firefox: cannot run if installed in $HOME

[opqriu]

I use Debian Stable.
I uninstalled firefox-esr.

After I downloaded the firefox-lasted.tar.xz file from the official site,
I unzipped it to the location "~/.firefox".

And I typed the following command:
sudo ln -s ~/.firefox/firefox /bin

Now, I am using Firefox normally.
And I installed firejail...

~$ firejail firefox
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 4277, child pid 4278
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Post-exec seccomp protector enabled
Seccomp list in: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup ,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,listumount,syslog,vmumount @default-keep, prelist: adjtimex,clock_adjtime,clock_settime,settimeofday,modify_ldt,lookup_dcookie,perf_event_open,process_vm_writev,delete_module,finit_module,init_module,_sysctl,afs_syscall,create_module,_sysctl,afs_syscall,create_module,get_kernelscallgmodule,useymgfs,get_kernelscallgxsecurity,pms,getpm_callsg module,psyms, ,ustat,vserver,ioperm,iopl,kexec_load,kexec_file_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,ioset_getio_events,io_setup ,mount,name_to_handle_at,nfsservctl,open_by_handle_at,pers onality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount2,userfaultfd,vhangup,vmsplice,
Child process initialized in 151.25 ms
Error: no suitable firefox executable found

Parent is shutting down, bye...

It does not work.
Thank you for reading my question.

[reinerh]

The directory ~/.firefox is not whitelisted by default, that's why it can't find the binary (and any other file inside).

You could add new whitelisted directories to /etc/firejail/firefox.local.

whitelist ${HOME}/.firefox

Or you just move your installation to ~/.mozilla, which is already whitelisted.

[rusty-snake]

As already @reinerh said, you need to whitelist ${HOME}/.firefox so that it appears in the sandbox. In addition you need to ignore noexec ${HOME} and ignore apparmor (appamor make $HOME noexec too).

ignore apparmor
ignore noexec ${HOME}
whitelist ${HOME}/.firefox

EDIT: And you can add read-only ${HOME}/.firefox to /etc/firefox/disable-common.local so other jails can not modify it. Firefox will then need ignore read-only ${HOME}/.firefox to update itself.

[opqriu]

Very very thanks. Im happy. 😆😆😆