[GH-ISSUE #5863] libreoffice: cannot open URL in flatpak program (AppImage) #3112

New issue

Closed

opened 2026-05-05 09:45:06 -06:00 by gitea-mirror · 4 comments

gitea-mirror commented 2026-05-05 09:45:06 -06:00

Owner

Copy link

Originally created by @MikeNavy on GitHub (Jun 20, 2023).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5863

Description

I use LibreOffice AppImage; it contains its own help; when user wants to display the help, LibreOffice writes the help as html files in a "/tmp/" subdirectory, then it launches the application which is associated to html files.
In my case, the application associated to html files is Ungoogled-Chromium browser flatpak.
I have associated the html files to the command: /usr/bin/flatpak run --branch=stable --arch=x86_64 --command=/app/bin/chromium --file-forwarding com.github.Eloston.UngoogledChromium @@u %U @@ using the "open with another application" option in Caja, entering the command line in "Use a personalized command" and ticking the "Remember this application..." option. Since I don't use any non flatpak browser, there is no default browser on my system (file association only).

When I launch LibreOffice AppImage without firejail, using ~/opt/LibreOffice.AppImage command, the help works, it is opened in Ungoogled-Chromium Browser.

When I launch LibreOffice AppImage with firejail, with the command:
firejail --appimage ~/opt/LibreOffice.AppImage, LibreOffice is launched and works normally, except the help that does not work (it is not displayed).

Steps to Reproduce

Install LibreOffice AppImage, a version including its help, in a directory of your choice in your home (I chose "/opt"). Launch LibreOffice with firejail --appimage.

1. Run in a terminal LC=ALL firejail --appimage ~/opt/LibreOffice.AppImage ("~/opt/" is the directory I used for AppImages, replace it with yours)
2. Click on 'Help' menu, then 'LibreOffice Help F1"
   --> Help is not displayed.

Using "--profile=libreoffice" option:

1. Run in a terminal LC=ALL firejail --appimage --profile=libreoffice ~/opt/LibreOffice.AppImage("~/opt/" is the directory I used for AppImages, replace it with yours)
2. Click on 'Help' menu, then 'LibreOffice Help F1"
   --> Help is not displayed.

Expected behavior

LibreOffice help should be displayed

Actual behavior

No help displayed. In the terminal:

Reading profile /etc/firejail/allow-java.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 7433, child pid 7436
** Warning: dropping all Linux capabilities and setting NO_NEW_PRIVS prctl **
Mounting appimage type 2
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: not remounting /run/user/1000/gvfs
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Child process initialized in 195.00 ms
error: While opening repository /var/lib/flatpak/repo: opening repo: opendir(/var/lib/flatpak/repo): No such file or folder

Same result with --profile=libreoffice option.

Behavior without a profile

Run in a terminal LC=ALL firejail --noprofile --appimage ~/opt/LibreOffice.AppImage ("~/opt/" is the directory I used for AppImages, replace it with yours)
LibreOffice is launched, help does not work.
Terminal output:

Parent pid 7832, child pid 7835
** Warning: dropping all Linux capabilities and setting NO_NEW_PRIVS prctl **
Mounting appimage type 2
Warning: NVIDIA card detected, nogroups command ignored
Child process initialized in 55.44 ms
bwrap: Can't mount proc on /newroot/proc: Operation not permitted
error: ldconfig failed, exit status 256

Additional context

Any other detail that may help to understand/debug the problem

Environment

• Linux Mint 20.3 Mate, based on Ubuntu 20.04 LTS, with 5.4.0-152 generic kernel.
• Firejail version 0.9.72, deb downloaded from SourceForge.
• LibreOffice AppImage 7.4.7.2.

Checklist

• [x ] The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
• [x ] I can reproduce the issue without custom modifications (e.g. globals.local).
• [x ] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
• [x ] The profile (and redirect profile if exists) hasn't already been fixed upstream.
• I have performed a short search for similar issues (to avoid opening a duplicate).
  • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
• I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program

Reading profile /etc/firejail/allow-java.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 7433, child pid 7436
** Warning: dropping all Linux capabilities and setting NO_NEW_PRIVS prctl **
Mounting appimage type 2
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: not remounting /run/user/1000/gvfs
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Child process initialized in 195.00 ms
error: While opening repository /var/lib/flatpak/repo: opening repo: opendir(/var/lib/flatpak/repo): No such file or folder

Output of LC_ALL=C firejail --debug /path/to/program

https://gist.github.com/MikeNavy/5c78a9e3852eb04ee5b802da57051204

Originally created by @MikeNavy on GitHub (Jun 20, 2023). Original GitHub issue: https://github.com/netblue30/firejail/issues/5863 <!-- See the following links for help with formatting: https://guides.github.com/features/mastering-markdown/ https://docs.github.com/en/github/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax --> ### Description I use LibreOffice AppImage; it contains its own help; when user wants to display the help, LibreOffice writes the help as html files in a "/tmp/" subdirectory, then it launches the application which is associated to html files. In my case, the application associated to html files is Ungoogled-Chromium browser flatpak. I have associated the html files to the command: `/usr/bin/flatpak run --branch=stable --arch=x86_64 --command=/app/bin/chromium --file-forwarding com.github.Eloston.UngoogledChromium @@u %U @@` using the "open with another application" option in Caja, entering the command line in "Use a personalized command" and ticking the "Remember this application..." option. Since I don't use any non flatpak browser, there is no default browser on my system (file association only). When I launch LibreOffice AppImage without firejail, using `~/opt/LibreOffice.AppImage` command, the help works, it is opened in Ungoogled-Chromium Browser. When I launch LibreOffice AppImage with firejail, with the command: `firejail --appimage ~/opt/LibreOffice.AppImage`, LibreOffice is launched and works normally, except the help that does not work (it is not displayed). ### Steps to Reproduce Install LibreOffice AppImage, a version including its help, in a directory of your choice in your home (I chose "/opt"). Launch LibreOffice with `firejail --appimage`. 1. Run in a terminal `LC=ALL firejail --appimage ~/opt/LibreOffice.AppImage` ("~/opt/" is the directory I used for AppImages, replace it with yours) 2. Click on 'Help' menu, then 'LibreOffice Help F1" --> Help is not displayed. Using "--profile=libreoffice" option: 1. Run in a terminal `LC=ALL firejail --appimage --profile=libreoffice ~/opt/LibreOffice.AppImage`("~/opt/" is the directory I used for AppImages, replace it with yours) 2. Click on 'Help' menu, then 'LibreOffice Help F1" --> Help is not displayed. ### Expected behavior LibreOffice help should be displayed ### Actual behavior No help displayed. In the terminal: ``` Reading profile /etc/firejail/allow-java.inc Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-exec.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/whitelist-run-common.inc Reading profile /etc/firejail/whitelist-var-common.inc Parent pid 7433, child pid 7436 ** Warning: dropping all Linux capabilities and setting NO_NEW_PRIVS prctl ** Mounting appimage type 2 Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set. Warning: not remounting /run/user/1000/gvfs Warning: NVIDIA card detected, nogroups command ignored Warning: NVIDIA card detected, nogroups command ignored Child process initialized in 195.00 ms error: While opening repository /var/lib/flatpak/repo: opening repo: opendir(/var/lib/flatpak/repo): No such file or folder ``` Same result with `--profile=libreoffice` option. ### Behavior without a profile Run in a terminal `LC=ALL firejail --noprofile --appimage ~/opt/LibreOffice.AppImage` ("~/opt/" is the directory I used for AppImages, replace it with yours) LibreOffice is launched, help does not work. Terminal output: ``` Parent pid 7832, child pid 7835 ** Warning: dropping all Linux capabilities and setting NO_NEW_PRIVS prctl ** Mounting appimage type 2 Warning: NVIDIA card detected, nogroups command ignored Child process initialized in 55.44 ms bwrap: Can't mount proc on /newroot/proc: Operation not permitted error: ldconfig failed, exit status 256 ``` ### Additional context _Any other detail that may help to understand/debug the problem_ ### Environment - Linux Mint 20.3 Mate, based on Ubuntu 20.04 LTS, with 5.4.0-152 generic kernel. - Firejail version 0.9.72, deb downloaded from SourceForge. - LibreOffice AppImage 7.4.7.2. ### Checklist <!-- Note: Items are checked with an "x", like so: - [x] This is a checked item. --> - [x ] The issues is caused by firejail (i.e. running the program by path (e.g. `/usr/bin/vlc`) "fixes" it). - [x ] I can reproduce the issue without custom modifications (e.g. globals.local). - [x ] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`) - [x ] The profile (and redirect profile if exists) hasn't already been fixed [upstream](https://github.com/netblue30/firejail/tree/master/etc). - [x] I have performed a short search for similar issues (to avoid opening a duplicate). - [ ] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers. - [x] I used `--profile=PROFILENAME` to set the right profile. (Only relevant for AppImages) ### Log <details> <summary>Output of <code>LC_ALL=C firejail /path/to/program</code></summary> <p> ``` Reading profile /etc/firejail/allow-java.inc Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-exec.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/whitelist-run-common.inc Reading profile /etc/firejail/whitelist-var-common.inc Parent pid 7433, child pid 7436 ** Warning: dropping all Linux capabilities and setting NO_NEW_PRIVS prctl ** Mounting appimage type 2 Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set. Warning: not remounting /run/user/1000/gvfs Warning: NVIDIA card detected, nogroups command ignored Warning: NVIDIA card detected, nogroups command ignored Child process initialized in 195.00 ms error: While opening repository /var/lib/flatpak/repo: opening repo: opendir(/var/lib/flatpak/repo): No such file or folder ``` </p> </details> <details> <summary>Output of <code>LC_ALL=C firejail --debug /path/to/program</code></summary> <p> <!-- If the output is too long to embed it into the comment, create a secret gist at https://gist.github.com/ and link it here. --> https://gist.github.com/MikeNavy/5c78a9e3852eb04ee5b802da57051204 ``` ``` </p> </details>

gitea-mirror 2026-05-05 09:45:06 -06:00

• closed this issue
• added the
  notabug
  label

gitea-mirror commented 2026-05-05 09:45:08 -06:00

Author

Owner

Copy link

@kmk3 commented on GitHub (Jun 20, 2023):

I use LibreOffice AppImage; it contains its own help; when user wants to
display the help, LibreOffice writes the help as html files in a "/tmp/"
subdirectory, then it launches the application which is associated to html
files. In my case, the application associated to html files is
Ungoogled-Chromium browser flatpak. I have associated the html files to the
command: /usr/bin/flatpak run --branch=stable --arch=x86_64 --command=/app/bin/chromium --file-forwarding com.github.Eloston.UngoogledChromium @@u %U @@ using the "open with another
application" option in Caja, entering the command line in "Use a personalized
command" and ticking the "Remember this application..." option. Since I don't
use any non flatpak browser, there is no default browser on my system (file
association only).

Child process initialized in 195.00 ms
error: While opening repository /var/lib/flatpak/repo: opening repo: opendir(/var/lib/flatpak/repo): No such file or folder

Running flatpak programs through firejail is unsupported, as generally firejail
removes privileges which flatpak requires.

In order to open URLs in an external browser, it is possible to make the
sandboxed program write the URLs to a socket and have another program outside
of the sandbox which listens to it and opens URLs.

See the following discussion and the related discussions for details:

• #5582

<!-- gh-comment-id:1598420410 --> @kmk3 commented on GitHub (Jun 20, 2023): > I use LibreOffice AppImage; it contains its own help; when user wants to > display the help, LibreOffice writes the help as html files in a "/tmp/" > subdirectory, then it launches the application which is associated to html > files. In my case, the application associated to html files is > Ungoogled-Chromium browser flatpak. I have associated the html files to the > command: `/usr/bin/flatpak run --branch=stable --arch=x86_64 > --command=/app/bin/chromium --file-forwarding > com.github.Eloston.UngoogledChromium @@u %U @@` using the "open with another > application" option in Caja, entering the command line in "Use a personalized > command" and ticking the "Remember this application..." option. Since I don't > use any non flatpak browser, there is no default browser on my system (file > association only). > ``` > Child process initialized in 195.00 ms > error: While opening repository /var/lib/flatpak/repo: opening repo: opendir(/var/lib/flatpak/repo): No such file or folder > ``` Running flatpak programs through firejail is unsupported, as generally firejail removes privileges which flatpak requires. In order to open URLs in an external browser, it is possible to make the sandboxed program write the URLs to a socket and have another program outside of the sandbox which listens to it and opens URLs. See the following discussion and the related discussions for details: * #5582

gitea-mirror commented 2026-05-05 09:45:08 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Jun 20, 2023):

Furthermore you have to share your /tmp:

ignore private-tmp

And if you would use run your browser in firejail too you have to share it there as well.

<!-- gh-comment-id:1598827425 --> @rusty-snake commented on GitHub (Jun 20, 2023): Furthermore you have to share your /tmp: ``` ignore private-tmp ``` And if you would use run your browser in firejail too you have to share it there as well.

gitea-mirror commented 2026-05-05 09:45:09 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Jun 20, 2023):

The best solution is likely to browser a online help or to export (save) it once to e.g. ~/Documents and browse it from there.

<!-- gh-comment-id:1598831013 --> @rusty-snake commented on GitHub (Jun 20, 2023): The best solution is likely to browser a online help or to export (save) it once to e.g. ~/Documents and browse it from there.

gitea-mirror commented 2026-05-05 09:45:10 -06:00

Author

Owner

Copy link

@MikeNavy commented on GitHub (Jun 20, 2023):

Or I can use LibreOffice AppImage without Firejail... ;-):

• I cannot change the way the AppImage works.
• If I download a LibreOffice AppImage using online help, it will not launch my browser if LibreOffice is firejailed.
• If I use my browser to read online help without LibreOffice, I loose the contextual help.

Regards,

MN

PS: I use firejailed LibreOffice AppImage to open files downloaded from internet; I use unsandboxed LibreOffice AppImage to open and edit my own files (and have access to the included help).

<!-- gh-comment-id:1598969802 --> @MikeNavy commented on GitHub (Jun 20, 2023): Or I can use LibreOffice AppImage without Firejail... ;-): - I cannot change the way the AppImage works. - If I download a LibreOffice AppImage using online help, it will not launch my browser if LibreOffice is firejailed. - If I use my browser to read online help without LibreOffice, I loose the contextual help. Regards, MN PS: I use firejailed LibreOffice AppImage to open files downloaded from internet; I use unsandboxed LibreOffice AppImage to open and edit my own files (and have access to the included help).

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

serialize_remounts_v2

landlock_v4

landlock

release-0.9.64

release-0.9.62

gitlab_ci

LTSbase

fred_ctests

docs

0.9.80

0.9.80-rc1

0.9.78

0.9.76

0.9.76-rc4

0.9.76-rc3

0.9.76-rc2

0.9.76-rc1

0.9.74

landlock-split

0.9.72

0.9.72rc1

0.9.70

0.9.68

0.9.68rc1

0.9.66

0.9.66rc1

0.9.64.4

0.9.64.2

0.9.64

0.9.64rc1

0.9.62.4

0.9.62.2

0.9.62

0.9.56.2-LTS

0.9.60

0.9.60-rc1

0.9.58.2

0.9.58

0.9.58-rc1

0.9.56-LTS-release

0.9.56-LTS

0.9.56

0.9.56-rc1

0.9.54

0.9.54-rc2

0.9.54-rc1

0.9.52

0.9.38.12

0.9.50

0.9.50-rc1

0.9.48

0.9.46

0.9.46-rc1

0.9.44.10

0.9.44.8

0.9.44.6

0.9.38.10

0.9.44.4

0.9.38.8

0.9.44.2

0.9.44

0.9.44-rc1

0.9.38.4

0.9.42

0.9.42-rc2

0.9.38.2

0.9.42-rc1

disable-globalcfg

0.9.40

0.9.40-rc1

0.9.38

0.9.38-rc1

0.9.36

0.9.36-rc1

0.9.34

0.9.34-rc1

0.9.32

0.9.32-rc1

0.9.30

0.9.30-rc1

Labels

Clear labels   

LTS merge

  

LTS merge

  

bug

  

bug

  

converted-to-discussion

  

doc-todo

  

documentation

  

duplicate

  

enhancement

  

file-transfer

  

firecfg

  

firejail-in-firejail

  

firetools

  

graphics

  

help wanted

  

information_old

  

installation

  

invalid

  

modif

  

moved

  

needinfo

  

networking

  

notabug

  

notourbug

  

old-version

  

overlayfs

  

packaging

  

profile-request

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

question_old

  

removal

  

runtime-permissions

  

sandbox-ipc

  

security

  

stale

  

wiki

  

wiki

  

wontfix

  

wordpress

  

workaround

No labels

LTS merge

LTS merge

bug

bug

converted-to-discussion

doc-todo

documentation

duplicate

enhancement

file-transfer

firecfg

firejail-in-firejail

firetools

graphics

help wanted

information_old

installation

invalid

modif

moved

needinfo

networking

notabug

notourbug

old-version

overlayfs

packaging

profile-request

pull-request

question

question_old

removal

runtime-permissions

sandbox-ipc

security

stale

wiki

wiki

wontfix

wordpress

workaround

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#3112

No description provided.