Firejail: Firefox and Thunderbird jails share some settings, if the other jail is "running"

Created on 13 Sep 2019  ·  21 Comments  ·  Source: netblue30/firejail

Whenever I switch or change the VPN server, the gateway is changed too. (This happens whenever my laptop goes into standby.)
Then Firefox and Thunderbird inside firejail are not able to connect to any server on the internet, as long as one of them is running while I changed the VPN server/gateway. (This is true for any jail.)

If I close both of them, Thunderbird and Firefox, they can then connect to the internet again.

Thus, they share settings like the gateway-setting while one of the jails is running.

I think that the "Thunderbird forgets profiles"-issue (not an opened issue, just a name for the issue I mean) is bound to:

  1. running firefox
  2. running thunderbird - forgets profiles

Doing the other way around:

  1. running thunderbird
  2. running firefox

There are no issues.

Please confirm my issue(s).
I think the most important issue is the 1. firefox 2. thunderbird issue, then (with probably low priority) the gateway setting issue.

Most helpful comment

 # allow browsers  
 # Redirect
 # Uncomment if you use enigmail
 ignore nodbus
+ignore join-or-start
 include firefox.profile

All 21 comments

Please confirm my issue(s).

  1. Not on my system.
  2. Not using VPNs

My gateway issue was gone after I reinstalled my system (Parrot OS), and resolvconf.service seems to work correctly. It might've been a DNS issue, not a gateway issue.
I have to further test that but I have no time for the moment.

The profile issue:
Thunderbird cannot access the default profile if firefox was started and is running before thunderbird was started.
I have this issue even after reinstalling my system.

@Loader009 still an issue?

@rusty-snake yes, sadly.

  1. close all firefox and thunderbird instances
  2. run firejail firefox in a terminal, let it open
  3. run firejail thunderbird in a terminal, thunderbird asks you to set up an account
┌─[anonymous@parrot]─[~]
└──╼ $firejail --list
30744:anonymous:firefox:firejail firefox 
31094:anonymous::firejail thunderbird 

Distro? firejail-version? firejail-profile changes? Any other special things.

what happens if starting firefox w/o firejail and TB with FJ? What when starting FF with FJ and TB w/o FJ?

Distro

ParrotOS (parrotlinux.org)
security focused rolling release distribution, based on debian

┌─[anonymous@parrot]─[~]
└──╼ $uname -a
Linux parrot 5.3.0-3parrot3-amd64 #1 SMP Parrot 5.3.9-3parrot3 (2019-11-23) x86_64 GNU/Linux

firejail-version

Version: 0.9.58.2-3parrot4

Maintainer: Reiner Herrmann ---email hidden---

firejail-profile changes

$ls /etc/firejail/*.local 
/etc/firejail/firefox.local
$cat /etc/firejail/firefox.local 
whitelist ${HOME}/eclipse-uni-SW-workspace

$ls ~/.config/firejail/
telegram.profile

$firejail --list
49069:anonymous:firefox:firejail thunderbird 

$firejail --list
49226:anonymous:firefox:firejail firefox

comment

Mind the 49069:anonymous:firefox:firejail thunderbird thing, the profile "firefox" is being used for thunderbird.

So, starting only one in FJ has no issue, right? => both must be firejailed to get this issue.

Mind the 49069:anonymous:firefox:firejail thunderbird thing, the profile "firefox" is being used for thunderbird

You set this up? What happens with firejail --profile=/etc/firejail/firefox.profile firefox and then firejail --profile=/etc/firejail/thunderbird.profile thunderbird? If you want TB to use the FF profile, you must whitelist additional paths.

So, starting only one in FJ has no issue, right? => both must be firejailed to get this issue.

Kinda correct, only happens whenever firefox is firejailed first.

You set this up?

No, all I do is firejail firefox or firejail thunderbird.

What happens with firejail --profile=/etc/firejail/firefox.profile firefox and then firejail --profile=/etc/firejail/thunderbird.profile thunderbird? If you want TB to use the FF profile, you must whitelist additional paths.

I don't want thunderbird to use the firefox profile, it happens "on its own", without my intervention.

Down there you see what happens when running the two.
The firejail of thunderbird tries to switch to the firefox firejail and fails.
This might happen because the firefox.profile is included in the thunderbird.profile -- this might be an outdated config?
source: https://nest.parrotsec.org/debian-packages/firejail/blob/master/etc/thunderbird.profile

I also noticed that I uncommented ignore nodbus, sorry, I forgot that change of mine.

┌─[anonymous@parrot]─[~]
└──╼ $firejail --profile=/etc/firejail/firefox.profile firefox
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/firefox.local
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 61433, child pid 61434
Warning: skipping pango for private /etc
Warning: skipping asound.conf for private /etc
Warning: skipping pki for private /etc
Warning: skipping crypto-policies for private /etc
Private /etc installed in 100.92 ms
Post-exec seccomp protector enabled
Seccomp list in: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice, check list: @default-keep, prelist: adjtimex,clock_adjtime,clock_settime,settimeofday,modify_ldt,lookup_dcookie,perf_event_open,process_vm_writev,delete_module,finit_module,init_module,_sysctl,afs_syscall,create_module,get_kernel_syms,getpmsg,putpmsg,query_module,security,sysfs,tuxcall,uselib,ustat,vserver,ioperm,iopl,kexec_load,kexec_file_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount2,userfaultfd,vhangup,vmsplice,
Child process initialized in 285.44 ms

###!!! [Child][RunMessage] Error: Channel closing: too late to send/recv, messages will be lost
┌─[anonymous@parrot]─[~]
└──╼ $firejail --profile=/etc/firejail/thunderbird.profile thunderbird
Reading profile /etc/firejail/thunderbird.profile
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/firefox.local
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Switching to pid 61434, the first child process inside the sandbox
Error: --shell=none configured, but no program specified
┌─[anonymous@parrot]─[~]
└──╼ $cat /etc/firejail/thunderbird.profile 
# Firejail profile for thunderbird
# Description: Email, RSS and newsgroup client with integrated spam filter
# This file is overwritten after every install/update
# Persistent local customizations
include thunderbird.local
# Persistent global definitions
include globals.local

# Users have thunderbird set to open a browser by clicking a link in an email
# We are not allowed to blacklist browser-specific directories

noblacklist ${HOME}/.cache/thunderbird
noblacklist ${HOME}/.gnupg
# noblacklist ${HOME}/.icedove
noblacklist ${HOME}/.thunderbird

# If you have setup Thunderbird to archive emails to a local folder,
# make sure you add the path to that folder to the mkdir and whitelist
# rules below. Otherwise they will be deleted when you close Thunderbird.
# See https://github.com/netblue30/firejail/issues/2357
mkdir ${HOME}/.cache/thunderbird
mkdir ${HOME}/.gnupg
# mkdir ${HOME}/.icedove
mkdir ${HOME}/.thunderbird
whitelist ${HOME}/.cache/thunderbird
whitelist ${HOME}/.gnupg
# whitelist ${HOME}/.icedove
whitelist ${HOME}/.thunderbird

# We need the real /tmp for data exchange when xdg-open handles email attachments on KDE
ignore private-tmp
# machine-id breaks audio in browsers; enable it when sound is not required
# machine-id
read-only ${HOME}/.config/mimeapps.list
# writable-run-user is needed for signing and encrypting emails
writable-run-user

# If you want to read local mail stored in /var/mail, add the following to thunderbird.local:
# noblacklist /var/mail
# noblacklist /var/spool/mail
# writable-var

# allow browsers
# Redirect
# Uncomment if you use enigmail
ignore nodbus
include firefox.profile

grep "join-or-start" /etc/firejail/*?

yep, the firefox.profile contains a join-or-start.

┌─[anonymous@parrot]─[~]
└──╼ $grep "join-or-start" /etc/firejail/*
/etc/firejail/atom.profile:join-or-start atom
/etc/firejail/blender.profile:join-or-start blender
/etc/firejail/code.profile:join-or-start code
/etc/firejail/dolphin.profile:join-or-start dolphin
/etc/firejail/firefox.profile:join-or-start firefox
/etc/firejail/gimp.profile:join-or-start gimp
/etc/firejail/kate.profile:join-or-start kate
/etc/firejail/keepassxc.profile:join-or-start keepassxc
/etc/firejail/kwrite.profile:join-or-start kwrite
/etc/firejail/libreoffice.profile:join-or-start libreoffice
/etc/firejail/okular.profile:join-or-start okular
/etc/firejail/pluma.profile:join-or-start pluma
/etc/firejail/qbittorrent.profile:join-or-start qbittorrent
/etc/firejail/spotify.profile:join-or-start spotify
/etc/firejail/vlc.profile:join-or-start vlc
/etc/firejail/vscodium.profile:join-or-start vscodium
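The mechanism the grep above confirms (thunderbird.profile pulls in firefox.profile, and with it `join-or-start firefox`), as an added example that is not part of this thread or of firejail itself: a small Python model of how `include` and `ignore` lines compose, used as a check that flags a profile whose effective directives would make a program join another app's sandbox. It assumes `ignore X` only drops lines read after it (the reason the thread's fix places it before the include), and the profile texts are constructed for the example.

```python
# Added example, not firejail's own code: a small model of how `include` and
# `ignore` lines compose in a firejail profile, used to flag a profile whose
# effective directives contain a `join-or-start` naming a different sandbox.
# Assumption: `ignore X` drops lines starting with X that are read after it.
# The profile texts below are constructed for this example.

PROFILES = {
    "firefox.profile": "join-or-start firefox\nprivate-tmp\n",
    "thunderbird.profile": "ignore nodbus\ninclude firefox.profile\n",
    "thunderbird-fixed.profile": (
        "ignore nodbus\nignore join-or-start\ninclude firefox.profile\n"
    ),
}

def resolve(name, profiles=PROFILES, ignored=None, seen=None):
    """Expand includes depth-first and return the effective directive lines."""
    ignored = set() if ignored is None else ignored
    seen = set() if seen is None else seen
    if name in seen:  # guard against include loops
        return []
    seen.add(name)
    effective = []
    for raw in profiles.get(name, "").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, _, arg = line.partition(" ")
        if directive == "ignore":
            ignored.add(arg)  # affects only lines read from here on
        elif directive == "include":
            effective.extend(resolve(arg, profiles, ignored, seen))
        elif not any(line.startswith(ig) for ig in ignored):
            effective.append(line)
    return effective

def foreign_join(program, name, profiles=PROFILES):
    """Sandbox name a `join-or-start` would make `program` join if it is not the program's own, else None."""
    for line in resolve(name, profiles):
        directive, _, target = line.partition(" ")
        if directive == "join-or-start" and target != program:
            return target
    return None

if __name__ == "__main__":
    print(foreign_join("thunderbird", "thunderbird.profile"))        # -> firefox
    print(foreign_join("thunderbird", "thunderbird-fixed.profile"))  # -> None
```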
 # allow browsers  
 # Redirect
 # Uncomment if you use enigmail
 ignore nodbus
+ignore join-or-start
 include firefox.profile
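Review bot: the new `ignore join-or-start` line is placed before `include firefox.profile`, which is where it has to be, since the grep output shows the included firefox.profile is what carries `join-or-start firefox`; but the header of this file says `# This file is overwritten after every install/update`, so editing /etc/firejail/thunderbird.profile directly loses the fix on the next package update. Putting the same line in thunderbird.local, which the profile includes at its top, survives updates.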

This works, thank you.

Might the following way be better?

 # allow browsers  
 # Redirect
 # Uncomment if you use enigmail
 ignore nodbus
-include firefox.profile
+include firefox-common.profile
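Review bot: replacing the include with firefox-common.profile also drops everything firefox.profile reads before it reaches firefox-common.profile; the run log above shows it reading /etc/firejail/firefox.local first, so that local whitelist would no longer apply to the Thunderbird sandbox. Check that the link hand-off to a running Firefox still works with this packaging before adopting it.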

Based on this:
https://github.com/netblue30/firejail/blob/master/etc/thunderbird.profile

No #2818.

I see, that commit is not merged in the parrot git, thus it would break thunderbird-link->firefox compatibility.
Thanks again.

I'll close this, because the issue is solved now.

@rusty-snake I might have another solution, but this is out of firejail's possibilities I think.
I modified ~/.local/share/applications/firefox.desktop to this:
Exec=firejail --profile=firefox --join-or-start=firefox firefox %u
And ~/.local/share/applications/thunderbird.desktop to this:
Exec=/usr/bin/firejail --profile=thunderbird --join-or-start=thunderbird thunderbird %u

After a restart of thunderbird it ran in a different jail than firefox but opened a link in the correct firefox window.

FYI: #3294

or easier: echo "join-or-start firefox" >> "~/.config/firejail/firefox.local" and same for thunderbird.

PS: the --profile arguments are unnecessary.

or easier: echo "join-or-start firefox" >> "~/.config/firejail/firefox.local" and same for thunderbird.

This would result in every firefox instance running in the jail "firefox", but I actually use a firefox-home and a firefox-uni (university) jail, that's why I can't do that.
(Soon I'll also do it for thunderbird.)

PS: the --profile arguments are unnecessary.

The --profile argument is (in my opinion) necessary because otherwise thunderbird has no jail in firejail --list.
Right now:

firejail --list
29222:anonymous:firefox-home:firejail --profile=firefox --join-or-start=firefox-home firefox -P Parrot 
38770:anonymous:thunderbird-home:/usr/bin/firejail --profile=thunderbird --join-or-start=thunderbird-home thunderbird 

but I actually use a firefox-home and a firefox-uni (university) jail,

Ok, that's a special case where it is easier with the .desktop file. The only alternative would be --join-or-start=firefox-uni --ignore=join-or-start.

The --profile argument is (in my opinion) necessary

If you have Exec=firejail thunderbird, firejail will automatically pick thunderbird.profile. --profile is only necessary if you have firejail --profile=thunderbird bash or firejail --profile=thunderbird thunderbird.wrapper.

Ok, that's a special case where it is easier with the .desktop file. The only alternative would be --join-or-start=firefox-uni --ignore=join-or-start.

Yeah, that's an idea.

The --profile argument is (in my opinion) necessary

If you have Exec=firejail thunderbird, firejail will automatically pick thunderbird.profile. --profile is only necessary if you have firejail --profile=thunderbird bash or firejail --profile=thunderbird thunderbird.wrapper.

Sadly no. Look at this:
Before running firejail thunderbird

$firejail --list
29222:anonymous:firefox-home:firejail --profile=firefox --join-or-start=firefox-home firefox -P Parrot

After running firejail thunderbird

$firejail --list
29222:anonymous:firefox-home:firejail --profile=firefox --join-or-start=firefox-home firefox -P Parrot 
56082:anonymous::firejail thunderbird 

Probably because of this in thunderbird.profile to get the initial issue of this ticket solved:

 # allow browsers  
 # Redirect
 # Uncomment if you use enigmail
 ignore nodbus
+ignore join-or-start
 include firefox.profile

After running firejail thunderbird

this shows that TB is sandboxed. IDK what you mean with "otherwise thunderbird has no jail in firejail --list."

Ok, then I misinterpreted it.
I thought the empty jailname meant that thunderbird was not jailed or not jailed correctly.
