qBittorrent: menu items that open external apps do not work

[grizzlyuser]

Steps to reproduce:

1. Run qBittorrent with profile included in firejail for it.
2. Download some torrent with a file. There has to be associated application to open that file type. For example, download any video file from here: http://bbb3d.renderfarming.net/download.html (seems to be perfectly legal).
3. Right click the torrent and select 'Preview file...'
4. Right click the torrent and select 'Open destination folder'
5. Click 'Content' button in the bottom
6. Right click the file and select 'Open'
7. Right click the file and select 'Open destination folder'
8. Select menu 'View' - 'Search Engine' and switch to 'Search' tab.
9. Search for any torrent (you might need to click 'Search plugins...' in the bottom and select 'Check for updates' first to download them).
10. Select any found torrent and click 'Go to description page' button in the bottom.

Expected results: Appropriate application opens on steps 3, 4, 6, 7, 10, like video player, file manager and web browser.
Actual results: Nothing happens on steps 3, 4, 6, 7, 10. The file still can be opened using regular file manager. Only the following messages can be seen if qBittorrent was launched from the terminal:

Unable to detect a launcher for 'file:///<path to downloaded file>'
Unable to detect a launcher for 'file:///<path to download folder>'
Unable to detect a launcher for 'file:///<path to downloaded file>'
Unable to detect a launcher for 'file:///<path to download folder>'
Unable to detect a web browser to launch '<URL>'

Environment used:
Firejail version: 0.9.56
qBittorrent version: v4.1.5
OS: Parabola GNU/Linux-libre (Arch Linux derivative), freshly updated

Note: I was able to reproduce the issue when only qBittorrent runs in a sandbox, and also when firejail is used by default for other applications (after running firecfg). These steps worked fine when qBittorrent runs unprotected. So it looks like the issue is related to qBittorrent profile in the first place.

[rusty-snake]

Reason:

firejail/etc/qbittorrent.profile

Line 54 in 8d464d9

private-bin qbittorrent,python*

If you want to fix:
echo "ignore private-bin" >> .config/firejail/qbittorrent.profile

But that can still have problems because qbittorrent has a very strict profile.

[glitsj16]

What you're describing isn't all that exceptional in a firejail context. In fact one could argue that it's exactly the behavior you'd want. Looking at /etc/firejail/qbittorrent.profile you'll notice it contains a private-bin qbittorrent,python* entree. Those are the only commands authorized to run inside the sandbox, which is a good thing security-wise. You can add commands for any external application you need/want, either in a (system-wide) /etc/firejail/qbittorrent.local, in a (per-user) ~/.config/firejail/qbittorrent.local file, or added as a parameter to the command used to start qbittorrent. E.g. private-bin foo bar will add the commands foo and bar to the list of applications allowed to run in the qbittorrent sandbox.

Another option is to use ignore private-bin in such a .local file/command-line parameter. This would definately not work for a video player, as the profile also comes with nosound and novideo and I'm assuming that's not going to be the way you prefer to enjoy your favo video :-). You can override those too, slowly but surely crippling the original sandbox in each step taken to provide more useability.

I do realize this might not be what you expected. Try looking at security and useability as a matter of degrees and find your workable balance. IMHO, I'd keep the profile as tight as possible and use another dedicated firejail profile for watching/listening to the result of the bittorrent process once your file is fully downloaded. But that's a personal opinion.

[rieje]

@glitsj16

How would you deal with a situation where you're using multiple firefox profiles and want to share a download directory? For example, I dedicate a firefox profile for shopping and need to upload a screenshot I took on the system, saved to the downloads folder. Ideally, I don't expose the download directory and use --get=<file> or --put=<file, but that's a hassle involving the need to use ff --list, get the firejail ID, etc. I'm not sure if it's possible to script this for usability purposes for someone using multiple firefox profile instances at once.

At the moment I'm using bind mounts to ~/Downloads in /etc/fstab so the jailed profiles see the contents of the downloads directory. A side-effect is that rm <jailed profile directory> will also remove the downloads directory if I'm not careful.

Really curious on your thoughts and personal setup with regards to multiple firefox profiles--I also see that you use profile-sync-daemon for reasons other than performance, presumably. Do you have a reddit account I can contact you to discuss about this? Much appreciated.

[chiraag-nataraj]

@rieje I'm not @glitsj16, but I'll give you my take on these questions :)

How would you deal with a situation where you're using multiple firefox profiles and want to share a download directory?

I just share it with the understanding that any files in that directory will be accessible to all programs (so if it's something sensitive, I pretty much immediately move it out of ${DOWNLOADS}). It's not perfect, but avoids the hassle of dealing with --put and --get, especially since I share ${DOWNLOADS} with all my programs.

Ideally, I don't expose the download directory and use --get= or --put=<file, but that's a hassle involving the need to use ff --list, get the firejail ID, etc. I'm not sure if it's possible to script this for usability purposes for someone using multiple firefox profile instances at once.

If you're using systemd, you could potentially create a scripted solution for this which involves generating predictable unit names (firefox-${profile} is a good template) and using systemctl --user show -p MainPID --value to get the PID of the sandbox.

[rieje]

Thanks for the info, I'll do that and also see if I can see if there are existing implementations of the systemd method like you've described (my scripting is not too great).

I have a profile dedicated to downloading sensitive files and at the moment it's to ~/downloads. Moving sensitive files way from the directory is doable if it weren't for this profile constantly downloading lots of content and requiring me to move it frequently. Perhaps related, I'm also using /usr/lib/firefox/mozilla.cfg where I have my about:config settings (including the setting for the download folder) for Firefox and AFAIK it is not jailed because I believe its settings are applied to all my jailed profiles. What if I want different profiles (and ideally also temporary profiles) to use different about:config settings defined in mozilla.cfg? For example, have a jailed profile use a different download directory?

And would it be possible for temporary profiles to have addons installed automatically?

[chiraag-nataraj]

You should definitely check out my private-profile.sh script (there are usage instructions in that repo).

What if I want different profiles (and ideally also temporary profiles) to use different about:config settings defined in mozilla.cfg? For example, have a jailed profile use a different download directory?

With my script, there's an option to copy an existing profile (and which files/folders to copy from that existing profile) into a new temporary profile. You could set up multiple different "template" firefox profiles with different settings and use those profiles as the -p option to my script.

And would it be possible for temporary profiles to have addons installed automatically?

Yup! With the provided firefox.private file in the repo, my script will copy extensions and their settings, the widevine plugin, preferences, etc.

[chiraag-nataraj]

I'm going to go ahead and close this for now, since the original question was answered. @grizzlyuser, feel free to re-open if you have any more questions. @rieje, if you have questions about that script, please create an issue in that repo :)