github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #884] slack.profile does not allow opening URLs in messages #598

New issue
Closed
opened 2026-05-05 06:15:11 -06:00 by gitea-mirror · 7 comments
gitea-mirror commented 2026-05-05 06:15:11 -06:00
Owner
Copy link

Originally created by @elvetemedve on GitHub (Oct 31, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/884

Somehow the default web browser should be white-listed in order to be able to open URLs posted in instant messages.

Originally created by @elvetemedve on GitHub (Oct 31, 2016). Original GitHub issue: https://github.com/netblue30/firejail/issues/884 Somehow the default web browser should be white-listed in order to be able to open URLs posted in instant messages.
gitea-mirror 2026-05-05 06:15:11 -06:00
gitea-mirror commented 2026-05-05 06:15:18 -06:00
Author
Owner
Copy link

@chiraag-nataraj commented on GitHub (Nov 1, 2016):

Isn't that hard/impossible to do? On Debian, you could theoretically use x-www-browser, but that's just a symbolic link to /etc/alternatives/x-www-browser which in turn is a symbolic link to the actual browser. You have no way of apriori knowing what that is. One tack to take is just to whitelist all the common browsers, but that's kinda defeating the purpose. The other way is to create a local profile ~/.config/firejail/slack.profile, include the global one, and additionally whitelist whatever browser you use, which is probably the best way to go.

<!-- gh-comment-id:257590558 --> @chiraag-nataraj commented on GitHub (Nov 1, 2016): Isn't that hard/impossible to do? On Debian, you could theoretically use `x-www-browser`, but that's just a symbolic link to `/etc/alternatives/x-www-browser` which in turn is a symbolic link to the actual browser. You have no way of apriori knowing what that is. One tack to take is just to whitelist all the common browsers, but that's kinda defeating the purpose. The other way is to create a local profile `~/.config/firejail/slack.profile`, include the global one, and additionally whitelist whatever browser you use, which is probably the best way to go.
gitea-mirror commented 2026-05-05 06:15:22 -06:00
Author
Owner
Copy link

@elvetemedve commented on GitHub (Nov 1, 2016):

Well, I like the idea of adding all common browsers to the whitelist. I don't think that would weaken the protection, because those browsers should be run in a sandbox as well. But current profile decrease the usability (I could mention the document viewer evince which has the same issue. I cannot open external links from documents). It's not something the application should not do, this is part of its feature set.

<!-- gh-comment-id:257603786 --> @elvetemedve commented on GitHub (Nov 1, 2016): Well, I like the idea of adding all common browsers to the whitelist. I don't think that would weaken the protection, because those browsers should be run in a sandbox as well. But current profile decrease the usability (I could mention the document viewer _evince_ which has the same issue. I cannot open external links from documents). It's not something the application should not do, this is part of its feature set.
gitea-mirror commented 2026-05-05 06:15:26 -06:00
Author
Owner
Copy link

@chiraag-nataraj commented on GitHub (Nov 1, 2016):

Well whitelisting them means also whitelisting additional files in /etc, additional binaries, and so on - basically, it forces the profile to be wider than it should be and allows access to files that slack itself may not need. So it does indeed weaken the protection. Now whether that weakening of the profile is something you want is up to you, but I don't think it should be the default for the profile.

By the way, this is additionally super bad because whitelisting Google Chrome means also disabling seccomp and capabilities filters, which are effectively necessary for any program which doesn't have its own (basically any program except for Google Chrome). You really don't want to do this unless you have to.

[Edit] I believe the additional whitelisting is only necessary if you assume you may have to start the program from within the slack sandbox. Otherwise, you may be able to get away with just whitelisting the binaries, so it may not be as bad as I first thought.

<!-- gh-comment-id:257703514 --> @chiraag-nataraj commented on GitHub (Nov 1, 2016): Well whitelisting them means also whitelisting additional files in `/etc`, additional binaries, and so on - basically, it forces the profile to be wider than it should be and allows access to files that slack itself may not need. So it does indeed weaken the protection. Now whether that weakening of the profile is something you want is up to you, but I don't think it should be the default for the profile. By the way, this is additionally super bad because whitelisting Google Chrome means also disabling seccomp and capabilities filters, which are effectively necessary for any program which doesn't have its own (basically any program except for Google Chrome). You _really_ don't want to do this unless you have to. [Edit] I believe the additional whitelisting is only necessary if you assume you may have to start the program from within the slack sandbox. Otherwise, you may be able to get away with just whitelisting the binaries, so it may not be as bad as I first thought.
gitea-mirror commented 2026-05-05 06:15:28 -06:00
Author
Owner
Copy link

@elvetemedve commented on GitHub (Nov 1, 2016):

I played a bit with the slack.profile and removed few restrictions. As I see the opened browser will be run in the same sandbox as Slack just like you mentioned.

Reading profile /home/geza/.config/firejail/slack.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/whitelist-common.inc
Warning: user namespaces not available in the current kernel.
Parent pid 15006, child pid 15007
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Child process initialized
Redirecting symlink to /usr/bin/slack
Warning: cannot switch euid to root
Warning: cannot switch egid to root
Warning: cannot switch euid to root
Warning: cannot switch egid to root
Warning: an existing sandbox was detected. /usr/bin/slack will run without any additional sandboxing features
Child process initialized

(slack:8): dconf-WARNING **: Unable to open /var/lib/flatpak/exports/share/dconf/profile/user: Permission denied
Creating Slack Application
/opt/google/chrome/google-chrome: line 45: /dev/fd/62: No such file or directory
/opt/google/chrome/google-chrome: line 46: /dev/fd/62: No such file or directory
The setuid sandbox is not running as root. Common causes:

  • An unprivileged process using ptrace on it, like a debugger.
  • A parent process set prctl(PR_SET_NO_NEW_PRIVS, ...)
    Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted

Is there a way to tell firejail to create new processes outside the sandbox of Slack? When I click on a link like https://kernel.org/, then I would like to see firejail google-chrome-stable http://kernel.org/ executed. That way Chrome would run within its own sandbox.

<!-- gh-comment-id:257731465 --> @elvetemedve commented on GitHub (Nov 1, 2016): I played a bit with the slack.profile and removed few restrictions. As I see the opened browser will be run in the same sandbox as Slack just like you mentioned. > Reading profile /home/geza/.config/firejail/slack.profile > Reading profile /etc/firejail/disable-common.inc > Reading profile /etc/firejail/disable-programs.inc > Reading profile /etc/firejail/disable-devel.inc > Reading profile /etc/firejail/disable-passwdmgr.inc > Reading profile /etc/firejail/whitelist-common.inc > Warning: user namespaces not available in the current kernel. > Parent pid 15006, child pid 15007 > Warning: /sbin directory link was not blacklisted > Warning: /usr/sbin directory link was not blacklisted > Child process initialized > Redirecting symlink to /usr/bin/slack > Warning: cannot switch euid to root > Warning: cannot switch egid to root > Warning: cannot switch euid to root > Warning: cannot switch egid to root > Warning: an existing sandbox was detected. /usr/bin/slack will run without any additional sandboxing features > Child process initialized > > (slack:8): dconf-WARNING **: Unable to open /var/lib/flatpak/exports/share/dconf/profile/user: Permission denied > Creating Slack Application > /opt/google/chrome/google-chrome: line 45: /dev/fd/62: No such file or directory > /opt/google/chrome/google-chrome: line 46: /dev/fd/62: No such file or directory > The setuid sandbox is not running as root. Common causes: > - An unprivileged process using ptrace on it, like a debugger. > - A parent process set prctl(PR_SET_NO_NEW_PRIVS, ...) > Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted Is there a way to tell firejail to create new processes outside the sandbox of Slack? When I click on a link like `https://kernel.org/`, then I would like to see `firejail google-chrome-stable http://kernel.org/` executed. That way Chrome would run within its own sandbox.
gitea-mirror commented 2026-05-05 06:15:31 -06:00
Author
Owner
Copy link

@chiraag-nataraj commented on GitHub (Nov 2, 2016):

Try with Chrome already opened (you may have to whitelist Google Chrome's configuration directory? not sure). I think it will still require syscalls, though probably not as many...

<!-- gh-comment-id:257739175 --> @chiraag-nataraj commented on GitHub (Nov 2, 2016): Try with Chrome already opened (you may have to whitelist Google Chrome's configuration directory? not sure). I think it will still require syscalls, though probably not as many...
gitea-mirror commented 2026-05-05 06:15:35 -06:00
Author
Owner
Copy link

@elvetemedve commented on GitHub (Nov 6, 2016):

I managed to enable opening URLs via Google Chrome. Unfortunately it's not enough strict to make it default.
I think seccomp filter has a bug, because if I restrict access to any system call like seccomp.drop swapon, it won't work anymore, but I'm sure that neither Slack nor Chrome touch the swap management.

See the modified profile here: slack.profile.txt

<!-- gh-comment-id:258697492 --> @elvetemedve commented on GitHub (Nov 6, 2016): I managed to enable opening URLs via Google Chrome. Unfortunately it's not enough strict to make it default. I think seccomp filter has a bug, because if I restrict access to any system call like `seccomp.drop swapon`, it won't work anymore, but I'm sure that neither Slack nor Chrome touch the swap management. See the modified profile here: [slack.profile.txt](https://github.com/netblue30/firejail/files/573983/slack.profile.txt)
gitea-mirror commented 2026-05-05 06:15:37 -06:00
Author
Owner
Copy link

@chiraag-nataraj commented on GitHub (Nov 6, 2016):

Yes, because the default seccomp filter (which is what seccomp.drop uses) doesn't work for Google Chrome.

<!-- gh-comment-id:258718860 --> @chiraag-nataraj commented on GitHub (Nov 6, 2016): Yes, because the default seccomp filter (which is what `seccomp.drop` uses) doesn't work for Google Chrome.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#598
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?