[GH-ISSUE #3109] VLC xdg-screensaver access #1949

Closed
opened 2026-05-05 08:36:53 -06:00 by gitea-mirror · 8 comments

Originally created by @sinner- on GitHub (Jan 3, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3109

Hello,

First of all just want to say thank you for the amazing software.

I use Xscreensaver and I noticed that when I run `firejail vlc`, the "Disable screensaver" preference of vlc doesn't work.

Xscreensaver doesn't support DBus; vlc falls back to the `xdg-screensaver` command when it can't find a screensaver using DBus.

Can the vlc profile be enhanced to give access for vlc to execute `xdg-screensaver`?


@ghost commented on GitHub (Jan 3, 2020):

Hi, can you confirm that adding `--private-bin=xdg-screensaver` on the command line fixes your issue? Alternatively you can add `private-bin=xdg-screensaver` to a _vlc.local_ file (either under /etc/firejail or ${HOME}/.config/vlc.local) and test things that way.


@sinner- commented on GitHub (Jan 3, 2020):

Hi @glitsj16 thanks for getting back to me!

I set my screensaver to 1 minute timeout and tested the following things:

  1. No activity without vlc running, confirm the screensaver locks in 1 min.
  2. Run vlc (disable screensaver preference enabled) without firejail, open a movie file and enter fullscreen, confirm the screensaver doesn't lock.
  3. Run `firejail vlc`, open a movie file and enter fullscreen, confirm the screensaver locks in 1 min.
  4. Run `firejail --private-bin=xdg-screensaver vlc`, open a movie file and enter fullscreen, screensaver still locks in 1 minute :(

I tried to run `firejail --debug vlc` and `firejail --debug-blacklists vlc` and waited 1 minute with a movie playing but no useful output was produced that shows what firejail is blocking.


@ghost commented on GitHub (Jan 3, 2020):

@sinner- Hi, thanks for your detailed response. I'll install VLC and will try to dig around a bit. It could be that xdg-screensaver or VLC (or both) need additional commands in private-bin to work as expected. For now you might want to play with disabling private-bin altogether (using `--ignore=private-bin`). If that doesn't help, I'd recommend commenting out options in /etc/firejail/vlc.profile one by one if you have the time to experiment. We'll get back to you.


@ghost commented on GitHub (Jan 3, 2020):

@sinner- Hi again. After installing VLC and playing with its preferences (not even got to testing the firejail profile!) my machine encountered several system freezes (the ones that eventually require hard resets). I hope some other contributors chime in to help with debugging this issue, my machine simply doesn't like VLC, never has. My apologies for that. I'll keep following the thread and will add to the conversation when I have relevant info. It might help if you could add some details about your OS, desktop environment, firejail version etcetera in your next response. Good luck!


@sinner- commented on GitHub (Jan 3, 2020):

Hey again,

Thanks for trying!

Kernel 5.3.16-300.fc31.x86_6 on Fedora 31, using XFCE (where Xscreensaver is default), firejail 0.9.62.

I did some more experiments, the only thing based on your suggestion which worked is `firejail --ignore=private-bin vlc`.

The `vlc.profile` I have looks like this:

```
# Firejail profile for vlc
# Description: Multimedia player and streamer
# This file is overwritten after every install/update
# Persistent local customizations
include vlc.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/.cache/vlc
noblacklist ${HOME}/.config/vlc
noblacklist ${HOME}/.local/share/vlc
noblacklist ${MUSIC}
noblacklist ${VIDEOS}

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc

include whitelist-var-common.inc

#apparmor - on Ubuntu 18.04 it refuses to start without dbus access
caps.drop all
netfilter
#nodbus - dbus needed for MPRIS
nogroups
nonewprivs
noroot
nou2f
protocol unix,inet,inet6,netlink
seccomp
shell none

private-bin cvlc,nvlc,qvlc,rvlc,svlc,vlc
private-dev
private-tmp

# mdwe is disabled due to breaking hardware accelerated decoding
#memory-deny-write-execute
```

I commented out all these lines:

```
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
```

and the screensaver still didn't get disabled :( so I assume it must be this line

```
private-bin cvlc,nvlc,qvlc,rvlc,svlc,vlc
```

which is causing this issue.

So I thought maybe vlc is invoking some other program which, after failing, vlc then invokes `xdg-screensaver`.

I found the reference in the vlc source code which invokes `xdg-screensaver`:
https://github.com/videolan/vlc/blob/a15728e4c4f383c03fbfa73927a9ccb5e69932dd/modules/misc/inhibit/xdg.c#L62
but none of the other references in the `modules/misc/inhibit` path seem to invoke an external program in the same way:
https://github.com/videolan/vlc/search?q=posix_spawnp&unscoped_q=posix_spawnp

I couldn't understand the vlc code well enough to track the logic of how the inhibit module is invoked itself.

Is there any logging or soft mode or anything for firejail that will tell me what is being blocked as it occurs?

Thanks again.


@rusty-snake commented on GitHub (Jan 3, 2020):

On Fedora, xdg-screensaver is a shell script which also talks to dbus if it is used under GNOME, KDE, ...

I went through it and this came out:
`--private-bin=sh,cat,which,readlink,basename,grep,cut,sed,dirname,dbus-send,xprop,gnome-default-applications-properties,kde-config,mv,hostname,sleep,rm,xset,test,mktemp,ps,kill,dcop,perl,mate-screensaver-command,xscreensaver-command,xautolock`

Maybe something is still missing and some programs are not necessary for you.

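The manual pass described in the comment above (reading a wrapper script to find every program it calls) can be partly automated. The shell helper below is an added example, not code from this thread, firejail or xdg-utils; its function names and the sample script are constructed, and its output is a draft to review, since the heuristic misses commands passed as arguments or built from variables.

```shell
# Added example (not firejail or xdg-utils code): heuristic that lists the
# programs a shell script calls, to draft a private-bin line for review.

# candidate_cmds FILE: words in command position, one per line, sorted.
candidate_cmds() {
    sed -e 's/^#.*$//' -e 's/[[:space:]]#.*$//' "$1" |
    tr '|;&(`)' '\n\n\n\n\n\n' |
    awk 'BEGIN { n = split("if then else elif fi do done while until case esac ! {", a, " ")
                 for (i = 1; i <= n; i++) kw[a[i]] = 1 }
         { i = 1; while (i <= NF && ($i in kw)) i++      # skip leading keywords
           if (i <= NF && $i ~ /^[A-Za-z_][A-Za-z0-9_.-]*$/) print $i }' |
    LC_ALL=C sort -u
}

# in_path CMD DIRS: true if CMD is an executable file in colon-separated DIRS.
in_path() {
    old_ifs=$IFS; IFS=:
    for d in $2; do
        if [ -f "$d/$1" ] && [ -x "$d/$1" ]; then IFS=$old_ifs; return 0; fi
    done
    IFS=$old_ifs; return 1
}

# private_bin_line FILE [DIRS]: the script name, its shebang interpreter, and
# every candidate that resolves in DIRS (default $PATH), as one profile line.
private_bin_line() {
    dirs=${2:-$PATH}
    interp=$(sed -n '1s|^#! *[^ ]*/\([^ /]*\).*|\1|p' "$1")
    list="$(basename "$1")${interp:+,$interp}"
    for c in $(candidate_cmds "$1"); do
        if in_path "$c" "$dirs"; then list="$list,$c"; fi
    done
    printf 'private-bin %s\n' "$list"
}

# write_sample FILE: constructed stand-in for a screensaver wrapper script.
write_sample() {
    cat > "$1" <<'EOF'
#!/bin/sh
# constructed sample, not the real xdg-screensaver
DE=$(xprop -root _DT_SAVE_MODE | grep -c xfce)
if which xscreensaver-command >/dev/null; then
    xscreensaver-command -deactivate; sleep 50 &
fi
case "$DE" in
    0) xset s off ;;
esac
EOF
}
```

Running `private_bin_line "$(command -v xdg-screensaver)"` on the host prints a candidate line for a `vlc.local` file; trim it to the programs the screensaver in use actually needs before adopting it.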
@sinner- commented on GitHub (Jan 3, 2020):

Thanks @rusty-snake, I think I will just comment out the `private-bin ...` line in the vlc profile file.

@kmille commented on GitHub (Feb 24, 2023):

On my Arch Linux (i3 starts xautolock), the following works (still not the minimum, just used trial and error). In `~/.config/firejail/vlc.local`:
`private-bin sh,cat,which,readlink,basename,grep,cut,sed,dirname,dbus-send,mv,rm,xset,test,mktemp,ps,kill,dcop,xautolock,xdg-screensaver`
