Hi,
I installed firejail (sudo apt install firejail firejail-profiles) on a brand new Linux Mint 20.
I want to use firejail to run my portable version of Firefox Developer Edition.
This executable is located here: /home/jim/files/Portable/FirefoxDeveloperEdition/firefox.
Here are the steps I took:
Copied /etc/firejail/firefox-developer-edition.profile to /home/jim/.config/firejail/
Added to /home/jim/.config/firejail/firefox-developer-edition.profile:
whitelist ${HOME}/files/Portable/FirefoxDeveloperEdition
Wrapper script:
#!/bin/bash
firejail --profile=/home/jim/.config/firejail/firefox-developer-edition.profile /home/jim/files/Portable/FirefoxDeveloperEdition/firefox
When I run this however, I get the following error:
Reading profile /home/jim/.config/firejail/firefox-developer-edition.profile
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 2700815, child pid 2700816
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Post-exec seccomp protector enabled
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Child process initialized in 93.49 ms
Exec failed with error: Permission denied
Parent is shutting down, bye...
If I comment out apparmor on line 32 of /etc/firejail/firefox-common.profile (this file is referenced by firefox.profile, which is referenced by firefox-developer-edition.profile), then everything works as expected.
The same issue is described here: https://unix.stackexchange.com/questions/587080/whitelist-a-directory-for-execution-with-firejail
When I run firejail --noprofile /home/jim/files/Portable/FirefoxDeveloperEdition/firefox, the program starts as expected.
When I disable firejail, the program also starts as expected.
I'm not sure if this is a bug, or if I am doing anything wrong. I would be happy to provide any details you might need.
You need to add
ignore noexec ${HOME}
to
.config/firejail/firefox-developer-edition.profile
I'm afraid that didn't help. I still get the same error message.
Here's my complete .config/firejail/firefox-developer-edition.profile:
# Firejail profile for firefox-developer-edition
# Description: Developer Edition of the popular Firefox web browser
# This file is overwritten after every install/update
# Persistent local customizations
include firefox-developer-edition.local
# Persistent global definitions
# added by included profile
#include globals.local
# Redirect
include firefox.profile
whitelist ${HOME}/files/Portable/FirefoxDeveloperEdition
ignore noexec ${HOME}
apparmor and noexec ${HOME} (in disable-exec.inc) make $HOME noexec,nodev,nosuid. This is a good defense-in-depth for most sandboxes. However, if you want to execute software from inside your home, you need to ignore noexec ${HOME} and ignore apparmor.
If you set browser-allow-drm yes in firejail.config, ignore noexec ${HOME} is implied (via condition).
To make it work, this should be enough:
cat > ~/.config/firejail/firefox-developer-edition.local <<EOF
ignore noexec ${HOME}
ignore apparmor
whitelist ${HOME}/files/Portable/FirefoxDeveloperEdition
EOF
Aside: Why does apparmor not break DRM?????!!!
It needs to be before any includes, I should've mentioned, e.g.
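The two points made above, that noexec ${HOME} plus apparmor block execution under $HOME until both are cancelled with ignore, and that an ignore only takes effect for lines read after it (so it belongs in the .local, which the profile includes first, not appended below include firefox.profile), can be checked with a small model of firejail's profile resolution. This is an added illustration, not firejail's own code: the system profiles are constructed, trimmed stand-ins for the real /etc/firejail files, and the model compares directive strings literally without expanding ${HOME}.

```python
"""Model of how firejail resolves a profile's include/ignore chain.

Constructed example (not firejail's own code). It reproduces one rule:
an `ignore X` directive drops only the X lines read *after* it, with
the ignore list shared across the whole include chain.
"""
from typing import Dict, List, Optional, Set

# Constructed, heavily trimmed stand-ins for the real /etc/firejail files.
# Only the directives relevant to this thread are kept.
SYSTEM_PROFILES: Dict[str, List[str]] = {
    "firefox-developer-edition.profile": [
        "include firefox-developer-edition.local",  # .local is read first
        "include firefox.profile",
    ],
    "firefox.profile": [
        "include firefox.local",
        "include firefox-common.profile",
    ],
    "firefox-common.profile": [
        "include firefox-common.local",
        "include disable-exec.inc",
        "apparmor",
        "seccomp",
    ],
    "disable-exec.inc": [
        "noexec ${HOME}",
        "noexec /tmp",
    ],
}


def resolve(name: str, files: Dict[str, List[str]],
            ignored: Optional[Set[str]] = None) -> List[str]:
    """Return the effective directives in read order, following includes.

    `ignored` is shared by the whole chain: once `ignore X` has been read,
    any later line equal to X, or starting with "X ", is dropped. A missing
    .local file is skipped silently, like an absent file on disk.
    """
    if ignored is None:
        ignored = set()
    effective: List[str] = []
    for raw in files.get(name, []):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("include "):
            effective.extend(resolve(line[len("include "):].strip(), files, ignored))
        elif line.startswith("ignore "):
            ignored.add(line[len("ignore "):].strip())
        elif any(line == x or line.startswith(x + " ") for x in ignored):
            continue  # cancelled by an ignore that was read earlier
        else:
            effective.append(line)
    return effective


def layout_appended_to_copied_profile() -> Dict[str, List[str]]:
    """The failing layout from the thread: a copied .profile with the
    override appended *after* the includes."""
    files = dict(SYSTEM_PROFILES)
    files["firefox-developer-edition.profile"] = (
        SYSTEM_PROFILES["firefox-developer-edition.profile"]
        + ["whitelist ${HOME}/files/Portable/FirefoxDeveloperEdition",
           "ignore noexec ${HOME}"]
    )
    return files


def layout_local_file() -> Dict[str, List[str]]:
    """The working layout: overrides in the .local, which the system
    profile includes before anything else."""
    files = dict(SYSTEM_PROFILES)
    files["firefox-developer-edition.local"] = [
        "ignore noexec ${HOME}",
        "ignore apparmor",
        "whitelist ${HOME}/files/Portable/FirefoxDeveloperEdition",
    ]
    return files


def home_exec_blockers(effective: List[str]) -> List[str]:
    """Directives still present that stop a binary under $HOME from running."""
    return [d for d in effective if d in ("noexec ${HOME}", "apparmor")]


if __name__ == "__main__":
    for label, files, entry in [
        ("ignore appended to copied profile", layout_appended_to_copied_profile(),
         "firefox-developer-edition.profile"),
        ("overrides in .local", layout_local_file(), "firefox-developer-edition.profile"),
        ("passing the .local itself as --profile", layout_local_file(),
         "firefox-developer-edition.local"),
    ]:
        eff = resolve(entry, files)
        print(f"{label}: blockers={home_exec_blockers(eff)} effective={eff}")
```

Running it shows the three situations from the thread: with the ignore appended after the includes, both noexec ${HOME} and apparmor survive, because they were read before the ignore; with the overrides in the .local, both are gone while seccomp and the other hardening stay; and passing the .local itself as --profile leaves nothing but the whitelist, which is the "lost all the security features" case.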
I'm afraid that didn't work. I still get the same error message.
> To make it work, this should be enough:
This worked. Thank you. Also, for the explanation.
So now I just have /home/jim/.config/firejail/firefox-developer-edition.local:
ignore noexec /home/jim
ignore apparmor
whitelist /home/jim/files/Portable/FirefoxDeveloperEdition
and I'm starting the application like so:
#!/bin/bash
firejail --profile=/home/jim/.config/firejail/firefox-developer-edition.locale /home/jim/files/Portable/FirefoxDeveloperEdition/firefox
Does that seem correct to you?
> and I'm starting the application like so:
> #!/bin/bash
> firejail --profile=/home/jim/.config/firejail/firefox-developer-edition.locale /home/jim/files/Portable/FirefoxDeveloperEdition/firefox
> Does that seem correct to you?
No, you lost all the security features. Right command: firejail --profile=firefox-developer-edition /home/jim/files/Portable/FirefoxDeveloperEdition/firefox.
PS: you can remove ~/.config/firejail/firefox-developer-edition.profile (dot profile).
PS2: If you use a wrapper script, you may want to add "$@".
#!/bin/bash
exec firejail --profile=firefox-developer-edition /home/jim/files/Portable/FirefoxDeveloperEdition/firefox "$@"
Fantastic! Thanks for your help.