[GH-ISSUE #6927] firefox: file picker is not sandboxed #3421

Open
opened 2026-05-05 09:59:31 -06:00 by gitea-mirror · 5 comments
Originally created by @rieje on GitHub (Oct 6, 2025).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6927

Description

When using XDG file picker instead of the built-in file picker for Firefox, it is not sandboxed. It has access to files on the host filesystem. Consequently, selecting any file with it results in Firefox producing the error "no read permissions".

Expected behavior

I'm using xdg-desktop-portal-termfilechooser (https://github.com/hunkyburrito/xdg-desktop-portal-termfilechooser) as the XDG file picker and it should be restricted to the same sandboxed filesystem that Firefox sees and selecting files for Firefox should be possible. I've also tried GTK file picker and same issue.

Actual behavior

The file picker is not running in/on the sandbox filesystem. If I go to the address bar and type /home/rieje, I can confirm Firefox instance is sandboxed. If I Ctrl-o to launch the terminal file picker, it has access to my host filesystem, i.e. it's not sandboxed.

Behavior without a profile

Same behavior as above.

Additional context

To set up the terminal XDG file picker for Firefox, I'm using xdg-desktop-portal-termfilechooser (https://github.com/hunkyburrito/xdg-desktop-portal-termfilechooser) and running Alacritty terminal on Yazi file manager and followed its configuration, which involves editing the following configs/scripts. I haven't done anything additional on firejail's side of things, not sure if they need to be whitelisted or how to best go about that.

  • ~/.config/xdg-desktop-portal-termfilechooser/config
  • ~/.config/xdg-desktop-portal-termfilechooser/yazi-wrapper.sh
  • ~/.config/xdg-desktop-portal/portals.conf
  • executables under /usr/share/xdg-desktop-portal-termfilechooser/

Changes to the config above require restarting the services:

systemctl --user restart xdg-desktop-portal-termfilechooser.service
systemctl --user restart xdg-desktop-portal.service

With Firefox this about:config setting needs to be set: widget.use-xdg-desktop-portal.file-picker to 1 to use the XDG file picker.

If I run Firefox unsandboxed, the file picker works fine--it can pick files for Firefox because they both see the same filesystem. If Firefox is sandboxed and I don't use the XDG file picker and instead rely on the default file picker for Firefox, it can also pick files and sees only files in the sandbox as expected. I'm not sure if the issue is the XDG file picker escaping the sandbox or if it's somehow started outside the sandbox which would be surprising to me because my intuition is that anything started by sandboxed Firefox is a subprocess.

Environment

  • Name/version/arch of the Linux kernel (uname -srm): Linux 6.16.10-arch1-1 x86_64
  • Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux"): Arch Linux
  • Name/version of the relevant program(s)/package(s) (e.g. "firefox 134.0-1, mesa 1:24.3.3-2"): firefox 143.0.4-1
  • Version of Firejail (firejail --version): 0.9.76-1

Checklist

  • [x] The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • [x] I can reproduce the issue without custom modifications (e.g. globals.local).
  • [x] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [x] The profile (and redirect profile if exists) hasn't already been fixed upstream (https://github.com/netblue30/firejail/tree/master/etc).
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).
  • [x] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • [x] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program

Reading profile /etc/firejail/firefox.profile
Reading profile /home/rieje/.config/firejail/firefox.local
Reading profile /etc/firejail/allow-bin-sh.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-proc.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
firejail version 0.9.76

Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 118750, child pid 118754
6 programs installed in 31.25 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning fcopy: cannot create symbolic link /etc/X11/xorg.conf.d/99-monitor-dpms.conf
Private /etc installed in 26.78 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Base filesystem installed in 22.29 ms
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: Replacing profile instead of stacking it. It is a legacy behavior that can result in relaxation of the protection. It is here as a temporary measure to unbreak the software that has been broken by switching to the stacking behavior.
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Child process initialized in 147.34 ms
[Parent 48, Main Thread] WARNING: Could not load a pixbuf from icon theme.
This may indicate that pixbuf loaders or the mime database could not be found.: 'glib warning', file /usr/src/debug/firefox/firefox-143.0.4/toolkit/xre/nsSigHandlers.cpp:201

(firefox:48): Gtk-WARNING **: 21:48:55.444: Could not load a pixbuf from icon theme.
This may indicate that pixbuf loaders or the mime database could not be found.
[GFX1-]: GFX: CanvasTranslator failed creating WebGL shared context


Output of LC_ALL=C firejail --debug /path/to/program

fjdebug.txt (https://gist.github.com/rieje/412e2d71764adbbb811a3784847db9a8)

Relates to:

  • #6924

gitea-mirror added the needinfo, sandbox-ipc labels 2026-05-05 09:59:31 -06:00

@kmk3 commented on GitHub (Oct 6, 2025):

> When using XDG file picker instead of the built-in file picker for Firefox,
> it is not sandboxed. It has access to files on the host filesystem.

> I'm using xdg-desktop-portal-termfilechooser as the XDG file picker

> Actual behavior
>
> The file picker is not running in/on the sandbox filesystem. If I go to the
> address bar and type /home/rieje, I can confirm Firefox instance is
> sandboxed. If I Ctrl-o to launch the terminal file picker, it has access to
> my host filesystem, i.e. it's not sandboxed.

I'm not sure about that specific file picker, but in general xdg portals access
the system through dbus, which is not sandboxed, as it runs as a daemon.

So the file picker showing more files than what is available in the sandbox is
expected behavior.

Theoretically this should not be an issue, but if you want to avoid potential
sandbox escapes through dbus, block it (dbus-system none + dbus-user none)
and avoid using xdg portals.

> Consequently, selecting any file with it results in Firefox producing the
> error "no read permissions".

This might be due to:

  • #6906

@lucasmz-dev commented on GitHub (Oct 6, 2025):

> With Firefox this about:config setting needs to be set: widget.use-xdg-desktop-portal.file-picker to 1 to use the XDG file picker.

Or you grant firefox org.freedesktop.portal.Desktop

@kmk3 commented on GitHub (Oct 10, 2025):

> > With Firefox this about:config setting needs to be set:
> > widget.use-xdg-desktop-portal.file-picker to 1 to use the XDG file picker.
>
> Or you grant firefox org.freedesktop.portal.Desktop

Good idea.

@rieje

Does adding the following to firefox.local change anything?

dbus-user.talk org.freedesktop.portal.Desktop

If that does not work, try commenting firefox.profile and
firefox-common.profile until it works to find out which lines are causing the
problem and post them in here.

@lucasmz-dev commented on GitHub (Oct 10, 2025):

> Good idea.

Sorry I meant what he said also happens if you grant that. You might even need to, unsure. It's kind of messy because it doesn't work either way IME, only with directories the firejail sandbox grants access to.

@rieje commented on GitHub (Oct 13, 2025):

firefox-common.profile already includes dbus-user.talk org.freedesktop.portal.Desktop. I tried to be as permissive as possible, but same issue:

  • firefox-common.profile (https://0x0.st/KS8X.txt)
  • firefox.profile (https://0x0.st/KS88.txt)
  • firefox.local (https://0x0.st/KS8K.txt)

> > With Firefox this about:config setting needs to be set: widget.use-xdg-desktop-portal.file-picker to 1 to use the XDG file picker.
>
> Or you grant firefox org.freedesktop.portal.Desktop

Without setting the about:config setting, it won't pick up the preferred XDG portal set at ~/.config/xdg-desktop-portal/portals.conf.
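An added diagnostic, written for this page and not part of firejail or of any comment above, that models the two explanations the thread gives: the portal daemon runs outside the sandbox and hands back host paths, and sandboxed Firefox can only read what its whitelist exposes (and only reaches the portal if dbus-user policy allows the bus name). The profile lines, the ${HOME} value and the picked paths are constructed, and the dbus-user and whitelist semantics are simplified.

```python
import os

HOME = "/home/rieje"                           # constructed, as in the report
VARS = {"${HOME}": HOME, "${DOWNLOADS}": HOME + "/Downloads"}
PORTAL = "org.freedesktop.portal.Desktop"      # bus name named in the thread

def _expand(arg):
    for var, val in VARS.items():
        arg = arg.replace(var, val)
    return os.path.normpath(arg)

def parse_profile(lines):
    """Keep only the directives this diagnosis needs; later lines override."""
    pol = {"whitelist": [], "blacklist": [], "dbus-user": "allow", "talk": set()}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, arg = line.partition(" ")
        arg = arg.strip()
        if key in ("whitelist", "blacklist"):
            pol[key].append(_expand(arg))
        elif key == "dbus-user":               # none | filter | allow
            pol["dbus-user"] = arg
        elif key == "dbus-user.talk":
            pol["talk"].add(arg)
    return pol

def _under(path, base):
    return path == base or path.startswith(base.rstrip("/") + "/")

def diagnose(profile_lines, picked):
    """Classify a host path handed back by the portal as seen from the sandbox."""
    pol = parse_profile(profile_lines)
    picked = os.path.normpath(picked)
    mode = pol["dbus-user"]
    if mode == "none" or (mode == "filter" and PORTAL not in pol["talk"]):
        return "portal-unreachable"  # Firefox cannot reach the portal at all
    if any(_under(picked, b) for b in pol["blacklist"]):
        return "blacklisted"
    home_rules = [w for w in pol["whitelist"] if _under(w, HOME)]
    if (_under(picked, HOME) and home_rules
            and not any(_under(picked, w) for w in home_rules)):
        return "outside-whitelist"   # the 'no read permissions' case reported
    return "readable"

# Constructed stand-in for a browser profile; not the real firefox-common.profile.
PROFILE = """\
dbus-user filter
dbus-user.talk org.freedesktop.portal.Desktop
whitelist ${DOWNLOADS}
whitelist ${HOME}/.mozilla
blacklist ${HOME}/.ssh
""".splitlines()

if __name__ == "__main__":
    for p in (HOME + "/Downloads/a.pdf", HOME + "/Documents/b.txt"):
        print(p, "->", diagnose(PROFILE, p))
```

A path the portal returns from outside the whitelisted directories is exactly the case where the portal "works" but Firefox then reports it cannot read the file.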