Firejail: White screen after upgrade to Firefox 60

Same problem on fedora workstation after updating to version 60. No problems with firefox version 59.

I have isolated this to seccomp. If you comment it out in firefox.profile it starts to work fine. Or you could run it as firejail --ignore=seccomp firefox.

Should be narrowed down to specific syscalls FF needs, though. I believe this could be connected to some sandboxing improvements FF introduced in v. 60.

The fix is to disable tracelog (#1935) and remove chroot from seccomp (https://github.com/netblue30/firejail/issues/1939#issuecomment-388358648) from /etc/firejail/firefox-common.profile. It has already been fixed in master.

@SkewedZeppelin, thanks for the info.

In my case there is no file /etc/firejail/firefox-common.profile and I have the latest Firejail 0.9.52 instaled. In /etc/firejail/ dir I have executed: ls firefox* and the output is
firefox-esr.profile firefox-nightly.profile firefox.profile

I did:

1. Opened /etc/firejail/firefox.profile file.
2. Searched for "tracelog" and added comment before it so "#tracelog".
3. Searched for "seccomp" and added comment before it so "#seccomp".
4. Bellow "#seccomp" added new line with the settings:
   seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
   shell none
5. Made sure Firefox is not started: ps aux | grep [f]irefox
6. Started Firefox: firejail firerfox
   and now Firefox starts fine and jailed. Problem solved

Just wondering why isn't there new Firejail version released to fix just this one major problem and not waiting for new new major release.

Yeah, I just updated from Fedora Linux workstation 27 to 28, and Firefox fails exactly like the earlier posters describe. In my opnion it would be the best thing to release a fixed firejail.

I tend to agree we should push out a quick fix to the 0.9.38, 0.9.48, and 0.9.52 branches at least (Ubuntu 14.04, Debian stable (I believe), plus latest stable release). There will be lots of users who want to stick with firejail from their distros' repos, but also would like to use it with firefox 60.

@netblue30 is this doable?

It's not obvious if those fixes will ever made it to distro repos. Debian stable is still on 0.9.44.8 even as 0.9.44.10 was released over a year ago. Ubuntu xenial is on 0.9.38.10 while 0.9.38.12 is the last release. If someone installs firejail outside official repos then they should install latest version available anyway and not just a old branch bump.

Probably the proper solution is to provide precompiled firejail packages for popular distros but this will be an additional burden.

@Vincent43 I agree, but I'd prefer that we at least provide the corrections. :smile: Then it's up to the package maintainers to provide the newer versions to their distros. Since @reinerh maintains firejail for Ubuntu and Debian we can hopefully get those distros covered at least; @reinerh is this possible?

@Vincent43 You can find newer versions for Debian stable in the stable-backports repository. stable itself will not get any updates (other than security fixes). Maybe when Firefox60 lands in stable (in September when FF52 is EOL) we can provide a fixed profile there.
If I see it correctly, firejail 0.9.54 will be released soon, this will then be timely available in stable-backports.

@Fred-Barclay If I understand it correctly, this is only relevant for releases shipping Firefox60?
I'll check which Ubuntu versions will be shipping this and get an updated profile there.

@reinerh
Backports provide latest firejail version so bumping old branches isn't relevant here.

All ubuntu distros provide latest fiefox version (they don't follow ESR like debian). 60 is already there.

Okay, thanks. I'm a bit surprised then that Ubuntu doesn't use ESR versions for their LTS branches...

I guess users won't be happy being several firefox versions behind the latest. Honestly I don't believe in the 'LTS/ESR' concept especially in terms of security. Much prefer the chrome/chromium policy - 'nothing is supported but latest stable'. This way we have latest chromium in every distro including debian.

A lot of users care about stability (not changing behavior/workflows every couple of weeks), at least the ones using the stable/LTS releases (otherwise they would be using unstable).
The LTS/ESR versions can provide this stability while also fixing security issues.

I know about theory and I know about practice :smile:. In firejail there are hundreds of fixes and improvements and LTS users will never find them until next major distro upgrade.