[GH-ISSUE #6966] Error: Firejail configuration file /etc/firejail/firejail.config not found (private-etc) #3436

Closed
opened 2026-05-05 09:59:58 -06:00 by gitea-mirror · 19 comments
Owner

Originally created by @Antiz96 on GitHub (Nov 12, 2025).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6966

Description

Since d1aeeb4fa1, programs (or specific actions in said program) running from a private-etc environment fail because firejail.config is not accessible from said environment.

I'm guessing this is because checkcfg(0) is now called early in the process in main.c.

Steps to Reproduce

Steps to reproduce the behavior

From a firejail build including d1aeeb4fa1 (thunderbird is just an example).

  1. Run in bash LC_ALL=C firejail /usr/local/bin/thunderbird (where /usr/local/bin/thunderbird is the symlink created by firecfg)
  2. See error:
[...]
Error: Firejail configuration file /etc/firejail/firejail.config not found

Parent is shutting down, bye...

Different scenario

  1. LC_ALL=C firejail /usr/bin/thunderbird
  2. Program starts but...
  3. Do some actions that should trigger something outside of the sandboxed environment (e.g. clicking a link from a mail to open in your web browser)
  4. Nothing happens (link is not being opened) and see error:
[...]
Error: Firejail configuration file /etc/firejail/firejail.config not found

Expected behavior

Program to start (or actions within this program to work reliably)

Actual behavior

Program fails to start (or specific actions triggering something outside of the sandboxed environment fail).

Behavior without a profile

Both LC_ALL=C firejail --noprofile /usr/local/bin/thunderbird and LC_ALL=C firejail --noprofile /usr/bin/thunderbird work as expected (where /usr/local/bin/thunderbird is the symlink created by firecfg).

Additional context

Adding private-etc firejail/firejail.config to e.g. ~/.config/firejail/thunderbird.local fixes (or "works around") the issue.

I reported this issue a few days ago in the related MR at https://github.com/netblue30/firejail/pull/6878#discussion_r2490670980

Environment

  • Name/version/arch of the Linux kernel (uname -srm): Linux 6.17.7-arch1-1 x86_64
  • Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux"): Arch Linux
  • Name/version of the relevant program(s)/package(s) (e.g. "firefox 134.0-1,
    mesa 1:24.3.3-2"): Mozilla Thunderbird 144.0.1
  • Version of Firejail (firejail --version): Tried both with firejail version 0.9.76 with the d1aeeb4fa1 commit backported or with a build from the master branch directly.
  • If you use a development version of firejail, also the commit from which it
    was compiled (git rev-parse HEAD): 7e26e940c2

Checklist

  • [x] The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • [x] I can reproduce the issue without custom modifications (e.g. globals.local).
  • [x] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [x] The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).
    • [x] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • [x] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /usr/local/bin/thunderbird (where /usr/local/bin/thunderbird is the symlink created by firecfg)

Reading profile /etc/firejail/thunderbird.profile
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-proc.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
firejail version 0.9.76

Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: /usr/bin/xdg-dbus-proxy was not found, downgrading dbus-user policy to allow.
To enable DBus filtering, install the xdg-dbus-proxy program.
Ignoring "dbus-user.own org.mozilla.thunderbird.*" and 4 other dbus-user filter rules.
Parent pid 691159, child pid 691160
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Private /etc installed in 36.33 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: not remounting /run/user/1000/gvfs
Warning: not remounting /run/user/1000/doc
Base filesystem installed in 73.89 ms
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: Replacing profile instead of stacking it. It is a legacy behavior that can result in relaxation of the protection. It is here as a temporary measure to unbreak the software that has been broken by switching to the stacking behavior.
Child process initialized in 155.86 ms
Error: Firejail configuration file /etc/firejail/firejail.config not found

Parent is shutting down, bye...

Output of LC_ALL=C firejail --debug /path/to/program


@kmk3 commented on GitHub (Nov 13, 2025):

> Since d1aeeb4, programs (or specific actions in said program) running from a
> private-etc environment fail because firejail.config is not accessible from
> said environment.
>
> I'm guessing this is because checkcfg(0) is now called early in the process
> in main.c.

Yes, I also think that this line is likely what causes it.

But from a brief look at it I don't really understand why.

The issue seems to be the same as in:

  • #2877
  • #6959

> 1. Run in bash LC_ALL=C firejail /usr/local/bin/thunderbird (where
>    /usr/local/bin/thunderbird is the symlink created by firecfg)
> 2. See error:
>
> [...]
> Error: Firejail configuration file /etc/firejail/firejail.config not found
>
> Parent is shutting down, bye...

Does it work with the following?

LC_ALL=C firejail /usr/bin/thunderbird

@Antiz96 commented on GitHub (Nov 13, 2025):

> > Since d1aeeb4, programs (or specific actions in said program) running from a
> > private-etc environment fail because firejail.config is not accessible from
> > said environment.
> >
> > I'm guessing this is because checkcfg(0) is now called early in the process
> > in main.c.
>
> Yes, I also think that this line is likely what causes it.
>
> But from a brief look at it I don't really understand why.
>
> The issue seems to be the same as in:
>
>   • #2877
>   • #6959

Definitely the same as in #6959.
We have backported d1aeeb4fa1 into the Arch Linux package (see https://gitlab.archlinux.org/archlinux/packaging/packages/firejail/-/issues/1#note_347916), which explains why this user is suffering from this issue with it.

Just in case, as said in my report, I've reproduced this issue from a development version too. So the backport itself is not the culprit, the issue is also present when building from the master branch / HEAD.

> > 1. Run in bash LC_ALL=C firejail /usr/local/bin/thunderbird (where
> >    /usr/local/bin/thunderbird is the symlink created by firecfg)
> > 2. See error:
> >
> > [...]
> > Error: Firejail configuration file /etc/firejail/firejail.config not found
> >
> > Parent is shutting down, bye...
>
> Does it work with the following?
>
> LC_ALL=C firejail /usr/bin/thunderbird

I've also covered this case in my report, see below:

> > Different scenario
> >
> > 1. LC_ALL=C firejail /usr/bin/thunderbird
> > 2. Program starts but...
> > 3. Do some actions that should trigger something outside of the sandboxed environment (e.g. clicking a link from a mail to open in your web browser)
> > 4. Nothing happens (link is not being opened) and see error:
> >
> > [...]
> > Error: Firejail configuration file /etc/firejail/firejail.config not found

@kmk3 commented on GitHub (Nov 19, 2025):

> Just in case, as said in my report, I've reproduced this issue from a
> development version too. So the backport itself is not the culprit, the issue
> is also present when building from the master branch / HEAD.
>
> > > 1. Run in bash LC_ALL=C firejail /usr/local/bin/thunderbird (where
> > >    /usr/local/bin/thunderbird is the symlink created by firecfg)
> > > 2. See error:
> > >
> > > [...]
> > > Error: Firejail configuration file /etc/firejail/firejail.config not found
> > >
> > > Parent is shutting down, bye...

I remember seeing this message when I was working on #6878 and testing some
unrelated thing, but the firejail commands being executed weren't related to
thunderbird and I'm not sure if private-etc was involved.

After I switched branches (or rebased to master or whatever) and rebuilt
firejail, running the same exact commands stopped causing the error message
(and I'm fairly sure I had at least the arg-max code and maybe also the
env-max code in the checked out branch, though it's been a while).

Which makes me think that there may be a race condition or something similar
involved (in such a way that changing something unrelated in the code and
recompiling could trigger it).

See also the commits that caused/fixed #2877 (the latter commit mentions an
"an early [checkcfg] check").

  • https://github.com/netblue30/firejail/commit/8bff773d6a7bf70c97b3d5b751df9ec0dd6c8b5d
  • https://github.com/netblue30/firejail/commit/d32509945f13ccb9892ad15303230955bb525fae

> > Does it work with the following?
> >
> > LC_ALL=C firejail /usr/bin/thunderbird
>
> I've also covered this case in my report, see below:
>
> > > Different scenario
> > >
> > > 1. LC_ALL=C firejail /usr/bin/thunderbird
> > > 2. Program starts but...
> > > 3. Do some actions that should trigger something outside of the
> > >    sandboxed environment (e.g. clicking a link from a mail to open in
> > >    your web browser)
> > > 4. Nothing happens (link is not being opened) and see error:
> > >
> > > [...]
> > > Error: Firejail configuration file /etc/firejail/firejail.config not found

I see, my bad.

I don't use email in thunderbird ("clicking a link from an email"); is there a
simple way to reproduce it from something like firefox?

Does it only happen when dbus is used?

For the time being I'm thinking of just commenting the checkcfg(0) line and
leaving the rest of the code as is until someone feels like debugging and
finding out why it actually happens, as there is already enough breakage in the
current version:

  • #6906

@Antiz96 commented on GitHub (Nov 19, 2025):

> I don't use email in thunderbird ("clicking a link from an email"); is there a
> simple way to reproduce it from something like firefox?

Simply running firejail /usr/local/bin/firefox (where /usr/local/bin/firefox is the symlink created by firecfg) is enough to reproduce the issue:

$  firejail /usr/local/bin/firefox
Reading profile /etc/firejail/firefox.profile
Reading profile /home/antiz/.config/firejail/firefox.local
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-proc.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
firejail version 0.9.76

Seccomp list in: !chroot,!mount,!pivot_root,!umount2, check list: @default-keep, prelist: unknown,unknown,unknown,unknown,
Warning: /usr/bin/xdg-dbus-proxy was not found, downgrading dbus-user policy to allow.
To enable DBus filtering, install the xdg-dbus-proxy program.
Ignoring "dbus-user.own org.mozilla.*" and 2 other dbus-user filter rules.
Parent pid 607692, child pid 607693
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Private /etc installed in 36.79 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Base filesystem installed in 60.41 ms
Seccomp list in: !chroot,!mount,!pivot_root,!umount2, check list: @default-keep, prelist: unknown,unknown,unknown,unknown,
Child process initialized in 147.54 ms
Error: Firejail configuration file /etc/firejail/firejail.config not found

Parent is shutting down, bye...
@kmk3 commented on GitHub (Nov 20, 2025):

> > I don't use email in thunderbird ("clicking a link from an email"); is there a
> > simple way to reproduce it from something like firefox?
>
> Simply running firejail /usr/local/bin/firefox (where
> /usr/local/bin/firefox is the symlink created by firecfg) is enough to
> reproduce the issue:

This seems to be equivalent to running firejail firefox (instead of the
recommended firejail /usr/bin/firefox or just firefox).

Running firejail-in-firejail is known to cause this (among other) issues; see:

  • #2877
  • #6963

How can the issue be reproduced without firejail-in-firejail?
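The nested invocation discussed in the comment above, as an added example that is not part of the thread or of firejail itself: a POSIX shell helper that reports whether the command handed to `firejail` is a firecfg-style symlink and which underlying binary to pass instead. The function names are hypothetical, and it assumes that a firecfg entry is a symlink whose final target is a binary named `firejail`.

```sh
#!/bin/sh
# Added example, not firejail code. Assumption: a firecfg entry is a symlink
# whose final target is a binary named "firejail".

# resolves_to_firejail FILE -> status 0 when FILE is such a symlink.
resolves_to_firejail() {
    [ -L "$1" ] || return 1
    rtf_target=$(readlink -f -- "$1") || return 1
    [ "$(basename -- "$rtf_target")" = "firejail" ]
}

# find_in_path NAME PATH_LIST [skip]
# Print the first executable NAME found in the colon-separated PATH_LIST.
# With a third argument, entries that resolve to firejail are skipped, so the
# result is the program that would run once the sandbox is set up.
find_in_path() {
    fp_name=$1
    fp_skip=${3:-}
    fp_found=
    fp_ifs=$IFS
    IFS=:
    set -f                              # split on ':' only, no globbing
    for fp_dir in $2; do
        [ -n "$fp_dir" ] || fp_dir=.    # empty PATH element = current directory
        fp_file=$fp_dir/$fp_name
        if [ -f "$fp_file" ] && [ -x "$fp_file" ]; then
            if [ -n "$fp_skip" ] && resolves_to_firejail "$fp_file"; then
                continue
            fi
            fp_found=$fp_file
            break
        fi
    done
    set +f
    IFS=$fp_ifs
    [ -n "$fp_found" ] || return 1
    printf '%s\n' "$fp_found"
}

# classify_target CMD [PATH_LIST]
# CMD is what would follow "firejail" on the command line, for example
# /usr/local/bin/firefox or just firefox. Prints and returns:
#   direct <path>        status 0  CMD is the program itself
#   nested <real path>   status 1  CMD is a firejail symlink (firejail-in-firejail);
#                                  "-" when no other binary is found in PATH_LIST
#   missing <cmd>        status 2  CMD does not exist
classify_target() {
    ct_cmd=$1
    ct_list=${2:-$PATH}
    case $ct_cmd in
        */*) ct_file=$ct_cmd ;;
        *)   ct_file=$(find_in_path "$ct_cmd" "$ct_list") || ct_file= ;;
    esac
    if [ -z "$ct_file" ] || [ ! -e "$ct_file" ]; then
        printf 'missing %s\n' "$ct_cmd"
        return 2
    fi
    if resolves_to_firejail "$ct_file"; then
        ct_real=$(find_in_path "$(basename -- "$ct_file")" "$ct_list" skip) || ct_real=-
        printf 'nested %s\n' "$ct_real"
        return 1
    fi
    printf 'direct %s\n' "$ct_file"
}
```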

@Antiz96 commented on GitHub (Nov 20, 2025):

> This seems to be equivalent to running firejail firefox (instead of the
> recommended firejail /usr/bin/firefox or just firefox).

Indeed, that's right. Although it was working fine before.

> How can the issue be reproduced without firejail-in-firejail?

Well, does the first reproducer I gave with thunderbird count as "firejail-in-firejail"? This issue occurs when running thunderbird in firejail and then try to open a link from there in firefox (also running in firejail). In that case it's not really "firejail-in-firejail" but more like "firejail-to-firejail" (which used to work fine before d1aeeb4fa1).

> Running firejail-in-firejail is known to cause this (among other) issues; see:
>
> https://github.com/netblue30/firejail/issues/2877

I understand if you say that the exposed issue and reproducer scenario falls under the above, it's indeed pretty likely that this is caused by some "firejail in firejail (or firejail to firejail)" interaction. But one thing I can reliably say is that every scenario I exposed in this issue used to work fine before d1aeeb4fa1 so there's definitely a regression somewhere in there.

I remain available if there's any additional information/test I can provide and I'll let you know if I can find other reproducer! 🙂
@kmk3 commented on GitHub (Nov 21, 2025):

> I remain available if there's any additional information /test I can provide
> and I'll let you know if I can find other reproducer! 🙂

I see, thanks.

> > How can the issue be reproduced without firejail-in-firejail?
>
> Well, does the first reproducer I gave with thunderbird count as
> "firejail-in-firejail"? This issue occurs when running thunderbird in
> firejail and then try to open a link from there in firefox (also running in
> firejail). In that case it's not really "firejail-**in**-firejail" but more
> like "firejail-**to**-firejail" (which used to work fine before
> d1aeeb4).

In the thunderbird -> firefox scenario, the error happens in firefox right?

Could it be that firefox is being invoked as firejail-in-firejail by
thunderbird?

What is the exact command that thunderbird calls?

Does it work after `sudo rm /usr/local/bin/firefox`?

> > Running firejail-in-firejail is known to cause this (among other) issues;
> > see: #2877
>
> I understand if you say that the exposed issue and reproducer scenario falls
> under the above, it's indeed pretty likely that this is caused by some
> "firejail in firejail (or firejail _to_ firejail)" interaction. But one thing
> I can reliably say is that every scenario I exposed in this issue used to
> work fine before
> d1aeeb4
> so there's definitely a regression somewhere in there.

Yes, from what is being reported it appears that the commit has made the issue
worse/more apparent, though firejail-in-firejail has been (sometimes subtly)
broken (and not recommended) for a long time.

Though arguably it might be better to outright crash with firejail-in-firejail
than for it to randomly break things (and especially with it not being obvious
to the user that the breakage is due to firejail-in-firejail).

Maybe for the time being we could intentionally abort early and clarify the
situation by showing an error saying that firejail-in-firejail is not
supported.


@Antiz96 commented on GitHub (Nov 21, 2025):

> In the thunderbird -> firefox scenario, the error happens in firefox right?

No, it's shown in firejail's thunderbird logs.

1 - Run `thunderbird` (from the `firecfg` symlink) or `firejail /usr/bin/thunderbird`
2 - Click a link from a mail
3 - See "Error: Firejail configuration file /etc/firejail/firejail.config not found" appearing in the logs of the command executed in step 1.

> Could it be that firefox is being invoked as firejail-in-firejail by
> thunderbird?

Well, I ran `firecfg` so both thunderbird and firefox run under firejail by default. So thunderbird indeed tries to contact firefox while they are both being sandboxed (which is definitely part of the culprit, as it works if I `sudo rm /usr/local/bin/firefox`, as said later in this comment).

However, I'm not sure if it necessarily tries to "invoke" it per se though. It is supposed to open the link in my currently running (and sandboxed) firefox instance, not invoke a new instance. Hence why I said it's unclear to me if it's really a "firejail-**in**-firejail" case or more of a "firejail-**to**-firejail" case (if that matters). Basically, I have both thunderbird and firefox respectively started under a firejail sandbox and the former cannot communicate to the latter anymore (e.g. when it comes to opening a link) without being hit by the "Error: Firejail configuration file /etc/firejail/firejail.config not found" issue.

> What is the exact command that thunderbird calls?

That I do not know I'm afraid. I guess either something like `xdg-open [url]` or directly `firefox [url]` basically (probably the latter)?

> Does it work after sudo rm /usr/local/bin/firefox?

Yes it does, so that confirms that the issue is when a sandboxed "program A" tries to "communicate" with an also sandboxed "program B", which is definitely expected in some cases, but it's unclear if it is for this one particularly (see the last paragraph of my comment).

> Yes, from what is being reported it appears that the commit has made the issue
> worse/more apparent, though firejail-in-firejail has been (sometimes subtly)
> broken (and not recommended) for a long time.
>
> Though arguably it might be better to outright crash with firejail-in-firejail
> than for it to randomly break things (and especially with it not being obvious
> to the user that the breakage is due to firejail-in-firejail).
>
> Maybe for the time being we could intentionally abort early and clarify the
> situation by showing an error saying that firejail-in-firejail is not
> supported.

I totally get your point.
Although, does that mean that opening links from a "firejailed" thunderbird instance to a "firejailed" firefox instance is expected not to work by default for example?

As it used to work fine before d1aeeb4fa1 and as there are dedicated parameters in the default thunderbird profile on that front (see [here](https://github.com/netblue30/firejail/blob/master/etc/profile-m-z/thunderbird.profile#L22-L23), unless it assumes a "non-firejailed" firefox ?), it's a bit confusing from a user point of view.

All in all, I would understand if such cases would be considered unsupported upstream wise. But if that's the case, I guess it would indeed be relevant to clarify it (e.g. from the logs / default behavior). Given the above, it's unclear if it's a regression or the intended behavior (even though that was luckily working before, somehow). As I said in the issue description, adding `private-etc firejail/firejail.config` to `~/.config/firejail/thunderbird.local` works as a workaround, I can live with that 🙂

I will give https://github.com/netblue30/firejail/pull/6970 a test soon to see if it helps. I'll report back shortly!
EDIT: It doesn't help unfortunately 😕


@kmk3 commented on GitHub (Nov 22, 2025):

> > In the thunderbird -> firefox scenario, the error happens in firefox right?
>
> No, it's shown in firejail's thunderbird logs.

Do you mean in the same terminal output as thunderbird?

If so, thunderbird might be trying to open the firefox executable inside of its
own sandbox instead of using something like dbus.

> However, I'm not sure if it necessarily tries to "invoke" it per se though. It
> is supposed to open the link in my currently running (and sandboxed) firefox
> instance, not invoke a new instance. Hence why I said it's unclear to me if
> it's really a "firejail-**in**-firejail" case or more of a
> "firejail-**to**-firejail" case (if that matters). Basically, I have both
> thunderbird and firefox respectively started under a firejail sandbox and the
> former cannot communicate to the latter anymore (e.g. when it comes to
> opening a link) without being hit by the "Error: Firejail configuration file
> /etc/firejail/firejail.config not found" issue.

Does anything change if only thunderbird is running (and not firefox) before
opening the link?

> > What is the exact command that thunderbird calls?
>
> That I do not know I'm afraid. I guess either something like `xdg-open [url]`
> or directly `firefox [url]` basically (probably the latter)?
>
> > Does it work after sudo rm /usr/local/bin/firefox?
>
> Yes it does, so that confirms that the issue is when a sandboxed "program A"
> tries to "communicate" with an also sandboxed "program B", which is
> definitely expected in some cases, but it's unclear if it is for this one
> particularly (see the last paragraph of my comment).

So maybe it's as simple as firejailed thunderbird calling just `firefox`, which
calls `/usr/local/bin/firefox` -> `firejail` -> `firejail /usr/bin/firefox`
(which is supported) and firefox breaks when looking for
/etc/firejail/firejail.config because thunderbird has `private-etc`.

Edit: I can reproduce it easily by using just firejail-in-firejail +
`private-etc`:

```console
$ firejail --quiet --profile=thunderbird firejail true
Error: Firejail configuration file /etc/firejail/firejail.config not found
$ firejail --quiet --private-etc firejail true
Error: Firejail configuration file /etc/firejail/firejail.config not found
```

> > Yes, from what is being reported it appears that the commit has made the
> > issue worse/more apparent, though firejail-in-firejail has been (sometimes
> > subtly) broken (and not recommended) for a long time. Though arguably it
> > might be better to outright crash with firejail-in-firejail than for it to
> > randomly break things (and especially with it not being obvious to the user
> > that the breakage is due to firejail-in-firejail). Maybe for the time
> > being we could intentionally abort early and clarify the situation by
> > showing an error saying that firejail-in-firejail is not supported.
>
> I totally get your point. Although, does that mean that opening links from a
> "firejailed" thunderbird instance to a "firejailed" firefox instance is
> expected not to work by default for example?
>
> As it used to work fine before
> d1aeeb4
> and as there are dedicated parameters in the default thunderbird profile on
> that front (see
> [here](https://github.com/netblue30/firejail/blob/master/etc/profile-m-z/thunderbird.profile#L22-L23),
> unless it assumes a "non-firejailed" firefox ?), it's a bit confusing from a
> user point of view.

It's expected to work if the caller uses some form of IPC like dbus (which
bypasses the sandbox).

If not, it's more likely to break in general, as in this scenario firefox would
be running under the same sandbox as thunderbird (which was configured by
thunderbird.profile rather than firefox.profile).

Without IPC it can be made to work, but it's difficult to keep the right
balance in the caller profile to allow running other programs (especially big
and complex ones like a web browser).

> All in all, I would understand if such cases would be considered unsupported
> upstream wise. But if that's the case, I guess it would indeed be relevant to
> clarify it (e.g. from the logs / default behavior). Given the above, it's
> unclear if it's a regression or the intended behavior (even though that was
> luckily working before, somehow). As I said in the issue description, adding
> `private-etc firejail/firejail.config` to
> `~/.config/firejail/thunderbird.local` works as a workaround, I can live with that
> 🙂

I wasn't too sure, but maybe adding `firejail/firejail.config` to the default
`private-etc` group would indeed be a good enough solution.

Edit: It seems that the proper fix would be doing the sandbox check before
calling `checkcfg`, so that firejail does not even try to read firejail.config
if an existing sandbox is detected:

* #6969
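Editor's added example (not written by any participant in this thread and not firejail code): a host-side check for the chain described in the comment above, where a sandboxed caller resolves `firefox` to a firecfg symlink while its own profile uses `private-etc`. The function names and result labels are made up here; the script reads only the profile files passed to it (it does not follow `include` lines) and assumes that `firejail/firejail.config`, the entry from the workaround in the issue description, is the only `private-etc` entry that keeps the config visible.

```shell
#!/bin/sh
# Added diagnostic sketch; not part of firejail. Function names and result
# labels are hypothetical and exist only in this example.

# Print the first executable regular file named $1 found in the
# colon-separated search path $2, in the left-to-right order a shell uses.
first_in_path() {
    _fp_cmd=$1
    _fp_rest=$2:
    while [ -n "$_fp_rest" ]; do
        _fp_dir=${_fp_rest%%:*}
        _fp_rest=${_fp_rest#*:}
        [ -n "$_fp_dir" ] || _fp_dir=.
        if [ -f "$_fp_dir/$_fp_cmd" ] && [ -x "$_fp_dir/$_fp_cmd" ]; then
            printf '%s\n' "$_fp_dir/$_fp_cmd"
            return 0
        fi
    done
    return 1
}

# True when $1 is a symlink whose target is named "firejail", which is the
# layout firecfg creates under /usr/local/bin.
is_firejail_symlink() {
    [ -L "$1" ] || return 1
    _fs_target=$(readlink "$1") || return 1
    [ "${_fs_target##*/}" = firejail ]
}

# True when any of the given profile files has a private-etc line
# (with or without arguments; commented-out lines do not count).
uses_private_etc() {
    for _up_f in "$@"; do
        [ -r "$_up_f" ] || continue
        if grep -Eq '^[[:space:]]*private-etc([[:space:]]|$)' "$_up_f"; then
            return 0
        fi
    done
    return 1
}

# True when any private-etc line in the given files lists
# firejail/firejail.config among its comma-separated entries.
keeps_firejail_config() {
    for _kc_f in "$@"; do
        [ -r "$_kc_f" ] || continue
        if sed -n 's/^[[:space:]]*private-etc[[:space:]]\{1,\}//p' "$_kc_f" |
            tr ',' '\n' | tr -d ' \t' |
            grep -Fxq 'firejail/firejail.config'; then
            return 0
        fi
    done
    return 1
}

# diagnose CMD SEARCH_PATH PROFILE_FILE...
# Prints one label:
#   not-found              CMD is not on SEARCH_PATH
#   direct                 CMD resolves to a real binary, no nested firejail
#   nested-config-hidden   CMD re-enters firejail and the caller's private-etc
#                          does not list firejail/firejail.config
#   nested-config-visible  CMD re-enters firejail, config is not hidden by
#                          private-etc in the files that were checked
diagnose() {
    _d_cmd=$1
    _d_path=$2
    shift 2
    _d_hit=$(first_in_path "$_d_cmd" "$_d_path") || {
        echo not-found
        return 0
    }
    if ! is_firejail_symlink "$_d_hit"; then
        echo direct
        return 0
    fi
    if uses_private_etc "$@" && ! keeps_firejail_config "$@"; then
        echo nested-config-hidden
    else
        echo nested-config-visible
    fi
}

# Stand-alone use: sh check.sh firefox "$PATH" thunderbird.profile thunderbird.local
if [ "$#" -ge 2 ]; then
    diagnose "$@"
fi
```

Pass the search path and profile files of the calling program (thunderbird in this thread), since it is the caller's `private-etc` that decides what the nested firejail can read.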


@Antiz96 commented on GitHub (Nov 22, 2025):

> Do you mean in the same terminal output as thunderbird?
>
> If so, thunderbird might be trying to open the firefox executable inside of its
> own sandbox instead of using something like dbus.

Yes.

Maybe yeah 🤔

> Does anything change if only thunderbird is running (and not firefox) before
> opening the link?

Nop, nothing happens visually and same error in the terminal output: `Error: Firejail configuration file /etc/firejail/firejail.config not found`

> So maybe it's as simple as firejailed thunderbird calling just firefox, which
> calls /usr/local/bin/firefox -> firejail -> firejail /usr/bin/firefox
> (which is supported) and firefox breaks when looking for
> /etc/firejail/firejail.config because thunderbird has private-etc.

That's also my understanding.

> It's expected to work if the caller uses some form of IPC like dbus (which
> bypasses the sandbox).
>
> If not, it's more likely to break in general, as in this scenario firefox would
> be running under the same sandbox as thunderbird (which was configured by
> thunderbird.profile rather than firefox.profile).

Well, the caller *should* use dbus in that case I assume, not sure if there were recent changes on that front.

> Without IPC it can be made to work, but it's difficult to keep the right
> balance in the caller profile to allow running other programs (especially big
> and complex ones like a web browser).

Fair enough. Hopefully, I'm not asking for such complex cases to be supported here 👼 😛

> I wasn't too sure, but maybe adding firejail/firejail.config to the default
> private-etc group would indeed be a good enough solution.

That's one possible solution I thought of at first, but I wasn't sure if this was a good approach or more of a workaround (as it wasn't completely clear what actually caused this issue in the first place).

> Edit: It seems that the proper fix would be doing the sandbox check before
> calling checkcfg, so that firejail does not even try to read firejail.config
> if an existing sandbox is detected:
>
> https://github.com/netblue30/firejail/pull/6969

Oh, sounds like a promising solution indeed!
I'm happy to give it a go once you consider it ready for a test (I see it's still a draft for now).


@kmk3 commented on GitHub (Nov 22, 2025):

> > Edit: It seems that the proper fix would be doing the sandbox check before
> > calling checkcfg, so that firejail does not even try to read
> > firejail.config if an existing sandbox is detected:
> > #6969
>
> Oh, sounds like a promising solution indeed! I'm happy to give it a go once
> you consider it ready for a test (I see it's still a draft for now).

Note: After the push I saw that it broke some things, so I'll merge just the
original commit and open a new PR for the new change.


@Antiz96 commented on GitHub (Nov 22, 2025):

> > > Edit: It seems that the proper fix would be doing the sandbox check before
> > > calling checkcfg, so that firejail does not even try to read
> > > firejail.config if an existing sandbox is detected:
> > > #6969
> >
> > Oh, sounds like a promising solution indeed! I'm happy to give it a go once
> > you consider it ready for a test (I see it's still a draft for now).
>
> Note: After the push I saw that it broke some things, so I'll merge just the original commit and open a new PR for the new change.

Alright, don't hesitate to ping me if you need tests for the new PR.
I'll be AFK for the rest of the day but I can do some tests tomorrow :)


@ipaqmaster commented on GitHub (Nov 26, 2025):

~It would be nice if clicking a link in firejailed thunderbird opened the link in my also firejailed firefox (Different jails). I haven't found a working combination of changes yet.~

~I also caught, today, thunderbird trying to launch firefox via its firejail symlink and making the same complaint as seen in the title. It doesn't seem to acknowledge it's already in one and just run it, it tries to run firejail inside firejail. Difficult when both thunderbird and firefox's $PATH entries are firejail symlinks.~

Addressed/worked around in https://github.com/netblue30/firejail/issues/6981


@netblue30 commented on GitHub (Dec 4, 2025):

@Antiz96 give it a try, it should be fixed now. Thanks for the report.


@Antiz96 commented on GitHub (Dec 4, 2025):

> @Antiz96 give it a try, it should be fixed now. Thanks for the report.

@netblue30 I built firejail against master but I'm still facing the issue [where it looks for whatever link I click as an executable rather than firefox](https://github.com/netblue30/firejail/pull/6971#issuecomment-3566404195):

```
Warning: an existing sandbox was detected. https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/775 will run without any additional sandboxing features
Error: no suitable https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/775 executable found
```

@netblue30 commented on GitHub (Dec 5, 2025):

Thanks @Antiz96, give it a try again when you get a chance. I've just put a new fix in. We seem to be fixing it in one place and break it in another. Currently it seems to be running fine on Debian stable.

Also, do you have firefox set up as a symbolic link in /usr/local/bin? For example by running "sudo firecfg"


@Antiz96 commented on GitHub (Dec 5, 2025):

> Thanks @Antiz96, give it a try again when you get a chance. I've just put a new fix in. We seem to be fixing it in one place and break it in another. Currently it seems to be running fine on Debian stable.

@netblue30 Seems like it's working fine now! 🥳

For what it's worth, I'm still getting warnings that the firejail config isn't found though (unless I add `private-etc firejail/firejail.config` in my thunderbird.local conf) but I guess that's expected?:

```
Warning: Firejail configuration file /etc/firejail/firejail.config not found, using defaults
Warning: Firejail configuration file /etc/firejail/firejail.config not found, using defaults
Warning: an existing sandbox was detected. /usr/bin/firefox will run without any additional sandboxing features
```

Anyway, regardless of the above warnings, opening links from firejailed thunderbird into firejailed firefox works again now! Thanks 🙂

> Also, do you have firefox set up as a symbolic link in /usr/local/bin? For example by running "sudo firecfg"

Yes I do (via `firecfg`).


@Antiz96 commented on GitHub (Dec 5, 2025):

@kmk3 If that helps, it seems like ee879a2f26 is the fixing commit. Backporting this one (in addition to d1aeeb4fa1) on top of 0.9.76 seems to work as expected (both regarding the MAX_ARGS feature and the issue exposed here).


@netblue30 commented on GitHub (Dec 12, 2025):

@Antiz96 thanks again. I'll close it for now. If it comes back open a new bug!

Reference: github-starred/firejail#3436