Package: firejail-profiles
Version: 0.9.54-1
Severity: important

With the previous profiles, I could use the following firefox script:

exec /usr/bin/firejail --name=firefox firefox-esr "$@"

and everything was fine. After starting firefox, I could open a new URL with it and didn't get any error. For instance:

cventin:~> firefox http://localhost/
Reading profile /etc/firejail/firefox-esr.profile
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: Sandbox name changed to firefox-1
Parent pid 20640, child pid 20641
Blacklist violations are logged to syslog
Child process initialized in 124.80 ms
Parent is shutting down, bye...
cventin:~>

With the new profile, the URL is still opened, but firejail now terminates with an exit status 1. For instance:

cventin:~> firefox http://localhost/
Reading profile /etc/firejail/firefox-esr.profile
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: Sandbox name changed to firefox-1
Parent pid 22332, child pid 22333
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Post-exec seccomp protector enabled
Warning fseccomp: syscall "ni_syscall" not available on this platform
Warning fseccomp: syscall "umount" not available on this platform
Seccomp list in: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice, check list: @default-keep, prelist: adjtimex,clock_adjtime,clock_settime,settimeofday,modify_ldt,lookup_dcookie,perf_event_open,process_vm_writev,delete_module,finit_module,init_module,_sysctl,afs_syscall,create_module,get_kernel_syms,getpmsg,putpmsg,query_module,security,sysfs,tuxcall,uselib,ustat,vserver,ioperm,iopl,kexec_load,kexec_file_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount2,userfaultfd,vhangup,vmsplice,
Child process initialized in 149.79 ms
Parent is shutting down, bye...
zsh: exit 1 firefox http://localhost/
cventin:~[1]>

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.16.0-1-amd64 (SMP w/12 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=POSIX (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages firejail-profiles depends on:
ii  firejail  0.9.54-1

firejail-profiles recommends no packages.

firejail-profiles suggests no packages.

-- no debconf information