Firejail `wrappedBinaries` calling each other

When we have thunderbird and firefox both in firejail’s wrappedBinaries, we run into trouble trying to click links from thunderbird. This is the configuration:

```nix
programs.firejail = {
  enable = true;
  wrappedBinaries = let browserExtraArgs = [
    "--dbus-user.talk=org.freedesktop.portal.*" # For screen sharing
    "--whitelist=~/Pictures" # For uploading screenshots
    # for running firefox from thunderbird
    # without this clicking a link opens the application picker
    "--whitelist=/run/current-system/sw/bin/firefox"
  ]; in {
    firefox = {
      executable = "${pkgs.lib.getBin pkgs.firefox}/bin/firefox";
      profile = "${pkgs.firejail}/etc/firejail/firefox.profile";
      extraArgs = browserExtraArgs;
    };
    thunderbird = {
      executable = "${pkgs.lib.getBin pkgs.thunderbird}/bin/thunderbird";
      profile = "${pkgs.firejail}/etc/firejail/thunderbird.profile";
      extraArgs = browserExtraArgs;
    };
  };
};
```

and we get this error:

```
/run/current-system/sw/bin/firefox: line 2: /run/wrappers/bin/firejail: No such file or directory
```

I tried adding `--whitelist=/run/wrappers/bin/firejail`, but it has no effect. I also thought maybe it’s failing to find the interpreter, so I ran `patchelf --print-interpreter /run/wrappers/bin/firejail` and stuck the output in `--whitelist=` but that also didn’t help.

The basic issue here is that you’re trying to run the wrapped firefox from within the jail set up for thunderbird. In the first instance you’re hitting path problems because either it, or the firejail program, doesn’t exist, but even if you solve that you’ll then hit a problem trying to run firejail without sufficient privileges.

What you need is a jail that has both of the unwrapped executables in the one environment (or at least something for thunderbird to invoke that can launch a URL via the xdg portal / dbus to the running browser elsewhere).
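
A diagnostic for the two failure modes described in the answer above, added here as an example (not code from the thread or from NixOS/firejail): run from a shell inside the jail, it lists the paths a wrapper script needs (shebang interpreter and `exec` target) and flags any that are missing, or that are setuid while `NoNewPrivs` is set. The function names, the optional status-file parameter, and treating `NoNewPrivs` as the reason a setuid `firejail` cannot gain privileges are assumptions.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. Run it from a shell inside the jail.

# List the absolute paths a wrapper script needs to start: its shebang
# interpreter and the program named after "exec".
wrapper_deps() {
    awk 'NR == 1 && /^#!/ { sub(/^#![ \t]*/, ""); print $1; next }
         $1 == "exec"     { print $2 }' "$1"
}

# True if the given status file (default /proc/self/status) reports
# NoNewPrivs: 1, meaning execve() will not honour setuid bits.
no_new_privs_set() {
    grep -Eq '^NoNewPrivs:[[:space:]]+1$' "${1:-/proc/self/status}"
}

# Report each dependency of one wrapper; return 0 only if all are usable.
# $2 (status file) is a hypothetical parameter that exists for testing.
check_wrapper() {
    wrapper=$1 status=${2:-/proc/self/status} rc=0
    if [ ! -r "$wrapper" ]; then
        echo "MISSING   $wrapper (wrapper not visible in this jail)"
        return 1
    fi
    for dep in $(wrapper_deps "$wrapper"); do
        if [ ! -e "$dep" ]; then
            echo "MISSING   $dep"; rc=1
        elif [ -u "$dep" ] && no_new_privs_set "$status"; then
            echo "NO-SETUID $dep (setuid, but NoNewPrivs is set)"; rc=1
        else
            echo "OK        $dep"
        fi
    done
    return "$rc"
}

# Example: sh check-wrapper.sh /run/current-system/sw/bin/firefox
if [ "$#" -gt 0 ]; then check_wrapper "$@"; fi
```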