github-starred/firejail

Fork 0

mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00

[GH-ISSUE #905] Opening links in external applications under firejailed Firefox #612

New issue

Closed

opened 2026-05-05 06:16:23 -06:00 by gitea-mirror · 2 comments

gitea-mirror commented

2026-05-05 06:16:23 -06:00

Owner

Originally created by @fld on GitHub (Nov 10, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/905

When dealing with .pdf and .torrent links, I like to use Firefoxes "Open with ..."-feature for opening such files in qpdfview/okular and deluge, respectively.

After some head scratching, I was able to make qpdfview/okular work properly when opened via firefox with this:

% cat ~/.config/firejail/firefox.profile
name firefox

whitelist ~/.config/qpdfview
whitelist ~/.local/share/qpdfview
noblacklist ~/.config/qpdfview
noblacklist ~/.local/share/qpdfview

whitelist ~/.kde/share/apps/okular
noblacklist ~/.kde/share/apps/okular

include /etc/firejail/firefox.profile

Both viewers now open with correct configuration. For some reason, I had to use both "whitelist" and "noblacklist" and they had to be place above the "include ...firefox.profile" to make things work...

Getting .torrent-files to open with Deluge, was a much tougher nut to crack.. because usually the Deluge GUI is already running outside of the Firefoxes firejail-container (possibly in a jail of its own)

For starters, I added whitelist ~/.config/deluge to ~/.config/firejail/firefox.profile, but that alone wasn't enough, because Firefox still needs access to the already running Deluge. One way to do that is to run Deluge with: firejail --join=firefox deluge, but this has the drawbacks that Firefox has to already be running when you are starting Deluge and it would essentially be running under Firefoxes profile rather than Deluges profile.

Then I noticed the "--ipc-namespace="-option, which would allow me to start deluge under firefox ipc-namespace, even before firefox jail is started!

Start deluge
% firejail --ipc-namespace=firefox deluge
Open a .torrent with firejailed firefox
% firejail firefox --no-remote http://....torrent
Deluge says:
[ERROR ] 12:16:40 ipcinterface:217 No such file: /tmp/mozilla_fld0/tails-i386-2.6.torrent

So finally, this works:
% firejail --ipc-namespace=firefox --whitelist=/tmp/mozilla_fld0 deluge

I don't like how the tmp/ sub-directory name has to be added in such a static fashion, but I can't think of a way around it?

Originally created by @fld on GitHub (Nov 10, 2016). Original GitHub issue: https://github.com/netblue30/firejail/issues/905 When dealing with .pdf and .torrent links, I like to use Firefoxes "Open with ..."-feature for opening such files in qpdfview/okular and deluge, respectively. After some head scratching, I was able to make qpdfview/okular work properly when opened via firefox with this: ``` % cat ~/.config/firejail/firefox.profile name firefox whitelist ~/.config/qpdfview whitelist ~/.local/share/qpdfview noblacklist ~/.config/qpdfview noblacklist ~/.local/share/qpdfview whitelist ~/.kde/share/apps/okular noblacklist ~/.kde/share/apps/okular include /etc/firejail/firefox.profile ``` Both viewers now open with correct configuration. For some reason, I had to use both "whitelist" and "noblacklist" and they had to be place above the "include ...firefox.profile" to make things work... -- Getting .torrent-files to open with Deluge, was a much tougher nut to crack.. because usually the Deluge GUI is already running outside of the Firefoxes firejail-container (possibly in a jail of its own) For starters, I added `whitelist ~/.config/deluge` to \~/.config/firejail/firefox.profile, but that alone wasn't enough, because Firefox still needs access to the already running Deluge. One way to do that is to run Deluge with: `firejail --join=firefox deluge`, but this has the drawbacks that Firefox has to already be running when you are starting Deluge and it would essentially be running under Firefoxes profile rather than Deluges profile. Then I noticed the "--ipc-namespace="-option, which would allow me to start deluge under firefox ipc-namespace, even before firefox jail is started! Start deluge `% firejail --ipc-namespace=firefox deluge` Open a .torrent with firejailed firefox `% firejail firefox --no-remote http://....torrent` Deluge says: `[ERROR ] 12:16:40 ipcinterface:217 No such file: /tmp/mozilla_fld0/tails-i386-2.6.torrent` So finally, this works: `% firejail --ipc-namespace=firefox --whitelist=/tmp/mozilla_fld0 deluge` I don't like how the tmp/ sub-directory name has to be added in such a static fashion, but I can't think of a way around it?

gitea-mirror

2026-05-05 06:16:23 -06:00

closed this issue
added the
enhancement
label

gitea-mirror commented

2026-05-05 06:16:27 -06:00

Author

Owner

@fld commented on GitHub (Nov 10, 2016):

As I was making my deluge.profile I noticed that the --ipc-namespace doesn't actually take any parameters. Here is what I'm using now:

~/.config/firejail/deluge.profile:

name deluge
apparmor                         
include /etc/firejail/deluge.profile
ipc-namespace                       
whitelist /tmp/mozilla_fld0

~/.config/firejail/firefox.profile:

name firefox  
apparmor

whitelist ~/.config/qpdfview              
whitelist ~/.local/share/qpdfview         
noblacklist ~/.config/qpdfview            
noblacklist ~/.local/share/qpdfview       

whitelist ~/.kde/share/apps/okular        
noblacklist ~/.kde/share/apps/okular      

include /etc/firejail/firefox.profile

whitelist ~/.kde/share/config/oxygenrc    
whitelist ~/.kde/share/config/kdeglobals  

whitelist ~/.config/deluge

@fld commented on GitHub (Nov 10, 2016): As I was making my deluge.profile I noticed that the --ipc-namespace doesn't actually take any parameters. Here is what I'm using now: **~/.config/firejail/deluge.profile:** ``` name deluge apparmor include /etc/firejail/deluge.profile ipc-namespace whitelist /tmp/mozilla_fld0 ``` **~/.config/firejail/firefox.profile:** ``` name firefox apparmor whitelist ~/.config/qpdfview whitelist ~/.local/share/qpdfview noblacklist ~/.config/qpdfview noblacklist ~/.local/share/qpdfview whitelist ~/.kde/share/apps/okular noblacklist ~/.kde/share/apps/okular include /etc/firejail/firefox.profile whitelist ~/.kde/share/config/oxygenrc whitelist ~/.kde/share/config/kdeglobals whitelist ~/.config/deluge ```

gitea-mirror commented

2026-05-05 06:16:29 -06:00

Author

Owner

@netblue30 commented on GitHub (Nov 12, 2016):

I have all of them in mainline git, thanks.

@netblue30 commented on GitHub (Nov 12, 2016): I have all of them in mainline git, thanks.

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#612

No description provided.

Rows
Columns