[GH-ISSUE #5086] palemoon: cannot open meeting links in Teams desktop app

gitea-mirror commented

2026-05-05 09:32:00 -06:00

Owner

Originally created by @GFNIAE on GitHub (Mar 31, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5086

Description

On antiX 21 (debian 11 based), fluxbox desktop, firejail version 0.9.64.4.
I use palemoon (29.4.4) as a browser and teams desktop application (1.3). I need that when I click a teams meeting link in the browser, it is opened by teams desktop app. This is what happens when palemoon is not firejailed.

But it does not happen as soon as you use a network namespace (--net=eth0 or wlan0)

Steps to Reproduce

Run firejail --net=eth0 palemoon
Click on a teams meeting link in palemoon browser

Expected behavior

Teams desktop app pops up and let you connect to the meeting

Actual behavior

Teams desktop app DOES NOT pop up and let you connect to the meeting

Error with dbus are displayed with no palemoon.local file, about /run/firejail/mnt/dbus/user not being allowed.
No error is displayed with "ignore nogroups" in a palemoon.local file (but teams does not pop up either)

Additional context

I tried ignore dbus-user none, ignore disable-mnt, whitelist /run/firejail/mnt/dbus/user with no luck.

Checklist

The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
I can reproduce the issue without custom modifications (e.g. globals.local).
The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
[?] The profile (and redirect profile if exists) hasn't already been fixed upstream.
I have performed a short search for similar issues (to avoid opening a duplicate).
- I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
[-] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Originally created by @GFNIAE on GitHub (Mar 31, 2022). Original GitHub issue: https://github.com/netblue30/firejail/issues/5086 ### Description On antiX 21 (debian 11 based), fluxbox desktop, firejail version 0.9.64.4. I use palemoon (29.4.4) as a browser and teams desktop application (1.3). I need that when I click a teams meeting link in the browser, it is opened by teams desktop app. This is what happens when palemoon is not firejailed. But it does not happen as soon as you use a network namespace (--net=eth0 or wlan0) ### Steps to Reproduce Run firejail --net=eth0 palemoon Click on a teams meeting link in palemoon browser ### Expected behavior Teams desktop app pops up and let you connect to the meeting ### Actual behavior Teams desktop app DOES NOT pop up and let you connect to the meeting Error with dbus are displayed with no palemoon.local file, about /run/firejail/mnt/dbus/user not being allowed. No error is displayed with "ignore nogroups" in a palemoon.local file (but teams does not pop up either) ### Additional context I tried ignore dbus-user none, ignore disable-mnt, whitelist /run/firejail/mnt/dbus/user with no luck. ### Checklist - [x] The issues is caused by firejail (i.e. running the program by path (e.g. `/usr/bin/vlc`) "fixes" it). - [x] I can reproduce the issue without custom modifications (e.g. globals.local). - [x] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`) - [?] The profile (and redirect profile if exists) hasn't already been fixed [upstream](https://github.com/netblue30/firejail/tree/master/etc). - [x] I have performed a short search for similar issues (to avoid opening a duplicate). - [x] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers. - [-] I used `--profile=PROFILENAME` to set the right profile. (Only relevant for AppImages)

gitea-mirror added the

sandbox-ipc

label 2026-05-05 09:32:00 -06:00

gitea-mirror commented

2026-05-05 09:32:01 -06:00

Author

Owner

@ghost commented on GitHub (Apr 1, 2022):

Never used palemoon but I notice that our profile for it doesn't use any D-Bus filtering like we do in firefox.profile. What happens when you add those same filtering rules in your palemoon.local? For testing you can copy that block verbatim like below. Check with an app like d-feet what specific D-Bus address palemoon uses by default, I just assume it uses the same one as 'regular' Firefox from Mozilla here. If this works we can start checking if palemoon needs anything more specific later.

dbus-user filter
dbus-user.own org.mozilla.Firefox.*
dbus-user.own org.mozilla.firefox.*
dbus-user.own org.mpris.MediaPlayer2.firefox.*
# Add the next line to your firefox.local to enable native notifications.
#dbus-user.talk org.freedesktop.Notifications
# Add the next line to your firefox.local to allow inhibiting screensavers.
#dbus-user.talk org.freedesktop.ScreenSaver
# Add the next lines to your firefox.local for plasma browser integration.
#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
#dbus-user.talk org.kde.JobViewServer
#dbus-user.talk org.kde.kuiserver
# Add the next line to your firefox.local to allow screen sharing under wayland.
#dbus-user.talk org.freedesktop.portal.Desktop
# Add the next line to your firefox.local if screen sharing sharing still does not work
# with the above lines (might depend on the portal implementation).
#ignore noroot
ignore dbus-user none

@ghost commented on GitHub (Apr 1, 2022): Never used palemoon but I notice that our profile for it doesn't use any D-Bus filtering like we do in [firefox.profile](https://github.com/netblue30/firejail/blob/master/etc/profile-a-l/firefox.profile#L49-L66). What happens when you add those same filtering rules in your `palemoon.local`? For testing you can copy that block verbatim like below. Check with an app like [d-feet](https://wiki.gnome.org/Apps/DFeet) what specific D-Bus address palemoon uses by default, I just assume it uses the same one as 'regular' Firefox from Mozilla here. If this works we can start checking if palemoon needs anything more specific later. ``` dbus-user filter dbus-user.own org.mozilla.Firefox.* dbus-user.own org.mozilla.firefox.* dbus-user.own org.mpris.MediaPlayer2.firefox.* # Add the next line to your firefox.local to enable native notifications. #dbus-user.talk org.freedesktop.Notifications # Add the next line to your firefox.local to allow inhibiting screensavers. #dbus-user.talk org.freedesktop.ScreenSaver # Add the next lines to your firefox.local for plasma browser integration. #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration #dbus-user.talk org.kde.JobViewServer #dbus-user.talk org.kde.kuiserver # Add the next line to your firefox.local to allow screen sharing under wayland. #dbus-user.talk org.freedesktop.portal.Desktop # Add the next line to your firefox.local if screen sharing sharing still does not work # with the above lines (might depend on the portal implementation). #ignore noroot ignore dbus-user none ```

gitea-mirror commented

2026-05-05 09:32:02 -06:00

Author

Owner

@ghost commented on GitHub (Apr 1, 2022):

UPDATE: just installed palemoon to check how it acts when running firejailed. Forget the above, IMO the problem might be in the teams.profile. I didn't check that properly, but it has a comment '# Disabled until someone reported positive feedback' and (amongst other options) disables including whitelist-runuser-common.inc. Try including that in a teams.local:

ignore ignore include whitelist-runuser-common.inc

The double ignore isn't a typo. Just a (clumsy) way to undo what is ignored in teams.profile. You could enable the other 'unconfirmed' options too, but whitelist-runuser-common.inc is the important one in this context, as it whitelists ${RUNUSER}/bus.

@ghost commented on GitHub (Apr 1, 2022): UPDATE: just installed palemoon to check how it acts when running firejailed. Forget the above, IMO the problem might be in the [teams.profile](https://github.com/netblue30/firejail/blob/master/etc/profile-m-z/teams.profile#L9-L14). I didn't check that properly, but it has a comment '# Disabled until someone reported positive feedback' and (amongst other options) disables including `whitelist-runuser-common.inc`. Try including that in a `teams.local`: ``` ignore ignore include whitelist-runuser-common.inc ``` The double `ignore` isn't a typo. Just a (clumsy) way to undo what is ignored in teams.profile. You could enable the other 'unconfirmed' options too, but whitelist-runuser-common.inc is the important one in this context, as it whitelists ${RUNUSER}/bus.

gitea-mirror commented

2026-05-05 09:32:03 -06:00

Author

Owner

@GFNIAE commented on GitHub (Apr 1, 2022):

Hello and thanks for your help,
I don't use firejail for teams - so here we deal with a firejail - palemoon issue.

I installed d-feet and could see some dbus interfaces associated with "palemoon":

dbus-user.talk com.canonical.dbusmenu
dbus-user.own org.gtk.gio.DesktopAppInfo
dbus-user.talk org.gnome.GConf.Database
dbus-user.talk org.gnome.GConf.Server
dbus-user.talk org.freedesktop.DBus.*

But what looks strange is that when I add in palemoon.local:

ignore dbus-user none
dbus-user filter

I get a firejail error: "DBus user socket was not found."

@GFNIAE commented on GitHub (Apr 1, 2022): Hello and thanks for your help, I don't use firejail for teams - so here we deal with a firejail - palemoon issue. I installed d-feet and could see some dbus interfaces associated with "palemoon": ``` dbus-user.talk com.canonical.dbusmenu dbus-user.own org.gtk.gio.DesktopAppInfo dbus-user.talk org.gnome.GConf.Database dbus-user.talk org.gnome.GConf.Server dbus-user.talk org.freedesktop.DBus.* ``` But what looks strange is that when I add in palemoon.local: ``` ignore dbus-user none dbus-user filter ``` I get a firejail error: "DBus user socket was not found."

gitea-mirror commented

2026-05-05 09:32:04 -06:00

Author

Owner

@rusty-snake commented on GitHub (Apr 1, 2022):

I get a firejail error : "DBus user socket was not found."

Make sure your environment is setup correctly. #3769

@rusty-snake commented on GitHub (Apr 1, 2022): > I get a firejail error : "DBus user socket was not found." Make sure your environment is setup correctly. #3769

gitea-mirror commented

2026-05-05 09:32:05 -06:00

Author

Owner

@ghost commented on GitHub (Apr 1, 2022):

On antiX 21 (debian 11 based), fluxbox desktop, firejail version 0.9.64.4.

Firejail 0.9.64.4 is over a year old now. Check if you can install the latest stable release.

@ghost commented on GitHub (Apr 1, 2022): > On antiX 21 (debian 11 based), fluxbox desktop, firejail version 0.9.64.4. Firejail 0.9.64.4 is over a year old now. Check if you can [install](https://github.com/netblue30/firejail#installing) the [latest stable release](https://github.com/netblue30/firejail/releases/tag/0.9.68).

gitea-mirror commented

2026-05-05 09:32:06 -06:00

Author

Owner

@GFNIAE commented on GitHub (Apr 4, 2022):

Hello,

I installed last stable Firejail 0.9.68 (through manual download and dpkg -i)
Thanks rusty-snake for the link. It seems the very same issue but I did not succeed in "unlocking" the link between (sandboxed) palemoon and (not sandboxed) teams :

as exposed in the #3769 issue, I had no DBUS_SESSION_BUS_ADDRESS set.
however in ~/.dbus/session-bus I can see a lot of files with ugly numbers as a name, and inside lines like these :

# This file allows processes on the machine with id 2ba77152071c9e4rt174fb156238c127 using 
# display :0.0 to find the D-Bus session bus with the below address.
# If the `DBUS_SESSION_BUS_ADDRESS` environment variable is set, it will
# be used rather than this file.
# See "man dbus-launch" for more details.
DBUS_SESSION_BUS_ADDRESS='unix:abstract=/tmp/dbus-RB9sf4D5bS,guid=eead5644820cd62d334e874f624ac762'
DBUS_SESSION_BUS_PID=3976
DBUS_SESSION_BUS_WINDOWID=8388609

I checked my startup scripts. Under antiX there is a ~/.desktop-session file, in which there are some preconfigured options. Among them :

#Session load of dbus-launch
#This will make it possible to start a session bus instance of dbus-daemon with the window manager
#Options: true | false
DBUS_SESSION_LAUNCH="false"

I set this option to "true". As a consequence I have now a non empty DBUS_SESSION_BUS_ADDRESS in my session (I guess this last option lets execute some kind of :
source ~/.dbus/session-bus/more-recent-file && export DBUS_SESSION_BUS_ADDRESS).

However even with this change, firejail palemoon does not allow to call teams from a link in palemoon.
There is no written error in the shell, it just does not work.
When I check firejail --audit palemoon, I can see there is a DBUS_SESSION_BUS_ADDRESS env variable not empty and readable from the sandbox.
I tried without any palemoon.local, as well as with such a file and various options (ignore nogroups, ignore noroot, noblacklist+whitelist ${HOME}/.config/teams, noblacklist+whitelist ${HOME}/.config/Microsoft...)

Have you got any clue about what I could check/try ?

@GFNIAE commented on GitHub (Apr 4, 2022): Hello, 1. I installed last stable Firejail 0.9.68 (through manual download and `dpkg -i`) 2. Thanks rusty-snake for the link. It seems the very same issue but I did not succeed in "unlocking" the link between (sandboxed) palemoon and (not sandboxed) teams : - as exposed in the #3769 issue, I had no `DBUS_SESSION_BUS_ADDRESS` set. - however in ~/.dbus/session-bus I can see a lot of files with ugly numbers as a name, and inside lines like these : ```sh # This file allows processes on the machine with id 2ba77152071c9e4rt174fb156238c127 using # display :0.0 to find the D-Bus session bus with the below address. # If the `DBUS_SESSION_BUS_ADDRESS` environment variable is set, it will # be used rather than this file. # See "man dbus-launch" for more details. DBUS_SESSION_BUS_ADDRESS='unix:abstract=/tmp/dbus-RB9sf4D5bS,guid=eead5644820cd62d334e874f624ac762' DBUS_SESSION_BUS_PID=3976 DBUS_SESSION_BUS_WINDOWID=8388609 ``` - I checked my startup scripts. Under antiX there is a ~/.desktop-session file, in which there are some preconfigured options. Among them : ```sh #Session load of dbus-launch #This will make it possible to start a session bus instance of dbus-daemon with the window manager #Options: true | false DBUS_SESSION_LAUNCH="false" ``` I set this option to "true". As a consequence I have now a non empty `DBUS_SESSION_BUS_ADDRESS` in my session (I guess this last option lets execute some kind of : `source ~/.dbus/session-bus/more-recent-file && export DBUS_SESSION_BUS_ADDRESS`). However even with this change, `firejail palemoon` does not allow to call teams from a link in palemoon. There is no written error in the shell, it just does not work. When I check `firejail --audit palemoon`, I can see there is a `DBUS_SESSION_BUS_ADDRESS` env variable not empty and readable from the sandbox. I tried without any palemoon.local, as well as with such a file and various options (ignore nogroups, ignore noroot, noblacklist+whitelist ${HOME}/.config/teams, noblacklist+whitelist ${HOME}/.config/Microsoft...) Have you got any clue about what I could check/try ?

gitea-mirror commented

2026-05-05 09:32:07 -06:00

Author

Owner

@GFNIAE commented on GitHub (Apr 4, 2022):

Hello,
I just checked with chromium : same results. A teams link is open on teams app if chromium is launched without firejail. It fails if chromium is sandboxed, without any dbus-related errors displayed.

@GFNIAE commented on GitHub (Apr 4, 2022): Hello, I just checked with chromium : same results. A teams link is open on teams app if chromium is launched without firejail. It fails if chromium is sandboxed, without any dbus-related errors displayed.

gitea-mirror commented

2026-05-05 09:32:07 -06:00

Author

Owner

@GFNIAE commented on GitHub (Apr 4, 2022):

I could check something else : the issue arises with or without --net option. It seems not to be linked with network namespace.

@GFNIAE commented on GitHub (Apr 4, 2022): I could check something else : the issue arises with or without --net option. It seems not to be linked with network namespace.

Rows
Columns

[GH-ISSUE #5086] palemoon: cannot open meeting links in Teams desktop app #2874

Description

Steps to Reproduce

Expected behavior

Actual behavior

Additional context

Checklist