usr/libexec
read-only /usr/libexec/*
noblacklist /usr/libexec/scdaemon
whitelist /usr/libexec/scdaemon
read-only /usr/libexec/scdaemon

noblacklist /usr/libexec/gpg-check-pattern
whitelist /usr/libexec/gpg-check-pattern
read-only /usr/libexec/gpg-check-pattern
noblacklist /usr/libexec/gpg-preset-passphrase
whitelist /usr/libexec/gpg-preset-passphrase
read-only /usr/libexec/gpg-preset-passphrase
noblacklist /usr/libexec/gpg-protect-tool
whitelist /usr/libexec/gpg-protect-tool
read-only /usr/libexec/gpg-protect-tool
noblacklist /usr/libexec/gpg-wks-client
whitelist /usr/libexec/gpg-wks-client
read-only /usr/libexec/gpg-wks-client
blacklist /usr/libexec/*

noblacklist /usr/sbin
read-only /usr/sbin/*

noblacklist /usr/sbin/addgnupghome
whitelist /usr/sbin/addgnupghome
read-only /usr/sbin/addgnupghome
noblacklist /usr/sbin/applygnupgdefaults
whitelist /usr/sbin/applygnupgdefaults
read-only /usr/sbin/applygnupgdefaults
blacklist /usr/sbin/*

ignore private-dev
ignore nou2f
ignore noroot

include /etc/firejail/firefox.profile

@rusty-snake commented on GitHub (Feb 28, 2022):

Any reason to use firefox.profile rather than firefox.local?

Why all these unnecessary read-only and blacklist commands?


I've no real idea, but does it work if you add ignore nogroups? Do you use systemd? Or another init like OpenRC? If so, with elogind or similar?


@polcak commented on GitHub (Feb 28, 2022):

Any reason to use firefox.profile rather than firefox.local?

You mean, I should do mv .config/firejail/firefox.profile .config/firejail/firefox.local and remove the include of the system profile. I did just that. I created the profile a long time ago and I do not remember why I used .config/firejail/firefox.profile instead of .config/firejail/firefox.local but I very likely misunderstood the docs or was not sure about the correct name and firefox.profile worked for me.

Why all these unnecessary read-only and blacklist commands?

read-only - safe programming, blacklist in the .gnupg directory to hide revocation keys, other blacklist because the directories were hidden by the current profile.

I've no real idea but does it work if you add ignore nogroups?

No change for gpg.

Do you use systemd? Or an other init like OpenRC? If so with elogind or similar?

OpenRC and elogind.

I simplified the config, so I am now with cat .config/firejail/firefox.local:

noblacklist ~/.gnupg
whitelist ~/.gnupg
blacklist ~/.gnupg/openpgp-revocs.d

noblacklist /usr/libexec
noblacklist /usr/libexec/scdaemon
whitelist /usr/libexec/scdaemon

noblacklist /usr/libexec/gpg-check-pattern
whitelist /usr/libexec/gpg-check-pattern
noblacklist /usr/libexec/gpg-preset-passphrase
whitelist /usr/libexec/gpg-preset-passphrase
noblacklist /usr/libexec/gpg-protect-tool
whitelist /usr/libexec/gpg-protect-tool
noblacklist /usr/libexec/gpg-wks-client
whitelist /usr/libexec/gpg-wks-client

noblacklist /usr/sbin
noblacklist /usr/sbin/addgnupghome
whitelist /usr/sbin/addgnupghome
noblacklist /usr/sbin/applygnupgdefaults
whitelist /usr/sbin/applygnupgdefaults

ignore private-dev
ignore nou2f
ignore noroot
ignore nogroups

I also noticed that gnupg was updated last week, but there is no card status in firejail for either =app-crypt/gnupg-2.2.32-r1 or =app-crypt/gnupg-2.2.33-r1.


@polcak commented on GitHub (Mar 4, 2022):

So I noticed that whitelist-run-common.inc, despite its name, disables a bunch of files and directories in /run. When the include is commented out, I got GPG running. I am not sure what exactly is needed from /run yet.

A question: Is there a configuration I can put to my firefox.local like:
ignore include whitelist-run-common.inc

Thanks


@ghost commented on GitHub (Mar 4, 2022):

A question: Is there a configuration I can put to my firefox.local like:
ignore include whitelist-run-common.inc

That's indeed the correct syntax.

So when the include is commented out, I got GPG running. I am not sure what exactly is needed from /run yet.

IMO you can keep whitelist-run-common.inc but you need to add a few things to your firefox.local:

whitelist ${RUNUSER}/gnupg
whitelist /usr/share/gnupg
whitelist /usr/share/gnupg2

Side-note. Our firefox.profile indeed has blacklist /usr/libexec. To undo that you're correct in adding noblacklist /usr/libexec. A basic profile rule is that you don't need to noblacklist paths that are never blacklisted anywhere, it has no effect whatsoever to do that. Same rationale for /usr/sbin. That one is blacklisted in disable-common.inc so you need the one noblacklist /usr/sbin. The rest you can safely drop:

noblacklist /usr/libexec/scdaemon
noblacklist /usr/libexec/gpg-check-pattern
noblacklist /usr/libexec/gpg-preset-passphrase
noblacklist /usr/libexec/gpg-protect-tool
noblacklist /usr/libexec/gpg-wks-client
noblacklist /usr/sbin/addgnupghome
noblacklist /usr/sbin/applygnupgdefaults

Maybe that's what @rusty-snake was hinting at above. We might want to create something like allow-gpg.inc containing what's needed for PGP cards. That would ease the burden on users, instead of them having to figure this out on their own.


@rusty-snake commented on GitHub (Mar 4, 2022):

whitelist ${RUNUSER}/gnupg
whitelist /usr/share/gnupg
whitelist /usr/share/gnupg2

None of them are affected by wrc. But it probably makes sense to add them anyway.

We might want to create something like allow-gpg.inc containing what's needed for PGP cards.

It's always difficult because of whitelisting, private-bin, ...
But we can add it with noblacklist commands and a comment what else might be necessary.

So I noticed that whitelist-run-common.inc, despite its name, disables a bunch of files and directories in /run.

That's what the name says ;)


@rusty-snake commented on GitHub (Mar 4, 2022):

@polcak What does ls -la /run show?


@ghost commented on GitHub (Mar 4, 2022):

@rusty-snake All good arguments and ideas. I've added a few notes to my firejail-todo.md about 'allow-gpg.inc'. But in all honesty it's not high up, most of all because I don't have a yubikey or similar hw to do proper testing. Apologies to @polcak for side-tracking the issue.


@polcak commented on GitHub (Mar 7, 2022):

@rusty-snake: ls -la /run shows just a couple of directories without ignore include whitelist-run-common.inc. When I do not include whitelist-run-common.inc, /run is much more populated (very likely the original /run). That is (for me) confusing.

I went back to using only

ignore private-dev
ignore nou2f

So I removed:

ignore noroot
ignore nogroups

When I use:

whitelist ${RUNUSER}/gnupg
whitelist /usr/share/gnupg
whitelist /usr/share/gnupg2

and whitelist-run-common.inc activated, I get:

$ ls /run/user/1000/gnupg
ls: cannot open directory '/run/user/1000/gnupg': Permission denied

The directory exists but cannot be accessed because it is owned by root:root (readable by root, no other permissions).

If I include ignore include whitelist-run-common.inc, the GPG card works.

@glitsj16: I do not feel like the issue is side-tracked. The main issue is likely similar: users are confused about how to enable a GPG card in a built-in profile.


@rusty-snake commented on GitHub (Mar 7, 2022):

ls -la /run

I meant outside the sandbox, can you post it? Some of them will need a whitelist /run/foobar. Or you test for file in /run/.* /run/*; do echo "whitelist $file"; done > whitelist-run-full.inc and remove whitelists until you find all necessary ones.

That is (for me) confusing.

If you have no whitelist /run/… at all, the only thing done in /run is blacklisting (i.e. enumeration of badness), but if you have at least one whitelist /run/… (even if the file does not exist), you switch to whitelisting (i.e. enumeration of goodness): only paths with an explicit whitelist are visible/accessible (and /run/firejail, /run/user/$UID).


@dptpirate commented on GitHub (Aug 3, 2022):

Signing/encrypting emails with a smartcard is also broken with claws mail. It used to work.


@danielkrajnik commented on GitHub (Jun 29, 2023):

I was also trying to solve this to no avail. Resorted to removing librewolf's profile (https://github.com/netblue30/firejail/issues/5874) altogether for now.

Does anyone know what may cause some directories to change owner from user to root/nobody? Adding ignore noroot doesn't work. I assume that's what causes lack of access to GPG agent (/run/user/1000/gnupg has gpg sockets inaccessible) in firefox/librewolf. This breaks browserpass extension.

I know that this has been discussed before, but has there ever been a solution? Here (https://vtimofeenko.com/posts/firefox-browserpass-with-firejail-and-apparmor/) for example are described elaborate steps to make it work without explaining why - everyone's threat model is different so it would be good to have some explanation somewhere why ${RUNUSER}/gnupg is changed to root or nobody.


@danielkrajnik commented on GitHub (Jun 29, 2023):

the only thing done in /run is blacklisting (i.e. enumeration of badness)

@rusty-snake this doesn't appear to be correct - some directories change to root owner permissions instead of user (in firefox or librewolf profiles)


@rusty-snake commented on GitHub (Jun 30, 2023):

That's how blacklisting is implemented. The path is read-only bind-mounted over with a file of same type (dir, reg, sock, ...) that has 0xo000 permissions and is owned by root.


@danielkrajnik commented on GitHub (Jun 30, 2023):

Thank you for explaining, that makes sense, but in that case I don't know why adding both whitelist and noblacklist options still causes that directory to be blacklisted (owned by root):

whitelist ${RUNUSER}/gnupg/
noblacklist ${RUNUSER}/gnupg/

Is there anything else that may blacklist gnupg? I've been grepping through all files in /etc/firejail and nothing seemed to affect this directory directly.


@felix-walter commented on GitHub (Dec 7, 2023):

Just stumbled upon this and found the following option in the Manpage of firejail.profile:

writable-run-user
              Disable the default blacklisting of run/user/$UID/systemd and /run/user/$UID/gnupg.

Adding this option to the profile solves it for me.

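Pulling the thread's findings together, here is an added diagnostic (not firejail's or GnuPG's code) to run inside `firejail --profile=firefox bash`: it stats the paths a GnuPG smartcard setup touches and maps each result to the mechanism named above (root-owned mode-000 placeholder = blacklist bind-mount, nobody:nobody = noroot, missing /run path = whitelist mode, missing /dev node = private-dev) together with the profile line that undid it in this thread. The path list, uid 65534 for nobody and /dev/bus/usb are my assumptions; the verdicts are pure functions of the stat result so they can be checked on constructed values.

```python
"""Diagnose why gpg/scdaemon cannot see a card inside a firejail sandbox.

Added example, not firejail's or GnuPG's code. Each path is lstat()ed and the
result mapped onto the mechanisms described in this thread: a root/nobody-owned
mode-000 object is firejail's blacklist placeholder, nobody ownership is the
noroot user namespace, a missing /run path means /run is in whitelist mode and
the path was not listed, a missing /dev node means private-dev built a minimal
/dev. Assumptions: uid 65534 for 'nobody', /dev/bus/usb as the CCID reader path.
"""
import os
import stat
from typing import Callable, Dict, List, NamedTuple


class Observation(NamedTuple):
    """lstat() reduced to what the diagnosis needs."""
    exists: bool
    mode: int = 0    # permission bits only, i.e. stat.S_IMODE(st_mode)
    uid: int = -1


BLACKLISTED = "blacklisted"
ROOT_ONLY = "root-only"
NOROOT_OWNED = "noroot-owned"
HIDDEN_RUN = "hidden-by-run-whitelist"
MISSING_DEV = "missing-private-dev"
MISSING = "missing"
ACCESSIBLE = "accessible"
FOREIGN = "present-but-not-yours"
NOBODY_UID = 65534  # conventional; check `id nobody` on the host

# Profile lines the thread converged on, keyed by a substring of the path.
REMEDIES = [
    ("/run/user/", "writable-run-user  # built-in blacklist of ${RUNUSER}/gnupg; noblacklist does not undo it"),
    ("/dev/", "ignore private-dev  # keep the host /dev"),
    ("/usr/libexec", "noblacklist /usr/libexec  # firefox.profile blacklists it"),
    ("/usr/sbin", "noblacklist /usr/sbin  # disable-common.inc blacklists it"),
    ("/usr/share/gnupg", "whitelist /usr/share/gnupg"),
    ("/.gnupg", "noblacklist ~/.gnupg and whitelist ~/.gnupg"),
]


def relevant_paths(home: str, uid: int) -> List[str]:
    """Paths this thread shows gpg --card-status touching (plus /dev/bus/usb, assumed)."""
    runuser = f"/run/user/{uid}"
    return [
        f"{home}/.gnupg",
        f"{runuser}/gnupg",
        f"{runuser}/gnupg/S.gpg-agent",
        "/usr/libexec/scdaemon",
        "/usr/share/gnupg",
        "/dev/bus/usb",
        "/dev/hidraw0",
    ]


def classify(path: str, obs: Observation, my_uid: int, nobody_uid: int = NOBODY_UID) -> str:
    """Map one lstat() result onto the firejail mechanism most likely behind it."""
    if not obs.exists:
        if path.startswith("/run/"):
            return HIDDEN_RUN
        if path.startswith("/dev/"):
            return MISSING_DEV
        return MISSING
    if obs.mode == 0 and obs.uid in (0, nobody_uid):
        return BLACKLISTED   # under noroot the root-owned placeholder shows as nobody
    if obs.uid == nobody_uid:
        return NOROOT_OWNED
    if obs.uid == 0 and (obs.mode & 0o077) == 0:
        return ROOT_ONLY     # how ${RUNUSER}/gnupg looked in polcak's sandbox
    if obs.uid == my_uid and (obs.mode & 0o400):
        return ACCESSIBLE
    return FOREIGN


def remedy(path: str, verdict: str) -> str:
    """Return the profile line from this thread that addressed the verdict, or ''."""
    if verdict in (ACCESSIBLE, FOREIGN):
        return ""
    if verdict == HIDDEN_RUN:
        return f"whitelist {path}  # or: ignore include whitelist-run-common.inc"
    if verdict == NOROOT_OWNED:
        return "ignore noroot  # restores owners; by itself it did not fix the card here"
    for needle, hint in REMEDIES:
        if needle in path:
            return hint
    return "no thread-derived hint for this path"


def observe(path: str) -> Observation:
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return Observation(False)
    return Observation(True, stat.S_IMODE(st.st_mode), st.st_uid)


def diagnose(paths: List[str], my_uid: int,
             observe_fn: Callable[[str], Observation] = observe) -> Dict[str, str]:
    """Classify every path; observe_fn is injectable so the logic can be tested offline."""
    return {p: classify(p, observe_fn(p), my_uid) for p in paths}


if __name__ == "__main__":
    uid = os.getuid()
    for path, verdict in diagnose(relevant_paths(os.path.expanduser("~"), uid), uid).items():
        hint = remedy(path, verdict)
        print(f"{verdict:24} {path}" + (f"  ->  {hint}" if hint else ""))
```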

@mirko commented on GitHub (Jun 25, 2024):

This helped a lot so far and gpg can now access my SmartCard (YubiKey) when firejail'ed.

However the wrapper(-script) cannot. Only gpg in $PATH appears to be able to.

Content of /opt/wrappers/gpg:

#!/bin/sh
# Run gpg against the browserpass-specific homedir; "$@" passes the caller's
# arguments through intact (the original used an unquoted $@).
exec gpg --homedir "${HOME}/.mozilla/firefox/browserpass/gnupg-homedir" "$@"
user@computer:~$ firejail --profile=firefox-esr bash
Reading profile /home/user/.config/firejail/firefox-esr.profile
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/firefox.local
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-proc.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 3013296, child pid 3013300
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: Replacing profile instead of stacking it. It is a legacy behavior that can result in relaxation of the protection. It is here as a temporary measure to unbreak the software that has been broken by switching to the stacking behavior.
Child process initialized in 163.06 ms

user@computer:~$ ls -la /run/user/1000/gnupg
total 0
drwx------  7 user user 240 Jun 25 13:45 .
drwx------ 13 user user 480 Jun 24 19:01 ..
drwx------  2 user user  40 Jun 24 00:53 d.X7
drwx------  2 user user  40 Jun 21 16:14 d.Xk
drwx------  2 user user  40 Jun 25 13:47 d.Xr
drwx------  2 user user  40 Jun 25 03:45 d.Xs
drwx------  2 user user  40 Jun 24 00:53 d.Xy
srw-------  1 user user   0 Jun 12 23:39 S.dirmngr
srw-------  1 user user   0 Jun 12 23:39 S.gpg-agent
srw-------  1 user user   0 Jun 12 23:39 S.gpg-agent.browser
srw-------  1 user user   0 Jun 12 23:39 S.gpg-agent.extra
srw-------  1 user user   0 Jun 12 23:39 S.gpg-agent.ssh

user@computer:~$ /opt/wrappers/gpg --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device

user@computer:~$ /usr/bin/gpg --card-status
gpg: directory '/home/user/.gnupg' created
gpg: keybox '/home/user/.gnupg/pubring.kbx' created
Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
Application ID ...: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: XXXXXXXX
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......: 
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: ed25519 cv25519 ed25519
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
KDF setting ......: on
Signature key ....: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      created ....: 2024-06-22 12:24:21
Encryption key....: YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
      created ....: 2024-06-22 12:26:16
Authentication key: ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
      created ....: 2024-06-22 12:24:36
General key info..: [none]

gpg --homedir ${HOME}/.mozilla/firefox/browserpass/gnupg-homedir --card-status works btw, so it's the wrapper script. I was thinking about AppArmor profiles, but didn't find anything.
