[GH-ISSUE #5460] librewolf: program is not sandboxed (unexpected .desktop filename) #3003

Closed
opened 2026-05-05 09:39:24 -06:00 by gitea-mirror · 11 comments

Originally created by @Dyras on GitHub (Nov 7, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5460

Description

Describe the bug
For some reason, running sudo firecfg on Linux Mint doesn't make LibreWolf run Firejailed. I believe this has to do with the path used for the default LibreWolf shortcut.

There's a thread on Reddit about this
https://www.reddit.com/r/LibreWolf/comments/yjgcpu/librewolf_isnt_automatically_firejailed_after/

Steps to Reproduce

Steps to reproduce the behavior

  1. Install the repo version of LibreWolf
  2. Install Firejail
  3. Run sudo firecfg
  4. Run LibreWolf
  5. Run Firefox
  6. Open the terminal and run firejail --list
  7. Notice that only Firefox is running in Firejail

Expected behavior

LibreWolf's default shortcuts in the system should launch LibreWolf in Firejail, as anticipated

Actual behavior

LibreWolf's default shortcuts on Linux Mint aren't launching LibreWolf in Firejail.

Behavior without a profile

What changed calling LC_ALL=C firejail --noprofile /path/to/program in a terminal?
Didn't try it, but this is seemingly related to shortcuts

Additional context

Quoted from Reddit:
I think I've figured it out. The default shortcut for LibreWolf is:

/usr/share/librewolf/librewolf %u

The default shortcut for Firefox is:

firefox %u

If I change the shortcut for LibreWolf to the below, it works:

librewolf %u

Basically, it seems like Firejail doesn't take the changed shortcut into account.

Additionally, running firejail /usr/share/librewolf/librewolf %u breaks the program, while running firejail librewolf works flawlessly

Environment

Linux Mint 21
firejail version 0.9.70

Checklist

  - [x] The issue is caused by firejail (i.e. running the program by path (e.g. `/usr/bin/vlc`) "fixes" it).
  - [x] I can reproduce the issue without custom modifications (e.g. globals.local).
  - [x] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  - [x] The profile (and redirect profile if exists) hasn't already been fixed upstream.
  - [x] I have performed a short search for similar issues (to avoid opening a duplicate).
  - [x] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers.
  - [ ] I used `--profile=PROFILENAME` to set the right profile. (Only relevant for AppImages)

Log

The long debug log:
https://pastebin.com/EFNvk8ha

Output of LC_ALL=C firejail /path/to/program

```
pcadmin@pc:~$ firejail /usr/share/librewolf/librewolf
Reading profile /home/pcadmin/.config/firejail/librewolf.profile
Reading profile /etc/firejail/librewolf.profile
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-proc.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 6118, child pid 6121
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: cleaning all supplementary groups
Child process initialized in 201.65 ms
defaults/preferences/firefox.js:6: prefs parse error: expected ',' after pref name
Crash Annotation GraphicsCriticalError: |[0][GFX1-]: glxtest: VA-API test failed: no supported VAAPI profile found. (t=1.38854) [GFX1-]: glxtest: VA-API test failed: no supported VAAPI profile found.
ATTENTION: default value of option mesa_glthread overridden by environment.
ATTENTION: default value of option mesa_glthread overridden by environment.
ATTENTION: default value of option mesa_glthread overridden by environment.
JavaScript error: resource://gre/modules/XULStore.jsm, line 58: Error: Can't find profile directory.

Parent is shutting down, bye...
```

@Dyras commented on GitHub (Nov 22, 2022):

I just tested on Debian and the exact same thing is happening. Firefox runs in Firejail automagically, LibreWolf just doesn't.


@marek22k commented on GitHub (Mar 20, 2023):

Is there a current workaround to firecfg librewolf?


@kmk3 commented on GitHub (Apr 5, 2023):

Can this still be reproduced in firejail 0.9.72?

What is the output of the following commands on your system?

```console
$ grep '^Exec' /usr/share/applications/firefox.desktop
Exec=/usr/lib/firefox/firefox %u
Exec=/usr/lib/firefox/firefox --new-window %u
Exec=/usr/lib/firefox/firefox --private-window %u

$ grep '^Exec' /usr/share/applications/librewolf.desktop
Exec=/usr/lib/librewolf/librewolf %u
Exec=/usr/lib/librewolf/librewolf --new-window %u
Exec=/usr/lib/librewolf/librewolf --private-window %u
Exec=/usr/lib/librewolf/librewolf --ProfileManager %u

$ cat /usr/bin/firefox
#!/bin/sh
exec /usr/lib/firefox/firefox "$@"

$ cat /usr/bin/librewolf
#!/bin/sh
exec /usr/lib/librewolf/librewolf "$@"
```

What are the versions of firefox/librewolf used? Where are they installed
from (normal distro repository/AppImage/etc)?

On Artix:

```console
$ pacman -Q firefox librewolf
firefox 111.0.1-1
librewolf-bin 111.0.1-1
```

One guess: firecfg checks whether the program in the Exec= line is in the
path, so maybe /usr/bin/firefox exists but not /usr/bin/librewolf.

Does creating the following file and re-running firecfg succeed as a
workaround?

~/bin/librewolf:

```
#!/bin/sh
exec firejail /usr/bin/librewolf
```

Run:

```sh
PATH="$HOME/bin:$PATH"
export PATH
sudo firecfg
```

@Dyras commented on GitHub (Apr 7, 2023):

It's still happening on 0.9.72

I installed it from the Main Debian Repository:
https://librewolf.net/installation/debian/

Debian uses Firefox ESR:

```console
$ grep '^Exec' /usr/share/applications/firefox-esr.desktop
Exec=/usr/lib/firefox-esr/firefox-esr %u
```

The output of the following:

```console
$ grep '^Exec' /usr/share/applications/librewolf.desktop
```

Is that the file can't be found.

However, the output of the following is as follows:

```console
$ grep '^Exec' /usr/share/applications/start-librewolf.desktop
Exec=/usr/share/librewolf/librewolf %u
Exec=/usr/share/librewolf/librewolf
Exec=/usr/share/librewolf/librewolf --private-window %u
Exec=/usr/share/librewolf/librewolf --safe-mode
Exec=/usr/share/librewolf/librewolf --preferences
```

As for the usr/bin folder, there is actually a "librewolf" in there.

Running it as follows:

```sh
exec firejail /usr/bin/librewolf
```

Works as intended.

I changed the name of start-librewolf.desktop to librewolf.desktop and reran sudo firecfg. It works!

So I assume the issue is that the file in applications is named start-librewolf.desktop rather than librewolf.desktop.


@rusty-snake commented on GitHub (Apr 7, 2023):

Duplicate of #2624


@rusty-snake commented on GitHub (Apr 7, 2023):

Same cause as in #2624 (this is issue number 5460 so we're 2836 issues later). The desktop file is not named after the profile file (or the other way around).

And same workaround as in #2624, create a start-librewolf.profile. Or create your own firecfg(.py) 😎 .
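
An audit for the mismatch described in the comment above, as an added example that is not firecfg's code and not part of the original thread. It assumes the rule as stated here (a launcher is only handled when a profile is named after the `.desktop` file) and that a bare program name in `Exec=` resolves through `PATH` to the sandboxed command, as the Reddit quote reports; the function name, status labels and sample files are constructed for illustration.

```shell
#!/bin/sh
# audit_desktop_files APPDIR PROFILEDIR
# Prints "<status> <desktop file> <Exec program>" for each launcher:
#   OK        a profile named after the .desktop file exists
#   MISMATCH  Exec= is an absolute path and a profile exists for the
#             program's basename, but none is named after the .desktop file
#             (the start-librewolf.desktop case from this issue)
#   VIA_PATH  same naming mismatch, but Exec= is a bare command name, so the
#             launcher goes through PATH instead of straight to the binary
audit_desktop_files() {
    appdir=$1
    profiledir=$2
    for desktop in "$appdir"/*.desktop; do
        [ -f "$desktop" ] || continue
        name=$(basename "$desktop" .desktop)
        # First Exec= line, program only (arguments such as %u are dropped)
        prog=$(sed -n 's/^Exec=\([^ ]*\).*/\1/p' "$desktop" | head -n 1)
        [ -n "$prog" ] || continue
        progname=$(basename "$prog")
        if [ -f "$profiledir/$name.profile" ]; then
            echo "OK $name.desktop $prog"
        elif [ -f "$profiledir/$progname.profile" ]; then
            case $prog in
                /*) echo "MISMATCH $name.desktop $prog" ;;
                *)  echo "VIA_PATH $name.desktop $prog" ;;
            esac
        fi
    done
}

# Constructed sample tree mirroring the file names reported in this thread.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/applications" "$tmp/firejail"
    : > "$tmp/firejail/librewolf.profile"
    : > "$tmp/firejail/firefox-esr.profile"
    printf '[Desktop Entry]\nExec=/usr/share/librewolf/librewolf %%u\n' \
        > "$tmp/applications/start-librewolf.desktop"
    printf '[Desktop Entry]\nExec=/usr/lib/firefox-esr/firefox-esr %%u\n' \
        > "$tmp/applications/firefox-esr.desktop"
    # Constructed launcher using a bare command name, as in the Reddit quote
    printf '[Desktop Entry]\nExec=librewolf %%u\n' \
        > "$tmp/applications/custom-librewolf.desktop"
    audit_desktop_files "$tmp/applications" "$tmp/firejail"
    rm -rf "$tmp"
}

demo
```

On a real system, `audit_desktop_files /usr/share/applications /etc/firejail` lists the launchers to check against `firejail --list` after running `sudo firecfg`.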


@marek22k commented on GitHub (Apr 11, 2023):

So I could use ln -s /etc/firejail/librewolf.profile /etc/firejail/start-librewolf.profile as a workaround? Wouldn't it make sense to rename the profile in general or does the problem only occur with the Debian installation?


@rusty-snake commented on GitHub (Apr 11, 2023):

> Wouldn't it make sense to rename the profile in general or does the problem only occur with the Debian installation?

Then you would have a working firecfg but a broken firejail unless you rename the actual binary too.


@kmk3 commented on GitHub (Apr 11, 2023):

(Offtopic)

@Dyras

Please see the following links for how to format code blocks in markdown:

* <https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks>
* <https://github.github.com/gfm/#fenced-code-blocks>

@kmk3 commented on GitHub (Apr 11, 2023):

@Dyras [on Apr 7](https://github.com/netblue30/firejail/issues/5460#issuecomment-1500170621):

> The output of the following:
>
> ```
> $ grep '^Exec' /usr/share/applications/librewolf.desktop
> ```
>
> Is that the file can't be found.
>
> However, the output of the following is as follows:
>
> ```
> $ grep '^Exec' /usr/share/applications/start-librewolf.desktop
> Exec=/usr/share/librewolf/librewolf %u
> Exec=/usr/share/librewolf/librewolf
> Exec=/usr/share/librewolf/librewolf --private-window %u
> Exec=/usr/share/librewolf/librewolf --safe-mode
> Exec=/usr/share/librewolf/librewolf --preferences
> ```
>
> I changed the name of start-librewolf.desktop to librewolf.desktop and reran
> sudo firecfg. It works!
>
> So I assume the issue is that the file in applications is named
> start-librewolf.desktop rather than librewolf.desktop.

Created a MR upstream to attempt to fix this:

* [Rename start-librewolf.desktop to librewolf.desktop](https://gitlab.com/librewolf-community/browser/bsys5/-/merge_requests/17)

@kmk3 commented on GitHub (Apr 15, 2023):

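> Created a MR upstream to attempt to fix this:
>
> * [Rename start-librewolf.desktop to librewolf.desktop](https://gitlab.com/librewolf-community/browser/bsys5/-/merge_requests/17)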

Good news: It was merged!

Let us know if anything changes when the next LibreWolf version is released
(the one after v112.0).

Closing this for now.
