[GH-ISSUE #7107] torbrowser: cannot start program #3487

New issue

Closed

opened 2026-05-05 10:01:44 -06:00 by gitea-mirror · 4 comments

gitea-mirror commented 2026-05-05 10:01:44 -06:00

Owner

Copy link

Originally created by @ibahnasy on GitHub (Mar 16, 2026).
Original GitHub issue: https://github.com/netblue30/firejail/issues/7107

• firejail version 0.9.72

$ cat ~/.config/firejail/torbrowser-launcher.local

whitelist /usr/bin/getconf
whitelist /usr/bin/grep
whitelist /usr/bin/cut
whitelist /home/user/tor-browser

ignore noexec ${HOME}
ignore noexec /tmp
ignore noexec /var
ignore noexec /run/user/1000

ignore include disable-programs.inc
ignore include disable-common.inc
ignore include disable-exec.inc
ignore include disable-interpreters.inc

ignore private-bin
ignore x11
ignore nosound
ignore nodbus

whitelist ${RUNUSER}/wayland-0
env GDK_BACKEND=wayland
env MOZ_ENABLE_WAYLAND=1

firejail --no3d --profile=/etc/firejail/torbrowser-launcher.profile ./Browser/start-tor-browser --debug

Reading profile /etc/firejail/torbrowser-launcher.profile
Reading profile /home/user/.config/firejail/torbrowser-launcher.local
Reading profile /etc/firejail/allow-python2.inc
Reading profile /etc/firejail/allow-python3.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Warning: networking feature is disabled in Firejail configuration file
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 321523, child pid 321524
Warning: not remounting /var/lib/docker/overlay2/e45706e087cf01a0dec7c7124251d2f90f35261b05b251175e1d99a23f537845/merged
Warning: not remounting /var/lib/docker/overlay2/4e48582e048037ca233fcdd46bf347d99b52b19052150970e5d3a4de0eee5d65/merged
Warning: not remounting /var/lib/docker/overlay2/b10238addf0e75f640ce7b389c3a71730397a1f5db8b78e10e5bbc6d13a14b83/merged
Warning: not remounting /var/lib/docker/overlay2/e45706e087cf01a0dec7c7124251d2f90f35261b05b251175e1d99a23f537845/merged
Warning: not remounting /var/lib/docker/overlay2/4e48582e048037ca233fcdd46bf347d99b52b19052150970e5d3a4de0eee5d65/merged
Warning: not remounting /var/lib/docker/overlay2/b10238addf0e75f640ce7b389c3a71730397a1f5db8b78e10e5bbc6d13a14b83/merged
Warning: cannot find /var/run/utmp
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping asound.conf for private /etc
Warning: skipping crypto-policies for private /etc
Warning: skipping ld.so.preload for private /etc
Private /etc installed in 34.79 ms
Private /usr/etc installed in 0.00 ms
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Child process initialized in 83.03 ms
Cannot start application: No such file or directory

Parent is shutting down, bye...

$ firejail --profile=default --whitelist=/home/user/tor-browser /home/user/tor-browser/Browser/firefox

Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 321925, child pid 321926
Warning: not remounting /var/lib/docker/overlay2/e45706e087cf01a0dec7c7124251d2f90f35261b05b251175e1d99a23f537845/merged
Warning: not remounting /var/lib/docker/overlay2/4e48582e048037ca233fcdd46bf347d99b52b19052150970e5d3a4de0eee5d65/merged
Warning: not remounting /var/lib/docker/overlay2/b10238addf0e75f640ce7b389c3a71730397a1f5db8b78e10e5bbc6d13a14b83/merged
Warning: not remounting /var/lib/docker/overlay2/e45706e087cf01a0dec7c7124251d2f90f35261b05b251175e1d99a23f537845/merged
Warning: not remounting /var/lib/docker/overlay2/4e48582e048037ca233fcdd46bf347d99b52b19052150970e5d3a4de0eee5d65/merged
Warning: not remounting /var/lib/docker/overlay2/b10238addf0e75f640ce7b389c3a71730397a1f5db8b78e10e5bbc6d13a14b83/merged
Warning: cannot find /var/run/utmp
Child process initialized in 39.83 ms
[8] Sandbox: CanCreateUserNamespace() clone() failure: EPERM
[8, Main Thread] WARNING: Unable to open /var/lib/snapd/desktop/dconf/profile/user: Permission denied: 'glib warning', file /var/tmp/build/firefox-a67a3014b915/toolkit/xre/nsSigHandlers.cpp:201

(Tor Browser:8): dconf-WARNING **: 18:36:17.073: Unable to open /var/lib/snapd/desktop/dconf/profile/user: Permission denied
[54, Main Thread] WARNING: Unable to open /var/lib/snapd/desktop/dconf/profile/user: Permission denied: 'glib warning', file /var/tmp/build/firefox-a67a3014b915/toolkit/xre/nsSigHandlers.cpp:201

(Tor Browser:54): dconf-WARNING **: 18:36:17.400: Unable to open /var/lib/snapd/desktop/dconf/profile/user: Permission denied
[Parent 54, Main Thread] WARNING: Could not load a pixbuf from icon theme.
This may indicate that pixbuf loaders or the mime database could not be found.: 'glib warning', file /var/tmp/build/firefox-a67a3014b915/toolkit/xre/nsSigHandlers.cpp:201

(Tor Browser:54): Gtk-WARNING **: 18:36:18.106: Could not load a pixbuf from icon theme.
This may indicate that pixbuf loaders or the mime database could not be found.
**
Gtk:ERROR:../../../gtk/gtkiconhelper.c:495:ensure_surface_for_gicon: assertion failed (error == NULL): Failed to load /usr/share/icons/Yaru/16x16/status/image-missing.png: Could not spawn `"bwrap" "--unshare-all" "--die-with-parent" "--chdir" "/" "--ro-bind" "/usr" "/usr" "--dev" "/dev" "--ro-bind-try" "/etc/ld.so.cache" "/etc/ld.so.cache" "--ro-bind-try" "/nix/store" "/nix/store" "--tmpfs" "/tmp-home" "--tmpfs" "/tmp-run" "--clearenv" "--setenv" "HOME" "/tmp-home" "--setenv" "XDG_RUNTIME_DIR" "/tmp-run" "--setenv" "XDG_RUNTIME_DIR" "/run/user/1000" "--symlink" "/usr/libx32" "/libx32" "--symlink" "/usr/lib" "/lib" "--symlink" "/usr/lib32" "/lib32" "--symlink" "/usr/lib64" "/lib64" "--seccomp" "78" "/usr/libexec/glycin-loaders/2+/glycin-image-rs" "--dbus-fd" "77"`: Permission denied (os error 13) (gdk-pixbuf-error-quark, 0)
Bail out! Gtk:ERROR:../../../gtk/gtkiconhelper.c:495:ensure_surface_for_gicon: assertion failed (error == NULL): Failed to load /usr/share/icons/Yaru/16x16/status/image-missing.png: Could not spawn `"bwrap" "--unshare-all" "--die-with-parent" "--chdir" "/" "--ro-bind" "/usr" "/usr" "--dev" "/dev" "--ro-bind-try" "/etc/ld.so.cache" "/etc/ld.so.cache" "--ro-bind-try" "/nix/store" "/nix/store" "--tmpfs" "/tmp-home" "--tmpfs" "/tmp-run" "--clearenv" "--setenv" "HOME" "/tmp-home" "--setenv" "XDG_RUNTIME_DIR" "/tmp-run" "--setenv" "XDG_RUNTIME_DIR" "/run/user/1000" "--symlink" "/usr/libx32" "/libx32" "--symlink" "/usr/lib" "/lib" "--symlink" "/usr/lib32" "/lib32" "--symlink" "/usr/lib64" "/lib64" "--seccomp" "78" "/usr/libexec/glycin-loaders/2+/glycin-image-rs" "--dbus-fd" "77"`: Permission denied (os error 13) (gdk-pixbuf-error-quark, 0)
Redirecting call to abort() to mozalloc_abort


Parent is shutting down, bye...

I have tried workarounds here but didn't solve the issue.

Originally created by @ibahnasy on GitHub (Mar 16, 2026). Original GitHub issue: https://github.com/netblue30/firejail/issues/7107 * firejail version 0.9.72 `$ cat ~/.config/firejail/torbrowser-launcher.local ` ``` whitelist /usr/bin/getconf whitelist /usr/bin/grep whitelist /usr/bin/cut whitelist /home/user/tor-browser ignore noexec ${HOME} ignore noexec /tmp ignore noexec /var ignore noexec /run/user/1000 ignore include disable-programs.inc ignore include disable-common.inc ignore include disable-exec.inc ignore include disable-interpreters.inc ignore private-bin ignore x11 ignore nosound ignore nodbus whitelist ${RUNUSER}/wayland-0 env GDK_BACKEND=wayland env MOZ_ENABLE_WAYLAND=1 ``` `firejail --no3d --profile=/etc/firejail/torbrowser-launcher.profile ./Browser/start-tor-browser --debug` ``` Reading profile /etc/firejail/torbrowser-launcher.profile Reading profile /home/user/.config/firejail/torbrowser-launcher.local Reading profile /etc/firejail/allow-python2.inc Reading profile /etc/firejail/allow-python3.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-xdg.inc Reading profile /etc/firejail/whitelist-common.inc Reading profile /etc/firejail/whitelist-var-common.inc Reading profile /etc/firejail/whitelist-runuser-common.inc Reading profile /etc/firejail/whitelist-usr-share-common.inc Warning: networking feature is disabled in Firejail configuration file Seccomp list in: !chroot, check list: @default-keep, prelist: unknown, Parent pid 321523, child pid 321524 Warning: not remounting /var/lib/docker/overlay2/e45706e087cf01a0dec7c7124251d2f90f35261b05b251175e1d99a23f537845/merged Warning: not remounting /var/lib/docker/overlay2/4e48582e048037ca233fcdd46bf347d99b52b19052150970e5d3a4de0eee5d65/merged Warning: not remounting /var/lib/docker/overlay2/b10238addf0e75f640ce7b389c3a71730397a1f5db8b78e10e5bbc6d13a14b83/merged Warning: not remounting /var/lib/docker/overlay2/e45706e087cf01a0dec7c7124251d2f90f35261b05b251175e1d99a23f537845/merged Warning: not remounting /var/lib/docker/overlay2/4e48582e048037ca233fcdd46bf347d99b52b19052150970e5d3a4de0eee5d65/merged Warning: not remounting /var/lib/docker/overlay2/b10238addf0e75f640ce7b389c3a71730397a1f5db8b78e10e5bbc6d13a14b83/merged Warning: cannot find /var/run/utmp Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set. Warning: skipping asound.conf for private /etc Warning: skipping crypto-policies for private /etc Warning: skipping ld.so.preload for private /etc Private /etc installed in 34.79 ms Private /usr/etc installed in 0.00 ms Seccomp list in: !chroot, check list: @default-keep, prelist: unknown, Child process initialized in 83.03 ms Cannot start application: No such file or directory Parent is shutting down, bye... ``` `$ firejail --profile=default --whitelist=/home/user/tor-browser /home/user/tor-browser/Browser/firefox` ``` Reading profile /etc/firejail/default.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-programs.inc Warning: networking feature is disabled in Firejail configuration file Parent pid 321925, child pid 321926 Warning: not remounting /var/lib/docker/overlay2/e45706e087cf01a0dec7c7124251d2f90f35261b05b251175e1d99a23f537845/merged Warning: not remounting /var/lib/docker/overlay2/4e48582e048037ca233fcdd46bf347d99b52b19052150970e5d3a4de0eee5d65/merged Warning: not remounting /var/lib/docker/overlay2/b10238addf0e75f640ce7b389c3a71730397a1f5db8b78e10e5bbc6d13a14b83/merged Warning: not remounting /var/lib/docker/overlay2/e45706e087cf01a0dec7c7124251d2f90f35261b05b251175e1d99a23f537845/merged Warning: not remounting /var/lib/docker/overlay2/4e48582e048037ca233fcdd46bf347d99b52b19052150970e5d3a4de0eee5d65/merged Warning: not remounting /var/lib/docker/overlay2/b10238addf0e75f640ce7b389c3a71730397a1f5db8b78e10e5bbc6d13a14b83/merged Warning: cannot find /var/run/utmp Child process initialized in 39.83 ms [8] Sandbox: CanCreateUserNamespace() clone() failure: EPERM [8, Main Thread] WARNING: Unable to open /var/lib/snapd/desktop/dconf/profile/user: Permission denied: 'glib warning', file /var/tmp/build/firefox-a67a3014b915/toolkit/xre/nsSigHandlers.cpp:201 (Tor Browser:8): dconf-WARNING **: 18:36:17.073: Unable to open /var/lib/snapd/desktop/dconf/profile/user: Permission denied [54, Main Thread] WARNING: Unable to open /var/lib/snapd/desktop/dconf/profile/user: Permission denied: 'glib warning', file /var/tmp/build/firefox-a67a3014b915/toolkit/xre/nsSigHandlers.cpp:201 (Tor Browser:54): dconf-WARNING **: 18:36:17.400: Unable to open /var/lib/snapd/desktop/dconf/profile/user: Permission denied [Parent 54, Main Thread] WARNING: Could not load a pixbuf from icon theme. This may indicate that pixbuf loaders or the mime database could not be found.: 'glib warning', file /var/tmp/build/firefox-a67a3014b915/toolkit/xre/nsSigHandlers.cpp:201 (Tor Browser:54): Gtk-WARNING **: 18:36:18.106: Could not load a pixbuf from icon theme. This may indicate that pixbuf loaders or the mime database could not be found. ** Gtk:ERROR:../../../gtk/gtkiconhelper.c:495:ensure_surface_for_gicon: assertion failed (error == NULL): Failed to load /usr/share/icons/Yaru/16x16/status/image-missing.png: Could not spawn `"bwrap" "--unshare-all" "--die-with-parent" "--chdir" "/" "--ro-bind" "/usr" "/usr" "--dev" "/dev" "--ro-bind-try" "/etc/ld.so.cache" "/etc/ld.so.cache" "--ro-bind-try" "/nix/store" "/nix/store" "--tmpfs" "/tmp-home" "--tmpfs" "/tmp-run" "--clearenv" "--setenv" "HOME" "/tmp-home" "--setenv" "XDG_RUNTIME_DIR" "/tmp-run" "--setenv" "XDG_RUNTIME_DIR" "/run/user/1000" "--symlink" "/usr/libx32" "/libx32" "--symlink" "/usr/lib" "/lib" "--symlink" "/usr/lib32" "/lib32" "--symlink" "/usr/lib64" "/lib64" "--seccomp" "78" "/usr/libexec/glycin-loaders/2+/glycin-image-rs" "--dbus-fd" "77"`: Permission denied (os error 13) (gdk-pixbuf-error-quark, 0) Bail out! Gtk:ERROR:../../../gtk/gtkiconhelper.c:495:ensure_surface_for_gicon: assertion failed (error == NULL): Failed to load /usr/share/icons/Yaru/16x16/status/image-missing.png: Could not spawn `"bwrap" "--unshare-all" "--die-with-parent" "--chdir" "/" "--ro-bind" "/usr" "/usr" "--dev" "/dev" "--ro-bind-try" "/etc/ld.so.cache" "/etc/ld.so.cache" "--ro-bind-try" "/nix/store" "/nix/store" "--tmpfs" "/tmp-home" "--tmpfs" "/tmp-run" "--clearenv" "--setenv" "HOME" "/tmp-home" "--setenv" "XDG_RUNTIME_DIR" "/tmp-run" "--setenv" "XDG_RUNTIME_DIR" "/run/user/1000" "--symlink" "/usr/libx32" "/libx32" "--symlink" "/usr/lib" "/lib" "--symlink" "/usr/lib32" "/lib32" "--symlink" "/usr/lib64" "/lib64" "--seccomp" "78" "/usr/libexec/glycin-loaders/2+/glycin-image-rs" "--dbus-fd" "77"`: Permission denied (os error 13) (gdk-pixbuf-error-quark, 0) Redirecting call to abort() to mozalloc_abort Parent is shutting down, bye... ``` I have tried workarounds here but didn't solve the issue.

gitea-mirror 2026-05-05 10:01:44 -06:00

• closed this issue
• added the
  needinfo
  old-version
  labels

gitea-mirror commented 2026-05-05 10:01:47 -06:00

Author

Owner

Copy link

@kmk3 commented on GitHub (Mar 16, 2026):

Basic debugging information is missing; please follow the bug report template:

• https://github.com/netblue30/firejail/issues/new?template=bug_report.md

<!-- gh-comment-id:4069251373 --> @kmk3 commented on GitHub (Mar 16, 2026): Basic debugging information is missing; please follow the bug report template: * <https://github.com/netblue30/firejail/issues/new?template=bug_report.md>

gitea-mirror commented 2026-05-05 10:01:48 -06:00

Author

Owner

Copy link

@kmk3 commented on GitHub (Mar 16, 2026):

firejail version 0.9.72

Note that we do not maintain that version of firejail:

• https://github.com/netblue30/firejail/blob/master/SECURITY.md

Versions other than the latest usually have outdated profiles and may contain
bugs and security vulnerabilities that were fixed in later versions.

See also:

• https://github.com/netblue30/firejail#installing

<!-- gh-comment-id:4069251620 --> @kmk3 commented on GitHub (Mar 16, 2026): > firejail version 0.9.72 Note that we do not maintain that version of firejail: * <https://github.com/netblue30/firejail/blob/master/SECURITY.md> Versions other than the latest usually have outdated profiles and may contain bugs and security vulnerabilities that were fixed in later versions. See also: * <https://github.com/netblue30/firejail#installing>

gitea-mirror commented 2026-05-05 10:01:48 -06:00

Author

Owner

Copy link

@mYnDstrEAm commented on GitHub (Mar 21, 2026):

How is that a duplicate of the File dialog crashes issue. I think it's maybe a duplicate of #7057

<!-- gh-comment-id:4101535520 --> @mYnDstrEAm commented on GitHub (Mar 21, 2026): How is that a duplicate of the File dialog crashes issue. I think it's maybe a duplicate of #7057

gitea-mirror commented 2026-05-05 10:01:49 -06:00

Author

Owner

Copy link

@kmk3 commented on GitHub (Mar 21, 2026):

How is that a duplicate of the File dialog crashes issue. I think it's maybe
a duplicate of #7057

Because of the gdk-pixbuf warnings/errors.

But indeed there may be other issues as well.

Removing duplicate status and leaving the issue closed due to the firejail
version being too old and unsupported.

If the problem happens with firejail 0.9.80, please open a new bug report and
follow the bug report template:

• https://github.com/netblue30/firejail/issues/new?template=bug_report.md

<!-- gh-comment-id:4103090107 --> @kmk3 commented on GitHub (Mar 21, 2026): > How is that a duplicate of the File dialog crashes issue. I think it's maybe > a duplicate of [#7057](https://github.com/netblue30/firejail/issues/7057) Because of the gdk-pixbuf warnings/errors. But indeed there may be other issues as well. Removing duplicate status and leaving the issue closed due to the firejail version being too old and unsupported. If the problem happens with firejail 0.9.80, please open a new bug report and follow the bug report template: * <https://github.com/netblue30/firejail/issues/new?template=bug_report.md>

gitea-mirror referenced this issue 2026-05-05 10:26:21 -06:00

[PR #3487] [MERGED] clarify writing to /var/mail and /var/spool/mail in apparmor #4776

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

serialize_remounts_v2

landlock_v4

landlock

release-0.9.64

release-0.9.62

gitlab_ci

LTSbase

fred_ctests

docs

0.9.80

0.9.80-rc1

0.9.78

0.9.76

0.9.76-rc4

0.9.76-rc3

0.9.76-rc2

0.9.76-rc1

0.9.74

landlock-split

0.9.72

0.9.72rc1

0.9.70

0.9.68

0.9.68rc1

0.9.66

0.9.66rc1

0.9.64.4

0.9.64.2

0.9.64

0.9.64rc1

0.9.62.4

0.9.62.2

0.9.62

0.9.56.2-LTS

0.9.60

0.9.60-rc1

0.9.58.2

0.9.58

0.9.58-rc1

0.9.56-LTS-release

0.9.56-LTS

0.9.56

0.9.56-rc1

0.9.54

0.9.54-rc2

0.9.54-rc1

0.9.52

0.9.38.12

0.9.50

0.9.50-rc1

0.9.48

0.9.46

0.9.46-rc1

0.9.44.10

0.9.44.8

0.9.44.6

0.9.38.10

0.9.44.4

0.9.38.8

0.9.44.2

0.9.44

0.9.44-rc1

0.9.38.4

0.9.42

0.9.42-rc2

0.9.38.2

0.9.42-rc1

disable-globalcfg

0.9.40

0.9.40-rc1

0.9.38

0.9.38-rc1

0.9.36

0.9.36-rc1

0.9.34

0.9.34-rc1

0.9.32

0.9.32-rc1

0.9.30

0.9.30-rc1

Labels

Clear labels   

LTS merge

  

LTS merge

  

bug

  

bug

  

converted-to-discussion

  

doc-todo

  

documentation

  

duplicate

  

enhancement

  

file-transfer

  

firecfg

  

firejail-in-firejail

  

firetools

  

graphics

  

help wanted

  

information_old

  

installation

  

invalid

  

modif

  

moved

  

needinfo

  

networking

  

notabug

  

notourbug

  

old-version

  

overlayfs

  

packaging

  

profile-request

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

question_old

  

removal

  

runtime-permissions

  

sandbox-ipc

  

security

  

stale

  

wiki

  

wiki

  

wontfix

  

wordpress

  

workaround

No labels

LTS merge

LTS merge

bug

bug

converted-to-discussion

doc-todo

documentation

duplicate

enhancement

file-transfer

firecfg

firejail-in-firejail

firetools

graphics

help wanted

information_old

installation

invalid

modif

moved

needinfo

networking

notabug

notourbug

old-version

overlayfs

packaging

profile-request

pull-request

question

question_old

removal

runtime-permissions

sandbox-ipc

security

stale

wiki

wiki

wontfix

wordpress

workaround

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#3487

No description provided.