[GH-ISSUE #5528] brave: built-in tor connections are blocked #3023

Open
opened 2026-05-05 09:40:30 -06:00 by gitea-mirror · 1 comment

Originally created by @ibahnasy on GitHub (Dec 15, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5528

Description

Brave browser can't get connected to its built-in Tor when firejail is used.

Steps to Reproduce

Run the browser with firejail: firejail brave-browser
Then start a private window with Tor

Expected behavior

Tor should get connected normally.

Actual behavior

Tor fails to connect at all.

Behavior without a profile

Tor works fine

Additional context

Any other detail that may help to understand/debug the problem

Environment

  • Ubuntu 22.10
  • Firejail version (0.9.70).

Checklist

  • [ Y ] The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • [ Y ] I can reproduce the issue without custom modifications (e.g. globals.local).
  • [ Y ] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [ Y ] The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • [ Y ] I have performed a short search for similar issues (to avoid opening a duplicate).
  • [ Y ] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • [ Y ] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program

Reading profile /etc/firejail/brave-browser.profile
Reading profile /etc/firejail/brave.profile
Reading profile /etc/firejail/chromium-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 32787, child pid 32788
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Child process initialized in 90.45 ms
[10:38:1215/105820.667362:ERROR:bus.cc(399)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[10:38:1215/105820.667434:ERROR:bus.cc(399)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied

(brave:10): dbind-WARNING **: 10:58:20.725: Couldn't connect to accessibility bus: Failed to connect to socket /run/user/1000/at-spi/bus: No such file or directory
libva error: vaGetDriverNameByIndex() failed with unknown libva error, driver_name = (null)
[10:174:1215/105820.873125:ERROR:bus.cc(399)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[10:174:1215/105820.873160:ERROR:bus.cc(399)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[10:174:1215/105820.873199:ERROR:bus.cc(399)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[10:174:1215/105820.873223:ERROR:bus.cc(399)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[10:174:1215/105820.873245:ERROR:bus.cc(399)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
LaunchProcess: failed to execvp:
/home/neo/.config/BraveSoftware/Brave-Browser/biahpgbdmdkfgndcmfiipgcebobojjkp/1.0.29/tor-0.4.7.10-linux-brave-2
[10:10:1215/105838.486111:ERROR:CONSOLE(1)] "This document requires 'TrustedScript' assignment.", source: chrome://newtab/private_new_tab.bundle.js (1)
[46:46:1215/105838.843202:ERROR:gl_surface_presentation_helper.cc(260)] GetVSyncParametersIfAvailable() failed for 1 times!
[46:46:1215/105838.843624:ERROR:gl_surface_presentation_helper.cc(260)] GetVSyncParametersIfAvailable() failed for 2 times!
[46:46:1215/105838.851584:ERROR:gl_surface_presentation_helper.cc(260)] GetVSyncParametersIfAvailable() failed for 3 times!
LaunchProcess: failed to execvp:
/home/neo/.config/BraveSoftware/Brave-Browser/biahpgbdmdkfgndcmfiipgcebobojjkp/1.0.29/tor-0.4.7.10-linux-brave-2
LaunchProcess: failed to execvp:
/home/neo/.config/BraveSoftware/Brave-Browser/biahpgbdmdkfgndcmfiipgcebobojjkp/1.0.29/tor-0.4.7.10-linux-brave-2
LaunchProcess: failed to execvp:
/home/neo/.config/BraveSoftware/Brave-Browser/biahpgbdmdkfgndcmfiipgcebobojjkp/1.0.29/tor-0.4.7.10-linux-brave-2
LaunchProcess: failed to execvp:
/home/neo/.config/BraveSoftware/Brave-Browser/biahpgbdmdkfgndcmfiipgcebobojjkp/1.0.29/tor-0.4.7.10-linux-brave-2
LaunchProcess: failed to execvp:
/home/neo/.config/BraveSoftware/Brave-Browser/biahpgbdmdkfgndcmfiipgcebobojjkp/1.0.29/tor-0.4.7.10-linux-brave-2
LaunchProcess: failed to execvp:
/home/neo/.config/BraveSoftware/Brave-Browser/biahpgbdmdkfgndcmfiipgcebobojjkp/1.0.29/tor-0.4.7.10-linux-brave-2
LaunchProcess: failed to execvp:
/home/neo/.config/BraveSoftware/Brave-Browser/biahpgbdmdkfgndcmfiipgcebobojjkp/1.0.29/tor-0.4.7.10-linux-brave-2
LaunchProcess: failed to execvp:
/home/neo/.config/BraveSoftware/Brave-Browser/biahpgbdmdkfgndcmfiipgcebobojjkp/1.0.29/tor-0.4.7.10-linux-brave-2
LaunchProcess: failed to execvp:
/home/neo/.config/BraveSoftware/Brave-Browser/biahpgbdmdkfgndcmfiipgcebobojjkp/1.0.29/tor-0.4.7.10-linux-brave-2
LaunchProcess: failed to execvp:
/home/neo/.config/BraveSoftware/Brave-Browser/biahpgbdmdkfgndcmfiipgcebobojjkp/1.0.29/tor-0.4.7.10-linux-brave-2
LaunchProcess: failed to execvp:
/home/neo/.config/BraveSoftware/Brave-Browser/biahpgbdmdkfgndcmfiipgcebobojjkp/1.0.29/tor-0.4.7.10-linux-brave-2
LaunchProcess: failed to execvp:
/home/neo/.config/BraveSoftware/Brave-Browser/biahpgbdmdkfgndcmfiipgcebobojjkp/1.0.29/tor-0.4.7.10-linux-brave-2
LaunchProcess: failed to execvp:
/home/neo/.config/BraveSoftware/Brave-Browser/biahpgbdmdkfgndcmfiipgcebobojjkp/1.0.29/tor-0.4.7.10-linux-brave-2
LaunchProcess: failed to execvp:
/home/neo/.config/BraveSoftware/Brave-Browser/biahpgbdmdkfgndcmfiipgcebobojjkp/1.0.29/tor-0.4.7.10-linux-brave-2
LaunchProcess: failed to execvp:
/home/neo/.config/BraveSoftware/Brave-Browser/biahpgbdmdkfgndcmfiipgcebobojjkp/1.0.29/tor-0.4.7.10-linux-brave-2
LaunchProcess: failed to execvp:
/home/neo/.config/BraveSoftware/Brave-Browser/biahpgbdmdkfgndcmfiipgcebobojjkp/1.0.29/tor-0.4.7.10-linux-brave-2
LaunchProcess: failed to execvp:
/home/neo/.config/BraveSoftware/Brave-Browser/biahpgbdmdkfgndcmfiipgcebobojjkp/1.0.29/tor-0.4.7.10-linux-brave-2
LaunchProcess: failed to execvp:
/home/neo/.config/BraveSoftware/Brave-Browser/biahpgbdmdkfgndcmfiipgcebobojjkp/1.0.29/tor-0.4.7.10-linux-brave-2
LaunchProcess: failed to execvp:
/home/neo/.config/BraveSoftware/Brave-Browser/biahpgbdmdkfgndcmfiipgcebobojjkp/1.0.29/tor-0.4.7.10-linux-brave-2
^C
Parent received signal 2, shutting down the child process...

Child received signal 2, shutting down the sandbox...

Parent is shutting down, bye...

Output of LC_ALL=C firejail --debug /path/to/program

Content too large to submit here!

gitea-mirror added the information_old, notabug labels 2026-05-05 09:40:30 -06:00

@ghost commented on GitHub (Dec 15, 2022):

Most likely this is due to AppArmor. You've got two options here. Both are mentioned in /etc/firejail/brave.profile:

[...]
# TOR is installed in ${HOME}.
# NOTE: chromium-common.profile enables apparmor. To keep that intact
# you will need to uncomment the 'brave + tor' rule in /etc/apparmor.d/local/firejail-default.
# Alternatively you can add 'ignore apparmor' to your brave.local.
ignore noexec ${HOME}
[...]

If you do use AppArmor (AA) you will need to check your /etc/apparmor.d/local/firejail-default and make sure the relevant rules are enabled. AA caches these rules, so a restart is needed if you make any changes to that file. If you don't use AA then a simple ~/.config/firejail/brave.local containing ignore apparmor should fix things. Post your files here if you need more help.
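
The check described in the comment above, as an added example that is not part of the original thread or of firejail itself: it pulls the failing binary path out of a log like the one in the issue and reports whether the `apparmor` command is still in effect for a given list of profile files. The function names, the sample log and the profile excerpts are constructed for illustration; the script assumes the files are passed in the order firejail reads them, since an `ignore` line only affects commands read after it.

```shell
#!/bin/sh
# Added example (not firejail code): triage the "failed to execvp" symptom.

# Print each distinct path that failed to exec; in the issue log the path is
# on the line after "LaunchProcess: failed to execvp:".
failed_exec_paths() {
    awk '/LaunchProcess: failed to execvp:/ { want = 1; next }
         want { if (!seen[$0]++) print; want = 0 }' "$1"
}

# Succeed if an 'apparmor' command survives when the given profile files are
# read in order. 'ignore apparmor' only cancels commands read after it.
# Missing files (e.g. no brave.local yet) are skipped.
apparmor_in_effect() {
    for f in "$@"; do
        if [ -r "$f" ]; then cat "$f"; fi
    done | awk '/^[ \t]*ignore[ \t]+apparmor[ \t]*$/ { ignored = 1 }
                /^[ \t]*apparmor([ \t].*)?$/ && !ignored { found = 1 }
                END { exit found ? 0 : 1 }'
}

# triage LOGFILE HOME_DIR PROFILE... -> prints one verdict word
triage() {
    log=$1; home_dir=$2; shift 2
    exe=$(failed_exec_paths "$log" | head -n 1)
    if [ -z "$exe" ]; then echo no-execvp-failure; return 0; fi
    case $exe in
        "$home_dir"/*) ;;
        *) echo outside-home; return 0 ;;
    esac
    if apparmor_in_effect "$@"; then echo apparmor-active
    else echo apparmor-ignored; fi
}

# Constructed sample data: log lines and profile excerpts are placeholders.
make_sample() {
    printf '%s\n' 'Child process initialized in 90.45 ms' \
        'LaunchProcess: failed to execvp:' '/home/user/.config/app/tor-bin' \
        'LaunchProcess: failed to execvp:' '/home/user/.config/app/tor-bin' > "$1/run.log"
    printf '%s\n' '# local overrides' 'ignore apparmor' > "$1/brave.local"
    printf '%s\n' 'ignore noexec ${HOME}' > "$1/brave.profile"
    printf '%s\n' '# constructed excerpt' 'apparmor' > "$1/chromium-common.profile"
}

d=$(mktemp -d)
make_sample "$d"
# Without brave.local the apparmor command from chromium-common.profile applies.
triage "$d/run.log" /home/user "$d/brave.profile" "$d/chromium-common.profile"
# With brave.local read first, 'ignore apparmor' cancels it.
triage "$d/run.log" /home/user "$d/brave.local" "$d/brave.profile" "$d/chromium-common.profile"
rm -rf "$d"
```

A verdict of `apparmor-active` points at the 'brave + tor' rule in `/etc/apparmor.d/local/firejail-default` mentioned in the profile comment; `apparmor-ignored` means the profile chain is not asking for AppArmor confinement.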

Reference: github-starred/firejail#3023