Automatic Firejail of Home Manager's Librewolf does not work

testplayername · October 7, 2022, 9:36am

I am on NixOS unstable, using a flake-based configuration and running Sway.

I am trying to install the Wayland version of Librewolf (a Firefox fork) and always run it in a Firejail sandbox.

Home Manager supports customizing about:config options by adding entries in the attrset home-manager.users.<username>.programs.librewolf.settings which is very cool. I also want to unconditionally run Librewolf in a Firejail sandbox, meaning that every time librewolf is called in a terminal, firejail librewolf actually runs instead. Launching through Librewolf’s desktop file should have the same behavior.

Configuration attempt

My configuration for (attempting) to set this up looks like:

home-manager.users.my-cool-username.librewolf = {
  enable = true;
  package = pkgs.librewolf-wayland;
  settings = {
    "webgl.disable" = true;
    "middlemouse.paste" = false;
    # ... other configuration options ...
  };
};

programs.firejail = {
  enable = true;
  wrappedBinaries.librewolf = {
    executable = "${lib.getBin pkgs.librewolf-wayland}/bin/librewolf";
  };
};

With this configuration, I expect running librewolf in a terminal to launch Librewolf in a Firejail sandbox, but unsandboxed Librewolf launches instead. Directly running firejail librewolf works as expected.

After some digging, this problem appears similar to this post. However, the workaround as described in that thread (namely, do not include the package in environment.systemPackages) does not apply because I am not (directly) installing Librewolf through environment.systemPackages.

Issues

I see two independent issues that need to be solved or worked-around:

Including an entry for Librewolf in programs.firejail.wrappedBinaries creates a symlink at /run/current-system/sw/bin/librewolf, and Home Manager’s Librewolf module places its symlink at /etc/profiles/per-user/my-cool-username/bin/librewolf. This is problematic because, in PATH, /etc/profiles/per-user/my-cool-username is before /run/current-system/sw/bin and this explains why the terminal command librewolf does not involve Firejail at all.
The symlink that the Firejail module creates looks like:

exec /run/wrappers/bin/firejail -- /nix/store/<hash>-librewolf-105.0-1/bin/librewolf "$@"

This is not good because the Librewolf binary is directly run, ignoring Home Manager’s Librewolf wrapper (there is quite a lot of lines in that wrapper).

So far, (2) does not seem to cause any real problems for my machine specifically. Launching Librewolf without its wrapper has just one issue: Librewolf does not launch in Wayland mode because environment variable MOZ_ENABLE_WAYLAND=1 is set via the wrapper. This is easy to workaround by just setting the environment variable in the terminal emulator’s config, but fixing the config of one module by changing the config of another barely-related module is not very clean. I don’t know what the other parts of the Librewolf wrapper do.

Possible solutions and workarounds

firejail librewolf works, and this is the workaround I am using now, but I want Librewolf to always launch in a Firejail sandbox. This workaround does not work when launching through the desktop file.
Create a new wrapper that simply runs firejail /etc/profiles/per-user/my-cool-username/bin/librewolf and somehow make running the command librewolf launch the new wrapper instead. I have no idea how to do this in NixOS though.
Directly modify the Librewolf wrapper. The only change is prefixing the correct string with “firejail”. Preferably, this can be done with an overlay or override that affects where the wrapper is defined, but as far as I can tell the wrapper is created with a Bash build script that is not easy to override. There is a note about making xdg-open overridable at runtime but I have no idea what this really means and how this can help.

throwachimera · February 28, 2025, 10:22pm

Heya, I stumbled onto this topic while searcing for a solution to the exact same issue. Did you manage to fix this? If not what did you end up doing instead? Thanks.

testplayername · March 1, 2025, 12:29am

I do not have a proper solution to this problem (a proper solution means typing and running librewolf in a shell will always launch Librewolf in a Firejail sandbox). I believe the best way to implement a solution is with a Home Manager module, which someone did make at firejail: add module by VAWVAW · Pull Request #3675 · nix-community/home-manager · GitHub though this pull request is over a year old and is still unmerged. I have not tried this pull request myself but, unless the pull request is merged and assuming it works, the pull request can be added and used as a custom Home Manager module to any Nix configuration.

vaw · March 1, 2025, 11:24am

Hi, I am the author of the PR. It is just a copy of the nixos module adapted for home-manager.

I am no longer using the module and have created a program wrapper instead. This approach fixes a few of the problems I had with the module:

overrides like the ones the firefox module makes still work
the unwrapped program is not referenced in your config
all other files in the derivation are still exposed and reference the right binary (like .desktop files)

The con is that you have to rebuild the package you want to wrap. This isn’t that big of a deal for me since I only wrap programs that are downloaded as blob as well as firefox which is only a wrapper for firefox-unwrapped.

Example usage:

      (inputs.nixos-lib.lib.wrapFirejailBinary {
        inherit pkgs lib;
        package = pkgs.tor-browser;
        profile = "${pkgs.firejail}/etc/firejail/tor-browser.profile";
        extraArgs = [ "--private" ];
      })