librewolf: cannot open new URLs into running instance #6505

Closed
5 of 7 tasks
algor512 opened this issue Oct 11, 2024 · 2 comments
Labels
duplicate This issue or pull request already exists

Comments

@algor512

Description

firejail --whitelist=$XDG_RUNTIME_DIR --appimage ~/.local/appimages/librewolf.AppImage -new-tab after firejail --whitelist=$XDG_RUNTIME_DIR --appimage ~/.local/appimages/librewolf.AppImage shows "Firefox is already running, but is not responding."

Steps to Reproduce

  1. Run LC_ALL=C firejail --whitelist=$XDG_RUNTIME_DIR --appimage ~/.local/appimages/librewolf.AppImage
  2. Run LC_ALL=C firejail --whitelist=$XDG_RUNTIME_DIR --appimage ~/.local/appimages/librewolf.AppImage -new-tab
  3. Get a window saying "Firefox is already running, but is not responding."

Expected behavior

A new tab appears in the existing Librewolf instance.

Actual behavior

I get the message "Firefox is already running, but is not responding."

Behavior without a profile

It works as expected.

Additional context

I have to whitelist $XDG_RUNTIME_DIR (which is /tmp/1000-runtime-dir on my machine) in order to have sound in my browser.

Environment

Linux 6.6.54_1 x86_64, Void Linux, firejail:

firejail version 0.9.72

Compile time support:
        - always force nonewprivs support is disabled
        - AppArmor support is enabled
        - AppImage support is enabled
        - chroot support is enabled
        - D-BUS proxy support is enabled
        - file transfer support is enabled
        - firetunnel support is disabled
        - IDS support is disabled
        - networking support is enabled
        - output logging is enabled
        - overlayfs support is disabled
        - private-home support is enabled
        - private-cache and tmpfs as user enabled
        - SELinux support is disabled
        - user namespace support is enabled
        - X11 sandboxing support is enabled

Checklist

  • The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • I can reproduce the issue without custom modifications (e.g. globals.local).
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • I have performed a short search for similar issues (to avoid opening a duplicate).
    • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

$ firejail --whitelist=$XDG_RUNTIME_DIR --appimage ~/.local/appimages/librewolf.AppImage
Reading profile /etc/firejail/librewolf.profile
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-proc.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 1495, child pid 1500

** Warning: dropping all Linux capabilities and setting NO_NEW_PRIVS prctl **

Mounting appimage type 2
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: not remounting /tmp/1000-runtime-dir.f3y/doc
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: Replacing profile instead of stacking it. It is a legacy behavior that can result in relaxation of the protection. It is here as a temporary measure to unbreak the software that has been broken by switching to the stacking behavior.
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Child process initialized in 193.96 ms
ATTENTION: default value of option mesa_glthread overridden by environment.
output goes here

$ firejail --appimage ~/.local/appimages/librewolf.AppImage -new-tab "www.google.ru"
Reading profile /etc/firejail/librewolf.profile
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-proc.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 2392, child pid 2397

** Warning: dropping all Linux capabilities and setting NO_NEW_PRIVS prctl **

Mounting appimage type 2
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: Replacing profile instead of stacking it. It is a legacy behavior that can result in relaxation of the protection. It is here as a temporary measure to unbreak the software that has been broken by switching to the stacking behavior.
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Child process initialized in 185.76 ms
ATTENTION: default value of option mesa_glthread overridden by environment.
JavaScript error: resource://gre/modules/XULStore.sys.mjs, line 84: Error: Can't find profile directory.
JavaScript error: resource://gre/modules/XULStore.sys.mjs, line 84: Error: Can't find profile directory.
JavaScript error: resource://gre/modules/XULStore.sys.mjs, line 84: Error: Can't find profile directory.
JavaScript error: resource://gre/modules/XULStore.sys.mjs, line 84: Error: Can't find profile directory.
JavaScript error: resource://gre/modules/XULStore.sys.mjs, line 84: Error: Can't find profile directory.

@rusty-snake
Collaborator

rusty-snake commented Oct 11, 2024

  • The profile (and redirect profile if exists) hasn't already been fixed upstream.

How did you check this? Are you sure that the fix for #6413 isn't sufficient for you?

@algor512
Author

I've tried a few solutions for firefox, didn't think there would be anything specific for librewolf.

Adding just dbus-user.own io.gitlab.firefox.* to ~/.config/firejail/librewolf.profile doesn't solve the issue. However, I've tried to add

dbus-user filter
ignore dbus-user none
dbus-user.own io.gitlab.firefox.*

and it works!

Thank you, and sorry for the disturbance.
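
A small linter for the situation in the comment above, as an added example that is not part of this thread or of firejail: it flags `dbus-user.own` / `dbus-user.talk` rules that cannot take effect because the final session-bus policy is not `filter`. The precedence model, the function names and the `BASE_PROFILE` text are assumptions constructed for illustration; firejail's own parser is authoritative.

```python
# Constructed sample input (not taken from firejail's shipped profiles).
BASE_PROFILE = "dbus-user none\ndbus-system none\n"  # stand-in: chain that blocks the bus
OWN_ONLY = "dbus-user.own io.gitlab.firefox.*\n"
WORKING = ("dbus-user filter\n"
           "ignore dbus-user none\n"
           "dbus-user.own io.gitlab.firefox.*\n")


def directives(text):
    """Yield profile directives, skipping blank lines and # comments."""
    for raw in text.splitlines():
        line = " ".join(raw.split())
        if line and not line.startswith("#"):
            yield line


def is_ignored(line, ignored):
    """Whole-word prefix match against earlier `ignore` arguments."""
    return any(line == p or line.startswith(p + " ") for p in ignored)


def session_bus_state(*profile_texts):
    """Return (policy, name_rules) for texts given in the order they are read.

    Assumed model: an unsuppressed `dbus-user none` always wins, and
    own/talk rules only matter when the policy is `filter`.
    """
    ignored, rules = [], []
    saw_filter = saw_none = False
    for text in profile_texts:
        for line in directives(text):
            if is_ignored(line, ignored):
                continue
            if line.startswith("ignore "):
                ignored.append(line[len("ignore "):])
            elif line == "dbus-user none":
                saw_none = True
            elif line == "dbus-user filter":
                saw_filter = True
            elif line.startswith(("dbus-user.own ", "dbus-user.talk ")):
                rules.append(line)
    policy = "none" if saw_none else "filter" if saw_filter else "unrestricted"
    return policy, rules


def inert_rules(*profile_texts):
    """Name rules that are present but have no effect under the final policy."""
    policy, rules = session_bus_state(*profile_texts)
    return [] if policy == "filter" else rules
```

Pass the override text first and the profile it is layered on second; an empty result means every name rule is backed by an active filter policy.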

kmk3 changed the title on Oct 12, 2024
  from: librewolf appimage, -new-tab, "Firefox is already running, but is not responding."
  to: librewolf: cannot open new URLs into running instance
kmk3 added the duplicate label ("This issue or pull request already exists") on Oct 12, 2024
kmk3 closed this as not planned on Oct 12, 2024