mirror of
https://github.com/netblue30/firejail.git
synced 2026-05-15 14:16:14 -06:00
[GH-ISSUE #3157] ffmpeg 4.2.2 does not work with the included firejail profile #1981
Originally created by @the-lost-bit on GitHub (Jan 17, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3157
First I would like to thank all the developers for this really nice piece of security software.
My issue is with the latest version of FFmpeg, version 4.2.2 (pacman says 1:4.2.2-1). If I try to run ffmpeg like so, firejail ffmpeg, I get the following error:
/usr/bin/ffmpeg: error while loading shared libraries: libmfx.so.1: cannot open shared object file: No such file or directory
If I use the --noprofile option the above command runs without errors though, so it seems like this may be an issue with the included FFmpeg profile. The library that ffmpeg complains about is located in /opt/intel/mediasdk/lib. This intel-directory was created (not by me) when I updated FFmpeg to the latest version.
There is no error when using the previous version of FFmpeg, that is 4.2.1 (pacman says 1:4.2.1-4). I tried to do some whitelisting of the above directory but to no avail. Hopefully someone more skilled in setting up profiles can help me on the way to solve this problem. I am a beginner.
Manjaro: 18.1.5
Firejail: 0.9.62
FFmpeg: 4.2.2
@ghost commented on GitHub (Jan 17, 2020):
@the-lost-bit We are aware of this. See #3147 and https://github.com/netblue30/firejail/pull/3150. To summarize: the ffmpeg profile saw some changes after releasing 0.9.62. Until a decision is made on a follow-up release you can fix this by adding
private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,nsswitch.conf,pkcs11,pki,resolv.conf,ssl
to your ffmpeg.local (or create that file if you don't have one yet). Would you be so kind as to confirm/deny whether the above changes fix the ffmpeg issue?
@the-lost-bit commented on GitHub (Jan 17, 2020):
Many thanks glitsj16 for the swift reply, and my apologies for not doing a proper search among the issues!
Yes, your suggested ffmpeg.local file seems to do the trick. I did note however that the issue persisted with youtube-dl which calls ffmpeg to merge video and audio after download, so I just made a youtube-dl.local file with the exact same contents as per your suggestion above, and indeed this works.
Are there any obvious negative security implications with my ad hoc solution to the youtube-dl+ffmpeg combo issue? Thanks again, and sorry if I went a bit off topic.
@ghost commented on GitHub (Jan 17, 2020):
@the-lost-bit No worries, that happens. A duplicate is still better than no report at all. Firejail by design relies heavily on user input for keeping profiles in good condition and your input is appreciated.
Great, thanks for confirming.
Indeed, I forgot to mention youtube-dl. The relevant changes to that profile look like this:
private-etc alternatives,ca-certificates,crypto-policies,hostname,hosts,ld.so.cache,mime.types,pki,resolv.conf,ssl,youtube-dl.conf
... so you should be fine by replacing the private-etc line in your youtube-dl.local with the above.
None, your ad-hoc workarounds now offer the exact same security level as those in git master. It's only too bad the relevant profile changes happened after releasing firejail 0.9.62. I suggested a new release after users started reporting ffmpeg issues, but no decision on that yet. Just make a note to remove your private-etc .local fixes when a future update arrives, that will make those superfluous.
I'll close this, but do feel free to re-open when you notice anything fishy with your ffmpeg/youtube-dl usage. Thank you for the cooperation!
@rusty-snake commented on GitHub (Jan 17, 2020):
Duplicate of #3147
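The thread advises removing the private-etc .local fixes once an updated profile ships. The following is an added example, not part of the original thread or of firejail itself, that checks whether a .local override still contributes any private-etc entry the shipped profile lacks. Assumptions: the file names and the "old" profile line in the demo are constructed, several private-etc lines in one file are treated as accumulating, and include lines are not followed.

```shell
#!/bin/sh
# Print every private-etc entry in a profile file, one per line, sorted.
# Commented-out lines are skipped because they do not start with the keyword.
private_etc_entries() {
    sed -n 's/^[[:space:]]*private-etc[[:space:]]\{1,\}//p' "$1" |
        tr ',' '\n' | sed 's/[[:space:]]//g' | grep -v '^$' | sort -u
}

# Print the entries that the override ($1) keeps but the shipped profile ($2) lacks.
extra_entries() {
    shipped=$(private_etc_entries "$2")
    private_etc_entries "$1" | while IFS= read -r entry; do
        printf '%s\n' "$shipped" | grep -qxF -- "$entry" || printf '%s\n' "$entry"
    done
}

# Succeed when the override adds nothing, i.e. the .local fix can be removed.
override_is_superfluous() {
    [ -z "$(extra_entries "$1" "$2")" ]
}

demo() {
    dir=$(mktemp -d)
    # The ffmpeg.local line quoted in the thread.
    fix='private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,nsswitch.conf,pkcs11,pki,resolv.conf,ssl'
    printf '%s\n' "$fix" > "$dir/ffmpeg.local"
    # Constructed stand-in for a shipped profile that predates the fix.
    printf '%s\n' 'private-etc alternatives,ca-certificates,hosts,resolv.conf' > "$dir/old.profile"
    # Constructed stand-in for an updated shipped profile carrying the same line.
    printf '%s\n' "$fix" > "$dir/new.profile"

    echo "Entries only the override provides (old profile):"
    extra_entries "$dir/ffmpeg.local" "$dir/old.profile"
    if override_is_superfluous "$dir/ffmpeg.local" "$dir/new.profile"; then
        echo "Updated profile covers everything: the .local fix can be removed."
    fi
    rm -rf "$dir"
}
demo
```

On a real system the two arguments would be the user's override and the distribution's profile for the same program.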