I've often struggled with a particular use-case of firejail: I use it to lock down firefox, but often firefox needs to communicate with other apps (e.g. opening zoom meetings, opening links in Slack). I'm going to use Slack as the example here, because I often want to open Slack on its own, but sometimes I click a link which should open in Slack.
So, I have a `.local/share/applications` folder with `firefox.desktop` and `slack.desktop` both with the same sort of `Exec=` block (`firejail --apparmor firefox %u` and `firejail --apparmor slack -s %u`).
For some reason, opening apps from rofi (using the .desktop files) gives me completely different instances with different state to opening them from inside each other and I do not understand how to resolve this. Here's an example:
1. I open firefox from an i3 shortcut (which just runs `firejail --apparmor firefox`)
2. I open slack from rofi (which just uses the .desktop file)
3. If I check `firejail --list` I see:

```
~ > firejail --list
35913:gideon::firejail --apparmor firefox
41073:gideon::firejail --apparmor slack -s
```

So far, so good.
4. Slack isn't signed in, so I click "sign in" equivalent, and it opens firefox, but a different firefox instance because that firefox instance is not logged into any of the things the one opened in (1) is logged into. If I use `ps faux` to see what's going on I get this:
```
gideon 41073 0.0 0.0 4532 2716 ? S 18:47 0:00 firejail --apparmor slack -s
gideon 41074 0.0 0.0 6148 3024 ? S 18:47 0:00 \_ firejail --apparmor slack -s
gideon 41112 0.5 0.3 1459705408 206796 ? Sl 18:47 0:00 \_ slack -s
gideon 41115 0.0 0.0 34115952 59264 ? S 18:47 0:00 | \_ /usr/lib/slack/slack --type=zygote --no-zygote-sandbox
gideon 41152 0.4 0.5 34673300 329440 ? Sl 18:47 0:00 | | \_ /usr/lib/slack/slack --type=zygote --no-zygote-sandbox
gideon 41116 0.0 0.0 34115936 59904 ? S 18:47 0:00 | \_ /usr/lib/slack/slack --type=zygote
gideon 41118 0.0 0.0 34115964 13688 ? S 18:47 0:00 | | \_ /usr/lib/slack/slack --type=zygote
gideon 41236 0.8 0.3 1461621364 214936 ? Sl 18:47 0:01 | | \_ /usr/lib/slack/slack --type=zygote
gideon 41169 0.0 0.1 33919996 83012 ? Sl 18:47 0:00 | \_ /proc/self/exe --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --crashpad-handler-pid=60 --enable-crash-reporter=<stuff>
gideon 45556 0.0 0.0 9068 5484 ? S 18:49 0:00 | \_ /bin/sh /usr/local/bin/xdg-open https://myworkspace.slack.com/ssb/signin_redirect?<params>
gideon 45685 10.4 0.9 3533584 619940 ? Sl 18:49 0:04 | \_ /usr/lib/firefox/firefox https://myworkspace.slack.com/ssb/signin_redirect?<params>
```

and `firejail --list` still shows the same two instances as before (so now firefox is nested inside slack rather than Slack communicating with the original firefox instance):

```
~ > firejail --list
35913:gideon::firejail --apparmor firefox
41073:gideon::firejail --apparmor slack -s
```

5. Alright, so it's going to be a bit obtuse -- I copy the URL from the page it opens in the wrong firefox instance into the "good" firefox instance and it opens yet another Slack instance. And now, when I look at `ps faux` it shows this slack instance is nested inside the original firefox instance opened in (1)!
I have created some custom firejail configs for these apps to try to get them to talk to each other but this does not seem to be working:
firefox.local

```
# Whitelist aerc HTML emails
whitelist /tmp/aerc-*
# Whitelist public folder
whitelist ${HOME}/public
# Give access to some binaries
private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which,zoom,xdg-open,grep,sed,slack,aerc,ffmpeg
# Allow firefox to inhibit screensavers
dbus-user.talk org.freedesktop.ScreenSaver
# Give firefox access to common programmes/addons/plugins
include firefox-common-addons.profile
```

slack.local

```
# Make it possible to interact with other programmes
private-bin bash,dbus-launch,dbus-send,env,xdg-open,xdg-mime,grep,sed,firefox,sh,which,zoom
# https://github.com/netblue30/firejail/issues/2946
seccomp !chroot
```

I have found this super-duper confusing so if anyone knows what is going on / how to make programmes interact in an intuitive way while still using firejail to sandbox them then I would love a steer.
Last edited by gtf21 (2025-04-03 18:00:32)
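The nesting described in steps 4 and 5 can be confirmed from the process tree rather than from `firejail --list` alone. The Python below is an added diagnostic, not part of the post or of firejail: it parses `ps -eo pid,ppid,args` output, walks each process up to the outermost `firejail` launcher, and flags any app that has a sandbox of its own but is running inside a sandbox started for a different program. The sample table is constructed from the PIDs in the post, and the target-program heuristic assumes launch commands shaped like `firejail --apparmor <app>`.

```python
import re
# Constructed sample in `ps -eo pid,ppid,args` form with the post's PIDs: firefox sandbox
# 35913, slack sandbox 41073, and the second firefox (45685) xdg-open started inside slack.
SAMPLE_PS = """\
  PID  PPID COMMAND
35913     1 firejail --apparmor firefox
35914 35913 firejail --apparmor firefox
35950 35914 /usr/lib/firefox/firefox
41073     1 firejail --apparmor slack -s
41074 41073 firejail --apparmor slack -s
41112 41074 slack -s
45556 41112 /bin/sh /usr/local/bin/xdg-open https://myworkspace.slack.com/ssb/signin_redirect
45685 41112 /usr/lib/firefox/firefox https://myworkspace.slack.com/ssb/signin_redirect
"""

def parse_ps(text: str) -> dict:
    """Return {pid: (ppid, command)}; the header line does not match and is skipped."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\d+)\s+(.*)", line)
        if m:
            procs[int(m.group(1))] = (int(m.group(2)), m.group(3).strip())
    return procs

def sandbox_of(pid: int, procs: dict):
    """PID of the outermost `firejail` launcher above pid, or None if unsandboxed."""
    root, cur = None, procs[pid][0]
    while cur in procs:               # stop once the parent is not in the table
        ppid, cmd = procs[cur]
        if cmd.startswith("firejail "):
            root = cur                # keep walking: the outermost launcher wins
        cur = ppid
    return root

def sandbox_target(cmd: str) -> str:
    """Program firejail was asked to run: first non-option argument (assumes options take no separate value)."""
    return next((t for t in cmd.split()[1:] if not t.startswith("-")), "")

def misplaced(procs: dict) -> list:
    """Apps with a sandbox of their own that are running inside another app's sandbox."""
    targets = {sandbox_target(c) for _, c in procs.values() if c.startswith("firejail ")}
    found = []
    for pid, (_, cmd) in procs.items():
        if cmd.startswith("firejail "):
            continue
        prog = cmd.split()[0].rsplit("/", 1)[-1]   # basename of argv[0]
        box = sandbox_of(pid, procs)
        if box is not None and prog in targets and prog != sandbox_target(procs[box][1]):
            found.append((pid, prog, box, procs[box][1]))
    return found
```

On a live system, feed it `subprocess.check_output(["ps", "-eo", "pid,ppid,args"], text=True)` instead of `SAMPLE_PS`; the flagged firefox (45685 inside the slack sandbox) is the one running under slack's profile restrictions rather than firefox's.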