[GH-ISSUE #5095] tutanota-desktop: Cannot start application: Permission denied #2879

Closed
opened 2026-05-05 09:32:22 -06:00 by gitea-mirror · 4 comments

Originally created by @NCLI on GitHub (Apr 6, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5095

Attachment: debug.txt (https://github.com/netblue30/firejail/files/8428946/debug.txt)

Description

The tutanota-desktop client fails to launch using firejail.

Steps to Reproduce

  1. Run in bash LC_ALL=C firejail /usr/bin/tutanota-desktop (LC_ALL=C to get a consistent output in English that can be understood by everybody)
  2. See error Cannot start application: Permission denied

Expected behavior

The tutanota-desktop client window appears

Actual behavior

Fails with error "Cannot start application: Permission denied".

Behavior without a profile

The application launches correctly.

Additional context

The application is installed from the AUR, using the 'tutanota-desktop' package.

Environment

  • Arch Linux
  • firejail version 0.9.68

Checklist

  • [x] The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • [x] I can reproduce the issue without custom modifications (e.g. globals.local).
  • [x] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [x] The profile (and redirect profile if exists) hasn't already been fixed upstream (https://github.com/netblue30/firejail/tree/master/etc).
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).
  • [x] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • [ ] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program

Reading profile /etc/firejail/tutanota-desktop.profile
Reading profile /etc/firejail/disable-shell.inc
Reading profile /etc/firejail/electron.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 249671, child pid 249672
Private /opt installed in 614.39 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping alternatives for private /etc
Warning: skipping crypto-policies for private /etc
Private /etc installed in 44.85 ms
Private /usr/etc installed in 0.01 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: cleaning all supplementary groups
Child process initialized in 848.17 ms
Cannot start application: Permission denied

Parent is shutting down, bye...

Output of LC_ALL=C firejail --debug /path/to/program

See attachment.


@ghost commented on GitHub (Apr 8, 2022):

I think your issue is caused by including disable-shell.inc. The AUR package installs a shell wrapper in /usr/bin/tutanota-desktop and that needs bash. Also, the tutanota-desktop.desktop file installed by the AUR package refers directly to /opt/tutanota-desktop/tutanota-desktop, instead of referring to the wrapper. This could throw off firecfg I suppose. Another issue with the AUR packages IMO is that they don't install /opt/tutanota-desktop/chrome-sandbox as 4755, which cripples the internal sandbox. I've reported this to the AUR maintainer for both tutanota-desktop (https://aur.archlinux.org/packages/tutanota-desktop#comment-860254) and tutanota-desktop-bin (https://aur.archlinux.org/packages/tutanota-desktop-bin#comment-860255). We'll have to wait and see if there's any response.

But IMO you can try the below tutanota-desktop.local to fix things:

# Firejail profile for tutanota-desktop
# Persistent local customizations

## system-wide profile overrides
#+ This is the only option needed to fix your issue IMO.
#+ The rest are extra hardenings/functionality improvements, and you can comment/uncomment them while testing.
include allow-bin-sh.inc

## Might be nice to have access to the below dirs for attachments
ignore include disable-xdg.inc
whitelist ${DOCUMENTS}
whitelist ${MUSIC}
whitelist ${PICTURES}
whitelist ${VIDEOS}

## This isn't included by electron.profile.
include whitelist-run-common.inc

# Uncomment the next line if your kernel allows unprivileged userns clone for extra hardening.
#include chromium-common-hardened.inc.profile

## Drop netlink protocol
protocol unix,inet,inet6
ignore protocol

## Allow access to desktop notifications, keyring and Firefox hyperlink functionality.
dbus-user filter
dbus-user.talk org.freedesktop.Notifications
dbus-user.talk org.freedesktop.secrets
dbus-user.talk org.gnome.keyring.SystemPrompter
dbus-user.talk org.mozilla.Firefox.*
dbus-user.talk org.mozilla.firefox.*
ignore dbus-user none

Can you test on your side if things improve when using the above tutanota-desktop.local? We can make the necessary changes to the profile later if it works. I only installed the package and it starts correctly, but I don't have any actual account to properly test it. Would be nice if you could check if all the basic functionality is working as expected.

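The two conditions the comment above points at (a shell-script wrapper at the program path while the profile chain includes disable-shell.inc without allow-bin-sh.inc, and a chrome-sandbox that is not mode 4755) can be checked before editing the profile. The script below is an added example, not part of firejail or of this thread; it builds a fake profile directory and wrapper in a temporary directory, so the paths are constructed and not the real /etc/firejail or /usr/bin.

```shell
#!/bin/sh
# Added diagnostic (not from firejail or the issue): detect the conditions
# @ghost describes, run against a constructed demo tree.

# Print every profile reached through "include" lines, starting at $2 in dir $1.
# "ignore include ..." lines are skipped because they do not start with "include".
profile_chain() {
    [ -f "$1/$2" ] || return 0          # a missing .local file is normal
    echo "$2"
    grep -E '^include ' "$1/$2" | awk '{print $2}' | while read -r inc; do
        profile_chain "$1" "$inc"
    done
}

# 0 when the program is a "#!" script and the chain pulls in disable-shell.inc
# without allow-bin-sh.inc (the mismatch behind "Permission denied"); 1 otherwise.
shell_wrapper_blocked() {
    head -c 2 "$1" | grep -q '^#!' || return 1
    chain=$(profile_chain "$2" "$3")
    echo "$chain" | grep -qx 'disable-shell.inc' || return 1
    echo "$chain" | grep -qx 'allow-bin-sh.inc' && return 1
    return 0
}

# 0 when chrome-sandbox exists but lacks the setuid 4755 mode (GNU stat assumed).
sandbox_mode_wrong() {
    [ -f "$1" ] || return 1
    [ "$(stat -c %a "$1")" != "4755" ]
}

# Constructed demo tree mirroring the AUR layout from the report (fake paths).
demo=$(mktemp -d)
mkdir -p "$demo/bin" "$demo/etc" "$demo/opt"
printf '#!/bin/sh\nexec %s/opt/tutanota-desktop "$@"\n' "$demo" > "$demo/bin/tutanota-desktop"
chmod 755 "$demo/bin/tutanota-desktop"
: > "$demo/opt/chrome-sandbox"; chmod 755 "$demo/opt/chrome-sandbox"
printf 'include tutanota-desktop.local\ninclude disable-shell.inc\ninclude electron.profile\n' \
    > "$demo/etc/tutanota-desktop.profile"
printf 'include disable-common.inc\n' > "$demo/etc/electron.profile"
: > "$demo/etc/disable-shell.inc"; : > "$demo/etc/disable-common.inc"
: > "$demo/etc/allow-bin-sh.inc"

if shell_wrapper_blocked "$demo/bin/tutanota-desktop" "$demo/etc" tutanota-desktop.profile; then
    echo "shell wrapper blocked: add 'include allow-bin-sh.inc' to tutanota-desktop.local"
fi
if sandbox_mode_wrong "$demo/opt/chrome-sandbox"; then
    echo "chrome-sandbox is not mode 4755: the internal sandbox will be crippled"
fi
```

Writing `include allow-bin-sh.inc` into the demo's tutanota-desktop.local makes the first check pass, which is exactly the change the .local above proposes.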

@ghost commented on GitHub (Apr 15, 2022):

UPDATE: the maintainer of the AUR packages has implemented proposed fixes and the latest tutanota-desktop package now symlinks /opt/tutanota-desktop/tutanota-desktop in /usr/bin/tutanota-desktop (https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=tutanota-desktop#n52). So things should work again without including allow-bin-sh.inc.


@ghost commented on GitHub (Apr 24, 2022):

@NCLI Do you still have this issue with the latest tutanota-desktop package?


@ghost commented on GitHub (May 4, 2022):

Closing here due to inactivity. Issue should be solved anyway.
