[GH-ISSUE #6269] torbrowser: error: Tor exited during startup #3229

Open
opened 2026-05-05 09:50:24 -06:00 by gitea-mirror · 24 comments

Originally created by @marek22k on GitHub (Mar 8, 2024).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6269

Description

I am on Arch Linux and have installed Tor via the "Tor Browser Launcher". When I start Tor without Firejail everything works; when I start Tor with Firejail an error message appears.

Steps to Reproduce

Steps to reproduce the behavior

  1. Install Arch Linux (Xfce4, linux-lts)
  2. Install Tor Browser via Tor Browser Launcher
  3. Start Tor
  4. Error message appears

Expected behavior

Tor Browser shows the error message:

Tor exited during startup. This might be due to an error in your torrc file, a bug in Tor or another program on your system, or faulty hardware. Until you fix the underlying problem and restart Tor, Tor Browser will not start.

Furthermore, it cannot connect to the network.

Actual behavior

No error message, successful connection to the tor network.

Behavior without a profile

What changed calling LC_ALL=C firejail --noprofile /path/to/program in a terminal?

Works

$LC_ALL=C firejail --noprofile /usr/bin/torbrowser-launcher
Parent pid 77321, child pid 77322
Child process initialized in 5.63 ms
Tor Browser Launcher
By Micah Lee & Tor Project, licensed under MIT
version 0.3.7
https://gitlab.torproject.org/tpo/applications/torbrowser-launcher/
Launching Tor Browser.
Running /home/marek/.local/share/torbrowser/tbb/x86_64/tor-browser/start-tor-browser.desktop
Launching './Browser/start-tor-browser --detach'...

Parent is shutting down, bye...

Additional context

Screenshot (image attached to the original GitHub issue): https://github.com/netblue30/firejail/assets/46723399/43d08c46-3f90-4af6-b91b-203ea0b8833b

Environment

  • Linux distribution and version (e.g. "Ubuntu 20.04" or "Arch Linux")

Arch Linux

  • Firejail version (firejail --version).
$ firejail --version
firejail version 0.9.72

Compile time support:
	- always force nonewprivs support is disabled
	- AppArmor support is enabled
	- AppImage support is enabled
	- chroot support is enabled
	- D-BUS proxy support is enabled
	- file transfer support is enabled
	- firetunnel support is disabled
	- IDS support is disabled
	- networking support is enabled
	- output logging is enabled
	- overlayfs support is disabled
	- private-home support is enabled
	- private-cache and tmpfs as user enabled
	- SELinux support is disabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled

Checklist

  • [x] The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • [x] I can reproduce the issue without custom modifications (e.g. globals.local).
  • [x] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [ ] The profile (and redirect profile if exists) hasn't already been fixed upstream (https://github.com/netblue30/firejail/tree/master/etc).
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).
  • [x] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.

Log

Output of LC_ALL=C firejail /path/to/program

$LC_ALL=C firejail /usr/bin/torbrowser-launcher
Reading profile /etc/firejail/torbrowser-launcher.profile
Reading profile /etc/firejail/allow-python2.inc
Reading profile /etc/firejail/allow-python3.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 78530, child pid 78531
79 programs installed in 117.92 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping asound.conf for private /etc
Warning: skipping crypto-policies for private /etc
Warning: skipping pki for private /etc
Private /etc installed in 38.72 ms
Private /usr/etc installed in 0.00 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Child process initialized in 242.48 ms
Tor Browser Launcher
By Micah Lee & Tor Project, licensed under MIT
version 0.3.7
https://gitlab.torproject.org/tpo/applications/torbrowser-launcher/

(python:99): dbind-WARNING **: 19:44:27.032: Couldn't connect to accessibility bus: Failed to connect to socket /run/user/1000/at-spi/bus_0: No such file or directory
Launching Tor Browser.
Running /home/marek/.local/share/torbrowser/tbb/x86_64/tor-browser/start-tor-browser.desktop
Launching './Browser/start-tor-browser --detach'...

Parent is shutting down, bye...

Output of LC_ALL=C firejail --debug /path/to/program

https://gist.github.com/marek22k/6de941d4f8d644e1ee4736007a8ea577

gitea-mirror added the bug label 2026-05-05 09:50:24 -06:00
@ghost commented on GitHub (Mar 9, 2024):

Apparently Tor Browser 13.0.11 (based on Mozilla Firefox 115.8.0esr) changed a few things. The former versions installed under ${HOME}/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser and now under ${HOME}/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser. This affects our apparmor opt-in rule, although you don't seem to have that enabled AFAICT from your logs.

Can you try adding the below and report back please?

$ cat ~/.config/firejail/torbrowser-launcher.local
private-bin execdesktop

HTH
@ghost commented on GitHub (Mar 9, 2024):

UPDATE: note for people that do enable apparmor in a local override

https://github.com/netblue30/firejail/blob/c16f7a2902cfbae0c022edd795e155c5abde48c8/etc/apparmor/firejail-local#L27

Fixed rule:
#owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser/Browser/** ix,
@marek22k commented on GitHub (Mar 9, 2024):

> Can you try adding the below and report back please?

Mhh, somehow it doesn't work for me. (Log: https://gist.github.com/marek22k/763449af038fefe103cf8c57259eada1)

> This affects our apparmor opt-in rule, although you don't seem to have that enabled AFAICT from your logs.

As I understand it, AppArmor offers additional protection. How can I activate it?
@ghost commented on GitHub (Mar 10, 2024):

> Mhh, somehow it doesn't work for me.

From a diff between the 0.9.72 versus the one in git master I notice we also added include whitelist-run-common.inc and seccomp.block-secondary. Any improvement when you also add those to torbrowser-launcher.local?

> As I understand it, AppArmor offers additional protection. How can I activate it?

  • follow the Arch AppArmor wiki (https://wiki.archlinux.org/title/AppArmor)
  • check /etc/apparmor.d/firejail-default, and especially /etc/apparmor.d/local/firejail-default - the latter is the one you'll need to edit for the torbrowser-launcher.profile
@marek22k commented on GitHub (Mar 10, 2024):

> From a diff between the 0.9.72 versus the one in git master I notice we also added include whitelist-run-common.inc and seccomp.block-secondary. Any improvement when you also add those to torbrowser-launcher.local?

Unfortunately not.
Log: log.txt (https://github.com/netblue30/firejail/files/14550448/log.txt)

AppArmor: Thanks for the links! I might have a look at that later.
@kmk3 commented on GitHub (Mar 10, 2024):

> > From a diff between the 0.9.72 versus the one in git master I notice we also added include whitelist-run-common.inc and seccomp.block-secondary. Any improvement when you also add those to torbrowser-launcher.local?
>
> Unfortunately not. Log: log.txt (https://github.com/netblue30/firejail/files/14550448/log.txt)

Does it work with firejail-git?

I'd suggest to comment lines in torbrowser-launcher.profile until you find which ones are causing issues.
@johkra commented on GitHub (Mar 16, 2024):

The path on my installation is:

$HOME/.local/share/torbrowser/tbb/x86_64/tor-browser/start-tor-browser.desktop

The Browser path component in #owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser*/Browser/** ix, changed in #6270 makes the path not match.

Changing this to owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser*/** ix, worked for me.
@ghost commented on GitHub (Mar 16, 2024):

@johkra Thanks for reporting! I changed it in git accordingly.
@powerjungle commented on GitHub (Mar 30, 2024):

> Can you try adding the below and report back please?
>
> $ cat ~/.config/firejail/torbrowser-launcher.local
> private-bin execdesktop

@glitsj16 I tried this and I get: Warning: file execdesktop not found and it still didn't fix the tor browser error. I don't use the apparmor profile.

I also tried adding these three lines:

include disable-proc.inc
include whitelist-run-common.inc
seccomp.block-secondary

This did nothing as well.

I commented the whole firejail torbrowser-launcher profile and started uncommenting lines one by one. These lines need to remain commented for the error to disappear:

nonewprivs
protocol unix,inet,inet6
seccomp !chroot
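The line-by-line profile bisection that kmk3 suggested and powerjungle carried out above, as an added example script that is not part of firejail or of this thread: it starts with every directive disabled, re-enables one directive at a time on top of the accepted set, and reports which directives had to stay commented. It assumes a caller-supplied check command (exit 0 when the application starts and works under the trial profile); the profile paths in the comments are illustrative.

```shell
#!/bin/sh
# Added example, not part of firejail or this thread: linear bisection of a
# firejail profile. Start with every directive disabled, re-enable one at a
# time on top of the directives accepted so far, and report the ones under
# which the application stops working.
#
#   bisect_profile ORIGINAL_PROFILE TRIAL_PROFILE CHECK_CMD
#
# ORIGINAL_PROFILE  the profile to bisect, e.g. /etc/firejail/torbrowser-launcher.profile
# TRIAL_PROFILE     path where each trial profile is written; on return it holds the
#                   accepted directives, with the culprits kept as comments
# CHECK_CMD         assumed caller-supplied command or shell function that receives the
#                   trial profile path as $1 and exits 0 when the application starts and
#                   works under it (e.g. a wrapper around
#                   firejail --profile="$1" /usr/bin/torbrowser-launcher plus a start-up check)
#
# Culprit directives are printed on stdout, one per line, in profile order.
bisect_profile() {
    profile=$1
    work=$2
    check=$3
    candidates=$(mktemp) || return 2
    accepted=$(mktemp) || return 2
    culprits=$(mktemp) || return 2

    # Candidate directives: every line that is neither blank nor a comment.
    grep -Ev '^[[:space:]]*(#|$)' "$profile" > "$candidates"
    : > "$accepted"
    : > "$culprits"

    while IFS= read -r directive; do
        # Trial profile = everything accepted so far plus the directive under test.
        { cat "$accepted"; printf '%s\n' "$directive"; } > "$work"
        if "$check" "$work"; then
            printf '%s\n' "$directive" >> "$accepted"
        else
            # The application broke as soon as this directive came back: keep it off.
            printf '%s\n' "$directive" >> "$culprits"
        fi
    done < "$candidates"

    # Leave a usable trial profile behind: accepted directives first, culprits as
    # comments so the user sees exactly what was dropped and can decide how to
    # restore each one rather than running without it.
    {
        cat "$accepted"
        while IFS= read -r d; do
            printf '# BISECT-CULPRIT: %s\n' "$d"
        done < "$culprits"
    } > "$work"

    cat "$culprits"
    rm -f "$candidates" "$accepted" "$culprits"
}
```

A single linear pass assumes each directive's effect is independent of the others; a directive that only breaks the application in combination with another one is reported on whichever of the two happens to be re-enabled second.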
@ghost commented on GitHub (Apr 1, 2024):

> tried this and I get: Warning: file execdesktop not found and it still didn't fix the tor browser error. I don't use the apparmor profile.

Thanks for testing. Outside of the sandbox, do you have $HOME/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/execdesktop? it's a small bash script that checks the X-TorBrowser-ExecShell= line in $HOME/.local/share/torbrowser/tbb/x86_64/tor-browser/start-tor-browser.desktop. Just asking to stay on the same page. Your Tor Browser Launcher installation should have that file on disk.

> I don't use the apparmor profile

Good to know.

> These lines need to remain commented for the error to disappear:
>
> nonewprivs
> protocol unix,inet,inet6
> seccomp !chroot

Hmmm, those are pretty vital parts of the sandbox. Personally I wouldn't use TB without those options. Still can't reproduce. I'd try putting aside the TB profile in $HOME/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/TorBrowser/Data and see if anything changes for the better...
@powerjungle commented on GitHub (Apr 1, 2024):

> Thanks for testing. Outside of the sandbox, do you have $HOME/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/execdesktop?

I do have it, but how is firejail supposed to find it? I'm assuming it finds the other binaries using PATH, but execdesktop isn't added to the env.

> Hmmm, those are pretty vital parts of the sandbox.

Yeah I know, but I'm assuming the reason it fails with them is that the child requires some privileges which it doesn't get. I was looking at the tor profile, but couldn't find anything that seems to be causing it yet. I don't understand why protocol unix,inet,inet6 should interfere, but uncommenting it causes the error to appear even if the other 2 are commented.

> Still can't reproduce.

Are you using the current master version of firejail? Maybe something other than the profiles got fixed.
@ghost commented on GitHub (Apr 1, 2024):

> I do have it, but how is firejail supposed to find it? I'm assuming it finds the other binaries using PATH, but execdesktop isn't added to the env.

execdesktop is a helper script, part of what gets installed by torbrowser-launcher in your ${HOME}. It isn't in your PATH, but it is the shebang of $HOME/.local/share/torbrowser/tbb/x86_64/tor-browser/start-tor-browser.desktop:

$ head -n 1 $HOME/.local/share/torbrowser/tbb/x86_64/tor-browser/start-tor-browser.desktop
#!/usr/bin/env ./Browser/execdesktop

That's exactly why it now needs to be part of private-bin, where this issue all started :-)

> Are you using the current master version of firejail? Maybe something other than the profiles got fixed.

Indeed I am, like most if not all collaborators here are. It's also why you were asked (https://github.com/netblue30/firejail/issues/6269#issuecomment-1987249907) if it works with firejail-git (https://aur.archlinux.org/packages/firejail-git).

Did you try that yet?
@ghost commented on GitHub (Apr 1, 2024):

@powerjungle
I just reverted to Firejail 0.9.72 to further test this. My TB is at version 13.0.13 (based on Mozilla Firefox 115.9.1esr), which is the latest available. It just works fine for me here with firejail, only needing the private-bin execdesktop that 0.9.72's torbrowser-launcher.profile is missing.

So I'm not any wiser as to what might be causing the issue at your end. Assuming you use firecfg I wonder what your start-tor-browser.desktop actually looks like. For testing, please put aside any torbrowser.local you might have and run the below:

$ firejail --profile=torbrowser-launcher ${HOME}/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/start-tor-browser

That bypasses the .desktop file and the extra execdesktop isn't needed in this case.
@marek22k commented on GitHub (May 10, 2024):

Is there a workaround? The fix in https://github.com/glitsj16/firejail/commit/988e71de0999097ce7be3a3a97b0a2b831bbe7f9 does not solve the problem for me. (Maybe re-open the issue?) (Also same issue with firejail-git from AUR.)
@ghost commented on GitHub (May 10, 2024):

> Is there a workaround? The fix in glitsj16@988e71d does not solve the problem for me. (Maybe re-open the issue?)

Reopening...

Any logs and/or context description to try to understand what's going wrong on your end?
@marek22k commented on GitHub (May 10, 2024):

The same symptoms occur as before.
firejail.log (https://github.com/netblue30/firejail/files/15274140/firejail.log)

And with firejail-git:
firejail-git.log (https://github.com/netblue30/firejail/files/15274167/firejail-git.log)
@ghost commented on GitHub (May 14, 2024):

> The same symptoms occur as before.

I've looked and re-looked, but, alas, I can't get a meaningful grip on your issue. Let's hope someone else can join in with a fresh pair of eyes and be more helpful.
@schrotthaufen commented on GitHub (Nov 1, 2024):

Another Arch user here.

> Can you try adding the below and report back please?
>
> $ cat ~/.config/firejail/torbrowser-launcher.local
> private-bin execdesktop

Just adding this didn't help, but also adding apparmor to ~/.config/firejail/torbrowser-launcher.local, and uncommenting owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser/Browser/** ix,, as well as adding owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser/start-tor-browser.desktop ix, in /etc/apparmor.d/local/firejail-default fixed it for me. I did not try to completely disable apparmor on the system.
@kmk3 commented on GitHub (Nov 4, 2024):

> Another Arch user here.
>
> > Can you try adding the below and report back please?
> >
> > $ cat ~/.config/firejail/torbrowser-launcher.local
> > private-bin execdesktop
>
> Just adding this didn't help, but also adding apparmor to ~/.config/firejail/torbrowser-launcher.local, and uncommenting owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser/Browser/** ix,, as well as adding owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser/start-tor-browser.desktop ix, in /etc/apparmor.d/local/firejail-default fixed it for me. I did not try to completely disable apparmor on the system.

For clarity, does it work for you with firejail-git and no modifications?
Author
Owner

@schrotthaufen commented on GitHub (Nov 4, 2024):

With d763fb73ca I no longer need owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser/start-tor-browser.desktop ix,, but it still won't work without apparmor in ~/.config/firejail/torbrowser-launcher.local, and uncommenting owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser/Browser/** ix, in /etc/apparmor.d/local/firejail-default.

@powerjungle commented on GitHub (Jan 6, 2025):

Okay, I found the cause in my case. Since I installed the package `torbrowser-launcher` using the Debian package manager `apt`, it installed an Apparmor profile and it's set in `enforce` mode. If you download the "Tor browser bundle" from the Tor project website, you don't have the Apparmor profile, so you won't have this issue. I tried running the `master` version of Firejail before setting the Tor browser profile to `complain` in Apparmor and the issue was still present. The `torbrowser-launcher` package is the latest stable upstream version in this case, because I'm running Debian testing.

I did:

```
sudo aa-complain /etc/apparmor.d/torbrowser.Browser.firefox
sudo aa-complain /etc/apparmor.d/torbrowser.Tor.tor
```

and running the Tor browser with Firejail now works. Note, on Debian this requires the `apparmor-utils` package.

I don't know how Apparmor and Firejail conflict in this case, because I haven't looked into it deeply.

> I don't use the apparmor profile.

With this I meant I don't use the Firejail apparmor profile. I don't have the `apparmor` keyword in the `torbrowser-launcher.local` file.

@cobratbq commented on GitHub (Jan 13, 2025):

It looks like I recently ran into the same issue. I think the issue is caused by the fact that the `apparmor` setting is commented out in `torbrowser-launcher` but is also enabled by default in `/etc/firejail/firejail.config`. However, the firejail profile at `/etc/apparmor.d/local/firejail-default` still has the "_Uncomment to opt-in to apparmor for torbrowser-launcher_" config line commented out. I think the commented-out `apparmor` entry in `torbrowser-launcher` is meaningless when it's enabled by default.

So, my (otherwise very limited) experience:

IF `apparmor` is enabled by default in `/etc/firejail/firejail.config`:

1. it does not matter whether `torbrowser-launcher.profile` contains `apparmor` or not
2. `/etc/apparmor.d/local/firejail-default` would need to have its dedicated `torbrowser-launcher` line uncommented, otherwise enforcement is too strict and breaks torbrowser.

Note: if my understanding is correct, `apparmor` applies a program's apparmor profile within the confines of its `firejail-default` restrictions.

@cobratbq commented on GitHub (Jan 16, 2025):

Some additional comments:

- I have questions/concerns regarding [incorrectness/incompleteness of the recent fix](https://github.com/netblue30/firejail/pull/6270/files#r1919363150).
- Given the previous bullet point, I also wonder if there are additional changes necessary, e.g. in the apparmor profile to make this script executable. (I have not fully investigated this yet.)
- The include chain is somewhat illogical: `start-tor-browser.profile ---includes-> start-tor-browser.desktop.profile ---includes-> torbrowser-launcher.profile`. (torbrowser-launcher currently executes `start-tor-browser.desktop`, and `start-tor-browser.desktop` executes the `Browser/start-tor-browser` script.) I would logically expect a different dependence of includes.

I made similar corrections, though I find that running tor-browser through `torbrowser-launcher` doesn't yet work. Is this a local problem on my side or does anyone else have the same issue?

Note that running `Browser/start-tor-browser` directly with `firejail` has no issues, even with apparmor active, given [comments on corrections](https://github.com/netblue30/firejail/issues/6269#issuecomment-2588432098) for my case.

__2025-01-28 update__:

- Feedback in [first comment](https://github.com/netblue30/firejail/issues/6269#issuecomment-2588432098) regarding `apparmor` is false, but with an unexpected result: if `apparmor` in the profile is not enabled, both _Browser_ and _Tor_ load with the `torbrowser_firefox` apparmor profile, according to `aa-status`. (At least in my case.) This causes `tor` to fail to execute.
- `etc/apparmor/firejail-local` is incomplete, because `torbrowser-launcher` executes `~/.local/share/torbrowser/tbb/x86_64/tor-browser/start-tor-browser.desktop`. `/etc/apparmor.d/local/firejail-default` (only) marks `./Browser/**` executable but not `./start-tor-browser.desktop`. Now, with `apparmor` in the profile enabled, this mapping of processes to profiles is correctly made. (This would imply that PR #6270 is indeed incomplete. See also the comment above.)
- When using `aa-exec` to explicitly apply profiles to `/usr/bin/torbrowser-launcher` (without involving firejail), processes are also correctly mapped to profiles. So the mapping of both `tor` and `firefox.real` processes to `torbrowser_firefox` happens only when executed through `firejail` with `apparmor` in the profile disabled. __Bug in firejail?__
- I think this involves/duplicates issue #5436. (The solution is the extra apparmor "owner line" in `etc/apparmor/firejail-local` to mark `start-tor-browser.desktop` executable.)
- Adding `execdesktop` to `private-bin` did not make a difference for me. (See comments above.)
- To other users: there is less complication if you run `~/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/start-tor-browser` with `firejail` directly, as opposed to going through `/usr/bin/torbrowser-launcher`. Although that only works until `torbrowser-launcher` or the packaging changes, i.e. paths or scripts change.
- I have my reservations on whether `torbrowser-launcher` executing `start-tor-browser.desktop` is smart, i.e. too much unnecessary indirection. Though this is out of your control.

@glitsj16 @rusty-snake @netblue30 I think these findings shed light on this and another issue. I may be able to get other information if necessary.

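The two opt-in switches that the Jan 13 and Jan 16 comments above describe, as an added shell check (example code, not part of this thread or of the firejail project): it tests whether a firejail `.local` file carries the bare `apparmor` keyword and whether the `Browser/** ix,` rule in the AppArmor local override is uncommented, and reports which of the two is missing. The function names and the sample files are constructed for this example; their contents mirror the lines quoted in the thread.

```shell
#!/bin/sh
# Added example, not firejail project code. It checks the two opt-in
# switches discussed in the thread for running torbrowser-launcher under
# firejail with AppArmor enabled:
#   1. the bare `apparmor` keyword in ~/.config/firejail/torbrowser-launcher.local
#   2. the uncommented `owner @{HOME}/.../tor-browser/Browser/** ix,` rule
#      in /etc/apparmor.d/local/firejail-default
# Function names and the sample files below are constructed for this
# example; on a live system pass the real paths as the two arguments.

# Exit 0 when a non-comment line in the file is exactly the keyword "apparmor".
has_apparmor_keyword() {
    grep -Eq '^[[:space:]]*apparmor[[:space:]]*$' "$1"
}

# Exit 0 when the Browser/** exec rule is active, i.e. not behind a leading "#".
has_browser_exec_rule() {
    grep -Eq '^[[:space:]]*owner[[:space:]]+@\{HOME\}/\.local/share/torbrowser/tbb/\{i686,x86_64\}/tor-browser/Browser/\*\*[[:space:]]+ix,' "$1"
}

# Prints one word describing the combination found in $1 (.local) and $2 (override):
#   ok          both switches present (the configuration reported as working)
#   no-rule     keyword present, but the owner ... ix, line is still commented out
#   no-keyword  rule present, but the firejail .local lacks `apparmor`
#   neither     both missing
torbrowser_apparmor_state() {
    kw=1
    rule=1
    has_apparmor_keyword "$1" && kw=0
    has_browser_exec_rule "$2" && rule=0
    if [ "$kw" -eq 0 ] && [ "$rule" -eq 0 ]; then
        echo ok
    elif [ "$kw" -eq 0 ]; then
        echo no-rule
    elif [ "$rule" -eq 0 ]; then
        echo no-keyword
    else
        echo neither
    fi
}

# Constructed sample files standing in for the real ones.
TMPD=$(mktemp -d)

# .local without the keyword (only the private-bin line from the thread)
cat > "$TMPD/plain.local" <<'EOF'
private-bin execdesktop
EOF

# .local with the keyword added
cat > "$TMPD/opted-in.local" <<'EOF'
private-bin execdesktop
apparmor
EOF

# override as shipped: the rule is still commented out
cat > "$TMPD/firejail-default.shipped" <<'EOF'
# Uncomment to opt-in to apparmor for torbrowser-launcher
#owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser/Browser/** ix,
EOF

# the same override after uncommenting the rule
cat > "$TMPD/firejail-default.fixed" <<'EOF'
# Uncomment to opt-in to apparmor for torbrowser-launcher
owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser/Browser/** ix,
EOF

# Walk through the four combinations and print the verdict for each
for l in plain opted-in; do
    for a in shipped fixed; do
        printf '%-9s + %-8s -> %s\n' "$l" "$a" \
            "$(torbrowser_apparmor_state "$TMPD/$l.local" "$TMPD/firejail-default.$a")"
    done
done
```

On a live system the call is `torbrowser_apparmor_state ~/.config/firejail/torbrowser-launcher.local /etc/apparmor.d/local/firejail-default`. The check is static: after editing the override the `firejail-default` profile still has to be reloaded (`apparmor_parser -r`) before the change takes effect, and which profile each process actually ended up under is what `aa-status` shows, as the Jan 16 comment describes.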
@ddd75a650fee04c0ce576c877521c6bd commented on GitHub (Apr 15, 2025):

It started to happen to me recently, and it just didn't use to happen days ago.
It's blocking not just Tor Browser's connection, but it's also blocking Brave's Tor connection.
Even if you use the AUR Tor Browser binary version, which is based on the Tor Project's site package, it's also blocked, so I think the problem is worse now.
I'm on Arch Linux.
