netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

firefox: cannot start directly on Debian 11.6 (low priority) #5680

Open wonbug opened 1 year ago

wonbug commented 1 year ago

Description

Firejailed Firefox can only start with firejail /usr/bin/firefox-esr - running firefox directly after firecfg fails

Steps to Reproduce

Install firejail and firefox from apt. Also tried compiling and installing firejail from source and got the same issue.

Expected behavior

I can run firefox to start Firejailed Firefox on Debian 11.6

Actual behavior

Error: in load: file "/usr/share/uim/lib/sigscheme-init.scm" not found
ExceptionHandler::GenerateDump cloned child 81
ExceptionHandler::SendContinueSignalToChild sent continue signal to child
ExceptionHandler::WaitForContinueSignal waiting for continue signal...

Parent is shutting down, bye...

But firejail /usr/bin/firefox-esr works.

firefox is an alias for /usr/local/bin/firefox which is a symlink to /usr/bin/firejail

Behavior without a profile

Firefox starts and works well as expected.

Additional context

I filed a similar issue previously as https://github.com/netblue30/firejail/issues/5222

Environment

Debian 11.6, dwm window manager, zsh shell, firejail version 0.9.73 (rev C6BBDA)

Log

Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /home/wonbug/.config/firejail/firefox-common.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /home/wonbug/.config/firejail/disable-programs.local
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 2623, child pid 2626
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Child process initialized in 132.20 ms
Warning: an existing sandbox was detected. /usr/bin/firefox-esr will run without any additional sandboxing features
Missing chrome or resource URL: resource://gre/modules/UpdateListener.jsm
Missing chrome or resource URL: resource://gre/modules/UpdateListener.sys.mjs
Error: in load: file "/usr/share/uim/lib/sigscheme-init.scm" not found
ExceptionHandler::GenerateDump cloned child 81
ExceptionHandler::SendContinueSignalToChild sent continue signal to child
ExceptionHandler::WaitForContinueSignal waiting for continue signal...

Parent is shutting down, bye...

glitsj16 commented 1 year ago

> Firejailed Firefox can only start with firejail /usr/bin/firefox-esr - running firefox directly after firecfg fails

> Expected behaviour
>
> I can run firefox to start Firejailed Firefox on Debian 11.6

firefox and firefox-esr are two different browsers. If you installed firefox-esr it makes sense to call that directly by ... firefox-esr and not by firefox. So IMO this is not a firejail/firecfg issue. If you'd prefer to use firefox I guess you could manually change the symlinks under /usr/local/bin to fit your needs. Check our wiki FAQ usage section for reference.

kmk3 commented 1 year ago

So firejail /usr/bin/firefox-esr works but firejail /usr/bin/firefox doesn't?

> Error: in load: file "/usr/share/uim/lib/sigscheme-init.scm" not found
> ExceptionHandler::GenerateDump cloned child 81
> ExceptionHandler::SendContinueSignalToChild sent continue signal to child
> ExceptionHandler::WaitForContinueSignal waiting for continue signal...
>
> Parent is shutting down, bye...

Does it work with the following?

~/.config/firejail/firefox.local:

whitelist /usr/share/uim

~~It looks like include whitelist-usr-share-common.inc is missing from firefox-esr.profile but not from firefox.profile, which should likely have had the opposite effect.~~

Edit: Never mind, firefox-esr.profile includes firefox.profile.

What version of firejail-profiles is installed?

> Reading profile /home/wonbug/.config/firejail/firefox-common.local
> Reading profile /home/wonbug/.config/firejail/disable-programs.local

Does it work when not including the above files?