You are not logged in.

#1 2021-02-11 14:32:00

serat
Member
Registered: 2020-01-19
Posts: 13

[solved] firejail: firefox missing profile with profile sync daemon

Hi,
I use firefox inside a firejail. And I have enabled profile sync daemon (psd) to cache the browser profiles, including the firefox profiles.

After a recent update (possibly in the last month or so), firefox fails to start and complains about missing profiles.

I traced the problem to firejail failing to mount /run/user/$UID/firefox.main-profile (which is created by psd) inside the firejail. firefox (with firejail) starts up correctly if psd is stopped.

Is there any way to explicitly ask firejail to allow access to the /run/user/$UID/firefox.main-profile. Whitelisting it does not seem to work.

Last edited by serat (2021-02-18 06:53:27)

Offline

#2 2021-02-11 18:44:03

qinohe
Member
From: Netherlands
Registered: 2012-06-20
Posts: 1,229

Re: [solved] firejail: firefox missing profile with profile sync daemon

I'm not sure if you suffer the same issue I have / had, you can try:
put this in firefox.local (~/.config/firejail/)

ignore include whitelist-runuser-common.inc

and let me know if that works.

Offline

#3 2021-02-18 06:52:48

serat
Member
Registered: 2020-01-19
Posts: 13

Re: [solved] firejail: firefox missing profile with profile sync daemon

It works!! Thank you so much.

Last edited by serat (2021-02-19 02:15:22)

Offline

#4 2021-02-18 07:34:30

qinohe
Member
From: Netherlands
Registered: 2012-06-20
Posts: 1,229

Re: [solved] firejail: firefox missing profile with profile sync daemon

Yes I thought so, but,  This means you have worked around a know issue,for now.
You might want to take a look at this post on firejail issue tracker (see) https://github.com/netblue30/firejail/issues/3952
There's also a bugreport on Arch, it'll lead you to a different report on github (see) https://bugs.archlinux.org/task/69523
So, as you can see, it's not solved, just a workaround.

Offline

#5 2021-02-19 02:20:15

serat
Member
Registered: 2020-01-19
Posts: 13

Re: [solved] firejail: firefox missing profile with profile sync daemon

Thanks.

Instead of

ignore include whitelist-runuser-common.inc

I put the following into ~/config/firejail/firefox.local

noblacklist ${RUNUSER}/*-firefox-*
whitelist ${RUNUSER}/*-firefox-*

And it still works. Anyway, I'll track the issue and see when it gets resolved.

Offline

#6 2021-02-19 04:07:54

qinohe
Member
From: Netherlands
Registered: 2012-06-20
Posts: 1,229

Re: [solved] firejail: firefox missing profile with profile sync daemon

@serat, if that's the only thing you've done .. read the bug report again!
Also the reason why this is a good idea to add, I won't judge anything but if you want to be sure, you can ask in my issue on github;-)
Anyway,the reason I added these lines + one in global.local is to harden psd on advice of glitsj16.

I can also live without the 'ignore' line in my 'FF.local' but not because those to lines were added!
Something has changed on either FF or Arch which made that line unnecessary(I have not been able to figure out what)
Anyway, be sure to read the reports again is my advice..

Offline

#7 2021-02-20 04:34:09

serat
Member
Registered: 2020-01-19
Posts: 13

Re: [solved] firejail: firefox missing profile with profile sync daemon

Not sure if I understand. Is it because your psd is also running in a firejail that you added the "ignore" line in your globals.local? 

For me, only FF is running in a firejail.

Offline

#8 2021-02-20 05:41:50

qinohe
Member
From: Netherlands
Registered: 2012-06-20
Posts: 1,229

Re: [solved] firejail: firefox missing profile with profile sync daemon

Well, that's why you should have read my bug report( the one on Arch) carefully, at least the last 7 posts made to it!
You then would've noticed I figured out the real problem for FF at that moment was that specific 'include whitelist-runuser-common.inc' list.

Now mostly you don't need to tweak anything, if you do have to(which wont occur regularly) you do that in the locals.
The specific rules you have added were put there as an advice to harden Firefox while using 'psd - profile-sync-daemon' by a Firejail enthusiast / developer.

What I want to say is I don't know the exact impact if you simply add these rules but wouldn't need them.
My knowledge in Firejail goes a while, I can write a profile for a program but to understand it by full, I'm still busy with that.
So if you don't know the exact impact of some rules, you should at least find out why you're going to use it or you may potentially weaken hardening instead of strengthen it, although you can never get any weaker than the point you started from which of course is a big plus. Firejail is not like a firewall which can actually weaken security(luckily)
By reading you're last message I felt I needed to write this, what you do with it in the end is your choice;-)

Offline

Board footer

Powered by FluxBB