github-starred/firejail

Fork 0

mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00

[GH-ISSUE #5639] qutebrowser: cannot run userscripts #3052

New issue

Closed

opened 2026-05-05 09:41:54 -06:00 by gitea-mirror · 2 comments

gitea-mirror commented

2026-05-05 09:41:54 -06:00

Owner

Originally created by @kjk11 on GitHub (Feb 5, 2023).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5639

As described here , one of the recent changes to the Qutebrowser profile, most likely this pull request https://github.com/netblue30/firejail/pull/5389, breaks the invocation of qutebrowser userscripts. I have been able to circumvent this problem by setting

ignore apparmor
ignore noexec ${HOME}

in qutebrowser.local . I believe userscripts should work by default. Perhaps there is a more fine-grained way of getting the functionality back?

Originally created by @kjk11 on GitHub (Feb 5, 2023). Original GitHub issue: https://github.com/netblue30/firejail/issues/5639 As described [here](https://github.com/qutebrowser/qutebrowser/issues/7575) , one of the recent changes to the Qutebrowser profile, most likely this pull request https://github.com/netblue30/firejail/pull/5389, breaks the invocation of qutebrowser userscripts. I have been able to circumvent this problem by setting ``` ignore apparmor ignore noexec ${HOME} ``` in qutebrowser.local . I believe userscripts should work by default. Perhaps there is a more fine-grained way of getting the functionality back?

gitea-mirror

2026-05-05 09:41:54 -06:00

closed this issue
added the
bug
label

gitea-mirror commented

2026-05-05 09:41:57 -06:00

Author

Owner

@ghost commented on GitHub (Feb 6, 2023):

I believe userscripts should work by default.

Thank you for reporting this. I agree.

Perhaps there is a more fine-grained way of getting the functionality back?

There are several profiles that have ignore noexec ${HOME}. In general that loosens the sandbox obviously, but it still is dependend on what you have installed under ${HOME} that potentially could pose a threat. Not really a fine-grained tool though the ignore noexec option, but we'll need to add it to the profile regardless.

You could try to compensate for this loss via additional AppArmor rules, only allowing the owner of files under ${HOME}/.config/qutebrowser/userscripts to execute those and nothing else. Check your /etc/apparmor.d/local/firejail-default, there are interesting comments inside that can help achieve this.

OTOH, something like the below should limit what's allowed to be executed:

owner @{HOME}/.config/qutebrowser/userscripts/** ix,

Just remember to clear AA's rules cache (if you use that option) after editing the file and usually a reboot is also required for AA to enforce the changes. If you need help with that, feel free to ask.

@ghost commented on GitHub (Feb 6, 2023): > I believe userscripts should work by default. Thank you for reporting this. I agree. > Perhaps there is a more fine-grained way of getting the functionality back? There are several profiles that have `ignore noexec ${HOME}`. In general that loosens the sandbox obviously, but it still is dependend on what you have installed under ${HOME} that potentially could pose a threat. Not really a fine-grained tool though the `ignore noexec` option, but we'll need to add it to the profile regardless. You could try to compensate for this `loss` via additional AppArmor rules, only allowing the owner of files under ${HOME}/.config/qutebrowser/userscripts to execute those and nothing else. Check your `/etc/apparmor.d/local/firejail-default`, there are interesting comments inside that can help achieve this. OTOH, something like the below should limit what's allowed to be executed: ``` owner @{HOME}/.config/qutebrowser/userscripts/** ix, ``` Just remember to clear AA's rules cache (if you use that option) after editing the file and usually a reboot is also required for AA to enforce the changes. If you need help with that, feel free to ask.

gitea-mirror commented

2026-05-05 09:41:58 -06:00

Author

Owner

@ghost commented on GitHub (Feb 15, 2023):

@kjk11 Usual deal. Merging the PR auto-closes this. Feel free to reopen.

@ghost commented on GitHub (Feb 15, 2023): @kjk11 Usual deal. Merging the PR auto-closes this. Feel free to reopen.

gitea-mirror referenced this issue

2026-05-05 10:23:34 -06:00

[PR #3053] [MERGED] Add new electron-mail profile #4624

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#3052

No description provided.

Rows
Columns