github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #5385] qutebrowser profile exposes lots of stuff in / #2978

New issue
Closed
opened 2026-05-05 09:38:10 -06:00 by gitea-mirror · 5 comments
gitea-mirror commented 2026-05-05 09:38:10 -06:00
Owner
Copy link

Originally created by @Dieterbe on GitHub (Oct 1, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5385

Description

Hi! I'm a new firejail user, so maybe i'm missing something, but seems that Qutebrowser has access to stuff it probably shouldn't, including everything in /etc (/etc/passwd, /etc/sudoers, etc), as well as /tmp (including stuff unrelated to qutebrowser) and /mnt for example

Steps to Reproduce

Steps to reproduce the behavior

  1. Run in bash LC_ALL=C firejail qutebrowser (with stock unmodified profile)
  2. run o /home/<username>
  3. go to parent directory two times (arrives at /)
  4. from there, navigate into /etc, /tmp, etc

Expected behavior

/etc, /mnt and /tmp show only things related to qutebrowser (or don't exist)

Actual behavior

see description

Behavior without a profile

What changed calling LC_ALL=C firejail --noprofile /path/to/program in a terminal?

nothing, it shows all the stuff in /etc, /mnt and /tmp just the same (which is the problem)

Additional context

Any other detail that may help to understand/debug the problem

Environment

  • "Arch Linux"
  • Firejail version (firejail --version).
firejail --version
firejail version 0.9.70

Compile time support:
	- always force nonewprivs support is disabled
	- AppArmor support is enabled
	- AppImage support is enabled
	- chroot support is enabled
	- D-BUS proxy support is enabled
	- file transfer support is enabled
	- firetunnel support is enabled
	- IDS support is disabled
	- networking support is enabled
	- output logging is enabled
	- overlayfs support is disabled
	- private-home support is enabled
	- private-cache and tmpfs as user enabled
	- SELinux support is disabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled
  • If you use a development version of firejail, also the commit from which it was compiled (git rev-parse HEAD).

Checklist

  • The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • I can reproduce the issue without custom modifications (e.g. globals.local).
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • I have performed a short search for similar issues (to avoid opening a duplicate).
    • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

These are the outputs of just launching qutebrowser, without navigating to the "exposed" stuff. Let me know if you want the log output of those actions.

Output of LC_ALL=C firejail /path/to/program 

LC_ALL=C firejail /usr/bin/qutebrowser
Reading profile /etc/firejail/qutebrowser.profile
Reading profile /etc/firejail/allow-python2.inc
Reading profile /etc/firejail/allow-python3.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Seccomp list in: !chroot,!name_to_handle_at, check list: @default-keep, prelist: unknown,unknown,
Parent pid 1115296, child pid 1115297
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Seccomp list in: !chroot,!name_to_handle_at, check list: @default-keep, prelist: unknown,unknown,
Child process initialized in 115.33 ms
libpng warning: iCCP: known incorrect sRGB profile
[522:4:1001/155721.101805:ERROR:node_controller.cc(571)] Trying to re-add dropped peer BE80F2304705FEF0.A2769AC6C100E524

Parent is shutting down, bye...

Output of LC_ALL=C firejail --debug /path/to/program 

<removed this as it showed a bit more about my system than i'ld like>

Originally created by @Dieterbe on GitHub (Oct 1, 2022). Original GitHub issue: https://github.com/netblue30/firejail/issues/5385 ### Description Hi! I'm a new firejail user, so maybe i'm missing something, but seems that Qutebrowser has access to stuff it probably shouldn't, including everything in /etc (/etc/passwd, /etc/sudoers, etc), as well as /tmp (including stuff unrelated to qutebrowser) and /mnt for example ### Steps to Reproduce _Steps to reproduce the behavior_ 1. Run in bash `LC_ALL=C firejail qutebrowser` (with stock unmodified profile) 2. run `o /home/<username>` 3. go to parent directory two times (arrives at /) 4. from there, navigate into /etc, /tmp, etc ### Expected behavior /etc, /mnt and /tmp show only things related to qutebrowser (or don't exist) ### Actual behavior see description ### Behavior without a profile _What changed calling `LC_ALL=C firejail --noprofile /path/to/program` in a terminal?_ nothing, it shows all the stuff in /etc, /mnt and /tmp just the same (which is the problem) ### Additional context _Any other detail that may help to understand/debug the problem_ ### Environment - "Arch Linux" - Firejail version (`firejail --version`). ``` firejail --version firejail version 0.9.70 Compile time support: - always force nonewprivs support is disabled - AppArmor support is enabled - AppImage support is enabled - chroot support is enabled - D-BUS proxy support is enabled - file transfer support is enabled - firetunnel support is enabled - IDS support is disabled - networking support is enabled - output logging is enabled - overlayfs support is disabled - private-home support is enabled - private-cache and tmpfs as user enabled - SELinux support is disabled - user namespace support is enabled - X11 sandboxing support is enabled ``` - If you use a development version of firejail, also the commit from which it was compiled (`git rev-parse HEAD`). ### Checklist - [x] The issues is caused by firejail (i.e. running the program by path (e.g. `/usr/bin/vlc`) "fixes" it). - [x] I can reproduce the issue without custom modifications (e.g. globals.local). - [x] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`) - [x] The profile (and redirect profile if exists) hasn't already been fixed [upstream](https://github.com/netblue30/firejail/tree/master/etc). - [x] I have performed a short search for similar issues (to avoid opening a duplicate). - [ ] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers. - [ ] I used `--profile=PROFILENAME` to set the right profile. (Only relevant for AppImages) ### Log These are the outputs of just launching qutebrowser, without navigating to the "exposed" stuff. Let me know if you want the log output of those actions. <details> <summary>Output of <code>LC_ALL=C firejail /path/to/program</code></summary> <p> ``` LC_ALL=C firejail /usr/bin/qutebrowser Reading profile /etc/firejail/qutebrowser.profile Reading profile /etc/firejail/allow-python2.inc Reading profile /etc/firejail/allow-python3.inc Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-interpreters.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/whitelist-common.inc Seccomp list in: !chroot,!name_to_handle_at, check list: @default-keep, prelist: unknown,unknown, Parent pid 1115296, child pid 1115297 Warning: /sbin directory link was not blacklisted Warning: /usr/sbin directory link was not blacklisted Seccomp list in: !chroot,!name_to_handle_at, check list: @default-keep, prelist: unknown,unknown, Child process initialized in 115.33 ms libpng warning: iCCP: known incorrect sRGB profile [522:4:1001/155721.101805:ERROR:node_controller.cc(571)] Trying to re-add dropped peer BE80F2304705FEF0.A2769AC6C100E524 Parent is shutting down, bye... ``` </p> </details> <details> <summary>Output of <code>LC_ALL=C firejail --debug /path/to/program</code></summary> <p> ``` <removed this as it showed a bit more about my system than i'ld like> ``` </p> </details>
gitea-mirror commented 2026-05-05 09:38:13 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Oct 1, 2022):

Looking at the qutebrowser.profile it does seem like an ommission we need to address. Can you try adding the below in a ~/.config/firejail/qutebrowser.local and report back if you can see any improvements?


disable-mnt
private-cache
private-dev
private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,pulse,resolv.conf,ssl
private-tmp

dbus-user filter
dbus-user.talk org.freedesktop.Notifications
dbus-user.talk org.mpris.MediaPlayer2.*
# Add the next line to your qutebrowser.local to allow screen sharing under wayland.
#dbus-user.talk org.freedesktop.portal.Desktop
# Add the next line to your qutebrowser.local if screen sharing sharing still does not work
# with the above lines (might depend on the portal implementation).
#ignore noroot
dbus-system none

You can play with these by commenting/uncommenting the relevant line(s). The one thing I cannot check right now is the correct name of any qutebrowser-exposed D-Bus paths we need to grant access to. But that's something we can find out later...

<!-- gh-comment-id:1264365557 --> @ghost commented on GitHub (Oct 1, 2022): Looking at the qutebrowser.profile it does seem like an ommission we need to address. Can you try adding the below in a ~/.config/firejail/qutebrowser.local and report back if you can see any improvements? ``` disable-mnt private-cache private-dev private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,pulse,resolv.conf,ssl private-tmp dbus-user filter dbus-user.talk org.freedesktop.Notifications dbus-user.talk org.mpris.MediaPlayer2.* # Add the next line to your qutebrowser.local to allow screen sharing under wayland. #dbus-user.talk org.freedesktop.portal.Desktop # Add the next line to your qutebrowser.local if screen sharing sharing still does not work # with the above lines (might depend on the portal implementation). #ignore noroot dbus-system none ``` You can play with these by commenting/uncommenting the relevant line(s). ~~The one thing I cannot check right now is the correct name of any qutebrowser-exposed D-Bus paths we need to grant access to. But that's something we can find out later...~~
gitea-mirror commented 2026-05-05 09:38:14 -06:00
Author
Owner
Copy link

@Dieterbe commented on GitHub (Oct 1, 2022):

FWIW, jailcheck without any modifications:

1122177:dieter::/usr/bin/firejail /usr/bin/qutebrowser 
   Warning: AppArmor not enabled
   Virtual dirs: /home/dieter, /var/tmp, /etc, 
   Warning: I can run programs in /tmp
   Warning: I can run programs in /run/user/1011
   Networking: enabled

with your suggestions, i see nothing in /tmp but .X11-unix/, /mnt doesn't load, and nothing in /etc but these:
(don't mind the links to github, that's something that happens upon paste)

[ca-certificates/](https://github.com/etc/ca-certificates/)		10/1/22, 5:39:42 PM
[fonts/](https://github.com/etc/fonts/)		10/1/22, 5:39:42 PM
[pulse/](https://github.com/etc/pulse/)		10/1/22, 5:39:42 PM
[ssl/](https://github.com/etc/ssl/)		10/1/22, 5:39:42 PM
[ld.so.cache](https://github.com/etc/ld.so.cache)	146 kB	10/1/22, 5:39:42 PM
[ld.so.preload](https://github.com/etc/ld.so.preload)	0 B	10/1/22, 5:39:42 PM
[localtime](https://github.com/etc/localtime)	2.0 kB	10/1/22, 5:39:42 PM
[machine-id](https://github.com/etc/machine-id)	33 B	10/1/22, 5:39:42 PM
[resolv.conf](https://github.com/etc/resolv.conf)	103 B	10/1/22, 5:39:42 PM

jailcheck again (interestingly this doesn't really convey anything about the huge improvement we just made)

1376717:dieter::/usr/bin/firejail /usr/bin/qutebrowser 
   Warning: AppArmor not enabled
   Virtual dirs: /home/dieter, /tmp, /var/tmp, /dev, /etc, 
   Warning: I can run programs in /tmp
   Warning: I can run programs in /run/user/1011
   Networking: enabled
<!-- gh-comment-id:1264385249 --> @Dieterbe commented on GitHub (Oct 1, 2022): FWIW, jailcheck without any modifications: ``` 1122177:dieter::/usr/bin/firejail /usr/bin/qutebrowser Warning: AppArmor not enabled Virtual dirs: /home/dieter, /var/tmp, /etc, Warning: I can run programs in /tmp Warning: I can run programs in /run/user/1011 Networking: enabled ``` with your suggestions, i see nothing in /tmp but .X11-unix/, /mnt doesn't load, and nothing in /etc but these: (don't mind the links to github, that's something that happens upon paste) ``` [ca-certificates/](https://github.com/etc/ca-certificates/) 10/1/22, 5:39:42 PM [fonts/](https://github.com/etc/fonts/) 10/1/22, 5:39:42 PM [pulse/](https://github.com/etc/pulse/) 10/1/22, 5:39:42 PM [ssl/](https://github.com/etc/ssl/) 10/1/22, 5:39:42 PM [ld.so.cache](https://github.com/etc/ld.so.cache) 146 kB 10/1/22, 5:39:42 PM [ld.so.preload](https://github.com/etc/ld.so.preload) 0 B 10/1/22, 5:39:42 PM [localtime](https://github.com/etc/localtime) 2.0 kB 10/1/22, 5:39:42 PM [machine-id](https://github.com/etc/machine-id) 33 B 10/1/22, 5:39:42 PM [resolv.conf](https://github.com/etc/resolv.conf) 103 B 10/1/22, 5:39:42 PM ``` jailcheck again (interestingly this doesn't really convey anything about the huge improvement we just made) ``` 1376717:dieter::/usr/bin/firejail /usr/bin/qutebrowser Warning: AppArmor not enabled Virtual dirs: /home/dieter, /tmp, /var/tmp, /dev, /etc, Warning: I can run programs in /tmp Warning: I can run programs in /run/user/1011 Networking: enabled ```
gitea-mirror commented 2026-05-05 09:38:15 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Oct 1, 2022):

@Dieterbe Okay, you can test the newly added D-Bus filtering thanks to The-Compiler from #qutebrowser IRC. For the other items reported by jailcheck, add the below:

include disable-exec.inc

apparmor
<!-- gh-comment-id:1264390811 --> @ghost commented on GitHub (Oct 1, 2022): @Dieterbe Okay, you can test the newly added D-Bus filtering thanks to The-Compiler from #qutebrowser IRC. For the other items reported by jailcheck, add the below: ``` include disable-exec.inc apparmor ```
gitea-mirror commented 2026-05-05 09:38:16 -06:00
Author
Owner
Copy link

@Dieterbe commented on GitHub (Oct 1, 2022):

dbus is a whole new domain for me. I don't have time now to dig into what this needs, but i did check out the https://www.bennish.net/web-notifications.html page, and the notifications seem to work just fine without further configuration beyond what you already gave.

qutebrowser is however logging this:

[20:637:1001/222658.415285:ERROR:bus.cc(393)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[20:510:1001/222703.448199:ERROR:bus.cc(393)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/user: Permission denied

I have added the apparmor directive but jailcheck still says "Warning: AppArmor not enabled"
I do see in the logs:

Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.

... which would probably make sense as am i not running appArmor :-) That might be a future project for me, for now I have my hands full learning firejail, and i believe it should give me most bang for the buck anyway.

<!-- gh-comment-id:1264461210 --> @Dieterbe commented on GitHub (Oct 1, 2022): dbus is a whole new domain for me. I don't have time now to dig into what this needs, but i did check out the https://www.bennish.net/web-notifications.html page, and the notifications seem to work just fine without further configuration beyond what you already gave. qutebrowser is however logging this: ``` [20:637:1001/222658.415285:ERROR:bus.cc(393)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied [20:510:1001/222703.448199:ERROR:bus.cc(393)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/user: Permission denied ``` I have added the apparmor directive but jailcheck still says "Warning: AppArmor not enabled" I do see in the logs: ``` Warning: Cannot confine the application using AppArmor. Maybe firejail-default AppArmor profile is not loaded into the kernel. ``` ... which would probably make sense as am i not running appArmor :-) That might be a future project for me, for now I have my hands full learning firejail, and i believe it should give me most bang for the buck anyway.
gitea-mirror commented 2026-05-05 09:38:16 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Oct 1, 2022):

qutebrowser is however logging this:
[20:637:1001/222658.415285:ERROR:bus.cc(393)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[20:510:1001/222703.448199:ERROR:bus.cc(393)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/user: Permission denied

These are expected messages when using restrictive dbus-user filter + dbus-system none. The point being we only allow the referenced D-Bus paths on the user bus and nothing on the system bus.

Warning: Cannot confine the application using AppArmor.
... which would probably make sense as am i not running appArmor

Correct, without enabling AppArmor the option can't offer anything on top of Firejail. I can definately understand that you would want to dig into learning firejail first and foremost. Whenever you feel ready to enable AppArmor, check its Arch Wiki page for details.

Enjoy your firejail learning process!

<!-- gh-comment-id:1264464574 --> @ghost commented on GitHub (Oct 1, 2022): > qutebrowser is however logging this: [20:637:1001/222658.415285:ERROR:bus.cc(393)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied [20:510:1001/222703.448199:ERROR:bus.cc(393)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/user: Permission denied These are expected messages when using restrictive dbus-user filter + dbus-system none. The point being we only allow the referenced D-Bus paths on the user bus and nothing on the system bus. > Warning: Cannot confine the application using AppArmor. ... which would probably make sense as am i not running appArmor Correct, without enabling AppArmor the option can't offer anything on top of Firejail. I can definately understand that you would want to dig into learning firejail first and foremost. Whenever you feel ready to enable AppArmor, check [its Arch Wiki page](https://wiki.archlinux.org/title/AppArmor) for details. Enjoy your firejail learning process!
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2978
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?