Firefox 60.0 and Firejail

Questions about applications and software
Forum rules
Before you post please read how to get help
User avatar
Gruppo Sportivo
Level 3
Level 3
Posts: 159
Joined: Sun May 28, 2017 4:14 am
Location: Rotterdam (NL)

Re: Firefox 60.0 and Firejail

Post by Gruppo Sportivo »

temporary solution until final release 0.9.54
firefox-common.profile <=> /etc/firejail (open as administrator)

Changes the lines #37-#38-#39 in firefox-common.profile

Code: Select all

shell none
#disable tracelog, it breaks or causes major issues with many firefox based browsers, see github issue #1930
#tracelog
Done this with firejail version 0.9.54~rc1
Output

Code: Select all

firejail --tree
Image
Last edited by Gruppo Sportivo on Sat May 12, 2018 7:10 am, edited 5 times in total.

User avatar
Snafu
Level 2
Level 2
Posts: 66
Joined: Tue Mar 13, 2018 7:01 am
Location: Australia

Re: Firefox 60.0 and Firejail

Post by Snafu »

No, not just yet. The latest version is 0.9.52. The fixes are in 0.9.54, which will be released soon. :)
When 0.9.54 is released I hope you can announce that in these forums
When all else fails follow the instructions

now3by
Level 2
Level 2
Posts: 65
Joined: Mon Jan 23, 2017 1:56 pm

Re: Firefox 60.0 and Firejail

Post by now3by »

why I can't disable/delete only firefox profile... firefox not starting because firejail firefox profile missing even after firecfg --clean and --fix...
"apt-get purge firejail" fix this crap forever.
Linux...

User avatar
absque fenestris
Level 7
Level 7
Posts: 1940
Joined: Sat Nov 12, 2016 8:42 pm
Location: Confoederatio Helvetica

Re: Firefox 60.0 and Firejail

Post by absque fenestris »

AZgl1500 wrote:
Fri May 11, 2018 1:04 pm
...
But, is it all that much needed?
I have used Firefox for 30 years, and not had any problems.
30 years is a little bit too much in this case.
Linux Mint 18.3 Sylvia (Mate) 32-bit - Acer D250 Netbook (Intel Atom N270, 2 GB RAM, 120 GB SSD)
Linux Mint 17.3 Rosa (Mate) 64-bit - MacBook Pro 15" (Intel Core2 Duo, 8 GB RAM, 240 GB SSD) - with some separation difficulties...

User avatar
Sir Charles
Level 7
Level 7
Posts: 1897
Joined: Thu Jan 04, 2018 1:00 pm

Re: Firefox 60.0 and Firejail

Post by Sir Charles »

Firefox initial release: 2002
History of the Mozilla Project
I suppose that's one of the ironies of life, doing the wrong thing at the right moment -C.C.

User avatar
absque fenestris
Level 7
Level 7
Posts: 1940
Joined: Sat Nov 12, 2016 8:42 pm
Location: Confoederatio Helvetica

Re: Firefox 60.0 and Firejail

Post by absque fenestris »

Marziano wrote:
Sat May 12, 2018 8:26 am
Firefox initial release: 2002
History of the Mozilla Project
...actually Internet in 1988 would be the more interesting question
Linux Mint 18.3 Sylvia (Mate) 32-bit - Acer D250 Netbook (Intel Atom N270, 2 GB RAM, 120 GB SSD)
Linux Mint 17.3 Rosa (Mate) 64-bit - MacBook Pro 15" (Intel Core2 Duo, 8 GB RAM, 240 GB SSD) - with some separation difficulties...

User avatar
Sir Charles
Level 7
Level 7
Posts: 1897
Joined: Thu Jan 04, 2018 1:00 pm

Re: Firefox 60.0 and Firejail

Post by Sir Charles »

absque fenestris wrote:
Sat May 12, 2018 8:45 am
Marziano wrote:
Sat May 12, 2018 8:26 am
Firefox initial release: 2002
History of the Mozilla Project
...actually Internet in 1988 would be the more interesting question
It is,...indeed!
:D
I suppose that's one of the ironies of life, doing the wrong thing at the right moment -C.C.

User avatar
AZgl1500
Level 12
Level 12
Posts: 4087
Joined: Thu Dec 31, 2015 3:20 am
Location: Oklahoma where the wind comes sweeping down the plains
Contact:

Re: Firefox 60.0 and Firejail

Post by AZgl1500 »

Can't get anything past you guys :mrgreen:
Linux Mint 19.3 Cinnamon

JohnFrumm
Level 2
Level 2
Posts: 59
Joined: Sun Dec 03, 2017 12:49 pm

Re: Firefox 60.0 and Firejail

Post by JohnFrumm »

absque fenestris wrote:
Sat May 12, 2018 8:16 am
AZgl1500 wrote:
Fri May 11, 2018 1:04 pm
...
But, is it all that much needed?
I have used Firefox for 30 years, and not had any problems.
30 years is a little bit too much in this case.
Two things:
1) well I have been using firefox for 40 years. It was installed on my manual typewriter.
2) I found the firefox install version 59, I will use this until the firejail/firefox v60 issues get sorted out:
https://ftp.mozilla.org/pub/firefox/releases/59.0.3/
Have you backed up your computer recently?

User avatar
Pepi
Level 5
Level 5
Posts: 931
Joined: Wed Nov 18, 2009 7:47 pm

Re: Firefox 60.0 and Firejail

Post by Pepi »

I commented out these two in my Firefox profile and now it work. I also checked security and it appear to be sandboxing

#seccomp
#tracelog

User avatar
absque fenestris
Level 7
Level 7
Posts: 1940
Joined: Sat Nov 12, 2016 8:42 pm
Location: Confoederatio Helvetica

Re: Firefox 60.0 and Firejail

Post by absque fenestris »

Oh yes - by the way:
Firefox 60.0 works best with Firejail...

firejail_0.9.54~rc1_1_i386.deb
Linux Mint 18.3 Sylvia (Mate) 32-bit - Acer D250 Netbook (Intel Atom N270, 2 GB RAM, 120 GB SSD)
Linux Mint 17.3 Rosa (Mate) 64-bit - MacBook Pro 15" (Intel Core2 Duo, 8 GB RAM, 240 GB SSD) - with some separation difficulties...

Summerof69
Level 3
Level 3
Posts: 165
Joined: Sun Oct 25, 2015 11:52 am
Location: Mainland,Denmark

Re: Firefox 60.0 and Firejail

Post by Summerof69 »

Hello a lot of good answers in this thread;
what worked for me with FF 60 and firejail version 0.9.38.10 is to add the following in the FF short cuts:

--ignore=seccomp


So an ordinary short cut (in the "command" line) could look like this:

Code: Select all

firejail --ignore=seccomp firefox %u
and a private short cut could look like this:

Code: Select all

firejail --ignore=seccomp firefox --private --dns=8.8.8.8 --no remote
For millions of years mankind lived much like the animals
Then something happened which unleashed the power of our imagination
We learned to talk
All we need to do is make sure we keep talking
Stephen Hawkin's voice on Keep Talking by Pink Floyd

User avatar
Fred Barclay
Level 12
Level 12
Posts: 4215
Joined: Sat Sep 13, 2014 11:12 am
Location: Swimming

Re: Firefox 60.0 and Firejail

Post by Fred Barclay »

Snafu wrote:
Sat May 12, 2018 6:04 am
When 0.9.54 is released I hope you can announce that in these forums
I'll put a note in viewtopic.php?f=58&t=269190 :)
Image
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein

User avatar
Fred Barclay
Level 12
Level 12
Posts: 4215
Joined: Sat Sep 13, 2014 11:12 am
Location: Swimming

Re: Firefox 60.0 and Firejail

Post by Fred Barclay »

now3by wrote:
Sat May 12, 2018 8:07 am
why I can't disable/delete only firefox profile... firefox not starting because firejail firefox profile missing even after firecfg --clean and --fix...
"apt-get purge firejail" fix this...
Now that's not being fair. You have to spend some time getting familiar with firejail instead of just guessing what commands to use. ;)

You can just delete the firefox profile, but that's rather the wrong approach to take. That would be like tossing your computer in the rubbish bin if LibreOffice didn't open a file correctly. Why not take a few moments to either (a). read the solutions that are provided here or (b). ask for help?
Image
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein

xdicey
Level 4
Level 4
Posts: 474
Joined: Wed Sep 16, 2015 2:42 pm

Re: Firefox 60.0 and Firejail

Post by xdicey »

replacing secomp with this very long 'text' from here https://github.com/netblue30/firejail/i ... -388358648 works perfectly well for me.

Code: Select all

seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
-QUAD CORE Intel Core i7-4700MQ CPU (-HT-MCP-) 2.40GHz x4
-16GB RAM, 1 TB SSHD
-Graphics Card: Intel 4th Gen Core Processor Integrated Graphics Controller

User avatar
Pepi
Level 5
Level 5
Posts: 931
Joined: Wed Nov 18, 2009 7:47 pm

Re: Firefox 60.0 and Firejail

Post by Pepi »

I went ahead and loaded Firejail 0.9.54 and Firefox runs now. Only thing I've noticed is ... Sometimes when I launch Firefox I get the blank screen until I relaunch it again :?: Hasn't happen very much though.

Tor still doesn't work for me with Firejail. Never has really. I really don't think Firejail likes the .sh on the end of the path to launch Tor. Path to Tor --- /usr/bin/tor-browser-en.sh

User avatar
majpooper
Level 6
Level 6
Posts: 1063
Joined: Thu May 09, 2013 1:56 pm
Location: North Carolina, USA

Re: Firefox 60.0 and Firejail

Post by majpooper »

Bunch of different solutions here - a bit confusing.
1.) two different versions ~/.config/firejail/firefox.profile in two days
2.) new secccomp line
3.) do first version of 1.) plus 2.)
4.) --ignore=seccomp in shortcut command
5.) comment out #seccomp and #tracelog in firefox.profile
6.) firefox-common.profile <=> /etc/firejail (open as administrator)

Code: Select all

 shell none
         #disable tracelog, it breaks or causes major issues with many firefox based browsers, see github issue #1930
         #tracelog


Fred, as firejail SME can you please provide guidance as to the recommended solution until release 0.9.54

151tom
Level 3
Level 3
Posts: 175
Joined: Fri Oct 20, 2017 5:57 pm

Re: Firefox 60.0 and Firejail

Post by 151tom »

.
Last edited by 151tom on Fri Nov 23, 2018 12:18 pm, edited 1 time in total.

User avatar
Fred Barclay
Level 12
Level 12
Posts: 4215
Joined: Sat Sep 13, 2014 11:12 am
Location: Swimming

Re: Firefox 60.0 and Firejail

Post by Fred Barclay »

majpooper wrote:
Sat May 12, 2018 4:21 pm
Fred, as firejail SME can you please provide guidance as to the recommended solution until release 0.9.54
Yes, of course. :) I've only tested this on Mint 18.3, but I imagine the process will be similar for Mint 17.x. Please make sure to close all Firefox windows before testing.

Save the following in ~/.config/firejail/firefox.profile. If you're not sure your firejail version, run firejail --version in terminal.
1. For firejail 0.9.38 users:

Code: Select all

# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
noblacklist ${HOME}/.mozilla
include /etc/firejail/disable-mgmt.inc
include /etc/firejail/disable-secret.inc
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
caps.drop all
seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
protocol unix,inet,inet6,netlink
netfilter
# tracelog
noroot
whitelist ${DOWNLOADS}
whitelist ~/.mozilla
whitelist ~/.cache/mozilla/firefox
whitelist ~/dwhelper
whitelist ~/.zotero
whitelist ~/.lastpass
whitelist ~/.vimperatorrc
whitelist ~/.vimperator
whitelist ~/.pentadactylrc
whitelist ~/.pentadactyl
whitelist ~/.keysnail.js
whitelist ~/.config/gnome-mplayer
whitelist ~/.cache/gnome-mplayer/plugin
include /etc/firejail/whitelist-common.inc

# experimental features
#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
2. Firejail 0.9.52 users should be good with

Code: Select all

# Firejail profile for firefox
# This file is overwritten after every install/update
# Persistent local customizations
include /etc/firejail/firefox.local
# Persistent global definitions
include /etc/firejail/globals.local

noblacklist ${HOME}/.cache/mozilla
noblacklist ${HOME}/.config/okularpartrc
noblacklist ${HOME}/.config/okularrc
noblacklist ${HOME}/.config/qpdfview
noblacklist ${HOME}/.kde/share/apps/kget
noblacklist ${HOME}/.kde/share/apps/okular
noblacklist ${HOME}/.kde/share/config/kgetrc
noblacklist ${HOME}/.kde/share/config/okularpartrc
noblacklist ${HOME}/.kde/share/config/okularrc
noblacklist ${HOME}/.kde4/share/apps/kget
noblacklist ${HOME}/.kde4/share/apps/okular
noblacklist ${HOME}/.kde4/share/config/kgetrc
noblacklist ${HOME}/.kde4/share/config/okularpartrc
noblacklist ${HOME}/.kde4/share/config/okularrc
# noblacklist ${HOME}/.local/share/gnome-shell/extensions
noblacklist ${HOME}/.local/share/okular
noblacklist ${HOME}/.local/share/qpdfview
noblacklist ${HOME}/.mozilla
noblacklist ${HOME}/.pki

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-programs.inc

mkdir ${HOME}/.cache/mozilla/firefox
mkdir ${HOME}/.mozilla
mkdir ${HOME}/.pki
whitelist ${DOWNLOADS}
whitelist ${HOME}/.cache/gnome-mplayer/plugin
whitelist ${HOME}/.cache/mozilla/firefox
whitelist ${HOME}/.config/gnome-mplayer
whitelist ${HOME}/.config/okularpartrc
whitelist ${HOME}/.config/okularrc
whitelist ${HOME}/.config/pipelight-silverlight5.1
whitelist ${HOME}/.config/pipelight-widevine
whitelist ${HOME}/.config/qpdfview
whitelist ${HOME}/.kde/share/apps/kget
whitelist ${HOME}/.kde/share/apps/okular
whitelist ${HOME}/.kde/share/config/kgetrc
whitelist ${HOME}/.kde/share/config/okularpartrc
whitelist ${HOME}/.kde/share/config/okularrc
whitelist ${HOME}/.kde4/share/apps/kget
whitelist ${HOME}/.kde4/share/apps/okular
whitelist ${HOME}/.kde4/share/config/kgetrc
whitelist ${HOME}/.kde4/share/config/okularpartrc
whitelist ${HOME}/.kde4/share/config/okularrc
whitelist ${HOME}/.keysnail.js
whitelist ${HOME}/.lastpass
whitelist ${HOME}/.local/share/gnome-shell/extensions
whitelist ${HOME}/.local/share/okular
whitelist ${HOME}/.local/share/qpdfview
whitelist ${HOME}/.mozilla
whitelist ${HOME}/.pentadactyl
whitelist ${HOME}/.pentadactylrc
whitelist ${HOME}/.pki
whitelist ${HOME}/.vimperator
whitelist ${HOME}/.vimperatorrc
whitelist ${HOME}/.wine-pipelight
whitelist ${HOME}/.wine-pipelight64
whitelist ${HOME}/.zotero
whitelist ${HOME}/dwhelper
include /etc/firejail/whitelist-common.inc
include /etc/firejail/whitelist-var-common.inc

caps.drop all
# machine-id breaks pulse audio; it should work fine in setups where sound is not required
#machine-id
netfilter
nodvd
nogroups
nonewprivs
noroot
notv
protocol unix,inet,inet6,netlink
seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
shell none
# tracelog

disable-mnt
# firefox requires a shell to launch on Arch.
# private-bin firefox,which,sh,dbus-launch,dbus-send,env,bash
private-dev
# private-etc below works fine on most distributions. There are some problems on CentOS.
# private-etc iceweasel,ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
private-tmp

noexec ${HOME}
noexec /tmp
If you want to experiment you could try not commenting the tracelog line (remove the #). I didn't experience any problems with this line uncommented in my testing, but we've received reports that it is problematic so I commented it above just to be safe.

The reason there are so many "correct" ways floating around is that firejail sets up the sandbox by evaluating arguments in the following order:
1. Command-line parameters (--ignore=seccomp, for example) take precedence in any case
2. Next, if there's a suitable profile in ~/.config/firejail/, it's evaluated.
3. If not, if there's a suitable profile in /etc/firejail/, it's evaluated

So, while the two culprits here are the seccomp and tracelog parameters, there's many different ways to disable them - command line, ./config/firejail/, or editing the base profile in /etc/firejail/ directly (which I do not generally recommend).

We've also made a change in firejail 0.9.54 and introduced the file firefox-common.profile after noticing browsers with a Mozilla heritage shared many of the same sandboxing options. You will not see this file, and you should not try to create it, unless you are running 0.9.54. ;)

Cheers!
Fred
Image
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein

User avatar
Pjotr
Level 21
Level 21
Posts: 14362
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)
Contact:

Re: Firefox 60.0 and Firejail

Post by Pjotr »

Just tested Firejail 0.9.54~rc2_1 on my Bionic box (Xubuntu). Works fine with Firefox 60 now.... :)

64-bit installer:
https://sourceforge.net/projects/fireja ... b/download

32-bit installer:
https://sourceforge.net/projects/fireja ... b/download

Note: having a previous version of Firejail installed, might cause installation failure. So first remove your current, older Firejail:

Code: Select all

sudo apt-get purge firejail
Tip: 10 things to do after installing Linux Mint 19.3 Tricia
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

Post Reply

Return to “Software & Applications”