[GH-ISSUE #1487] Firefox + Firejail + AppArmor (+ encrypted home directory) seem not to work together #994

Closed
opened 2026-05-05 07:16:40 -06:00 by gitea-mirror · 14 comments

Originally created by @Hocuri on GitHub (Aug 21, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1487

If I call Firefox with `firejail firefox`, Firefox will create a new profile instead of using the existing one. After I called `firejail firefox` 3 times there are 4 *.profile folders in `.mozilla/firefox` (the old one plus 3 newly created folders).

I know that this can happen if there is no read access to `~/.mozilla/firefox/profiles.ini`, which stores the current profile, but on the other hand Firefox stores the name of the created profile in it, so it does have write access to it.

I think that this can also happen if the profile is not found where it was expected but I do not know why this should be.

If I add the `--noprofile` option there is the same behavior, but additionally Firefox's Import Wizard is shown (it asks me if I want to import the settings from another browser).

I am running Linux Mint 18.2 Xfce and Firejail 0.9.38.10-0ubuntu0.16.04.1 but in a virtual box with Linux Mint everything is fine, so it seems to have nothing to do with Linux Mint.

Could somebody please help me?


@chiraag-nataraj commented on GitHub (Aug 22, 2017):

Are you using the default profile?


@Hocuri commented on GitHub (Aug 23, 2017):

I do not know if you mean Firefox's or Firejail's profile, but in each case the answer is yes (I reinstalled Firejail with `apt purge firejail && apt install firejail` and the behavior was still the same).


@SkewedZeppelin commented on GitHub (Aug 23, 2017):

@Hocceruser What is the output of `firejail firefox` and of `firefox`, like the first 20 lines of each?


@Hocuri commented on GitHub (Aug 23, 2017):

I know what the problem is: I have AppArmor installed on my system. After disabling AppArmor for Firefox everything is fine.

Does anyone have an idea how to solve this and use the two of them together?

I already added a line `/run/firejail/mnt/fslogger r,` to `/etc/apparmor.d/local/usr.bin.firefox` but it did not help.

With Firefox+Apparmor+Firejail:

tail -F /var/log/syslog | grep apparmor

Aug 23 21:06:11 user-laptop kernel: [ 2821.200681] audit: type=1400 audit(1503515171.290:10264): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="home/.ecryptfs/user/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1k8RgQzLpFE7v4f9Cy-QGv2U--/ECRYPTFS_FNEK_ENCRYPTED.FWZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1kpnQiZeayoBQaU2O6nwQwo---/ECRYPTFS_FNEK_ENCRYPTED.FWZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1kG5GebFLYUGbfprdzd7SvPE--/ECRYPTFS_FNEK_ENCRYPTED.FXZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1kG6UE.VMwpLXTHHcg7Ckf77MJPTDJVPZPA09jl6nM9Ds-" pid=2619 comm="firefox" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
Aug 23 21:06:11 user-laptop kernel: [ 2821.203290] audit: type=1400 audit(1503515171.290:10265): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=2623 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 23 21:06:11 user-laptop kernel: [ 2821.203292] audit: type=1400 audit(1503515171.290:10266): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/sys/devices/pci0000:00/0000:00:02.0/config" pid=2623 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 23 21:06:11 user-laptop kernel: [ 2821.203672] audit: type=1400 audit(1503515171.290:10267): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=2623 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 23 21:06:11 user-laptop kernel: [ 2821.203678] audit: type=1400 audit(1503515171.290:10268): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/sys/devices/pci0000:00/0000:00:02.0/config" pid=2623 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 23 21:06:11 user-laptop kernel: [ 2821.226618] audit: type=1400 audit(1503515171.314:10269): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="home/.ecryptfs/user/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1k8RgQzLpFE7v4f9Cy-QGv2U--/ECRYPTFS_FNEK_ENCRYPTED.FWZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1kpnQiZeayoBQaU2O6nwQwo---/ECRYPTFS_FNEK_ENCRYPTED.FWZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1kGovDFPj4KLLonqUx1GzCYE--" pid=2619 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Aug 23 21:06:11 user-laptop kernel: [ 2821.226622] audit: type=1400 audit(1503515171.314:10270): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="home/.ecryptfs/user/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1k8RgQzLpFE7v4f9Cy-QGv2U--/ECRYPTFS_FNEK_ENCRYPTED.FWZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1kpnQiZeayoBQaU2O6nwQwo---/ECRYPTFS_FNEK_ENCRYPTED.FWZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1kGovDFPj4KLLonqUx1GzCYE--" pid=2619 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Aug 23 21:06:11 user-laptop kernel: [ 2821.257147] audit: type=1400 audit(1503515171.346:10271): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="home/.ecryptfs/user/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1k8RgQzLpFE7v4f9Cy-QGv2U--/ECRYPTFS_FNEK_ENCRYPTED.FWZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1kpnQiZeayoBQaU2O6nwQwo---/ECRYPTFS_FNEK_ENCRYPTED.FXZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1knNPjVZgYULpMXb4n45z2VvU8BF0LqhCqtBzm2p9gLHo-/ECRYPTFS_FNEK_ENCRYPTED.FWZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1kfLuY3Ci.sJ143--K4imC----" pid=2619 comm="firefox" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
Aug 23 21:06:11 user-laptop kernel: [ 2821.259950] audit: type=1400 audit(1503515171.350:10272): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="home/.ecryptfs/user/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1k8RgQzLpFE7v4f9Cy-QGv2U--/ECRYPTFS_FNEK_ENCRYPTED.FWZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1kpnQiZeayoBQaU2O6nwQwo---/ECRYPTFS_FNEK_ENCRYPTED.FXZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1knNPjVZgYULpMXb4n45z2VvU8BF0LqhCqtBzm2p9gLHo-/ECRYPTFS_FNEK_ENCRYPTED.FWZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1kfLuY3Ci.sJ143--K4imC----" pid=2619 comm="firefox" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
Aug 23 21:06:11 user-laptop kernel: [ 2821.260345] audit: type=1400 audit(1503515171.350:10273): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="home/.ecryptfs/user/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1k8RgQzLpFE7v4f9Cy-QGv2U--/ECRYPTFS_FNEK_ENCRYPTED.FWZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1kpnQiZeayoBQaU2O6nwQwo---/ECRYPTFS_FNEK_ENCRYPTED.FXZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1knNPjVZgYULpMXb4n45z2VvU8BF0LqhCqtBzm2p9gLHo-/ECRYPTFS_FNEK_ENCRYPTED.FWZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1kfLuY3Ci.sJ143--K4imC----" pid=2619 comm="firefox" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
Aug 23 21:06:11 user-laptop dbus[2475]: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/org/gtk/vfs/Daemon" interface="org.gtk.vfs.Daemon" member="ListMonitorImplementations" mask="send" name=":1.5" pid=2619 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=2678 peer_label="unconfined"
Aug 23 21:06:11 user-laptop dbus[2475]: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/org/gtk/vfs/mounttracker" interface="org.gtk.vfs.MountTracker" member="ListMountableInfo" mask="send" name=":1.5" pid=2619 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=2678 peer_label="unconfined"
Aug 23 21:06:11 user-laptop kernel: [ 2821.381343] WARNING: CPU: 2 PID: 2641 at /build/linux-hwe-CXNcgz/linux-hwe-4.10.0/security/apparmor/file.c:136 aa_audit_file+0x16e/0x180
Aug 23 21:06:11 user-laptop kernel: [ 2821.381343] AppArmor WARN aa_audit_file: ((!(&sa)->apparmor_audit_data->request)): 
Aug 23 21:06:11 user-laptop kernel: [ 2821.381421]  apparmor_bprm_set_creds+0x953/0xa60
Aug 23 21:06:13 user-laptop dbus[2475]: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/org/gtk/vfs/Daemon" interface="org.gtk.vfs.Daemon" member="ListMonitorImplementations" mask="send" name=":1.5" pid=2669 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=2678 peer_label="unconfined"
Aug 23 21:06:13 user-laptop dbus[2475]: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/org/gtk/vfs/mounttracker" interface="org.gtk.vfs.MountTracker" member="ListMountableInfo" mask="send" name=":1.5" pid=2669 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=2678 peer_label="unconfined"
Aug 23 21:06:16 user-laptop kernel: [ 2826.252935] audit: type=1400 audit(1503515176.342:10440): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="home/.ecryptfs/user/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1k8RgQzLpFE7v4f9Cy-QGv2U--/ECRYPTFS_FNEK_ENCRYPTED.FWZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1kpnQiZeayoBQaU2O6nwQwo---/ECRYPTFS_FNEK_ENCRYPTED.FXZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1knNPjVZgYULpMXb4n45z2VvU8BF0LqhCqtBzm2p9gLHo-/ECRYPTFS_FNEK_ENCRYPTED.FXZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1ksTvtk-UW004eaOKu-5XV6xFsZKw.xKoaymYWRGO1spA-" pid=2619 comm="DataStorage" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
Aug 23 21:06:16 user-laptop kernel: [ 2826.252939] audit: type=1400 audit(1503515176.342:10441): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="home/.ecryptfs/user/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1k8RgQzLpFE7v4f9Cy-QGv2U--/ECRYPTFS_FNEK_ENCRYPTED.FWZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1kpnQiZeayoBQaU2O6nwQwo---/ECRYPTFS_FNEK_ENCRYPTED.FXZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1knNPjVZgYULpMXb4n45z2VvU8BF0LqhCqtBzm2p9gLHo-/ECRYPTFS_FNEK_ENCRYPTED.FXZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1ksTvtk-UW004eaOKu-5XV6xFsZKw.xKoaymYWRGO1spA-" pid=2619 comm="DataStorage" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
Aug 23 21:06:16 user-laptop kernel: [ 2826.257491] audit: type=1400 audit(1503515176.346:10442): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="home/.ecryptfs/user/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1k8RgQzLpFE7v4f9Cy-QGv2U--/ECRYPTFS_FNEK_ENCRYPTED.FWZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1kpnQiZeayoBQaU2O6nwQwo---/ECRYPTFS_FNEK_ENCRYPTED.FXZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1knNPjVZgYULpMXb4n45z2VvU8BF0LqhCqtBzm2p9gLHo-/ECRYPTFS_FNEK_ENCRYPTED.FXZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1kzq38s7ejsvzdOhYfRWNeYa7.jTDhTaMHg0NjLG3G2vA-" pid=2619 comm="DataStorage" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
Aug 23 21:06:16 user-laptop kernel: [ 2826.258034] audit: type=1400 audit(1503515176.346:10443): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="home/.ecryptfs/user/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1k8RgQzLpFE7v4f9Cy-QGv2U--/ECRYPTFS_FNEK_ENCRYPTED.FWZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1kpnQiZeayoBQaU2O6nwQwo---/ECRYPTFS_FNEK_ENCRYPTED.FXZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1knNPjVZgYULpMXb4n45z2VvU8BF0LqhCqtBzm2p9gLHo-/ECRYPTFS_FNEK_ENCRYPTED.FXZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1kzq38s7ejsvzdOhYfRWNeYa7.jTDhTaMHg0NjLG3G2vA-" pid=2619 comm="DataStorage" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
Aug 23 21:06:16 user-laptop kernel: [ 2826.258786] audit: type=1400 audit(1503515176.346:10444): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="home/.ecryptfs/user/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1k8RgQzLpFE7v4f9Cy-QGv2U--/ECRYPTFS_FNEK_ENCRYPTED.FWZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1kpnQiZeayoBQaU2O6nwQwo---/ECRYPTFS_FNEK_ENCRYPTED.FXZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1knNPjVZgYULpMXb4n45z2VvU8BF0LqhCqtBzm2p9gLHo-/ECRYPTFS_FNEK_ENCRYPTED.FXZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1kaylLZ2fNzOh06XOIPkWOaKvK3Do-Gmafvd7tZmBUQoE-" pid=2619 comm=444F4D20576F726B6572 requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
Aug 23 21:06:16 user-laptop kernel: [ 2826.258838] audit: type=1400 audit(1503515176.346:10445): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="home/.ecryptfs/user/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1k8RgQzLpFE7v4f9Cy-QGv2U--/ECRYPTFS_FNEK_ENCRYPTED.FWZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1kpnQiZeayoBQaU2O6nwQwo---/ECRYPTFS_FNEK_ENCRYPTED.FXZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1knNPjVZgYULpMXb4n45z2VvU8BF0LqhCqtBzm2p9gLHo-/ECRYPTFS_FNEK_ENCRYPTED.FXZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1kaylLZ2fNzOh06XOIPkWOaKvK3Do-Gmafvd7tZmBUQoE-" pid=2619 comm=444F4D20576F726B6572 requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
Aug 23 21:06:16 user-laptop kernel: [ 2826.266069] audit: type=1400 audit(1503515176.354:10446): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="home/.ecryptfs/user/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1k8RgQzLpFE7v4f9Cy-QGv2U--/ECRYPTFS_FNEK_ENCRYPTED.FWZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1kpnQiZeayoBQaU2O6nwQwo---/ECRYPTFS_FNEK_ENCRYPTED.FXZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1knNPjVZgYULpMXb4n45z2VvU8BF0LqhCqtBzm2p9gLHo-/ECRYPTFS_FNEK_ENCRYPTED.FXZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1kxLjY0xXECFq6nG39eX9Pexp3wm2IwiFTTx-ao7ovArI-" pid=2619 comm="DataStorage" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
Aug 23 21:06:16 user-laptop kernel: [ 2826.266600] audit: type=1400 audit(1503515176.354:10447): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="home/.ecryptfs/user/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1k8RgQzLpFE7v4f9Cy-QGv2U--/ECRYPTFS_FNEK_ENCRYPTED.FWZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1kpnQiZeayoBQaU2O6nwQwo---/ECRYPTFS_FNEK_ENCRYPTED.FXZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1knNPjVZgYULpMXb4n45z2VvU8BF0LqhCqtBzm2p9gLHo-/ECRYPTFS_FNEK_ENCRYPTED.FXZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1kxLjY0xXECFq6nG39eX9Pexp3wm2IwiFTTx-ao7ovArI-" pid=2619 comm="DataStorage" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
Aug 23 21:06:16 user-laptop kernel: [ 2826.286169] audit: type=1400 audit(1503515176.374:10448): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="home/.ecryptfs/user/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1k8RgQzLpFE7v4f9Cy-QGv2U--/ECRYPTFS_FNEK_ENCRYPTED.FWZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1kpnQiZeayoBQaU2O6nwQwo---/ECRYPTFS_FNEK_ENCRYPTED.FXZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1knNPjVZgYULpMXb4n45z2VvU8BF0LqhCqtBzm2p9gLHo-/ECRYPTFS_FNEK_ENCRYPTED.FXZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1kTFvzPad-2pdCqLDbwwl3UjYI3i2HDzsgh-r-bMwBuhc-" pid=2619 comm=444F4D20576F726B6572 requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
Aug 23 21:06:16 user-laptop kernel: [ 2826.286274] audit: type=1400 audit(1503515176.374:10449): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="home/.ecryptfs/user/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1k8RgQzLpFE7v4f9Cy-QGv2U--/ECRYPTFS_FNEK_ENCRYPTED.FWZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1kpnQiZeayoBQaU2O6nwQwo---/ECRYPTFS_FNEK_ENCRYPTED.FXZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1knNPjVZgYULpMXb4n45z2VvU8BF0LqhCqtBzm2p9gLHo-/ECRYPTFS_FNEK_ENCRYPTED.FXZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1kTFvzPad-2pdCqLDbwwl3UjYI3i2HDzsgh-r-bMwBuhc-" pid=2619 comm=444F4D20576F726B6572 requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000

(I have also encrypted my home directory, and for some reason Firefox is trying to do something with the ENCRYPTED files, but why should it be allowed to do this?)

And the output:

Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 2614, child pid 2615
Blacklist violations are logged to syslog

Child process initialized

(firefox:5): Gtk-WARNING **: Failed to parse /home/user/.config/gtk-3.0/settings.ini: Keine Berechtigung

parent is shutting down, bye...

With Firefox+Apparmor: (When everything works fine)

tail -F /var/log/syslog | grep apparmor

Aug 23 21:08:05 user-laptop kernel: [ 2935.658364] audit: type=1400 audit(1503515285.747:10471): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=3736 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 23 21:08:05 user-laptop kernel: [ 2935.658366] audit: type=1400 audit(1503515285.747:10472): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/sys/devices/pci0000:00/0000:00:02.0/config" pid=3736 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 23 21:08:05 user-laptop kernel: [ 2935.658531] audit: type=1400 audit(1503515285.747:10473): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=3736 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 23 21:08:05 user-laptop kernel: [ 2935.658533] audit: type=1400 audit(1503515285.747:10474): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/sys/devices/pci0000:00/0000:00:02.0/config" pid=3736 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 23 21:08:05 user-laptop kernel: [ 2935.679015] audit: type=1400 audit(1503515285.771:10475): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/proc/3732/net/arp" pid=3732 comm=4C696E6B204D6F6E69746F72 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 23 21:08:05 user-laptop dbus[2475]: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/org/gtk/vfs/Daemon" interface="org.gtk.vfs.Daemon" member="ListMonitorImplementations" mask="send" name=":1.5" pid=3732 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=2678 peer_label="unconfined"
Aug 23 21:08:05 user-laptop dbus[2475]: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/org/gtk/vfs/mounttracker" interface="org.gtk.vfs.MountTracker" member="ListMountableInfo" mask="send" name=":1.5" pid=3732 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=2678 peer_label="unconfined"
Aug 23 21:08:05 user-laptop kernel: [ 2935.781862] audit: type=1400 audit(1503515285.871:10476): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//lsb_release" name="/usr/bin/python3.5" pid=3754 comm="lsb_release" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
Aug 23 21:08:06 user-laptop kernel: [ 2935.978719] audit: type=1400 audit(1503515286.071:10477): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/var/lib/flatpak/exports/share/applications/mimeinfo.cache" pid=3732 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 23 21:08:06 user-laptop kernel: [ 2936.524743] audit: type=1400 audit(1503515286.615:10478): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/var/lib/flatpak/exports/share/icons/hicolor/index.theme" pid=3732 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 23 21:08:06 user-laptop kernel: [ 2936.525894] audit: type=1400 audit(1503515286.615:10479): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" pid=3732 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 23 21:08:06 user-laptop kernel: [ 2936.527389] audit: type=1400 audit(1503515286.619:10480): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" pid=3732 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 23 21:08:07 user-laptop dbus[2475]: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/org/gtk/vfs/Daemon" interface="org.gtk.vfs.Daemon" member="ListMonitorImplementations" mask="send" name=":1.5" pid=3782 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=2678 peer_label="unconfined"
Aug 23 21:08:07 user-laptop dbus[2475]: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/org/gtk/vfs/mounttracker" interface="org.gtk.vfs.MountTracker" member="ListMountableInfo" mask="send" name=":1.5" pid=3782 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=2678 peer_label="unconfined"

Output:

shm_open() failed: Datei oder Verzeichnis nicht gefunden

With Firefox+Firejail: (everything works fine as well)

Output:

Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 5862, child pid 5863
Blacklist violations are logged to syslog

Child process initialized

parent is shutting down, bye...
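The comparison made in the comment above (AppArmor denials with and without Firejail) can be done mechanically. The following is an added example, not part of the original issue or of Firejail: it parses AppArmor `DENIED` records, decodes hex-encoded `comm` values such as `444F4D20576F726B6572`, and reports which denial classes appear only in the second run. The function names are hypothetical, and the sample lines are constructed, shortened versions of the posted log with the encrypted file names replaced by a placeholder.

```python
import re
from collections import Counter

# key=value pairs in an AppArmor audit record: values are either
# double-quoted strings or bare tokens (numbers, hex-encoded strings).
_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_denial(line):
    """Return the fields of an apparmor="DENIED" record, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, raw in _FIELD.findall(line):
        quoted = raw.startswith('"')
        value = raw[1:-1] if quoted else raw
        # The audit code writes strings containing spaces or control
        # characters as unquoted hex, e.g. thread names like "DOM Worker".
        if key in ("comm", "name") and not quoted:
            try:
                value = bytes.fromhex(value).decode("utf-8", "replace")
            except ValueError:
                pass  # bare token that is not hex; keep it as written
        fields[key] = value
    # The kernel marks paths it could not resolve from the process root.
    fields["disconnected"] = "disconnected path" in fields.get("info", "")
    return fields


def path_class(name):
    """Coarse bucket for the object path named in a denial."""
    if name.lstrip("/").startswith("home/.ecryptfs/"):
        return "ecryptfs-lower"
    if name.startswith("/sys/"):
        return "sysfs"
    return "other"


def summarize(lines):
    """Count denials by (operation, disconnected, path class)."""
    counts = Counter()
    for line in lines:
        d = parse_denial(line)
        if d is not None:
            key = (d.get("operation", "?"), d["disconnected"],
                   path_class(d.get("name", "")))
            counts[key] += 1
    return counts


def new_denial_classes(baseline, candidate):
    """Denial classes present in `candidate` but absent from `baseline`."""
    return sorted(set(summarize(candidate)) - set(summarize(baseline)))


# --- constructed sample input, modelled on the log in the comment ---
_PFX = 'Aug 23 21:06:11 user-laptop kernel: audit: type=1400 apparmor="DENIED" '
_DISC = 'info="Failed name lookup - disconnected path" error=-13 '
_PROFILE = 'profile="/usr/lib/firefox/firefox{,*[^s][^h]}" '
_LOWER = 'name="home/.ecryptfs/user/.Private/ECRYPTFS_FNEK_ENCRYPTED.PLACEHOLDER" '
_SYSFS = ('operation="open" ' + _PROFILE
          + 'name="/sys/devices/pci0000:00/0000:00:02.0/revision" '
          + 'pid=2623 comm="firefox" requested_mask="r" denied_mask="r"')

WITH_FIREJAIL = [
    _PFX + 'operation="open" ' + _DISC + _PROFILE + _LOWER
    + 'pid=2619 comm="firefox" requested_mask="wr" denied_mask="wr"',
    _PFX + 'operation="getattr" ' + _DISC + _PROFILE + _LOWER
    + 'pid=2619 comm="firefox" requested_mask="r" denied_mask="r"',
    _PFX + 'operation="open" ' + _DISC + _PROFILE + _LOWER
    + 'pid=2619 comm=444F4D20576F726B6572 requested_mask="wr" denied_mask="wr"',
    _PFX + _SYSFS,
    # Not a denial record; must be skipped.
    'Aug 23 21:06:11 user-laptop kernel: AppArmor WARN aa_audit_file: '
    '((!(&sa)->apparmor_audit_data->request)):',
]
WITHOUT_FIREJAIL = [_PFX + _SYSFS]

if __name__ == "__main__":
    for cls in new_denial_classes(WITHOUT_FIREJAIL, WITH_FIREJAIL):
        print("only with Firejail:", cls)
```

On the constructed input, as in the posted logs, the classes that appear only with Firejail are the disconnected-path denials under `home/.ecryptfs/`.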

user-laptop kernel: [ 2826.286169] audit: type=1400 audit(1503515176.374:10448): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="home/.ecryptfs/user/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1k8RgQzLpFE7v4f9Cy-QGv2U--/ECRYPTFS_FNEK_ENCRYPTED.FWZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1kpnQiZeayoBQaU2O6nwQwo---/ECRYPTFS_FNEK_ENCRYPTED.FXZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1knNPjVZgYULpMXb4n45z2VvU8BF0LqhCqtBzm2p9gLHo-/ECRYPTFS_FNEK_ENCRYPTED.FXZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1kTFvzPad-2pdCqLDbwwl3UjYI3i2HDzsgh-r-bMwBuhc-" pid=2619 comm=444F4D20576F726B6572 requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000 Aug 23 21:06:16 user-laptop kernel: [ 2826.286274] audit: type=1400 audit(1503515176.374:10449): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="home/.ecryptfs/user/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1k8RgQzLpFE7v4f9Cy-QGv2U--/ECRYPTFS_FNEK_ENCRYPTED.FWZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1kpnQiZeayoBQaU2O6nwQwo---/ECRYPTFS_FNEK_ENCRYPTED.FXZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1knNPjVZgYULpMXb4n45z2VvU8BF0LqhCqtBzm2p9gLHo-/ECRYPTFS_FNEK_ENCRYPTED.FXZ3uTPGPzZhXERmT9TfE7imZ00zK2PTdm1kTFvzPad-2pdCqLDbwwl3UjYI3i2HDzsgh-r-bMwBuhc-" pid=2619 comm=444F4D20576F726B6572 requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000 ``` (I have also encrypted my home directory and for some reason Firefox is trying to do something to do with the ENCRYPTED files but why should it be allowed to do this???.) 
### And the output:
```
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 2614, child pid 2615
Blacklist violations are logged to syslog
Child process initialized
(firefox:5): Gtk-WARNING **: Failed to parse /home/user/.config/gtk-3.0/settings.ini: Keine Berechtigung
parent is shutting down, bye...
```
## With Firefox+Apparmor: (When everything works fine)
### tail -F /var/log/syslog | grep apparmor
```
Aug 23 21:08:05 user-laptop kernel: [ 2935.658364] audit: type=1400 audit(1503515285.747:10471): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=3736 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 23 21:08:05 user-laptop kernel: [ 2935.658366] audit: type=1400 audit(1503515285.747:10472): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/sys/devices/pci0000:00/0000:00:02.0/config" pid=3736 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 23 21:08:05 user-laptop kernel: [ 2935.658531] audit: type=1400 audit(1503515285.747:10473): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=3736 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 23 21:08:05 user-laptop kernel: [ 2935.658533] audit: type=1400 audit(1503515285.747:10474): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/sys/devices/pci0000:00/0000:00:02.0/config" pid=3736 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 23 21:08:05 user-laptop kernel: [ 2935.679015] audit: type=1400 audit(1503515285.771:10475): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/proc/3732/net/arp" pid=3732 comm=4C696E6B204D6F6E69746F72 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 23 21:08:05 user-laptop dbus[2475]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/gtk/vfs/Daemon" interface="org.gtk.vfs.Daemon" member="ListMonitorImplementations" mask="send" name=":1.5" pid=3732 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=2678 peer_label="unconfined"
Aug 23 21:08:05 user-laptop dbus[2475]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/gtk/vfs/mounttracker" interface="org.gtk.vfs.MountTracker" member="ListMountableInfo" mask="send" name=":1.5" pid=3732 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=2678 peer_label="unconfined"
Aug 23 21:08:05 user-laptop kernel: [ 2935.781862] audit: type=1400 audit(1503515285.871:10476): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//lsb_release" name="/usr/bin/python3.5" pid=3754 comm="lsb_release" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=0
Aug 23 21:08:06 user-laptop kernel: [ 2935.978719] audit: type=1400 audit(1503515286.071:10477): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/var/lib/flatpak/exports/share/applications/mimeinfo.cache" pid=3732 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 23 21:08:06 user-laptop kernel: [ 2936.524743] audit: type=1400 audit(1503515286.615:10478): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/var/lib/flatpak/exports/share/icons/hicolor/index.theme" pid=3732 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 23 21:08:06 user-laptop kernel: [ 2936.525894] audit: type=1400 audit(1503515286.615:10479): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" pid=3732 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 23 21:08:06 user-laptop kernel: [ 2936.527389] audit: type=1400 audit(1503515286.619:10480): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" pid=3732 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 23 21:08:07 user-laptop dbus[2475]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/gtk/vfs/Daemon" interface="org.gtk.vfs.Daemon" member="ListMonitorImplementations" mask="send" name=":1.5" pid=3782 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=2678 peer_label="unconfined"
Aug 23 21:08:07 user-laptop dbus[2475]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/gtk/vfs/mounttracker" interface="org.gtk.vfs.MountTracker" member="ListMountableInfo" mask="send" name=":1.5" pid=3782 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=2678 peer_label="unconfined"
```
## Output:
`shm_open() failed: Datei oder Verzeichnis nicht gefunden`
## With Firefox+Firejail: (everything works fine as well)
### Output:
```
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 5862, child pid 5863
Blacklist violations are logged to syslog
Child process initialized
parent is shutting down, bye...
```

@curiosity-seeker commented on GitHub (Aug 26, 2017):

> I already added a line /run/firejail/mnt/fslogger r, to /etc/apparmor.d/local/usr.bin.firefox but it did not help.

I haven't used AppArmor for a while as I'm on Fedora now but the following should work:

1. Set the firefox profile to complain mode by executing
   `sudo aa-complain /etc/apparmor.d/usr.bin.firefox`
2. Start the firejailed Firefox and execute
   `sudo aa-logprof`
   This will open an interactive dialogue in which the necessary rules are presented.
   Important: You might need to repeat step 2 several times until all necessary rules are caught!
3. Those new rules are added to `/etc/apparmor.d/usr.bin.firefox` if you approve them. The problem is that this file will be overwritten whenever AppArmor gets an update. Hence, you should rather manually add those new rules to `/etc/apparmor.d/local/usr.bin.firefox`.

If everything is okay, you should execute `sudo aa-enforce /etc/apparmor.d/usr.bin.firefox`

@Hocuri commented on GitHub (Sep 10, 2017):

I found out something myself: The problem is probably not that AppArmor's profile for Firefox does not allow access to the file (so curiosity-seeker's suggestion will not work); the problem is that AppArmor does not recognize the file, probably because the path does not start with a "/". Here is again a part of AppArmor's entry to the syslog:

> audit: type=1400 audit(1503515176.374:10449): apparmor="DENIED" operation="open" info="**Failed name lookup - disconnected path**" error=-13 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="**home/.ecryptfs/user/.Private/ECRYPTFS**_[...]_ requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000

Here: http://wiki.apparmor.net/index.php/FAQ#Failed_name_lookup_-_disconnected_path it says that this is due to a "lazily unmounted device path opened outside of current namespace".

So it has something to do with Firejail's namespaces. Is there any chance that there can be a patch for that?

@Hocuri commented on GitHub (Sep 10, 2017):

I am not entirely sure if the encrypted home directory has something to do with the problem but in a VM without encrypted home Firefox + Firejail + AppArmor worked perfectly.

@curiosity-seeker commented on GitHub (Sep 10, 2017):

Okay, I remember that I had a similar problem when I was still using AppArmor. Adding `flags=(attach_disconnected)` to the affected AppArmor profile solved the problem. More details [here](http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference#profile_flags).

@Hocuri commented on GitHub (Sep 11, 2017):

Yes, this solved the problem, thank you very, very much.

But what can we do so that other people do not encounter the same problem? Supervise the syslog (`/var/log/syslog`) when starting a program the first time and print a warning if there is an entry like this?
Or directly ask if the user wishes Firejail to add `flags=(attach_disconnected)` to the concerning AppArmor Profile?
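The syslog check proposed in the comment above, sketched as an added example (not part of the original thread and not Firejail code): it parses AppArmor denial records, decodes hex-encoded `comm` values, and groups the `Failed name lookup - disconnected path` denials by profile. The sample lines are constructed and the function names are hypothetical.

```python
import re

DISCONNECTED = "Failed name lookup - disconnected path"
PROFILE = "/usr/lib/firefox/firefox{,*[^s][^h]}"

# Constructed sample input modelled on the records quoted in this thread.
# The eCryptfs file names are placeholders, not values from the page.
_HEAD = 'Aug 23 21:06:16 user-laptop kernel: audit: type=1400 apparmor="DENIED" '
SAMPLE = [
    _HEAD + 'operation="open" info="' + DISCONNECTED + '" error=-13 profile="'
    + PROFILE + '" name="home/.ecryptfs/user/.Private/ECRYPTFS_EXAMPLE_1" '
    'pid=2619 comm="DataStorage" requested_mask="wr" denied_mask="wr"',
    _HEAD + 'operation="open" info="' + DISCONNECTED + '" error=-13 profile="'
    + PROFILE + '" name="home/.ecryptfs/user/.Private/ECRYPTFS_EXAMPLE_2" '
    'pid=2619 comm=444F4D20576F726B6572 requested_mask="wr" denied_mask="wr"',
    _HEAD + 'operation="open" profile="' + PROFILE + '" '
    'name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=3736 '
    'comm="firefox" requested_mask="r" denied_mask="r"',
    'Aug 23 21:06:13 user-laptop dbus[2475]: apparmor="DENIED" '
    'operation="dbus_method_call" bus="session" mask="send" pid=2669 '
    'label="' + PROFILE + '" peer_label="unconfined"',
]

# key=value pairs: values are double-quoted, or bare (numbers, hex strings).
_PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Return the key/value fields of one AppArmor log line, or None."""
    if "apparmor=" not in line:
        return None
    fields = {}
    for key, raw in _PAIR.findall(line):
        if raw.startswith('"'):
            fields[key] = raw[1:-1]
        elif key == "comm" and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", raw):
            # audit writes comm values containing spaces as bare hex
            fields[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            fields[key] = raw
    return fields


def find_disconnected(lines):
    """Group disconnected-path denials by the AppArmor profile they hit."""
    hits = {}
    for line in lines:
        rec = parse_record(line)
        if not rec or rec.get("apparmor") != "DENIED":
            continue
        if rec.get("info") != DISCONNECTED:
            continue
        entry = hits.setdefault(rec.get("profile", "?"),
                                {"count": 0, "paths": set(), "comms": set()})
        entry["count"] += 1
        entry["paths"].add(rec.get("name", ""))
        entry["comms"].add(rec.get("comm", ""))
    return hits


def report(hits):
    """One warning line per affected profile."""
    out = []
    for profile, e in sorted(hits.items()):
        relative = [p for p in e["paths"] if not p.startswith("/")]
        out.append(
            f"{profile}: {e['count']} disconnected-path denial(s) from "
            f"{', '.join(sorted(e['comms']))}; {len(relative)} path(s) lack "
            "a leading '/'. Review flags=(attach_disconnected) for it.")
    return out


if __name__ == "__main__":
    for warning in report(find_disconnected(SAMPLE)):
        print(warning)
```

Ordinary denials (the `/sys/devices/...` read and the D-Bus call in the sample) are ignored; only records with the disconnected-path `info` field are counted.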

@Hocuri commented on GitHub (Sep 16, 2017):

@netblue30 What do you think?


@Hocuri commented on GitHub (Sep 18, 2017):

I've got another idea: If AppArmor is installed (or maybe only if it wrote something "suspicious" to the syslog) the user is warned and relegated to some web site or man page where the problems and the solutions are explained.
BTW, does anybody know if these problems also appear with Firejail+SELinux? Probably not because SELinux uses file labels instead of path names, or am I mistaken?


@curiosity-seeker commented on GitHub (Sep 19, 2017):

> BTW, does anybody know if these problems also appear with Firejail+SELinux? Probably not because SELinux uses file labels instead of path names, or am I mistaken?

No, there are no problems with SELinux - perhaps because Firefox is [**not** confined](https://danwalsh.livejournal.com/72697.html) on Fedora/Red Hat systems (although [it is](http://blog.siphos.be/2015/08/why-we-do-confine-firefox/) on Gentoo which I've never tried).

@ghost commented on GitHub (Sep 24, 2017):

@Hocceruser I think the problem is that you are trying to use apparmor (from kernelspace) and firejail (from userspace) to do the same thing (Mandatory access control) which is redundant. It's like using two firewalls or two antiviruses which would fight each other.

There is no point to use both to block access to the same files. Firejail has nice apparmor support by invoking `firejail --apparmor` which is used to do things firejail isn't capable to do by itself but not to double the work it already does.

My recommendation is to choose **one** of those tools to confine a specific app, i.e. you can use firejail to confine desktop apps (combining with apparmor support switch) and apparmor to confine system daemons.

Weakening apparmor security only to make it do the same things which firejail already does doesn't make sense from a security perspective.

@Hocuri commented on GitHub (Sep 24, 2017):

You are probably right, I'll disable AppArmor for Firefox by the next opportunity.

But when Firejail discovers that the concerning program is confined with AppArmor, it should at least print a warning that Firejail does not work together with AppArmor very well and that it is redundant to use the two of them together anyway.

There is a very small security enhancement because AppArmor's profiles are a bit more granular than Firejail's (and I weakened only AppArmor's Firefox profile, so it will not decrease the security in any way) but still it is not worth it by very far.