[GH-ISSUE #5081] Firefox DRM broken when using profile-sync-daemon because noexec is ignored #2873

Closed
opened 2026-05-05 09:32:00 -06:00 by gitea-mirror · 2 comments

Originally created by @seonwoolee on GitHub (Mar 29, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5081

Description

When using Arch Linux's profile-sync-daemon (in overlay mode) and running Firefox in firejail, DRM video from Hulu does not play because the WidevineCDM crashes. I've enabled browser-allow-drm in /etc/firejail/firejail.config and with profile-sync-daemon disabled, it works fine.

If I use ignore noexec while using psd, it works fine. So there's something that needs exec permissions. But I don't want an unconditional ignore noexec. I've tried the following in firefox.local, all unsuccessfully (I have a separate Firefox profile for Hulu):

noblacklist ${RUNUSER}/*firefox*
whitelist ${RUNUSER}/*firefox*
ignore noexec ${RUNUSER}/*firefox*
ignore noexec /run/user/1000/seonwoo-firefox-Hulu
ignore noexec /run/user/1000/seonwoo-firefox-Hulu-rw
ignore noexec /run/user/1000/.seonwoo-firefox-Hulu

In my globals.local I added blacklist ${RUNUSER}/*firefox*

If I run firejail with debug, with the above noexec lines in firefox.local, I confusingly still get this

Mounting noexec /run/user/1000/.seonwoo-firefox-Hulu
12114 12028 0:73 /.seonwoo-firefox-Hulu /run/user/1000/.seonwoo-firefox-Hulu rw,nosuid,nodev,noexec,relatime master:552 - tmpfs tmpfs rw,size=6560744k,nr_inodes=1640186,mode=700,uid=1000,gid=100,inode64
mountid=12114 fsname=/.seonwoo-firefox-Hulu dir=/run/user/1000/.seonwoo-firefox-Hulu fstype=tmpfs
Mounting noexec /run/user/1000/seonwoo-firefox-Hulu-rw
12115 12030 0:73 /seonwoo-firefox-Hulu-rw /run/user/1000/seonwoo-firefox-Hulu-rw rw,nosuid,nodev,noexec,relatime master:552 - tmpfs tmpfs rw,size=6560744k,nr_inodes=1640186,mode=700,uid=1000,gid=100,inode64
mountid=12115 fsname=/seonwoo-firefox-Hulu-rw dir=/run/user/1000/seonwoo-firefox-Hulu-rw fstype=tmpfs
Mounting noexec /run/user/1000/seonwoo-firefox-Hulu
12116 12032 0:139 / /run/user/1000/seonwoo-firefox-Hulu rw,nosuid,nodev,noexec,relatime master:735 - overlay overlaid rw,lowerdir=/home/seonwoo/.mozilla/firefox/Hulu-backup,upperdir=/run/user/1000/seonwoo-firefox-Hulu-rw,workdir=/run/user/1000/.seonwoo-firefox-Hulu
mountid=12116 fsname=/ dir=/run/user/1000/seonwoo-firefox-Hulu fstype=overlay

Steps to Reproduce

  1. Install and enable profile-sync-daemon for Firefox
  2. Enable browser drm in firejail.config
  3. Attempt to playback video from Hulu

Expected behavior

Video from Hulu plays

Actual behavior

WidevineCDM crashes

Behavior without a profile

Works perfectly. Even works perfectly with firejail, just not while using profile-sync-daemon

Additional context

Environment

  • Arch Linux
  • Firejail version 0.9.68

Checklist

  • [x] The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • [x] I can reproduce the issue without custom modifications (e.g. globals.local).
  • [x] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [x] The profile (and redirect profile if exists) hasn't already been fixed upstream (https://github.com/netblue30/firejail/tree/master/etc).
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).
  • [x] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • [ ] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program

Reading profile /etc/firejail/firefox.profile
Reading profile /home/seonwoo/.config/firejail/firefox.local
Reading profile /home/seonwoo/.config/firejail/globals.local
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /home/seonwoo/.config/firejail/firefox-common.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-proc.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 2239994, child pid 2239997

Interface        MAC                IP               Mask             Status
lo                                  127.0.0.1        255.0.0.0        UP    
eth0-2239994     d2:d1:41:a9:65:67  192.168.35.147   255.255.255.0    UP    
Default gateway 192.168.35.1
DNS server 10.8.8.1

Warning: cannot find /var/run/utmp
8 programs installed in 20.88 ms
Warning: skipping firefox for private /etc
Warning: skipping alternatives for private /etc
Warning: skipping asound.conf for private /etc
Warning: skipping crypto-policies for private /etc
Warning: skipping pango for private /etc
Warning: skipping pki for private /etc
Warning: skipping selinux for private /etc
Private /etc installed in 32.56 ms
Warning: skipping firefox for private /usr/etc
Warning: skipping alternatives for private /usr/etc
Warning: skipping asound.conf for private /usr/etc
Warning: skipping ca-certificates for private /usr/etc
Warning: skipping crypto-policies for private /usr/etc
Warning: skipping dconf for private /usr/etc
Warning: skipping fonts for private /usr/etc
Warning: skipping group for private /usr/etc
Warning: skipping gtk-2.0 for private /usr/etc
Warning: skipping gtk-3.0 for private /usr/etc
Warning: skipping hostname for private /usr/etc
Warning: skipping hosts for private /usr/etc
Warning: skipping ld.so.cache for private /usr/etc
Warning: skipping ld.so.conf for private /usr/etc
Warning: skipping ld.so.conf.d for private /usr/etc
Warning: skipping ld.so.preload for private /usr/etc
Warning: skipping localtime for private /usr/etc
Warning: skipping machine-id for private /usr/etc
Warning: skipping mailcap for private /usr/etc
Warning: skipping mime.types for private /usr/etc
Warning: skipping nsswitch.conf for private /usr/etc
Warning: skipping pango for private /usr/etc
Warning: skipping passwd for private /usr/etc
Warning: skipping pki for private /usr/etc
Warning: skipping pulse for private /usr/etc
Warning: skipping resolv.conf for private /usr/etc
Warning: skipping selinux for private /usr/etc
Warning: skipping ssl for private /usr/etc
Warning: skipping X11 for private /usr/etc
Warning: skipping xdg for private /usr/etc
Private /usr/etc installed in 0.15 ms
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: NVIDIA card detected, nogroups command ignored
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Child process initialized in 1374.34 ms

###!!! [Parent][PGMPParent] Error: SendAndWait(msgname=PGMP::Msg_StartPlugin) Channel error: cannot send/recv


###!!! [Parent][PGMPParent] Error: Send(msgname=PGMP::Msg_InitProfiler) Channel error: cannot send/recv


###!!! [Parent][PGMPParent] Error: RunMessage(msgname=PGMP::Msg_InitCrashReporter) Channel error: cannot send/recv


###!!! [Parent][PGMPParent] Error: SendAndWait(msgname=PGMP::Msg_StartPlugin) Channel error: cannot send/recv


###!!! [Parent][PGMPParent] Error: RunMessage(msgname=PGMP::Msg_InitCrashReporter) Channel error: cannot send/recv


###!!! [Parent][PGMPParent] Error: Send(msgname=PGMP::Msg_InitProfiler) Channel error: cannot send/recv


###!!! [Parent][PImageBridgeParent] Error: RunMessage(msgname=PImageBridge::Msg_WillClose) Channel closing: too late to send/recv, messages will be lost


Parent is shutting down, bye...

The debug log is too long for a comment (exceeds 65536 characters), but this part seems relevant

Output of LC_ALL=C firejail --debug /path/to/program

Mounting noexec /run/user/1000/.seonwoo-firefox-Hulu
12114 12028 0:73 /.seonwoo-firefox-Hulu /run/user/1000/.seonwoo-firefox-Hulu rw,nosuid,nodev,noexec,relatime master:552 - tmpfs tmpfs rw,size=6560744k,nr_inodes=1640186,mode=700,uid=1000,gid=100,inode64
mountid=12114 fsname=/.seonwoo-firefox-Hulu dir=/run/user/1000/.seonwoo-firefox-Hulu fstype=tmpfs
Mounting noexec /run/user/1000/seonwoo-firefox-Hulu-rw
12115 12030 0:73 /seonwoo-firefox-Hulu-rw /run/user/1000/seonwoo-firefox-Hulu-rw rw,nosuid,nodev,noexec,relatime master:552 - tmpfs tmpfs rw,size=6560744k,nr_inodes=1640186,mode=700,uid=1000,gid=100,inode64
mountid=12115 fsname=/seonwoo-firefox-Hulu-rw dir=/run/user/1000/seonwoo-firefox-Hulu-rw fstype=tmpfs
Mounting noexec /run/user/1000/seonwoo-firefox-Hulu
12116 12032 0:139 / /run/user/1000/seonwoo-firefox-Hulu rw,nosuid,nodev,noexec,relatime master:735 - overlay overlaid rw,lowerdir=/home/seonwoo/.mozilla/firefox/Hulu-backup,upperdir=/run/user/1000/seonwoo-firefox-Hulu-rw,workdir=/run/user/1000/.seonwoo-firefox-Hulu
mountid=12116 fsname=/ dir=/run/user/1000/seonwoo-firefox-Hulu fstype=overlay

gitea-mirror 2026-05-05 09:32:00 -06:00 closed this issue and added the notabug label

@rusty-snake commented on GitHub (Mar 29, 2022):

> ignore noexec ${RUNUSER}/*firefox*
> ignore noexec /run/user/1000/seonwoo-firefox-Hulu
> ignore noexec /run/user/1000/seonwoo-firefox-Hulu-rw
> ignore noexec /run/user/1000/.seonwoo-firefox-Hulu

None of them is ever noexeced.

Look at disable-exec.inc to find the noexec you need to ignore:

https://github.com/netblue30/firejail/blob/73756b41b91e2a0e26e5044e79b9dd6c972b5f28/etc/inc/disable-exec.inc#L6

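The reporter's `ignore noexec <path>` lines target the psd mount paths, while the comment above points at the directive in disable-exec.inc as the thing that has to be ignored. As an added diagnostic, not code from the firejail project or from either commenter, the script below reads the mountinfo lines that `firejail --debug` printed in the issue, lists which mounts under ${RUNUSER} the kernel reports as noexec, and then looks through a profile include for the `noexec` directive whose expanded path covers each of them. The disable-exec.inc text embedded here is a constructed sample (read the real file on your system), and modelling firejail's `ignore` as "skip any profile line whose text starts with the ignore argument, before ${VAR} expansion" is an assumption of this example.

```python
"""Which firejail noexec directive covers a psd mount, and would a given
`ignore` line actually cancel it?  Added example, not firejail code.
Assumptions: the disable-exec.inc text is a constructed sample (read the
real file on your system); firejail's `ignore X` is modelled as "skip any
profile line whose text starts with X", before ${VAR} expansion."""

# Constructed sample of a disable-exec.inc include (not the shipped file).
SAMPLE_DISABLE_EXEC_INC = """\
# constructed sample, not the shipped file
include disable-exec.local

noexec ${HOME}
noexec ${RUNUSER}
noexec /dev/shm
noexec /tmp
"""

# Two mountinfo lines copied from the issue's `firejail --debug` output.
SAMPLE_MOUNTINFO = """\
12114 12028 0:73 /.seonwoo-firefox-Hulu /run/user/1000/.seonwoo-firefox-Hulu rw,nosuid,nodev,noexec,relatime master:552 - tmpfs tmpfs rw,size=6560744k,nr_inodes=1640186,mode=700,uid=1000,gid=100,inode64
12116 12032 0:139 / /run/user/1000/seonwoo-firefox-Hulu rw,nosuid,nodev,noexec,relatime master:735 - overlay overlaid rw,lowerdir=/home/seonwoo/.mozilla/firefox/Hulu-backup,upperdir=/run/user/1000/seonwoo-firefox-Hulu-rw,workdir=/run/user/1000/.seonwoo-firefox-Hulu
"""

# The `ignore` lines the reporter tried in firefox.local (argument part only).
ATTEMPTED_IGNORES = [
    "noexec ${RUNUSER}/*firefox*",
    "noexec /run/user/1000/seonwoo-firefox-Hulu",
    "noexec /run/user/1000/seonwoo-firefox-Hulu-rw",
    "noexec /run/user/1000/.seonwoo-firefox-Hulu",
]


def parse_mountinfo(text):
    """Map mount point -> set of per-mount options (mountinfo fields 5 and 6)."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 6:
            mounts[fields[4]] = set(fields[5].split(","))
    return mounts


def _under(path, prefix):
    """True if `path` equals `prefix` or lies somewhere below it."""
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def noexec_mounts_under(mountinfo_text, prefix):
    """Mount points below `prefix` that the kernel reports as noexec."""
    return sorted(mp for mp, opts in parse_mountinfo(mountinfo_text).items()
                  if "noexec" in opts and _under(mp, prefix))


def expand(path, variables):
    """Expand firejail-style ${NAME} macros using the given mapping."""
    for name, value in variables.items():
        path = path.replace("${" + name + "}", value)
    return path


def covering_noexec_directives(profile_text, mount_point, variables):
    """Verbatim `noexec` lines whose expanded path is the mount point or a parent of it."""
    hits = []
    for raw in profile_text.splitlines():
        line = raw.strip()
        if line.startswith("noexec ") and _under(mount_point, expand(line.split(None, 1)[1], variables)):
            hits.append(line)
    return hits


def ignore_matches(directive_line, ignore_arg):
    """Assumed model of `ignore`: the argument is a textual prefix of the directive line."""
    return directive_line.startswith(ignore_arg)


def diagnose(profile_text, mountinfo_text, uid, home, attempted_ignores):
    """For each noexec mount under ${RUNUSER}: the directive(s) responsible and which
    of the attempted `ignore` arguments would actually cancel them."""
    variables = {"RUNUSER": "/run/user/%d" % uid, "HOME": home}
    report = {}
    for mp in noexec_mounts_under(mountinfo_text, variables["RUNUSER"]):
        directives = covering_noexec_directives(profile_text, mp, variables)
        effective = [arg for arg in attempted_ignores
                     if any(ignore_matches(d, arg) for d in directives)]
        report[mp] = {"directives": directives, "effective_ignores": effective}
    return report


if __name__ == "__main__":
    for mp, info in diagnose(SAMPLE_DISABLE_EXEC_INC, SAMPLE_MOUNTINFO, 1000,
                             "/home/seonwoo", ATTEMPTED_IGNORES).items():
        print(mp)
        print("  noexec comes from:", info["directives"])
        print("  attempted ignores that would cancel it:", info["effective_ignores"] or "none")
```

Run against the issue's own data, the report shows that every psd mount is covered by the single directive `noexec ${RUNUSER}` in the sample include, and that none of the four attempted `ignore` arguments is a prefix of that directive's text, which is why they had no effect. Under the prefix model a bare `ignore noexec` cancels every noexec line at once (the blanket change the reporter wanted to avoid), and an `ignore` naming the exact directive cancels exactly that one; either way the exec permission comes back for the whole expanded path, not just the psd overlay, so the script is useful mainly for making visible how wide the resulting exception is before you commit it to a .local file.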

@seonwoolee commented on GitHub (Mar 29, 2022):

Gotcha. Thanks
