[GH-ISSUE #1690] firejail 0.9.52 breaks qbittorrent 4.0.3 (qt5-base 5.10.0) #1143

Closed
opened 2026-05-05 07:31:42 -06:00 by gitea-mirror · 16 comments

Originally created by @trytip on GitHub (Dec 22, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1690

```
~ $ firejail qbittorrent
Reading profile /etc/firejail/qbittorrent.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 12775, child pid 12776
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Child process initialized in 111.25 ms

Parent is shutting down, bye...
```
worked fine with firejail 0.9.50 which i had to downgrade to for now. not sure what other info you would need. `firejail --noprofile qbittorrent` works with 0.9.52. it is broken in arch linux latest xfce and also in mint linux mate 17.3


@Vincent43 commented on GitHub (Dec 22, 2017):

Works for me without issues.


@Vincent43 commented on GitHub (Dec 22, 2017):

I believe you but info that you provided is insufficient to reproduce it on my machine (Archlinux, qt5-base 5.10.0, qbittorrent 4.0.3, firejail 0.9.52.) I see some errors you have on terminal. What's your desktop environment? Can you test in different DE? It works for me in KDE plasma 5.11.4.


@trytip commented on GitHub (Dec 23, 2017):

firejail 0.9.52 also breaks qbittorrent 3.3.16 (qt5 5.2.1) in mint mate 17.3
replacing the /etc/firejail/qbittorrent.profile from 9.50 to 9.52 makes it work. i get the same errors in both arch/xfce as in mint/mate17.3

for now i will stick with 9.50 until i can figure out why /etc/firejail/qbittorrent.profile works in 9.50 and not in 9.52


@Vincent43 commented on GitHub (Dec 23, 2017):

Try disabling options from `/etc/firejail/qbittorrent.profile` one by one until you find those which break stuff.


@Fred-Barclay commented on GitHub (Dec 24, 2017):

G'day @trytip . This isn't a case of no interest but little time. 😄 I at any rate have already been trying to replicate and fix this, but I haven't been able to duplicate it on my main Arch box (using MATE). I've already downloaded a Mint 17.3 MATE 64-bit iso but haven't been able to set up a virtual machine for it yet.
27/12/2017 update - unable to replicate on Mint 17.3 MATE either (qbittorrent 3.1.8, qt 4.8.6).

I suspect, though, that the line `memory-deny-write-execute` is to blame, since it was added to the qbittorrent profile by me after the release of firejail 0.9.50, and you say that the qbittorrent 0.9.50 profile works even in firejail 0.9.52. `memory-deny-write-execute` is one of those features that can be a bit tricky to implement properly and may cause issues for others even if we don't catch them in testing.

If you don't mind, I've reopened this. It's something we need to get fixed if possible.


@Vincent43 commented on GitHub (Dec 24, 2017):

@trytip Developers are waiting for you to provide more info as nobody has reproduced your issue yet and they don't have a crystal ball. It's possible that it is something specific to your system config. I told you what to do. The ball is on your side.


@trytip commented on GitHub (Dec 25, 2017):

@Fred-Barclay thanx for the interest. i'm told to provide more info but not sure what else to input i use arch/xfce updated latest and linux mint mate/17.3 arch is qbittorrent 4.0.3 and in mint is 3.3.16 (x64 system for both)

in both systems if i use qbittorrent.profile from 9.50 it works with 9.52. made a video for the mint session but i can reproduce it identically in arch/xfce
https://youtu.be/Mu6T1J09eWQ

i don't use system wide firejail configuration only for chrome/palemoon/qbittorrent and both browsers work with 9.52

not sure if it's relevant but i use an ipfilter.dat in qbittorrent loaded from .local/share/data/qBittorrent/ makes no difference if i start with or without


@Fred-Barclay commented on GitHub (Dec 27, 2017):

If you had time to work through the profile from 0.9.52 by commenting out the lines:

```
include /etc/firejail/whitelist-var-common.inc
shell none
private-bin qbittorrent
memory-deny-write-execute
noexec ${HOME}
noexec /tmp
```

and then uncomment them one-by-one, starting qbittorrent each time until you find the line that kills it. That would be a huge help. 😄
(To comment, add a `#` to the beginning of the line - for instance, `shell none` would become `# shell none`.)

Cheers!
Fred
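
The one-by-one test described in the comment above can be scripted. This is an added example, not part of the original thread or of firejail: it writes a baseline profile with all six listed lines commented out, plus one variant per line with only that line enabled, and prints the command to try for each. The script name `bisect-profile.sh`, the function names and the output directory are assumptions; `--profile=` is firejail's own option.

```shell
#!/bin/sh
# Added example: build one profile variant per suspect directive so each
# can be tried on its own. The script does not start firejail itself.

# The six lines listed in the comment above, one per line.
SUSPECTS='include /etc/firejail/whitelist-var-common.inc
shell none
private-bin qbittorrent
memory-deny-write-execute
noexec ${HOME}
noexec /tmp'

# make_variant PROFILE KEEP
# Print PROFILE with every suspect commented out except the line KEEP.
# An empty KEEP gives the baseline with all suspects disabled.
make_variant() {
    SUSPECTS="$SUSPECTS" KEEP="$2" awk '
        BEGIN {
            n = split(ENVIRON["SUSPECTS"], s, "\n")
            for (i = 1; i <= n; i++) suspect[s[i]] = 1
        }
        {
            line = $0
            gsub(/^[ \t]+|[ \t]+$/, "", line)   # tolerate stray indentation
            if ((line in suspect) && line != ENVIRON["KEEP"]) print "# " line
            else print $0
        }
    ' "$1"
}

# write_variants PROFILE OUTDIR
# Write OUTDIR/00-baseline.profile and one NN-variant.profile per suspect,
# printing the command to try for each. Fails if PROFILE is unreadable.
write_variants() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    mkdir -p "$2" || return 1
    make_variant "$1" "" > "$2/00-baseline.profile"
    i=0
    printf '%s\n' "$SUSPECTS" | while IFS= read -r keep; do
        i=$((i + 1))
        out=$(printf '%s/%02d-variant.profile' "$2" "$i")
        make_variant "$1" "$keep" > "$out"
        printf 'firejail --profile=%s qbittorrent   # enables: %s\n' "$out" "$keep"
    done
}

# Run as: sh bisect-profile.sh /etc/firejail/qbittorrent.profile ./variants
if [ "$#" -eq 2 ]; then write_variants "$1" "$2"; fi
```

If the baseline starts and exactly one variant does not, the line that variant enables is the one to report.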


@GSF1200S commented on GitHub (Dec 27, 2017):

I'm not the OP but I also have firejail and qbittorrent on Arch Linux. I too found that qbittorrent failed to load with firejail 0.9.52.

First I checked when I updated Firejail and then went to a btrfs snapshot prior to that date checking qbittorrent.profile (which was 0.9.50's profile). I commented out the changes in the later profile and it worked, so then went one by one re-enabling them. For me `memory-deny-write-execute` prevented qbittorrent's interface from showing up, though terminal output didn't suggest anything catastrophic. Firejail's debug output didn't help me right off- I planned to dig through things more when I had time. @Fred-Barclay I can post firejail's debug output later when I am home if that would help.

I had one other issue with the later profile- the python search function of qbittorrent didn't work if I had `private-bin qbittorrent` enabled in the profile- commenting it out saw that feature work again. I don't know if I should file a new bug report for this, whether it's a known tradeoff for security, or if a bug report already exists- I haven't had a chance to look.


@Fred-Barclay commented on GitHub (Dec 27, 2017):

Thanks @GSF1200S ! That debug output would certainly be helpful.

> I had one other issue with the later profile- the python search function of qbittorrent didnt work if I had private-bin qbittorrent enabled in the profile- commenting it out saw that feature work again

Can you try adding `python*` to the private-bin filter?


@GSF1200S commented on GitHub (Dec 28, 2017):

> Can you try adding python* to the private-bin filter?

Had to create another private-bin line for python*, but it works fine now.

> That debug output would certainly be helpful.

Going to use a Debian pastebin because it isn't crap, but to clarify I am on Arch with this run: https://paste.debian.net/1002690/


@Fred-Barclay commented on GitHub (Dec 28, 2017):

Okay, can you copy this to ~/.config/firejail/qbittorrent.profile and see if everything works?

```
# Firejail profile for qbittorrent
# This file is overwritten after every install/update
# Persistent local customizations
include /etc/firejail/qbittorrent.local
# Persistent global definitions
include /etc/firejail/globals.local

noblacklist ${HOME}/.cache/qBittorrent
noblacklist ${HOME}/.config/qBittorrent
noblacklist ${HOME}/.config/qBittorrentrc

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc

mkdir ${HOME}/.cache/qBittorrent
mkdir ${HOME}/.config/qBittorrent
mkdir ${HOME}/.local/share/data/qBittorrent
whitelist ${DOWNLOADS}
whitelist ${HOME}/.cache/qBittorrent
whitelist ${HOME}/.config/qBittorrent
whitelist ${HOME}/.config/qBittorrentrc
whitelist ${HOME}/.local/share/data/qBittorrent
include /etc/firejail/whitelist-common.inc
include /etc/firejail/whitelist-var-common.inc

caps.drop all
machine-id
netfilter
nodvd
nogroups
nonewprivs
noroot
nosound
notv
novideo
protocol unix,inet,inet6,netlink
seccomp
shell none

private-bin qbittorrent,python*
private-dev
private-tmp

noexec ${HOME}
noexec /tmp
```

Thanks!


@GSF1200S commented on GitHub (Dec 28, 2017):

I just edited /etc/firejail/qbittorrent.profile directly (and made sure nothing existed in ~/.config/firejail)- works fine! Application loads, python search functions work, and everything else I tested.


@Fred-Barclay commented on GitHub (Dec 29, 2017):

Awesome, thanks @GSF1200S !

@trytip I think this should get everything so I'll close for now, but feel free to comment/reopen if this doesn't work for you (or just to say that it does work). 😄 I would recommend you move back to 0.9.52 (if you haven't already) - you can use the updated, working qbittorrent profile by copying https://raw.githubusercontent.com/netblue30/firejail/281ad508084018c34acef505412450bfde0a6ab7/etc/qbittorrent.profile to ~/.config/firejail/qbittorrent.profile (or editing the profile in /etc/).

Cheers and thanks for the report!
Fred


@trytip commented on GitHub (Dec 30, 2017):

thank you @Fred-Barclay and @GSF1200S the new qbittorrent.profile works. i also replaced it in etc/firejail of my ARCH Linux install.

thanx again for your patience and for the sandbox. this issue can remain CLOSED


@Fred-Barclay commented on GitHub (Dec 30, 2017):

That's great! Cheers!
