
How can I whitelist a directory for execution with firejail?

In particular, I would like to execute Firefox Nightly in firejail. But I get the following error:

$ firejail --profile=/etc/firejail/firefox.profile --whitelist=$HOME/software/firefox-nightly ./firefox
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 769552, child pid 769553
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Post-exec seccomp protector enabled
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Child process initialized in 91.60 ms
Exec failed with error: Permission denied

and testing with a shell:

$ firejail --profile=/etc/firejail/firefox.profile --whitelist=$HOME/software/firefox-nightly sh
[...]
$ ls -l firefox
-rwxr-xr-x 1 vinc17 vinc17 16928 2020-05-16 13:22:44 firefox
$ ./firefox
sh: 2: ./firefox: Permission denied

Note: /etc/firejail/disable-exec.inc has noexec ${HOME}. But adding --ignore='noexec ${HOME}' just after firejail has no effect. Moving the directory under /usr/local has no effect either.

vinc17
  • Hi, I'm not sure what the problem is, but I would probably try it with `firejail --noprofile` and see if it works. If so, try commenting out things in `firefox.profile` to try to narrow it down. Also, does firejail work for you with other executables? If so, what is different about this one? – Time4Tea Jul 02 '20 at 14:09

2 Answers


I had the same problem, so I asked on the firejail GitHub repo. Here is the answer I received:

If you want to execute software from inside your home, you need to ignore noexec ${HOME} and ignore apparmor.

cat > ~/.config/firejail/firefox-developer-edition.local <<EOF
ignore noexec ${HOME}
ignore apparmor
whitelist ${HOME}/files/Portable/FirefoxDeveloperEdition
EOF

For you, the path would be slightly different, I guess:

whitelist ${HOME}/software/firefox-nightly

Ref: https://github.com/netblue30/firejail/issues/3794


I encountered this error, and was able to work around it by commenting out apparmor in /etc/firejail/firefox-common.profile.

user85461