[PR #7152] profiles: torbrowser-launcher: add getconf to private-bin,dri-access, glxtest #6343

Open
opened 2026-05-05 10:55:09 -06:00 by gitea-mirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/netblue30/firejail/pull/7152
Author: @cobratbq
Created: 4/28/2026
Status: 🔄 Open

Base: master ← Head: torbrowser-fixes


📝 Commits (1)

  • 46baf4a profile:torbrowser-launcher: add getconf to private-bin

📊 Changes

1 file changed (+1 additions, -1 deletions)

📝 etc/profile-m-z/torbrowser-launcher.profile (+1 -1)

📄 Description

Several fixes, work-in-progress…

  • 🗸 Add getconf to private-bin listing for allowed commands. (Used in conditional in start-up script.)
  • 🗸 Investigate possible mention of vaapitest (unless not happening in resulting situation)
    • Issue with Debian's AppArmor profile for torbrowser-launcher. Adding vaapitest in same form as entry for glxtest is sufficient to make it execute successfully. Not an issue in firejail.
  • ? Investigate matter of denied /dev/dri/card* access.
  • ? Investigate crashes concerning glxtest (likely related to /dev/dri/card* access)

Firejail: 0.9.80 (github-package)
Distro: Debian Trixie (13)


Some reports

Current firejail-profile is interfering with proper detection of GPU hardware. I get these reports, though I'm not completely sure that I am not causing this with local changes. It doesn't seem to be.

```
Crash Annotation GraphicsCriticalError: |[0][GFX1-]: glxtest: ManageChildProcess failed
 (t=0.639868) [GFX1-]: glxtest: ManageChildProcess failed

Crash Annotation GraphicsCriticalError: |[0][GFX1-]: glxtest: ManageChildProcess failed
 (t=0.639868) |[1][GFX1-]: No GPUs detected via PCI
 (t=0.639868) [GFX1-]: No GPUs detected via PCI
```

It might be connected to these dmesg reports:

```
[10309.722074] audit: type=1400 audit(1777313836.069:355): apparmor="DENIED" operation="file_receive" class="file" info="Failed name lookup - disconnected path" error=-13 profile="torbrowser_firefox" name="dev/dri/card0" pid=10894 comm="glxtest" requested_mask="wr" denied_mask="wr" fsuid=1001 ouid=0
[10309.724432] audit: type=1400 audit(1777313836.073:356): apparmor="DENIED" operation="file_receive" class="file" info="Failed name lookup - disconnected path" error=-13 profile="torbrowser_firefox" name="dev/dri/card0" pid=10894 comm="glxtest" requested_mask="wr" denied_mask="wr" fsuid=1001 ouid=0
```

Without firejail, seems related to AppArmor profile of torbrowser.

```
 (t=0.639465) [GFX1-]: FireTestProcess failed: Failed to spawn child process “/home/user/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/vaapitest” (Permission denied)
```

dmesg:

```
[ 2457.252435] audit: type=1400 audit(1777394876.112:226): apparmor="DENIED" operation="exec" class="file" profile="torbrowser_firefox" name="/home/user/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/vaapitest" pid=10116 comm="firefox.real" requested_mask="x" denied_mask="x" fsuid=1001 ouid=1001
```

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
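
Added example, not part of the PR or of firejail: a small Python triage script over the three AppArmor audit records quoted in the description. It collapses repeated denials and separates the "disconnected path" denials on `dev/dri/card0` from the plain exec denial on `vaapitest`; the function names are hypothetical.

```python
import re
from collections import Counter

# The three AppArmor audit records quoted in the PR description (dmesg output).
SAMPLE = r'''
[10309.722074] audit: type=1400 audit(1777313836.069:355): apparmor="DENIED" operation="file_receive" class="file" info="Failed name lookup - disconnected path" error=-13 profile="torbrowser_firefox" name="dev/dri/card0" pid=10894 comm="glxtest" requested_mask="wr" denied_mask="wr" fsuid=1001 ouid=0
[10309.724432] audit: type=1400 audit(1777313836.073:356): apparmor="DENIED" operation="file_receive" class="file" info="Failed name lookup - disconnected path" error=-13 profile="torbrowser_firefox" name="dev/dri/card0" pid=10894 comm="glxtest" requested_mask="wr" denied_mask="wr" fsuid=1001 ouid=0
[ 2457.252435] audit: type=1400 audit(1777394876.112:226): apparmor="DENIED" operation="exec" class="file" profile="torbrowser_firefox" name="/home/user/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/vaapitest" pid=10116 comm="firefox.real" requested_mask="x" denied_mask="x" fsuid=1001 ouid=1001
'''

# key=value or key="quoted value" pairs as they appear in kernel audit records.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denials(text):
    """Return one dict per apparmor="DENIED" record found in text."""
    records = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        records.append({k: quoted or bare for k, quoted, bare in KV.findall(line)})
    return records

def classify(rec):
    """Separate path-resolution failures from ordinary rule misses."""
    if "disconnected path" in rec.get("info", ""):
        # AppArmor could not resolve the object to a path under its root;
        # it reports the name without a leading "/" (dev/dri/card0 here).
        return "disconnected-path"
    if rec.get("operation") == "exec":
        return "exec-not-allowed"
    return "other"

def summarize(text):
    """Count identical denials so repeated records collapse into one row."""
    counts = Counter()
    for rec in parse_denials(text):
        counts[(rec["profile"], rec["comm"], rec["operation"],
                rec["name"], rec["denied_mask"], classify(rec))] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(n, *key)
```
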

gitea-mirror added the pull-request label 2026-05-05 10:55:09 -06:00
Reference: github-starred/firejail#6343