[GH-ISSUE #6651] Add a profile for betterbird #3326

Closed
opened 2026-05-05 09:54:48 -06:00 by gitea-mirror · 8 comments

Originally created by @PWungsten on GitHub (Feb 19, 2025).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6651

Description

I am trying to run betterbird in firejail. I cannot get a profile that works. The automatically-built profile does not work.

Steps to Reproduce

  1. Run `/usr/bin/firejail --build=betterbird.profile /usr/local/bin/betterbird/betterbird &`. It runs, I can do normal stuff in betterbird.
  2. When betterbird exits, the file betterbird.profile is created. All OK so far.
  3. Move betterbird.profile to `$HOME/.config/firejail`
  4. Run `/usr/bin/firejail /usr/local/bin/betterbird/betterbird`. This fails, reporting

```
Reading profile /home/ME/.config/firejail/betterbird.profile
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Warning: networking feature is disabled in Firejail configuration file
Warning: "shell none" command in the profile file is done by default; the command will be deprecated
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 5647, child pid 5648
4 programs installed in 6.20 ms
Warning: skipping drirc for private /etc
Private /etc installed in 27.52 ms
Private /usr/etc installed in 0.00 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: cleaning all supplementary groups
Child process initialized in 107.37 ms
Error: no suitable /usr/local/bin/betterbird/betterbird executable found
```

Here is the automatically-created profile (comments and commented-out lines deleted)

```
include disable-common.inc
include disable-programs.inc
whitelist ${HOME}/.mozilla/firefox
whitelist ${HOME}/.mozilla/firefox/Crash Reports
whitelist ${HOME}/.cache/thumbnails
whitelist ${HOME}/.hidden
whitelist ${HOME}/.mozilla/extensions
whitelist ${HOME}/.mailcap
whitelist ${HOME}/.local/bin
whitelist ${HOME}/bin
whitelist ${HOME}/.local/share/glib-2.0/schemas
whitelist ${HOME}/.cache/mesa_shader_cache_db
whitelist ${HOME}/Downloads
whitelist ${HOME}/.cache/thunderbird
whitelist ${HOME}/.thunderbird
whitelist ${HOME}/.Xdefaults-peter-AS23
include whitelist-common.inc

whitelist /run/dconf/user/1000
include whitelist-run-common.inc
whitelist ${RUNUSER}/flatpak-info
whitelist ${RUNUSER}/gvfsd
whitelist ${RUNUSER}/pulse
whitelist ${RUNUSER}/at-spi/bus_0
include whitelist-runuser-common.inc
whitelist /usr/share/mozilla
whitelist /usr/share/gnome
whitelist /usr/share/cinnamon
include whitelist-usr-share-common.inc
whitelist /var/db/zoneinfo
include whitelist-var-common.inc

caps.drop all
ipc-namespace
netfilter
nonewprivs
noroot
protocol unix,inet,inet6,netlink,
netfilter
seccomp !chroot	# allowing chroot, just in case this is an Electron app
shell none
private-bin dash,betterbird/glxtest,betterbird/betterbird-bin,betterbird/betterbird,
private-dev
private-etc hosts,ld.so.conf.d,ld.so.conf,firefox,login.defs,mailcap,localtime,timezone,machine-id,mime.types,dconf,fonts,drirc,os-release,thunderbird,xdg,gtk-3.0,selinux,
```

Additional context

There is a file /usr/local/bin/betterbird/betterbird which I can run without firejail, so I think firejail has created a virtual /usr .

I tried adding these lines

```
whitelist /usr
whitelist /usr/local
whitelist /usr/local/bin
whitelist /usr/local/bin/betterbird
whitelist /var/mail
```

but got errors like

```
Error: invalid whitelist path /usr
```

or /usr/local after removing /usr. Removing both /usr and /usr/local caused the same error as above. (I have included /var/mail because I hope to get betterbird to access Postfix mail from within my LAN.)

Environment

Kernel: Linux 6.8.0-53-generic x86_64
Distribution: Linux Mint 22.1
Betterbird 128.7.0esr-bb22 (64-bit)
Firejail 0.9.72


@rusty-snake commented on GitHub (Feb 19, 2025):

Duplicate of #1139


@PWungsten commented on GitHub (Feb 19, 2025):

I have not so much asked for a new profile, as reported a bug that --build creates an invalid profile.


@kmk3 commented on GitHub (Feb 19, 2025):

> ```
> Error: no suitable /usr/local/bin/betterbird/betterbird executable found
> ```

This is likely due to `private-bin`.

> I have not so much asked for a new profile, as reported a bug that --build
> creates an invalid profile.

`--build` is intended as a starting point to check what a program might need
(see also `--trace=`); it is not expected to create a fully working profile.

If you want to create a new profile, look at the existing profiles for similar
programs (if any) and also the following:

* etc/templates/profile.template
* firejail(1) and firejail-profile(5)
* https://github.com/netblue30/firejail/wiki/Creating-Profiles

@PWungsten commented on GitHub (Feb 19, 2025):

kmk3 thanks for your input. Removing `private-bin` helped, but not completely.

betterbird now starts, but reports "failed to connect to server".

I could not find much help with web searches. Issue 3376 looks slightly similar, but offers no cure. I suspect I have an issue with log-on to my email provider. Below is an excerpt from `syslog` when firejail started (irrelevant time and device name removed)

```
dbus-daemon[953]: [system] Activating via systemd: service name='org.freedesktop.timedate1' unit='dbus-org.freedesktop.timedate1.service' requested by ':1.144' (uid=1000 pid=17106 comm="/usr/local/bin/betterbird/betterbird" label="unconfined")
dbus-daemon[953]: [system] Successfully activated service 'org.freedesktop.timedate1'
rtkit-daemon[1499]: Supervising 7 threads of 4 processes of 1 users.
rtkit-daemon[1499]: message repeated 3 times: [ Supervising 7 threads of 4 processes of 1 users.]
rtkit-daemon[1499]: Failed to look up client: No such file or directory
rtkit-daemon[1499]: Supervising 7 threads of 4 processes of 1 users.
```


@PWungsten commented on GitHub (Feb 19, 2025):

I have fixed the "failed to connect to server", by removing these lines from the profile.

```
private-dev
private-etc hosts,ld.so.conf.d,ld.so.conf,firefox,login.defs,mailcap,localtime,timezone,machine-id,mime.types,dconf,fonts,drirc,os-release,thunderbird,xdg,gtk-3.0,selinux,
```

Have I been too liberal? Is there a more secure way to allow log-on to my email provider?


@kmk3 commented on GitHub (Feb 20, 2025):

(Offtopic)

Please see the following links for how to format code blocks in markdown:

* <https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks>
* <https://github.github.com/gfm/#fenced-code-blocks>

@kmk3 commented on GitHub (Feb 20, 2025):

> I have fixed the "failed to connect to server", by removing these lines from
> the profile.
>
> > private-dev
> > private-etc hosts,ld.so.conf.d,ld.so.conf,firefox,login.defs,mailcap,localtime,timezone,machine-id,mime.types,dconf,fonts,drirc,os-release,thunderbird,xdg,gtk-3.0,selinux,
>
> Have I been too liberal? Is there a more secure way to allow log-on to my
> email provider?

You can use `--trace=` to find the paths that it uses.

Also, debugging should be easier with [firejail-git](https://github.com/netblue30/firejail?tab=readme-ov-file#building)
due to #6400.

@rusty-snake commented on GitHub (Feb 20, 2025):

> private-etc hosts,ld.so.conf.d,ld.so.conf,firefox,login.defs,mailcap,localtime,timezone,machine-id,mime.types,dconf,fonts,drirc,os-release,thunderbird,xdg,gtk-3.0,selinux

No `resolv.conf`

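The check the last comment points to, as an added example that is not part of the thread or of firejail's code: a POSIX shell function that reports names missing from a profile's `private-etc` list, so the restriction can be kept and extended instead of removed. The function names and the default required list (`resolv.conf` only, the one file named above) are assumptions; which other `/etc` files Betterbird needs is not stated in this thread.

```shell
#!/bin/sh
# Added example, not firejail code. Function names are hypothetical.

# Write a constructed sample: the networking-related lines of the profile above.
write_sample_profile() {
    cat > "$1" <<'EOF'
protocol unix,inet,inet6,netlink,
private-dev
private-etc hosts,ld.so.conf.d,ld.so.conf,firefox,login.defs,mailcap,localtime,timezone,machine-id,mime.types,dconf,fonts,drirc,os-release,thunderbird,xdg,gtk-3.0,selinux,
EOF
}

# missing_private_etc PROFILE [NAME...]
# Print each NAME that the profile's private-etc list does not contain.
# NAME defaults to resolv.conf (assumption: the only file the thread names).
# Prints nothing if there is no private-etc line (no private /etc is built)
# or if the profile disables networking with "net none".
missing_private_etc() {
    profile=$1; shift
    [ $# -gt 0 ] || set -- resolv.conf
    stripped=$(sed 's/#.*//' "$profile")          # drop comments
    if printf '%s\n' "$stripped" |
        grep -Eq '^[[:space:]]*net[[:space:]]+none([[:space:]]|$)'; then
        return 0
    fi
    # One entry per line; tolerate spaces and the trailing comma --build emits.
    listed=$(printf '%s\n' "$stripped" | awk '
        $1 == "private-etc" {
            sub(/^[ \t]*private-etc[ \t]*/, "")
            n = split($0, a, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", a[i])
                if (a[i] != "") print a[i]
            }
        }')
    [ -n "$listed" ] || return 0
    for name in "$@"; do
        printf '%s\n' "$listed" | grep -Fxq -- "$name" || printf '%s\n' "$name"
    done
}

# Demo on the constructed sample.
tmp=$(mktemp)
write_sample_profile "$tmp"
missing_private_etc "$tmp"
rm -f "$tmp"
```

Extra names can be passed after the profile path to check a longer list taken from `--trace=` output.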