Hi Neville, 
O.K., so you´re using the same version that I have installed on my system.
It might have been.
From personal experience (and from a chat with firejail´s maintainer) I know there may be options in newer versions that weren´t accessible in former ones. Things are progressing.
But as we both are on the same version it´s not an issue here.
I was just wondering about the --nou2f issue. 
Cheers from Rosika 
@nevj :
Hi Neville,
How about this approach?:
Try using firefox´s built-in Developer Tools:
E.g. for this site Releases · BrowserWorks/Waterfox · GitHub
it looks like this on my system:
Hope it helps.
Cheers from Rosika
P.S.:
According to perplexity even with the restrictive sandbox, some cookies may still be allowed for basic functionality.
The key is to verify that third-party/tracking cookies are blocked while allowing essential first-party cookies if needed.
P.S. 2:
There may still be a way of completely disabling all cookies
Perhaps the following might be worth trying out.
Try to add these Firefox preferences:
--env=MOZ_DISABLE_CONTENT_SANDBOX=1
--env=MOZ_DISABLE_GMP_SANDBOX=1
--env=MOZ_DISABLE_RDD_SANDBOX=1
--pref network.cookie.cookieBehavior=2
The last entry should be the new one.
Just to add to the conversation and perhaps open it slightly.
If you take a debian mix and add cinnamon does it look the same as if it was running on a different base ?
So run open suse and add cinnamon
Or
Ubuntu with xfce
Debian with xfce
Suse with xfce
Ubuntu mate
Debian mate
Suse mate (not sure if that mix works never seen it mentioned)
Etc
It takes on the file manager of desktop etc or not
Same with other parts
Never tried, just now happy with lmde cinnamon.
Can they? I think there is plenty of things they can’t show, because it is illegal to show them. So, if this kind of manipulation was made illegal, then…
I believe that users should be able to choose which version will be presented to them - personalized or the one that looks identical to everybody.
Right. Obviously, I would hope. I meant within already established legal bounds.
I took it that the objection was showing something different to different users. That’s their choice. Just like it’s our choice to use the site or not.
Yes, browsers interpret the web page content and their presentation varies… but they do not alter the text or its meaning and they do not omit or add anything. They only change layout and colours and fonts. That is OK.
I guess you exclude local or targeted publicity from your example.
Hi Rosika,
That works , I now have
#!/usr/bin/bash
firejail --private-tmp --disable-mnt --nodbus --nodvd --nogroups --nonewprivs --noroot --notv --nou2f --novideo --private-cache --private-dev --dns=1.1.1.1 --dns=9.9.9.9 firefox -no-remote --env=MOZ_DISABLE_CONTENT_SANDBOX=1 --env=MOZ_DISABLE_GMP_SANDBOX=1 --env=MOZ_DISABLE_RDD_SANDBOX=1 --pref network.cookie.cookieBehavior=2
But, when I tried to run waterfox in firejail it does not start
$ firejail waterfox
Reading profile /etc/firejail/waterfox.profile
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-proc.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 8048, child pid 8049
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: cleaning all supplementary groups
Warning: Replacing profile instead of stacking it. It is a legacy behavior that can result in relaxation of the protection. It is here as a temporary measure to unbreak the software that has been broken by switching to the stacking behavior.
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Child process initialized in 156.86 ms
Error: no suitable waterfox executable found
Parent is shutting down, bye...
I do have /etc/firejail/waterfox.profile
I setup ~/.config/firejail/waterfox.profile
and added
whitelist /usr/local/src/Waterfox/waterfox
that did not help.
I am lost
Regards
Neville
Hi Neville,
The command you provided still displays the --nou2f option.
In your post #56 you said you had to remove this option, if I´m not mistaken.
Couldn´t this be the reason for the command to fail?
Cheers from Rosika
Hi Rosika,
Look carefully.
I had to remove the --no-u2f option
Really tricky
Waterfox is a separate problem.
Regards
Neville
Hi Neville,
I´m a bit confused.
--no-u2f isn´t available for me in the first place, just --nou2f.
Has the syntax changed?
On the other hand: you and I are using the same firejail version.
Cheers from Rosika
The original text you gave me from ChatGPT had both
That was obviously wrong
Hi Neville,
you are right. I stand corrected. 
Actually it was perplexity rather than ChatGPT which provided the command.
So you´re right. We must be very attentive.
Seems the solution to the problem lies here after all.
It obviously needs further investgation.
Thanks and many greetings from Rosika
Hi Rosika,
Dont be embarassed… that is one of the trickiest things I have encountered.
I think we need to modify waterfox .profile.
It will not even do firejail waterfox without any options.
I retested the safefox4 version… it works for 2 banks.
That is really secure. I just wanted to try with waterfox instead of firefox.
Regards
Neville
Hi @Rosika ,
I have got this far trying to do firejail waterfox
$ firejail --debug waterfox
...... lots of output
Starting application
LD_PRELOAD=(null)
execvp argument 0: waterfox
Child process initialized in 176.51 ms
Searching $PATH for waterfox
trying #/usr/local/bin/waterfox#
trying #/usr/bin/waterfox#
trying #/bin/waterfox#
trying #/usr/local/games/waterfox#
trying #/usr/games/waterfox#
trying #/sbin/waterfox#
trying #/usr/sbin/waterfox#
trying #/home/nevj/bin/waterfox#
trying #/common/bin/waterfox#
Error: no suitable waterfox executable found
monitoring pid 12
Sandbox monitor: waitpid 12 retval 12 status 256
Parent is shutting down, bye...
It seems it cant find /usr/local/bin/waterfox?
It is a link
$ ls -l /usr/local/bin
....
lrwxrwxrwx 1 root root 41 Mar 9 20:19 waterfox -> /usr/local/src/Waterfox/waterfox/waterfox
$ ls -l /usr/local/src/Waterfox/waterfox
....
-rwxr-xr-x 1 root root 898344 Mar 4 02:48 waterfox
-rwxr-xr-x 1 root root 898344 Mar 4 02:48 waterfox-bin
-rw-r--r-- 1 root root 1350 Mar 4 02:48 waterfox-bin.sig
-rw-r--r-- 1 root root 1350 Mar 4 02:48 waterfox.sig
It is there with adequate permissions?
Why cant it find it? It looked in /usr/local/bin.
Hi Neville,
I consulted perplexity for shedding some light this intriguing dilemma.
The issue your friend is encountering is related to how Firejail restricts access to certain directories and files for security purposes.
Even though the Waterfox executable exists and has the correct permissions, Firejail is not able to access it due to its sandboxing restrictions.To resolve this issue, there are a few potential solutions:
- Create a Firejail profile for Waterfox:
Create a file named waterfox.profile in /etc/firejail/ with the following content:include /etc/firejail/firefox.profile whitelist /usr/local/src/WaterfoxThen run Firejail with this profile:
firejail --profile=/etc/firejail/waterfox.profile waterfox
Use the --noprofile option:
This will disable the default profile restrictions, but it also reduces the security benefits of using Firejail:
firejail --noprofile waterfoxMove Waterfox to a standard location:
Instead of keeping Waterfox in /usr/local/src, consider moving it to /opt/waterfox. Then update the symlink:sudo mv /usr/local/src/Waterfox /opt/waterfox sudo ln -sf /opt/waterfox/waterfox/waterfox /usr/local/bin/waterfoxThis will allow Firejail to access the Waterfox directory.
These solutions should help Firejail locate and run the Waterfox executable. The first option is recommended as it provides a good balance between security and functionality
Personal remark:
In step 1 I myself would rather create waterfox.profile in ~/.config/firejail.
This way you´d avoid fiddling with the original waterfox profile which is located at /etc/firejail.
Plus: it wouldn´t get overwritten by future updates of firejail.
Hope it helps.
Many greetings from Rosika
If a website isn’t personalized then you will see only what the site owner wants you to see. Which means you will get 90% garbage and you will have to sift through it to find stuff you want to see.
The way to get a broader spectrum of information is to actively seek it out. If you are a liberal occasionally seek out conservative sites and vice versa for conservatives. Don’t be lazy and only look at what the site feeds you. Always fact check everything even (especially) that which you want to believe.
Now if your concern is not what is being fed to you but rather that others aren’t seeing what you want them to see then not personalizing content is insufficient. You still have to rely on the site owner to force feed ‘correct content’ to all of its subscribers. Of course, when that happens folks who don’t want to see ‘correct content’ leave the site.
Illegalizing personalising content will do more harm than good.
Hi Rosika,
I agree absolutely.
I have tried various modifications to waterfox.profile in ~/.config/firejail
I had
whitelist /usr/local/src/Waterfox/waterfox
instead of
whitelist /usr/local/src/Waterfox
I dont think that will make any difference
I think perplexity did not understand my filesystem
My binary is
/usr/local/src/Waterfox/waterfox/waterfox
abd there is a link to it in
/usr/local/bin
My current thinking is that firejail can not handle links.
I dont understand whether I should whitelist the link or the actual file location?
Do you know about links in firejail?
On point 3, I dont understand why /opt would be any different to /usr/local?
I tried it anyway
# mv /usr/local/src/Waterfox/waterfox /opt/waterfox
# ln -sf /opt/waterfox/waterfox /usr/local/bin/waterfox
and whitelist /opt/waterfox
$ firejail waterfox
Reading profile /home/nevj/.config/firejail/waterfox.profile
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-proc.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-proc.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 5684, child pid 5687
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: cleaning all supplementary groups
Warning: Replacing profile instead of stacking it. It is a legacy behavior that can result in relaxation of the protection. It is here as a temporary measure to unbreak the software that has been broken by switching to the stacking behavior.
Child process initialized in 349.53 ms
Error: no suitable waterfox executable found
Parent is shutting down, bye...
No different… it cant find the executable
firejail --noprofile waterfox works
There is nothing wrong with the executable , the problem is with the waterfox.profile file
So I started commenting out lines in the default waterfox.profile file…I found the last line needs to be commented out, ie
# Firejail profile for waterfox
# This file is overwritten after every install/update
# Persistent local customizations
include waterfox.local
# Persistent global definitions
include globals.local
#noblacklist ${HOME}/.cache/waterfox
#noblacklist ${HOME}/.waterfox
mkdir ${HOME}/.cache/waterfox
mkdir ${HOME}/.waterfox
whitelist ${HOME}/.cache/waterfox
whitelist ${HOME}/.waterfox
# Add the next lines to your watefox.local if you want to use the migration wizard.
#noblacklist ${HOME}/.mozilla
#whitelist ${HOME}/.mozilla
# waterfox requires a shell to launch on Arch. We can possibly remove sh though.
# Add the next line to your waterfox.local to enable private-bin.
#private-bin bash,dbus-launch,dbus-send,env,sh,waterfox,waterfox-classic,waterfox-current,which
# Add the next line to your waterfox.local to enable private-etc. Note that private-etc must first be
# enabled in your firefox-common.local.
#private-etc waterfox
# Redirect
#include firefox-common.profile
Now I can do firejail waterfox and it works.
So what is in that included file that is so fatal?
I cant see anything that would interfere ???
Anyway, now I can get on with setting up waterfox in firejail for secure banking… like we did with firefox.
Thank you.
Regards
Neville
Good example actually… because in Australia liberal means conservative.
I wonder if an Australian web user would find a different definition of liberal in a search?
I tried… it does not seem to be tailoring my google search
Yes, you are really checking on 2 things.
I learnt years ago , when reading scientific papers, it is important to review all the original literature on a topic.
For example only reading reviews can give a biased outlook.
Web sites are largely like reviews… someone’s view of a topic, not the original published material.
@nevj :
Hi Neville,
I tried to push perplexity a little further. Let´s see if it´s of any help:
Firejail can handle symbolic links, but there are specific considerations and potential limitations when using them. Here’s how to address your friend’s concerns and verify the correct configuration:
Firejail and Symlinks:
Firejail resolves Symlinks to their Targets:
When you whitelist a symlink in Firejail, it actually resolves the symlink to its target. This means that whitelisting the symlink (/usr/local/bin/waterfox) or the actual file location (/usr/local/src/Waterfox/waterfox/waterfox) should work equivalently, as long as the target is accessible within the sandbox.Whitelisting Directories:
If you whitelist/usr/local/src/Waterfox, all files and subdirectories under it, includingwaterfox, will be accessible. However, if you whitelist/usr/local/src/Waterfox/waterfox, only files in that specific directory will be accessible.Potential Issues with Symlinks:
If the symlink points to a location outside the sandbox’s allowed paths, Firejail might block access.
Some users have reported issues with symlinks in Firejail profiles due to how whitelists are applied
Recommended Steps to Configure and Verify:
- Whitelist the Target Directory
Add this line to your Firejail profile (e.g.,~/.config/firejail/waterfox.profile):
whitelist /usr/local/src/WaterfoxThis ensures that the entire Waterfox directory is accessible.
Test with Debug Mode
Run Waterfox with Firejail in debug mode to see if it can access the binary:
firejail --debug waterfox
Look for lines indicating whether Firejail successfully resolves and accesses the target executable.Verify Access Inside the Sandbox:
Launch a shell inside Firejail and manually check access to both the symlink and its target:firejail --profile=~/.config/firejail/waterfox.profile bash ls -l /usr/local/bin/waterfox ls -l /usr/local/src/Waterfox/waterfoxAttempt to execute Waterfox directly using its full path:
/usr/local/src/Waterfox/waterfox/waterfox
Use
--noprofilefor Testing
Temporarily bypass all profiles to confirm that Firejail itself isn’t blocking access:
firejail --noprofile waterfoxSimplify by Moving Waterfox:
If issues persist, consider moving Waterfox to a more standard directory like/optand updating the symlink:sudo mv /usr/local/src/Waterfox /opt/ sudo ln -sf /opt/Waterfox/waterfox/waterfox /usr/local/bin/waterfoxTroubleshooting Tips:
Ensure there are no conflicting blacklist or restrictive rules in your profile.
If whitelisting doesn’t work as expected, try explicitly using noblacklist for the directory or file.
Check Firejail’s documentation or discussions for known limitations with symbolic links
By following these steps, you can ensure that Firejail is properly configured to handle both the symlink and its target executable.
Cheers from Rosika