
newsboat unable to launch default browser #3894

Closed
4 of 5 tasks
ayham-1 opened this issue Jan 14, 2021 · 13 comments

Comments

@ayham-1
Contributor

ayham-1 commented Jan 14, 2021

With firejail enabled (via firecfg), opening any link using the o key or a link number key just fails with: Unable to spawn browser. I don't think the default cfg has support for lynx.

Bug and expected behavior

  • Describe the bug.
    Open feed, try opening browser
  • What did you expect to happen?
    The browser to open.

No profile and disabling firejail

  • What changed calling firejail --noprofile /path/to/program in a terminal?
    It worked.
  • What changed calling the program by path (check which <program> or firejail --list while the sandbox is running)?
    No such file or directory

Reproduce
Steps to reproduce the behavior:

  1. Run `newsboat` in bash
  2. Try to spawn browser
  3. error

Environment

  • Arch Linux, 5.10.7.a-1-hardened
  • FireJail version 0.9.64, apparmor support is enabled

Checklist

  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • I have performed a short search for similar issues (to avoid opening a duplicate).
  • If it is an AppImage, --profile=PROFILENAME is used to set the right profile.
  • Used LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 PROGRAM to get english error-messages.
  • [?] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
debug output
OUTPUT OF `firejail --debug PROGRAM`

https://pastebin.com/ZLDusshM

@rusty-snake
Collaborator

Maybe that helps: #3312.

@ayham-1
Contributor Author

ayham-1 commented Jan 14, 2021

Maybe that helps: #3312.

firejail --private-bin=lynx,sh,gzip --private-etc="lynx,sh,gzip,lynx.cfg,lynx.lss" newsboat
This works. Is there a chance I can make a PR through to add these into the default profile?

@glitsj16
Collaborator

glitsj16 commented Jan 15, 2021

firejail --private-bin=lynx,sh,gzip --private-etc="lynx,sh,gzip,lynx.cfg,lynx.lss" newsboat
This works. Is there a chance I can make a PR through to add these into the default profile?

It's a bit odd that private-etc needs lynx,sh,gzip as these files do not exist on Arch Linux. I assume adding the below to your newsboat.local should work:

private-bin gzip,lynx,sh
private-etc lynx.cfg,lynx.lss

After doing so you can run firejail newsboat (if you don't use firecfg) or simply newsboat (if you do use firecfg) to have lynx support in the newsboat sandbox. A PR is always an option, but in all honesty I find it superfluous in this case. Firejail's .local overrides functionality is implemented exactly for situations like this. Did you try that already?

@ayham-1
Contributor Author

ayham-1 commented Jan 15, 2021

firejail --private-bin=lynx,sh,gzip --private-etc="lynx,sh,gzip,lynx.cfg,lynx.lss" newsboat
This works. Is there a chance I can make a PR through to add these into the default profile?

It's a bit odd that private-etc needs lynx,sh,gzip as these files do not exist on Arch Linux. I assume adding the below to your newsboat.local should work:

private-bin gzip,lynx,sh
private-etc lynx.cfg,lynx.lss

After doing so you can run firejail newsboat (if you don't use firecfg) or simply newsboat (if you do use firecfg) to have lynx support in the newsboat sandbox. A PR is always an option, but in all honesty I find it superfluous in this case. Firejail's .local overrides functionality is implemented exactly for situations like this. Did you try that already?

Yes, I already have it set up. But I think that the default browser should be at least supported in the official repos; this would set an example for changing the browser.

@glitsj16
Collaborator

Yes, I already have it set up. But I think that the default browser should be at least supported in the official repos; this would set an example for changing the browser.

Now I understand! I am not familiar with newsboat, so I installed it. Only after looking inside its config did it become clear that when a BROWSER env var isn't set it falls back to lynx. So please do make a PR.

@ayham-1
Contributor Author

ayham-1 commented Jan 15, 2021

solved #3895

@ayham-1 ayham-1 closed this as completed Jan 15, 2021
@ghost

ghost commented Feb 19, 2021

I am having a similar problem to this one. My default browser is Brave and I have the firejail desktop configuration running. I would like to open links in a sandboxed Brave session, but I can only do this if running Newsboat outside of Firejail. I am able to launch a sandboxed version of Lynx from inside a sandboxed Newsboat by adding 'browser "/usr/local/bin/lynx %u"' to the config file or through the command line with 'set browser...'. The same strategy does not work with Brave.

@rusty-snake
Collaborator

Try to add this to your newsboat.local:

ignore noexec /tmp
ignore noexec ${HOME}
ignore caps.drop all
ignore ipc-namespace
ignore no3d
ignore nonewprivs
ignore noroot
ignore novideo
ignore protocol
ignore seccomp
ignore private-bin
ignore private-etc
ignore private-tmp
ignore dbus-user none
ignore dbus-system none
ignore memory-deny-write-execute

noblacklist ${HOME}/.cache/BraveSoftware
noblacklist ${HOME}/.config/BraveSoftware
noblacklist ${HOME}/.config/brave
noblacklist ${HOME}/.config/brave-flags.conf
noblacklist ${HOME}/.gnupg
noblacklist /proc/config.gz
noblacklist ${HOME}/.pki
noblacklist ${HOME}/.local/share/pki

mkdir ${HOME}/.cache/BraveSoftware
mkdir ${HOME}/.config/BraveSoftware
mkdir ${HOME}/.config/brave
whitelist ${HOME}/.cache/BraveSoftware
whitelist ${HOME}/.config/BraveSoftware
whitelist ${HOME}/.config/brave
whitelist ${HOME}/.config/brave-flags.conf
whitelist ${HOME}/.gnupg

caps.keep sys_admin,sys_chroot

@ghost

ghost commented Feb 19, 2021

@rusty-snake You mean ~/.newsboat or the ~/.local directory? I'm unsure where to find or create it.

@rusty-snake
Collaborator

~/.config/firejail/newsboat.local

@ghost

ghost commented Feb 19, 2021

It works now! Would I just add similar lines for any application-related directories in ~ if I wanted to use other browsers at some point?

@rusty-snake
Collaborator

You mean that you switch from brave to e.g. vivaldi? Then yes. Just replace the brave-specific noblacklist/mkdir/whitelist with the ones from vivaldi. In addition, vivaldi does not need ignore noexec /tmp but ignore noexec /var, so you always need to look at the profiles (if something is broken).

Be warned, though, that this deactivates the half sandbox. If your system supports unprivileged userns you should add seccomp !chroot and remove

ignore caps.drop all
ignore nonewprivs
ignore noroot
ignore protocol
ignore seccomp
caps.keep sys_admin,sys_chroot
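As an added illustration (not from this thread or the firejail project): a small POSIX shell audit that scans a firejail .local file for the kind of lines rusty-snake warns about, so the sandbox weakenings in a Brave-style override are visible at a glance. Which directives count as "hardening" is an assumption taken from the ignore lines above, not firejail's own classification; the sample newsboat.local is constructed.

```shell
#!/bin/sh
# Added example (not from the thread or the firejail project): scan a firejail
# .local for directives that switch off sandbox hardening. Which directives
# count as "hardening" is an assumption taken from the ignore lines above.
HARDENING="caps.drop seccomp nonewprivs noroot protocol noexec ipc-namespace \
private-bin private-etc private-tmp dbus-user dbus-system memory-deny-write-execute"

# Print each line of $1 that weakens the sandbox: "ignore <hardening directive>"
# or a caps.keep that hands back sys_admin.
weakened_lines() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
        case "$line" in
            ''|'#'*) continue ;;                     # blank or comment
            caps.keep\ *sys_admin*) printf '%s\n' "$line"; continue ;;
            ignore\ *) ;;
            *) continue ;;
        esac
        directive=${line#ignore }
        directive=${directive%% *}                   # second word only
        for h in $HARDENING; do
            if [ "$directive" = "$h" ]; then
                printf '%s\n' "$line"
                break
            fi
        done
    done < "$1"
}

# Number of weakening lines in $1 (0 means the half sandbox is intact).
count_weakenings() {
    weakened_lines "$1" | wc -l | tr -d ' '
}

# Constructed sample newsboat.local modelled on the Brave snippet in this thread.
SAMPLE_LOCAL=$(mktemp)
cat > "$SAMPLE_LOCAL" <<'EOF'
# let newsboat launch brave
ignore noexec /tmp
ignore caps.drop all
ignore seccomp
ignore private-bin
noblacklist ${HOME}/.config/BraveSoftware
whitelist ${HOME}/.config/BraveSoftware
caps.keep sys_admin,sys_chroot
EOF

weakened_lines "$SAMPLE_LOCAL"
```

Running it on the sample lists the four ignore lines and the caps.keep line; a .local that only adds systemd-run and a dbus filter reports nothing.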

@rusty-snake
Collaborator

rusty-snake commented Feb 22, 2021

If your system supports unprivileged userns you should …

… also uncomment chromium-common-hardened.inc


Much more secure way

Allow only the permissions required to run and use systemd-run.

Use the newsboat.local below instead of the one above and configure xdg-open as browser (and add the xdg-open script), or configure /usr/bin/systemd-run --user --quiet --no-block /usr/bin/firejail /usr/bin/brave-browser %u directly.

newsboat.local:

noblacklist ${PATH}/systemd-run
ignore dbus-user none
dbus-user filter
dbus-user.talk org.freedesktop.systemd1
private-bin systemd-run

/usr/local/bin/xdg-open:

#!/bin/sh
systemd-run --user --quiet --no-block /usr/bin/xdg-open "$@"

EDIT: Added noblacklist ${PATH}/systemd-run. Forgot that we blacklist ${PATH}/systemd-run.
