Do you start chrome from the terminal or the GUI? According to the description, environment.variables only affects shells: “These variables will be set on shell initialisation”
printenv | rg DOWNLOADS also yields DOWNLOADS=/home/myusername/Desktop
I am starting Chromium from the GUI.
How can I set $DOWNLOADS globally, so that it is respected by Chromium launched from the GUI? I was under the impression that environment.variables does just that, as opposed to setting the environment variable in my config.fish.
environment.sessionVariables = { DOWNLOADS = "\${HOME}/Desktop"; }; and environment.sessionVariables = rec { DOWNLOADS = "\${HOME}/Desktop"; }; also work with printenv but chromium also shows insufficient permission.
environment.sessionVariables are set through PAM and should affect everything in the user session.
The question is how firejail is started. Does it see the variable, or is there somehow a daemon running which again has yet another set of variables to see?
PS: have you checked the generated wrapper?
Have you checked if you see same behaviour when starting chrome from terminal?
Have you checked if the profile generated is indeed the same?
Have you checked if somewhere down the wrapper chain something overwrites Downloads env var?
Thank you for your suggestions. I tried the following:
Running Chromium from the terminal leads to the same permission error.
Downloading the original firejail profiles from github and referencing them in the firejail wrapper for chromium also leads to the same permission error.
I don’t know how to check the generated wrapper and “down the wrapper chain” as you suggested (I’m fairly new to NixOS and still don’t really understand its inner workings). Could you please elaborate on that?
which chromium tells you where to find the wrapper; use cat or an editor to inspect it. Read the scripts and see if they are what you would expect. Follow each of the final exec calls and check their “prelude” until you reach the binary eventually.
Also, some programs might be wrapped to run in a fake FHS environment. It might be that this nesting will cause trouble. Though I do not know whether or not chromium is affected by this.
Another thing: the eventual ARG0 will probably be something like .chromium-unwrapped; it might be that firejail recognizes this as an unprivileged child process. Perhaps you need to somehow whitelist it.
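The “follow each exec call until you reach the binary” procedure from the reply above, as an added example (not code from the thread or from NixOS). It walks a chain of shell wrappers starting from what which would return, prints each hop, and flags any line that assigns, exports or unsets the variable of interest (DOWNLOADS by default). The exec-target heuristics are assumptions: the last exec line names the next hop; with exec prog … -- target (firejail style) the word after -- is the target, otherwise the first non-option word after exec is, and exec -a name path skips the -a argument. The demo chain built by build_demo_chain is constructed to mimic a NixOS wrapper layout and is not real Nix output.

```shell
#!/bin/sh
# walk_wrappers <command-or-path> [VAR]: follow wrapper scripts via their exec lines,
# flagging lines that touch VAR, until a non-script (e.g. ELF) file is reached.
walk_wrappers() {
    var=${2:-DOWNLOADS}
    cur=$(command -v "$1" 2>/dev/null || printf '%s' "$1")
    hop=0
    while [ -n "$cur" ] && [ "$hop" -lt 20 ]; do
        hop=$((hop + 1))
        # Nix store paths are usually reached through symlinks; show the real file
        real=$(readlink -f "$cur" 2>/dev/null || printf '%s' "$cur")
        printf '[%d] %s -> %s\n' "$hop" "$cur" "$real"
        if [ ! -f "$real" ]; then printf '    (not found)\n'; return 1; fi
        if ! head -c 2 "$real" | grep -q '#!'; then
            printf '    (binary, end of chain)\n'
            return 0
        fi
        # any line that assigns/exports the variable, unsets it, or strips it via env -u
        grep -nE "(^|[^A-Za-z0-9_])(export[[:space:]]+)?$var=|unset[[:space:]]+$var([^A-Za-z0-9_]|$)|env[[:space:]]+-u[[:space:]]+$var" "$real" |
            sed 's/^/    OVERRIDE: /'
        # next hop: target after '--' if present, else first non-option word after exec
        cur=$(grep -E '^[[:space:]]*exec[[:space:]]' "$real" | tail -n 1 |
            awk '{ for (i = 2; i <= NF; i++) if ($i == "--") { print $(i + 1); exit }
                   for (i = 2; i <= NF; i++) { if ($i == "-a") { i++; continue }
                                               if ($i !~ /^-/) { print $i; exit } } }' |
            tr -d '"')
        # bare command names are resolved through PATH, like a shell would
        case "$cur" in ''|*/*) ;; *) cur=$(command -v "$cur" 2>/dev/null || true) ;; esac
    done
}

# build_demo_chain <dir>: constructed stand-in for a NixOS-style chain (not real Nix output):
#   bin/chromium (firejail wrapper) -> bin/.chromium-wrapped (sets DOWNLOADS!) -> ELF stub
build_demo_chain() {
    d=$1
    mkdir -p "$d/bin" "$d/lib/chromium"
    printf '\177ELF' > "$d/lib/chromium/.chromium-unwrapped"   # fake binary, never executed
    cat > "$d/bin/.chromium-wrapped" <<EOF
#!/bin/sh -e
export DOWNLOADS=/home/user/Downloads
exec -a "\$0" "$d/lib/chromium/.chromium-unwrapped" "\$@"
EOF
    cat > "$d/bin/chromium" <<EOF
#!/bin/sh -e
exec firejail --profile=$d/chromium.profile -- $d/bin/.chromium-wrapped "\$@"
EOF
    chmod +x "$d/bin/chromium" "$d/bin/.chromium-wrapped"
}

# stand-alone run against the constructed chain; on a real system use: walk_wrappers chromium
demo=$(mktemp -d)
build_demo_chain "$demo"
walk_wrappers "$demo/bin/chromium"
rm -rf "$demo"
```

On a real NixOS box, run walk_wrappers chromium (or walk_wrappers chromium XDG_DOWNLOAD_DIR for another variable); an OVERRIDE line at any hop is a wrapper re-defining the variable before firejail or the browser ever sees it, and the final hop shows the ARG0 name that firejail actually confines.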
I tinkered around a bit (haven’t yet had time to follow the wrappers), but when specifying a custom chromium.profile and launching chromium from the terminal, I noticed that it does load the custom profile, but also loads the profiles from the nix store. I didn’t expect this behaviour and thought it would only look into the custom profile (just as a side note).
When launching chromium from the terminal, firejail complains about a missing dbus connection and ev_root_ca_metadata.cc. Does this have an impact on file permission?
~ ❯ chromium 3m 59s
Reading profile /home/myusername/Dokumente/Install/Linux/Firejail/chromium.profile
Reading profile /nix/store/g9m781hbz7301w7dds4nna6j8mg8nyv1-firejail-0.9.68/etc/firejail/chromium.local
Reading profile /nix/store/g9m781hbz7301w7dds4nna6j8mg8nyv1-firejail-0.9.68/etc/firejail/globals.local
Reading profile /nix/store/g9m781hbz7301w7dds4nna6j8mg8nyv1-firejail-0.9.68/etc/firejail/chromium-common.profile
Reading profile /nix/store/g9m781hbz7301w7dds4nna6j8mg8nyv1-firejail-0.9.68/etc/firejail/chromium-common.local
Reading profile /nix/store/g9m781hbz7301w7dds4nna6j8mg8nyv1-firejail-0.9.68/etc/firejail/disable-common.inc
Reading profile /nix/store/g9m781hbz7301w7dds4nna6j8mg8nyv1-firejail-0.9.68/etc/firejail/disable-common.local
Reading profile /nix/store/g9m781hbz7301w7dds4nna6j8mg8nyv1-firejail-0.9.68/etc/firejail/disable-devel.inc
Reading profile /nix/store/g9m781hbz7301w7dds4nna6j8mg8nyv1-firejail-0.9.68/etc/firejail/disable-devel.local
Reading profile /nix/store/g9m781hbz7301w7dds4nna6j8mg8nyv1-firejail-0.9.68/etc/firejail/disable-exec.inc
Reading profile /nix/store/g9m781hbz7301w7dds4nna6j8mg8nyv1-firejail-0.9.68/etc/firejail/disable-exec.local
Reading profile /nix/store/g9m781hbz7301w7dds4nna6j8mg8nyv1-firejail-0.9.68/etc/firejail/disable-interpreters.inc
Reading profile /nix/store/g9m781hbz7301w7dds4nna6j8mg8nyv1-firejail-0.9.68/etc/firejail/disable-interpreters.local
Reading profile /nix/store/g9m781hbz7301w7dds4nna6j8mg8nyv1-firejail-0.9.68/etc/firejail/disable-programs.inc
Reading profile /nix/store/g9m781hbz7301w7dds4nna6j8mg8nyv1-firejail-0.9.68/etc/firejail/disable-programs.local
Reading profile /nix/store/g9m781hbz7301w7dds4nna6j8mg8nyv1-firejail-0.9.68/etc/firejail/disable-xdg.inc
Reading profile /nix/store/g9m781hbz7301w7dds4nna6j8mg8nyv1-firejail-0.9.68/etc/firejail/disable-xdg.local
Reading profile /nix/store/g9m781hbz7301w7dds4nna6j8mg8nyv1-firejail-0.9.68/etc/firejail/whitelist-common.inc
Reading profile /nix/store/g9m781hbz7301w7dds4nna6j8mg8nyv1-firejail-0.9.68/etc/firejail/whitelist-common.local
Reading profile /nix/store/g9m781hbz7301w7dds4nna6j8mg8nyv1-firejail-0.9.68/etc/firejail/whitelist-run-common.inc
Reading profile /nix/store/g9m781hbz7301w7dds4nna6j8mg8nyv1-firejail-0.9.68/etc/firejail/whitelist-run-common.local
Reading profile /nix/store/g9m781hbz7301w7dds4nna6j8mg8nyv1-firejail-0.9.68/etc/firejail/whitelist-runuser-common.inc
Reading profile /nix/store/g9m781hbz7301w7dds4nna6j8mg8nyv1-firejail-0.9.68/etc/firejail/whitelist-runuser-common.local
Reading profile /nix/store/g9m781hbz7301w7dds4nna6j8mg8nyv1-firejail-0.9.68/etc/firejail/whitelist-usr-share-common.inc
Reading profile /nix/store/g9m781hbz7301w7dds4nna6j8mg8nyv1-firejail-0.9.68/etc/firejail/whitelist-usr-share-common.local
Reading profile /nix/store/g9m781hbz7301w7dds4nna6j8mg8nyv1-firejail-0.9.68/etc/firejail/whitelist-var-common.inc
Reading profile /nix/store/g9m781hbz7301w7dds4nna6j8mg8nyv1-firejail-0.9.68/etc/firejail/whitelist-var-common.local
Parent pid 6006, child pid 6007
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Child process initialized in 37.29 ms
Gtk-Message: 21:19:44.562: Failed to load module "colorreload-gtk-module"
Gtk-Message: 21:19:44.562: Failed to load module "window-decorations-gtk-module"
[5:31:0913/211944.573236:ERROR:bus.cc(399)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[5:31:0913/211944.573266:ERROR:bus.cc(399)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
libva error: /run/opengl-driver/lib/dri/nvidia_drv_video.so init failed
[5:265:0913/211946.977181:ERROR:ev_root_ca_metadata.cc(290)] Failed to register OID: 0
In case $DOWNLOADS isn’t resolved properly by firejail, i whitelisted the explicit path to my Desktop, but to no avail. The permissions error still comes up.
Maybe Chromium does not work, because it has its own sandbox…
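Why a custom chromium.profile still pulls in the nix store files: firejail resolves an include line whose argument is not an absolute (or ~/) path against its compiled-in config directory, which on NixOS is the /nix/store/…-firejail-0.9.68/etc/firejail path seen in the “Reading profile” lines above, and a profile copied from upstream starts with exactly such include lines. The resolver below is an added example (not firejail’s code and not from this thread) that reproduces that lookup order over a constructed miniature of firejail’s etc directory; the profile contents and directory names in build_demo_profiles are made up for the demo. Firejail silently skips an absent .local include; this script reports each absent file instead so you can see which hook files are unused.

```shell
#!/bin/sh
# resolve_includes <profile> <sysconfdir>: print, in order, every file firejail would
# read for <profile>, following 'include' lines: absolute and ~/ paths as given,
# anything else looked up in <sysconfdir>. $3 is the nesting depth (internal).
resolve_includes() {
    if [ "${3:-0}" -gt 16 ]; then printf 'include nesting too deep at %s\n' "$1" >&2; return 1; fi
    if [ ! -f "$1" ]; then
        printf 'Missing profile %s\n' "$1"     # firejail ignores absent .local files; we report them
        return 0
    fi
    printf 'Reading profile %s\n' "$1"
    # includes are processed at the position they appear, so nesting shows in the output order
    grep -E '^[[:space:]]*include[[:space:]]+' "$1" |
        sed -E 's/^[[:space:]]*include[[:space:]]+//; s/[[:space:]]*$//' |
        while IFS= read -r inc; do
            case "$inc" in
                /*)    resolve_includes "$inc" "$2" $(( ${3:-0} + 1 )) ;;
                '~/'*) resolve_includes "$HOME/${inc#\~/}" "$2" $(( ${3:-0} + 1 )) ;;
                *)     resolve_includes "$2/$inc" "$2" $(( ${3:-0} + 1 )) ;;
            esac
        done
}

# build_demo_profiles <dir>: constructed miniature of firejail's etc dir plus a user copy
# of chromium.profile that adds one whitelist line (contents invented for the demo).
build_demo_profiles() {
    d=$1
    mkdir -p "$d/etc/firejail" "$d/custom"
    printf 'include chromium.local\ninclude globals.local\ninclude chromium-common.profile\n' \
        > "$d/etc/firejail/chromium.profile"
    printf 'include chromium-common.local\ninclude disable-common.inc\nprivate-dev\n' \
        > "$d/etc/firejail/chromium-common.profile"
    printf 'include disable-common.local\nblacklist /etc/shadow\n' \
        > "$d/etc/firejail/disable-common.inc"
    : > "$d/etc/firejail/globals.local"        # present; the other .local hooks are absent
    { cat "$d/etc/firejail/chromium.profile"; printf 'whitelist ${DOWNLOADS}\n'; } \
        > "$d/custom/chromium.profile"
}

# stand-alone run; on NixOS pass your profile and the store path shown in firejail's output:
#   resolve_includes ~/chromium.profile /nix/store/<hash>-firejail-<ver>/etc/firejail
demo=$(mktemp -d)
build_demo_profiles "$demo"
resolve_includes "$demo/custom/chromium.profile" "$demo/etc/firejail"
rm -rf "$demo"
```

The user profile is read first, then its relative includes land in the firejail store directory, which is the same sequence as the log above. To keep a custom profile from dragging in the stock chain, the include lines themselves have to be removed or pointed at absolute paths of your own files.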
With command: man firejail
One gets for example:
--build=profile-file
The command builds a whitelisted profile, and saves it in profile-file. The program is run in a very relaxed sandbox, with only --caps.drop=all and --nonewprivs. Programs that raise user privileges are not supported. Chromium and Chromium-based browsers will not work.
Example:
$ firejail --build=vlc.profile vlc ~/Videos/test.mp4