Add missing paths for:
* lua (for mpv)
* mplayer
* mpv
* smplayer
* vlc
Apparently mpv plugins may break without the lua path; see commit
ccff014de ("fix Lua in mpv.profile", 2020-07-28) / issue #3554.
Command used to search for relevant profiles:

    $ git grep -IE -l '/\.?(s?mplayer|mpv|vlc)' -- etc

This is a follow-up to commit e4ebbfafe ("profiles: ensure allow-lua
where mpv is allowed (#6555)", 2024-11-29).
Currently whitespace is left as is within an entry.
In a `protocol` entry, if there is whitespace between the command and
its argument or around an item, the item in question is dropped from the
output.
Changes:

* `protocol`: Strip all whitespace in the argument
* Other commands: Strip leading/trailing whitespace around each item,
  including any extra whitespace between a command and its argument

Note: Whitespace characters inside paths are left as is, as some paths
(such as `Foo Bar`) may contain spaces.
Before:

    $ printf 'private-bin a,b\nprivate-bin a,b\nprivate-bin b,a\nprivate-bin C,A B\nprotocol unix,net\nprotocol inet,unix\n' \
      >foo.profile
    $ ./contrib/sort.py -n foo.profile
    sort.py: checking 1 profile(s)...
    foo.profile:5:-protocol unix,net
    foo.profile:5:+protocol
    foo.profile:6:-protocol inet,unix
    foo.profile:6:+protocol unix

After:

    $ printf 'private-bin a,b\nprivate-bin a,b\nprivate-bin b,a\nprivate-bin C,A B\nprotocol unix,net\nprotocol inet,unix\n' \
      >foo.profile
    $ ./contrib/sort.py -n foo.profile
    sort.py: checking 1 profile(s)...
    foo.profile:2:-private-bin a,b
    foo.profile:2:+private-bin a,b
    foo.profile:3:-private-bin b,a
    foo.profile:3:+private-bin a,b
    foo.profile:4:-private-bin C,A B
    foo.profile:4:+private-bin A B,C
    foo.profile:5:-protocol unix,net
    foo.profile:5:+protocol unix
    foo.profile:6:-protocol inet,unix
    foo.profile:6:+protocol unix,inet

Currently the output is mangled if the last item on the line contains
trailing whitespace and is moved when sorting.
So remove trailing whitespace in all lines (that is, not just in lines
containing supported commands).
Leave leading whitespace as is for now since it could potentially be
used for indentation.
Before:

    $ printf '# hello world \nprivate-bin a,b \nprivate-bin b,a \nprivate-bin a,b\n' \
      >foo.profile
    $ ./contrib/sort.py -n foo.profile | tr ' ' .
    sort.py:.checking.1.profile(s)...
    foo.profile:3:-private-bin.b,a..
    foo.profile:3:+private-bin.a..,b

After:

    $ printf '# hello world \nprivate-bin a,b \nprivate-bin b,a \n' \
      >foo.profile
    $ ./contrib/sort.py -n foo.profile | tr ' ' .
    sort.py:.checking.1.profile(s)...
    foo.profile:1:-#.hello.world..
    foo.profile:1:+#.hello.world
    foo.profile:2:-private-bin.a,b..
    foo.profile:2:+private-bin.a,b
    foo.profile:3:-private-bin.b,a..
    foo.profile:3:+private-bin.a,b

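
The whitespace rules from the two commit messages above (per-item stripping, whitespace-free `protocol` arguments, trailing whitespace removed on every line), as an added example that is not the code of contrib/sort.py. The function names, the `LIST_COMMANDS` subset and the full `PROTOCOL_ORDER` tuple are assumptions made for this example; `unknown_protocols()` is a hypothetical helper that lists the names a fix would silently drop from the sandbox's protocol list.

```python
import re

# Assumed for this example: a subset of list commands and a canonical protocol order.
LIST_COMMANDS = ("private-bin", "private-etc")
PROTOCOL_ORDER = ("unix", "inet", "inet6", "netlink", "packet", "bluetooth")


def sort_items(arg):
    """Strip whitespace around each item, drop empties/duplicates, sort ignoring case."""
    items = {item.strip() for item in arg.split(",")}
    return ",".join(sorted(filter(None, items), key=str.casefold))


def split_protocols(arg):
    """Remove all whitespace from a protocol argument and split it into names."""
    return [name for name in "".join(arg.split()).split(",") if name]


def sort_protocols(arg):
    """Keep known protocols in canonical order (plain names only, no prefixes)."""
    wanted = set(split_protocols(arg))
    return ",".join(name for name in PROTOCOL_ORDER if name in wanted)


def unknown_protocols(arg):
    """Names that sort_protocols() would drop; review these before accepting a fix."""
    return [name for name in split_protocols(arg) if name not in PROTOCOL_ORDER]


def normalize_line(original_line):
    """Return the fixed form of one profile line."""
    line = original_line.rstrip()  # trailing whitespace is removed on every line
    match = re.match(r"(\S+)\s+(.*)", line)  # does not match an indented line
    if not match:
        return line  # leading whitespace is left as is
    command, arg = match.groups()
    if command == "protocol":
        return f"{command} {sort_protocols(arg)}".rstrip()
    if command in LIST_COMMANDS:
        return f"{command} {sort_items(arg)}"
    return line


if __name__ == "__main__":
    # Constructed sample lines, not taken from a real profile.
    for sample in ("# hello world  ", "private-bin  C , A B ",
                   "protocol  inet , unix", "protocol unix,net"):
        print(repr(sample), "->", repr(normalize_line(sample)))
```
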
Rename `line` to `original_line` to make it less likely to accidentally
read from/write to it instead of the fixed line.
Rename `fixed_line` to `line` to make the code shorter since it is now
referenced much more often (up to 3 times in the same line of code) than
the original line.
See also commit aa17ca5fc ("sort.py: rename protocols to
original_protocols", 2022-10-17) / PR #5429.
This is currently only present in `private-etc` in mutt.profile, though
it may also be used by other programs that use GNU TLS.
This was added to mutt.profile on commit a8a8e33bc ("Add whitelisting to
mutt; improve geary, new profile for neomutt", 2020-12-28) / PR #3849.
Relates to #6400.
mpv crashes if luajit is blocked:

    $ firejail --quiet --noprofile \
      --include=/etc/firejail/disable-interpreters.inc /usr/bin/mpv
    /usr/bin/mpv: error while loading shared libraries: libluajit-5.1.so.2: cannot open shared object file: Permission denied

So make sure that allow-lua.inc is always included when mpv paths (such
as ~/.config/mpv) are allowed.
Environment: luajit 2.1.1727870382-1, mpv 1:0.39.0-3 on Artix Linux.
Related commits:

* db2bdaadd ("add lua support for mpv (#3243)", 2020-02-24) /
  PR #3243
* d6a6fb905 ("Allow Lua for mpv in dolphin.profile", 2020-04-18) /
  issue #3363
* f3585e539 ("fixes, closes, enhances, improvements, and so on",
  2020-11-09) /
  issue #3686
* 3ec523f11 ("profiles: anki: allow lua", 2024-11-14) /
  PR #6545

As reported by @kmille[1]:
The current `tesseract` profile breaks `ocrmypdf`:

    kmille@linbox:scans ocrmypdf C.pdf del.pdf
    Scanning contents ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 1/1 0:00:00
    1 Error, could not create hOCR output file: No such file or directory tesseract.py:253
    1 Error, could not create TXT output file: No such file or directory tesseract.py:253
    OCR ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 0% 0/1 -:--:--
    An exception occurred while executing the pipeline _common.py:294
    Traceback (most recent call last):
      File "/usr/lib/python3.12/site-packages/ocrmypdf/_pipelines/_common.py", line 259, in
    cli_exception_handler
        return fn(options, plugin_manager)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^
    [...]
      File "/usr/lib/python3.12/pathlib.py", line 840, in stat
        return os.stat(self, follow_symlinks=follow_symlinks)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    FileNotFoundError: [Errno 2] No such file or directory: '/tmp/ocrmypdf.io.0od81kk5/000001_ocr_hocr.hocr'

These are some of the commands that run in background:

    [...]
    2024/11/23 22:13:53 PID=403915 UID=0 CMD=/usr/bin/firejail /usr/bin/tesseract --list-langs
    2024/11/23 22:13:53 PID=403917 UID=0 CMD=/run/firejail/lib/fcopy /usr/bin/text2image /run/firejail/mnt/bin
    2024/11/23 22:13:53 PID=403939 UID=1000 CMD=gs -dQUIET [...] -f /tmp/ocrmypdf.io.0od81kk5/origin.pdf
    [...]
    2024/11/23 22:14:03 PID=403953 UID=0 CMD=tesseract -l eng /tmp/ocrmypdf.io.0od81kk5/000001_ocr.png [...]

Fixes #6550.
[1] https://github.com/netblue30/firejail/issues/6550#issue-2686607038
Reported-by: @kmille
Suggested-by: @kmille
According to @rusty-snake[1]:
> Distributions started to replace wget with wget2 (i.e. `wget` and
> `wget2` are the same binary where one of them is a symlink to the
> other).
So move all custom entries (other than `private-bin`) from wget2.profile
into wget.profile and turn wget2.profile into more of a redirect to
wget.profile.
[1] https://github.com/netblue30/firejail/pull/6542#pullrequestreview-2426287045
wget appears to require access to this directory for HSTS & HPKP.
Without access to this directory, I get the following error when running
wget:

    Failed to read HSTS data
    Failed to read HPKP data
    Failed to write HSTS file

This fixes it.
Make them match the comments in profile.template.
Command used to search for potential issues:

    $ git grep -E '# Allow [A-Z][A-Za-z]+ .* \(blacklisted'

Added on commit 3af6c4068 ("Add Chatterino profile", 2022-12-24) /
PR #5556.
Anki uses mpv to play media, which requires the lua interpreter.
Without this, anki displays this error in the console and falls back to
mplayer:

    mpv: error while loading shared libraries: libluajit-5.1.so.2: cannot open shared object file: Permission denied
    Traceback (most recent call last):
      File "/usr/lib/python3.12/site-packages/aqt/sound.py", line 854, in setup_audio
        mpvManager = MpvManager(base_folder, media_folder)
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/lib/python3.12/site-packages/aqt/sound.py", line 408, in __init__
        super().__init__(window_id=None, debug=False)
      File "/usr/lib/python3.12/site-packages/aqt/mpv.py", line 442, in __init__
        super().__init__(*args, **kwargs)
      File "/usr/lib/python3.12/site-packages/aqt/mpv.py", line 104, in __init__
        self._start_socket()
      File "/usr/lib/python3.12/site-packages/aqt/mpv.py", line 194, in _start_socket
        raise MPVProcessError("unable to start process")
    aqt.mpv.MPVProcessError: unable to start process
    mpv too old or failed to open, reverting to mplayer

While gamepads apparently work fine in the Steam client itself, `nou2f`
appears to make gamepads unresponsive inside certain games while using
"Steam Input" (possibly due to `nou2f` blocking access to `/dev/hidraw*`
devices).
This issue reportedly affects at least the following games on Steam:
"Undertale", "Persona 4 Golden" and "Persona 5 Royal".
Disable nou2f to ensure that gamepads can be used.
Relates to #6523.
Reported-by: @opqriu
There are multiple reports in #6121 that dnsmasq does not work when
called by libvirt:

    $ sudo virsh net-start default
    error: Failed to start network default
    error: internal error: Child process (VIR_BRIDGE_NAME=virbr0 /usr/local/bin/dnsmasq [...]) unexpected exit status 1: Error: PATH environment variable not set

Also, note that this is a server program, so it might be better to
disable it by default anyway.
Reported-by: @marek22k
This fixes access to Thunderbird system policies, which can be set
system-wide via `/etc/thunderbird/policies/policies.json`.
Users can also use this directory to set different default preferences.
Relates to #6400 #6435.