Firejailing Falkon browser: how can I make it work?


Post by Sir Charles »

Hello community,
I have tried to sandbox my Falkon browser (formerly called Qupzilla) with Firejail. I have used the following profile:

Code:

# Firejail profile for falkon
# This file is overwritten after every install/update
# Persistent local customizations
#include /etc/firejail/falkon.local
# Persistent global definitions
include /etc/firejail/globals.local

#noblacklist ${HOME}/.cache/falkon
#noblacklist ${HOME}/.config/falkon

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc

whitelist ${DOWNLOADS}
whitelist ~/.cache/falkon
whitelist ~/.config/falkon
include /etc/firejail/whitelist-common.inc
include /etc/firejail/whitelist-var-common.inc

caps.drop all
netfilter
nodvd
nogroups
nonewprivs
noroot
notv
protocol unix,inet,inet6,netlink
seccomp
tracelog

private-dev
private-temp

noexec ${HOME}
noexec /temp

from here but running firejail falkon in a terminal results in:

Code:

Reading profile /etc/firejail/falkon.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Error: line 34 in /etc/firejail/falkon.profile is invalid

Trying to comment out line 34 (which I am not sure at all if it is something I should do) and running firejail falkon again, I get:

Code:

Reading profile /etc/firejail/falkon.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 12207, child pid 12208
Blacklist violations are logged to syslog
Child process initialized in 213.60 ms
Qt: Session management error: Authentication Rejected, reason : None of the authentication protocols specified are supported and host-based authentication failed
[7:7:0615/114050.922151:FATAL:zygote_host_impl_linux.cc(196)] Check failed: ReceiveFixedMessage(fds[0], kZygoteHelloMessage, sizeof(kZygoteHelloMessage), &real_pid). 
#0 0x7f0d15e1baee <unknown>
#1 0x7f0d15e2e0e2 <unknown>
#2 0x7f0d15a38a9b <unknown>
#3 0x7f0d15a37b56 <unknown>
#4 0x7f0d15a380fe <unknown>
#5 0x7f0d156e3d55 <unknown>
#6 0x7f0d156e7262 <unknown>
#7 0x7f0d154d5a9b <unknown>
#8 0x7f0d154d6bd5 <unknown>
#9 0x7f0d1546b4f1 QtWebEngineCore::BrowserContextAdapter::defaultContext()
#10 0x7f0d1c4a36b5 QWebEngineProfile::defaultProfile()
#11 0x7f0d1e0d872d MainApplication::MainApplication()
#12 0x55a26a6d8495 <unknown>
#13 0x7f0d1c8e2b97 __libc_start_main
#14 0x55a26a6d87da <unknown>


Parent is shutting down, bye...

Code:

firejail version 0.9.52
falkon version 3.0.0

I don't know how to proceed any further. I appreciate greatly any help and instruction in order to make this work.
Thanks in advance!
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
Re: Firejailing Falkon browser: how can I make it work?

Post by catweazel »

Marziano wrote: Fri Jun 15, 2018 5:51 am I have tried to sandbox my Falkon browser (formerly called Qupzilla) with Firejail. I have used the following profile:
Try this profile: https://github.com/netblue30/firejail/issues/1794

Edit: At a quick glance it looked different but at a second look it appears it might be essentially the same.

Re: Firejailing Falkon browser: how can I make it work?

Post by Sir Charles »

Hi catweazel,

Thanks for the reply!

The profile I used first was linked to by Fred Barclay just a bit further down the same page so I tested it first. Now I have tried the "new" profile but unfortunately, I get more or less the same error messages as above. Something is not quite right and I cannot pinpoint what it is.

Re: Firejailing Falkon browser: how can I make it work?

Post by Sir Charles »

Update:

Using the following profile for Falkon from Firejail 0.9.54:

Code:

# Firejail profile for falkon
# This file is overwritten after every install/update
# Persistent local customizations
include /etc/firejail/falkon.local
# Persistent global definitions
include /etc/firejail/globals.local

noblacklist ${HOME}/.cache/falkon
noblacklist ${HOME}/.config/falkon

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-interpreters.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc

whitelist ${DOWNLOADS}
whitelist ~/.cache/falkon
whitelist ~/.config/falkon
include /etc/firejail/whitelist-common.inc
include /etc/firejail/whitelist-var-common.inc

caps.drop all
netfilter
nodvd
nogroups
nonewprivs
noroot
notv
protocol unix,inet,inet6,netlink
# blacklisting of chroot system calls breaks falkon
seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
# tracelog

private-dev
# private-tmp - interferes with the opening of downloaded files

noexec ${HOME}
noexec /tmp

I get the following error:

Code:

~ $ firejail falkon
Reading profile /etc/firejail/falkon.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Error: cannot access profile file
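
Both load errors in this thread can be checked without starting the browser: the "line N" in the parser error counts comments and blank lines (line 34 of the first profile as posted is "private-temp"), and "cannot access profile file" appears right after the last include that was read. The script below is an added example, not code from the thread or from the Firejail project; it assumes include targets are written as absolute paths, as in the profiles above, and every file in its demo is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: two checks for a Firejail profile that
# fails to load. Paths and file contents below are constructed sample data.

# show_line PROFILE N: print line N exactly as the parser counts it
# (comments and blank lines included), for "line N ... is invalid" errors.
show_line() {
    sed -n "${2}p" "$1"
}

# check_includes PROFILE: print "LINE: PATH" for every active include whose
# target is unreadable; return 1 if any were found, 0 otherwise.
check_includes() {
    lineno=0
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            "include "*) path=${line#include } ;;
            *) continue ;;          # skips "#include", directives, blanks
        esac
        if [ ! -r "$path" ]; then
            echo "$lineno: $path"
            status=1
        fi
    done < "$1"
    return "$status"
}

# make_demo: build a constructed profile in a temp dir and print the dir name.
make_demo() {
    d=$(mktemp -d)
    : > "$d/disable-common.inc"
    : > "$d/disable-devel.inc"
    cat > "$d/demo.profile" <<EOF
# constructed sample profile
include $d/disable-common.inc
include $d/disable-devel.inc
include $d/disable-interpreters.inc
#include $d/demo.local
caps.drop all
private-temp
EOF
    echo "$d"
}

demo=$(make_demo)
show_line "$demo/demo.profile" 7
check_includes "$demo/demo.profile" || true
rm -rf "$demo"
```

Against an installed profile, call check_includes /etc/firejail/falkon.profile and show_line /etc/firejail/falkon.profile 34.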