github-starred/firejail

Fork 0

mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00

[GH-ISSUE #6913] torbrowser-launcher: crash when uploading files (glycin) #3415

New issue

Open

opened 2026-05-05 09:59:16 -06:00 by gitea-mirror · 12 comments

gitea-mirror commented

2026-05-05 09:59:16 -06:00

Owner

Originally created by @S0AndS0 on GitHub (Sep 29, 2025).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6913

Description

Browser crashes when trying to upload file/image to website, such as T/Xwitter

Steps to Reproduce

Steps to reproduce the behavior

Run in bash LC_ALL=C firejail --profile=/etc/firejail/torbrowser-launcher.profile .local/share/torbrowser/tbb/x86_64/tor-browser/Browser/start-tor-browser (LC_ALL=C to get a consistent
output in English that can be understood by everybody)
Attempt to upload file to T/Xwitter, or really anywhere that'd pop KDE's upload file selector
~~Scroll down to '....'~~
See error ERROR... or lack there of, it crashes without any error reported to STD{OUT,ERR}

Expected behavior

KDE's select file window to pop for selecting a file to upload

Actual behavior

Crashes all windows/tabs of torbrowser without error being reported

Behavior without a profile

KDE's select file window to pops for selecting a file to upload

Additional context

This is relatively recent, some-when between 2025-09-18 through 2025-09-27 something about KDE and/or Firejail and/or Tor Browser ain't playing nice.

Environment

Name/version/arch of the Linux kernel: Linux 6.16.8-arch3-1 x86_64
Name/version of the Linux distribution: Arch Linux
Name/version of the relevant program(s)/package(s): 14.5.7 (based on Mozilla Firefox 128.14.0esr)
Version of Firejail (firejail --version): 0.9.76
~~If you use a development version of firejail, also the commit from which it was compiled (git rev-parse HEAD):~~

Checklist

The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
I can reproduce the issue without custom modifications (e.g. globals.local).
The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
The profile (and redirect profile if exists) hasn't already been fixed upstream.

searching recent commit history via GitHub didn't result in recent torbrowser related changes I could spot
I have performed a short search for similar issues (to avoid opening a duplicate).
- I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  
  Doesn't seem applicable as everything worked fine prior to recent system updates 🤷
I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program

Reading profile /etc/firejail/torbrowser-launcher.profile
Reading profile /home/s0ands0/.config/firejail/torbrowser-launcher.local
Reading profile /etc/firejail/allow-python2.inc
Reading profile /etc/firejail/allow-python3.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-proc.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
firejail version 0.9.76

Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Ignoring "dbus-user.talk org.freedesktop.Notifications" and 4 other dbus-user filter rules.
Parent pid 47080, child pid 47081
Warning: NVIDIA card detected, nogroups command ignored
89 programs installed in 130.12 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Private /etc installed in 69.42 ms
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Base filesystem installed in 135.93 ms
Warning: NVIDIA card detected, nogroups command ignored
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Child process initialized in 495.11 ms

Parent is shutting down, bye...

Output of LC_ALL=C firejail --debug /path/to/program

output goes here

Profiles currently in use

> `/etc/firejail/torbrowser-launcher.profile`

# Firejail profile for torbrowser-launcher
# Description: Helps download and run the Tor Browser Bundle
# This file is overwritten after every install/update
# Persistent local customizations
include torbrowser-launcher.local
# Persistent global definitions
include globals.local

ignore noexec ${HOME}

noblacklist ${HOME}/.config/torbrowser
noblacklist ${HOME}/.local/share/torbrowser

# Allow python (blacklisted by disable-interpreters.inc)
include allow-python2.inc
include allow-python3.inc

blacklist /srv
blacklist /sys/class/net

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-proc.inc
include disable-programs.inc
include disable-xdg.inc

mkdir ${HOME}/.config/torbrowser
mkdir ${HOME}/.local/share/torbrowser
whitelist ${DOWNLOADS}
whitelist ${HOME}/.config/torbrowser
whitelist ${HOME}/.local/share/torbrowser
whitelist /opt/tor-browser
whitelist /usr/share/torbrowser-launcher
include whitelist-common.inc
include whitelist-run-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

# Add 'apparmor' to your torbrowser-launcher.local to enable AppArmor support.
# IMPORTANT: the relevant rule in /etc/apparmor.d/local/firejail-default will need
# to be uncommented too for this to work as expected.
#apparmor
caps.drop all
netfilter
nodvd
nogroups
noinput
nonewprivs
noroot
notv
nou2f
novideo
protocol unix,inet,inet6
seccomp !chroot
seccomp.block-secondary
#tracelog # may cause issues, see #1930

disable-mnt
private-bin bash,cat,cp,cut,dirname,env,execdesktop,expr,file,gpg,grep,gxmessage,id,kdialog,ln,mkdir,mv,python*,rm,sed,sh,tail,tar,tclsh,test,tor-browser,tor-browser-en,torbrowser-launcher,update-desktop-database,xmessage,xz,zenity
private-dev
private-etc @tls-ca
private-tmp

dbus-user none
dbus-system none

#restrict-namespaces

~/.config/firejail/torbrowser-launcher.local

## Add the next line to your firefox.local to enable native notifications.
dbus-user.talk org.freedesktop.Notifications

## Add the next line to your firefox.local to allow inhibiting screensavers.
dbus-user.talk org.freedesktop.ScreenSaver

## Add the next lines to your firefox.local for plasma browser integration.
dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
dbus-user.talk org.kde.JobViewServer
dbus-user.talk org.kde.kuiserver

## Enable KeePassXD integrations
# https://github.com/netblue30/firejail/discussions/5444
noblacklist ${RUNUSER}/app
mkdir ${RUNUSER}/app/org.keepassxc.KeePassXC
whitelist ${RUNUSER}/app/org.keepassxc.KeePassXC
# https://github.com/netblue30/firejail/issues/3952#issuecomment-774717729
whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
whitelist ${RUNUSER}/kpxc_server
private-bin keepassxc-proxy

Originally created by @S0AndS0 on GitHub (Sep 29, 2025). Original GitHub issue: https://github.com/netblue30/firejail/issues/6913 ### Description Browser crashes when trying to upload file/image to website, such as T/Xwitter ### Steps to Reproduce _Steps to reproduce the behavior_ 1. Run in bash `LC_ALL=C firejail --profile=/etc/firejail/torbrowser-launcher.profile .local/share/torbrowser/tbb/x86_64/tor-browser/Browser/start-tor-browser` (`LC_ALL=C` to get a consistent output in English that can be understood by everybody) 2. Attempt to upload file to T/Xwitter, or really anywhere that'd pop KDE's upload file selector 3. ~~Scroll down to '....'~~ 4. See error `ERROR`... or lack there of, it crashes without any error reported to STD{OUT,ERR} ### Expected behavior KDE's select file window to pop for selecting a file to upload ### Actual behavior Crashes all windows/tabs of `torbrowser` without error being reported ### Behavior without a profile KDE's select file window to pops for selecting a file to upload ### Additional context This is relatively recent, some-when between 2025-09-18 through 2025-09-27 something about KDE and/or Firejail and/or Tor Browser ain't playing nice. ### Environment - Name/version/arch of the Linux kernel: Linux 6.16.8-arch3-1 x86_64 - Name/version of the Linux distribution: Arch Linux - Name/version of the relevant program(s)/package(s): 14.5.7 (based on Mozilla Firefox 128.14.0esr) - Version of Firejail (`firejail --version`): 0.9.76 - ~~If you use a development version of firejail, also the commit from which it was compiled (`git rev-parse HEAD`):~~ ### Checklist  - [x] The issues is caused by firejail (i.e. running the program by path (e.g. `/usr/bin/vlc`) "fixes" it). - [x] I can reproduce the issue without custom modifications (e.g. globals.local). - [x] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`) - [ ] The profile (and redirect profile if exists) hasn't already been fixed [upstream](https://github.com/netblue30/firejail/tree/master/etc). > searching recent commit history via GitHub didn't result in recent `torbrowser` related changes I could spot - [x] I have performed a short search for similar issues (to avoid opening a duplicate). - [ ] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers. > Doesn't seem applicable as everything worked fine prior to recent system updates :shrug: - [x] I used `--profile=PROFILENAME` to set the right profile. (Only relevant for AppImages) ### Log <details> <summary>Output of <code>LC_ALL=C firejail /path/to/program</code></summary> <p> ``` Reading profile /etc/firejail/torbrowser-launcher.profile Reading profile /home/s0ands0/.config/firejail/torbrowser-launcher.local Reading profile /etc/firejail/allow-python2.inc Reading profile /etc/firejail/allow-python3.inc Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-exec.inc Reading profile /etc/firejail/disable-interpreters.inc Reading profile /etc/firejail/disable-proc.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/disable-xdg.inc Reading profile /etc/firejail/whitelist-common.inc Reading profile /etc/firejail/whitelist-run-common.inc Reading profile /etc/firejail/whitelist-runuser-common.inc Reading profile /etc/firejail/whitelist-usr-share-common.inc Reading profile /etc/firejail/whitelist-var-common.inc firejail version 0.9.76 Seccomp list in: !chroot, check list: @default-keep, prelist: unknown, Ignoring "dbus-user.talk org.freedesktop.Notifications" and 4 other dbus-user filter rules. Parent pid 47080, child pid 47081 Warning: NVIDIA card detected, nogroups command ignored 89 programs installed in 130.12 ms Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set. Private /etc installed in 69.42 ms Warning: NVIDIA card detected, nogroups command ignored Warning: NVIDIA card detected, nogroups command ignored Warning: /sbin directory link was not blacklisted Warning: /usr/sbin directory link was not blacklisted Base filesystem installed in 135.93 ms Warning: NVIDIA card detected, nogroups command ignored Seccomp list in: !chroot, check list: @default-keep, prelist: unknown, Warning: NVIDIA card detected, nogroups command ignored Warning: NVIDIA card detected, nogroups command ignored Child process initialized in 495.11 ms Parent is shutting down, bye... ``` </p> </details> <details> <summary>Output of <code>LC_ALL=C firejail --debug /path/to/program</code></summary> <p>  ``` output goes here ``` </p> </details> <details><summary>Profiles currently in use</summary> > `/etc/firejail/torbrowser-launcher.profile` ```firejail # Firejail profile for torbrowser-launcher # Description: Helps download and run the Tor Browser Bundle # This file is overwritten after every install/update # Persistent local customizations include torbrowser-launcher.local # Persistent global definitions include globals.local ignore noexec ${HOME} noblacklist ${HOME}/.config/torbrowser noblacklist ${HOME}/.local/share/torbrowser # Allow python (blacklisted by disable-interpreters.inc) include allow-python2.inc include allow-python3.inc blacklist /srv blacklist /sys/class/net include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc include disable-proc.inc include disable-programs.inc include disable-xdg.inc mkdir ${HOME}/.config/torbrowser mkdir ${HOME}/.local/share/torbrowser whitelist ${DOWNLOADS} whitelist ${HOME}/.config/torbrowser whitelist ${HOME}/.local/share/torbrowser whitelist /opt/tor-browser whitelist /usr/share/torbrowser-launcher include whitelist-common.inc include whitelist-run-common.inc include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc # Add 'apparmor' to your torbrowser-launcher.local to enable AppArmor support. # IMPORTANT: the relevant rule in /etc/apparmor.d/local/firejail-default will need # to be uncommented too for this to work as expected. #apparmor caps.drop all netfilter nodvd nogroups noinput nonewprivs noroot notv nou2f novideo protocol unix,inet,inet6 seccomp !chroot seccomp.block-secondary #tracelog # may cause issues, see #1930 disable-mnt private-bin bash,cat,cp,cut,dirname,env,execdesktop,expr,file,gpg,grep,gxmessage,id,kdialog,ln,mkdir,mv,python*,rm,sed,sh,tail,tar,tclsh,test,tor-browser,tor-browser-en,torbrowser-launcher,update-desktop-database,xmessage,xz,zenity private-dev private-etc @tls-ca private-tmp dbus-user none dbus-system none #restrict-namespaces ``` > `~/.config/firejail/torbrowser-launcher.local` ```firejail ## Add the next line to your firefox.local to enable native notifications. dbus-user.talk org.freedesktop.Notifications ## Add the next line to your firefox.local to allow inhibiting screensavers. dbus-user.talk org.freedesktop.ScreenSaver ## Add the next lines to your firefox.local for plasma browser integration. dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration dbus-user.talk org.kde.JobViewServer dbus-user.talk org.kde.kuiserver ## Enable KeePassXD integrations # https://github.com/netblue30/firejail/discussions/5444 noblacklist ${RUNUSER}/app mkdir ${RUNUSER}/app/org.keepassxc.KeePassXC whitelist ${RUNUSER}/app/org.keepassxc.KeePassXC # https://github.com/netblue30/firejail/issues/3952#issuecomment-774717729 whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer whitelist ${RUNUSER}/kpxc_server private-bin keepassxc-proxy ``` </details>

gitea-mirror commented

2026-05-05 09:59:18 -06:00

Author

Owner

@Blourvim commented on GitHub (Sep 29, 2025):

firejail version 0.9.76
Mozilla Firefox 143.0.1
KDE plasma
arch linux 6.16.8-arch3-1
When trying to upload attachment same issue happens on vanilla firefox FYI

Sorry for no logs, will continue testing

@Blourvim commented on GitHub (Sep 29, 2025): firejail version 0.9.76 Mozilla Firefox 143.0.1 KDE plasma arch linux 6.16.8-arch3-1 When trying to upload attachment same issue happens on vanilla firefox FYI Sorry for no logs, will continue testing

gitea-mirror commented

2026-05-05 09:59:19 -06:00

Author

Owner

@Blourvim commented on GitHub (Sep 29, 2025):

@S0AndS0 Could you run firefox via the terminal, replicate the issue then paste the logs here

I think I am having the same problem, got in the zone would love to find a solution

@Blourvim commented on GitHub (Sep 29, 2025): @S0AndS0 Could you run firefox via the terminal, replicate the issue then paste the logs here I think I am having the same problem, got in the zone would love to find a solution

gitea-mirror commented

2026-05-05 09:59:20 -06:00

Author

Owner

@Friskygote commented on GitHub (Sep 29, 2025):

Have same/similar issue with Firefox on Arch after updating yesterday, to me it seems like issue with icons for built in filepicker maybe? Window icon for closing, minimizing etc. no longer show up either.

If needed I could provide full log with --debug, however I'd rather avoid it. Here is the output that gets printed when Firefox crashes while showing the file picker window (happens when uploading, downloading):

[Parent 42, Main Thread] WARNING: Could not load a pixbuf from icon theme.
This may indicate that pixbuf loaders or the mime database could not be found.: 'glib warning', file /usr/src/debug/firefox/firefox-143.0.1/toolkit/xre/nsSigHandlers.cpp:201

(firefox:42): Gtk-WARNING **: 16:20:39.232: Could not load a pixbuf from icon theme.
This may indicate that pixbuf loaders or the mime database could not be found.
**
Gtk:ERROR:../gtk/gtk/gtkiconhelper.c:495:ensure_surface_for_gicon: assertion failed (error == NULL): Failed to load /usr/share/icons/Adwaita/scalable/status/image-missing.svg: No image loaders are configured. You might need to install a package like glycin-loaders.
Used config: Config {
    image_loader: {},
    image_editor: {},
} (gdk-pixbuf-error-quark, 0)
Bail out! Gtk:ERROR:../gtk/gtk/gtkiconhelper.c:495:ensure_surface_for_gicon: assertion failed (error == NULL): Failed to load /usr/share/icons/Adwaita/scalable/status/image-missing.svg: No image loaders are configured. You might need to install a package like glycin-loaders. Used config: Config {     image_loader: {},     image_editor: {}, } (gdk-pixbuf-error-quark, 0)

@Friskygote commented on GitHub (Sep 29, 2025): Have same/similar issue with Firefox on Arch after updating yesterday, to me it seems like issue with icons for built in filepicker maybe? Window icon for closing, minimizing etc. no longer show up either. If needed I could provide full log with --debug, however I'd rather avoid it. Here is the output that gets printed when Firefox crashes while showing the file picker window (happens when uploading, downloading): ``` [Parent 42, Main Thread] WARNING: Could not load a pixbuf from icon theme. This may indicate that pixbuf loaders or the mime database could not be found.: 'glib warning', file /usr/src/debug/firefox/firefox-143.0.1/toolkit/xre/nsSigHandlers.cpp:201 (firefox:42): Gtk-WARNING **: 16:20:39.232: Could not load a pixbuf from icon theme. This may indicate that pixbuf loaders or the mime database could not be found. ** Gtk:ERROR:../gtk/gtk/gtkiconhelper.c:495:ensure_surface_for_gicon: assertion failed (error == NULL): Failed to load /usr/share/icons/Adwaita/scalable/status/image-missing.svg: No image loaders are configured. You might need to install a package like glycin-loaders. Used config: Config { image_loader: {}, image_editor: {}, } (gdk-pixbuf-error-quark, 0) Bail out! Gtk:ERROR:../gtk/gtk/gtkiconhelper.c:495:ensure_surface_for_gicon: assertion failed (error == NULL): Failed to load /usr/share/icons/Adwaita/scalable/status/image-missing.svg: No image loaders are configured. You might need to install a package like glycin-loaders. Used config: Config { image_loader: {}, image_editor: {}, } (gdk-pixbuf-error-quark, 0) ```

gitea-mirror commented

2026-05-05 09:59:21 -06:00

Author

Owner

@S0AndS0 commented on GitHub (Sep 29, 2025):

@Blourvim gonna be a bit for me to replicate via firefox but logs of torbrowser, as unhelpful as they may be, are provided in OP x-)

@Friskygote I can confirm similar errors be popping for thunderbird too!

**
Gtk:ERROR:../gtk/gtk/gtkiconhelper.c:495:ensure_surface_for_gicon: assertion failed (error == NULL): Failed to load /usr/share/icons/breeze-dark/status/16/image-missing.svg: No image loaders are configured. You might need to install a package like glycin-loaders.
Used config: Config {
    image_loader: {},
    image_editor: {},
} (gdk-pixbuf-error-quark, 0)
Bail out! Gtk:ERROR:../gtk/gtk/gtkiconhelper.c:495:ensure_surface_for_gicon: assertion failed (error == NULL): Failed to load /usr/share/icons/breeze-dark/status/16/image-missing.svg: No image loaders are configured. You might need to install a package like glycin-loaders. Used config: Config {     image_loader: {},     image_editor: {}, } (gdk-pixbuf-error-quark, 0)
Redirecting call to abort() to mozalloc_abort

Warning: removing 2 bytes from stdin

Parent is shutting down, bye...

But adding whitlist/noblacklist stuff to local profile ain't resulting in joy;

~/.config/firejail/thunderbird.local

noblacklist /usr/share/icons
whitelist /usr/share/icons

... So I'm inclined to point fingers of blame at KDE.

@S0AndS0 commented on GitHub (Sep 29, 2025): @Blourvim gonna be a _bit_ for me to replicate via `firefox` but logs of `torbrowser`, as unhelpful as they may be, are provided in OP x-) @Friskygote I can confirm similar errors be popping for `thunderbird` too! ``` ** Gtk:ERROR:../gtk/gtk/gtkiconhelper.c:495:ensure_surface_for_gicon: assertion failed (error == NULL): Failed to load /usr/share/icons/breeze-dark/status/16/image-missing.svg: No image loaders are configured. You might need to install a package like glycin-loaders. Used config: Config { image_loader: {}, image_editor: {}, } (gdk-pixbuf-error-quark, 0) Bail out! Gtk:ERROR:../gtk/gtk/gtkiconhelper.c:495:ensure_surface_for_gicon: assertion failed (error == NULL): Failed to load /usr/share/icons/breeze-dark/status/16/image-missing.svg: No image loaders are configured. You might need to install a package like glycin-loaders. Used config: Config { image_loader: {}, image_editor: {}, } (gdk-pixbuf-error-quark, 0) Redirecting call to abort() to mozalloc_abort Warning: removing 2 bytes from stdin Parent is shutting down, bye... ``` But adding `whitlist`/`noblacklist` stuff to local profile ain't resulting in joy; > `~/.config/firejail/thunderbird.local` ```firejail noblacklist /usr/share/icons whitelist /usr/share/icons ``` ... So I'm inclined to point fingers of blame at KDE.

gitea-mirror commented

2026-05-05 09:59:21 -06:00

Author

Owner

@Antiz96 commented on GitHub (Sep 29, 2025):

Can confirm that most things (if not anything) that has to do with the download folder in both firefox and thunderbird (e.g. upload a file, save an image or an attachment, etc...) results in a crash, probably since the latest firefox/thunderbird update. I also confirm that the icon for "closing, maximizing, minimizing" are invisible too now.

Firejail 0.9.76
Firefox/Thunderbird 143.0.1
Arch Linux 6.16.8-arch3-1

I'm happy to provide more info if needed or test any patches if it helps :)

@Antiz96 commented on GitHub (Sep 29, 2025): Can confirm that most things (if not anything) that has to do with the download folder in both firefox and thunderbird (e.g. upload a file, save an image or an attachment, etc...) results in a crash, *probably* since the latest firefox/thunderbird update. I also confirm that the icon for "closing, maximizing, minimizing" are invisible too now. ``` Firejail 0.9.76 Firefox/Thunderbird 143.0.1 Arch Linux 6.16.8-arch3-1 ``` I'm happy to provide more info if needed or test any patches if it helps :)

gitea-mirror commented

2026-05-05 09:59:22 -06:00

Author

Owner

@kmk3 commented on GitHub (Sep 29, 2025):

Since the error seems very similar, closing as a duplicate of:

#6906

If the problem is actually caused by something else, please clarify.

@kmk3 commented on GitHub (Sep 29, 2025): Since the error seems very similar, closing as a duplicate of: * #6906 If the problem is actually caused by something else, please clarify.

gitea-mirror commented

2026-05-05 09:59:23 -06:00

Author

Owner

@S0AndS0 commented on GitHub (Sep 29, 2025):

@kmk3 Thanks! I tried the profile suggestions from myrslint within thunderbird.local and that seems to allow file upload/picker to pop 🎉

~~If I don't report back with an update, then it may be safe to assume those profile modifications to work with Tor too :-)~~

Edit 2025-09-29 20:41 -- Nope no joy with Tor Browser

$ firejail --profile=/etc/firejail/torbrowser-launcher.profile \
  .local/share/torbrowser/tbb/x86_64/tor-browser/Browser/start-tor-browser \
  --verbose
(Tor Browser:133): Gtk-CRITICAL **: 13:36:02.822: Unable to create user data directory '/home/s0ands0/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.local/share' for storing the recently used files list: Not a directory

Gtk:ERROR:../gtk/gtk/gtkiconhelper.c:495:ensure_surface_for_gicon: assertion failed (error == NULL): Failed to load /usr/share/icons/breeze-dark/status/16/image-missing.svg: Could not spawn `"bwrap" "--unshare-all" "--die-with-parent" "--chdir" "/" "--ro-bind" "/usr" "/usr" "--dev" "/dev" "--ro-bind-try" "/etc/ld.so.cache" "/etc/ld.so.cache" "--ro-bind-try" "/nix/store" "/nix/store" "--tmpfs" "/tmp-home" "--tmpfs" "/tmp-run" "--clearenv" "--setenv" "HOME" "/tmp-home" "--setenv" "XDG_RUNTIME_DIR" "/tmp-run" "--setenv" "XDG_RUNTIME_DIR" "/run/user/1000" "--symlink" "/usr/lib" "/lib64" "--symlink" "/usr/lib" "/lib" "--ro-bind-try" "/etc/fonts/conf.d" "/etc/fonts/conf.d" "--ro-bind-try" "/etc/fonts/fonts.conf" "/etc/fonts/fonts.conf" "--ro-bind-try" "/home/s0ands0/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.cache/fontconfig" "/home/s0ands0/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.cache/fontconfig" "--bind-try" "/home/s0ands0/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.cache/glycin/usr/lib/glycin-loaders/2+/glycin-svg" "/home/s0ands0/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.cache/glycin/usr/lib/glycin-loaders/2+/glycin-svg" "--setenv" "XDG_CACHE_HOME" "/home/s0ands0/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.cache/glycin/usr/lib/glycin-loaders/2+/glycin-svg" "--seccomp" "179" "/usr/lib/glycin-loaders/2+/glycin-svg" "--dbus-fd" "178"`: Permission denied (os error 13) (gdk-pixbuf-error-quark, 0)

Bail out! Gtk:ERROR:../gtk/gtk/gtkiconhelper.c:495:ensure_surface_for_gicon: assertion failed (error == NULL): Failed toload /usr/share/icons/breeze-dark/status/16/image-missing.svg: Could not spawn `"bwrap" "--unshare-all" "--die-with-parent" "--chdir" "/" "--ro-bind" "/usr" "/usr" "--dev" "/dev" "--ro-bind-try" "/etc/ld.so.cache" "/etc/ld.so.cache" "--ro-bind-try" "/nix/store" "/nix/store" "--tmpfs" "/tmp-home" "--tmpfs" "/tmp-run" "--clearenv" "--setenv" "HOME" "/tmp-home" "--setenv" "XDG_RUNTIME_DIR" "/tmp-run" "--setenv" "XDG_RUNTIME_DIR" "/run/user/1000" "--symlink" "/usr/lib" "/lib64" "--symlink" "/usr/lib" "/lib" "--ro-bind-try" "/etc/fonts/conf.d" "/etc/fonts/conf.d" "--ro-bind-try" "/etc/fonts/fonts.conf" "/etc/fonts/fonts.conf" "--ro-bind-try" "/home/s0ands0/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.cache/fontconfig" "/home/s0ands0/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.cache/fontconfig" "--bind-try" "/home/s0ands0/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.cache/glycin/usr/lib/glycin-loaders/2+/glycin-svg" "/home/s0ands0/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.cache/glycin/usr/lib/glycin-loaders/2+/glycin-svg" "--setenv" "XDG_CACHE_HOME" "/home/s0ands0/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.cache/glycin/usr/lib/glycin-loaders/2+/glycin-svg" "--seccomp" "179" "/usr/lib/glycin-loaders/2+/glycin-svg" "--dbus-fd" "178"`: Permission denied (os error 13) (gdk-pixbuf-error-quark, 0)

Redirecting call to abort() to mozalloc_abort

Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/start-tor-browser: line 392:   133 Segmentation fault         (core dumped) TOR_CONTROL_PASSWD=${TOR_CONTROL_PASSWD} ./firefox "${@}" < /dev/null

Parent is shutting down, bye...

Edit 2025-10-02 21:10 UTC

Seems the "Unable to create user data directory" warning can be ignored, here be some logs from a non-firejail Tor execution that's been fine for a few hours;

~/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/start-tor-browser --verbose

[3647] Sandbox: seccomp sandbox violation: pid 3647, tid 3647, syscall 28, args 140219587891200 4096 102 266240 4294967295 0.
[3824] Sandbox: seccomp sandbox violation: pid 3824, tid 3824, syscall 28, args 140653812056064 4096 102 266240 4294967295 0.
[5507] Sandbox: seccomp sandbox violation: pid 5507, tid 5507, syscall 28, args 140112869896192 4096 102 266240 4294967295 0.
[Parent 3447, Main Thread] WARNING: Unable to create user data directory '~/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.local/share' for storing the recently used files list: Not a directory: 'glib warning', file /var/tmp/build/firefox-fdb404861a1e/toolkit/xre/nsSigHandlers.cpp:187

(Tor Browser:3447): Gtk-CRITICAL **: 12:57:58.482: Unable to create user data directory '~/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.local/share' for storing the recently used files list: Not a directory
[Parent 3447, Main Thread] WARNING: gtk_widget_get_clipboard: assertion 'gtk_widget_has_screen (widget)' failed: 'glib warning', file /var/tmp/build/firefox-fdb404861a1e/toolkit/xre/nsSigHandlers.cpp:187

(Tor Browser:3447): Gtk-CRITICAL **: 13:14:34.668: gtk_widget_get_clipboard: assertion 'gtk_widget_has_screen (widget)' failed
[Parent 3447, Main Thread] WARNING: gtk_clipboard_request_contents: assertion 'clipboard != NULL' failed: 'glib warning', file /var/tmp/build/firefox-fdb404861a1e/toolkit/xre/nsSigHandlers.cpp:187

(Tor Browser:3447): Gtk-CRITICAL **: 13:14:34.668: gtk_clipboard_request_contents: assertion 'clipboard != NULL' failed
[Parent 3447, Main Thread] WARNING: gtk_widget_get_clipboard: assertion 'gtk_widget_has_screen (widget)' failed: 'glib warning', file /var/tmp/build/firefox-fdb404861a1e/toolkit/xre/nsSigHandlers.cpp:187

@S0AndS0 commented on GitHub (Sep 29, 2025): @kmk3 Thanks! I tried the profile suggestions from [`myrslint`](https://github.com/netblue30/firejail/issues/6906#issuecomment-3316349578) within `thunderbird.local` and that seems to allow file upload/picker to pop :tada: ~~If I don't report back with an update, then it may be safe to assume those profile modifications to work with Tor too :-)~~ --- ## Edit 2025-09-29 20:41 -- Nope no joy with Tor Browser ```console $ firejail --profile=/etc/firejail/torbrowser-launcher.profile \ .local/share/torbrowser/tbb/x86_64/tor-browser/Browser/start-tor-browser \ --verbose (Tor Browser:133): Gtk-CRITICAL **: 13:36:02.822: Unable to create user data directory '/home/s0ands0/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.local/share' for storing the recently used files list: Not a directory Gtk:ERROR:../gtk/gtk/gtkiconhelper.c:495:ensure_surface_for_gicon: assertion failed (error == NULL): Failed to load /usr/share/icons/breeze-dark/status/16/image-missing.svg: Could not spawn `"bwrap" "--unshare-all" "--die-with-parent" "--chdir" "/" "--ro-bind" "/usr" "/usr" "--dev" "/dev" "--ro-bind-try" "/etc/ld.so.cache" "/etc/ld.so.cache" "--ro-bind-try" "/nix/store" "/nix/store" "--tmpfs" "/tmp-home" "--tmpfs" "/tmp-run" "--clearenv" "--setenv" "HOME" "/tmp-home" "--setenv" "XDG_RUNTIME_DIR" "/tmp-run" "--setenv" "XDG_RUNTIME_DIR" "/run/user/1000" "--symlink" "/usr/lib" "/lib64" "--symlink" "/usr/lib" "/lib" "--ro-bind-try" "/etc/fonts/conf.d" "/etc/fonts/conf.d" "--ro-bind-try" "/etc/fonts/fonts.conf" "/etc/fonts/fonts.conf" "--ro-bind-try" "/home/s0ands0/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.cache/fontconfig" "/home/s0ands0/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.cache/fontconfig" "--bind-try" "/home/s0ands0/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.cache/glycin/usr/lib/glycin-loaders/2+/glycin-svg" "/home/s0ands0/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.cache/glycin/usr/lib/glycin-loaders/2+/glycin-svg" "--setenv" "XDG_CACHE_HOME" "/home/s0ands0/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.cache/glycin/usr/lib/glycin-loaders/2+/glycin-svg" "--seccomp" "179" "/usr/lib/glycin-loaders/2+/glycin-svg" "--dbus-fd" "178"`: Permission denied (os error 13) (gdk-pixbuf-error-quark, 0) Bail out! Gtk:ERROR:../gtk/gtk/gtkiconhelper.c:495:ensure_surface_for_gicon: assertion failed (error == NULL): Failed toload /usr/share/icons/breeze-dark/status/16/image-missing.svg: Could not spawn `"bwrap" "--unshare-all" "--die-with-parent" "--chdir" "/" "--ro-bind" "/usr" "/usr" "--dev" "/dev" "--ro-bind-try" "/etc/ld.so.cache" "/etc/ld.so.cache" "--ro-bind-try" "/nix/store" "/nix/store" "--tmpfs" "/tmp-home" "--tmpfs" "/tmp-run" "--clearenv" "--setenv" "HOME" "/tmp-home" "--setenv" "XDG_RUNTIME_DIR" "/tmp-run" "--setenv" "XDG_RUNTIME_DIR" "/run/user/1000" "--symlink" "/usr/lib" "/lib64" "--symlink" "/usr/lib" "/lib" "--ro-bind-try" "/etc/fonts/conf.d" "/etc/fonts/conf.d" "--ro-bind-try" "/etc/fonts/fonts.conf" "/etc/fonts/fonts.conf" "--ro-bind-try" "/home/s0ands0/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.cache/fontconfig" "/home/s0ands0/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.cache/fontconfig" "--bind-try" "/home/s0ands0/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.cache/glycin/usr/lib/glycin-loaders/2+/glycin-svg" "/home/s0ands0/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.cache/glycin/usr/lib/glycin-loaders/2+/glycin-svg" "--setenv" "XDG_CACHE_HOME" "/home/s0ands0/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.cache/glycin/usr/lib/glycin-loaders/2+/glycin-svg" "--seccomp" "179" "/usr/lib/glycin-loaders/2+/glycin-svg" "--dbus-fd" "178"`: Permission denied (os error 13) (gdk-pixbuf-error-quark, 0) Redirecting call to abort() to mozalloc_abort Exiting due to channel error. Exiting due to channel error. Exiting due to channel error. Exiting due to channel error. Exiting due to channel error. Exiting due to channel error. Exiting due to channel error. Exiting due to channel error. .local/share/torbrowser/tbb/x86_64/tor-browser/Browser/start-tor-browser: line 392: 133 Segmentation fault (core dumped) TOR_CONTROL_PASSWD=${TOR_CONTROL_PASSWD} ./firefox "${@}" < /dev/null Parent is shutting down, bye... ``` ## Edit 2025-10-02 21:10 UTC Seems the `"Unable to create user data directory"` warning can be ignored, here be some logs from a non-firejail Tor execution that's been fine for a few hours; ```bash ~/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/start-tor-browser --verbose ``` ``` [3647] Sandbox: seccomp sandbox violation: pid 3647, tid 3647, syscall 28, args 140219587891200 4096 102 266240 4294967295 0. [3824] Sandbox: seccomp sandbox violation: pid 3824, tid 3824, syscall 28, args 140653812056064 4096 102 266240 4294967295 0. [5507] Sandbox: seccomp sandbox violation: pid 5507, tid 5507, syscall 28, args 140112869896192 4096 102 266240 4294967295 0. [Parent 3447, Main Thread] WARNING: Unable to create user data directory '~/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.local/share' for storing the recently used files list: Not a directory: 'glib warning', file /var/tmp/build/firefox-fdb404861a1e/toolkit/xre/nsSigHandlers.cpp:187 (Tor Browser:3447): Gtk-CRITICAL **: 12:57:58.482: Unable to create user data directory '~/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.local/share' for storing the recently used files list: Not a directory [Parent 3447, Main Thread] WARNING: gtk_widget_get_clipboard: assertion 'gtk_widget_has_screen (widget)' failed: 'glib warning', file /var/tmp/build/firefox-fdb404861a1e/toolkit/xre/nsSigHandlers.cpp:187 (Tor Browser:3447): Gtk-CRITICAL **: 13:14:34.668: gtk_widget_get_clipboard: assertion 'gtk_widget_has_screen (widget)' failed [Parent 3447, Main Thread] WARNING: gtk_clipboard_request_contents: assertion 'clipboard != NULL' failed: 'glib warning', file /var/tmp/build/firefox-fdb404861a1e/toolkit/xre/nsSigHandlers.cpp:187 (Tor Browser:3447): Gtk-CRITICAL **: 13:14:34.668: gtk_clipboard_request_contents: assertion 'clipboard != NULL' failed [Parent 3447, Main Thread] WARNING: gtk_widget_get_clipboard: assertion 'gtk_widget_has_screen (widget)' failed: 'glib warning', file /var/tmp/build/firefox-fdb404861a1e/toolkit/xre/nsSigHandlers.cpp:187 ```

gitea-mirror commented

2026-05-05 09:59:23 -06:00

Author

Owner

@ferreum commented on GitHub (Oct 6, 2025):

torbrowser also required netlink protocol for me. With this in torbrowser-launcher.local the open/save dialog does not crash the browser any more:

private-bin bwrap
noblacklist ${PATH}/bwrap
noblacklist /proc/sys/kernel/overflowuid
noblacklist /proc/sys/kernel/overflowgid

# whitelist /usr/share/glycin-loaders

ignore seccomp !chroot
seccomp !chroot,!mount,!pivot_root,!umount2

protocol unix,inet,inet6,netlink

whitelist /usr/share/glycin-loaders is not needed because the it apparently ships its own version of that in .local

For posterity: I found this by attaching sudo strace -p $firefoxPid -s 2048 and making the browser crash by pressing ctrl+s (open a save dialog). Scanning the strace output, directly before the crash I found an error log with a long bwrap command. I ran that command manually in the same torbrowser-launcher firejail profile, which printed bwrap: loopback: Failed to create NETLINK_ROUTE socket: Operation not supported which points to the netlink protocol. Note I used strace because torbrowser seems to redirect its own stdout/stderr to /dev/null and I couldn't find a quick way to prevent that. Edit: I see running start-tor-browser with --verbose as mentioned above would have worked here, so better do that than use strace.

@ferreum commented on GitHub (Oct 6, 2025): torbrowser also required `netlink` protocol for me. With this in `torbrowser-launcher.local` the open/save dialog does not crash the browser any more: ``` private-bin bwrap noblacklist ${PATH}/bwrap noblacklist /proc/sys/kernel/overflowuid noblacklist /proc/sys/kernel/overflowgid # whitelist /usr/share/glycin-loaders ignore seccomp !chroot seccomp !chroot,!mount,!pivot_root,!umount2 protocol unix,inet,inet6,netlink ``` `whitelist /usr/share/glycin-loaders` is not needed because the it apparently ships its own version of that in `.local` For posterity: I found this by attaching `sudo strace -p $firefoxPid -s 2048` and making the browser crash by pressing `ctrl+s` (open a save dialog). Scanning the strace output, directly before the crash I found an error log with a long `bwrap` command. I ran that command manually in the same torbrowser-launcher firejail profile, which printed `bwrap: loopback: Failed to create NETLINK_ROUTE socket: Operation not supported` which points to the netlink protocol. Note I used strace because torbrowser seems to redirect its own stdout/stderr to /dev/null and I couldn't find a quick way to prevent that. Edit: I see running `start-tor-browser` with `--verbose` as mentioned above would have worked here, so better do that than use strace.

gitea-mirror commented

2026-05-05 09:59:23 -06:00

Author

Owner

@S0AndS0 commented on GitHub (Oct 6, 2025):

Hmm, seems even with those configs it still be crashing on Arch Linux for me;

firejail --profile=/etc/firejail/torbrowser-launcher.profile .local/share/torbrowser/tbb/x86_64/tor-browser/Browser/start-tor-browser --verbose

Reading profile /etc/firejail/torbrowser-launcher.profile
Reading profile /home/s0ands0/.config/firejail/torbrowser-launcher.local
Reading profile /etc/firejail/allow-python2.inc
Reading profile /etc/firejail/allow-python3.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-proc.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
firejail version 0.9.76

Seccomp list in: !chroot,!mount,!pivot_root,!umount2, check list: @default-keep, prelist: unknown,unknown,unknown,unknown,
Ignoring "dbus-user.talk org.freedesktop.Notifications" and 4 other dbus-user filter rules.
Parent pid 42300, child pid 42301
Warning: NVIDIA card detected, nogroups command ignored
Warning: not remounting /var/lib/docker/overlay2/599a2bfc78588744339de9ff3f6f8d3fb4d774d0e418c7ece429673439823b22/merged
Warning: not remounting /var/lib/docker/overlay2/599a2bfc78588744339de9ff3f6f8d3fb4d774d0e418c7ece429673439823b22/merged
88 programs installed in 122.22 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Private /etc installed in 58.23 ms
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Base filesystem installed in 151.42 ms
Warning: NVIDIA card detected, nogroups command ignored
Seccomp list in: !chroot,!mount,!pivot_root,!umount2, check list: @default-keep, prelist: unknown,unknown,unknown,unknown,
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Child process initialized in 489.25 ms
.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/start-tor-browser: line 299: getconf: command not found
.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/start-tor-browser: line 302: [: -ne: unary operator expected
[Parent 132, Main Thread] WARNING: Could not load a pixbuf from icon theme.
This may indicate that pixbuf loaders or the mime database could not be found.: 'glib warning', file /var/tmp/build/firefox-fdb404861a1e/toolkit/xre/nsSigHandlers.cpp:187

(Tor Browser:132): Gtk-WARNING **: 16:15:31.360: Could not load a pixbuf from icon theme.
This may indicate that pixbuf loaders or the mime database could not be found.
[Parent 132, Main Thread] WARNING: gdk_cairo_surface_create_from_pixbuf: assertion 'GDK_IS_PIXBUF (pixbuf)' failed: 'glib warning', file /var/tmp/build/firefox-fdb404861a1e/toolkit/xre/nsSigHandlers.cpp:187

(Tor Browser:132): Gdk-CRITICAL **: 16:15:31.377: gdk_cairo_surface_create_from_pixbuf: assertion 'GDK_IS_PIXBUF (pixbuf)' failed
[Parent 132, Main Thread] WARNING: g_object_unref: assertion 'G_IS_OBJECT (object)' failed: 'glib warning', file /var/tmp/build/firefox-fdb404861a1e/toolkit/xre/nsSigHandlers.cpp:187

(Tor Browser:132): GLib-GObject-CRITICAL **: 16:15:31.377: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
[Parent 132, Main Thread] WARNING: gdk_cairo_surface_create_from_pixbuf: assertion 'GDK_IS_PIXBUF (pixbuf)' failed: 'glib warning', file /var/tmp/build/firefox-fdb404861a1e/toolkit/xre/nsSigHandlers.cpp:187

# ... Truncated...

(Tor Browser:132): Gdk-CRITICAL **: 16:15:32.796: gdk_cairo_surface_create_from_pixbuf: assertion 'GDK_IS_PIXBUF (pixbuf)' failed
[Parent 132, Main Thread] WARNING: g_object_unref: assertion 'G_IS_OBJECT (object)' failed: 'glib warning', file /var/tmp/build/firefox-fdb404861a1e/toolkit/xre/nsSigHandlers.cpp:187

(Tor Browser:132): GLib-GObject-CRITICAL **: 16:15:32.796: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
[404] Sandbox: seccomp sandbox violation: pid 404, tid 404, syscall 28, args 140124247977984 4096 102 266240 4294967295 0.

# ... Try to do Ctrl^s on `about:blank`

[Parent 132, Main Thread] WARNING: Unable to create user data directory '/home/s0ands0/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.local/share' for storing the recently used files list: Not a directory: 'glib warning', file /var
/tmp/build/firefox-fdb404861a1e/toolkit/xre/nsSigHandlers.cpp:187

(Tor Browser:132): Gtk-CRITICAL **: 16:18:07.531: Unable to create user data directory '/home/s0ands0/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.local/share' for storing the recently used files list: Not a directory
**
Gtk:ERROR:../gtk/gtk/gtkiconhelper.c:495:ensure_surface_for_gicon: assertion failed (error == NULL): Failed to load /usr/share/icons/breeze-dark/status/16/image-missing.svg: Could not spawn `"bwrap" "--unshare-all" "--die-with-parent" "--chdir" "/" "--ro-bind" "/usr" "/usr" "--dev" "/dev" "--ro-bind-try" "/etc/ld.so.cache" "/etc/ld.so.cache" "--ro-bind-try" "/nix/store" "/nix/store" "--tmpfs" "/tmp-home" "--tmpfs" "/tmp-run" "--clearenv" "--setenv" "HOME" "/tmp-home" "--setenv" "XDG_RUNTIME_DIR" "/tmp-run" "--setenv" "XDG_RUNTIME_DIR" "/run/user/1000" "--symlink" "/usr/lib" "/lib64" "--symlink" "/usr/lib" "/lib" "--ro-bind-try" "/etc/fonts/conf.d" "/etc/fonts/conf.d" "--ro-bind-try" "/etc/fonts/fonts.conf" "/etc/fonts/fonts.conf" "--ro-bind-try" "/home/s0ands0/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.cache/fontconfig" "/home/s0ands0/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.cache/fontconfig" "--bind-try" "/home/s0ands0/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.cache/glycin/usr/lib/glycin-loaders/2+/glycin-svg" "/home/s0ands0/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.cache/glycin/usr/lib/glycin-loaders/2+/glycin-svg" "--setenv" "XDG_CACHE_HOME" "/home/s0ands0/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.cache/glycin/usr/lib/glycin-loaders/2+/glycin-svg" "--seccomp" "124" "/usr/lib/glycin-loaders/2+/glycin-svg" "--dbus-fd" "122"`: Permission denied (os error 13) (gdk-pixbuf-error-quark, 0)
Bail out! Gtk:ERROR:../gtk/gtk/gtkiconhelper.c:495:ensure_surface_for_gicon: assertion failed (error == NULL): Failed to load /usr/share/icons/breeze-dark/status/16/image-missing.svg: Could not spawn `"bwrap" "--unshare-all" "--die-with-parent" "--chdir" "/" "--ro-bind" "/usr" "/usr" "--dev" "/dev" "--ro-bind-try" "/etc/ld.so.cache" "/etc/ld.so.cache" "--ro-bind-try" "/nix/store" "/nix/store" "--tmpfs" "/tmp-home" "--tmpfs" "/tmp-run" "--clearenv" "--setenv" "HOME" "/tmp-home" "--setenv" "XDG_RUNTIME_DIR" "/tmp-run" "--setenv" "XDG_RUNTIME_DIR" "/run/user/1000" "--symlink" "/usr/lib" "/lib64" "--symlink" "/usr/lib" "/lib" "--ro-bind-try" "/etc/fonts/conf.d" "/etc/fonts/conf.d" "--ro-bind-try" "/etc/fonts/fonts.conf" "/etc/fonts/fonts.conf" "--ro-bind-try" "/home/s0ands0/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.cache/fontconfig" "/home/s0ands0/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.cache/fontconfig" "--bind-try" "/home/s0ands0/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.cache/glycin/usr/lib/glycin-loaders/2+/glycin-svg" "/home/s0ands0/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.cache/glycin/usr/lib/glycin-loaders/2+/glycin-svg" "--setenv" "XDG_CACHE_HOME" "/home/s0ands0/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.cache/glycin/usr/lib/glycin-loaders/2+/glycin-svg" "--seccomp" "124" "/usr/lib/glycin-loaders/2+/glycin-svg" "--dbus-fd" "122"`: Permission denied (os error 13) (gdk-pixbuf-error-quark, 0)
Redirecting call to abort() to mozalloc_abort

^[Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/start-tor-browser: line 392:   132 Segmentation fault         (core dumped) TOR_CONTROL_PASSWD=${TOR_CONTROL_PASSWD} ./firefox "${@}" < /dev/null
Warning: removing 3 bytes from stdin

Parent is shutting down, bye...

... but the Could not spawn"bwrap" "--unshare-all" bits are consistent with whatstrace` be leading us towards 🤔

@S0AndS0 commented on GitHub (Oct 6, 2025): Hmm, seems even with those configs it still be crashing on Arch Linux for me; ```bash firejail --profile=/etc/firejail/torbrowser-launcher.profile .local/share/torbrowser/tbb/x86_64/tor-browser/Browser/start-tor-browser --verbose ``` ``` Reading profile /etc/firejail/torbrowser-launcher.profile Reading profile /home/s0ands0/.config/firejail/torbrowser-launcher.local Reading profile /etc/firejail/allow-python2.inc Reading profile /etc/firejail/allow-python3.inc Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-exec.inc Reading profile /etc/firejail/disable-interpreters.inc Reading profile /etc/firejail/disable-proc.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/disable-xdg.inc Reading profile /etc/firejail/whitelist-common.inc Reading profile /etc/firejail/whitelist-run-common.inc Reading profile /etc/firejail/whitelist-runuser-common.inc Reading profile /etc/firejail/whitelist-usr-share-common.inc Reading profile /etc/firejail/whitelist-var-common.inc firejail version 0.9.76 Seccomp list in: !chroot,!mount,!pivot_root,!umount2, check list: @default-keep, prelist: unknown,unknown,unknown,unknown, Ignoring "dbus-user.talk org.freedesktop.Notifications" and 4 other dbus-user filter rules. Parent pid 42300, child pid 42301 Warning: NVIDIA card detected, nogroups command ignored Warning: not remounting /var/lib/docker/overlay2/599a2bfc78588744339de9ff3f6f8d3fb4d774d0e418c7ece429673439823b22/merged Warning: not remounting /var/lib/docker/overlay2/599a2bfc78588744339de9ff3f6f8d3fb4d774d0e418c7ece429673439823b22/merged 88 programs installed in 122.22 ms Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set. Private /etc installed in 58.23 ms Warning: NVIDIA card detected, nogroups command ignored Warning: NVIDIA card detected, nogroups command ignored Warning: /sbin directory link was not blacklisted Warning: /usr/sbin directory link was not blacklisted Base filesystem installed in 151.42 ms Warning: NVIDIA card detected, nogroups command ignored Seccomp list in: !chroot,!mount,!pivot_root,!umount2, check list: @default-keep, prelist: unknown,unknown,unknown,unknown, Warning: NVIDIA card detected, nogroups command ignored Warning: NVIDIA card detected, nogroups command ignored Child process initialized in 489.25 ms .local/share/torbrowser/tbb/x86_64/tor-browser/Browser/start-tor-browser: line 299: getconf: command not found .local/share/torbrowser/tbb/x86_64/tor-browser/Browser/start-tor-browser: line 302: [: -ne: unary operator expected [Parent 132, Main Thread] WARNING: Could not load a pixbuf from icon theme. This may indicate that pixbuf loaders or the mime database could not be found.: 'glib warning', file /var/tmp/build/firefox-fdb404861a1e/toolkit/xre/nsSigHandlers.cpp:187 (Tor Browser:132): Gtk-WARNING **: 16:15:31.360: Could not load a pixbuf from icon theme. This may indicate that pixbuf loaders or the mime database could not be found. [Parent 132, Main Thread] WARNING: gdk_cairo_surface_create_from_pixbuf: assertion 'GDK_IS_PIXBUF (pixbuf)' failed: 'glib warning', file /var/tmp/build/firefox-fdb404861a1e/toolkit/xre/nsSigHandlers.cpp:187 (Tor Browser:132): Gdk-CRITICAL **: 16:15:31.377: gdk_cairo_surface_create_from_pixbuf: assertion 'GDK_IS_PIXBUF (pixbuf)' failed [Parent 132, Main Thread] WARNING: g_object_unref: assertion 'G_IS_OBJECT (object)' failed: 'glib warning', file /var/tmp/build/firefox-fdb404861a1e/toolkit/xre/nsSigHandlers.cpp:187 (Tor Browser:132): GLib-GObject-CRITICAL **: 16:15:31.377: g_object_unref: assertion 'G_IS_OBJECT (object)' failed [Parent 132, Main Thread] WARNING: gdk_cairo_surface_create_from_pixbuf: assertion 'GDK_IS_PIXBUF (pixbuf)' failed: 'glib warning', file /var/tmp/build/firefox-fdb404861a1e/toolkit/xre/nsSigHandlers.cpp:187 # ... Truncated... (Tor Browser:132): Gdk-CRITICAL **: 16:15:32.796: gdk_cairo_surface_create_from_pixbuf: assertion 'GDK_IS_PIXBUF (pixbuf)' failed [Parent 132, Main Thread] WARNING: g_object_unref: assertion 'G_IS_OBJECT (object)' failed: 'glib warning', file /var/tmp/build/firefox-fdb404861a1e/toolkit/xre/nsSigHandlers.cpp:187 (Tor Browser:132): GLib-GObject-CRITICAL **: 16:15:32.796: g_object_unref: assertion 'G_IS_OBJECT (object)' failed [404] Sandbox: seccomp sandbox violation: pid 404, tid 404, syscall 28, args 140124247977984 4096 102 266240 4294967295 0. # ... Try to do Ctrl^s on `about:blank` [Parent 132, Main Thread] WARNING: Unable to create user data directory '/home/s0ands0/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.local/share' for storing the recently used files list: Not a directory: 'glib warning', file /var /tmp/build/firefox-fdb404861a1e/toolkit/xre/nsSigHandlers.cpp:187 (Tor Browser:132): Gtk-CRITICAL **: 16:18:07.531: Unable to create user data directory '/home/s0ands0/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.local/share' for storing the recently used files list: Not a directory ** Gtk:ERROR:../gtk/gtk/gtkiconhelper.c:495:ensure_surface_for_gicon: assertion failed (error == NULL): Failed to load /usr/share/icons/breeze-dark/status/16/image-missing.svg: Could not spawn `"bwrap" "--unshare-all" "--die-with-parent" "--chdir" "/" "--ro-bind" "/usr" "/usr" "--dev" "/dev" "--ro-bind-try" "/etc/ld.so.cache" "/etc/ld.so.cache" "--ro-bind-try" "/nix/store" "/nix/store" "--tmpfs" "/tmp-home" "--tmpfs" "/tmp-run" "--clearenv" "--setenv" "HOME" "/tmp-home" "--setenv" "XDG_RUNTIME_DIR" "/tmp-run" "--setenv" "XDG_RUNTIME_DIR" "/run/user/1000" "--symlink" "/usr/lib" "/lib64" "--symlink" "/usr/lib" "/lib" "--ro-bind-try" "/etc/fonts/conf.d" "/etc/fonts/conf.d" "--ro-bind-try" "/etc/fonts/fonts.conf" "/etc/fonts/fonts.conf" "--ro-bind-try" "/home/s0ands0/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.cache/fontconfig" "/home/s0ands0/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.cache/fontconfig" "--bind-try" "/home/s0ands0/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.cache/glycin/usr/lib/glycin-loaders/2+/glycin-svg" "/home/s0ands0/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.cache/glycin/usr/lib/glycin-loaders/2+/glycin-svg" "--setenv" "XDG_CACHE_HOME" "/home/s0ands0/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.cache/glycin/usr/lib/glycin-loaders/2+/glycin-svg" "--seccomp" "124" "/usr/lib/glycin-loaders/2+/glycin-svg" "--dbus-fd" "122"`: Permission denied (os error 13) (gdk-pixbuf-error-quark, 0) Bail out! Gtk:ERROR:../gtk/gtk/gtkiconhelper.c:495:ensure_surface_for_gicon: assertion failed (error == NULL): Failed to load /usr/share/icons/breeze-dark/status/16/image-missing.svg: Could not spawn `"bwrap" "--unshare-all" "--die-with-parent" "--chdir" "/" "--ro-bind" "/usr" "/usr" "--dev" "/dev" "--ro-bind-try" "/etc/ld.so.cache" "/etc/ld.so.cache" "--ro-bind-try" "/nix/store" "/nix/store" "--tmpfs" "/tmp-home" "--tmpfs" "/tmp-run" "--clearenv" "--setenv" "HOME" "/tmp-home" "--setenv" "XDG_RUNTIME_DIR" "/tmp-run" "--setenv" "XDG_RUNTIME_DIR" "/run/user/1000" "--symlink" "/usr/lib" "/lib64" "--symlink" "/usr/lib" "/lib" "--ro-bind-try" "/etc/fonts/conf.d" "/etc/fonts/conf.d" "--ro-bind-try" "/etc/fonts/fonts.conf" "/etc/fonts/fonts.conf" "--ro-bind-try" "/home/s0ands0/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.cache/fontconfig" "/home/s0ands0/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.cache/fontconfig" "--bind-try" "/home/s0ands0/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.cache/glycin/usr/lib/glycin-loaders/2+/glycin-svg" "/home/s0ands0/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.cache/glycin/usr/lib/glycin-loaders/2+/glycin-svg" "--setenv" "XDG_CACHE_HOME" "/home/s0ands0/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.cache/glycin/usr/lib/glycin-loaders/2+/glycin-svg" "--seccomp" "124" "/usr/lib/glycin-loaders/2+/glycin-svg" "--dbus-fd" "122"`: Permission denied (os error 13) (gdk-pixbuf-error-quark, 0) Redirecting call to abort() to mozalloc_abort ^[Exiting due to channel error. Exiting due to channel error. Exiting due to channel error. Exiting due to channel error. Exiting due to channel error. .local/share/torbrowser/tbb/x86_64/tor-browser/Browser/start-tor-browser: line 392: 132 Segmentation fault (core dumped) TOR_CONTROL_PASSWD=${TOR_CONTROL_PASSWD} ./firefox "${@}" < /dev/null Warning: removing 3 bytes from stdin Parent is shutting down, bye... ``` ... but the ` Could not spawn `"bwrap" "--unshare-all" ` bits are consistent with what `strace` be leading us towards :thinking:

gitea-mirror commented

2026-05-05 09:59:24 -06:00

Author

Owner

@ferreum commented on GitHub (Oct 7, 2025):

The fact it says Permission denied (os error 13) indicates there's some other permission issue going on.

If the issue is running bwrap itself, you can easily see that by checking firejail --ls=$torbrowserFirejailPid /bin/bwrap. If it says "cannot access /bin/bwrap", it may still be blacklisted by another rule.

Assuming it's accessible, try to run the bwrap command in the same firejail profile. Basically

firejail --profile=/etc/firejail/torbrowser-launcher.profile "bwrap" "--unshare-all" "--die-with-parent" "--chdir" ...etc...

Then check if there's any better indication for what's wrong. For me where the crash is fixed, manually running bwrap like this results in bwrap: Can't read seccomp data: Bad file descriptor

@ferreum commented on GitHub (Oct 7, 2025): The fact it says `Permission denied (os error 13)` indicates there's some other permission issue going on. If the issue is running `bwrap` itself, you can easily see that by checking `firejail --ls=$torbrowserFirejailPid /bin/bwrap`. If it says "cannot access /bin/bwrap", it may still be blacklisted by another rule. Assuming it's accessible, try to run the `bwrap` command in the same firejail profile. Basically ``` firejail --profile=/etc/firejail/torbrowser-launcher.profile "bwrap" "--unshare-all" "--die-with-parent" "--chdir" ...etc... ``` Then check if there's any better indication for what's wrong. For me where the crash is fixed, manually running bwrap like this results in `bwrap: Can't read seccomp data: Bad file descriptor`

gitea-mirror commented

2026-05-05 09:59:24 -06:00

Author

Owner

@S0AndS0 commented on GitHub (Oct 7, 2025):

Woot, totally works now 🎉 ya was right and I was wrong!

... Totally touched I was with skill issues over here, because private-bin keepassxc-proxy,bwrap is not the same as private-bin keepassxc-proxy bwrap... punctuation is important 🤦

For any future folks that are doing the questionable thing of using keepassxc with Tor, here be the torbrowser-launcher.local file that's functionally merged various modifications;

## Add the next line to your firefox.local to enable native notifications.
dbus-user.talk org.freedesktop.Notifications

## Add the next line to your firefox.local to allow inhibiting screensavers.
dbus-user.talk org.freedesktop.ScreenSaver

## Add the next lines to your firefox.local for plasma browser integration.
dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
dbus-user.talk org.kde.JobViewServer
dbus-user.talk org.kde.kuiserver

## Enable KeePassXD integrations
# https://github.com/netblue30/firejail/discussions/5444
noblacklist ${RUNUSER}/app
mkdir ${RUNUSER}/app/org.keepassxc.KeePassXC
whitelist ${RUNUSER}/app/org.keepassxc.KeePassXC
# https://github.com/netblue30/firejail/issues/3952#issuecomment-774717729
whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
whitelist ${RUNUSER}/kpxc_server
## https://github.com/netblue30/firejail/issues/6913#issuecomment-3374406673
private-bin keepassxc-proxy,bwrap

##
# https://github.com/netblue30/firejail/issues/6906
# https://github.com/netblue30/firejail/issues/6913#issuecomment-3374406673
whitelist /usr/share/glycin-loaders
noblacklist ${PATH}/bwrap
noblacklist /proc/sys/kernel/overflowgid
noblacklist /proc/sys/kernel/overflowuid
ignore seccomp !chroot
seccomp !chroot,!mount,!pivot_root,!umount2
protocol unix,inet,inet6,netlink

@S0AndS0 commented on GitHub (Oct 7, 2025): Woot, totally works now :tada: ya was right and I was wrong! > ... Totally touched I was with skill issues over here, because `private-bin keepassxc-proxy,bwrap` is not the same as `private-bin keepassxc-proxy bwrap`... punctuation is important 🤦 For any future folks that are doing the questionable thing of using keepassxc with Tor, here be the `torbrowser-launcher.local` file that's functionally merged various modifications; ```firejail ## Add the next line to your firefox.local to enable native notifications. dbus-user.talk org.freedesktop.Notifications ## Add the next line to your firefox.local to allow inhibiting screensavers. dbus-user.talk org.freedesktop.ScreenSaver ## Add the next lines to your firefox.local for plasma browser integration. dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration dbus-user.talk org.kde.JobViewServer dbus-user.talk org.kde.kuiserver ## Enable KeePassXD integrations # https://github.com/netblue30/firejail/discussions/5444 noblacklist ${RUNUSER}/app mkdir ${RUNUSER}/app/org.keepassxc.KeePassXC whitelist ${RUNUSER}/app/org.keepassxc.KeePassXC # https://github.com/netblue30/firejail/issues/3952#issuecomment-774717729 whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer whitelist ${RUNUSER}/kpxc_server ## https://github.com/netblue30/firejail/issues/6913#issuecomment-3374406673 private-bin keepassxc-proxy,bwrap ## # https://github.com/netblue30/firejail/issues/6906 # https://github.com/netblue30/firejail/issues/6913#issuecomment-3374406673 whitelist /usr/share/glycin-loaders noblacklist ${PATH}/bwrap noblacklist /proc/sys/kernel/overflowgid noblacklist /proc/sys/kernel/overflowuid ignore seccomp !chroot seccomp !chroot,!mount,!pivot_root,!umount2 protocol unix,inet,inet6,netlink ```

gitea-mirror commented

2026-05-05 09:59:25 -06:00

Author

Owner

@ipaqmaster commented on GitHub (Nov 20, 2025):

Thanks

private-bin bwrap
whitelist /usr/share/glycin-loaders
noblacklist ${PATH}/bwrap

Fixes xfce4-screenshooter for the most recent firejail update I installed, which restored its symlink to firejail.

@ipaqmaster commented on GitHub (Nov 20, 2025): Thanks ``` private-bin bwrap whitelist /usr/share/glycin-loaders noblacklist ${PATH}/bwrap ``` Fixes `xfce4-screenshooter` for the most recent firejail update I installed, which restored its symlink to firejail.

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#3415

No description provided.

Rows
Columns