[GH-ISSUE #6802] firefox: cannot create PWAs due to read-only ~/.local/share/applications #3376

Closed
opened 2026-05-05 09:57:03 -06:00 by gitea-mirror · 5 comments
Owner

Originally created by @ipaqmaster on GitHub (Jul 6, 2025).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6802

Description

PWAsForFirefox throws OS error 13 (11) as it attempts to create ${HOME}/.local/share/applications/FFPWA-someuuid.desktop because it's only accessible as a read-only filesystem.

I tried adding these two lines in ${HOME}/.config/firejail/firefox.local but nothing has changed:

noblacklist ${HOME}/.local/share/applications
whitelist   ${HOME}/.local/share/applications

Steps to Reproduce

Steps to reproduce the behavior

  1. Open firefox with the default firejail profile
  2. Install this extension https://github.com/filips123/PWAsForFirefox
  3. Go to any website and open the extension in the extensions list
  4. Go to the apps tab and attempt to install whatever webpage you're currently on as a PWA
  5. With other whitelists and noblacklists relevant to this extension it almost succeeds but fails to finish the installation by installing the shortcut thus failing instead.

Expected behavior

Being able to use this extension while firefox is running in firejail

Actual behavior

The extension almost succeeds with a few other whitelist and noblacklist lines in firefox.local - but ultimately fails when it attempts to create a start menu .desktop file for the web app being installed and gives up trying to install it.

Behavior without a profile

What changed calling LC_ALL=C firejail --noprofile /path/to/program in a terminal?

Nothing. Works fine without firejail

Additional context

It's frustrating that whitelist and noblacklist overrides aren't always enough to allow certain paths into some of the default profiles

Any other detail that may help to understand/debug the problem

Environment

  • Name/version/arch of the Linux kernel (uname -srm): Linux 6.12.35-1-lts x86_64
  • Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux"): Arch Linux
  • Name/version of the relevant program(s)/package(s) (e.g. "firefox 134.0-1,
    mesa 1:24.3.3-2"): Mozilla Firefox 140.0.2
  • Version of Firejail (firejail --version): firejail version 0.9.74
  • If you use a development version of firejail, also the commit from which it
    was compiled (git rev-parse HEAD):

Checklist

  • [x] The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • [x] I can reproduce the issue without custom modifications (e.g. globals.local).
  • [x] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [x] The profile (and redirect profile if exists) hasn't already been fixed upstream (https://github.com/netblue30/firejail/tree/master/etc).
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).
    • [x] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • [ ] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program

output goes here

Output of LC_ALL=C firejail --debug /path/to/program

output goes here

Relates to:

  • #6689
gitea-mirror 2026-05-05 09:57:03 -06:00
  • closed this issue
  • added the
    notabug
    label
Author
Owner

@ipaqmaster commented on GitHub (Jul 6, 2025):

Attempting to add:

noblacklist ${HOME}/.local/share/applications
whitelist   ${HOME}/.local/share/applications
read-write ${HOME}/.local/share/applications

Also does not make the path writable which I think would have fixed this if it worked.

Author
Owner

@ipaqmaster commented on GitHub (Jul 6, 2025):

I found the cause. It's because firefox.profile includes firefox-common.profile and that one includes disable-common.inc; commenting that out makes the above work successfully.

disable-common.inc has an explicit read-only ${HOME}/.local/share/applications inside which is overriding my firefox.local exception.

I'll have to think of a way to keep including disable-common.inc while letting the above directories past.

Author
Owner

@ipaqmaster commented on GitHub (Jul 6, 2025):

Excellent, it looks like I can just add the line ignore read-only ${HOME}/.local/share/applications to the firefox.local and now I can add PWAs.

My full final ${HOME}/.config/firejail/firefox.local:

whitelist   /usr/share/firefoxpwa
whitelist   ${HOME}/.local/share/firefoxpwa
read-write ${HOME}/.local/share/applications
ignore read-only ${HOME}/.local/share/applications # include-common.inc would otherwise set this read-only again later

Because of /etc/firejail/disable-exec.inc containing noexec ${HOME} firefox can't run the PWA executable itself (${HOME}/.local/share/firefoxpwa/runtime/firefox), but the start menu shortcut works to launch it outside of firefox

Author
Owner

@kmk3 commented on GitHub (Jul 8, 2025):

> Excellent, it looks like I can just add the line ignore read-only ${HOME}/.local/share/applications to the firefox.local and now I can add PWAs.
>
> My full final ${HOME}/.config/firejail/firefox.local:
>
> whitelist   /usr/share/firefoxpwa
> whitelist   ${HOME}/.local/share/firefoxpwa
> read-write ${HOME}/.local/share/applications
> ignore read-only ${HOME}/.local/share/applications # include-common.inc would otherwise set this read-only again later

I'm glad that it works, but note that this is dangerous, as it allows creating
a .desktop file that could override the one for an existing program (such as
for firefox) and run arbitrary commands outside of firejail (if the .desktop
file is opened through an application launcher).

See also:

  • #6689
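The risk kmk3 describes is that a `.desktop` file in `${HOME}/.local/share/applications` takes precedence over the same-named file in `/usr/share/applications`, so a sandboxed process with write access there can change what a launcher runs when the user clicks "Firefox". The POSIX shell script below is an added example (not part of the issue, the firejail project or PWAsForFirefox) of a defender-side check for that outcome: it lists per-user entries that shadow a system entry with a different `Exec=` line, while leaving genuinely new entries such as the `FFPWA-*.desktop` shortcuts alone. The fixture directories, file contents and the `/tmp/unexpected-command` value are constructed for the demo; on a real system you would point `audit_shadowed` at `~/.local/share/applications` and `/usr/share/applications`.

```shell
#!/bin/sh
# Added example: find user-level .desktop files that shadow a system entry
# with a different Exec= line. Launchers that follow the XDG desktop entry
# lookup prefer ~/.local/share/applications over /usr/share/applications,
# so a writable user directory lets a sandboxed program redirect an
# existing menu entry to a command that runs outside the sandbox.

# exec_of FILE: print the first Exec= value found in FILE.
exec_of() {
    sed -n 's/^Exec=//p' "$1" | head -n 1
}

# audit_shadowed USER_DIR SYSTEM_DIR
# Prints one SHADOWED record per user entry whose file name also exists in
# SYSTEM_DIR but whose Exec= line differs. Returns 1 if any were found,
# 0 otherwise, so it can be used directly in an if/cron check.
audit_shadowed() {
    user_dir=$1
    sys_dir=$2
    found=0
    for f in "$user_dir"/*.desktop; do
        [ -e "$f" ] || continue            # no .desktop files at all
        name=$(basename "$f")
        sys="$sys_dir/$name"
        [ -e "$sys" ] || continue          # new entry, nothing to shadow
        u=$(exec_of "$f")
        s=$(exec_of "$sys")
        if [ "$u" != "$s" ]; then
            printf 'SHADOWED %s\n  system: %s\n  user:   %s\n' "$name" "$s" "$u"
            found=1
        fi
    done
    return $found
}

# build_fixture DIR: constructed sample data for a stand-alone run.
# DIR/sys stands in for /usr/share/applications and DIR/user for
# ~/.local/share/applications.
build_fixture() {
    mkdir -p "$1/sys" "$1/user"
    printf '[Desktop Entry]\nName=Firefox\nExec=/usr/lib/firefox/firefox %%u\n' \
        > "$1/sys/firefox.desktop"
    # A PWA shortcut with no system counterpart: legitimate, not flagged.
    printf '[Desktop Entry]\nName=Example PWA\nExec=firefoxpwa site launch 01ABC\n' \
        > "$1/user/FFPWA-01ABC.desktop"
    # A same-named copy of the system entry pointing elsewhere: flagged.
    printf '[Desktop Entry]\nName=Firefox\nExec=/tmp/unexpected-command\n' \
        > "$1/user/firefox.desktop"
}

# Demo run on the constructed fixture. For a real audit replace the two
# arguments with "$HOME/.local/share/applications" /usr/share/applications.
demo_dir=$(mktemp -d)
build_fixture "$demo_dir"
if audit_shadowed "$demo_dir/user" "$demo_dir/sys"; then
    echo "no shadowed entries"
else
    echo "shadowed entries found: review the files above"
fi
rm -rf "$demo_dir"
```

The check only compares `Exec=` lines, which is the field a launcher executes; a stricter version could also flag any user entry whose name matches a system entry at all, since a PWA installer has no reason to create one.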
Author
Owner

@ipaqmaster commented on GitHub (Jul 9, 2025):

True. It's unusual for a firefox extension to need access for creating start menu entries and this ignore line opens that up as a vector. It also technically allows the modification of desktop shortcuts into anything arbitrary too.
