[GH-ISSUE #6105] pulsar: help wanted to create a new profile #3181

Open
opened 2026-05-05 09:48:12 -06:00 by gitea-mirror · 1 comment
Owner

Originally created by @Lonniebiz on GitHub (Nov 26, 2023).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6105

I requested a profile for Pulsar [here](https://github.com/netblue30/firejail/issues/1139#issuecomment-1826783530).

I tried to create a local profile based on the one for atom:

```
# Firejail profile for Pulsar
# Description: A hackable text editor for the 21st Century
# This file is overwritten after every install/update
# Persistent local customizations
include pulsar.local
# Persistent global definitions
include globals.local

# Disabled until someone reported positive feedback
ignore include disable-devel.inc
ignore include disable-interpreters.inc
ignore include disable-xdg.inc
ignore whitelist ${DOWNLOADS}
ignore whitelist ${HOME}/.config/Electron
ignore whitelist ${HOME}/.config/electron*-flag*.conf
ignore include whitelist-common.inc
ignore include whitelist-runuser-common.inc
ignore include whitelist-usr-share-common.inc
ignore include whitelist-var-common.inc
ignore apparmor
ignore disable-mnt

noblacklist ${HOME}/.atom
noblacklist ${HOME}/.config/Atom
noblacklist ${HOME}/.config/Pulsar

# Allows files commonly used by IDEs
include allow-common-devel.inc

# net none
nosound

# Redirect
include electron.profile
```

But I got stuck on this error:

`Error: /tmp/.org.chromium.Chromium.jcnd3m: failed to map segment from shared object`

I tried adding these directives into the local profile, but they don't seem to get me past the error:

```
# Allow access to /tmp directory
noblacklist /tmp

# Allow execution of files in /tmp (use with caution)
noblacklist /tmp/.org.chromium.Chromium.*
```

After that, I tried using firetools to create a totally different profile for Pulsar:

```
# Custom profile for Pulsar

# file system
include /etc/firejail/disable-common.inc

# network
net none

# multimedia
nosound
novideo

# kernel
seccomp !chroot
nonewprivs
caps.drop all
noroot
apparmor
```

I changed `seccomp` to `seccomp !chroot` due to this error:
"Check failed: sys_chroot("/proc/self/fdinfo/") == 0"

After that, it at least launched. However, I bet someone more experienced than I could make a less permissive profile that also launches. I'm still learning.

gitea-mirror added the profile-request label 2026-05-05 09:48:12 -06:00

@ross-zilligen commented on GitHub (Jan 8, 2026):

I've been trying to get a working profile for [Pulsar](https://github.com/pulsar-edit/pulsar) under Fedora 42 (not in any repos on my distro, so I had just installed it from a GitHub release). I found this page after I had already been tinkering with a modified version of the atom profile (similar to yourself). I also added a few lines from the VS Code profile since both editors are Electron-based.

Like you, I was getting a lot of `Error: /tmp/.org.chromium.Chromium.XXXXXX: failed to map segment from shared object` noise when I was running things. But I wanted to chime in with a few bits that I learned along the way in case it is helpful to the overall effort to get a profile that both works *and* has decent enough security to make it into the default profiles.

First, there were a few non-firejail errors related to `/tmp/.org.chromium.Chromium.XXXXXX` due to /tmp having `noexec`. See:

- [Pulsar Issue 999: failed to map segment from shared object](https://github.com/pulsar-edit/pulsar/issues/999)
- [Signal-Desktop Issue 2707: Signal doesn't start with noexec /tmp: failed to map segment from shared object](https://github.com/signalapp/Signal-Desktop/issues/2707)

Both of these had suggestions such as remounting tmp with `exec`, which someone rightly pointed out

> Remounting /tmp with exec is probably not a good long term solution. noexec on /tmp and /var/tmp is common for hardened systems.

There was also a suggestion of overriding TMPDIR to point to somewhere other than /tmp, which I thought was more interesting.

I had attempted that in one version of the profile I was working on by adding:

```
mkdir ${HOME}/.tmp/pulsar
noblacklist ${HOME}/.tmp/pulsar
env TMPDIR=${HOME}/.tmp/pulsar
```

but I could never get it to launch using either the `/opt/Pulsar/pulsar` binary or the `/usr/bin/pulsar` bash script.

`firejail --profile=pulsar-edit /usr/bin/pulsar --no-sandbox` would just hang after a while when using this and not give any useful errors. The `${HOME}/.tmp/pulsar` folder did get created but there wasn't anything inside. But the binary under /opt would give me this, apparently related to [node-sentinel-file-watcher (aka 'nsfw')](https://www.npmjs.com/package/nsfw):

```
$ firejail --profile=pulsar-edit /opt/Pulsar/pulsar --no-sandbox
Reading profile /etc/firejail/pulsar-edit.profile
Reading profile /home/notmyrealusername/.config/firejail/globals.local
Reading profile /home/notmyrealusername/.config/firejail/unset-user-vars.local
Reading profile /etc/firejail/allow-common-devel.inc
Reading profile /etc/firejail/electron-common.profile
Reading profile /etc/firejail/blink-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /home/notmyrealusername/.config/firejail/disable-common.local
Reading profile /etc/firejail/disable-programs.inc
firejail version 0.9.76

Parent pid 1576340, child pid 1576341
Warning: NVIDIA card detected, nogroups command ignored
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Base filesystem installed in 69.87 ms
Warning: NVIDIA card detected, nogroups command ignored
Child process initialized in 157.77 ms
ENOENT, node_modules/nsfw/build/Release/nsfw.node not found in /opt/Pulsar/resources/app.asar
Error: ENOENT, node_modules/nsfw/build/Release/nsfw.node not found in /opt/Pulsar/resources/app.asar
    at createError (electron/js2c/asar_bundle.js:5:1289)
    at Object.func [as .node] (electron/js2c/asar_bundle.js:5:2008)
    at Module.load (internal/modules/cjs/loader.js:935:32)
    at Module._load (internal/modules/cjs/loader.js:776:14)
    at Function.f._load (electron/js2c/asar_bundle.js:5:12913)
    at Module.require (internal/modules/cjs/loader.js:959:19)
    at require (internal/modules/cjs/helpers.js:88:18)
    at Object.<anonymous> (/opt/Pulsar/resources/app.asar/node_modules/nsfw/js/src/index.js:4:14)
    at Module._compile (internal/modules/cjs/loader.js:1078:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:1108:10)
```

So I never *really* got it working while isolating /tmp to my satisfaction. BUT if you comment out the stuff I was attempting with `TMPDIR` and the `noexec /tmp` then it at least runs (not even any errors from the 'nsfw' module) ... can't say how protected you are like that, so it might be pretty useless for folks wandering in from the web. OTOH, there are already profiles under /etc/firejail that don't appear to block /tmp, so maybe it's fine? I'm not a security expert so I'll wait for someone more experienced on that front to chime in.

In either case, hopefully there are a few more clues here that will get us a bit closer to a final Pulsar profile :-D

btw here's the /etc/firejail/pulsar-edit.profile I was using at the end:

```
# Firejail profile for Pulsar Text Editor
# Description: A Community-led Hyper-Hackable Text Editor, Forked from Atom, built on Electron
# https://github.com/pulsar-edit/pulsar
# This file is overwritten after every install/update
# Persistent local customizations
include pulsar.local
# Persistent global definitions
include globals.local

# Disabled until someone reported positive feedback
ignore include disable-devel.inc
ignore include disable-exec.inc
ignore include disable-interpreters.inc
ignore include disable-xdg.inc
ignore whitelist ${DOWNLOADS}
ignore whitelist ${HOME}/.config/Electron
ignore whitelist ${HOME}/.config/electron*-flag*.conf
ignore include whitelist-common.inc
ignore include whitelist-runuser-common.inc
ignore include whitelist-usr-share-common.inc
ignore include whitelist-var-common.inc
ignore apparmor
ignore disable-mnt
ignore dbus-user none
ignore dbus-system none

noblacklist ${HOME}/.pulsar
noblacklist ${HOME}/.config/Pulsar

#mkdir ${HOME}/.tmp/pulsar
#noblacklist ${HOME}/.tmp/pulsar
#env TMPDIR=${HOME}/.tmp/pulsar

# Allows files commonly used by IDEs
include allow-common-devel.inc

#net none
nosound

# Disabling noexec ${HOME} for now since it will
# probably interfere with running some programs in Pulsar
#noexec ${HOME}
#noexec /tmp

# Redirect
include electron-common.profile
```
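Both posts above trace the `failed to map segment from shared object` error to Chromium writing a shared object under `/tmp` and the loader being refused an executable mapping on a `noexec` mount; the second post then tries to move `TMPDIR` under `${HOME}` while also considering `noexec ${HOME}`. The following script is an added example, not code from this thread, from firejail or from Pulsar: it shows how to confirm that diagnosis before loosening a profile, by (1) resolving a path to its mount and reading the mount options, and (2) probing a candidate directory the way the dynamic loader does, with a `PROT_EXEC` mapping. The function names, the `SAMPLE_MOUNTS` text and the probe file name are all constructed for this example.

```python
"""Diagnose noexec mounts behind "failed to map segment from shared object".

Added example (not from the firejail or Pulsar projects). Two checks:
  - mount_for_path(): which mount carries a path and whether it is noexec
  - can_mmap_exec():  whether a PROT_EXEC mapping of a file in a directory
                      is allowed, which is what dlopen() needs for the
                      /tmp/.org.chromium.Chromium.XXXXXX shared object
"""
import errno
import mmap
import os
import tempfile

# Constructed sample of /proc/self/mounts for a hypothetical hardened box
# (not the reporter's machine). Real format per line:
#   device mountpoint fstype options dump pass
# with spaces in paths escaped as \040.
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda3 /home ext4 rw,relatime 0 0
"""


def _unescape(field):
    # /proc/self/mounts encodes space, tab, newline and backslash as octal
    return (field.replace("\\040", " ").replace("\\011", "\t")
                 .replace("\\012", "\n").replace("\\134", "\\"))


def parse_mounts(text):
    """Return a list of (mountpoint, set_of_options) from mounts text."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        mounts.append((_unescape(parts[1]), set(parts[3].split(","))))
    return mounts


def mount_for_path(path, mounts_text=None):
    """Longest-prefix match of path against mount points.

    Returns (mountpoint, noexec) where noexec is True when the mount that
    carries the path has the noexec option; None if nothing matches.
    Reads the live /proc/self/mounts when no text is supplied.
    """
    if mounts_text is None:
        with open("/proc/self/mounts") as fh:
            mounts_text = fh.read()
    path = os.path.normpath(path)
    best = None
    for mp, opts in parse_mounts(mounts_text):
        # "/tmp" must not claim "/tmpfoo": require a path-component boundary
        if mp == "/" or path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best[0]):
                best = (mp, opts)
    if best is None:
        return None
    return best[0], "noexec" in best[1]


def can_mmap_exec(directory):
    """Probe a directory the way the dynamic loader would.

    Creates a scratch file, maps one page PROT_READ|PROT_EXEC and removes
    the file again. On a noexec mount the kernel refuses the mapping with
    EPERM, the condition glibc reports as "failed to map segment from
    shared object". Returns True when an executable mapping is allowed.
    """
    fd, name = tempfile.mkstemp(prefix=".noexec-probe-", dir=directory)
    try:
        os.write(fd, b"\0" * mmap.PAGESIZE)
        try:
            m = mmap.mmap(fd, mmap.PAGESIZE, flags=mmap.MAP_PRIVATE,
                          prot=mmap.PROT_READ | mmap.PROT_EXEC)
            m.close()
            return True
        except PermissionError as exc:
            if exc.errno == errno.EPERM:
                return False
            raise
    finally:
        os.close(fd)
        os.unlink(name)


if __name__ == "__main__":
    # Candidate TMPDIR locations from the thread, checked on the live system
    for p in ("/tmp", os.path.expanduser("~/.tmp/pulsar"), "/opt/Pulsar"):
        print(p, "->", mount_for_path(p))
    print("/tmp allows PROT_EXEC mappings:", can_mmap_exec("/tmp"))
```

Run it once outside the sandbox and once inside (`firejail --profile=pulsar-edit python3 probe.py`, assuming the profile name used above): if `/tmp` is `noexec` on the host, no `noblacklist /tmp` line will help, since the refusal comes from the mount, not from firejail. If a `TMPDIR` under `${HOME}` is chosen instead, the probe shows immediately whether a `noexec ${HOME}` line in the profile would reintroduce the same failure there.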
Reference: github-starred/firejail#3181