Firejail: thunderbird startup problems with firejail

Created on 8 Feb 2019  路  5Comments  路  Source: netblue30/firejail

firejail --version: firejail version 0.9.52
Mint 19.1, 64b, 4.15.0-45-generic #48-Ubuntu SMP Tue Jan 29 16:28:13 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
firejail package "firejail version 0.9.52-2"
thunderbird --version: Thunderbird 60.4.0
thunderbird works without firejail, or with firejail --noprofile

Apparently, Mint 19.1/Ubuntu/Debian (whoever is responsible for the .deb package) did not provide profiles for firefox and thunderbird

dpkg -L firejail | grep /etc/firejail

/etc/firejail
/etc/firejail/default.profile
/etc/firejail/disable-common.inc
/etc/firejail/disable-devel.inc
/etc/firejail/disable-passwdmgr.inc
/etc/firejail/disable-programs.inc
/etc/firejail/firejail.config
/etc/firejail/login.users
/etc/firejail/nolocal.net
/etc/firejail/server.profile
/etc/firejail/tcpserver.net
/etc/firejail/webserver.net
/etc/firejail/whitelist-common.inc
/etc/firejail/whitelist-var-common.inc

which lead to the fact that neither firefox nor thunderbird were starting out-of-the-box with firejail.
I copied your firefox.profile from here, and it worked. Then I also copied the thunderbird.profile from 19 days ago (https://github.com/netblue30/firejail/blob/master/etc/thunderbird.profile), but that one did not work.

Without thunderbird.profile, _firejail thunderbird_ opens a "choose user profile" window, which indicates that thunderbird did/does not find its configuration.

With your thunderbird.profile, _firejail thunderbird_ just claims 

$ firejail thunderbird
Reading profile /etc/firejail/thunderbird.profile
Error: cannot access profile file
$

on the command line without opening a window. The thunderbird.profile is
accessible to the current user (-rw-r--r--), so I guessed thunderbird claims that it cannot
read its own profile file. However, it is the firefox.profile it cannot read, as the strace output shows us

stat("firefox.profile/", 0x7ffc7085cc10) = -1 ENOENT (No such file or directory)
access("firefox.profile", R_OK)         = -1 ENOENT (No such file or directory)
write(2, "Error: cannot access profile fil"..., 34) = 34

/etc/firejail/firefox.profile has also -rw-r--r--

I deleted the include firefox.profile at the end of the thunderbird.profile, and _firejail thunderbird_ started.

Q1 What was the purpose of including firefox.profile at the end of thunderbird.profile, and what do i have to do to get the intended behaviour?

Q2 Even though thunderbird starts up now, it claims that

TESTING warning: noblacklist /home/x/.cache/thunderbird not matched by a proper blacklist command in disable.inc
TESTING warning: noblacklist /home/x/.gnupg not matched by a proper blacklist command in disable.inc
TESTING warning: noblacklist /home/x/.thunderbird not matched by a proper blacklist command in disable*.inc

So, what has to be done to fix this?

Thanks

picture pahhur

Most helpful comment

@pahhur Couple of things:

  1. firejail-profiles is _intentionally_ separate and not depended on by firejail because there may be cases where you don't need all of the provided profiles (see this Debian bug).
  2. The firejail package _does_ recommend installing the firejail-profiles (take a look at the output of aptitude show firejail), again as a result of that bug.
  3. As other commenters have said, 0.9.52 is _quite_ obsolete. Debian backports has 0.9.56 for Stretch.
  4. Don't manually download and install profiles to the _system_ directory. Install the firejail and firejail-profiles packages and install any custom/updated profiles either to /usr/local/etc/firejail or ~/.config/firejail.

I'm going to close this issue since the proper solution to your problem has already been mentioned multiple times. If you have further questions related to this, please re-open.

picture chiraag-nataraj on 18 Feb 2019
👍2

All 5 comments

I deleted the include firefox.profile at the end of the thunderbird.profile, and firejail thunderbird started.

you shouldn't do that

Q1 What was the purpose of including firefox.profile at the end of thunderbird.profile, and what do i have to do to get the intended behaviour?

firefox is included because thunderbird and firefox are similar enough (same base)
without it you loose a lot of the restrictions set by it

Q2 Even though thunderbird starts up now, it claims that

you are missing core firejail files

So, what has to be done to fix this?

your install is broken due to various reasons

you need to:

apt remove firejail
rm -rf /etc/firejail
apt install firejail firejail-profiles
SkewedZeppelin picture SkewedZeppelin on 9 Feb 2019
👍2

your install is broken due to various reasons

Well actually, this is a brand new installation. It seems that the distribution did install firejail by default, but firejail-profiles was forgotten.

But removing was not so easy, as you said ;) With your instructions, the apt system did not install the directory correctly. The package system claimed that it was installed, but /etc/firejail was empty.

So, it needed an apt purge firejail and a reboot ;) to fix that, and a copy of the firefox.profile (+gedit.profile +libreoffice.profile) from your 0.9.52 directory.

Thanks

pahhur picture pahhur on 9 Feb 2019

@pahhur : Firejail 0.9.52 is completely obsolete. You should really try the new version 0.9.58.2 which has many fixes implemented including profile changes for Firefox and Thunderbird.

curiosity-seeker picture curiosity-seeker on 12 Feb 2019
👍2

we fixed it in parrot by enabling ignore nodbus which was commented by default

PalinuroSec picture PalinuroSec on 14 Feb 2019

@pahhur Couple of things:

  1. firejail-profiles is _intentionally_ separate and not depended on by firejail because there may be cases where you don't need all of the provided profiles (see this Debian bug).
  2. The firejail package _does_ recommend installing the firejail-profiles (take a look at the output of aptitude show firejail), again as a result of that bug.
  3. As other commenters have said, 0.9.52 is _quite_ obsolete. Debian backports has 0.9.56 for Stretch.
  4. Don't manually download and install profiles to the _system_ directory. Install the firejail and firejail-profiles packages and install any custom/updated profiles either to /usr/local/etc/firejail or ~/.config/firejail.

I'm going to close this issue since the proper solution to your problem has already been mentioned multiple times. If you have further questions related to this, please re-open.

chiraag-nataraj picture chiraag-nataraj on 18 Feb 2019
👍2
Was this page helpful?
0 / 5 - 0 ratings

Related issues

SkewedZeppelin picture SkewedZeppelin  路  3Comments
crass picture crass  路  3Comments
Fincer picture Fincer  路  4Comments
reinerh picture reinerh  路  3Comments
nuxwin picture nuxwin  路  3Comments