qutebrowser: links do not open in the existing instance

[aleprovencio]

Description

Until upgrading firejail to this last release, I used to open links on external apps and they would open on a new qutebrowser tab.

Steps to Reproduce

Steps to reproduce the behavior

1. Run a firejailed qutebrowser
2. Open a link from external app, ex: kitty's open_url_with_hints

Expected behavior

The link would open a new tab of the already running qutebrowser instance

Actual behavior

A new qutebrowser instance is opened with the link

Behavior without a profile

The same happens

Additional context

I've had to make other adjustments on my qutebrowser.local as well after this upgrade, but couldn't figure this one out. I've tried things like ignore dbus-system none and dbus-user.own org.qutebrowser.* without success.

Environment

• Arch Linux
• Firejail 0.9.72

Checklist

• The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
• I can reproduce the issue without custom modifications (e.g. globals.local).
• The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
• The profile (and redirect profile if exists) hasn't already been fixed upstream.
• I have performed a short search for similar issues (to avoid opening a duplicate).
  • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
• I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program

 LC_ALL=C firejail qutebrowser
Reading profile /etc/firejail/qutebrowser.profile
Reading profile /home/aleprovencio/.config/firejail/qutebrowser.local
Reading profile /etc/firejail/allow-lua.inc
Reading profile /etc/firejail/allow-bin-sh.inc
Reading profile /etc/firejail/allow-python2.inc
Reading profile /etc/firejail/allow-python3.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /home/aleprovencio/.config/firejail/whitelist-common.local
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Seccomp list in: !chroot,!name_to_handle_at, check list: @default-keep, prelist: unknown,unknown,
Parent pid 804258, child pid 804265
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping alternatives for private /etc
Warning: skipping crypto-policies for private /etc
Warning: skipping pki for private /etc
Private /etc installed in 135.12 ms
Private /usr/etc installed in 0.01 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: cleaning all supplementary groups
Seccomp list in: !chroot,!name_to_handle_at, check list: @default-keep, prelist: unknown,unknown,
Warning: cleaning all supplementary groups
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Child process initialized in 594.76 ms
[15:36:0118/103157.250946:ERROR:address_tracker_linux.cc(214)] Could not bind NETLINK socket: Address already in use (98)

[glitsj16]

I've had to make other adjustments on my qutebrowser.local as well after this upgrade, but couldn't figure this one out. I've tried things like ignore dbus-system none and dbus-user.own org.qutebrowser.* without success.

It would be helpful if you could post your qutebrowser.local here. I'm asuming you've added include allow-lua.inc to that for some reason, as that isn't in /etc/firejail/qutebrowser.profile. You also have a whitelist-common.local according to the above output. Please post that as well.

I'm not normally using qutebrowser on my Arch Linux box, but I do have it installed to work on its profile on occasion. IMO it's unlikely this is D-Bus related. Very few applications need access to the system bus, and AFAICT qutebrowser doesn't expose any D-Bus addresses of its own (checked with d-feet). Without additional info my only advice at the moment is to disable the newly added options (one by one) from the 0.9.72 qutebrowser.profile so you can get as close as possible to the former 0.9.70 version that used to work for you.

Potential culprits:

• include allow-bin-sh.inc + include disable-shell.inc (if bash is not your shell)
• include disable-exec.inc (if you use a qutebrowser wrapper script under ${HOME} for example)

[aleprovencio]

Thank you for your help. Below are my local files, I hope comments are self-explanatory of my doings.

whitelist-common.local

# dotfiles are symlinked
whitelist ${HOME}/.local/share/code/aleprovencio-config

qutebrowser.local

# troubleshooting: https://github.com/netblue30/firejail/issues/5601#issuecomment-1396196058
#ignore apparmor
#ignore disable-mnt
#ignore private-dev
#ignore private-etc
#ignore private-tmp
#ignore disable-shell
#ignore noroot
#ignore dbus-system none
#dbus-user filter
#dbus-user.own org.qutebrowser.*
#noblacklist ${PATH}/fish

# pywal
ignore private-cache
whitelist ${HOME}/.cache/wal

# userscripts
ignore include disable-exec.inc

# editor.command
ignore read-only ${HOME}/.local/share/nvim
#blacklisted by disable-interpreters.inc
include allow-lua.inc
#blacklisted by disable-programs.inc
noblacklist ${HOME}/.config/kitty
#whitelist
whitelist /usr/share/nvim
whitelist ${HOME}/.config/kitty
noblacklist ${HOME}/.config/nvim
noblacklist ${HOME}/.cache/nvim
noblacklist ${HOME}/.local/share/nvim
whitelist ${HOME}/.config/nvim
whitelist ${HOME}/.cache/nvim
whitelist ${HOME}/.local/share/nvim

# mpv/yt-dlp
#blacklisted by disable-programs.inc
noblacklist ${HOME}/.config/mpv
noblacklist ${HOME}/.config/yt-dlp
#whitelist
whitelist ${HOME}/.config/mpv
whitelist ${HOME}/.config/yt-dlp

# zathura
#blacklisted by disable-programs.inc
noblacklist ${HOME}/.config/zathura
#whitelist
whitelist ${HOME}/.config/zathura

[rusty-snake]

ignore include disable-exec.inc

IIRC qutebrowser now has apparmor.
Also, if you only need ${HOME} executable you can be more specific. So try to replace this line with

ignore apparmor
ignore noexec ${HOME}

[The-Compiler]

qutebrowser upstream here - this is related to qutebrowser not being able to access its unix socket in /run/user/$UID/qutebrowser/ipc-<hash>. An user reported that they get:

ipc:send_to_running_instance:476 Connecting to /run/user/1011/qutebrowser/ipc-34c336827b750ba10a020fd62ec4664f
ipc:send_to_running_instance:506 No existing instance present (error 2)

when starting qutebrowser, which means qutebrowser then opens in a new process.

2 seems to be QLocalSocket::ServerNotFoundError, i.e. I suppose it got an ENOENT for that file.

[Dieterbe]

could be due to #5389 ?

[glitsj16]

@The-Compiler @Dieterbe Thanks for the info! It looks like we need an additional

whitelist ${RUNUSER}/qutebrowser

in qutebrowser.profile.

@aleprovencio Can you confirm your issue is fixed when adding that to your qutebrowser.local? I'll fix it in master when you confirm it solves it. Or you can open a PR yourself.

[rusty-snake]

Remember to mkdir it too.

[aleprovencio]

It does work, thank you all for your time

[Dieterbe]

Thank you! open source power !! 👯