github-starred/firejail

Fork 0

mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00

[GH-ISSUE #908] Thunderbird: Okular can't open PDF files #614

New issue

Closed

opened 2026-05-05 06:17:04 -06:00 by gitea-mirror · 3 comments

gitea-mirror commented

2026-05-05 06:17:04 -06:00

Owner

Originally created by @curiosity-seeker on GitHub (Nov 12, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/908

A couple of days ago I noticed that Okular no longer opens attached PDF files in Thunderbird. Every time I get an error message like

Can't open /tmp/mozilla_hank0/example.pdf

After some investigation I found the culprit: The Thunderbird profile contains

include /etc/firejail/firefox.profile

and that one the rule

private-tmp

After commenting that rule everything works nicely. However, that rule certainly makes sense in the firefox.profile. So the question is if

include /etc/firejail/firefox.profile

should be removed from thunderbird.profile. If I comment that entry and I click links in Thunderbird they are still opened in a firejailed Firefox. Even is Firefox is not yet open it is not started as a sub-process of the firejailed Thunderbird (according to firejail --tree) but as an own firejailed process. Perhaps because I'm using symlink invocation?

My suggestion is to rewrite the Thunderbord profile like this:

mkdir ~/.gnupg
whitelist ~/.gnupg

noblacklist ~/.thunderbird
mkdir ~/.thunderbird
whitelist ~/.thunderbird

noblacklist ~/.cache/thunderbird
mkdir ~/.cache/thunderbird
whitelist ~/.cache/thunderbird

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc

caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6,netlink
seccomp
tracelog

whitelist ${DOWNLOADS}

include /etc/firejail/whitelist-common.inc

Originally created by @curiosity-seeker on GitHub (Nov 12, 2016). Original GitHub issue: https://github.com/netblue30/firejail/issues/908 A couple of days ago I noticed that Okular no longer opens attached PDF files in Thunderbird. Every time I get an error message like `Can't open /tmp/mozilla_hank0/example.pdf` After some investigation I found the culprit: The Thunderbird profile contains `include /etc/firejail/firefox.profile` and that one the rule `private-tmp` After commenting that rule everything works nicely. However, that rule certainly makes sense in the firefox.profile. So the question is if `include /etc/firejail/firefox.profile` should be removed from thunderbird.profile. If I comment that entry and I click links in Thunderbird they are still opened in a firejailed Firefox. Even is Firefox is not yet open it is **not** started as a sub-process of the firejailed Thunderbird (according to firejail --tree) but as an own firejailed process. Perhaps because I'm using symlink invocation? My suggestion is to rewrite the Thunderbord profile like this: ```noblacklist ~/.gnupg mkdir ~/.gnupg whitelist ~/.gnupg noblacklist ~/.thunderbird mkdir ~/.thunderbird whitelist ~/.thunderbird noblacklist ~/.cache/thunderbird mkdir ~/.cache/thunderbird whitelist ~/.cache/thunderbird include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all netfilter nonewprivs noroot protocol unix,inet,inet6,netlink seccomp tracelog whitelist ${DOWNLOADS} include /etc/firejail/whitelist-common.inc ```

gitea-mirror

2026-05-05 06:17:04 -06:00

closed this issue
added the
information_old
label

gitea-mirror commented

2026-05-05 06:17:11 -06:00

Author

Owner

@netblue30 commented on GitHub (Nov 13, 2016):

What happens if before "include /etc/firejail/firefox.profile" you add a "ignore private-tmp"?

ignore private-tmp
include /etc/firejail/firefox.profile

This should disable private-tmp in firefox.profile.

@netblue30 commented on GitHub (Nov 13, 2016): What happens if before "include /etc/firejail/firefox.profile" you add a "ignore private-tmp"? ``` ignore private-tmp include /etc/firejail/firefox.profile ``` This should disable private-tmp in firefox.profile.

gitea-mirror commented

2026-05-05 06:17:13 -06:00

Author

Owner

@curiosity-seeker commented on GitHub (Nov 13, 2016):

Ah, yes - this works, indeed! I had completely forgotten about the ignore command - sorry!

Okular is now able to open PDF files.

@curiosity-seeker commented on GitHub (Nov 13, 2016): Ah, yes - this works, indeed! I had completely forgotten about the `ignore` command - sorry! Okular is now able to open PDF files.

gitea-mirror commented

2026-05-05 06:17:15 -06:00

Author

Owner

@netblue30 commented on GitHub (Nov 15, 2016):

I pushed it in the profile file in git, thanks.

@netblue30 commented on GitHub (Nov 15, 2016): I pushed it in the profile file in git, thanks.

gitea-mirror referenced this issue

2026-05-05 10:05:59 -06:00

[PR #614] [MERGED] Telegram #3683

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#614

No description provided.

Rows
Columns