telegram: cannot open links in browser

[YorkZ]

Description

Unable to open hyperlinks in Telegram

Steps to Reproduce

1. Run in bash telegram-desktop
2. Click on a hyperlink in any chat

Expected behavior

The link should be opened in the web browser.

Actual behavior

The link isn't opened

Behavior without a profile

The link gets opened in the web browser when clicking it in Telegram.

Additional context

The issue went away after noblacklist bash and sh:

noblacklist ${PATH}/bash
noblacklist ${PATH}/sh

And I've open PR #4783 as a proposal to address the issue.

Environment

• Linux distribution and version: Arch Linux
• Firejail version: 0.9.66

Checklist

• The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
• I can reproduce the issue without custom modifications (e.g. globals.local).
• The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
• The profile (and redirect profile if exists) hasn't already been fixed upstream.
• I have performed a short search for similar issues (to avoid opening a duplicate).
  • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
• I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail telegram-desktop

Reading profile /etc/firejail/telegram-desktop.profile
Reading profile /etc/firejail/telegram.profile
Reading profile ~/.config/firejail/telegram.local
Reading profile ~/.config/firejail/globals.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Ignoring "dbus-user.talk org.freedesktop.Notifications" and 3 other dbus-user filter rules.
Parent pid 58643, child pid 58644
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping crypto-policies for private /etc
Warning fcopy: skipping /etc/fonts/conf.d/11-lcdfilter-default.conf, cannot find inode
Warning: skipping pki for private /etc
Private /etc installed in 30.81 ms
Private /usr/etc installed in 0.00 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Child process initialized in 220.47 ms
Error: cannot read UID_MIN and/or GID_MIN from /etc/login.defs, using 1000 by default
Error: cannot read UID_MIN and/or GID_MIN from /etc/login.defs, using 1000 by default
Warning: an existing sandbox was detected. /usr/bin/telegram-desktop will run without any additional sandboxing features

(telegram-desktop:20): Telegram-WARNING **: 21:12:37.431: Application was built without embedded fonts, this may lead to font issues.
[ALSOFT] (EE) Failed to set real-time priority for thread: Operation not permitted (1)
error: : cannot open
error: : cannot open
error: : cannot open
Failed to establish dbus connectionqt.svg: Error while inflating gzip file: SVG format check failed
Corrupt JPEG data: premature end of data segment
Launch failed (/usr/bin/xdg-open https://images.app.goo.gl/s6pqdz6AApaaNWTF6)

[glitsj16]

Aha, I think I see where the confusion discussed in PR #4783 stems from. As you state, your using firejail 0.9.66 on Arch Linux. That version indeed does not have private-bin enabled. That's brought in recently via this commit, so my earlier assumptions were off here. There have been other changes to telegram.profile since 0.9.66-3 from the official Arch Linux repo, regarding D-Bus. Here's my suggestion. Until we cut a new release you can add your needed fixes to a telegram.local override. For the PR you'll need to additionally add bash, sh and xdg-open to the now enabled private-bin. I'll add a comment about this to the PR too.

Hope this clears up the confusion. And thanks for reporting!

[YorkZ]

@glitsj16 Yep, I figured this out and have updated in the PR #4783 discussion. Could you check my comments there?

[glitsj16]

@YorkZ I just merged your PR and added credits to the README. Thanks again for your efforts and reporting. I'll close this but feel free to re-open if the issue returns.

Regards

[YorkZ]

@YorkZ I just merged your PR and added credits to the README. Thanks again for your efforts and reporting. I'll close this but feel free to re-open if the issue returns.

Thanks a lot for your help.