-
Notifications
You must be signed in to change notification settings - Fork 559
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cannot unblacklist /usr/libexec in firefox-common.local #5339
Comments
We accept PR's. Although I can sympathize with your configuration issue, throwing out the baby with the bathwater seems a bit overkill IMO. Please consider this is not a bug, the recommended way works, as you state yourself. Currently we have exactly 13 other web browser profiles that include firefox-common.profile. Whether or not you're using all or some of them, if it's necessary to support your use case, the exact same workaround can be applied. Not willing to do the work is fine, but that's up to you. Besides, emacs has it's own dedicated profile and running it in the firefox sandbox is also your decision. The latest emacs on Arch Linux installs files to /usr/share/emacs (nothing to /usr/libexec because that's discouraged on that OS). If on Debian this dir exists as well, you need to add In the mean time I've counted exactly 13 |
@vinc17fr commented on Aug 24:
Suggestion: Create a new profile, such as "webbrowser-common.profile" and include it in the Then add the commands needed to allow emacs in it (or in a new |
Replying to the last two comments:
It is not my decision. It is Firefox that runs Emacs (as an helper application) for Concerning I don't see why
This is precisely what I want to avoid, because I don't want to remember to update my configuration for future web browsers I will use. BTW, firejail currently has this issue, making the web-browser profiles inconsistent: why isn't It seems that |
I was confused by this from the beginning I guess. Personally I've never experienced any problems with text/* file handling in a sandboxed Firefox. Now I realize that's due to my settings and personal workflow. I open them in FF or save them to ${DOWNLOADS} and open them via CLI and/or GUI file manager with whatever app is needed, running in its own dedicated sandbox. It's a habit I suppose. Can you provide a link to a file somewhere you always open with emacs?
That's the thing. IMO this is a distro/packaging issue. Some use /usr/libexec, some don't. Those that do don't just put all executables that make up an application in that location, but also use /usr/bin. This is the commit that added
IMO this whole discussion hints at |
@vinc17fr commented on Aug 25:
I'm afraid that there is currently no firejail-only solution to this that does There is xdg-open, which was made precisely for this use case, though it
Yes, but as mentioned in #3226, there is currently no way to do such a
Good question. As said above, it looks like these restrictions were first @rusty-snake Is this something that could be added to an existing include? Or
No; see chromium-common.profile and the profiles for TUI browsers, such as And even if the name were changed, it would still be included at the end of See the usual structure of a profile that includes a -common profile:
Additionally, note that the primary purpose of -common profiles is not user From the user's perspective, a -common profile can used as a common The question then becomes one of usability/organization/maintenance. For example, including firefox-pre-common.profile at the beginning and Though that does not include every browser. So maybe webbrowser-common.profile So use either webbrowser-tui-common.profile or webbrowser-gui-common.profile + And so on and so forth. All of which increase complexity and potential for confusion (for example, "why So again, I'd go with either xdg-open or with overriding the .local for every |
One line isn't a include thing. I'm even against all short includes (3-5 lines) but we don't have aliases/macros yet. |
So as mentioned, the main purpose of firefox-common.profile is to organize Other ways of resolving the issue at hand were posted and there hasn't been any Feel free to post any updates or request to reopen if you have more questions. |
Description
In order to view some kinds of text files from Firefox (and potentially other similar web browsers), I need to run some text viewer, and GNU Emacs is the best one for me. However, with the new GNU Emacs 28 version under Debian, being able to access
/usr/libexec/emacs
is required, and this is currently not possible by default:Though I could add
noblacklist /usr/libexec
to~/.config/firejail/firefox.local
to solve this issue, I would prefer to put everything to~/.config/firejail/firefox-common.local
, which is used by more profiles associated with web browsers. But addingnoblacklist /usr/libexec
there doesn't work as it is run too late (becausefirefox.profile
includesfirefox-common.profile
at the end), andignore blacklist /usr/libexec
doesn't work either (for the same reason?). Moreover,whitelist /usr/libexec
gives an error andwhitelist /usr/libexec/emacs
doesn't have any effect (due to the blacklist?).If there is no way to unblacklist some blacklisted directory, the profiles need to be reworked to run
firefox-common.local
earlier; otherwise, what's the point of this so-called local customization?Steps to Reproduce
noblacklist /usr/libexec
andignore blacklist /usr/libexec
in~/.config/firejail/firefox-common.local
(do not use other local customization). Or do not use any local customization.firejail --profile=firefox sh
emacs
(if GNU Emacs 28 is installed) and/orls -ld /usr/libexec
.Expected behavior
/usr/libexec
should be accessible.Actual behavior
/usr/libexec
is not accessible;ls -ld /usr/libexec
outputs permissionsdr--------
instead ofdrwxr-xr-x
.Behavior without a profile
N/A: The issue is about profile configuration.
Environment
firejail --version
): 0.9.70 (Debian package firejail 0.9.70-1)Checklist
/usr/bin/vlc
) "fixes" it).https://github.com/netblue30/firejail/issues/1139
)browser-allow-drm yes
/browser-disable-u2f no
infirejail.config
to allow DRM/U2F in browsers.--profile=PROFILENAME
to set the right profile. (Only relevant for AppImages)The text was updated successfully, but these errors were encountered: