1

I have custom links in my personal wiki to do routine tasks on my computer. For example, when I click the URL mysecretprotocol://launch-calculator, Firefox would run ~/.bin/run-from-firefox launch-calculator (a script I wrote) which in turn runs /usr/bin/gnome-calculator. To configure this in Firefox, I opened about:config, created the config option network.protocol-handler.expose.mysecretprotocol, and set it to false.

This worked well for years. However, when I upgraded to Ubuntu 22.04, the custom links stopped working. Now, when I click a custom link, nothing visible happens but this line is added to /var/log/syslog:

May 18 18:30:01 localhost kernel: [76081.618924] audit: type=1400 audit(1652895001.147:1326): apparmor="DENIED" operation="exec" profile="snap.firefox.firefox" name="/run/user/1000/doc/7d7ed56a/run-from-firefox" pid=47023 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000

How do I make these custom links work again while still running Firefox as a snap? (I do not want to move to a way of running Firefox that Canonical does not support.)

Related resources:

Update: I realized that the Zoom client for Linux does exactly what I want. I click on a Zoom meeting link, it opens a page on the Zoom website, and that page launches the Zoom client (/usr/bin/zoom) without any further interaction, even when Firefox is installed as a snap. (The first time I did this, Firefox prompted me for permission.) How can I do this for my own program?

bitinerant
  • Snaps are isolated by design, with limited connections to the rest of the system. The Firefox snap is only allowed to see your `/home` directory. Why do you insist on the Snap version? ([link](https://askubuntu.com/questions/1399383/how-to-install-firefox-as-a-traditional-deb-package-without-snap-in-ubuntu-22/1399385#1399385)) – harrymc May 18 '22 at 17:54
  • @harrymc - the script I want Firefox to run is in my home directory. Besides, I have root on the system, so I should be able to modify what is needed to allow Firefox to run my script. If I install Firefox as a deb or Flatpak, this is something extra I will have to support for years to come. I want a long-term, low-support option. Also, my understanding is that the snap version of Firefox is more secure, though I have not done the research. – bitinerant May 18 '22 at 17:59
  • The problem might be that run-from-firefox does not reside in home. – harrymc May 18 '22 at 18:02
  • 1
    IIUC, Snap doesn't allow custom protocol handlers at all. The ones that work are on a hardcoded whitelist (here: https://github.com/snapcore/snapd/blob/master/usersession/userd/launcher.go) – user2543253 May 31 '22 at 12:07
  • Just a guess here. I'm a server guy and my approach works when a client needs their apache2 web server (running as a limited user such as "www-data") to run a command ordinarily reserved for root. Look at your /etc/sudoers file and give appropriate permissions for the script you want firefox to execute. Also consider "ssh" being the command against root@localhost which should provide Power of God to run anything to that user (anywhere, in fact). If it's all local and you have no security concerns. – TheSatinKnight Jun 03 '22 at 21:47
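
The AppArmor denial quoted in the question can be read field by field. The following is an added example, not code from the question or from snapd: it parses such audit records and reports which snap profile denied which operation on which path. The function names are hypothetical, and the `/run/user/<uid>/doc/` check assumes the usual xdg-document-portal mount location.

```python
import re

# Audit record copied from the question.
SAMPLE = ('May 18 18:30:01 localhost kernel: [76081.618924] audit: type=1400 '
          'audit(1652895001.147:1326): apparmor="DENIED" operation="exec" '
          'profile="snap.firefox.firefox" '
          'name="/run/user/1000/doc/7d7ed56a/run-from-firefox" pid=47023 '
          'comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000')

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Assumption: xdg-document-portal exports files under /run/user/<uid>/doc/<id>/.
PORTAL_RE = re.compile(r"^/run/user/\d+/doc/[0-9a-f]+/")


def parse_fields(line):
    """Split an audit record into its key=value pairs."""
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        value = bare if bare else quoted
        # The audit subsystem hex-encodes untrusted strings (for example a
        # path containing a space) and writes them without quotes.
        if key == "name" and bare:
            try:
                value = bytes.fromhex(bare).decode("utf-8", "replace")
            except ValueError:
                pass  # not hex: keep the bare value unchanged
        fields[key] = value
    return fields


def explain_denial(line):
    """Summarise an AppArmor DENIED record; return None for anything else."""
    f = parse_fields(line)
    if f.get("apparmor") != "DENIED":
        return None
    parts = f.get("profile", "").split(".")
    path = f.get("name", "")
    return {
        "snap": parts[1] if parts[0] == "snap" and len(parts) >= 3 else None,
        "operation": f.get("operation"),
        "path": path,
        "denied_mask": f.get("denied_mask"),
        "via_document_portal": bool(PORTAL_RE.match(path)),
    }


if __name__ == "__main__":
    print(explain_denial(SAMPLE))
```

For the record in the question, the summary shows that the denied `exec` was on a path under `/run/user/1000/doc/`, not on `~/.bin/run-from-firefox` itself.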

0 Answers