[GH-ISSUE #5436] torbrowser-launcher: can't open file '/usr/bin/torbrowser-launcher': [Errno 13] Permission denied (AppArmor) #2992

Open
opened 2026-05-05 09:38:56 -06:00 by gitea-mirror · 7 comments

Originally created by @CoRoe on GitHub (Oct 27, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5436

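fj.txt (https://github.com/netblue30/firejail/files/9878341/fj.txt)
fj-debug.txt (https://github.com/netblue30/firejail/files/9878342/fj-debug.txt)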

Description

torbrowser-launcher raises an exception when run under firejail.

Steps to Reproduce

$ firejail /usr/bin/torbrowser-launcher

Expected behavior

Tor browser is launched.

Actual behavior

torbrowser-launcher raises an exception:

Behavior without a profile

Tor browser is launched.

Additional context

The issue seems to be related to gpg key access.

Environment

Linux Mint

Package: torbrowser-launcher
Version: 0.3.2-9ubuntu1

Package: firejail
Version: 0.9.70-1~0ubuntu20.04.0

Package: firejail-profiles
Version: 0.9.70-1~0ubuntu20.04.0

Checklist

  • [x] The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • [x] I can reproduce the issue without custom modifications (e.g. globals.local).
  • [x] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [x] The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).
  • [ ] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • [ ] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

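Output of LC_ALL=C firejail /usr/bin/torbrowser-launcher: fj.txt (https://github.com/netblue30/firejail/files/9878385/fj.txt)

Output of LC_ALL=C firejail --debug /usr/bin/torbrowser-launcher: fj-debug.txt (https://github.com/netblue30/firejail/files/9878371/fj-debug.txt)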


EDIT by @rusty-snake: Fix links.


@rusty-snake commented on GitHub (Oct 27, 2022):

Does it work with noblacklist ${HOME}/.gnupg?


@CoRoe commented on GitHub (Oct 28, 2022):

> Does it work with noblacklist ${HOME}/.gnupg?

No, no change.


@CoRoe commented on GitHub (Oct 28, 2022):

I looked a bit further and it turned out that the behaviour is related to the apparmor statement in the torbrowser-launcher firejail profile. Here is a table:

| TBL profile | firejail-default | torbrowser-launcher | Result                    |
|-------------|------------------|---------------------|---------------------------|
| #apparmor   | aa-complain      | aa-complain         | list index out of range   |
| #apparmor   | aa-complain      | aa-enforce          | Permission denied tbl     |
| #apparmor   | aa-enforce       | aa-complain         | list index out of range   |
| #apparmor   | aa-enforce       | aa-enforce          | Permission denied tbl     |
| apparmor    | aa-complain      | aa-complain         | OK                        |
| apparmor    | aa-complain      | aa-enforce          | OK                        |
| apparmor    | aa-enforce       | aa-complain         | Permission denied desktop |
| apparmor    | aa-enforce       | aa-enforce          | Permission denied desktop |

The second and third columns indicate if the firejail-default resp. torbrowser-launcher AppArmor profiles are enforced or not. Last column:

list index out of range: The issue I first came across, probably related to GPG keys.

Permission denied tbl:

```
Reading profile /home/cro/.config/firejail/torbrowser-launcher.profile
Reading profile /etc/firejail/allow-python2.inc
Reading profile /etc/firejail/allow-python3.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Warning: networking feature is disabled in Firejail configuration file
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 411858, child pid 411859

40 programs installed in 55.31 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping asound.conf for private /etc
Warning: skipping crypto-policies for private /etc
Private /etc installed in 26.74 ms
Private /usr/etc installed in 0.00 ms
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Child process initialized in 175.33 ms
/usr/bin/python3: can't open file '/usr/bin/torbrowser-launcher': [Errno 13] Permission denied
```

Permission denied desktop:

```
Running /home/cro/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/start-tor-browser.desktop
Traceback (most recent call last):
  File "/usr/bin/torbrowser-launcher", line 30, in <module>
    torbrowser_launcher.main()
  File "/usr/lib/python3/dist-packages/torbrowser_launcher/__init__.py", line 86, in main
    gui = Launcher(common, app, url_list)
  File "/usr/lib/python3/dist-packages/torbrowser_launcher/launcher.py", line 152, in __init__
    self.update()
  File "/usr/lib/python3/dist-packages/torbrowser_launcher/launcher.py", line 199, in update
    self.start(None)
  File "/usr/lib/python3/dist-packages/torbrowser_launcher/launcher.py", line 218, in start
    self.run_task()
  File "/usr/lib/python3/dist-packages/torbrowser_launcher/launcher.py", line 266, in run_task
    self.run()
  File "/usr/lib/python3/dist-packages/torbrowser_launcher/launcher.py", line 439, in run
    subprocess.call([self.common.paths['tbb']['start']], cwd=self.common.paths['tbb']['dir_tbb'])
  File "/usr/lib/python3.8/subprocess.py", line 340, in call
    with Popen(*popenargs, **kwargs) as p:
  File "/usr/lib/python3.8/subprocess.py", line 858, in __init__
    self._execute_child(args, executable, preexec_fn, close_fds,
  File "/usr/lib/python3.8/subprocess.py", line 1704, in _execute_child
    raise child_exception_type(errno_num, err_msg, err_filename)
PermissionError: [Errno 13] Permission denied: '/home/cro/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/start-tor-browser.desktop'
```
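
To tell which of the two AppArmor profiles in the table above produced a given "Permission denied", the kernel's AppArmor audit messages can be grouped by their `profile` field. The following is an added example, not part of the original issue or of firejail; the log lines are constructed samples, the profile names are the ones used in the thread, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample audit lines in the kernel's AppArmor key=value format.
# They are NOT the issue's logs; which profile denies what is an assumption.
SAMPLE_LOG = """\
audit: type=1400 audit(1666944000.101:311): apparmor="DENIED" operation="open" profile="torbrowser-launcher" name="/usr/bin/torbrowser-launcher" pid=411859 comm="python3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1666944050.202:312): apparmor="ALLOWED" operation="open" profile="torbrowser-launcher" name="/home/user/.gnupg/pubring.kbx" pid=411900 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1666944100.303:313): apparmor="DENIED" operation="exec" profile="firejail-default" name="/home/user/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/start-tor-browser.desktop" pid=411950 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')


def parse_event(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    fields = {}
    for key, quoted, bare in FIELD.findall(line):
        value = bare or quoted
        # The audit subsystem hex-encodes paths containing spaces or quotes
        # and writes them unquoted; decode those so the path is readable.
        if key == "name" and bare and HEX.fullmatch(bare):
            value = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = value
    return fields


def denials_by_profile(log_text):
    """Map profile name -> [(operation, path, denied_mask)] for DENIED events.

    Events logged as ALLOWED (a profile in complain mode) are skipped.
    """
    out = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev and ev.get("apparmor") == "DENIED":
            out[ev.get("profile", "?")].append(
                (ev.get("operation"), ev.get("name"), ev.get("denied_mask")))
    return dict(out)


if __name__ == "__main__":
    for profile, events in denials_by_profile(SAMPLE_LOG).items():
        for op, path, mask in events:
            print(f"{profile}: {op} {path} (denied {mask})")
```

On a real system the input would be the kernel log, for example the output of `journalctl -k` or `dmesg`.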

@rusty-snake commented on GitHub (Oct 28, 2022):

You should either use firejail (with its AA profile) or AppArmor to isolate a program. If you use both, they bite each other, you have trouble and some features (at both ends) can not be used.


@CoRoe commented on GitHub (Oct 28, 2022):

So the issue is mostly related to AppArmor, except for the apparmor statement in the torbrowser-launcher profile.


@CoRoe commented on GitHub (Oct 28, 2022):

> You should either use firejail (with its AA profile) or AppArmor to isolate a program. If you use both, they bite each other, you have trouble and some features (at both ends) can not be used.

I see.


@CoRoe commented on GitHub (Oct 28, 2022):

Thanks for your response!

Reference: github-starred/firejail#2992