Error: no suitable firefox executable found #2812

Closed
mahilkita opened this issue Jun 30, 2019 · 12 comments
Labels
information_old (Deprecated; use "doc-todo" or "needinfo" instead) Information was/is required

Comments

@mahilkita

I just installed firejail - the install ran smoothly - however I do not have firefox in my root directory but rather in home/david/opt - thus when running david@Liberation:~$ firejail firefox I get this 👍

```
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 10419, child pid 10420
Blacklist violations are logged to syslog
Child process initialized in 106.24 ms
Error: no suitable firefox executable found

Parent is shutting down, bye...
```

Firejail needs to search the home dir for programmes like Tor, Thunderbird and Firefox. Anyway, what config file do I need to edit to tell firejail where firefox is?

email me at skipper@gbenet.com

Thanks

David

@SkewedZeppelin
Collaborator

SkewedZeppelin commented Jun 30, 2019

you can try putting the following in ~/.config/firejail/firefox.local

```
ignore noexec ${HOME}
whitelist ${HOME}/opt/firefox
```

similar can be done for thunderbird

for a workaround for TBB you can use torbrowser-launcher instead

@rusty-snake rusty-snake added the information_old (Deprecated; use "doc-todo" or "needinfo" instead) Information was/is required label Jun 30, 2019
@matu3ba
Contributor

matu3ba commented Jul 8, 2019

@mahilkita Did this solve your problems?
@rusty-snake Is the manual in your first link not sufficient? I did link to that in the FAQ.

@rusty-snake
Collaborator

> Is the manual in your first link not sufficient?

Yes, but my repo is a little bit older than the wiki and it tries to be as strict as possible.

@rusty-snake
Collaborator

@mahilkita I'm closing here due to inactivity, please feel free to reopen if you still have this issue.

@svc88

svc88 commented Mar 30, 2020

> you can try putting the following in ~/.config/firejail/firefox.local
>
> ```
> ignore noexec ${HOME}
> whitelist ${HOME}/opt/firefox
> ```
>
> similar can be done for thunderbird
>
> for a workaround for TBB you can use torbrowser-launcher instead

To this date, shouldn't there be a noblacklist as well now? Like so:

```
noblacklist ${HOME}/opt/firefox
ignore noexec ${HOME}
whitelist ${HOME}/opt/firefox
```

@rusty-snake
Collaborator

@svc88 we never blacklist ${HOME}/opt/firefox (nor ${HOME}/opt).

@rakor

rakor commented May 31, 2022

I have the same issue running on debian stable.
firejail version 0.9.64.4

Also having installed the latest firefox in ~/opt/firefox.
I tried to put the lines in ~/.config/firejail/firefox.local but it still does not work, telling me:

```
Warning: networking feature is disabled in Firejail configuration file
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 395639, child pid 395642
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Child process initialized in 150.06 ms
Exec failed with error: Permission denied

Parent is shutting down, bye...
```

@glitsj16
Collaborator

@rakor The project recommends to use the backports packages on Debian stable. Please upgrade your Firejail setup and try again.

@rakor

rakor commented May 31, 2022

Hi @glitsj16. Thanks for your help. I found the issue is apparmor. If I also add ignore apparmor to the firefox.local it is running. Btw. the same occurs on Debian testing (firejail version 0.9.68).
I only don't understand the difference to the firefox-esr, that is installed using the official repository, which runs smooth just by firejail firefox. I don't have knowledge of apparmor, but in /etc/apparmor.d I could not find any firefox-profile. But as said, I never did anything with apparmor.
Is it less secure, running it with ignore apparmor ?!

@rusty-snake
Collaborator

The reason why apparmor only breaks firefox in ~ but not firefox-esr in /usr/bin is that apparmor restricts execution of programs to a few well-known directories.

```
##########
# Allow running programs only from well-known system directories. If you need
# to run programs from your home directory, add "/{,run/firejail/mnt/oroot/}home/** ix,"
# or similar to /etc/apparmor.d/local/firejail-default (without the quotes).
##########
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}bin/** ix,
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}sbin/** ix,
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}games/** ix,
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}lib{,32,64,exec}/** ix,
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}opt/** ix,
#/{,run/firejail/mnt/oroot/}home/** ix,
```

You can allow firefox in firejail-local

```
# Here are some examples to allow running programs from home directory.
# Don't enable all of these, just pick a specific one or write a custom rule
# instead as done below for torbrowser-launcher.
#owner @{HOME}/** ix,
#owner @{HOME}/bin/** ix,
#owner @{HOME}/.local/bin/** ix,
# Uncomment to opt-in to apparmor for brave + ipfs
#owner @{HOME}/.config/BraveSoftware/Brave-Browser/oecghfpdmkjlhnfpmmjegjacfimiafjp/*/** ix,
# Uncomment to opt-in to apparmor for brave + tor
#owner @{HOME}/.config/BraveSoftware/Brave-Browser/biahpgbdmdkfgndcmfiipgcebobojjkp/*/** ix,
# Uncomment to opt-in to apparmor for torbrowser-launcher
#owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/** ix,
```
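
The path matching described in the comment above, as an added example that is not part of the original thread or of Firejail's code: a simplified model of the quoted `ix` rules, showing why a binary under `~/opt` is refused while one under `/usr/bin` runs, and how a narrow local rule differs from a blanket `@{HOME}/**` one. The home directory `/home/david`, the two local rules and the checked paths are constructed assumptions; the `owner` qualifier and AppArmor's real `@{HOME}` expansion are not modelled.

```python
import re

# Exec rules quoted in the thread from the firejail-default AppArmor profile.
DEFAULT_RULES = [
    "/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}bin/** ix,",
    "/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}sbin/** ix,",
    "/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}games/** ix,",
    "/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}lib{,32,64,exec}/** ix,",
    "/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}opt/** ix,",
]
# Constructed local rules (assumptions, modelled on the firejail-local examples).
LOCAL_NARROW = "owner @{HOME}/opt/firefox/** ix,"
LOCAL_BROAD = "owner @{HOME}/** ix,"

def glob_to_regex(glob):
    """Translate the AppArmor glob subset used above into a compiled regex."""
    out, depth, i = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*")          # ** crosses '/' boundaries
            i += 1
        elif c == "*":
            out.append("[^/]*")       # * stays inside one path component
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")           # alternation inside {a,b}
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out))

def exec_allowed(path, rules, home="/home/david"):
    """True if any '<glob> ix,' rule matches path ('owner' is ignored)."""
    for rule in rules:
        glob = rule.strip().rstrip(",").split()[-2]   # token before 'ix'
        if glob_to_regex(glob.replace("@{HOME}", home)).fullmatch(path):
            return True
    return False

if __name__ == "__main__":
    for p in ("/usr/bin/firefox-esr", "/home/david/opt/firefox/firefox"):
        print(p, exec_allowed(p, DEFAULT_RULES))
```

With only `LOCAL_NARROW` appended, the Firefox tree under `~/opt/firefox` becomes executable while the rest of the home directory stays non-executable; `LOCAL_BROAD` opens every path under the home directory.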

@glitsj16
Collaborator

glitsj16 commented Jun 1, 2022

@rakor

> Is it less secure, running it with ignore apparmor ?!

That's up for debate. Personally I have been using Firejail and AppArmor in tandem for quite a while and feel OK with that combination. I did create AA profiles for most of the apps/daemons I use on my system, which took some time and effort. For other opinions 'out (t)here' on this topic: see e.g. #4786, #4522.

> I never did anything with apparmor

If you are unsure whether AA is properly configured/functioning on your system it might be informational to read https://wiki.archlinux.org/title/Apparmor. And if you decide to not use it with Firejail there's a switch in /etc/firejail/firejail.config you can set, which is easier than having to create individual overrides. You'll need to change the default (enabled):

```
[...]
# Enable AppArmor functionality, default enabled.
apparmor no
[...]
```
