Hi Rosika,
I agree absolutely.
I have tried various modifications to waterfox.profile in ~/.config/firejail
I had
whitelist /usr/local/src/Waterfox/waterfox
instead of
whitelist /usr/local/src/Waterfox
I dont think that will make any difference
I think perplexity did not understand my filesystem
My binary is
/usr/local/src/Waterfox/waterfox/waterfox
abd there is a link to it in
/usr/local/bin
My current thinking is that firejail can not handle links.
I dont understand whether I should whitelist the link or the actual file location?
Do you know about links in firejail?
On point 3, I dont understand why /opt would be any different to /usr/local?
I tried it anyway
# mv /usr/local/src/Waterfox/waterfox /opt/waterfox
# ln -sf /opt/waterfox/waterfox /usr/local/bin/waterfox
and whitelist /opt/waterfox
$ firejail waterfox
Reading profile /home/nevj/.config/firejail/waterfox.profile
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-proc.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-proc.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 5684, child pid 5687
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: cleaning all supplementary groups
Warning: Replacing profile instead of stacking it. It is a legacy behavior that can result in relaxation of the protection. It is here as a temporary measure to unbreak the software that has been broken by switching to the stacking behavior.
Child process initialized in 349.53 ms
Error: no suitable waterfox executable found
Parent is shutting down, bye...
No different… it cant find the executable
firejail --noprofile waterfox
works
There is nothing wrong with the executable , the problem is with the waterfox.profile file
So I started commenting out lines in the default waterfox.profile file…I found the last line needs to be commented out, ie
# Firejail profile for waterfox
# This file is overwritten after every install/update
# Persistent local customizations
include waterfox.local
# Persistent global definitions
include globals.local
#noblacklist ${HOME}/.cache/waterfox
#noblacklist ${HOME}/.waterfox
mkdir ${HOME}/.cache/waterfox
mkdir ${HOME}/.waterfox
whitelist ${HOME}/.cache/waterfox
whitelist ${HOME}/.waterfox
# Add the next lines to your watefox.local if you want to use the migration wizard.
#noblacklist ${HOME}/.mozilla
#whitelist ${HOME}/.mozilla
# waterfox requires a shell to launch on Arch. We can possibly remove sh though.
# Add the next line to your waterfox.local to enable private-bin.
#private-bin bash,dbus-launch,dbus-send,env,sh,waterfox,waterfox-classic,waterfox-current,which
# Add the next line to your waterfox.local to enable private-etc. Note that private-etc must first be
# enabled in your firefox-common.local.
#private-etc waterfox
# Redirect
#include firefox-common.profile
Now I can do firejail waterfox
and it works.
So what is in that included file that is so fatal?
I cant see anything that would interfere ???
Anyway, now I can get on with setting up waterfox in firejail for secure banking… like we did with firefox.
Thank you.
Regards
Neville