github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #5246] google-chrome: real home is accessible with --private= (dbus) #2934

New issue
Closed
opened 2026-05-05 09:35:43 -06:00 by gitea-mirror · 6 comments
gitea-mirror commented 2026-05-05 09:35:43 -06:00
Owner
Copy link

Originally created by @lukypko on GitHub (Jul 12, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5246

Description

google-chrome is able to access file list when using --private=FOLDER option

Steps to Reproduce

  • download a google-chrome-stable_current_amd64.deb from https://google.com web page
  • install it using dpkg -i google-chrome-stable_current_amd64.deb
  • mkdir -p ~/temp/youtube (can be any folder, but I used this one)
  • cd ~/temp/youtube
  • no other google-chrome instances are running; ps aux|grep -i chrom[e]|wc -l = 0
  • run firejail --private=$(pwd) --noprofile /usr/bin/google-chrome-stable
  • in a running google-chrome press CTRL+O (to open a file dialog)
  • you can see list of files in your home directory and recently opened files (which is wrong)
  • when you try to open some file (for example image/txt/pdf file), error in google-chrome is showed:
    "Your file couldn’t be accessed,
    It may have been moved, edited, or deleted.,
    ERR_FILE_NOT_FOUND"
  • so files are not readable which is correct behavior

Expected behavior

When specify a command line option --private=$FOLDER, then only files from a $FOLDER should be visible in a $HOME folder, "recently opened files should be only from $FOLDER (if there were some files opened previously)

It looks like the issue is in "open file dialog" which have access to all files in my $HOME folder

Actual behavior

When specify a command line option --private=$FOLDER, then all files from $HOME folder are visible in "open file dialog" and I can select a file. google chrome then display an error that file is not readable
When trying to upload some file to virustotal, then file is uploaded successfully, but file size is 0 bytes (just to check whether it is possible read and upload a file using a javascript)

When open home folder as a URL in a google-chrome so /home/luky in my case, I see just expected content of my $FOLDER file, so this works correctly too

Running without any profiles

firejail --private=`pwd`  --noprofile /usr/bin/google-chrome-stable
Parent pid 3458157, child pid 3458158
Child process initialized in 35.11 ms
[4:109:0712/112101.841338:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.DBus.Properties.Get: object_path= /org/freedesktop/UPower: org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.UPower was not provided by any .service files
[4:109:0712/112101.841744:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.UPower.GetDisplayDevice: object_path= /org/freedesktop/UPower: org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.UPower was not provided by any .service files
[4:109:0712/112101.842103:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.UPower.EnumerateDevices: object_path= /org/freedesktop/UPower: org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.UPower was not provided by any .service files
Fontconfig error: Cannot load default config file: No such file: (null)

Running using an existing profiles

firejail --private=`pwd` /usr/bin/google-chrome-stable
Reading profile /etc/firejail/google-chrome-stable.profile
Reading profile /etc/firejail/google-chrome.profile
Reading profile /etc/firejail/chromium-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 3460196, child pid 3460197
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Child process initialized in 611.12 ms
[4:38:0712/120310.381051:ERROR:bus.cc(398)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[4:38:0712/120310.381297:ERROR:bus.cc(398)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[4:107:0712/120310.967129:ERROR:bus.cc(398)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[4:107:0712/120310.967196:ERROR:bus.cc(398)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[4:107:0712/120310.967274:ERROR:bus.cc(398)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[4:107:0712/120310.969111:ERROR:bus.cc(398)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[4:107:0712/120310.969213:ERROR:bus.cc(398)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
Fontconfig error: Cannot load default config file: No such file: (null)

Parent is shutting down, bye...
  • the issue is that google-chrome is able to get a list of files and traverse a whole $HOME dir, when you are using firejail option --private=FOLDER

Additional context

Maybe it is related just to open file dialog and its caching, because when I click on a image file in "open file dialog" on a right side I see a small image preview. So it looks like that "open file dialog" is able to access file list and read file content to make a small image preview, but google-chrome itself cannot access a file content (as running with --private=FOLDER command line option)

firefox is using the same "open file dialog" and when I run:

firejail --private=$(pwd) --noprofile firefox --no-remote

then "open file dialog" in a firefox is not showing files from original $HOME folder, it is showing files from --private=$FOLDER, which is correct behavior

So it looks like that google-chrome is using "open file dialog" a different way and can escape from firejail container, which is wrong

Environment

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=21.04
DISTRIB_CODENAME=hirsute
DISTRIB_DESCRIPTION="Ubuntu 21.04"

kernel

Linux lukynb 5.11.0-40-generic #44-Ubuntu SMP Wed Oct 20 16:16:42 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

firejail version 0.9.70

Compile time support:
	- always force nonewprivs support is disabled
	- AppArmor support is enabled
	- AppImage support is enabled
	- chroot support is enabled
	- D-BUS proxy support is enabled
	- file transfer support is enabled
	- firetunnel support is enabled
	- IDS support is disabled
	- networking support is enabled
	- output logging is enabled
	- overlayfs support is disabled
	- private-home support is enabled
	- private-cache and tmpfs as user enabled
	- SELinux support is disabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled

Checklist

  • The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • I can reproduce the issue without custom modifications (e.g. globals.local).
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • I have performed a short search for similar issues (to avoid opening a duplicate).
  • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail --private=`pwd` --noprofile /usr/bin/google-chrome-stable 

Parent pid 3458157, child pid 3458158
Child process initialized in 35.11 ms
[4:109:0712/112101.841338:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.DBus.Properties.Get: object_path= /org/freedesktop/UPower: org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.UPower was not provided by any .service files
[4:109:0712/112101.841744:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.UPower.GetDisplayDevice: object_path= /org/freedesktop/UPower: org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.UPower was not provided by any .service files
[4:109:0712/112101.842103:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.UPower.EnumerateDevices: object_path= /org/freedesktop/UPower: org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.UPower was not provided by any .service files
Fontconfig error: Cannot load default config file: No such file: (null)

Output of LC_ALL=C firejail --debug --private=`pwd` --noprofile /usr/bin/google-chrome-stable 

firejail --debug --private=`pwd`  --noprofile /usr/bin/google-chrome-stable
Autoselecting /bin/bash as shell
Building quoted command line: '/usr/bin/google-chrome-stable' 
Command name #google-chrome-stable#
DISPLAY=:1 parsed as 1
Using the local network stack
Parent pid 3459610, child pid 3459611
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
1762 1602 8:2 /etc /etc ro,noatime master:1 - ext4 /dev/sda2 rw
mountid=1762 fsname=/etc dir=/etc fstype=ext4
Mounting noexec /etc
1767 1762 8:2 /etc /etc ro,nosuid,nodev,noexec,noatime master:1 - ext4 /dev/sda2 rw
mountid=1767 fsname=/etc dir=/etc fstype=ext4
Mounting read-only /var
1768 1602 8:2 /var /var ro,noatime master:1 - ext4 /dev/sda2 rw
mountid=1768 fsname=/var dir=/var fstype=ext4
Mounting noexec /var
1778 1768 8:2 /var /var ro,nosuid,nodev,noexec,noatime master:1 - ext4 /dev/sda2 rw
mountid=1778 fsname=/var dir=/var fstype=ext4
Mounting read-only /usr
1779 1602 8:2 /usr /usr ro,noatime master:1 - ext4 /dev/sda2 rw
mountid=1779 fsname=/usr dir=/usr fstype=ext4
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /var/lib/snmp
Mounting tmpfs on /var/lib/sudo
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Cleaning /run/user directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /run/firejail/sandbox
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
Drop privileges: pid 2, uid 1000, gid 1000, force_nogroups 0
Mount-bind /home/luky/temp/youtube on top of /home/luky
1877 1808 8:2 /home/luky/temp/youtube /home/luky rw,noatime master:1 - ext4 /dev/sda2 rw
mountid=1877 fsname=/home/luky/temp/youtube dir=/home/luky fstype=ext4
Mounting a new /root directory
Drop privileges: pid 3, uid 1000, gid 1000, force_nogroups 0
blacklist /run/firejail/dbus
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /sys/kernel/uevent_helper
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/kernel/hotplug
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /usr/lib/modules (requested /lib/modules)
Disable /usr/lib/debug
Disable /boot
Disable /dev/port
Disable /run/user/1000/gnupg
Disable /run/user/1000/systemd
Disable /dev/kmsg
Disable /proc/kmsg
Disable /sys/fs
Disable /sys/module
rebuilding /etc directory
Creating empty /run/firejail/mnt/dns-etc/emacs directory
Creating empty /run/firejail/mnt/dns-etc/ipp-usb directory
Creating empty /run/firejail/mnt/dns-etc/sensors3.conf file
Creating empty /run/firejail/mnt/dns-etc/pipewire directory
Creating empty /run/firejail/mnt/dns-etc/logcheck directory
Creating empty /run/firejail/mnt/dns-etc/sysctl.d directory
Creating empty /run/firejail/mnt/dns-etc/issue file
Creating empty /run/firejail/mnt/dns-etc/networkd-dispatcher directory
Creating empty /run/firejail/mnt/dns-etc/services file
Creating empty /run/firejail/mnt/dns-etc/cron.daily directory
Creating empty /run/firejail/mnt/dns-etc/iproute2 directory
Creating empty /run/firejail/mnt/dns-etc/rarfiles.lst file
Creating empty /run/firejail/mnt/dns-etc/java-11-openjdk directory
Creating empty /run/firejail/mnt/dns-etc/default directory
Creating empty /run/firejail/mnt/dns-etc/apt directory
Creating empty /run/firejail/mnt/dns-etc/rc4.d directory
Creating empty /run/firejail/mnt/dns-etc/perl directory
Creating empty /run/firejail/mnt/dns-etc/python3.9 directory
Creating empty /run/firejail/mnt/dns-etc/passwd- file
Creating empty /run/firejail/mnt/dns-etc/apache2 directory
Creating empty /run/firejail/mnt/dns-etc/firebird directory
Creating empty /run/firejail/mnt/dns-etc/menu-methods directory
Creating empty /run/firejail/mnt/dns-etc/vulkan directory
Creating empty /run/firejail/mnt/dns-etc/netconfig file
Creating empty /run/firejail/mnt/dns-etc/sensors.d directory
Creating empty /run/firejail/mnt/dns-etc/dillo directory
Creating empty /run/firejail/mnt/dns-etc/debian_version file
Creating empty /run/firejail/mnt/dns-etc/xdg directory
Creating empty /run/firejail/mnt/dns-etc/e2scrub.conf file
Creating empty /run/firejail/mnt/dns-etc/mysql directory
Creating empty /run/firejail/mnt/dns-etc/dbus-1 directory
Creating empty /run/firejail/mnt/dns-etc/dkms directory
Creating empty /run/firejail/mnt/dns-etc/syslog.d directory
Creating empty /run/firejail/mnt/dns-etc/selinux directory
Creating empty /run/firejail/mnt/dns-etc/reader.conf.d directory
Creating empty /run/firejail/mnt/dns-etc/.java directory
Creating empty /run/firejail/mnt/dns-etc/inputrc file
Creating empty /run/firejail/mnt/dns-etc/profile.d directory
Creating empty /run/firejail/mnt/dns-etc/cron.d directory
Creating empty /run/firejail/mnt/dns-etc/sudoers file
Creating empty /run/firejail/mnt/dns-etc/calendar directory
Creating empty /run/firejail/mnt/dns-etc/alsa directory
Creating empty /run/firejail/mnt/dns-etc/pm directory
Creating empty /run/firejail/mnt/dns-etc/resolv3.conf file
Creating empty /run/firejail/mnt/dns-etc/sane.d directory
Creating empty /run/firejail/mnt/dns-etc/modules file
Creating empty /run/firejail/mnt/dns-etc/rc3.d directory
Creating empty /run/firejail/mnt/dns-etc/sudoers.d directory
Creating empty /run/firejail/mnt/dns-etc/skel directory
Creating empty /run/firejail/mnt/dns-etc/GNUstep directory
Creating empty /run/firejail/mnt/dns-etc/alternatives directory
Creating empty /run/firejail/mnt/dns-etc/login.defs file
Creating empty /run/firejail/mnt/dns-etc/networks file
Creating empty /run/firejail/mnt/dns-etc/fuse.conf file
Creating empty /run/firejail/mnt/dns-etc/ld.so.cache file
Creating empty /run/firejail/mnt/dns-etc/udev directory
Creating empty /run/firejail/mnt/dns-etc/mke2fs.conf file
Creating empty /run/firejail/mnt/dns-etc/ucf.conf file
Creating empty /run/firejail/mnt/dns-etc/legal file
Creating empty /run/firejail/mnt/dns-etc/syslog.conf file
Creating empty /run/firejail/mnt/dns-etc/dhcp directory
Creating empty /run/firejail/mnt/dns-etc/thunderbird directory
Creating empty /run/firejail/mnt/dns-etc/gnome directory
Creating empty /run/firejail/mnt/dns-etc/subuid- file
Creating empty /run/firejail/mnt/dns-etc/sudo_logsrvd.conf file
Creating empty /run/firejail/mnt/dns-etc/xattr.conf file
Creating empty /run/firejail/mnt/dns-etc/hostname file
Creating empty /run/firejail/mnt/dns-etc/hosts.deny file
Creating empty /run/firejail/mnt/dns-etc/ca-certificates directory
Creating empty /run/firejail/mnt/dns-etc/modules-load.d directory
Creating empty /run/firejail/mnt/dns-etc/fstab file
Creating empty /run/firejail/mnt/dns-etc/network directory
Creating empty /run/firejail/mnt/dns-etc/smartd.conf file
Creating empty /run/firejail/mnt/dns-etc/libccid_Info.plist file
Creating empty /run/firejail/mnt/dns-etc/polkit-1 directory
Creating empty /run/firejail/mnt/dns-etc/ssh directory
Creating empty /run/firejail/mnt/dns-etc/pulse directory
Creating empty /run/firejail/mnt/dns-etc/ca-certificates.conf file
Creating empty /run/firejail/mnt/dns-etc/terminfo directory
Creating empty /run/firejail/mnt/dns-etc/ldap directory
Creating empty /run/firejail/mnt/dns-etc/firefox directory
Creating empty /run/firejail/mnt/dns-etc/firejail directory
Creating empty /run/firejail/mnt/dns-etc/shadow file
Creating empty /run/firejail/mnt/dns-etc/kernel directory
Creating empty /run/firejail/mnt/dns-etc/libblockdev directory
Creating empty /run/firejail/mnt/dns-etc/vdpau_wrapper.cfg file
Creating empty /run/firejail/mnt/dns-etc/java-8-openjdk directory
Creating empty /run/firejail/mnt/dns-etc/bash_completion file
Creating empty /run/firejail/mnt/dns-etc/tlp.conf file
Creating empty /run/firejail/mnt/dns-etc/modprobe.d directory
Creating empty /run/firejail/mnt/dns-etc/issue.net file
Creating empty /run/firejail/mnt/dns-etc/magic file
Creating empty /run/firejail/mnt/dns-etc/update-motd.d directory
Creating empty /run/firejail/mnt/dns-etc/timidity directory
Creating empty /run/firejail/mnt/dns-etc/shadow- file
Creating empty /run/firejail/mnt/dns-etc/depmod.d directory
Creating empty /run/firejail/mnt/dns-etc/snmp directory
Creating empty /run/firejail/mnt/dns-etc/timezone file
Creating empty /run/firejail/mnt/dns-etc/mime.types file
Creating empty /run/firejail/mnt/dns-etc/lsb-release file
Creating empty /run/firejail/mnt/dns-etc/java-16-openjdk directory
Creating empty /run/firejail/mnt/dns-etc/ld.so.conf.d directory
Creating empty /run/firejail/mnt/dns-etc/ImageMagick-6 directory
Creating empty /run/firejail/mnt/dns-etc/libreoffice directory
Creating empty /run/firejail/mnt/dns-etc/libnl-3 directory
Creating empty /run/firejail/mnt/dns-etc/ltrace.conf file
Creating empty /run/firejail/mnt/dns-etc/bash_completion.d directory
Creating empty /run/firejail/mnt/dns-etc/subuid file
Creating empty /run/firejail/mnt/dns-etc/manpath.config file
Creating empty /run/firejail/mnt/dns-etc/gshadow- file
Creating empty /run/firejail/mnt/dns-etc/X11 directory
Creating empty /run/firejail/mnt/dns-etc/samba directory
Creating empty /run/firejail/mnt/dns-etc/papersize file
Creating empty /run/firejail/mnt/dns-etc/group file
Creating empty /run/firejail/mnt/dns-etc/mc directory
Creating empty /run/firejail/mnt/dns-etc/webfsd.conf file
Creating empty /run/firejail/mnt/dns-etc/acpi directory
Creating empty /run/firejail/mnt/dns-etc/host.conf file
Creating empty /run/firejail/mnt/dns-etc/python2.7 directory
Creating empty /run/firejail/mnt/dns-etc/tlp.d directory
Creating empty /run/firejail/mnt/dns-etc/groff directory
Creating empty /run/firejail/mnt/dns-etc/hostapd directory
Creating empty /run/firejail/mnt/dns-etc/mpv directory
Creating empty /run/firejail/mnt/dns-etc/ld.so.conf file
Creating empty /run/firejail/mnt/dns-etc/udisks2 directory
Creating empty /run/firejail/mnt/dns-etc/debconf.conf file
Creating empty /run/firejail/mnt/dns-etc/hdparm.conf file
Creating empty /run/firejail/mnt/dns-etc/dictionaries-common directory
Creating empty /run/firejail/mnt/dns-etc/binfmt.d directory
Creating empty /run/firejail/mnt/dns-etc/ufw directory
Creating empty /run/firejail/mnt/dns-etc/smi.conf file
Creating empty /run/firejail/mnt/dns-etc/subgid- file
Creating empty /run/firejail/mnt/dns-etc/shells file
Creating empty /run/firejail/mnt/dns-etc/locale.gen file
Creating empty /run/firejail/mnt/dns-etc/security directory
Creating empty /run/firejail/mnt/dns-etc/mbuffer.rc file
Creating empty /run/firejail/mnt/dns-etc/gtk-3.0 directory
Creating empty /run/firejail/mnt/dns-etc/avahi directory
Creating empty /run/firejail/mnt/dns-etc/group- file
Creating empty /run/firejail/mnt/dns-etc/cups directory
Creating empty /run/firejail/mnt/dns-etc/mailcap.order file
Creating empty /run/firejail/mnt/dns-etc/rc6.d directory
Creating empty /run/firejail/mnt/dns-etc/ghostscript directory
Creating empty /run/firejail/mnt/dns-etc/sudo.conf file
Creating empty /run/firejail/mnt/dns-etc/init.d directory
Creating empty /run/firejail/mnt/dns-etc/ca-certificates.conf.dpkg-old file
Creating empty /run/firejail/mnt/dns-etc/grub.d directory
Creating empty /run/firejail/mnt/dns-etc/rpc file
Creating empty /run/firejail/mnt/dns-etc/bash.bashrc file
Creating empty /run/firejail/mnt/dns-etc/minidlna.conf file
Creating empty /run/firejail/mnt/dns-etc/fonts directory
Creating empty /run/firejail/mnt/dns-etc/pam.conf file
Creating empty /run/firejail/mnt/dns-etc/magic.mime file
Creating empty /run/firejail/mnt/dns-etc/nsswitch.conf file
Creating empty /run/firejail/mnt/dns-etc/hp directory
Creating empty /run/firejail/mnt/dns-etc/rcS.d directory
Creating empty /run/firejail/mnt/dns-etc/protocols file
Creating empty /run/firejail/mnt/dns-etc/update-manager directory
Creating empty /run/firejail/mnt/dns-etc/console-setup directory
Creating empty /run/firejail/mnt/dns-etc/gai.conf file
Creating empty /run/firejail/mnt/dns-etc/initramfs-tools directory
Creating empty /run/firejail/mnt/dns-etc/schroot directory
Creating empty /run/firejail/mnt/dns-etc/deluser.conf file
Creating empty /run/firejail/mnt/dns-etc/logrotate.d directory
Creating empty /run/firejail/mnt/dns-etc/apport directory
Creating empty /run/firejail/mnt/dns-etc/matplotlibrc file
Creating empty /run/firejail/mnt/dns-etc/rc2.d directory
Creating empty /run/firejail/mnt/dns-etc/machine-id file
Creating empty /run/firejail/mnt/dns-etc/ethertypes file
Creating empty /run/firejail/mnt/dns-etc/glvnd directory
Creating empty /run/firejail/mnt/dns-etc/rearj.cfg file
Creating empty /run/firejail/mnt/dns-etc/subgid file
Creating empty /run/firejail/mnt/dns-etc/apparmor directory
Creating empty /run/firejail/mnt/dns-etc/pam.d directory
Creating empty /run/firejail/mnt/dns-etc/.pwd.lock file
Creating empty /run/firejail/mnt/dns-etc/wgetrc file
Creating empty /run/firejail/mnt/dns-etc/smartmontools directory
Creating empty /run/firejail/mnt/dns-etc/profile file
Creating empty /run/firejail/mnt/dns-etc/libpaper.d directory
Creating empty /run/firejail/mnt/dns-etc/passwd file
Creating empty /run/firejail/mnt/dns-etc/gtk-2.0 directory
Creating empty /run/firejail/mnt/dns-etc/python3 directory
Creating empty /run/firejail/mnt/dns-etc/rc0.d directory
Creating empty /run/firejail/mnt/dns-etc/dpkg directory
Creating empty /run/firejail/mnt/dns-etc/mailcap file
Creating empty /run/firejail/mnt/dns-etc/wireshark directory
Creating empty /run/firejail/mnt/dns-etc/cron.weekly directory
Creating empty /run/firejail/mnt/dns-etc/apparmor.d directory
Creating empty /run/firejail/mnt/dns-etc/tmpfiles.d directory
Creating empty /run/firejail/mnt/dns-etc/sysctl.conf file
Creating empty /run/firejail/mnt/dns-etc/gshadow file
Creating empty /run/firejail/mnt/dns-etc/environment file
Creating empty /run/firejail/mnt/dns-etc/bindresvport.blacklist file
Creating empty /run/firejail/mnt/dns-etc/openal directory
Creating empty /run/firejail/mnt/dns-etc/locale.alias file
Creating empty /run/firejail/mnt/dns-etc/nanorc file
Creating empty /run/firejail/mnt/dns-etc/gss directory
Creating empty /run/firejail/mnt/dns-etc/hosts file
Creating empty /run/firejail/mnt/dns-etc/libibverbs.d directory
Creating empty /run/firejail/mnt/dns-etc/dconf directory
Creating empty /run/firejail/mnt/dns-etc/icedtea-web directory
Creating empty /run/firejail/mnt/dns-etc/lighttpd directory
Creating empty /run/firejail/mnt/dns-etc/rc5.d directory
Creating empty /run/firejail/mnt/dns-etc/libaudit.conf file
Creating empty /run/firejail/mnt/dns-etc/adduser.conf file
Creating empty /run/firejail/mnt/dns-etc/iwd directory
Creating empty /run/firejail/mnt/dns-etc/rc1.d directory
Creating empty /run/firejail/mnt/dns-etc/PackageKit directory
Creating empty /run/firejail/mnt/dns-etc/gdb directory
Creating empty /run/firejail/mnt/dns-etc/resolv.conf file
Creating empty /run/firejail/mnt/dns-etc/inetd.d directory
Creating empty /run/firejail/mnt/dns-etc/systemd directory
Creating empty /run/firejail/mnt/dns-etc/hosts.allow file
Creating empty /run/firejail/mnt/dns-etc/inetd.conf file
Creating empty /run/firejail/mnt/dns-etc/ssl directory
Mount-bind /run/firejail/mnt/dns-etc on top of /etc
Current directory: /home/luky/temp/youtube
DISPLAY=:1 parsed as 1
Masking all X11 sockets except /tmp/.X11-unix/X1
Mounting read-only /run/firejail/mnt/seccomp
2419 1744 0:78 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755,inode64
mountid=2419 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs
Seccomp directory:
ls /run/firejail/mnt/seccomp
drwxr-xr-x root     root             120 .
drwxr-xr-x root     root             180 ..
-rw-r--r-- luky     luky             568 seccomp
-rw-r--r-- luky     luky             432 seccomp.32
-rw-r--r-- luky     luky               0 seccomp.postexec
-rw-r--r-- luky     luky               0 seccomp.postexec32
No active seccomp files
Drop privileges: pid 1, uid 1000, gid 1000, force_nogroups 0
Closing non-standard file descriptors
Starting application
LD_PRELOAD=(null)
Running '/usr/bin/google-chrome-stable'  command through /bin/bash
execvp argument 0: /bin/bash
execvp argument 1: -c
execvp argument 2: '/usr/bin/google-chrome-stable' 
Child process initialized in 77.05 ms
monitoring pid 4

[4:118:0712/115244.283472:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.DBus.Properties.Get: object_path= /org/freedesktop/UPower: org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.UPower was not provided by any .service files
[4:118:0712/115244.283812:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.UPower.GetDisplayDevice: object_path= /org/freedesktop/UPower: org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.UPower was not provided by any .service files
[4:118:0712/115244.284377:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.UPower.EnumerateDevices: object_path= /org/freedesktop/UPower: org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.UPower was not provided by any .service files
Fontconfig error: Cannot load default config file: No such file: (null)

Originally created by @lukypko on GitHub (Jul 12, 2022). Original GitHub issue: https://github.com/netblue30/firejail/issues/5246 <!-- See the following links for help with formatting: https://guides.github.com/features/mastering-markdown/ https://docs.github.com/en/github/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax --> ### Description google-chrome is able to access file list when using --private=FOLDER option ### Steps to Reproduce - download a `google-chrome-stable_current_amd64.deb` from https://google.com web page - install it using `dpkg -i google-chrome-stable_current_amd64.deb` - `mkdir -p ~/temp/youtube` (can be any folder, but I used this one) - `cd ~/temp/youtube` - no other google-chrome instances are running; `ps aux|grep -i chrom[e]|wc -l` = 0 - run `firejail --private=$(pwd) --noprofile /usr/bin/google-chrome-stable` - in a running google-chrome press `CTRL+O` (to open a file dialog) - you can see list of files in your home directory and recently opened files (**which is wrong**) - when you try to open some file (for example image/txt/pdf file), error in google-chrome is showed: "Your file couldn’t be accessed, It may have been moved, edited, or deleted., ERR_FILE_NOT_FOUND" - so files are not readable **which is correct behavior** ### Expected behavior When specify a command line option `--private=$FOLDER`, then only files from a $FOLDER should be visible in a $HOME folder, "recently opened files should be only from $FOLDER (if there were some files opened previously) It looks like the issue is in "open file dialog" which have access to all files in my $HOME folder ### Actual behavior When specify a command line option `--private=$FOLDER`, then all files from $HOME folder are visible in "open file dialog" and I can select a file. google chrome then display an error that file is not readable When trying to upload some file to [virustotal](https://www.virustotal.com/gui/home/upload), then file is uploaded successfully, but file size is **0 bytes** (just to check whether it is possible read and upload a file using a javascript) When open home folder as a URL in a google-chrome so `/home/luky` in my case, I see just expected content of my $FOLDER file, so this **works correctly too** Running without any profiles ~~~ firejail --private=`pwd` --noprofile /usr/bin/google-chrome-stable Parent pid 3458157, child pid 3458158 Child process initialized in 35.11 ms [4:109:0712/112101.841338:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.DBus.Properties.Get: object_path= /org/freedesktop/UPower: org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.UPower was not provided by any .service files [4:109:0712/112101.841744:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.UPower.GetDisplayDevice: object_path= /org/freedesktop/UPower: org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.UPower was not provided by any .service files [4:109:0712/112101.842103:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.UPower.EnumerateDevices: object_path= /org/freedesktop/UPower: org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.UPower was not provided by any .service files Fontconfig error: Cannot load default config file: No such file: (null) ~~~ Running using an existing profiles ~~~ firejail --private=`pwd` /usr/bin/google-chrome-stable Reading profile /etc/firejail/google-chrome-stable.profile Reading profile /etc/firejail/google-chrome.profile Reading profile /etc/firejail/chromium-common.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-exec.inc Reading profile /etc/firejail/disable-interpreters.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/disable-xdg.inc Reading profile /etc/firejail/whitelist-common.inc Reading profile /etc/firejail/whitelist-run-common.inc Reading profile /etc/firejail/whitelist-runuser-common.inc Reading profile /etc/firejail/whitelist-usr-share-common.inc Reading profile /etc/firejail/whitelist-var-common.inc Parent pid 3460196, child pid 3460197 Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set. Child process initialized in 611.12 ms [4:38:0712/120310.381051:ERROR:bus.cc(398)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied [4:38:0712/120310.381297:ERROR:bus.cc(398)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied [4:107:0712/120310.967129:ERROR:bus.cc(398)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied [4:107:0712/120310.967196:ERROR:bus.cc(398)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied [4:107:0712/120310.967274:ERROR:bus.cc(398)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied [4:107:0712/120310.969111:ERROR:bus.cc(398)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied [4:107:0712/120310.969213:ERROR:bus.cc(398)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied Fontconfig error: Cannot load default config file: No such file: (null) Parent is shutting down, bye... ~~~ - the issue is that google-chrome is able to get a list of files and traverse a whole $HOME dir, when you are using firejail option `--private=FOLDER` ### Additional context Maybe it is related just to open file dialog and its caching, because when I click on a image file in "open file dialog" on a right side I see a small image preview. So it looks like that "open file dialog" is able to access file list and read file content to make a small image preview, but google-chrome itself cannot access a file content (as running with `--private=FOLDER` command line option) firefox is using the same "open file dialog" and when I run: ~~~ firejail --private=$(pwd) --noprofile firefox --no-remote ~~~ then "open file dialog" in a firefox is not showing files from original $HOME folder, it is showing files from --private=$FOLDER, **which is correct behavior** So it looks like that google-chrome is using "open file dialog" a different way and can escape from firejail container, **which is wrong** ### Environment ~~~ DISTRIB_ID=Ubuntu DISTRIB_RELEASE=21.04 DISTRIB_CODENAME=hirsute DISTRIB_DESCRIPTION="Ubuntu 21.04" ~~~ kernel ~~~ Linux lukynb 5.11.0-40-generic #44-Ubuntu SMP Wed Oct 20 16:16:42 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux ~~~ ~~~ firejail version 0.9.70 Compile time support: - always force nonewprivs support is disabled - AppArmor support is enabled - AppImage support is enabled - chroot support is enabled - D-BUS proxy support is enabled - file transfer support is enabled - firetunnel support is enabled - IDS support is disabled - networking support is enabled - output logging is enabled - overlayfs support is disabled - private-home support is enabled - private-cache and tmpfs as user enabled - SELinux support is disabled - user namespace support is enabled - X11 sandboxing support is enabled ~~~ ### Checklist - [x] The issues is caused by firejail (i.e. running the program by path (e.g. `/usr/bin/vlc`) "fixes" it). - [x] I can reproduce the issue without custom modifications (e.g. globals.local). - [x] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`) - [x] The profile (and redirect profile if exists) hasn't already been fixed [upstream](https://github.com/netblue30/firejail/tree/master/etc). - [x] I have performed a short search for similar issues (to avoid opening a duplicate). - [x] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers. - [x] I used `--profile=PROFILENAME` to set the right profile. (Only relevant for AppImages) ### Log <details> <summary>Output of <code>LC_ALL=C firejail --private=`pwd` --noprofile /usr/bin/google-chrome-stable</code></summary> <p> ``` Parent pid 3458157, child pid 3458158 Child process initialized in 35.11 ms [4:109:0712/112101.841338:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.DBus.Properties.Get: object_path= /org/freedesktop/UPower: org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.UPower was not provided by any .service files [4:109:0712/112101.841744:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.UPower.GetDisplayDevice: object_path= /org/freedesktop/UPower: org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.UPower was not provided by any .service files [4:109:0712/112101.842103:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.UPower.EnumerateDevices: object_path= /org/freedesktop/UPower: org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.UPower was not provided by any .service files Fontconfig error: Cannot load default config file: No such file: (null) ``` </p> </details> <details> <summary>Output of <code>LC_ALL=C firejail --debug --private=`pwd` --noprofile /usr/bin/google-chrome-stable</code></summary> <p> ``` firejail --debug --private=`pwd` --noprofile /usr/bin/google-chrome-stable Autoselecting /bin/bash as shell Building quoted command line: '/usr/bin/google-chrome-stable' Command name #google-chrome-stable# DISPLAY=:1 parsed as 1 Using the local network stack Parent pid 3459610, child pid 3459611 Initializing child process Host network configured PID namespace installed Mounting tmpfs on /run/firejail/mnt directory Creating empty /run/firejail/mnt/seccomp directory Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file Mounting /proc filesystem representing the PID namespace Basic read-only filesystem: Mounting read-only /etc 1762 1602 8:2 /etc /etc ro,noatime master:1 - ext4 /dev/sda2 rw mountid=1762 fsname=/etc dir=/etc fstype=ext4 Mounting noexec /etc 1767 1762 8:2 /etc /etc ro,nosuid,nodev,noexec,noatime master:1 - ext4 /dev/sda2 rw mountid=1767 fsname=/etc dir=/etc fstype=ext4 Mounting read-only /var 1768 1602 8:2 /var /var ro,noatime master:1 - ext4 /dev/sda2 rw mountid=1768 fsname=/var dir=/var fstype=ext4 Mounting noexec /var 1778 1768 8:2 /var /var ro,nosuid,nodev,noexec,noatime master:1 - ext4 /dev/sda2 rw mountid=1778 fsname=/var dir=/var fstype=ext4 Mounting read-only /usr 1779 1602 8:2 /usr /usr ro,noatime master:1 - ext4 /dev/sda2 rw mountid=1779 fsname=/usr dir=/usr fstype=ext4 Mounting tmpfs on /var/lock Mounting tmpfs on /var/tmp Mounting tmpfs on /var/log Mounting tmpfs on /var/lib/snmp Mounting tmpfs on /var/lib/sudo Create the new utmp file Mount the new utmp file Cleaning /home directory Cleaning /run/user directory Sanitizing /etc/passwd, UID_MIN 1000 Sanitizing /etc/group, GID_MIN 1000 Disable /run/firejail/sandbox Disable /run/firejail/network Disable /run/firejail/bandwidth Disable /run/firejail/name Disable /run/firejail/profile Disable /run/firejail/x11 Drop privileges: pid 2, uid 1000, gid 1000, force_nogroups 0 Mount-bind /home/luky/temp/youtube on top of /home/luky 1877 1808 8:2 /home/luky/temp/youtube /home/luky rw,noatime master:1 - ext4 /dev/sda2 rw mountid=1877 fsname=/home/luky/temp/youtube dir=/home/luky fstype=ext4 Mounting a new /root directory Drop privileges: pid 3, uid 1000, gid 1000, force_nogroups 0 blacklist /run/firejail/dbus Mounting read-only /proc/sys Remounting /sys directory Disable /sys/firmware Disable /sys/hypervisor Disable /sys/power Disable /sys/kernel/debug Disable /sys/kernel/vmcoreinfo Disable /sys/kernel/uevent_helper Disable /proc/sys/fs/binfmt_misc Disable /proc/sys/kernel/core_pattern Disable /proc/sys/kernel/modprobe Disable /proc/sysrq-trigger Disable /proc/sys/kernel/hotplug Disable /proc/sys/vm/panic_on_oom Disable /proc/irq Disable /proc/bus Disable /proc/sched_debug Disable /proc/timer_list Disable /proc/kcore Disable /proc/kallsyms Disable /usr/lib/modules (requested /lib/modules) Disable /usr/lib/debug Disable /boot Disable /dev/port Disable /run/user/1000/gnupg Disable /run/user/1000/systemd Disable /dev/kmsg Disable /proc/kmsg Disable /sys/fs Disable /sys/module rebuilding /etc directory Creating empty /run/firejail/mnt/dns-etc/emacs directory Creating empty /run/firejail/mnt/dns-etc/ipp-usb directory Creating empty /run/firejail/mnt/dns-etc/sensors3.conf file Creating empty /run/firejail/mnt/dns-etc/pipewire directory Creating empty /run/firejail/mnt/dns-etc/logcheck directory Creating empty /run/firejail/mnt/dns-etc/sysctl.d directory Creating empty /run/firejail/mnt/dns-etc/issue file Creating empty /run/firejail/mnt/dns-etc/networkd-dispatcher directory Creating empty /run/firejail/mnt/dns-etc/services file Creating empty /run/firejail/mnt/dns-etc/cron.daily directory Creating empty /run/firejail/mnt/dns-etc/iproute2 directory Creating empty /run/firejail/mnt/dns-etc/rarfiles.lst file Creating empty /run/firejail/mnt/dns-etc/java-11-openjdk directory Creating empty /run/firejail/mnt/dns-etc/default directory Creating empty /run/firejail/mnt/dns-etc/apt directory Creating empty /run/firejail/mnt/dns-etc/rc4.d directory Creating empty /run/firejail/mnt/dns-etc/perl directory Creating empty /run/firejail/mnt/dns-etc/python3.9 directory Creating empty /run/firejail/mnt/dns-etc/passwd- file Creating empty /run/firejail/mnt/dns-etc/apache2 directory Creating empty /run/firejail/mnt/dns-etc/firebird directory Creating empty /run/firejail/mnt/dns-etc/menu-methods directory Creating empty /run/firejail/mnt/dns-etc/vulkan directory Creating empty /run/firejail/mnt/dns-etc/netconfig file Creating empty /run/firejail/mnt/dns-etc/sensors.d directory Creating empty /run/firejail/mnt/dns-etc/dillo directory Creating empty /run/firejail/mnt/dns-etc/debian_version file Creating empty /run/firejail/mnt/dns-etc/xdg directory Creating empty /run/firejail/mnt/dns-etc/e2scrub.conf file Creating empty /run/firejail/mnt/dns-etc/mysql directory Creating empty /run/firejail/mnt/dns-etc/dbus-1 directory Creating empty /run/firejail/mnt/dns-etc/dkms directory Creating empty /run/firejail/mnt/dns-etc/syslog.d directory Creating empty /run/firejail/mnt/dns-etc/selinux directory Creating empty /run/firejail/mnt/dns-etc/reader.conf.d directory Creating empty /run/firejail/mnt/dns-etc/.java directory Creating empty /run/firejail/mnt/dns-etc/inputrc file Creating empty /run/firejail/mnt/dns-etc/profile.d directory Creating empty /run/firejail/mnt/dns-etc/cron.d directory Creating empty /run/firejail/mnt/dns-etc/sudoers file Creating empty /run/firejail/mnt/dns-etc/calendar directory Creating empty /run/firejail/mnt/dns-etc/alsa directory Creating empty /run/firejail/mnt/dns-etc/pm directory Creating empty /run/firejail/mnt/dns-etc/resolv3.conf file Creating empty /run/firejail/mnt/dns-etc/sane.d directory Creating empty /run/firejail/mnt/dns-etc/modules file Creating empty /run/firejail/mnt/dns-etc/rc3.d directory Creating empty /run/firejail/mnt/dns-etc/sudoers.d directory Creating empty /run/firejail/mnt/dns-etc/skel directory Creating empty /run/firejail/mnt/dns-etc/GNUstep directory Creating empty /run/firejail/mnt/dns-etc/alternatives directory Creating empty /run/firejail/mnt/dns-etc/login.defs file Creating empty /run/firejail/mnt/dns-etc/networks file Creating empty /run/firejail/mnt/dns-etc/fuse.conf file Creating empty /run/firejail/mnt/dns-etc/ld.so.cache file Creating empty /run/firejail/mnt/dns-etc/udev directory Creating empty /run/firejail/mnt/dns-etc/mke2fs.conf file Creating empty /run/firejail/mnt/dns-etc/ucf.conf file Creating empty /run/firejail/mnt/dns-etc/legal file Creating empty /run/firejail/mnt/dns-etc/syslog.conf file Creating empty /run/firejail/mnt/dns-etc/dhcp directory Creating empty /run/firejail/mnt/dns-etc/thunderbird directory Creating empty /run/firejail/mnt/dns-etc/gnome directory Creating empty /run/firejail/mnt/dns-etc/subuid- file Creating empty /run/firejail/mnt/dns-etc/sudo_logsrvd.conf file Creating empty /run/firejail/mnt/dns-etc/xattr.conf file Creating empty /run/firejail/mnt/dns-etc/hostname file Creating empty /run/firejail/mnt/dns-etc/hosts.deny file Creating empty /run/firejail/mnt/dns-etc/ca-certificates directory Creating empty /run/firejail/mnt/dns-etc/modules-load.d directory Creating empty /run/firejail/mnt/dns-etc/fstab file Creating empty /run/firejail/mnt/dns-etc/network directory Creating empty /run/firejail/mnt/dns-etc/smartd.conf file Creating empty /run/firejail/mnt/dns-etc/libccid_Info.plist file Creating empty /run/firejail/mnt/dns-etc/polkit-1 directory Creating empty /run/firejail/mnt/dns-etc/ssh directory Creating empty /run/firejail/mnt/dns-etc/pulse directory Creating empty /run/firejail/mnt/dns-etc/ca-certificates.conf file Creating empty /run/firejail/mnt/dns-etc/terminfo directory Creating empty /run/firejail/mnt/dns-etc/ldap directory Creating empty /run/firejail/mnt/dns-etc/firefox directory Creating empty /run/firejail/mnt/dns-etc/firejail directory Creating empty /run/firejail/mnt/dns-etc/shadow file Creating empty /run/firejail/mnt/dns-etc/kernel directory Creating empty /run/firejail/mnt/dns-etc/libblockdev directory Creating empty /run/firejail/mnt/dns-etc/vdpau_wrapper.cfg file Creating empty /run/firejail/mnt/dns-etc/java-8-openjdk directory Creating empty /run/firejail/mnt/dns-etc/bash_completion file Creating empty /run/firejail/mnt/dns-etc/tlp.conf file Creating empty /run/firejail/mnt/dns-etc/modprobe.d directory Creating empty /run/firejail/mnt/dns-etc/issue.net file Creating empty /run/firejail/mnt/dns-etc/magic file Creating empty /run/firejail/mnt/dns-etc/update-motd.d directory Creating empty /run/firejail/mnt/dns-etc/timidity directory Creating empty /run/firejail/mnt/dns-etc/shadow- file Creating empty /run/firejail/mnt/dns-etc/depmod.d directory Creating empty /run/firejail/mnt/dns-etc/snmp directory Creating empty /run/firejail/mnt/dns-etc/timezone file Creating empty /run/firejail/mnt/dns-etc/mime.types file Creating empty /run/firejail/mnt/dns-etc/lsb-release file Creating empty /run/firejail/mnt/dns-etc/java-16-openjdk directory Creating empty /run/firejail/mnt/dns-etc/ld.so.conf.d directory Creating empty /run/firejail/mnt/dns-etc/ImageMagick-6 directory Creating empty /run/firejail/mnt/dns-etc/libreoffice directory Creating empty /run/firejail/mnt/dns-etc/libnl-3 directory Creating empty /run/firejail/mnt/dns-etc/ltrace.conf file Creating empty /run/firejail/mnt/dns-etc/bash_completion.d directory Creating empty /run/firejail/mnt/dns-etc/subuid file Creating empty /run/firejail/mnt/dns-etc/manpath.config file Creating empty /run/firejail/mnt/dns-etc/gshadow- file Creating empty /run/firejail/mnt/dns-etc/X11 directory Creating empty /run/firejail/mnt/dns-etc/samba directory Creating empty /run/firejail/mnt/dns-etc/papersize file Creating empty /run/firejail/mnt/dns-etc/group file Creating empty /run/firejail/mnt/dns-etc/mc directory Creating empty /run/firejail/mnt/dns-etc/webfsd.conf file Creating empty /run/firejail/mnt/dns-etc/acpi directory Creating empty /run/firejail/mnt/dns-etc/host.conf file Creating empty /run/firejail/mnt/dns-etc/python2.7 directory Creating empty /run/firejail/mnt/dns-etc/tlp.d directory Creating empty /run/firejail/mnt/dns-etc/groff directory Creating empty /run/firejail/mnt/dns-etc/hostapd directory Creating empty /run/firejail/mnt/dns-etc/mpv directory Creating empty /run/firejail/mnt/dns-etc/ld.so.conf file Creating empty /run/firejail/mnt/dns-etc/udisks2 directory Creating empty /run/firejail/mnt/dns-etc/debconf.conf file Creating empty /run/firejail/mnt/dns-etc/hdparm.conf file Creating empty /run/firejail/mnt/dns-etc/dictionaries-common directory Creating empty /run/firejail/mnt/dns-etc/binfmt.d directory Creating empty /run/firejail/mnt/dns-etc/ufw directory Creating empty /run/firejail/mnt/dns-etc/smi.conf file Creating empty /run/firejail/mnt/dns-etc/subgid- file Creating empty /run/firejail/mnt/dns-etc/shells file Creating empty /run/firejail/mnt/dns-etc/locale.gen file Creating empty /run/firejail/mnt/dns-etc/security directory Creating empty /run/firejail/mnt/dns-etc/mbuffer.rc file Creating empty /run/firejail/mnt/dns-etc/gtk-3.0 directory Creating empty /run/firejail/mnt/dns-etc/avahi directory Creating empty /run/firejail/mnt/dns-etc/group- file Creating empty /run/firejail/mnt/dns-etc/cups directory Creating empty /run/firejail/mnt/dns-etc/mailcap.order file Creating empty /run/firejail/mnt/dns-etc/rc6.d directory Creating empty /run/firejail/mnt/dns-etc/ghostscript directory Creating empty /run/firejail/mnt/dns-etc/sudo.conf file Creating empty /run/firejail/mnt/dns-etc/init.d directory Creating empty /run/firejail/mnt/dns-etc/ca-certificates.conf.dpkg-old file Creating empty /run/firejail/mnt/dns-etc/grub.d directory Creating empty /run/firejail/mnt/dns-etc/rpc file Creating empty /run/firejail/mnt/dns-etc/bash.bashrc file Creating empty /run/firejail/mnt/dns-etc/minidlna.conf file Creating empty /run/firejail/mnt/dns-etc/fonts directory Creating empty /run/firejail/mnt/dns-etc/pam.conf file Creating empty /run/firejail/mnt/dns-etc/magic.mime file Creating empty /run/firejail/mnt/dns-etc/nsswitch.conf file Creating empty /run/firejail/mnt/dns-etc/hp directory Creating empty /run/firejail/mnt/dns-etc/rcS.d directory Creating empty /run/firejail/mnt/dns-etc/protocols file Creating empty /run/firejail/mnt/dns-etc/update-manager directory Creating empty /run/firejail/mnt/dns-etc/console-setup directory Creating empty /run/firejail/mnt/dns-etc/gai.conf file Creating empty /run/firejail/mnt/dns-etc/initramfs-tools directory Creating empty /run/firejail/mnt/dns-etc/schroot directory Creating empty /run/firejail/mnt/dns-etc/deluser.conf file Creating empty /run/firejail/mnt/dns-etc/logrotate.d directory Creating empty /run/firejail/mnt/dns-etc/apport directory Creating empty /run/firejail/mnt/dns-etc/matplotlibrc file Creating empty /run/firejail/mnt/dns-etc/rc2.d directory Creating empty /run/firejail/mnt/dns-etc/machine-id file Creating empty /run/firejail/mnt/dns-etc/ethertypes file Creating empty /run/firejail/mnt/dns-etc/glvnd directory Creating empty /run/firejail/mnt/dns-etc/rearj.cfg file Creating empty /run/firejail/mnt/dns-etc/subgid file Creating empty /run/firejail/mnt/dns-etc/apparmor directory Creating empty /run/firejail/mnt/dns-etc/pam.d directory Creating empty /run/firejail/mnt/dns-etc/.pwd.lock file Creating empty /run/firejail/mnt/dns-etc/wgetrc file Creating empty /run/firejail/mnt/dns-etc/smartmontools directory Creating empty /run/firejail/mnt/dns-etc/profile file Creating empty /run/firejail/mnt/dns-etc/libpaper.d directory Creating empty /run/firejail/mnt/dns-etc/passwd file Creating empty /run/firejail/mnt/dns-etc/gtk-2.0 directory Creating empty /run/firejail/mnt/dns-etc/python3 directory Creating empty /run/firejail/mnt/dns-etc/rc0.d directory Creating empty /run/firejail/mnt/dns-etc/dpkg directory Creating empty /run/firejail/mnt/dns-etc/mailcap file Creating empty /run/firejail/mnt/dns-etc/wireshark directory Creating empty /run/firejail/mnt/dns-etc/cron.weekly directory Creating empty /run/firejail/mnt/dns-etc/apparmor.d directory Creating empty /run/firejail/mnt/dns-etc/tmpfiles.d directory Creating empty /run/firejail/mnt/dns-etc/sysctl.conf file Creating empty /run/firejail/mnt/dns-etc/gshadow file Creating empty /run/firejail/mnt/dns-etc/environment file Creating empty /run/firejail/mnt/dns-etc/bindresvport.blacklist file Creating empty /run/firejail/mnt/dns-etc/openal directory Creating empty /run/firejail/mnt/dns-etc/locale.alias file Creating empty /run/firejail/mnt/dns-etc/nanorc file Creating empty /run/firejail/mnt/dns-etc/gss directory Creating empty /run/firejail/mnt/dns-etc/hosts file Creating empty /run/firejail/mnt/dns-etc/libibverbs.d directory Creating empty /run/firejail/mnt/dns-etc/dconf directory Creating empty /run/firejail/mnt/dns-etc/icedtea-web directory Creating empty /run/firejail/mnt/dns-etc/lighttpd directory Creating empty /run/firejail/mnt/dns-etc/rc5.d directory Creating empty /run/firejail/mnt/dns-etc/libaudit.conf file Creating empty /run/firejail/mnt/dns-etc/adduser.conf file Creating empty /run/firejail/mnt/dns-etc/iwd directory Creating empty /run/firejail/mnt/dns-etc/rc1.d directory Creating empty /run/firejail/mnt/dns-etc/PackageKit directory Creating empty /run/firejail/mnt/dns-etc/gdb directory Creating empty /run/firejail/mnt/dns-etc/resolv.conf file Creating empty /run/firejail/mnt/dns-etc/inetd.d directory Creating empty /run/firejail/mnt/dns-etc/systemd directory Creating empty /run/firejail/mnt/dns-etc/hosts.allow file Creating empty /run/firejail/mnt/dns-etc/inetd.conf file Creating empty /run/firejail/mnt/dns-etc/ssl directory Mount-bind /run/firejail/mnt/dns-etc on top of /etc Current directory: /home/luky/temp/youtube DISPLAY=:1 parsed as 1 Masking all X11 sockets except /tmp/.X11-unix/X1 Mounting read-only /run/firejail/mnt/seccomp 2419 1744 0:78 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755,inode64 mountid=2419 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs Seccomp directory: ls /run/firejail/mnt/seccomp drwxr-xr-x root root 120 . drwxr-xr-x root root 180 .. -rw-r--r-- luky luky 568 seccomp -rw-r--r-- luky luky 432 seccomp.32 -rw-r--r-- luky luky 0 seccomp.postexec -rw-r--r-- luky luky 0 seccomp.postexec32 No active seccomp files Drop privileges: pid 1, uid 1000, gid 1000, force_nogroups 0 Closing non-standard file descriptors Starting application LD_PRELOAD=(null) Running '/usr/bin/google-chrome-stable' command through /bin/bash execvp argument 0: /bin/bash execvp argument 1: -c execvp argument 2: '/usr/bin/google-chrome-stable' Child process initialized in 77.05 ms monitoring pid 4 [4:118:0712/115244.283472:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.DBus.Properties.Get: object_path= /org/freedesktop/UPower: org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.UPower was not provided by any .service files [4:118:0712/115244.283812:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.UPower.GetDisplayDevice: object_path= /org/freedesktop/UPower: org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.UPower was not provided by any .service files [4:118:0712/115244.284377:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.UPower.EnumerateDevices: object_path= /org/freedesktop/UPower: org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.UPower was not provided by any .service files Fontconfig error: Cannot load default config file: No such file: (null) ``` </p> </details>
gitea-mirror 2026-05-05 09:35:43 -06:00
  • closed this issue
  • added the
    notabug
         label
gitea-mirror commented 2026-05-05 09:35:46 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jul 12, 2022):

chromium* uses portals for it's file dialog.

Related/Duplicate of: #5032.

<!-- gh-comment-id:1181681721 --> @rusty-snake commented on GitHub (Jul 12, 2022): chromium\* uses portals for it's file dialog. Related/Duplicate of: #5032.
gitea-mirror commented 2026-05-05 09:35:47 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jul 12, 2022):

firefox: Set widget.use-xdg-desktop-portal.file-picker=1 on about:config and you get the same.

<!-- gh-comment-id:1181682444 --> @rusty-snake commented on GitHub (Jul 12, 2022): firefox: Set `widget.use-xdg-desktop-portal.file-picker=1` on `about:config` and you get the same.
gitea-mirror commented 2026-05-05 09:35:48 -06:00
Author
Owner
Copy link

@lukypko commented on GitHub (Jul 12, 2022):

OK, I can confirm that when I set widget.use-xdg-desktop-portal.file-picker=1 in firefox, then firefox (immediately without a restart) is showing a content of $HOME folder, so behave exactly the same as in google-chrome.

It works without a package use-xdg-desktop-portalinstalled.

So I guess, it is not a plan to support that in a firejail, actually "the application" cannot access file content, just the "file picker".

Some other links:
Support portals
https://forum.manjaro.org/t/browsers-like-firefox-require-xdg-desktop-portal-package-to-use-os-default-file-manager/106933
https://bugzilla.mozilla.org/show_bug.cgi?id=1285711#c31
https://forum.manjaro.org/t/set-nemo-as-default-filemanager/83387/8

<!-- gh-comment-id:1181719793 --> @lukypko commented on GitHub (Jul 12, 2022): OK, I can confirm that when I set `widget.use-xdg-desktop-portal.file-picker=1` in firefox, then firefox (immediately without a restart) is showing a content of $HOME folder, so behave exactly the same as in google-chrome. It works without a package `use-xdg-desktop-portal`installed. So I guess, it is not a plan to support that in a firejail, actually "the application" cannot access file content, just the "file picker". Some other links: [ Support portals](https://github.com/netblue30/firejail/issues/811) https://forum.manjaro.org/t/browsers-like-firefox-require-xdg-desktop-portal-package-to-use-os-default-file-manager/106933 https://bugzilla.mozilla.org/show_bug.cgi?id=1285711#c31 https://forum.manjaro.org/t/set-nemo-as-default-filemanager/83387/8
gitea-mirror commented 2026-05-05 09:35:50 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jul 12, 2022):

it is not a plan to support that in a firejail

  1. It would be more work than we have development power at firejail side at the moment.
  2. It needs to be supported by x-d-p.

see also #4716

<!-- gh-comment-id:1181772552 --> @rusty-snake commented on GitHub (Jul 12, 2022): > it is not a plan to support that in a firejail 1. It would be more work than we have development power at firejail side at the moment. 2. It needs to be supported by x-d-p. --- see also #4716
gitea-mirror commented 2026-05-05 09:35:51 -06:00
Author
Owner
Copy link

@marcalia commented on GitHub (Nov 14, 2022):

I have the same problem with google-chrome running in firejail on debian 11 (xfce4) using the option --private=folder.
Trying to upload a file via the dialogue results in an error complaining about a 0 byte file.
Workaround:
Opening a file via file://... in the address bar, this shows the intended folder structure, and copying the address into the upload dialogue by opening the input filed via ctrl+l leads to a successful upload.

<!-- gh-comment-id:1313541195 --> @marcalia commented on GitHub (Nov 14, 2022): I have the same problem with google-chrome running in firejail on debian 11 (xfce4) using the option --private=folder. Trying to upload a file via the dialogue results in an error complaining about a 0 byte file. Workaround: Opening a file via file://... in the address bar, this shows the intended folder structure, and copying the address into the upload dialogue by opening the input filed via ctrl+l leads to a successful upload.
gitea-mirror commented 2026-05-05 09:35:52 -06:00
Author
Owner
Copy link

@wonbug commented on GitHub (Feb 24, 2023):

To pile on, I'm having a similar issue with google-chrome on Ubuntu 22.04.2 LTS. I confirmed it's running firejailed, yet the application is able to see the entirety of my disk, including the root directory. On a previous installation, it can only access the Downloads directory as one would expect. Do I need to take additional steps to limit what files Chrome can access?

<!-- gh-comment-id:1444585774 --> @wonbug commented on GitHub (Feb 24, 2023): To pile on, I'm having a similar issue with google-chrome on Ubuntu 22.04.2 LTS. I confirmed it's running firejailed, yet the application is able to see the entirety of my disk, including the root directory. On a previous installation, it can only access the Downloads directory as one would expect. Do I need to take additional steps to limit what files Chrome can access?
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2934
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?