[GH-ISSUE #958] Qutebrowser fails to load with qutebrowser.conf profile and webengine backend #650

New issue

Closed

opened 2026-05-05 06:21:11 -06:00 by gitea-mirror · 10 comments

gitea-mirror commented 2026-05-05 06:21:11 -06:00

Owner

Copy link

Originally created by @craftyguy on GitHub (Dec 5, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/958

Using firejail 0.9.44.2 and qutebrowser from git, along with an unmodified profile file, I get this when launching qutebrowser.

Qutebrowser runs fine in firejail when using the webkit backend.

I noticed some commits recently for qutebrowser specifically, so I built firejail from git (latest as of this edit) and still see the same issue.

$ firejail qutebrowser --backend=webengine
Reading profile /etc/firejail/qutebrowser.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 6682, child pid 6683
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Blacklist violations are logged to syslog
Child process initialized
[1205/150458:ERROR:browser_main_loop.cc(217)] Running without the SUID sandbox! See https://chromium.googlesource.com/chromium/src/+/master/docs/linux_suid_sandbox_development.md for more information on developing with the sandbox on.
[1205/150458:FATAL:credentials.cc(317)] Check failed: ChrootToSafeEmptyDir().
#0 0x7ff127730e5e base::debug::StackTrace::StackTrace()
#1 0x7ff12774850e logging::LogMessage::~LogMessage()
#2 0x7ff1273cfa38 sandbox::Credentials::DropFileSystemAccess()
#3 0x7ff1270e99df content::LinuxSandbox::EngageNamespaceSandbox()
#4 0x7ff126b69f00 content::ZygoteMain()
#5 0x7ff1269eee20 content::RunZygote()
#6 0x7ff1269ef499 content::ContentMainRunnerImpl::Run()
#7 0x7ff1269edac9 content::ContentMain()
#8 0x7ff125ea52f4 QtWebEngine::processMain()
#9 0x0000004006d3 main
#10 0x7ff124e35291 __libc_start_main
#11 0x00000040072a _start

Received signal 6
#0 0x7ff127730e5e base::debug::StackTrace::StackTrace()
#1 0x7ff127731239 base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7ff124e480b0 <unknown>
#3 0x7ff124e4804f __GI_raise
#4 0x7ff124e4947a __GI_abort
#5 0x7ff127730625 base::debug::BreakDebugger()
#6 0x7ff127748675 logging::LogMessage::~LogMessage()
#7 0x7ff1273cfa38 sandbox::Credentials::DropFileSystemAccess()
#8 0x7ff1270e99df content::LinuxSandbox::EngageNamespaceSandbox()
#9 0x7ff126b69f00 content::ZygoteMain()
#10 0x7ff1269eee20 content::RunZygote()
#11 0x7ff1269ef499 content::ContentMainRunnerImpl::Run()
#12 0x7ff1269edac9 content::ContentMain()
#13 0x7ff125ea52f4 QtWebEngine::processMain()
#14 0x0000004006d3 main
#15 0x7ff124e35291 __libc_start_main
#16 0x00000040072a _start
  r8: 0000000000000000  r9: 00007fffdc927bc0 r10: 0000000000000008 r11: 0000000000000246
 r12: 00007fffdc927e20 r13: 00007fffdc9284e8 r14: 00007fffdc927e30 r15: 0000000000000000
  di: 0000000000000002  si: 00007fffdc927bc0  bp: 00007fffdc928060  bx: 0000000000000006
  dx: 0000000000000000  ax: 0000000000000000  cx: 00007ff124e4804f  sp: 00007fffdc927c38
  ip: 00007ff124e4804f efl: 0000000000000246 cgf: 002b000000000033 erf: 0000000000000000
 trp: 0000000000000000 msk: 0000000000000000 cr2: 0000000000000000
[end of stack trace]

Originally created by @craftyguy on GitHub (Dec 5, 2016). Original GitHub issue: https://github.com/netblue30/firejail/issues/958 Using firejail 0.9.44.2 and qutebrowser from git, along with an unmodified profile file, I get this when launching qutebrowser. Qutebrowser runs fine in firejail when using the webkit backend. I noticed some commits recently for qutebrowser specifically, so I built firejail from git (latest as of this edit) and still see the same issue. ``` $ firejail qutebrowser --backend=webengine Reading profile /etc/firejail/qutebrowser.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/whitelist-common.inc Parent pid 6682, child pid 6683 Warning: /sbin directory link was not blacklisted Warning: /usr/sbin directory link was not blacklisted Blacklist violations are logged to syslog Child process initialized [1205/150458:ERROR:browser_main_loop.cc(217)] Running without the SUID sandbox! See https://chromium.googlesource.com/chromium/src/+/master/docs/linux_suid_sandbox_development.md for more information on developing with the sandbox on. [1205/150458:FATAL:credentials.cc(317)] Check failed: ChrootToSafeEmptyDir(). #0 0x7ff127730e5e base::debug::StackTrace::StackTrace() #1 0x7ff12774850e logging::LogMessage::~LogMessage() #2 0x7ff1273cfa38 sandbox::Credentials::DropFileSystemAccess() #3 0x7ff1270e99df content::LinuxSandbox::EngageNamespaceSandbox() #4 0x7ff126b69f00 content::ZygoteMain() #5 0x7ff1269eee20 content::RunZygote() #6 0x7ff1269ef499 content::ContentMainRunnerImpl::Run() #7 0x7ff1269edac9 content::ContentMain() #8 0x7ff125ea52f4 QtWebEngine::processMain() #9 0x0000004006d3 main #10 0x7ff124e35291 __libc_start_main #11 0x00000040072a _start Received signal 6 #0 0x7ff127730e5e base::debug::StackTrace::StackTrace() #1 0x7ff127731239 base::debug::(anonymous namespace)::StackDumpSignalHandler() #2 0x7ff124e480b0 <unknown> #3 0x7ff124e4804f __GI_raise #4 0x7ff124e4947a __GI_abort #5 0x7ff127730625 base::debug::BreakDebugger() #6 0x7ff127748675 logging::LogMessage::~LogMessage() #7 0x7ff1273cfa38 sandbox::Credentials::DropFileSystemAccess() #8 0x7ff1270e99df content::LinuxSandbox::EngageNamespaceSandbox() #9 0x7ff126b69f00 content::ZygoteMain() #10 0x7ff1269eee20 content::RunZygote() #11 0x7ff1269ef499 content::ContentMainRunnerImpl::Run() #12 0x7ff1269edac9 content::ContentMain() #13 0x7ff125ea52f4 QtWebEngine::processMain() #14 0x0000004006d3 main #15 0x7ff124e35291 __libc_start_main #16 0x00000040072a _start r8: 0000000000000000 r9: 00007fffdc927bc0 r10: 0000000000000008 r11: 0000000000000246 r12: 00007fffdc927e20 r13: 00007fffdc9284e8 r14: 00007fffdc927e30 r15: 0000000000000000 di: 0000000000000002 si: 00007fffdc927bc0 bp: 00007fffdc928060 bx: 0000000000000006 dx: 0000000000000000 ax: 0000000000000000 cx: 00007ff124e4804f sp: 00007fffdc927c38 ip: 00007ff124e4804f efl: 0000000000000246 cgf: 002b000000000033 erf: 0000000000000000 trp: 0000000000000000 msk: 0000000000000000 cr2: 0000000000000000 [end of stack trace] ```

gitea-mirror 2026-05-05 06:21:11 -06:00

• closed this issue
• added the
  information_old
  label

gitea-mirror commented 2026-05-05 06:21:20 -06:00

Author

Owner

Copy link

@netblue30 commented on GitHub (Dec 8, 2016):

ERROR:browser_main_loop.cc(217)] Running without the SUID sandbox!

This is something new, it tries to rise privileges and install a suid sandbox. What happens if you run "firejail qutebrowser"? I assume this will use a different backend.

For webkit backend, in /etc/firejail/qutebrowser.profile you will need to comment out some of the lines there, it will look like this:

# Firejail profile for Qutebrowser (Qt5-Webkit+Python) browser
noblacklist ~/.config/qutebrowser
noblacklist ~/.cache/qutebrowser
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc

#caps.drop all
netfilter
#nonewprivs
#noroot
#protocol unix,inet,inet6,netlink
#seccomp
#tracelog

whitelist ${DOWNLOADS}
mkdir ~/.config/qutebrowser
whitelist ~/.config/qutebrowser
mkdir ~/.cache/qutebrowser
whitelist ~/.cache/qutebrowser
mkdir ~/.local/share/qutebrowser
whitelist ~/.local/share/qutebrowser
include /etc/firejail/whitelist-common.inc

<!-- gh-comment-id:265753286 --> @netblue30 commented on GitHub (Dec 8, 2016): > ERROR:browser_main_loop.cc(217)] Running without the SUID sandbox! This is something new, it tries to rise privileges and install a suid sandbox. What happens if you run "firejail qutebrowser"? I assume this will use a different backend. For webkit backend, in /etc/firejail/qutebrowser.profile you will need to comment out some of the lines there, it will look like this: ````` # Firejail profile for Qutebrowser (Qt5-Webkit+Python) browser noblacklist ~/.config/qutebrowser noblacklist ~/.cache/qutebrowser include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc #caps.drop all netfilter #nonewprivs #noroot #protocol unix,inet,inet6,netlink #seccomp #tracelog whitelist ${DOWNLOADS} mkdir ~/.config/qutebrowser whitelist ~/.config/qutebrowser mkdir ~/.cache/qutebrowser whitelist ~/.cache/qutebrowser mkdir ~/.local/share/qutebrowser whitelist ~/.local/share/qutebrowser include /etc/firejail/whitelist-common.inc `````

gitea-mirror commented 2026-05-05 06:21:21 -06:00

Author

Owner

Copy link

@craftyguy commented on GitHub (Dec 8, 2016):

This is something new, it tries to rise privileges and install a suid sandbox. What happens if you run "firejail qutebrowser"? I assume this will use a different backend.

Exactly, it defaults to using webkit backend (which works OK with firejail), but that's not a desirable backend to use with qutebrowser. The QT Webengine backend is based off of chromium, and supports sandboxing, which may be what that message is.

Do you see the issue I see if you run qutebrowser with firejail qutebrowser --backend=webengine ?

<!-- gh-comment-id:265820749 --> @craftyguy commented on GitHub (Dec 8, 2016): > This is something new, it tries to rise privileges and install a suid sandbox. What happens if you run "firejail qutebrowser"? I assume this will use a different backend. Exactly, it defaults to using webkit backend (which works OK with firejail), but that's not a desirable backend to use with qutebrowser. The QT Webengine backend is based off of chromium, and supports sandboxing, which may be what that message is. Do you see the issue I see if you run qutebrowser with ```firejail qutebrowser --backend=webengine``` ?

gitea-mirror commented 2026-05-05 06:21:25 -06:00

Author

Owner

Copy link

@netblue30 commented on GitHub (Dec 9, 2016):

Just for me to clarify:

When you run "firejail qutebrowser", it uses webkit backend and the existing profile works fine.

When you run "firejail qutebrowser ---backend=webengine", it uses webengine backend based on chromium, and the profile needs to be modified.

Do you see the issue I see if you run qutebrowser with firejail qutebrowser --backend=webengine ?

It should be fine, basically it becomes a chromium browser.

<!-- gh-comment-id:266010230 --> @netblue30 commented on GitHub (Dec 9, 2016): Just for me to clarify: When you run "firejail qutebrowser", it uses webkit backend and the existing profile works fine. When you run "firejail qutebrowser ---backend=webengine", it uses webengine backend based on chromium, and the profile needs to be modified. > Do you see the issue I see if you run qutebrowser with firejail qutebrowser --backend=webengine ? It should be fine, basically it becomes a chromium browser.

gitea-mirror commented 2026-05-05 06:21:28 -06:00

Author

Owner

Copy link

@craftyguy commented on GitHub (Dec 9, 2016):

Your clarifying statement is correct. It seems like the webengine backend should run fine but my limited knowledge of the inner workings of qtwebengine and firejail have forced me to file this issue to seek help. Do you have any suggestions on how I can debug this further?

On December 9, 2016 5:10:43 AM PST, netblue30 notifications@github.com wrote:

Just for me to clarify:

When you run "firejail qutebrowser", it uses webkit backend and the
existing profile works fine.

When you run "firejail qutebrowser ---backend=webengine", it uses
webengine backend based on chromium, and the profile needs to be
modified.

Do you see the issue I see if you run qutebrowser with firejail
qutebrowser --backend=webengine ?

It should be fine, basically it becomes a chromium browser.

--
You are receiving this because you authored the thread.
Reply to this email directly or view it on GitHub:
https://github.com/netblue30/firejail/issues/958#issuecomment-266010230

<!-- gh-comment-id:266093716 --> @craftyguy commented on GitHub (Dec 9, 2016): Your clarifying statement is correct. It seems like the webengine backend should run fine but my limited knowledge of the inner workings of qtwebengine and firejail have forced me to file this issue to seek help. Do you have any suggestions on how I can debug this further? On December 9, 2016 5:10:43 AM PST, netblue30 <notifications@github.com> wrote: >Just for me to clarify: > >When you run "firejail qutebrowser", it uses webkit backend and the >existing profile works fine. > >When you run "firejail qutebrowser ---backend=webengine", it uses >webengine backend based on chromium, and the profile needs to be >modified. > >> Do you see the issue I see if you run qutebrowser with firejail >qutebrowser --backend=webengine ? > >It should be fine, basically it becomes a chromium browser. > >-- >You are receiving this because you authored the thread. >Reply to this email directly or view it on GitHub: >https://github.com/netblue30/firejail/issues/958#issuecomment-266010230

gitea-mirror commented 2026-05-05 06:21:30 -06:00

Author

Owner

Copy link

@netblue30 commented on GitHub (Dec 10, 2016):

Try the profile I gave you when using webengine backend, if it works you are all set. You can modify /etc/profile/qutebrowser.profile or make a copy of that file and put it in ~/.config/firejail/qutebrowser.profile and modify it there.

<!-- gh-comment-id:266224838 --> @netblue30 commented on GitHub (Dec 10, 2016): Try the profile I gave you when using webengine backend, if it works you are all set. You can modify /etc/profile/qutebrowser.profile or make a copy of that file and put it in ~/.config/firejail/qutebrowser.profile and modify it there.

gitea-mirror commented 2026-05-05 06:21:34 -06:00

Author

Owner

Copy link

@craftyguy commented on GitHub (Dec 10, 2016):

I created a 3rd profile based on the one you posted with changes in #957, and re-enabled commands one by one to get a more restrictive profile. Qutebrowser still fails to start with the above error if seccomp is enabled.

# Firejail profile for Qutebrowser (Qt5-Webkit+Python) browser
noblacklist ~/.config/qutebrowser
noblacklist ~/.cache/qutebrowser
noblacklist ~/.local/share/qutebrowser
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc

caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6,netlink
#seccomp
#tracelog

whitelist ${DOWNLOADS}
mkdir ~/.config/qutebrowser
whitelist ~/.config/qutebrowser
mkdir ~/.cache/qutebrowser
whitelist ~/.cache/qutebrowser
mkdir ~/.local/share/qutebrowser
whitelist ~/.local/share/qutebrowser
include /etc/firejail/whitelist-common.inc

<!-- gh-comment-id:266225676 --> @craftyguy commented on GitHub (Dec 10, 2016): I created a 3rd profile based on the one you posted with changes in #957, and re-enabled commands one by one to get a more restrictive profile. Qutebrowser still fails to start with the above error if seccomp is enabled. ``` # Firejail profile for Qutebrowser (Qt5-Webkit+Python) browser noblacklist ~/.config/qutebrowser noblacklist ~/.cache/qutebrowser noblacklist ~/.local/share/qutebrowser include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all netfilter nonewprivs noroot protocol unix,inet,inet6,netlink #seccomp #tracelog whitelist ${DOWNLOADS} mkdir ~/.config/qutebrowser whitelist ~/.config/qutebrowser mkdir ~/.cache/qutebrowser whitelist ~/.cache/qutebrowser mkdir ~/.local/share/qutebrowser whitelist ~/.local/share/qutebrowser include /etc/firejail/whitelist-common.inc ```

gitea-mirror commented 2026-05-05 06:21:35 -06:00

Author

Owner

Copy link

@craftyguy commented on GitHub (Dec 10, 2016):

In addition, I get the same error if I re-enable tracelog, which seems weird based on my understanding of what tracelog does..

<!-- gh-comment-id:266227596 --> @craftyguy commented on GitHub (Dec 10, 2016): In addition, I get the same error if I re-enable tracelog, which seems weird based on my understanding of what tracelog does..

gitea-mirror commented 2026-05-05 06:21:37 -06:00

Author

Owner

Copy link

@netblue30 commented on GitHub (Dec 11, 2016):

I created a 3rd profile based on the one you posted with changes in #957, and re-enabled commands one by one to get a more restrictive profile. Qutebrowser still fails to start with the above error if seccomp is enabled.

Yes, seccomp will kill it. The browser starts its own sandbox and needs to elevate privileges. Disable the following:

#caps.drop all
netfilter
#nonewprivs
#noroot
#protocol unix,inet,inet6,netlink
#seccomp
#tracelog

In addition, I get the same error if I re-enable tracelog, which seems weird based on my understanding of what tracelog does.

Just disable it. We have the same problem for Chromium browser, never got to the bottom of it.

<!-- gh-comment-id:266282297 --> @netblue30 commented on GitHub (Dec 11, 2016): > I created a 3rd profile based on the one you posted with changes in #957, and re-enabled commands one by one to get a more restrictive profile. Qutebrowser still fails to start with the above error if seccomp is enabled. Yes, seccomp will kill it. The browser starts its own sandbox and needs to elevate privileges. Disable the following: ````` #caps.drop all netfilter #nonewprivs #noroot #protocol unix,inet,inet6,netlink #seccomp #tracelog ````` > In addition, I get the same error if I re-enable tracelog, which seems weird based on my understanding of what tracelog does. Just disable it. We have the same problem for Chromium browser, never got to the bottom of it.

gitea-mirror commented 2026-05-05 06:21:40 -06:00

Author

Owner

Copy link

@probonopd commented on GitHub (Aug 18, 2017):

Running into the same:
https://travis-ci.org/AppImage/AppImageHub/builds/266071961#L555

I am launching Firejail like this:

firejail --noprofile --net=none --appimage ./Some.AppImage

What do I need to do?

<!-- gh-comment-id:323429469 --> @probonopd commented on GitHub (Aug 18, 2017): Running into the same: https://travis-ci.org/AppImage/AppImageHub/builds/266071961#L555 I am launching Firejail like this: ``` firejail --noprofile --net=none --appimage ./Some.AppImage ``` What do I need to do?

gitea-mirror commented 2026-05-05 06:21:41 -06:00

Author

Owner

Copy link

@smitsohu commented on GitHub (Dec 10, 2017):

@craftyguy There might be a chance to keep the Firejail seccomp filter along the seccomp filter sandbox of QtWebEngineProcess.

If you wanna it try out, replace seccomp in the qutebrowser profile with this long line:

seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice

<!-- gh-comment-id:350521921 --> @smitsohu commented on GitHub (Dec 10, 2017): @craftyguy There might be a chance to keep the Firejail seccomp filter along the ~~seccomp filter~~ sandbox of QtWebEngineProcess. If you wanna it try out, replace `seccomp` in the qutebrowser profile with this long line: `seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice`

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

serialize_remounts_v2

landlock_v4

landlock

release-0.9.64

release-0.9.62

gitlab_ci

LTSbase

fred_ctests

docs

0.9.80

0.9.80-rc1

0.9.78

0.9.76

0.9.76-rc4

0.9.76-rc3

0.9.76-rc2

0.9.76-rc1

0.9.74

landlock-split

0.9.72

0.9.72rc1

0.9.70

0.9.68

0.9.68rc1

0.9.66

0.9.66rc1

0.9.64.4

0.9.64.2

0.9.64

0.9.64rc1

0.9.62.4

0.9.62.2

0.9.62

0.9.56.2-LTS

0.9.60

0.9.60-rc1

0.9.58.2

0.9.58

0.9.58-rc1

0.9.56-LTS-release

0.9.56-LTS

0.9.56

0.9.56-rc1

0.9.54

0.9.54-rc2

0.9.54-rc1

0.9.52

0.9.38.12

0.9.50

0.9.50-rc1

0.9.48

0.9.46

0.9.46-rc1

0.9.44.10

0.9.44.8

0.9.44.6

0.9.38.10

0.9.44.4

0.9.38.8

0.9.44.2

0.9.44

0.9.44-rc1

0.9.38.4

0.9.42

0.9.42-rc2

0.9.38.2

0.9.42-rc1

disable-globalcfg

0.9.40

0.9.40-rc1

0.9.38

0.9.38-rc1

0.9.36

0.9.36-rc1

0.9.34

0.9.34-rc1

0.9.32

0.9.32-rc1

0.9.30

0.9.30-rc1

Labels

Clear labels   

LTS merge

  

LTS merge

  

bug

  

bug

  

converted-to-discussion

  

doc-todo

  

documentation

  

duplicate

  

enhancement

  

file-transfer

  

firecfg

  

firejail-in-firejail

  

firetools

  

graphics

  

help wanted

  

information_old

  

installation

  

invalid

  

modif

  

moved

  

needinfo

  

networking

  

notabug

  

notourbug

  

old-version

  

overlayfs

  

packaging

  

profile-request

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

question_old

  

removal

  

runtime-permissions

  

sandbox-ipc

  

security

  

stale

  

wiki

  

wiki

  

wontfix

  

wordpress

  

workaround

No labels

LTS merge

LTS merge

bug

bug

converted-to-discussion

doc-todo

documentation

duplicate

enhancement

file-transfer

firecfg

firejail-in-firejail

firetools

graphics

help wanted

information_old

installation

invalid

modif

moved

needinfo

networking

notabug

notourbug

old-version

overlayfs

packaging

profile-request

pull-request

question

question_old

removal

runtime-permissions

sandbox-ipc

security

stale

wiki

wiki

wontfix

wordpress

workaround

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#650

No description provided.