netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

google-chrome: real home is accessible with --private= (dbus) #5246

Closed lukypko closed 2 years ago

lukypko commented 2 years ago

Description

google-chrome is able to access the file list when using the --private=FOLDER option.

Steps to Reproduce

Expected behavior

When specifying the command line option --private=$FOLDER, only files from $FOLDER should be visible in the $HOME folder, and "recently opened files" should be only from $FOLDER (if there were some files opened previously).

It looks like the issue is in the "open file dialog", which has access to all files in my $HOME folder.

Actual behavior

When specifying the command line option --private=$FOLDER, all files from the $HOME folder are visible in the "open file dialog" and I can select a file. google chrome then displays an error that the file is not readable. When trying to upload some file to virustotal, the file is uploaded successfully, but the file size is 0 bytes (just to check whether it is possible to read and upload a file using JavaScript).

When opening the home folder as a URL in google-chrome (/home/luky in my case), I see just the expected content of my $FOLDER, so this works correctly too.

Running without any profiles

```
firejail --private=`pwd` --noprofile /usr/bin/google-chrome-stable
Parent pid 3458157, child pid 3458158
Child process initialized in 35.11 ms
[4:109:0712/112101.841338:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.DBus.Properties.Get: object_path= /org/freedesktop/UPower: org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.UPower was not provided by any .service files
[4:109:0712/112101.841744:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.UPower.GetDisplayDevice: object_path= /org/freedesktop/UPower: org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.UPower was not provided by any .service files
[4:109:0712/112101.842103:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.UPower.EnumerateDevices: object_path= /org/freedesktop/UPower: org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.UPower was not provided by any .service files
Fontconfig error: Cannot load default config file: No such file: (null)
```

Running using the existing profiles

```
firejail --private=`pwd` /usr/bin/google-chrome-stable
Reading profile /etc/firejail/google-chrome-stable.profile
Reading profile /etc/firejail/google-chrome.profile
Reading profile /etc/firejail/chromium-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 3460196, child pid 3460197
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Child process initialized in 611.12 ms
[4:38:0712/120310.381051:ERROR:bus.cc(398)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[4:38:0712/120310.381297:ERROR:bus.cc(398)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[4:107:0712/120310.967129:ERROR:bus.cc(398)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[4:107:0712/120310.967196:ERROR:bus.cc(398)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[4:107:0712/120310.967274:ERROR:bus.cc(398)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[4:107:0712/120310.969111:ERROR:bus.cc(398)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[4:107:0712/120310.969213:ERROR:bus.cc(398)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
Fontconfig error: Cannot load default config file: No such file: (null)

Parent is shutting down, bye...
```

Additional context

Maybe it is related just to the open file dialog and its caching, because when I click on an image file in the "open file dialog", on the right side I see a small image preview. So it looks like the "open file dialog" is able to access the file list and read file content to make a small image preview, but google-chrome itself cannot access the file content (as it is running with the --private=FOLDER command line option).

firefox is using the same "open file dialog" and when I run:

```
firejail --private=$(pwd) --noprofile firefox --no-remote
```

then the "open file dialog" in firefox is not showing files from the original $HOME folder, it is showing files from --private=$FOLDER, which is correct behavior.

So it looks like google-chrome is using the "open file dialog" in a different way and can escape from the firejail container, which is wrong.

Environment

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=21.04
DISTRIB_CODENAME=hirsute
DISTRIB_DESCRIPTION="Ubuntu 21.04"

kernel

Linux lukynb 5.11.0-40-generic #44-Ubuntu SMP Wed Oct 20 16:16:42 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
firejail version 0.9.70

Compile time support:
    - always force nonewprivs support is disabled
    - AppArmor support is enabled
    - AppImage support is enabled
    - chroot support is enabled
    - D-BUS proxy support is enabled
    - file transfer support is enabled
    - firetunnel support is enabled
    - IDS support is disabled
    - networking support is enabled
    - output logging is enabled
    - overlayfs support is disabled
    - private-home support is enabled
    - private-cache and tmpfs as user enabled
    - SELinux support is disabled
    - user namespace support is enabled
    - X11 sandboxing support is enabled

Checklist

Log

Output of LC_ALL=C firejail --private=`pwd` --noprofile /usr/bin/google-chrome-stable

```
Parent pid 3458157, child pid 3458158
Child process initialized in 35.11 ms
[4:109:0712/112101.841338:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.DBus.Properties.Get: object_path= /org/freedesktop/UPower: org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.UPower was not provided by any .service files
[4:109:0712/112101.841744:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.UPower.GetDisplayDevice: object_path= /org/freedesktop/UPower: org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.UPower was not provided by any .service files
[4:109:0712/112101.842103:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.UPower.EnumerateDevices: object_path= /org/freedesktop/UPower: org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.UPower was not provided by any .service files
Fontconfig error: Cannot load default config file: No such file: (null)
```

Output of LC_ALL=C firejail --debug --private=`pwd` --noprofile /usr/bin/google-chrome-stable


rusty-snake commented 2 years ago

chromium* uses portals for its file dialog.

Related/Duplicate of: #5032.

rusty-snake commented 2 years ago

firefox: Set widget.use-xdg-desktop-portal.file-picker=1 on about:config and you get the same.

lukypko commented 2 years ago

OK, I can confirm that when I set widget.use-xdg-desktop-portal.file-picker=1 in firefox, then firefox (immediately, without a restart) is showing the content of the $HOME folder, so it behaves exactly the same as google-chrome.

It works without a package use-xdg-desktop-portal installed.

So I guess, it is not a plan to support that in a firejail, actually "the application" cannot access file content, just the "file picker".

Some other links:

Support portals
https://forum.manjaro.org/t/browsers-like-firefox-require-xdg-desktop-portal-package-to-use-os-default-file-manager/106933
https://bugzilla.mozilla.org/show_bug.cgi?id=1285711#c31
https://forum.manjaro.org/t/set-nemo-as-default-filemanager/83387/8

rusty-snake commented 2 years ago

> it is not a plan to support that in a firejail

  1. It would be more work than we have development power at firejail side at the moment.
  2. It needs to be supported by x-d-p.

see also #4716

marcalia commented 2 years ago

I have the same problem with google-chrome running in firejail on debian 11 (xfce4) using the option --private=folder. Trying to upload a file via the dialogue results in an error complaining about a 0 byte file. Workaround: Opening a file via file://... in the address bar, this shows the intended folder structure, and copying the address into the upload dialogue by opening the input field via ctrl+l leads to a successful upload.

wonbug commented 1 year ago

To pile on, I'm having a similar issue with google-chrome on Ubuntu 22.04.2 LTS. I confirmed it's running firejailed, yet the application is able to see the entirety of my disk, including the root directory. On a previous installation, it can only access the Downloads directory as one would expect. Do I need to take additional steps to limit what files Chrome can access?
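
Added example, not part of the thread and not firejail's own code: the comments above trace the file dialog to xdg-desktop-portal, a session D-Bus service that runs outside the sandbox, so `--private` does not constrain what it lists. The Python audit below checks a flattened list of firejail options for whether the portal's bus name is reachable and whether the abstract-socket warning from the log applies. Assumptions: includes are already expanded, the strictest `dbus-user` policy seen is taken as effective, `talk`/`own`/`call` rules only count under `filter`, and the option lists in `SAMPLES` are constructed.

```python
"""Audit firejail options for session-bus access to xdg-desktop-portal (added example)."""

PORTAL = "org.freedesktop.portal.Desktop"   # bus name that serves the portal file chooser
RANK = {"open": 0, "filter": 1, "none": 2}  # assumption: the strictest policy seen wins


def name_matches(pattern, name):
    """'a.b.*' covers 'a.b' and every name below it; anything else is an exact match."""
    if pattern.endswith(".*"):
        base = pattern[:-2]
        return name == base or name.startswith(base + ".")
    return pattern == name


def normalise(line):
    """Map CLI form ('--dbus-user=none') onto profile form ('dbus-user none')."""
    line = line.split("#", 1)[0].strip()
    if line.startswith("--"):
        line = line[2:].replace("=", " ", 1)
    return " ".join(line.split())


def audit(directives):
    """Return the session-bus policy and whether the portal name is reachable."""
    policy, grants, ignored = "open", [], []
    new_netns, protocols = False, None
    for line in map(normalise, directives):
        # An earlier 'ignore X' suppresses later lines that are X or start with 'X '.
        if not line or any(line == i or line.startswith(i + " ") for i in ignored):
            continue
        key, _, arg = line.partition(" ")
        if key == "ignore":
            ignored.append(arg)
        elif key == "dbus-user" and arg in ("filter", "none"):
            if RANK[arg] > RANK[policy]:
                policy = arg
        elif key in ("dbus-user.talk", "dbus-user.own", "dbus-user.call"):
            grants.append(arg.split("=", 1)[0])   # .call rules are NAME=RULE
        elif key == "net":
            new_netns = True                      # new network namespace
        elif key == "protocol":
            protocols = set(arg.split(","))
    # No policy at all leaves the whole session bus, portal included, reachable.
    reachable = policy == "open" or (
        policy == "filter" and any(name_matches(g, PORTAL) for g in grants))
    # The warning in the log: the regular socket is handled, but an abstract one may
    # remain unless a new network namespace is used or 'unix' is dropped from protocol.
    caveat = policy != "open" and not new_netns and (
        protocols is None or "unix" in protocols)
    return {"policy": policy, "portal_reachable": reachable,
            "abstract_socket_caveat": caveat}


# Constructed option lists; the first mirrors the --noprofile run in the report.
SAMPLES = {
    "noprofile": ["--private=/home/user/sandbox", "--noprofile"],
    "blocked": ["dbus-user none", "dbus-system none"],
    "portal-allowed": ["dbus-user filter", "dbus-user.talk org.freedesktop.portal.*"],
    "filtered-no-unix": ["dbus-user filter",
                         "dbus-user.talk org.freedesktop.Notifications",
                         "protocol inet,inet6"],
    "override": ["ignore dbus-user none", "dbus-user none"],
}

if __name__ == "__main__":
    for label, opts in SAMPLES.items():
        print(f"{label:18} {audit(opts)}")
```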