Opening URLs outside the sandbox using unix sockets

[ScoreUnder]

In this case I am specifically thinking about opening the browser from a sandbox with Discord in. Rather than allowing it to open any URL I want to be able to provide a process like this:

1. a replacement browser program inside the sandbox scrapes the URL from its command line and sends it as a message via a unix socket or something to a counterpart waiting outside the sandbox
2. the program outside the sandbox presents the user with a message confirming that they want to browse to that site
3. the program will then open the browser at that URL, if the user allowed it

I have been told by others that if I'm going to do something like this, I "might as well not sandbox Discord at all", a sentiment with which I strongly disagree. Providing manually authorised and strongly restricted sandbox escapes isn't the same thing as having no security (and is in fact the main purpose of firejail's various options like X11 support), so if anyone wants to have that discussion, respectfully, I am not here for it.

Does anyone know how this might be possible with Firejail?

Relates to:

• [meta] Opening links outside of the sandbox #6462

[glitsj16]

Some time ago I created a few simple shell scripts to do something similar: https://github.com/glitsj16/firejail-handler-http. You might get some inspiration from those. It relies on xdg-open to temporarily store a file containing the URL from inside the sandbox, so not a unix socket. Outside the sandbox a counterpart script uses inotifywait to intercept the URL and pass it on to a web browser of choice (defaulting to Firefox). You will need to add something with zenity or the like to present the user with a basic allow/dismiss GUI.

[kmk3]

This is being tracked at:

• [meta] Opening links outside of the sandbox #6462

See the following for an example that uses unix pipes:

• Custom URL handlers and fireurl #5582