github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #5611] firefox: cursor does not unhide after moving (NixOS/sway) #3045

New issue
Open
opened 2026-05-05 09:41:24 -06:00 by gitea-mirror · 30 comments
gitea-mirror commented 2026-05-05 09:41:24 -06:00
Owner
Copy link

Originally created by @FarisFiroz on GitHub (Jan 22, 2023).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5611

Description

On a firejail sandboxed instance of firefox based browsers on swayWM, if the cursor is changed inside the browser, it has trouble changing back. This is most notable when the cursor is hidden such as when viewing a video. Once this happens, the cursor is forever hidden inside that window. Moving the cursor outside the window fixes it, but moving the cursor back inside the window breaks it.

Steps to reproduce

  1. Use the default librewolf firejail profile and launch librewolf inside of firejail on swayWM. (You can also use firefox to achieve the same effect)
  2. Open a video of some sort (Youtube).
  3. Put mouse over video or fullscreen and wait for mouse to hide.
  4. Once mouse hides, move the mouse.

Expected Behavior: Mouse unhides after moving it.
Actual Behavior: Mouse continues to stay hidden after moving it.

Extra testing

  1. This issue is caused by firejail, running librewolf/firefox without firejail has no such issues.
  2. This issue does not happen on KDE-PLASMA running wayland
  3. This issue does not occur with chromium

Supplemental Information

Firejail version: 0.9.70
SwayWM version: 1.7
Distrobution: NixOS 22.11

Originally created by @FarisFiroz on GitHub (Jan 22, 2023). Original GitHub issue: https://github.com/netblue30/firejail/issues/5611 ## Description On a firejail sandboxed instance of firefox based browsers on swayWM, if the cursor is changed inside the browser, it has trouble changing back. This is most notable when the cursor is hidden such as when viewing a video. Once this happens, the cursor is forever hidden inside that window. Moving the cursor outside the window fixes it, but moving the cursor back inside the window breaks it. ## Steps to reproduce 1. Use the default librewolf firejail profile and launch librewolf inside of firejail on swayWM. (You can also use firefox to achieve the same effect) 2. Open a video of some sort (Youtube). 3. Put mouse over video or fullscreen and wait for mouse to hide. 4. Once mouse hides, move the mouse. ***Expected Behavior:*** Mouse unhides after moving it. ***Actual Behavior:*** Mouse continues to stay hidden after moving it. ## Extra testing 1. This issue is caused by firejail, running librewolf/firefox without firejail has no such issues. 3. This issue does not happen on KDE-PLASMA running wayland 4. This issue does not occur with chromium ## Supplemental Information *Firejail version:* 0.9.70 *SwayWM version:* 1.7 *Distrobution:* NixOS 22.11
gitea-mirror added the
workaround
 label 2026-05-05 09:41:24 -06:00
gitea-mirror commented 2026-05-05 09:41:25 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jan 22, 2023):

Can you test with --noprofile.

<!-- gh-comment-id:1399430865 --> @rusty-snake commented on GitHub (Jan 22, 2023): Can you test with `--noprofile`.
gitea-mirror commented 2026-05-05 09:41:26 -06:00
Author
Owner
Copy link

@FarisFiroz commented on GitHub (Jan 22, 2023):

Yes, --noprofile allows for it to work as expected. I did just notice something though. I have a qt mouse when running with --noprofile or when not sand-boxed at all. However, when running with the librewolf.profile and firefox.profile, I do not. I believe this may be relevant.

<!-- gh-comment-id:1399440458 --> @FarisFiroz commented on GitHub (Jan 22, 2023): Yes, --noprofile allows for it to work as expected. I did just notice something though. I have a qt mouse when running with --noprofile or when not sand-boxed at all. However, when running with the librewolf.profile and firefox.profile, I do not. I believe this may be relevant.
gitea-mirror commented 2026-05-05 09:41:27 -06:00
Author
Owner
Copy link

@FarisFiroz commented on GitHub (Jan 22, 2023):

I checked the console and now see this:

Gdk-Message: 10:01:17.733: Unable to load left_ptr from the cursor theme

but only when sandboxed with firejail using the librewolf profile. Thats a gtk error so honestly i'm a bit lost, maybe I was wrong in my last message about it being a qt cursor.

<!-- gh-comment-id:1399444914 --> @FarisFiroz commented on GitHub (Jan 22, 2023): I checked the console and now see this: ``` Gdk-Message: 10:01:17.733: Unable to load left_ptr from the cursor theme ``` but only when sandboxed with firejail using the librewolf profile. Thats a gtk error so honestly i'm a bit lost, maybe I was wrong in my last message about it being a qt cursor.
gitea-mirror commented 2026-05-05 09:41:27 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Jan 22, 2023):

Gdk-Message: 10:01:17.733: Unable to load left_ptr from the cursor theme

See https://wiki.archlinux.org/title/Cursor_themes#Create_links_to_missing_cursors. In fact, that whole wiki page might be helpful to check. AFAIK mozilla browsers use GTK theming, so if you're using Qt cursor theme(s) this would make sense.

<!-- gh-comment-id:1399446875 --> @ghost commented on GitHub (Jan 22, 2023): > Gdk-Message: 10:01:17.733: Unable to load left_ptr from the cursor theme See https://wiki.archlinux.org/title/Cursor_themes#Create_links_to_missing_cursors. In fact, that whole wiki page might be helpful to check. AFAIK mozilla browsers use GTK theming, so if you're using Qt cursor theme(s) this would make sense.
gitea-mirror commented 2026-05-05 09:41:28 -06:00
Author
Owner
Copy link

@FarisFiroz commented on GitHub (Jan 22, 2023):

See https://wiki.archlinux.org/title/Cursor_themes#Create_links_to_missing_cursors. In fact, that whole wiki page might be helpful to check.

I read through this, but unfortunately I am using nixOS and don't have a .icons directory at all. I did however do a check, I am using the breeze gtk theme and not the breeze qt theme. They look identical so I got a bit confused.

<!-- gh-comment-id:1399454594 --> @FarisFiroz commented on GitHub (Jan 22, 2023): > See https://wiki.archlinux.org/title/Cursor_themes#Create_links_to_missing_cursors. In fact, that whole wiki page might be helpful to check. I read through this, but unfortunately I am using nixOS and don't have a .icons directory at all. I did however do a check, I am using the breeze gtk theme and not the breeze qt theme. They look identical so I got a bit confused.
gitea-mirror commented 2026-05-05 09:41:28 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jan 22, 2023):

So the reason could be that the cursor icon isn't accessible by Firefox. Now the question is where is it installed or configured.

<!-- gh-comment-id:1399462200 --> @rusty-snake commented on GitHub (Jan 22, 2023): So the reason could be that the cursor icon isn't accessible by Firefox. Now the question is where is it installed or configured.
gitea-mirror commented 2026-05-05 09:41:29 -06:00
Author
Owner
Copy link

@FarisFiroz commented on GitHub (Jan 22, 2023):

Okay so here is what I have found so far:

The theme is stored in the /nix/store. This is where all packages in nixOS are stored. (This may be different if using home-manager, but I am not.)

The good thing is, every node in the nix-store is immutable so I don't believe allowing read access to them from a container/sandbox poses any security risk.

That being said, It does mean that someone who is willing to look through my store can read the different packages, derivations, etc. that I have built, so it's not exactly the "best" solution.

<!-- gh-comment-id:1399601488 --> @FarisFiroz commented on GitHub (Jan 22, 2023): Okay so here is what I have found so far: The theme is stored in the /nix/store. This is where all packages in nixOS are stored. (This may be different if using home-manager, but I am not.) The good thing is, every node in the nix-store is immutable so I don't believe allowing read access to them from a container/sandbox poses any security risk. That being said, It does mean that someone who is willing to look through my store can read the different packages, derivations, etc. that I have built, so it's not exactly the "best" solution.
gitea-mirror commented 2026-05-05 09:41:29 -06:00
Author
Owner
Copy link

@FarisFiroz commented on GitHub (Jan 22, 2023):

Update: Allowing read-write access to the nix-store and nix-var does not fix anything

<!-- gh-comment-id:1399602918 --> @FarisFiroz commented on GitHub (Jan 22, 2023): Update: Allowing read-write access to the nix-store and nix-var does not fix anything
gitea-mirror commented 2026-05-05 09:41:30 -06:00
Author
Owner
Copy link

@kmk3 commented on GitHub (Jan 22, 2023):

Does this happen with firejail 0.9.72?

This does indeed seem like a path-related issue, so try disabling/commenting
all whitelist commands (for example, in librewolf.profile) to see if it works.

Then re-enable one by one to see which one breaks it.

If it does not change anything, considering that --noprofile works, try
doing the above for all commands in the profile (and included profiles).

<!-- gh-comment-id:1399618003 --> @kmk3 commented on GitHub (Jan 22, 2023): Does this happen with firejail 0.9.72? This does indeed seem like a path-related issue, so try disabling/commenting all whitelist commands (for example, in librewolf.profile) to see if it works. Then re-enable one by one to see which one breaks it. If it does not change anything, considering that `--noprofile` works, try doing the above for all commands in the profile (and included profiles).
gitea-mirror commented 2026-05-05 09:41:30 -06:00
Author
Owner
Copy link

@FarisFiroz commented on GitHub (Jan 22, 2023):

It seems that uncommenting the inclusion of the Firefox.profile does do "something". It is able to find a theme. With that being said, this is not breeze-dark(my theme), I have no idea where it is getting this data from. That being said, this is an improvement from not having a theme whatsoever. I will look more into firefox.profile to see what is breaking from inside that.

<!-- gh-comment-id:1399619704 --> @FarisFiroz commented on GitHub (Jan 22, 2023): It seems that uncommenting the inclusion of the Firefox.profile does do "something". It is able to find a theme. With that being said, this is not breeze-dark(my theme), I have no idea where it is getting this data from. That being said, this is an improvement from not having a theme whatsoever. I will look more into firefox.profile to see what is breaking from inside that.
gitea-mirror commented 2026-05-05 09:41:31 -06:00
Author
Owner
Copy link

@FarisFiroz commented on GitHub (Jan 22, 2023):

Does this happen with firejail 0.9.72?

Unfortunately, nix packages doesn't have 0.9.72 even on the unstable branch.

<!-- gh-comment-id:1399620960 --> @FarisFiroz commented on GitHub (Jan 22, 2023): > Does this happen with firejail 0.9.72? Unfortunately, nix packages doesn't have 0.9.72 even on the unstable branch.
gitea-mirror commented 2026-05-05 09:41:31 -06:00
Author
Owner
Copy link

@FarisFiroz commented on GitHub (Jan 22, 2023):

I have found the issue.

The line

include whitelist-run-common.inc

breaks things.

Moreover

apparmor-replace

is not valid according to the errors I'm getting.

Will now look into whitelist-run-common.inc.

<!-- gh-comment-id:1399626669 --> @FarisFiroz commented on GitHub (Jan 22, 2023): I have found the issue. The line ``` include whitelist-run-common.inc ``` breaks things. Moreover ``` apparmor-replace ``` is not valid according to the errors I'm getting. Will now look into whitelist-run-common.inc.
gitea-mirror commented 2026-05-05 09:41:31 -06:00
Author
Owner
Copy link

@FarisFiroz commented on GitHub (Jan 22, 2023):

So it seems that trying to whitelist anything from the /run directory on nixos breaks things. I have tried to read and understand the debug log but I don't understand what's wrong. I have attached the debug output below.

output.txt

<!-- gh-comment-id:1399631880 --> @FarisFiroz commented on GitHub (Jan 22, 2023): So it seems that trying to whitelist anything from the /run directory on nixos breaks things. I have tried to read and understand the debug log but I don't understand what's wrong. I have attached the debug output below. [output.txt](https://github.com/netblue30/firejail/files/10475694/output.txt)
gitea-mirror commented 2026-05-05 09:41:32 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Jan 23, 2023):

apparmor-replace is not valid according to the errors I'm getting.

We already ignore apparmor in librewolf.profile. To me it makes sense to also ignore apparmor-replace there. You could open a PR for that. Before doing so it might help if you could show the errors from which you conclude it 'is not valid'. I can't see anything related to AppArmor in your attached output.txt.

Also, as indicated by your output.txt there are several overrides (*.local files that get included too) in play here. I'm not suggesting there's something wrong with that. But it makes debugging this slightly more difficult without seeing their content. Please post those as well.

<!-- gh-comment-id:1399890476 --> @ghost commented on GitHub (Jan 23, 2023): > apparmor-replace is not valid according to the errors I'm getting. We already `ignore apparmor` in librewolf.profile. To me it makes sense to also `ignore apparmor-replace` there. You could open a PR for that. Before doing so it might help if you could show the errors from which you conclude it 'is not valid'. I can't see anything related to AppArmor in your attached output.txt. Also, as indicated by your output.txt there are several overrides (*.local files that get included too) in play here. I'm not suggesting there's something wrong with that. But it makes debugging this slightly more difficult without seeing their content. Please post those as well.
gitea-mirror commented 2026-05-05 09:41:32 -06:00
Author
Owner
Copy link

@FarisFiroz commented on GitHub (Jan 23, 2023):

I can't see anything related to AppArmor in your attached output.txt.

Apologies, I uncommented apparmor-replace. Here is my error:

Error: line 36 in /home/faris/.config/FirejailProfiles/firefox-common.profile is invalid

Also, as indicated by your output.txt there are several overrides (*.local files that get included too) in play here. I'm not suggesting there's something wrong with that. But it makes debugging this slightly more difficult without seeing their content. Please post those as well.

Unfortunately, I have not set up any overrides, it must be nixos's doing. The only thing that I have done is copy paste the profiles into my home folder so I can edit them. (They are immutable by default due to nixos).

Just FYI, I uncommented most of the files in whitelist-run-common.inc when taking this output I was uncommenting and recommenting things as needed, I will set everything to default and take another output.

<!-- gh-comment-id:1400305977 --> @FarisFiroz commented on GitHub (Jan 23, 2023): > I can't see anything related to AppArmor in your attached output.txt. Apologies, I uncommented apparmor-replace. Here is my error: ``` Error: line 36 in /home/faris/.config/FirejailProfiles/firefox-common.profile is invalid ``` > Also, as indicated by your output.txt there are several overrides (*.local files that get included too) in play here. I'm not suggesting there's something wrong with that. But it makes debugging this slightly more difficult without seeing their content. Please post those as well. Unfortunately, I have not set up any overrides, it must be nixos's doing. The only thing that I have done is copy paste the profiles into my home folder so I can edit them. (They are immutable by default due to nixos). Just FYI, I uncommented most of the files in whitelist-run-common.inc when taking this output I was uncommenting and recommenting things as needed, I will set everything to default and take another output.
gitea-mirror commented 2026-05-05 09:41:33 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Jan 23, 2023):

Error: line 36 in /home/faris/.config/FirejailProfiles/firefox-common.profile is invalid
...
Unfortunately, I have not set up any overrides, it must be nixos's doing.

Thank you for this info. Regarding apparmor-replace. That was introduced after 0.9.70 was released, so the error looks correct. I'm not familiar with nixos, nor with the way it packages Firejail. But seeing newer profiles mixed into an older release isn't exactly reassuring. If it was me I'd report such things on a OS bug tracker.

Alas, I'm clueless at the moment on how to proceed here to fix the issue. Hopefully you can find something to drop from or add to whitelist-run-common.inc.

<!-- gh-comment-id:1400400653 --> @ghost commented on GitHub (Jan 23, 2023): > Error: line 36 in /home/faris/.config/FirejailProfiles/firefox-common.profile is invalid ... Unfortunately, I have not set up any overrides, it must be nixos's doing. Thank you for this info. Regarding `apparmor-replace`. That was introduced [after](https://github.com/netblue30/firejail/commit/286c8a137433449d2cce8fafbb1fc4f95907ba98) 0.9.70 was released, so the error looks correct. I'm not familiar with nixos, nor with the way it packages Firejail. But seeing newer profiles mixed into an older release isn't exactly reassuring. If it was me I'd report such things on a OS bug tracker. Alas, I'm clueless at the moment on how to proceed here to fix the issue. Hopefully you can find something to drop from or add to whitelist-run-common.inc.
gitea-mirror commented 2026-05-05 09:41:33 -06:00
Author
Owner
Copy link

@FarisFiroz commented on GitHub (Jan 23, 2023):

But seeing newer profiles mixed into an older release isn't exactly reassuring. If it was me I'd report such things on a OS bug tracker.

This is my fault, It's difficult to find the immutable /etc/ specifically for the package and I found it easier to download the necessary files from the repo. I apologize.

I've included the other output directly using the immutable etc for the package.
output.txt

<!-- gh-comment-id:1400411446 --> @FarisFiroz commented on GitHub (Jan 23, 2023): >But seeing newer profiles mixed into an older release isn't exactly reassuring. If it was me I'd report such things on a OS bug tracker. This is my fault, It's difficult to find the immutable /etc/ specifically for the package and I found it easier to download the necessary files from the repo. I apologize. I've included the other output directly using the immutable etc for the package. [output.txt](https://github.com/netblue30/firejail/files/10480438/output.txt)
gitea-mirror commented 2026-05-05 09:41:33 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Jan 23, 2023):

This is my fault...

No worries, that can happen. You're not the first one to try newer profiles on an older release to fix a problem. Just keep in mind that this is likely to create incompatibility issues and is not advised.

[...]
Starting application
LD_PRELOAD=(null)
execvp argument 0: /nix/store/ni0fhr4sxyxx9l627dpzzqss4842iwvq-librewolf-109.0-1/bin/librewolf
Crash Annotation GraphicsCriticalError: |[0][GFX1-]: glxtest: VA-API test failed: failed to initialise VAAPI connection. (t=2.2008) [GFX1-]: glxtest: VA-API test failed: failed to initialise VAAPI connection.
console.error: (new SyntaxError("The URI is malformed.", (void 0), 133))
console.error: (new SyntaxError("The URI is malformed.", (void 0), 133))
console.error: (new SyntaxError("The URI is malformed.", (void 0), 133))
console.error: (new SyntaxError("The URI is malformed.", (void 0), 133))
console.error: (new SyntaxError("The URI is malformed.", (void 0), 133))
console.error: BroadcastService: 
  receivedBroadcastMessage: handler for
  remote-settings/monitor_changes
  threw error:
  Message: Error: Polling for changes failed: The URI is malformed..
[...]

In this context we can ignore the VA-API part. Does librewolf 109.0 throw the same console error when started without firejail? The execvp argument 0: /nix/store/ni0fhr4sxyxx9l627dpzzqss4842iwvq-librewolf-109.0-1/bin/librewolf indicates no URI was fed to it. Why it would complain about a malformed URI in such case is beyond me. What happens when you run it with https://example.org (or any other specific one you use regularly)?

<!-- gh-comment-id:1400451914 --> @ghost commented on GitHub (Jan 23, 2023): > This is my fault... No worries, that can happen. You're not the first one to try newer profiles on an older release to fix a problem. Just keep in mind that this is likely to create incompatibility issues and is not advised. ``` [...] Starting application LD_PRELOAD=(null) execvp argument 0: /nix/store/ni0fhr4sxyxx9l627dpzzqss4842iwvq-librewolf-109.0-1/bin/librewolf Crash Annotation GraphicsCriticalError: |[0][GFX1-]: glxtest: VA-API test failed: failed to initialise VAAPI connection. (t=2.2008) [GFX1-]: glxtest: VA-API test failed: failed to initialise VAAPI connection. console.error: (new SyntaxError("The URI is malformed.", (void 0), 133)) console.error: (new SyntaxError("The URI is malformed.", (void 0), 133)) console.error: (new SyntaxError("The URI is malformed.", (void 0), 133)) console.error: (new SyntaxError("The URI is malformed.", (void 0), 133)) console.error: (new SyntaxError("The URI is malformed.", (void 0), 133)) console.error: BroadcastService: receivedBroadcastMessage: handler for remote-settings/monitor_changes threw error: Message: Error: Polling for changes failed: The URI is malformed.. [...] ``` In this context we can ignore the VA-API part. Does librewolf 109.0 throw the same console error when started without firejail? The `execvp argument 0: /nix/store/ni0fhr4sxyxx9l627dpzzqss4842iwvq-librewolf-109.0-1/bin/librewolf` indicates no URI was fed to it. Why it would complain about a malformed URI in such case is beyond me. What happens when you run it with https://example.org (or any other specific one you use regularly)?
gitea-mirror commented 2026-05-05 09:41:34 -06:00
Author
Owner
Copy link

@FarisFiroz commented on GitHub (Jan 23, 2023):

Yes this is not an issue with firejail. It seems to do this regardless of if I put a valid URL in. Either way, this doesn't seem to inhibit the usability of the program.

<!-- gh-comment-id:1400477642 --> @FarisFiroz commented on GitHub (Jan 23, 2023): Yes this is not an issue with firejail. It seems to do this regardless of if I put a valid URL in. Either way, this doesn't seem to inhibit the usability of the program.
gitea-mirror commented 2026-05-05 09:41:34 -06:00
Author
Owner
Copy link

@kmk3 commented on GitHub (Jan 23, 2023):

@glitsj16 on Jan 23:

[...]
Starting application
LD_PRELOAD=(null)
execvp argument 0: /nix/store/ni0fhr4sxyxx9l627dpzzqss4842iwvq-librewolf-109.0-1/bin/librewolf
Crash Annotation GraphicsCriticalError: |[0][GFX1-]: glxtest: VA-API test failed: failed to initialise VAAPI connection. (t=2.2008) [GFX1-]: glxtest: VA-API test failed: failed to initialise VAAPI connection.
console.error: (new SyntaxError("The URI is malformed.", (void 0), 133))
console.error: (new SyntaxError("The URI is malformed.", (void 0), 133))
console.error: (new SyntaxError("The URI is malformed.", (void 0), 133))
console.error: (new SyntaxError("The URI is malformed.", (void 0), 133))
console.error: (new SyntaxError("The URI is malformed.", (void 0), 133))
console.error: BroadcastService: 
  receivedBroadcastMessage: handler for
  remote-settings/monitor_changes
  threw error:
  Message: Error: Polling for changes failed: The URI is malformed..
[...]

In this context we can ignore the VA-API part. Does librewolf 109.0 throw the
same console error when started without firejail? The execvp argument 0: /nix/store/ni0fhr4sxyxx9l627dpzzqss4842iwvq-librewolf-109.0-1/bin/librewolf
indicates no URI was fed to it. Why it would complain about a malformed URI
in such case is beyond me. What happens when you run it with
https://example.org (or any other specific one you use regularly)?

FWIW I get similar errors on Artix and the program seems to work fine (though
I'm not using any special themes). I think that these specific ones started on
109, but librewolf has been printing weird JS errors on startup for a while.

<!-- gh-comment-id:1400483391 --> @kmk3 commented on GitHub (Jan 23, 2023): @glitsj16 [on Jan 23](https://github.com/netblue30/firejail/issues/5611#issuecomment-1400451914): > ``` > [...] > Starting application > LD_PRELOAD=(null) > execvp argument 0: /nix/store/ni0fhr4sxyxx9l627dpzzqss4842iwvq-librewolf-109.0-1/bin/librewolf > Crash Annotation GraphicsCriticalError: |[0][GFX1-]: glxtest: VA-API test failed: failed to initialise VAAPI connection. (t=2.2008) [GFX1-]: glxtest: VA-API test failed: failed to initialise VAAPI connection. > console.error: (new SyntaxError("The URI is malformed.", (void 0), 133)) > console.error: (new SyntaxError("The URI is malformed.", (void 0), 133)) > console.error: (new SyntaxError("The URI is malformed.", (void 0), 133)) > console.error: (new SyntaxError("The URI is malformed.", (void 0), 133)) > console.error: (new SyntaxError("The URI is malformed.", (void 0), 133)) > console.error: BroadcastService: > receivedBroadcastMessage: handler for > remote-settings/monitor_changes > threw error: > Message: Error: Polling for changes failed: The URI is malformed.. > [...] > ``` > > In this context we can ignore the VA-API part. Does librewolf 109.0 throw the > same console error when started without firejail? The `execvp argument 0: > /nix/store/ni0fhr4sxyxx9l627dpzzqss4842iwvq-librewolf-109.0-1/bin/librewolf` > indicates no URI was fed to it. Why it would complain about a malformed URI > in such case is beyond me. What happens when you run it with > https://example.org (or any other specific one you use regularly)? FWIW I get similar errors on Artix and the program seems to work fine (though I'm not using any special themes). I think that these specific ones started on 109, but librewolf has been printing weird JS errors on startup for a while.
gitea-mirror commented 2026-05-05 09:41:34 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Jan 23, 2023):

@kmk3 Thanks for these de-confusing details on latest librewolf :-)

It would be nice to find out if indeed whitelist-run-common.inc is (fully) broken on nixos. But at the moment I'm unable to install a third OS on my laptop to play around with it.

<!-- gh-comment-id:1400773105 --> @ghost commented on GitHub (Jan 23, 2023): @kmk3 Thanks for these de-confusing details on latest librewolf :-) It would be nice to find out if indeed `whitelist-run-common.inc` is (fully) broken on `nixos`. But at the moment I'm unable to install a third OS on my laptop to play around with it.
gitea-mirror commented 2026-05-05 09:41:35 -06:00
Author
Owner
Copy link

@FarisFiroz commented on GitHub (Jan 24, 2023):

It would be nice to find out if indeed whitelist-run-common.inc is (fully) broken on nixos.

It is not "fully" broken as far as I can tell. whitelist-run-common.inc works fine(minus the cursor issue) when using the default firefox-common.profile in the immutable /etc. Unfortunately, it seems to fully break the minute I am using a firefox-common.profile not in the package's immutable /etc.

<!-- gh-comment-id:1401447293 --> @FarisFiroz commented on GitHub (Jan 24, 2023): > It would be nice to find out if indeed `whitelist-run-common.inc` is (fully) broken on `nixos`. It is not "fully" broken as far as I can tell. whitelist-run-common.inc works fine(minus the cursor issue) when using the default firefox-common.profile in the immutable /etc. Unfortunately, it seems to fully break the minute I am using a firefox-common.profile not in the package's immutable /etc.
gitea-mirror commented 2026-05-05 09:41:35 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Jan 24, 2023):

Unfortunately, it seems to fully break the minute I am using a firefox-common.profile not in the package's immutable /etc.

Can you create per-user overrides in ${HOME}/.config/firejail? In other words, you do have access to Firejail's overrides functionality on nixos, correct? Although syntactically different, the below should all have the same result.

$ cat ~/.config/firejail/firefox-common.local
ignore include whitelist-run-common.inc

Or

$ cat ~/.config/firejail/firefox-common.profile
ignore include whitelist-run-common.inc
include /etc/firejail/firefox-common.profile

Or

$ cat ~/.config/firejail/librewolf.local
ignore include whitelist-run-common.inc
<!-- gh-comment-id:1401461998 --> @ghost commented on GitHub (Jan 24, 2023): > Unfortunately, it seems to fully break the minute I am using a firefox-common.profile not in the package's immutable /etc. Can you create per-user overrides in ${HOME}/.config/firejail? In other words, you do have access to Firejail's overrides functionality on nixos, correct? Although syntactically different, the below should all have the same result. ```console $ cat ~/.config/firejail/firefox-common.local ignore include whitelist-run-common.inc ``` Or ```console $ cat ~/.config/firejail/firefox-common.profile ignore include whitelist-run-common.inc include /etc/firejail/firefox-common.profile ``` Or ```console $ cat ~/.config/firejail/librewolf.local ignore include whitelist-run-common.inc ```
gitea-mirror commented 2026-05-05 09:41:36 -06:00
Author
Owner
Copy link

@FarisFiroz commented on GitHub (Jan 26, 2023):

  • The overrides feature is working (at the very least, my .local file is being loaded). However,
ignore whitelist-run-common.inc

does nothing.

<!-- gh-comment-id:1404464943 --> @FarisFiroz commented on GitHub (Jan 26, 2023): - The overrides feature is working (at the very least, my .local file is being loaded). However, ``` ignore whitelist-run-common.inc ``` does nothing.
gitea-mirror commented 2026-05-05 09:41:36 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Jan 26, 2023):

Glad to hear your overrides are being loaded. Less happy about the mistake I made :-) It should be ignore include whitelist-run-common.inc! My apologies. I've edited the examples with the correct option.

<!-- gh-comment-id:1404675069 --> @ghost commented on GitHub (Jan 26, 2023): Glad to hear your overrides are being loaded. Less happy about the mistake I made :-) It should be `ignore include whitelist-run-common.inc`! My apologies. I've edited the examples with the correct option.
gitea-mirror commented 2026-05-05 09:41:36 -06:00
Author
Owner
Copy link

@FarisFiroz commented on GitHub (Jan 27, 2023):

Less happy about the mistake I made :-)

No worries, it's nice to see that I can finally get back to debugging the issue.

Anyways yes, putting the new setting into firefox-common.local has the same behavior as using custom profiles.

<!-- gh-comment-id:1405849916 --> @FarisFiroz commented on GitHub (Jan 27, 2023): > Less happy about the mistake I made :-) No worries, it's nice to see that I can finally get back to debugging the issue. Anyways yes, putting the new setting into firefox-common.local has the same behavior as using custom profiles.
gitea-mirror commented 2026-05-05 09:41:37 -06:00
Author
Owner
Copy link

@graham00 commented on GitHub (Aug 10, 2025):

I had a similar issue (on NixOS) with ungoogled-chromium, using chromium-browser.profile, where my cursor was tiny when interacting with chromium windows (it wasn't picking up the larger gnome cursor I had configured). I found this thread and added --ignore="include whitelist-run-common.inc" and my cursor was back to normal.

I also tried locally overriding whitelist-run-common.inc and commenting all the lines out but one. It didn't matter which one I left...whether it was a path that existed or not, if 100% of the whitelist statements in there weren't commented out, the problem would occur.

Strangely, I also run librewolf, and librewolf.profile by default calls whitelist-run-common.inc as well, but in its case, my cursor was perfectly fine.

Was something perhaps done in the intervening years that fixed this for firefox, but left a cursor/whitelist-run-common.inc/?nixos? related issue for chromium? @FarisFiroz - are you still experiencing the cursor issue now with firefox, if you remove your ignore statement?

<!-- gh-comment-id:3172326772 --> @graham00 commented on GitHub (Aug 10, 2025): I had a similar issue (_on NixOS_) with ungoogled-chromium, using chromium-browser.profile, where my cursor was tiny when interacting with chromium windows (_it wasn't picking up the larger gnome cursor I had configured_). I found this thread and added `--ignore="include whitelist-run-common.inc"` and my cursor was back to normal. I also tried locally overriding whitelist-run-common.inc and commenting all the lines out but one. It didn't matter which one I left...whether it was a path that existed or not, if 100% of the whitelist statements in there weren't commented out, the problem would occur. Strangely, I also run librewolf, and librewolf.profile by default calls whitelist-run-common.inc as well, but in its case, my cursor was perfectly fine. Was something perhaps done in the intervening years that fixed this for firefox, but left a cursor/whitelist-run-common.inc/?nixos? related issue for chromium? @FarisFiroz - are you still experiencing the cursor issue now with firefox, if you remove your ignore statement?
gitea-mirror commented 2026-05-05 09:41:37 -06:00
Author
Owner
Copy link

@kmk3 commented on GitHub (Aug 10, 2025):

I also tried locally overriding whitelist-run-common.inc and commenting all
the lines out but one. It didn't matter which one I left...whether it was a
path that existed or not, if 100% of the whitelist statements in there
weren't commented out, the problem would occur.

This is how whitelisting currently works: Any whitelist command enables
whitelisting for the relevant base directory.

I had a similar issue (on NixOS) with ungoogled-chromium, using
chromium-browser.profile, where my cursor was tiny when interacting with
chromium windows (it wasn't picking up the larger gnome cursor I had
configured). I found this thread and added --ignore="include whitelist-run-common.inc" and my cursor was back to normal.

What is the output of the following (similarly to #6843)?

strace -f --trace=%file -o /tmp/strace.txt \
  /usr/bin/chromium
echo
cat /tmp/strace.txt

firejail --allow-debuggers --trace=/tmp/fjtrace.txt --ignore=private-tmp \
  --profile=/etc/firejail/chromium.profile \
  /usr/bin/chromium
echo
cat /tmp/fjtrace.txt

(Replace /usr/bin/chromium with whatever the path is on NixOS)

<!-- gh-comment-id:3172505070 --> @kmk3 commented on GitHub (Aug 10, 2025): > I also tried locally overriding whitelist-run-common.inc and commenting all > the lines out but one. It didn't matter which one I left...whether it was a > path that existed or not, if 100% of the whitelist statements in there > weren't commented out, the problem would occur. This is how whitelisting currently works: Any `whitelist` command enables whitelisting for the relevant base directory. > I had a similar issue (_on NixOS_) with ungoogled-chromium, using > chromium-browser.profile, where my cursor was tiny when interacting with > chromium windows (_it wasn't picking up the larger gnome cursor I had > configured_). I found this thread and added `--ignore="include > whitelist-run-common.inc"` and my cursor was back to normal. What is the output of the following (similarly to #6843)? ```sh strace -f --trace=%file -o /tmp/strace.txt \ /usr/bin/chromium echo cat /tmp/strace.txt ``` ```sh firejail --allow-debuggers --trace=/tmp/fjtrace.txt --ignore=private-tmp \ --profile=/etc/firejail/chromium.profile \ /usr/bin/chromium echo cat /tmp/fjtrace.txt ``` (Replace `/usr/bin/chromium` with whatever the path is on NixOS)
gitea-mirror commented 2026-05-05 09:41:38 -06:00
Author
Owner
Copy link

@graham00 commented on GitHub (Aug 10, 2025):

The fjtrace.txt was 0 bytes, and the strace produced a 5MB file - not sure how best to get that linked here, however...

This is how whitelisting currently works: Any whitelist command enables whitelisting for the relevant base directory.

Oh that's right, thanks! That clued me in to try whitelisting everything in /run item by item and selectively pairing down till I figured out what was causing the problem.

Adding the following fixes things:

--whitelist=/run/current-system/sw

Apparently that's where NixOS keeps the equivalent of /usr/bin,/usr/sbin,/usr/share,etc, in a read-only overlay mount. (I'm still new to NixOS)

[user1@nixos:/run/current-system]$ ls -l
total 72
...
lrwxrwxrwx 1 root root   55 Dec 31  1969 sw -> /nix/store/zbjcck36rg5waj2la62bqyak74rh03l7-system-path

[user1@nixos:/run/current-system/sw]$ ls -l
total 0
dr-xr-xr-x 1 root root 22462 Dec 31  1969 bin
dr-xr-xr-x 1 root root    80 Dec 31  1969 etc
dr-xr-xr-x 1 root root 14110 Dec 31  1969 lib
dr-xr-xr-x 1 root root  9844 Dec 31  1969 sbin
dr-xr-xr-x 1 root root  2398 Dec 31  1969 share

[user1@nixos:/run/current-system/sw/bin]$ ls -l | head
total 5184
lrwxrwxrwx 1 root root  68 Dec 31  1969 [ -> /nix/store/0a5fbp4mn8bq66qdcb1abvlahbpa6bwc-coreutils-full-9.7/bin/[
lrwxrwxrwx 1 root root  70 Dec 31  1969 accessdb -> /nix/store/17a3l57c8lnfaqbxfw9f7m9wriazv5vj-man-db-2.13.0/bin/accessdb
lrwxrwxrwx 1 root root  74 Dec 31  1969 aconnect -> /nix/store/fvzgi1zmpy9g22625i41sgyzhlq1n9ag-alsa-utils-1.2.13/bin/aconnect
lrwxrwxrwx 1 root root  75 Dec 31  1969 addpart -> /nix/store/m10ngkbjxbj0lqdq6rsyys9h2gj1f27d-util-linux-2.41-bin/bin/addpart

How much does having the non-FHS paths not covered by the default firejail profiles compromise its effective security in nixos?

<!-- gh-comment-id:3172800903 --> @graham00 commented on GitHub (Aug 10, 2025): The fjtrace.txt was 0 bytes, and the strace produced a 5MB file - not sure how best to get that linked here, however... > This is how whitelisting currently works: Any `whitelist` command enables whitelisting for the relevant base directory. Oh that's right, thanks! That clued me in to try whitelisting everything in /run item by item and selectively pairing down till I figured out what was causing the problem. Adding the following fixes things: ` --whitelist=/run/current-system/sw` Apparently that's where NixOS keeps the equivalent of /usr/bin,/usr/sbin,/usr/share,etc, in a read-only overlay mount. (I'm still new to NixOS) ``` [user1@nixos:/run/current-system]$ ls -l total 72 ... lrwxrwxrwx 1 root root 55 Dec 31 1969 sw -> /nix/store/zbjcck36rg5waj2la62bqyak74rh03l7-system-path [user1@nixos:/run/current-system/sw]$ ls -l total 0 dr-xr-xr-x 1 root root 22462 Dec 31 1969 bin dr-xr-xr-x 1 root root 80 Dec 31 1969 etc dr-xr-xr-x 1 root root 14110 Dec 31 1969 lib dr-xr-xr-x 1 root root 9844 Dec 31 1969 sbin dr-xr-xr-x 1 root root 2398 Dec 31 1969 share [user1@nixos:/run/current-system/sw/bin]$ ls -l | head total 5184 lrwxrwxrwx 1 root root 68 Dec 31 1969 [ -> /nix/store/0a5fbp4mn8bq66qdcb1abvlahbpa6bwc-coreutils-full-9.7/bin/[ lrwxrwxrwx 1 root root 70 Dec 31 1969 accessdb -> /nix/store/17a3l57c8lnfaqbxfw9f7m9wriazv5vj-man-db-2.13.0/bin/accessdb lrwxrwxrwx 1 root root 74 Dec 31 1969 aconnect -> /nix/store/fvzgi1zmpy9g22625i41sgyzhlq1n9ag-alsa-utils-1.2.13/bin/aconnect lrwxrwxrwx 1 root root 75 Dec 31 1969 addpart -> /nix/store/m10ngkbjxbj0lqdq6rsyys9h2gj1f27d-util-linux-2.41-bin/bin/addpart ``` How much does having the non-FHS paths not covered by the default firejail profiles compromise its effective security in nixos?
gitea-mirror commented 2026-05-05 09:41:38 -06:00
Author
Owner
Copy link

@kmk3 commented on GitHub (Aug 13, 2025):

The fjtrace.txt was 0 bytes, and the strace produced a 5MB file - not sure
how best to get that linked here, however...

You can just click below the comment or drag and drop a file into it to upload
the file:

This is how whitelisting currently works: Any whitelist command enables
whitelisting for the relevant base directory.

Oh that's right, thanks! That clued me in to try whitelisting everything in
/run item by item and selectively pairing down till I figured out what was
causing the problem.

Adding the following fixes things:

--whitelist=/run/current-system/sw

Apparently that's where NixOS keeps the equivalent of
/usr/bin,/usr/sbin,/usr/share,etc, in a read-only overlay mount. (I'm still
new to NixOS)

[user1@nixos:/run/current-system]$ ls -l
total 72
...
lrwxrwxrwx 1 root root   55 Dec 31  1969 sw -> /nix/store/zbjcck36rg5waj2la62bqyak74rh03l7-system-path

[user1@nixos:/run/current-system/sw]$ ls -l
total 0
dr-xr-xr-x 1 root root 22462 Dec 31  1969 bin
dr-xr-xr-x 1 root root    80 Dec 31  1969 etc
dr-xr-xr-x 1 root root 14110 Dec 31  1969 lib
dr-xr-xr-x 1 root root  9844 Dec 31  1969 sbin
dr-xr-xr-x 1 root root  2398 Dec 31  1969 share

[user1@nixos:/run/current-system/sw/bin]$ ls -l | head
total 5184
lrwxrwxrwx 1 root root  68 Dec 31  1969 [ -> /nix/store/0a5fbp4mn8bq66qdcb1abvlahbpa6bwc-coreutils-full-9.7/bin/[
lrwxrwxrwx 1 root root  70 Dec 31  1969 accessdb -> /nix/store/17a3l57c8lnfaqbxfw9f7m9wriazv5vj-man-db-2.13.0/bin/accessdb
lrwxrwxrwx 1 root root  74 Dec 31  1969 aconnect -> /nix/store/fvzgi1zmpy9g22625i41sgyzhlq1n9ag-alsa-utils-1.2.13/bin/aconnect
lrwxrwxrwx 1 root root  75 Dec 31  1969 addpart -> /nix/store/m10ngkbjxbj0lqdq6rsyys9h2gj1f27d-util-linux-2.41-bin/bin/addpart

I see, nice that at least it works.

Maybe the NixOS paths could be conditionally added to macros when building on
NixOS.

This could work for macros like ${PATH}, though macros for other system paths
are currently missing (such as ${LIB} or ${ETC}) so it would be better to
refactor the related code and add those first.

See also:

How much does having the non-FHS paths not covered by the default firejail
profiles compromise its effective security in nixos?

No idea, you'd have to check what is in those directories and how NixOS handles
them.

In general, it seems that it would at least partly negate the security of
whitelisting certain system paths (such as for private-bin and
private-etc).

It would likely be a lot of work, but for the time being you could also look at
what is whiteslited in firefox.profile/firefox-common.profile and try to
whitelist more specific directories (instead of the entire
/run/current-system/sw) until it works, such as:

whitelist /run/current-system/sw/lib
whitelist /run/current-system/sw/share/doc
whitelist /run/current-system/sw/share/gtk-doc/html
whitelist /run/current-system/sw/share/mozilla
whitelist /run/current-system/sw/share/webext
whitelist /run/current-system/sw/etc/...
# ...

Without NixOS paths in private-etc groups it might be a bit repetitive to
whitelist paths in etc/.

Whitelisting lib/ is usually tricky, so it might be useful to whitelist all of
lib/.

You'd also likely need to add NixOS paths to whitelist-usr-share-common.local
and so on.

Alternatively, try to hack firejail to add hardcoded NixOS paths where needed
and build it manually.

<!-- gh-comment-id:3183391672 --> @kmk3 commented on GitHub (Aug 13, 2025): > The fjtrace.txt was 0 bytes, and the strace produced a 5MB file - not sure > how best to get that linked here, however... You can just click below the comment or drag and drop a file into it to upload the file: * <https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/attaching-files> > > This is how whitelisting currently works: Any `whitelist` command enables > > whitelisting for the relevant base directory. > > Oh that's right, thanks! That clued me in to try whitelisting everything in > /run item by item and selectively pairing down till I figured out what was > causing the problem. > > Adding the following fixes things: > > ` --whitelist=/run/current-system/sw` > > Apparently that's where NixOS keeps the equivalent of > /usr/bin,/usr/sbin,/usr/share,etc, in a read-only overlay mount. (I'm still > new to NixOS) > > ``` > [user1@nixos:/run/current-system]$ ls -l > total 72 > ... > lrwxrwxrwx 1 root root 55 Dec 31 1969 sw -> /nix/store/zbjcck36rg5waj2la62bqyak74rh03l7-system-path > > [user1@nixos:/run/current-system/sw]$ ls -l > total 0 > dr-xr-xr-x 1 root root 22462 Dec 31 1969 bin > dr-xr-xr-x 1 root root 80 Dec 31 1969 etc > dr-xr-xr-x 1 root root 14110 Dec 31 1969 lib > dr-xr-xr-x 1 root root 9844 Dec 31 1969 sbin > dr-xr-xr-x 1 root root 2398 Dec 31 1969 share > > [user1@nixos:/run/current-system/sw/bin]$ ls -l | head > total 5184 > lrwxrwxrwx 1 root root 68 Dec 31 1969 [ -> /nix/store/0a5fbp4mn8bq66qdcb1abvlahbpa6bwc-coreutils-full-9.7/bin/[ > lrwxrwxrwx 1 root root 70 Dec 31 1969 accessdb -> /nix/store/17a3l57c8lnfaqbxfw9f7m9wriazv5vj-man-db-2.13.0/bin/accessdb > lrwxrwxrwx 1 root root 74 Dec 31 1969 aconnect -> /nix/store/fvzgi1zmpy9g22625i41sgyzhlq1n9ag-alsa-utils-1.2.13/bin/aconnect > lrwxrwxrwx 1 root root 75 Dec 31 1969 addpart -> /nix/store/m10ngkbjxbj0lqdq6rsyys9h2gj1f27d-util-linux-2.41-bin/bin/addpart > ``` I see, nice that at least it works. Maybe the NixOS paths could be conditionally added to macros when building on NixOS. This could work for macros like `${PATH}`, though macros for other system paths are currently missing (such as `${LIB}` or `${ETC}`) so it would be better to refactor the related code and add those first. See also: * #4879 > How much does having the non-FHS paths not covered by the default firejail > profiles compromise its effective security in nixos? No idea, you'd have to check what is in those directories and how NixOS handles them. In general, it seems that it would at least partly negate the security of whitelisting certain system paths (such as for `private-bin` and `private-etc`). It would likely be a lot of work, but for the time being you could also look at what is whiteslited in firefox.profile/firefox-common.profile and try to whitelist more specific directories (instead of the entire `/run/current-system/sw`) until it works, such as: ``` whitelist /run/current-system/sw/lib whitelist /run/current-system/sw/share/doc whitelist /run/current-system/sw/share/gtk-doc/html whitelist /run/current-system/sw/share/mozilla whitelist /run/current-system/sw/share/webext whitelist /run/current-system/sw/etc/... # ... ``` Without NixOS paths in private-etc groups it might be a bit repetitive to whitelist paths in etc/. Whitelisting lib/ is usually tricky, so it might be useful to whitelist all of lib/. You'd also likely need to add NixOS paths to whitelist-usr-share-common.local and so on. Alternatively, try to hack firejail to add hardcoded NixOS paths where needed and build it manually.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#3045
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?