Closed AloisJanicek closed 4 years ago
I just got it to work; it boils down essentially to three issues:

1. In `/etc/firejail/chromium.profile`, the file `chromium.local` is included. This file has the following `private-etc` declaration:

   `private-etc firejail,passwd,group,hostname,hosts,nsswitch.conf,resolv.conf,gtk-2.0,gtk-3.0,fonts,mime.types,asound.conf,pulse,localtime`

   which somehow prevents KDE's kio or xdg from correctly determining the default application for `org-protocol://`. I disabled this include, but it would definitely be better to add what is needed instead of disabling it completely.

2. Disabling `apparmor` support allowed my script to be executed by `bash`. Again, it would be better to somehow whitelist this functionality.

3. Finally, whitelisting the script location was needed:

   `whitelist ${HOME}/.local/bin/emacs-capture`
Maybe `xdg` fixes the `private-etc` issue. https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template#L155-L166

Sadly, just adding the `xdg` folder to `private-etc` didn't fix it.

edit: it actually worked, see below
In order to make it work with AppArmor you may try using `Exec=bash $HOME/.local/bin/emacs-capture "%u"` in `emacs-capture.desktop`.
Thank you both, I got it working without compromising security. `exec=bash` was essential for `apparmor`, and adding `xdg` to `private-etc` for `xdg-open`. Now my `~/.config/firejail/chromium` is simple:

```
include /etc/firejail/chromium.profile
whitelist ${HOME}/.local/bin/emacs-capture
private-etc xdg,firejail,passwd,group,hostname,hosts,nsswitch.conf,resolv.conf,gtk-2.0,gtk-3.0,fonts,mime.types,asound.conf,pulse,localtime
```

Can I append to the `private-etc` declaration instead of copying and editing it?
> Can I append to the `private-etc` declaration instead of copying and editing it?

Try it out :wink:. It should work.

BTW: If you use `~/.config/firejail/chromium.local` instead of `~/.config/firejail/chromium.profile`, you can skip the `include /etc/firejail/chromium.profile` line.
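An added example for the "append instead of copy" question and the reply above; it is not code from the firejail project or from anyone in this thread. The POSIX shell script below follows a profile's `include` chain and prints the effective merged `private-etc` list, and it flags `ignore apparmor` / `ignore private-etc` lines (firejail's `ignore` directive, assumed here to be how the first workaround dropped those protections). It assumes, as the reply suggests, that firejail merges repeated `private-etc` lines rather than keeping only the last one; the profile files it reads are constructed samples written to a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the firejail project or from this thread.
# Resolves a profile's "include" chain and reports the effective private-etc
# list, so an appended private-etc line in chromium.local can be checked
# before launching the sandbox. Assumes firejail merges multiple private-etc
# lines (as the reply in the thread suggests) instead of replacing them.
set -eu
export LC_ALL=C

# Walk include directives (relative paths resolve against the including
# file's directory) and print every private-etc value found.
collect_private_etc() {
    [ -r "$1" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            include\ /*) collect_private_etc "${line#include }" ;;
            include\ *)  collect_private_etc "$(dirname "$1")/${line#include }" ;;
            private-etc\ *) printf '%s\n' "${line#private-etc }" ;;
        esac
    done < "$1"
}

# Effective list: union of all private-etc entries, sorted and de-duplicated.
merge_private_etc() {
    collect_private_etc "$1" | tr ',' '\n' | grep -v '^$' | sort -u | paste -s -d ',' -
}

# Directives that weaken the sandbox the way the thread's first workaround did
# (dropping AppArmor confinement or the /etc whitelist entirely).
weakening_directives() {
    grep -E '^ignore (apparmor|private-etc)$' "$1" || true
}

# Constructed sample profiles mirroring the thread's final setup.
make_sample_profiles() {
    d=$(mktemp -d)
    cat > "$d/chromium.profile" <<'EOF'
include chromium.local
private-etc firejail,passwd,group,hostname,hosts,nsswitch.conf,resolv.conf,gtk-2.0,gtk-3.0,fonts,mime.types,asound.conf,pulse,localtime
apparmor
EOF
    cat > "$d/chromium.local" <<'EOF'
whitelist ${HOME}/.local/bin/emacs-capture
private-etc xdg
EOF
    printf 'ignore apparmor\nignore private-etc\n' > "$d/weak.local"
    printf '%s\n' "$d"
}

dir=$(make_sample_profiles)
echo "effective private-etc: $(merge_private_etc "$dir/chromium.profile")"
echo "weakening directives in weak.local: $(weakening_directives "$dir/weak.local" | tr '\n' ';')"
```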
@AloisJanicek I'm closing here due to inactivity, please feel free to reopen if you have more questions.
System information

- Arch Linux
- default kernel
- firejail-git
- desktop: KDE Plasma 5.16.5
- KDE Applications: 19.08
- KDE Frameworks 5.61
- chromium 76.0.3809.132

```
firejail version 0.9.61

Compile time support:
	- AppArmor support is enabled
	- AppImage support is enabled
	- chroot support is enabled
	- file and directory whitelisting support is enabled
	- file transfer support is enabled
	- firetunnel support is enabled
	- networking support is enabled
	- overlayfs support is enabled
	- private-home support is enabled
	- seccomp-bpf support is enabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled

$ aa-enabled
Yes

$ uname -a
Linux 5.2.13-arch1-1-ARCH #1 SMP PREEMPT Fri Sep 6 17:52:33 UTC 2019 x86_64 GNU/Linux
```

Background info
In chromium, I am using this little user script to generate URLs which start with `org-protocol://` to capture URLs into emacs (the following setup is based on org-capture-extension's README).

I have a `~/.local/share/applications/emacs-capture.desktop` file which points to the `~/.local/bin/emacs-capture` bash script. `emacs-capture.desktop` looks like this (I omitted irrelevant lines):

and the `emacs-capture` script like this:

This setup works flawlessly without `firejail` and delivers the URL from the browser to emacs.

Issue

With `firejail` I get the following error popup when trying to open an `org-protocol` URL:

So I started to investigate and for now ended up with `~/.config/firejail/chromium.profile` like this:

Now I am able to successfully execute `xdg-open URL` or `kioclient5 exec URL` when joining chromium's firejail jail on the command line, but it still doesn't work from the running chromium GUI itself. For example, commands like this work as expected:

Questions

Why is this working on the command line and not from the application itself? Is there something I can change in the configuration to get this working?