[GH-ISSUE #5601] qutebrowser: links do not open in the existing instance #3037

Closed
opened 2026-05-05 09:41:05 -06:00 by gitea-mirror · 9 comments

Originally created by @aleprovencio on GitHub (Jan 18, 2023).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5601

Description

Until upgrading firejail to this last release, I used to open links on external apps and they would open on a new qutebrowser tab.

Steps to Reproduce

Steps to reproduce the behavior

  1. Run a firejailed qutebrowser
  2. Open a link from external app, ex: kitty's open_url_with_hints

Expected behavior

The link would open a new tab of the already running qutebrowser instance

Actual behavior

A new qutebrowser instance is opened with the link

Behavior without a profile

The same happens

Additional context

I've had to make other adjustments on my qutebrowser.local as well after this upgrade, but couldn't figure this one out. I've tried things like ignore dbus-system none and dbus-user.own org.qutebrowser.* without success.

Environment

  • Arch Linux
  • Firejail 0.9.72

Checklist

  • The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • I can reproduce the issue without custom modifications (e.g. globals.local).
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • I have performed a short search for similar issues (to avoid opening a duplicate).
    • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program

 LC_ALL=C firejail qutebrowser
Reading profile /etc/firejail/qutebrowser.profile
Reading profile /home/aleprovencio/.config/firejail/qutebrowser.local
Reading profile /etc/firejail/allow-lua.inc
Reading profile /etc/firejail/allow-bin-sh.inc
Reading profile /etc/firejail/allow-python2.inc
Reading profile /etc/firejail/allow-python3.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /home/aleprovencio/.config/firejail/whitelist-common.local
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Seccomp list in: !chroot,!name_to_handle_at, check list: @default-keep, prelist: unknown,unknown,
Parent pid 804258, child pid 804265
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping alternatives for private /etc
Warning: skipping crypto-policies for private /etc
Warning: skipping pki for private /etc
Private /etc installed in 135.12 ms
Private /usr/etc installed in 0.01 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: cleaning all supplementary groups
Seccomp list in: !chroot,!name_to_handle_at, check list: @default-keep, prelist: unknown,unknown,
Warning: cleaning all supplementary groups
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Child process initialized in 594.76 ms
[15:36:0118/103157.250946:ERROR:address_tracker_linux.cc(214)] Could not bind NETLINK socket: Address already in use (98)

gitea-mirror closed this issue and added the bug label on 2026-05-05 09:41:05 -06:00.

@ghost commented on GitHub (Jan 18, 2023):

> I've had to make other adjustments on my qutebrowser.local as well after this upgrade, but couldn't figure this one out. I've tried things like ignore dbus-system none and dbus-user.own org.qutebrowser.* without success.

It would be helpful if you could post your qutebrowser.local here. I'm assuming you've added include allow-lua.inc to that for some reason, as that isn't in /etc/firejail/qutebrowser.profile. You also have a whitelist-common.local according to the above output. Please post that as well.

I'm not normally using qutebrowser on my Arch Linux box, but I do have it installed to work on its profile on occasion. IMO it's unlikely this is D-Bus related. Very few applications need access to the system bus, and AFAICT qutebrowser doesn't expose any D-Bus addresses of its own (checked with d-feet). Without additional info my only advice at the moment is to disable the newly added options (one by one) from the 0.9.72 qutebrowser.profile so you can get as close as possible to the former 0.9.70 version that used to work for you.

Potential culprits:

  • include allow-bin-sh.inc + include disable-shell.inc (if bash is not your shell)
  • include disable-exec.inc (if you use a qutebrowser wrapper script under ${HOME} for example)

@aleprovencio commented on GitHub (Jan 19, 2023):

Thank you for your help. Below are my local files, I hope comments are self-explanatory of my doings.

whitelist-common.local

# dotfiles are symlinked
whitelist ${HOME}/.local/share/code/aleprovencio-config

qutebrowser.local

# troubleshooting: https://github.com/netblue30/firejail/issues/5601#issuecomment-1396196058
#ignore apparmor
#ignore disable-mnt
#ignore private-dev
#ignore private-etc
#ignore private-tmp
#ignore disable-shell
#ignore noroot
#ignore dbus-system none
#dbus-user filter
#dbus-user.own org.qutebrowser.*
#noblacklist ${PATH}/fish

# pywal
ignore private-cache
whitelist ${HOME}/.cache/wal

# userscripts
ignore include disable-exec.inc

# editor.command
ignore read-only ${HOME}/.local/share/nvim
#blacklisted by disable-interpreters.inc
include allow-lua.inc
#blacklisted by disable-programs.inc
noblacklist ${HOME}/.config/kitty
#whitelist
whitelist /usr/share/nvim
whitelist ${HOME}/.config/kitty
noblacklist ${HOME}/.config/nvim
noblacklist ${HOME}/.cache/nvim
noblacklist ${HOME}/.local/share/nvim
whitelist ${HOME}/.config/nvim
whitelist ${HOME}/.cache/nvim
whitelist ${HOME}/.local/share/nvim

# mpv/yt-dlp
#blacklisted by disable-programs.inc
noblacklist ${HOME}/.config/mpv
noblacklist ${HOME}/.config/yt-dlp
#whitelist
whitelist ${HOME}/.config/mpv
whitelist ${HOME}/.config/yt-dlp

# zathura
#blacklisted by disable-programs.inc
noblacklist ${HOME}/.config/zathura
#whitelist
whitelist ${HOME}/.config/zathura

@rusty-snake commented on GitHub (Jan 19, 2023):

> ignore include disable-exec.inc

IIRC qutebrowser now has apparmor.
Also, if you only need ${HOME} executable you can be more specific. So try to replace this line with

ignore apparmor
ignore noexec ${HOME}

@The-Compiler commented on GitHub (Jan 24, 2023):

qutebrowser upstream here - this is related to qutebrowser not being able to access its unix socket in /run/user/$UID/qutebrowser/ipc-<hash>. A user reported that they get:

ipc:send_to_running_instance:476 Connecting to /run/user/1011/qutebrowser/ipc-34c336827b750ba10a020fd62ec4664f
ipc:send_to_running_instance:506 No existing instance present (error 2)

when starting qutebrowser, which means qutebrowser then opens in a new process.

2 seems to be QLocalSocket::ServerNotFoundError, i.e. I suppose it got an ENOENT for that file.


@Dieterbe commented on GitHub (Jan 24, 2023):

could be due to #5389 ?


@ghost commented on GitHub (Jan 24, 2023):

@The-Compiler @Dieterbe Thanks for the info! It looks like we need an additional

whitelist ${RUNUSER}/qutebrowser

in qutebrowser.profile.

@aleprovencio Can you confirm your issue is fixed when adding that to your qutebrowser.local? I'll fix it in master when you confirm it solves it. Or you can open a PR yourself.


@rusty-snake commented on GitHub (Jan 24, 2023):

Remember to mkdir it too.
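
Why the socket lookup returns "not found" and what the two directives discussed above change, as an added example that is not part of the original thread or of firejail's code: a small Python model of whitelist handling under ${RUNUSER}. The stand-in profile lines, the function names, and the modelled rule that a whitelist entry is skipped when its path does not exist at sandbox start are assumptions.

```python
# Simplified model of firejail whitelist mode under ${RUNUSER}; not firejail code.
RUNUSER_FMT = "/run/user/{uid}"

# Constructed stand-ins for whitelist-runuser-common.inc (its real contents
# are not shown in the thread).
PROFILE_BEFORE = """\
# constructed sample entries
whitelist ${RUNUSER}/bus
whitelist ${RUNUSER}/pulse
"""
# The fix proposed in the thread, with the mkdir reminder applied.
PROFILE_AFTER = PROFILE_BEFORE + """\
mkdir ${RUNUSER}/qutebrowser
whitelist ${RUNUSER}/qutebrowser
"""
# Same whitelist line but without mkdir.
PROFILE_NO_MKDIR = PROFILE_BEFORE + "whitelist ${RUNUSER}/qutebrowser\n"


def directives(profile_text, uid):
    """Yield (keyword, expanded_path) for mkdir and whitelist lines."""
    runuser = RUNUSER_FMT.format(uid=uid)
    for raw in profile_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        keyword, _, arg = line.partition(" ")
        if keyword in ("mkdir", "whitelist") and arg:
            yield keyword, arg.strip().replace("${RUNUSER}", runuser)


def socket_visible(profile_text, target, uid, existing=()):
    """Return True if `target` would be reachable inside the sandbox.

    Assumes whitelist mode is already active on ${RUNUSER}, as in the log
    above where whitelist-runuser-common.inc is read: only whitelisted
    entries are bind-mounted into the fresh ${RUNUSER}, everything else
    yields ENOENT. `existing` lists paths present on the host at start.
    """
    runuser = RUNUSER_FMT.format(uid=uid)
    present = set(existing)
    allowed = []
    for keyword, path in directives(profile_text, uid):
        if keyword == "mkdir":
            present.add(path)                        # created before whitelisting
        elif path.startswith(runuser + "/") and path in present:
            allowed.append(path)                     # missing paths are skipped
    return any(target == p or target.startswith(p + "/") for p in allowed)


# Socket path quoted in the thread (uid 1011).
SOCKET = "/run/user/1011/qutebrowser/ipc-34c336827b750ba10a020fd62ec4664f"
HOST_PATHS = {"/run/user/1011/bus"}                  # constructed host state
```

With `PROFILE_BEFORE` the second qutebrowser process cannot see the socket of the first and starts its own instance; `PROFILE_NO_MKDIR` shows the first-launch case the mkdir reminder covers.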


@aleprovencio commented on GitHub (Jan 25, 2023):

It does work, thank you all for your time


@Dieterbe commented on GitHub (Jan 26, 2023):

Thank you! open source power !! 👯
