[GH-ISSUE #2833] mpv (w/ ytdl) fails, but ytdl works standalone #1771

Closed
opened 2026-05-05 08:26:31 -06:00 by gitea-mirror · 19 comments

Originally created by @hautecodure on GitHub (Jul 6, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2833

Hi,

I seem to have a weird issue where I'm unable to use mpv ytdl, but ytdl works fine standalone.

Setup:

  • youtube-dl - 2019.07.02 (installed via pip in the user directory ~/.local/bin/youtube-dl)
  • mpv - 0.29.1
  • firejail - 0.9.60

Running:

```
firejail --profile=~/.config/firejail/custom.profile mpv --msg-level=ytdl_hook=debug -v "https://www.youtube.com/watch?v=tTGXBK69f0s"
```

Results in:

```
...
[ytdl_hook] Running: youtube-dl --no-warnings -J --flat-playlist --sub-format ass/srt/best --format bestvideo+bestaudio/best --all-subs --no-playlist -- https://www.youtube.com/watch?v=tTGXBK69f0s
[ytdl_hook] youtube-dl failed: not found or not enough permissions
[cplayer] finished playback, unrecognized file format (reason 4)
[cplayer] Failed to recognize file format.
[cplayer]
[cplayer]
[cplayer] Exiting... (Errors when loading file)
...
```

Running the command from the output above:

```
firejail --profile=~/.config/firejail/custom.profile youtube-dl --no-warnings -J --flat-playlist --sub-format ass/srt/best --format bestvideo+bestaudio/best --all-subs --no-playlist -- https://www.youtube.com/watch?v=tTGXBK69f0s
```

Seems to work as expected (youtube-dl returns a serialized JSON object).

The custom.profile I'm currently testing with is the following:

```
whitelist ${HOME}/.local/bin/youtube-dl
whitelist ${HOME}/.local/lib/python3.7

include /etc/firejail/mpv.profile
include /etc/firejail/youtube-dl.profile

noblacklist ${PATH}/python3*
noblacklist /usr/lib/python3*
```

Any ideas how I might debug this further?


@ghost commented on GitHub (Jul 7, 2019):

@enilfodne I cannot reproduce, your first command works fine for me. What you're seeing might be due to youtube-dl parameters in your mpv config file(s). Both mpv and youtube-dl have a pile of options and I'm guessing you might have stale or breaking ytdl-raw-options hanging around. Does it work if you temporarily move any mpv configuration out of the way?


@hautecodure commented on GitHub (Jul 7, 2019):

Thanks for the suggestion, I've removed the configuration folder, but it doesn't seem to change anything (the log looks identical).


@rusty-snake commented on GitHub (Jul 7, 2019):

@enilfodne does mpv + ytdl work without firejail? (sudo firecfg --clear, mpv --msg-level=ytdl_hook=debug -v "https://www.youtube.com/watch?v=tTGXBK69f0s")


@hautecodure commented on GitHub (Jul 7, 2019):

Yes, mpv works fine outside firejail.

Ok, so the culprit is that I've installed youtube-dl locally (pip install --user). When installed system-wide (sudo pip install), everything works as expected.

Any ideas how I can change my profile to accommodate a local install?


@ghost commented on GitHub (Jul 7, 2019):

@enilfodne Nice catch. If you still want youtube-dl installed under your ${HOME}, I believe you'd need ignore noexec ${HOME} for 0.9.60. Both profiles have seen changes since that release, so you might look at these in git master to double-check if you're covering all bases in your custom profile. On a side-note, including both mpv.profile and youtube-dl.profile from /etc/firejail might cause unexpected conflicts. I would advise to make a single custom profile based on mpv.profile and add in what is needed to accommodate for a locally installed youtube-dl.


@rusty-snake commented on GitHub (Jul 7, 2019):

@enilfodne

```
include /etc/firejail/mpv.profile
include /etc/firejail/youtube-dl.profile
```

Isn't a good idea, because youtube-dl.profile contains machine-id, which breaks sound, ...

```
whitelist ${HOME}/.local/bin/youtube-dl
whitelist ${HOME}/.local/lib/python3.7
```

mpv.profile and youtube-dl.profile are both non-whitelisting profiles; that will break mpv-config and more.

```
noblacklist ${PATH}/python3*
noblacklist /usr/lib/python3*
```

mpv.profile already allows python.

Try as custom.profile:

```
quiet
include globals.local

ignore noexec ${HOME}

noblacklist ${HOME}/.config/mpv
noblacklist ${HOME}/.netrc

# Allow python (blacklisted by disable-interpreters.inc)
include allow-python2.inc
include allow-python3.inc

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc

include whitelist-var-common.inc

apparmor
caps.drop all
netfilter
nodbus
nogroups
nonewprivs
noroot
nou2f
protocol unix,inet,inet6
seccomp
shell none
tracelog

disable-mnt
private-bin env,mpv,python*,youtube-dl
private-dev
private-tmp
```

@rusty-snake commented on GitHub (Jul 7, 2019):

@glitsj16 was faster, but my network is too slow 😀.


@hautecodure commented on GitHub (Jul 7, 2019):

Thank you for taking the time to write this.

It's working as expected, but only one minor issue remains. How can I get this integrated with a firefox profile? The reason is that I want to utilize ff2mpv, which is a bridge between firefox and mpv.


@rusty-snake commented on GitHub (Jul 7, 2019):

Or as a script to force mpv to use ytdl with several URLs and strict firejail sandbox:

```zsh
#!/usr/bin/env zsh
# Play each URL argument in turn, each in its own firejail sandbox.
while [[ -n "$@" ]]; do
        firejail --private --private-tmp --nodvd --notv --novideo --disable-mnt --ipc-namespace --private-etc="ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,locale,locale.alias,locale.conf,localtime,alternatives,mime.types,xdg,ca-certificates,ssl,pki,crypto-policies,nsswitch.conf,resolv.conf,protocols,services,rpc,alsa,asound.conf,pulse,machine-id,fonts,pango,X11,drirc,glvnd,mpv,youtube-dl" --ignore="noexec ${HOME}" mpv "ytdl://$1"
        shift
done
```

@rusty-snake commented on GitHub (Jul 7, 2019):

@enilfodne firefox.local:

```
ignore noexec ${HOME}

whitelist ${HOME}/.local/bin/youtube-dl
whitelist ${HOME}/.local/lib/python3.7
```

First check if mpv+ytdl can run under the firefox profile.

```
firejail --profile=firefox mpv "ytdl://SOMETHING"
```


@hautecodure commented on GitHub (Jul 7, 2019):

Apologies for misleading you, but the custom.profile above and the cli example are not working. I can execute youtube-dl, but mpv can't find it. It appears that ignore noexec ${HOME} is not enough.


@rusty-snake commented on GitHub (Jul 7, 2019):

@enilfodne firejail --noprofile mpv "ytdl://SOMETHING".
I'm assuming that ${HOME}/.local/bin/ is in $PATH.


@hautecodure commented on GitHub (Jul 7, 2019):

Yes ~/.local/bin is in PATH and the example above works (noprofile).

When trying to run it through (mpv) profile, it fails.

It's embarrassing, but I forgot to check the logs; clearly it states:

```
apparmor="DENIED" operation="exec" profile="firejail-default" name="/home/joffrey/.local/bin/youtube-dl" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
```

I've got mpv profile to work by:

  • adding ignore noexec ${HOME} to mpv.local
  • commenting apparmor from mpv.profile

Is there more info on the apparmor command, so I can debug this further?


@rusty-snake commented on GitHub (Jul 7, 2019):

@enilfodne apparmor uses the firejail-default AA profile. That you use AA makes some error clear, but I'm wondering that you need to comment seccomp.

> Is there more info on both commands and how i can debug this further?

seccomp: uncomment it (leave apparmor commented), sudo journalctl | grep syscall


@rusty-snake commented on GitHub (Jul 7, 2019):

You can first ignore apparmor, because if you want to firefox has its own AA profile AFAIK.


@hautecodure commented on GitHub (Jul 7, 2019):

Removing apparmor from the firefox-common.profile (same with the mpv.profile) and everything works as expected.

Would this reduce the security or negatively impact the isolation when mpv and youtube-dl are spawned within the same firefox sandbox?


@rusty-snake commented on GitHub (Jul 7, 2019):

> Would this reduce the security

Yes, you should consider tweaking the FF-AA-Profile instead, but there I can't help you.


@hautecodure commented on GitHub (Jul 7, 2019):

After looking at firejail-default, there's a comment stating:

```
##########
# Allow running programs only from well-known system directories. If you need
# to run programs from your home directory, uncomment /home line.
##########
```

thus uncommenting:

```apparmor
#/{,run/firejail/mnt/oroot/}home/** ix,
```

Fixed all those problems and allowed me to re-enable apparmor on all profiles.

Thanks again for taking some time to help me debug this.
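
An added example, not part of the thread or of firejail: a small Python filter for the kind of AppArmor audit record quoted earlier, listing exec denials from the firejail-default profile and whether the `/home` rule above would cover each path. The journal lines are constructed around the record from the thread, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed journal lines. Only the first record's key=value fields come from
# the thread; timestamps, host, pids and the other three records are made up.
SAMPLE_LOG = """\
Jul 07 10:00:01 host audit[4242]: AVC apparmor="DENIED" operation="exec" profile="firejail-default" name="/home/joffrey/.local/bin/youtube-dl" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
Jul 07 10:00:02 host audit[4243]: AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/1/environ" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 07 10:00:03 host audit[4244]: AVC apparmor="DENIED" operation="exec" profile="firejail-default" name=2F6F70742F6D7920746F6F6C2F72756E requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
Jul 07 10:00:04 host audit[4245]: AVC apparmor="ALLOWED" operation="exec" profile="other" name="/usr/bin/mpv" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
"""

PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Expansion of the rule quoted in the thread: /{,run/firejail/mnt/oroot/}home/** ix,
HOME_RULE_PREFIXES = ("/home/", "/run/firejail/mnt/oroot/home/")


def parse_record(line):
    """Return the key=value fields of one audit line as a dict."""
    fields = {}
    for m in PAIR.finditer(line):
        key, quoted, bare = m.groups()
        if quoted is None and key == "name":
            # audit hex-encodes names that contain spaces, quotes or control bytes
            try:
                bare = bytes.fromhex(bare).decode("utf-8", "replace")
            except ValueError:
                pass
        fields[key] = bare if quoted is None else quoted
    return fields


def exec_denials(log_text, profile="firejail-default"):
    """Count refused exec attempts per path for the given AppArmor profile."""
    hits = Counter()
    for line in log_text.splitlines():
        f = parse_record(line)
        if (f.get("apparmor") == "DENIED" and f.get("operation") == "exec"
                and f.get("profile") == profile and "x" in f.get("denied_mask", "")):
            hits[f.get("name", "?")] += 1
    return hits


def covered_by_home_rule(path):
    """True if the path falls under the /home rule once it is uncommented."""
    return any(path.startswith(p) and len(path) > len(p) for p in HOME_RULE_PREFIXES)


def report(log_text):
    """Return (path, count, covered_by_home_rule) tuples sorted by path."""
    return [(p, n, covered_by_home_rule(p)) for p, n in sorted(exec_denials(log_text).items())]


if __name__ == "__main__":
    for path, count, home in report(SAMPLE_LOG):
        print(f"{count}x {path}  covered-by-home-rule={home}")
```

A path reported as not covered would still be refused after the `/home` line is enabled, so it points at a different rule in the AppArmor profile.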


@rusty-snake commented on GitHub (Jul 7, 2019):

@enilfodne closing here, please feel free to reopen if you have more questions.
