Problem Description: When I run google-chrome-stable in firejail I get no internet access!
I want to run chrome in firejail.
I’ve done:
sudo apt install firejail
sudo apt install firejail-profiles
firejail --version shows: 0.9.72
The below is with completely unmodified profile files, straight from install:
When I run I get the following:
$ firejail google-chrome-stable
Reading profile /etc/firejail/google-chrome-stable.profile
Reading profile /etc/firejail/google-chrome.profile
Reading profile /etc/firejail/chromium-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 15484, child pid 15485
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Child process initialized in 96.91 ms
[4:30:1214/175848.625858:ERROR:dbus/bus.cc:406] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[4:30:1214/175848.970341:ERROR:dbus/bus.cc:406] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[4:30:1214/175848.970471:ERROR:dbus/bus.cc:406] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
(chrome:4): dbind-WARNING **: 17:58:49.034: Couldn't connect to accessibility bus: Failed to connect to socket /run/user/1000/at-spi/bus: No such file or directory
[4:30:1214/175849.113864:ERROR:dbus/bus.cc:406] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[4:30:1214/175849.113903:ERROR:dbus/bus.cc:406] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[4:4:1214/175849.116376:ERROR:dbus/object_proxy.cc:573] Failed to call method: org.freedesktop.systemd1.Manager.StartTransientUnit: object_path= /org/freedesktop/systemd1: org.freedesktop.DBus.Error.InvalidArgs: Process 4 is a kernel thread, refusing.
[4:4:1214/175849.120094:ERROR:dbus/object_proxy.cc:573] Failed to call method: org.freedesktop.DBus.Properties.GetAll: object_path= /org/freedesktop/UPower/devices/DisplayDevice: unknown error type:
Created TensorFlow Lite XNNPACK delegate for CPU.
[4:32:1214/175851.180587:ERROR:google_apis/gcm/engine/registration_request.cc:275] Registration URL fetching failed.
Chrome runs, but any attempt to use the browser results in:
No internet
Try:
Checking the network cables, modem, and router
Reconnecting to Wi-Fi
ERR_INTERNET_DISCONNECTED
To be clear, Chrome internet access works just fine if I don't try to run it in firejail.
I tried uncommenting:
network yes
in /etc/firejail/firejail.config
That eliminated the “Warning: networking feature is disabled in Firejail configuration file” message, but chrome still has no internet access.
I attempted:
firejail google-chrome-stable --net=eth0
but this also did not grant internet access.
This isn’t a Chrome issue, it’s Firejail blocking network/DBus access by default.
A quick test is to run Chrome with host networking:
firejail --net=host google-chrome-stable
If that works, the issue is the Firejail profile. The recommended fix is to adjust the Chrome profile to allow NetworkManager via DBus. You can also confirm by testing:
firejail --noprofile google-chrome-stable
If internet works without the profile, then the profile needs DBus/network permissions enabled.
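firejail's syntax is `firejail [OPTIONS] [program and arguments]`: it stops reading its own options at the program name and passes everything after that to the program, so the position of `--net=...` decides whether the sandbox or Chrome receives it. The sketch below is an added example, not code from any post in this thread or from the firejail project; it models that rule and runs it over command lines that appear in the thread. The function names and the list of option prefixes are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: simplified model of `firejail [OPTIONS] [program and arguments]`.
# Function names and the prefix list are hypothetical, not part of firejail.

# Option prefixes worth flagging when they land after the program name.
FIREJAIL_OPT_PREFIXES="--net= --noprofile --profile= --private --whitelist="

# sandbox_opts firejail ARGS...: print the options firejail itself consumes.
sandbox_opts() {
    shift                                # drop the leading "firejail"
    out=""
    while [ $# -gt 0 ]; do
        case "$1" in
            --) break ;;                 # explicit end of firejail options
            -*) out="${out:+$out }$1" ;;
            *)  break ;;                 # program name: option parsing stops
        esac
        shift
    done
    printf '%s\n' "$out"
}

# misplaced_opts firejail ARGS...: print arguments that follow the program
# name but look like firejail options; the program receives them instead.
misplaced_opts() {
    shift
    while [ $# -gt 0 ]; do               # skip firejail's own options
        case "$1" in
            --) shift; break ;;
            -*) shift ;;
            *)  break ;;
        esac
    done
    if [ $# -gt 0 ]; then shift; fi      # drop the program name
    out=""
    for arg in "$@"; do
        for prefix in $FIREJAIL_OPT_PREFIXES; do
            case "$arg" in "$prefix"*) out="${out:+$out }$arg" ;; esac
        done
    done
    printf '%s\n' "$out"
}

# Command lines as they appear in this thread.
for cmd in "firejail google-chrome-stable --net=eth0" \
           "firejail --net=host google-chrome-stable" \
           "firejail --noprofile google-chrome-stable"; do
    printf '%-42s reads=[%s] misplaced=[%s]\n' \
        "$cmd" "$(sandbox_opts $cmd)" "$(misplaced_opts $cmd)"
done
```

An empty `reads=[]` with a non-empty `misplaced=[...]` means the sandbox ran with its default settings and the option went to the browser.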
Thank you so VERY much for replying! Sorry for the slow response.
This isn’t a Chrome issue
I recognize that. I just don’t understand what is wrong in my profile.
firejail google-chrome-stable --net=host
This starts chrome, BUT, not only no internet access, but it won’t even allow the keyboard to type in chrome.
firejail --noprofile google-chrome-stable
This works!!! At least, sort of. Chrome starts, AND gets internet access.
BUT, the chrome browser has full access to any file on my computer. At least, when I go to an “upload a file” site, it opens a file dialog with access to everything on my machine. So I’m assuming that means that anything running in the browser could get read access to any file on my system?
What I want is to run chrome with ONLY access to its own folder.
What do I need to fix in the profile to make that happen?
Or am I misunderstanding how sandboxing works?
If I am in a firejailed session of chrome, and I go to a website that asks me to upload a file. It opens a file dialog, and my entire home folder, and all attached drives, are all available for upload, then that means that the browser has access to all of those files? Correct?
So that if I get it sandboxed the way I want, the browser should have access to the internet, and any files in its own folder, and perhaps the download folder, and nothing else?
And, I think I HAVE been misunderstanding how sandboxing works in a browser.
It looks like the BROWSER has access to the file dialog, and therefore to all files on the system, but the webpage (or application) running within the browser does NOT. The webpage can trigger the file dialog, but can not get to any files without the user deliberately clicking to make it so.
Is this understanding correct? Because if it is, I probably do not need any extra security for this beyond the built in browser sandboxing.
The browser itself has access to the file dialog and the local file system, because it is a native application running on your machine.
A webpage or web app inside the browser does not have direct access to your files.
The webpage can request that a file dialog be opened, but it cannot read or browse any files unless you explicitly select them.
Even then, the webpage only gets access to the specific file(s) you chose, not your entire system or folders.
In simple terms:
The browser acts as a trusted intermediary. A website can only see what you deliberately allow it to see.
As long as you are using a modern, up-to-date browser and you are cautious with browser extensions and downloads, the built-in browser sandboxing is generally sufficient for this use case.
Extra security layers are usually only needed in edge cases, such as malicious extensions, rare browser vulnerabilities, or running untrusted local executables — not for normal file uploads via a website.
So, issue here is that I WILL be using a browser extension. It is supposedly a completely safe and trustworthy browser extension. But I’m not a trusting soul.
It looks like, if I’m running a browser extension and I want to absolutely ensure good behavior, I’ll need to set up a firejail or apparmor profile that will limit access to the filesystem, while still allowing access to the internet.
You’re basically on the right track. A browser extension runs inside the browser sandbox, so it already cannot access your filesystem unless you explicitly allow it (for example via a file picker).
If you want extra peace of mind:
Using Firejail with your browser is a reasonable and simple extra layer
AppArmor also works, but it’s more complex and usually not necessary for this case
For most users:
A fully updated browser + minimal extension permissions is already enough
Firejail is optional, not required
So you’re thinking about this correctly — just don’t overcomplicate it unless you have a very high threat model.