[GH-ISSUE #2808] KDE Plasma 5.16: file pickers and Dolphin require access to ${HOME}/.config/kioslaverc #1761

New issue

Closed

opened 2026-05-05 08:25:55 -06:00 by gitea-mirror · 21 comments

gitea-mirror commented 2026-05-05 08:25:55 -06:00

Owner

Copy link

Originally created by @ayhc on GitHub (Jun 28, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2808

Running Fedora 30 (with Plasma 5.16 from a third-party repo) and Firejail 0.9.60.

Actual behaviour: Opening Dolphin, or opening the file picker in LibreOffice, results in an error message saying that ${HOME}/.config/kioslaverc cannot be accessed.

Expected behaviour: No error message

Workaround: Manually add the following to the Dolphin and LibreOffice profiles:

noblacklist ${HOME}/.config/kioslaverc

Originally created by @ayhc on GitHub (Jun 28, 2019). Original GitHub issue: https://github.com/netblue30/firejail/issues/2808 Running Fedora 30 (with Plasma 5.16 from a third-party repo) and Firejail 0.9.60. Actual behaviour: Opening Dolphin, or opening the file picker in LibreOffice, results in an error message saying that ${HOME}/.config/kioslaverc cannot be accessed. Expected behaviour: No error message Workaround: Manually add the following to the Dolphin and LibreOffice profiles: `noblacklist ${HOME}/.config/kioslaverc`

gitea-mirror closed this issue 2026-05-05 08:25:56 -06:00

gitea-mirror commented 2026-05-05 08:25:57 -06:00

Author

Owner

Copy link

@smitsohu commented on GitHub (Jun 29, 2019):

Can you please check if, instead of noblacklisting, read-write ${HOME}/.config/kioslaverc resolves the issue as well? And is there something broken or you just see a warning?

<!-- gh-comment-id:506954459 --> @smitsohu commented on GitHub (Jun 29, 2019): Can you please check if, instead of noblacklisting, `read-write ${HOME}/.config/kioslaverc` resolves the issue as well? And is there something broken or you just see a warning?

gitea-mirror commented 2026-05-05 08:25:58 -06:00

Author

Owner

Copy link

@ayhc commented on GitHub (Jun 29, 2019):

read-write ${HOME}/.config/kioslaverc did not solve the problem.

I did not see any breakage other than the warning message.

<!-- gh-comment-id:506977438 --> @ayhc commented on GitHub (Jun 29, 2019): `read-write ${HOME}/.config/kioslaverc` did not solve the problem. I did not see any breakage other than the warning message.

gitea-mirror commented 2026-05-05 08:25:59 -06:00

Author

Owner

Copy link

@dalechyn commented on GitHub (Jun 29, 2019):

I am using Plasma with Dolphin, but on the ParrotOS and haven't met this issue.

<!-- gh-comment-id:506989347 --> @dalechyn commented on GitHub (Jun 29, 2019): I am using Plasma with Dolphin, but on the ParrotOS and haven't met this issue.

gitea-mirror commented 2026-05-05 08:26:00 -06:00

Author

Owner

Copy link

@smitsohu commented on GitHub (Jun 29, 2019):

smitsohu@smitsohu:/etc/firejail> grep -r kioslaverc
disable-common.inc:read-only ${HOME}/.config/kioslaverc
disable-common.inc:read-only ${HOME}/.kde/share/config/kioslaverc
disable-common.inc:read-only ${HOME}/.kde4/share/config/kioslaverc
whitelist-common.inc:whitelist ${HOME}/.config/kioslaverc
whitelist-common.inc:whitelist ${HOME}/.kde/share/config/kioslaverc
whitelist-common.inc:whitelist ${HOME}/.kde4/share/config/kioslaverc

Firejail doesn't blacklist this file in the default configuration, did you maybe add this command somewhere?

<!-- gh-comment-id:506993488 --> @smitsohu commented on GitHub (Jun 29, 2019): ``` smitsohu@smitsohu:/etc/firejail> grep -r kioslaverc disable-common.inc:read-only ${HOME}/.config/kioslaverc disable-common.inc:read-only ${HOME}/.kde/share/config/kioslaverc disable-common.inc:read-only ${HOME}/.kde4/share/config/kioslaverc whitelist-common.inc:whitelist ${HOME}/.config/kioslaverc whitelist-common.inc:whitelist ${HOME}/.kde/share/config/kioslaverc whitelist-common.inc:whitelist ${HOME}/.kde4/share/config/kioslaverc ``` Firejail doesn't blacklist this file in the default configuration, did you maybe add this command somewhere?

gitea-mirror commented 2026-05-05 08:26:01 -06:00

Author

Owner

Copy link

@ayhc commented on GitHub (Jul 2, 2019):

Haven't added kioslaverc to any blacklists - ran grep -r kioslaverc in /etc/firejail and got this:

$ grep -r kioslaverc
whitelist-common.inc:whitelist ${HOME}/.config/kioslaverc
whitelist-common.inc:whitelist ${HOME}/.kde/share/config/kioslaverc
whitelist-common.inc:whitelist ${HOME}/.kde4/share/config/kioslaverc
dolphin.local:# Get rid of "~/.config/kioslaverc not writable" error message
dolphin.local:noblacklist ${HOME}/.config/kioslaverc
disable-common.inc:read-only ${HOME}/.config/kioslaverc
disable-common.inc:read-only ${HOME}/.kde/share/config/kioslaverc
disable-common.inc:read-only ${HOME}/.kde4/share/config/kioslaverc
libreoffice.local:# Get rid of "~/.config/kioslaverc not writable" error message
libreoffice.local:noblacklist ${HOME}/.config/kioslaverc

(I added libreoffice.local and dolphin.local as a workaround, as discussed above)

<!-- gh-comment-id:507802606 --> @ayhc commented on GitHub (Jul 2, 2019): Haven't added kioslaverc to any blacklists - ran `grep -r kioslaverc` in /etc/firejail and got this: ``` $ grep -r kioslaverc whitelist-common.inc:whitelist ${HOME}/.config/kioslaverc whitelist-common.inc:whitelist ${HOME}/.kde/share/config/kioslaverc whitelist-common.inc:whitelist ${HOME}/.kde4/share/config/kioslaverc dolphin.local:# Get rid of "~/.config/kioslaverc not writable" error message dolphin.local:noblacklist ${HOME}/.config/kioslaverc disable-common.inc:read-only ${HOME}/.config/kioslaverc disable-common.inc:read-only ${HOME}/.kde/share/config/kioslaverc disable-common.inc:read-only ${HOME}/.kde4/share/config/kioslaverc libreoffice.local:# Get rid of "~/.config/kioslaverc not writable" error message libreoffice.local:noblacklist ${HOME}/.config/kioslaverc ``` (I added libreoffice.local and dolphin.local as a workaround, as discussed above)

gitea-mirror commented 2026-05-05 08:26:01 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Jul 2, 2019):

@ayhc just to be complete, you also didn't add it under ~/.config/firejail?

<!-- gh-comment-id:507811326 --> @rusty-snake commented on GitHub (Jul 2, 2019): @ayhc just to be complete, you also didn't add it under ~/.config/firejail?

gitea-mirror commented 2026-05-05 08:26:01 -06:00

Author

Owner

Copy link

@ayhc commented on GitHub (Jul 2, 2019):

@rusty-snake can confirm that ~/.config/firejail is empty.

<!-- gh-comment-id:507819980 --> @ayhc commented on GitHub (Jul 2, 2019): @rusty-snake can confirm that ~/.config/firejail is empty.

gitea-mirror commented 2026-05-05 08:26:02 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Jul 2, 2019):

I think you are not using firejail compiled from git, so #1235 would be the answer why noblacklist works even there is no blacklist.

<!-- gh-comment-id:507821222 --> @rusty-snake commented on GitHub (Jul 2, 2019): I think you are not using firejail compiled from git, so #1235 would be the answer why noblacklist works even there is no blacklist.

gitea-mirror commented 2026-05-05 08:26:02 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Jul 2, 2019):

@ayhc try ignore read-only ${HOME}/.config/kioslaverc

<!-- gh-comment-id:507829794 --> @rusty-snake commented on GitHub (Jul 2, 2019): @ayhc try `ignore read-only ${HOME}/.config/kioslaverc`

gitea-mirror commented 2026-05-05 08:26:02 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Jul 2, 2019):

may related to #2480.

<!-- gh-comment-id:507831259 --> @rusty-snake commented on GitHub (Jul 2, 2019): may related to #2480.

gitea-mirror commented 2026-05-05 08:26:03 -06:00

Author

Owner

Copy link

@ayhc commented on GitHub (Jul 2, 2019):

@rusty-snake ignore read-only ${HOME}/.config/kioslaverc works.

<!-- gh-comment-id:507832041 --> @ayhc commented on GitHub (Jul 2, 2019): @rusty-snake `ignore read-only ${HOME}/.config/kioslaverc` works.

gitea-mirror commented 2026-05-05 08:26:03 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Jul 2, 2019):

I played a little bit and think I found the issue.

$ grep 'read-only ${HOME}/.bashrc' /etc/firejail/*.inc
/etc/firejail/disable-common.inc:read-only ${HOME}/.bashrc
$ firejail touch .bashrc
Read-only file system
$ firejail --read-write=~/.bashrc touch .bashrc
Read-only file system
$ firejail --ignore='read-only ${HOME}/.bashrc' touch .bashrc
works
$ firejail --read-write='${HOME}/.bashrc' --profile=/etc/firejail/disable-common.inc  touch .bashrc
Read-only file system
$ firejail --profile=/etc/firejail/disable-common.inc --read-write='${HOME}/.bashrc' touch .bashrc
works

Where do you add the read-write? The read-write must parsed after the read-only.
=> To add read-write to .local (or as an command line argument) files doesn't work, it must be added after include disable-common.inc.

@ayhc, can you confirm that the following also work:

cp /etc/firejail/PROFILE ~/.config/firejail/PROFILE
echo "read-write ${HOME}/.config/kioslaverc" >> ~/.config/firejail/PROFILE

<!-- gh-comment-id:507834870 --> @rusty-snake commented on GitHub (Jul 2, 2019): I played a little bit and think I found the issue. ``` $ grep 'read-only ${HOME}/.bashrc' /etc/firejail/*.inc /etc/firejail/disable-common.inc:read-only ${HOME}/.bashrc $ firejail touch .bashrc Read-only file system $ firejail --read-write=~/.bashrc touch .bashrc Read-only file system $ firejail --ignore='read-only ${HOME}/.bashrc' touch .bashrc works $ firejail --read-write='${HOME}/.bashrc' --profile=/etc/firejail/disable-common.inc touch .bashrc Read-only file system $ firejail --profile=/etc/firejail/disable-common.inc --read-write='${HOME}/.bashrc' touch .bashrc works ``` Where do you add the `read-write`? The `read-write` **must** parsed **after** the `read-only`. => To add `read-write` to `.local` (or as an command line argument) files doesn't work, it must be added after `include disable-common.inc`. @ayhc, can you confirm that the following also work: ``` cp /etc/firejail/PROFILE ~/.config/firejail/PROFILE echo "read-write ${HOME}/.config/kioslaverc" >> ~/.config/firejail/PROFILE ```

gitea-mirror commented 2026-05-05 08:26:04 -06:00

Author

Owner

Copy link

@smitsohu commented on GitHub (Jul 5, 2019):

On another note, I find it quite surprising that a file picker asks for write access to kioslaverc.

If there are no problems with functionality, it should be ok to just ignore this warning.

<!-- gh-comment-id:508837194 --> @smitsohu commented on GitHub (Jul 5, 2019): On another note, I find it quite surprising that a file picker asks for write access to kioslaverc. If there are no problems with functionality, it should be ok to just ignore this warning.

gitea-mirror commented 2026-05-05 08:26:04 -06:00

Author

Owner

Copy link

@Vincent43 commented on GitHub (Jul 6, 2019):

Is kioslaverc security sensitive file?

<!-- gh-comment-id:508927799 --> @Vincent43 commented on GitHub (Jul 6, 2019): Is `kioslaverc` security sensitive file?

gitea-mirror commented 2026-05-05 08:26:04 -06:00

Author

Owner

Copy link

@smitsohu commented on GitHub (Jul 7, 2019):

Is kioslaverc security sensitive file?

I think so, KDE apps go there to check if a proxy server should be used.

On yet another note, should Gnome's dconf database be read-only as well?

<!-- gh-comment-id:508982582 --> @smitsohu commented on GitHub (Jul 7, 2019): > Is kioslaverc security sensitive file? I think so, KDE apps go there to check if a proxy server should be used. On yet another note, should Gnome's dconf database be read-only as well?

gitea-mirror commented 2026-05-05 08:26:05 -06:00

Author

Owner

Copy link

@ghost commented on GitHub (Jul 7, 2019):

@smitsohu

On yet another note, should Gnome's dconf database be read-only as well?

${HOME}/.config/dconf is in whitelist-common.inc. Making it read-only would cripple user config changes for GNOME apps. We already have a great override mechanism with the *.local files, so if it is made read-only the worst-case scenario is that people who like it will have to override. We could safely make it read-only for profiles that don't need the GNOME-specific functionality (e.g. KDE apps, daemons), but for those we can just as well blacklist it alltogether IMHO.

<!-- gh-comment-id:508984545 --> @ghost commented on GitHub (Jul 7, 2019): @smitsohu > On yet another note, should Gnome's dconf database be read-only as well? ${HOME}/.config/dconf is in `whitelist-common.inc`. Making it read-only would cripple user config changes for GNOME apps. We already have a great override mechanism with the *.local files, so if it is made read-only the worst-case scenario is that people who like it will have to override. We could safely make it read-only for profiles that don't need the GNOME-specific functionality (e.g. KDE apps, daemons), but for those we can just as well blacklist it alltogether IMHO.

gitea-mirror commented 2026-05-05 08:26:05 -06:00

Author

Owner

Copy link

@smitsohu commented on GitHub (Jul 7, 2019):

But iirc all writes to the database are via D-Bus. This would mean dconf writes escape the sandbox as long as there is no nodbus option.

In my fantasy (I cannot try it out in this moment) only the daemon would need a ignore read-only ${HOME}/.config/dconf.

<!-- gh-comment-id:508985608 --> @smitsohu commented on GitHub (Jul 7, 2019): But iirc all writes to the database are via D-Bus. This would mean dconf writes escape the sandbox as long as there is no `nodbus` option. In my fantasy (I cannot try it out in this moment) only the daemon would need a `ignore read-only ${HOME}/.config/dconf`.

gitea-mirror commented 2026-05-05 08:26:06 -06:00

Author

Owner

Copy link

@ghost commented on GitHub (Jul 7, 2019):

@smitsohu You're correct. As far as I know all dconf access relies on D-Bus, I don't see GNOME changing that any time soon. Only now that you pointed out explicitly that without nodbus all profiles writing to dconf are inherently insecure I get where you're going with this. That does indeed change things rather dramatically. We should test your fantasy and act accordingly :+:.

<!-- gh-comment-id:508986540 --> @ghost commented on GitHub (Jul 7, 2019): @smitsohu You're correct. As far as I know all dconf access relies on D-Bus, I don't see GNOME changing that any time soon. Only now that you pointed out explicitly that without `nodbus` all profiles writing to dconf are inherently insecure I get where you're going with this. That does indeed change things rather dramatically. We should test your fantasy and act accordingly :+:.

gitea-mirror commented 2026-05-05 08:26:06 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Jul 7, 2019):

Use xdg-dbus-proxy https://github.com/netblue30/firejail/issues/2683#issuecomment-491023735 or netns-exec https://github.com/netblue30/firejail/issues/2683#issuecomment-495919268.

On restricting dbus sandbox escape we can do more.

<!-- gh-comment-id:508987491 --> @rusty-snake commented on GitHub (Jul 7, 2019): Use `xdg-dbus-proxy` https://github.com/netblue30/firejail/issues/2683#issuecomment-491023735 or `netns-exec` https://github.com/netblue30/firejail/issues/2683#issuecomment-495919268. On restricting dbus sandbox escape we can do more.

gitea-mirror commented 2026-05-05 08:26:06 -06:00

Author

Owner

Copy link

@smitsohu commented on GitHub (Jul 7, 2019):

without nodbus all profiles writing to dconf are inherently insecure

Possibly an attacker doesn't even need to use the D-Bus interface. If I understand it right this is just a convention, thought to reduce the risk of database corruption.

The database is user writable, a malicious process can (possibly) go to the file directly. If that is the case, it would be useful to mount it read-only (especially as it is exposed through whitelist-common.inc).

<!-- gh-comment-id:508987686 --> @smitsohu commented on GitHub (Jul 7, 2019): > without nodbus all profiles writing to dconf are inherently insecure Possibly an attacker doesn't even need to use the D-Bus interface. If I understand it right this is just a convention, thought to reduce the risk of database corruption. The database is user writable, a malicious process can (possibly) go to the file directly. If that is the case, it would be useful to mount it read-only (especially as it is exposed through whitelist-common.inc).

gitea-mirror commented 2026-05-05 08:26:07 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Aug 1, 2019):

@ayhc
I'm closing here due to inactivity, please fell free to reopen if you still have this issue.

<!-- gh-comment-id:517146362 --> @rusty-snake commented on GitHub (Aug 1, 2019): @ayhc I'm closing here due to inactivity, please fell free to reopen if you still have this issue.

gitea-mirror referenced this issue 2026-05-05 10:13:01 -06:00

[PR #1761] [MERGED] Allow Spotify to run Zenity #4061

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

serialize_remounts_v2

landlock_v4

landlock

release-0.9.64

release-0.9.62

gitlab_ci

LTSbase

fred_ctests

docs

0.9.80

0.9.80-rc1

0.9.78

0.9.76

0.9.76-rc4

0.9.76-rc3

0.9.76-rc2

0.9.76-rc1

0.9.74

landlock-split

0.9.72

0.9.72rc1

0.9.70

0.9.68

0.9.68rc1

0.9.66

0.9.66rc1

0.9.64.4

0.9.64.2

0.9.64

0.9.64rc1

0.9.62.4

0.9.62.2

0.9.62

0.9.56.2-LTS

0.9.60

0.9.60-rc1

0.9.58.2

0.9.58

0.9.58-rc1

0.9.56-LTS-release

0.9.56-LTS

0.9.56

0.9.56-rc1

0.9.54

0.9.54-rc2

0.9.54-rc1

0.9.52

0.9.38.12

0.9.50

0.9.50-rc1

0.9.48

0.9.46

0.9.46-rc1

0.9.44.10

0.9.44.8

0.9.44.6

0.9.38.10

0.9.44.4

0.9.38.8

0.9.44.2

0.9.44

0.9.44-rc1

0.9.38.4

0.9.42

0.9.42-rc2

0.9.38.2

0.9.42-rc1

disable-globalcfg

0.9.40

0.9.40-rc1

0.9.38

0.9.38-rc1

0.9.36

0.9.36-rc1

0.9.34

0.9.34-rc1

0.9.32

0.9.32-rc1

0.9.30

0.9.30-rc1

Labels

Clear labels   

LTS merge

  

LTS merge

  

bug

  

bug

  

converted-to-discussion

  

doc-todo

  

documentation

  

duplicate

  

enhancement

  

file-transfer

  

firecfg

  

firejail-in-firejail

  

firetools

  

graphics

  

help wanted

  

information_old

  

installation

  

invalid

  

modif

  

moved

  

needinfo

  

networking

  

notabug

  

notourbug

  

old-version

  

overlayfs

  

packaging

  

profile-request

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

question_old

  

removal

  

runtime-permissions

  

sandbox-ipc

  

security

  

stale

  

wiki

  

wiki

  

wontfix

  

wordpress

  

workaround

No labels

LTS merge

LTS merge

bug

bug

converted-to-discussion

doc-todo

documentation

duplicate

enhancement

file-transfer

firecfg

firejail-in-firejail

firetools

graphics

help wanted

information_old

installation

invalid

modif

moved

needinfo

networking

notabug

notourbug

old-version

overlayfs

packaging

profile-request

pull-request

question

question_old

removal

runtime-permissions

sandbox-ipc

security

stale

wiki

wiki

wontfix

wordpress

workaround

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#1761

No description provided.