Firefox-based browsers have issues with cursor hiding in sway WM (NixOS) #5611

Open
FarisFiroz opened this issue Jan 22, 2023 · 26 comments
Labels
needinfo More information is needed from the issue author

Comments

@FarisFiroz

FarisFiroz commented Jan 22, 2023

Description

On a firejail sandboxed instance of firefox based browsers on swayWM, if the cursor is changed inside the browser, it has trouble changing back. This is most notable when the cursor is hidden such as when viewing a video. Once this happens, the cursor is forever hidden inside that window. Moving the cursor outside the window fixes it, but moving the cursor back inside the window breaks it.

Steps to reproduce

  1. Use the default librewolf firejail profile and launch librewolf inside of firejail on swayWM. (You can also use firefox to achieve the same effect)
  2. Open a video of some sort (Youtube).
  3. Put mouse over video or fullscreen and wait for mouse to hide.
  4. Once mouse hides, move the mouse.

Expected Behavior: Mouse unhides after moving it.
Actual Behavior: Mouse continues to stay hidden after moving it.

Extra testing

  1. This issue is caused by firejail, running librewolf/firefox without firejail has no such issues.
  2. This issue does not happen on KDE-PLASMA running wayland
  3. This issue does not occur with chromium

Supplemental Information

Firejail version: 0.9.70
SwayWM version: 1.7
Distribution: NixOS 22.11

@FarisFiroz FarisFiroz changed the title Running a Firejail sandbox on librewolf inside the sway WM has issues with cursor hiding Running a Firejail sandbox on firefox based browsers inside the sway WM has issues with cursor hiding Jan 22, 2023
@rusty-snake
Collaborator

Can you test with --noprofile.

@FarisFiroz
Author

FarisFiroz commented Jan 22, 2023

Yes, --noprofile allows for it to work as expected. I did just notice something though. I have a qt mouse when running with --noprofile or when not sandboxed at all. However, when running with the librewolf.profile and firefox.profile, I do not. I believe this may be relevant.

@FarisFiroz
Author

FarisFiroz commented Jan 22, 2023

I checked the console and now see this:

Gdk-Message: 10:01:17.733: Unable to load left_ptr from the cursor theme

but only when sandboxed with firejail using the librewolf profile. That's a gtk error so honestly I'm a bit lost, maybe I was wrong in my last message about it being a qt cursor.

@glitsj16
Collaborator

Gdk-Message: 10:01:17.733: Unable to load left_ptr from the cursor theme

See https://wiki.archlinux.org/title/Cursor_themes#Create_links_to_missing_cursors. In fact, that whole wiki page might be helpful to check. AFAIK mozilla browsers use GTK theming, so if you're using Qt cursor theme(s) this would make sense.

@FarisFiroz
Author

See https://wiki.archlinux.org/title/Cursor_themes#Create_links_to_missing_cursors. In fact, that whole wiki page might be helpful to check.

I read through this, but unfortunately I am using nixOS and don't have a .icons directory at all. I did however do a check, I am using the breeze gtk theme and not the breeze qt theme. They look identical so I got a bit confused.

@kmk3 kmk3 changed the title Running a Firejail sandbox on firefox based browsers inside the sway WM has issues with cursor hiding Firefox-based browsers have issues with cursor hiding in sway WM (NixOS) Jan 22, 2023
@rusty-snake
Collaborator

So the reason could be that the cursor icon isn't accessible by Firefox. Now the question is where is it installed or configured.

@FarisFiroz
Author

Okay so here is what I have found so far:

The theme is stored in the /nix/store. This is where all packages in nixOS are stored. (This may be different if using home-manager, but I am not.)

The good thing is, every node in the nix-store is immutable so I don't believe allowing read access to them from a container/sandbox poses any security risk.

That being said, it does mean that someone who is willing to look through my store can read the different packages, derivations, etc. that I have built, so it's not exactly the "best" solution.

@FarisFiroz
Author

Update: Allowing read-write access to the nix-store and nix-var does not fix anything

@kmk3
Collaborator

kmk3 commented Jan 22, 2023

Does this happen with firejail 0.9.72?

This does indeed seem like a path-related issue, so try disabling/commenting
all whitelist commands (for example, in librewolf.profile) to see if it works.

Then re-enable one by one to see which one breaks it.

If it does not change anything, considering that --noprofile works, try
doing the above for all commands in the profile (and included profiles).
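
The bisection described in the comment above, as an added example that is not part of the original thread or of the firejail project: it writes one copy of a profile per step, each with one more whitelist-related line re-enabled. The `#BISECT` marker, the `step-N.profile` file names and the sample profile are constructed for illustration.

```shell
#!/bin/sh
# Added example: generate bisection variants of a firejail profile.
# Candidates are active `whitelist ...` and `include whitelist-*.inc` lines.
CAND='^[ \t]*(whitelist[ \t]|include[ \t]+whitelist-)'

# Print the number of candidate lines in profile $1.
count_candidates() {
    awk -v re="$CAND" '$0 ~ re { n++ } END { print n + 0 }' "$1"
}

# Print profile $1 with only the first $2 candidates left active;
# the remaining candidates are commented out with a "#BISECT " marker.
profile_variant() {
    awk -v re="$CAND" -v keep="$2" '
        $0 ~ re { n++; if (n > keep) { print "#BISECT " $0; next } }
        { print }
    ' "$1"
}

# Write step-0 .. step-N into directory $2 and print N.
# step-0 has every candidate disabled, step-N equals the input profile.
write_variants() {
    total=$(count_candidates "$1")
    mkdir -p "$2"
    k=0
    while [ "$k" -le "$total" ]; do
        profile_variant "$1" "$k" > "$2/step-$k.profile"
        k=$((k + 1))
    done
    echo "$total"
}

# Demo on a constructed sample (not the real librewolf.profile).
demo_dir=$(mktemp -d)
cat > "$demo_dir/sample.profile" <<'EOF'
include disable-common.inc
whitelist ${HOME}/.librewolf
whitelist ${HOME}/.cache/librewolf
include whitelist-common.inc
include whitelist-run-common.inc
seccomp
EOF
n=$(write_variants "$demo_dir/sample.profile" "$demo_dir/variants")
echo "wrote step-0..step-$n in $demo_dir/variants"
```

Run each variant with `firejail --profile=<path> librewolf`, starting from step-0; the first step at which the cursor problem returns names the line that was just re-enabled. Lines inside included files are not expanded, so run the script on those files separately.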

@FarisFiroz
Author

It seems that uncommenting the inclusion of the Firefox.profile does do "something". It is able to find a theme. With that being said, this is not breeze-dark (my theme), I have no idea where it is getting this data from. That being said, this is an improvement from not having a theme whatsoever. I will look more into firefox.profile to see what is breaking from inside that.

@FarisFiroz
Author

Does this happen with firejail 0.9.72?

Unfortunately, nix packages doesn't have 0.9.72 even on the unstable branch.

@FarisFiroz
Author

FarisFiroz commented Jan 22, 2023

I have found the issue.

The line

include whitelist-run-common.inc

breaks things.

Moreover

apparmor-replace

is not valid according to the errors I'm getting.

Will now look into whitelist-run-common.inc.

@FarisFiroz
Author

So it seems that trying to whitelist anything from the /run directory on nixos breaks things. I have tried to read and understand the debug log but I don't understand what's wrong. I have attached the debug output below.

output.txt

@glitsj16
Collaborator

glitsj16 commented Jan 23, 2023

apparmor-replace is not valid according to the errors I'm getting.

We already ignore apparmor in librewolf.profile. To me it makes sense to also ignore apparmor-replace there. You could open a PR for that. Before doing so it might help if you could show the errors from which you conclude it 'is not valid'. I can't see anything related to AppArmor in your attached output.txt.

Also, as indicated by your output.txt there are several overrides (*.local files that get included too) in play here. I'm not suggesting there's something wrong with that. But it makes debugging this slightly more difficult without seeing their content. Please post those as well.

@glitsj16 glitsj16 added the needinfo More information is needed from the issue author label Jan 23, 2023
@FarisFiroz
Author

FarisFiroz commented Jan 23, 2023

I can't see anything related to AppArmor in your attached output.txt.

Apologies, I uncommented apparmor-replace. Here is my error:

Error: line 36 in /home/faris/.config/FirejailProfiles/firefox-common.profile is invalid

Also, as indicated by your output.txt there are several overrides (*.local files that get included too) in play here. I'm not suggesting there's something wrong with that. But it makes debugging this slightly more difficult without seeing their content. Please post those as well.

Unfortunately, I have not set up any overrides, it must be nixos's doing. The only thing that I have done is copy paste the profiles into my home folder so I can edit them. (They are immutable by default due to nixos).

Just FYI, I uncommented most of the files in whitelist-run-common.inc when taking this output. I was uncommenting and recommenting things as needed. I will set everything to default and take another output.

@glitsj16
Collaborator

Error: line 36 in /home/faris/.config/FirejailProfiles/firefox-common.profile is invalid
...
Unfortunately, I have not set up any overrides, it must be nixos's doing.

Thank you for this info. Regarding apparmor-replace. That was introduced after 0.9.70 was released, so the error looks correct. I'm not familiar with nixos, nor with the way it packages Firejail. But seeing newer profiles mixed into an older release isn't exactly reassuring. If it was me I'd report such things on a OS bug tracker.

Alas, I'm clueless at the moment on how to proceed here to fix the issue. Hopefully you can find something to drop from or add to whitelist-run-common.inc.

@FarisFiroz
Author

FarisFiroz commented Jan 23, 2023

But seeing newer profiles mixed into an older release isn't exactly reassuring. If it was me I'd report such things on a OS bug tracker.

This is my fault. It's difficult to find the immutable /etc/ specifically for the package and I found it easier to download the necessary files from the repo. I apologize.

I've included the other output directly using the immutable etc for the package.
output.txt

@glitsj16
Collaborator

This is my fault...

No worries, that can happen. You're not the first one to try newer profiles on an older release to fix a problem. Just keep in mind that this is likely to create incompatibility issues and is not advised.

[...]
Starting application
LD_PRELOAD=(null)
execvp argument 0: /nix/store/ni0fhr4sxyxx9l627dpzzqss4842iwvq-librewolf-109.0-1/bin/librewolf
Crash Annotation GraphicsCriticalError: |[0][GFX1-]: glxtest: VA-API test failed: failed to initialise VAAPI connection. (t=2.2008) [GFX1-]: glxtest: VA-API test failed: failed to initialise VAAPI connection.
console.error: (new SyntaxError("The URI is malformed.", (void 0), 133))
console.error: (new SyntaxError("The URI is malformed.", (void 0), 133))
console.error: (new SyntaxError("The URI is malformed.", (void 0), 133))
console.error: (new SyntaxError("The URI is malformed.", (void 0), 133))
console.error: (new SyntaxError("The URI is malformed.", (void 0), 133))
console.error: BroadcastService: 
  receivedBroadcastMessage: handler for
  remote-settings/monitor_changes
  threw error:
  Message: Error: Polling for changes failed: The URI is malformed..
[...]

In this context we can ignore the VA-API part. Does librewolf 109.0 throw the same console error when started without firejail? The execvp argument 0: /nix/store/ni0fhr4sxyxx9l627dpzzqss4842iwvq-librewolf-109.0-1/bin/librewolf indicates no URI was fed to it. Why it would complain about a malformed URI in such case is beyond me. What happens when you run it with https://example.org (or any other specific one you use regularly)?

@FarisFiroz
Author

FarisFiroz commented Jan 23, 2023

Yes this is not an issue with firejail. It seems to do this regardless of if I put a valid URL in. Either way, this doesn't seem to inhibit the usability of the program.

@kmk3
Collaborator

kmk3 commented Jan 23, 2023

@glitsj16 on Jan 23:

[...]
Starting application
LD_PRELOAD=(null)
execvp argument 0: /nix/store/ni0fhr4sxyxx9l627dpzzqss4842iwvq-librewolf-109.0-1/bin/librewolf
Crash Annotation GraphicsCriticalError: |[0][GFX1-]: glxtest: VA-API test failed: failed to initialise VAAPI connection. (t=2.2008) [GFX1-]: glxtest: VA-API test failed: failed to initialise VAAPI connection.
console.error: (new SyntaxError("The URI is malformed.", (void 0), 133))
console.error: (new SyntaxError("The URI is malformed.", (void 0), 133))
console.error: (new SyntaxError("The URI is malformed.", (void 0), 133))
console.error: (new SyntaxError("The URI is malformed.", (void 0), 133))
console.error: (new SyntaxError("The URI is malformed.", (void 0), 133))
console.error: BroadcastService: 
  receivedBroadcastMessage: handler for
  remote-settings/monitor_changes
  threw error:
  Message: Error: Polling for changes failed: The URI is malformed..
[...]

In this context we can ignore the VA-API part. Does librewolf 109.0 throw the
same console error when started without firejail? The execvp argument 0: /nix/store/ni0fhr4sxyxx9l627dpzzqss4842iwvq-librewolf-109.0-1/bin/librewolf
indicates no URI was fed to it. Why it would complain about a malformed URI
in such case is beyond me. What happens when you run it with
https://example.org (or any other specific one you use regularly)?

FWIW I get similar errors on Artix and the program seems to work fine (though
I'm not using any special themes). I think that these specific ones started on
109, but librewolf has been printing weird JS errors on startup for a while.

@glitsj16
Collaborator

@kmk3 Thanks for these de-confusing details on latest librewolf :-)

It would be nice to find out if indeed whitelist-run-common.inc is (fully) broken on nixos. But at the moment I'm unable to install a third OS on my laptop to play around with it.

@FarisFiroz
Author

FarisFiroz commented Jan 24, 2023

It would be nice to find out if indeed whitelist-run-common.inc is (fully) broken on nixos.

It is not "fully" broken as far as I can tell. whitelist-run-common.inc works fine (minus the cursor issue) when using the default firefox-common.profile in the immutable /etc. Unfortunately, it seems to fully break the minute I am using a firefox-common.profile not in the package's immutable /etc.

@glitsj16
Collaborator

glitsj16 commented Jan 24, 2023

Unfortunately, it seems to fully break the minute I am using a firefox-common.profile not in the package's immutable /etc.

Can you create per-user overrides in ${HOME}/.config/firejail? In other words, you do have access to Firejail's overrides functionality on nixos, correct? Although syntactically different, the below should all have the same result.

$ cat ~/.config/firejail/firefox-common.local
ignore include whitelist-run-common.inc

Or

$ cat ~/.config/firejail/firefox-common.profile
ignore include whitelist-run-common.inc
include /etc/firejail/firefox-common.profile

Or

$ cat ~/.config/firejail/librewolf.local
ignore include whitelist-run-common.inc

@FarisFiroz
Author

The overrides feature is working (at the very least, my .local file is being loaded). However,

ignore whitelist-run-common.inc

does nothing.

@glitsj16
Collaborator

Glad to hear your overrides are being loaded. Less happy about the mistake I made :-) It should be ignore include whitelist-run-common.inc! My apologies. I've edited the examples with the correct option.

@FarisFiroz
Author

FarisFiroz commented Jan 27, 2023

Less happy about the mistake I made :-)

No worries, it's nice to see that I can finally get back to debugging the issue.

Anyways yes, putting the new setting into firefox-common.local has the same behavior as using custom profiles.


4 participants