[GH-ISSUE #3202] Dino does not open images in image viewer (gwenview) #2003

Closed
opened 2026-05-05 08:40:26 -06:00 by gitea-mirror · 9 comments

Originally created by @ericschdt on GitHub (Feb 5, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3202

If I run Dino outside of the sandbox it is capable of opening images in gwenview.
However, once started firejailed, nothing happens if I press on the "open image" button.

dino_firejail_debug.log.txt (https://github.com/netblue30/firejail/files/4159527/dino_firejail_debug.log.txt)

System

firejail 0.9.62
Dino 0.1.0
Archlinux

Additional notes

dino.profile from git master
gwenview.profile from git master


@ericschdt commented on GitHub (Feb 5, 2020):

Similar to https://github.com/netblue30/firejail/issues/2655#issuecomment-484176771

firejail --build dino

makes it work, but if I invoke it now without the relaxed whitelisting

firejail dino

even if I finally add

echo "private-bin gwenview" >> ~/.config/firejail/dino.profile

it still does not work. :-S


@ghost commented on GitHub (Feb 6, 2020):

> firejail 0.9.62
> ...
> dino.profile from git master
> gwenview.profile from git master

I remember mentioning git profiles in #3200. Although on occasion that might seem to 'fix' things, it is not the recommended way of running firejail. Mixing profiles from git with a differently versioned firejail binary can be tricky and will bite you sooner or later. There simply is no guarantee that included functionality in the profile files installed under /etc/firejail is also present in the firejail binary. It also makes reporting issues and debugging them a bit more complicated for people trying to help. Seeing that your OS is Arch, if you want to try the latest firejail codebase, I suggest using firejail-git from the AUR. That way at least you have a proper 'base' set of files to start with and avoid version-induced incompatibilities. Just a suggestion.

Now, to the issue at hand. You mentioned that 'firejail --build dino' first made it work, but later on you mention invoking 'firejail dino' doesn't work. IMHO I think you might have missed saving the generated profile. The --build option is a one-time thing. If you want to keep using the generated profile, you will have to either save it to ~/.config/firejail manually (and edit it if needed) or use the --build=/path/to/profile instead. Can you show the generated profile here please?


@ericschdt commented on GitHub (Feb 7, 2020):

> If you want to keep using the generated profile, you will have to either save it to ~/.config/firejail manually (and edit it if needed) or use the --build=/path/to/profile instead.

I did it now (correctly, thanks!) and it works.

> Can you show the generated profile here please?

Sure, here it is, I just stripped a few private folders:

############################################
# dino profile
############################################
# Persistent global definitions
# include /etc/firejail/globals.local

### basic blacklisting
include /etc/firejail/disable-common.inc
# include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
# include /etc/firejail/disable-programs.inc

### home directory whitelisting
whitelist ~/.local/share/gwenview
whitelist ~/
whitelist ~/Documents
whitelist ~/.local/share/gwenview/recentfolders
whitelist ~/.local/share/baloo
whitelist ~/.config/session
whitelist ~/Downloads
whitelist ~/Images
whitelist ~/.cache/mesa_shader_cache
whitelist ~/.drirc
whitelist ~/.gnupg
whitelist ~/.local/share/gwenview/icons/hicolor
whitelist ~/.local/bin
whitelist ~/.local/share/flatpak
whitelist ~/.local/share/flatpak/exports
whitelist ~/.local/share/flatpak/exports/share
whitelist ~/.local/share/applications
whitelist ~/.local/share/flatpak/exports/share/mime
whitelist ~/.local/share/mime
whitelist ~/.local/share/flatpak/exports/share/mime/video
whitelist ~/.local/share/mime/video
whitelist ~/.config/pkcs11
whitelist ~/.XCompose
whitelist ~/.pulse-cookie
whitelist ~/.icons/breeze_cursors
whitelist ~/.icons/breeze_cursors/cursors
whitelist ~/.local/share/icons
whitelist ~/.local/share/flatpak/exports/share/mime/
whitelist ~/.local/share/mime/
whitelist ~/.config/dconf
whitelist ~/.local/share/flatpak/exports/share/dconf/profile
whitelist ~/.local/share/glib-2.0/schemas
whitelist ~/.local/share/flatpak/exports/share/glib-2.0/schemas
whitelist ~/.fonts
whitelist ~/.local/share/fonts
whitelist ~/.fonts.conf
whitelist ~/.fonts.conf.d
whitelist ~/.config/fontconfig
whitelist ~/.local/share/dino
whitelist ~/.local/share/flatpak/exports/share/themes/Adwaita-dark/gtk-3.0
whitelist ~/.local/share/flatpak/exports/share/themes/Adwaita-dark/gtk-3.14
whitelist ~/.local/share/flatpak/exports/share/themes/Adwaita-dark/gtk-3.16
whitelist ~/.local/share/flatpak/exports/share/themes/Adwaita-dark/gtk-3.18
whitelist ~/.local/share/flatpak/exports/share/themes/Adwaita-dark/gtk-3.20
whitelist ~/.local/share/flatpak/exports/share/themes/Adwaita-dark/gtk-3.22
whitelist ~/.local/share/flatpak/exports/share/themes/Adwaita-dark/gtk-3.24
whitelist ~/.themes/Adwaita-dark/gtk-3.0
whitelist ~/.themes/Adwaita-dark/gtk-3.14
whitelist ~/.themes/Adwaita-dark/gtk-3.16
whitelist ~/.themes/Adwaita-dark/gtk-3.18
whitelist ~/.themes/Adwaita-dark/gtk-3.20
whitelist ~/.themes/Adwaita-dark/gtk-3.22
whitelist ~/.themes/Adwaita-dark/gtk-3.24
whitelist ~/.local/share/themes/Adwaita-dark/gtk-3.0
whitelist ~/.local/share/themes/Adwaita-dark/gtk-3.14
whitelist ~/.local/share/themes/Adwaita-dark/gtk-3.16
whitelist ~/.local/share/themes/Adwaita-dark/gtk-3.18
whitelist ~/.local/share/themes/Adwaita-dark/gtk-3.20
whitelist ~/.local/share/themes/Adwaita-dark/gtk-3.22
whitelist ~/.local/share/themes/Adwaita-dark/gtk-3.24
whitelist ~/.config/gtk-3.0
whitelist ~/.Xdefaults-espc
include /etc/firejail/whitelist-common.inc

### filesystem

# private-tmp
# File accessed in /tmp directory:
# /tmp/firejail-strace.rlte9T,private-dev
private-etc group,drirc,mtab,kde5rc,ca-certificates,pkcs11,hosts,localtime,machine-id,dconf,fonts,gcrypt,xdg,gtk-3.0,login.defs,passwd,
whitelist /var/lib/snapd/desktop/gwenview/icons/hicolor/
whitelist /var/lib/flatpak/exports/share/gwenview/icons/hicolor/
whitelist /var/lib/snapd/snap/bin/gpgconf
whitelist /var/lib/snapd/desktop/applications
whitelist /var/lib/flatpak/exports/share/applications
whitelist /var/lib/snapd/desktop/mime/generic-icons
whitelist /var/lib/snapd/desktop/mime/icons
whitelist /var/lib/snapd/desktop/mime/subclasses
whitelist /var/lib/snapd/desktop/mime/aliases
whitelist /var/lib/flatpak/exports/share/mime/generic-icons
whitelist /var/lib/flatpak/exports/share/mime/icons
whitelist /var/lib/flatpak/exports/share/mime/subclasses
whitelist /var/lib/flatpak/exports/share/mime/aliases
whitelist /var/lib/flatpak/exports/share/mime/video/mp4.xml
whitelist /var/lib/dbus/machine-id
whitelist /var/lib/snapd/desktop/icons/icon-theme.cache
whitelist /var/lib/flatpak/exports/share/icons/icon-theme.cache
whitelist /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache
whitelist /var/lib/flatpak/exports/share/icons/hicolor/index.theme
whitelist /var/lib/snapd/desktop/mime//generic-icons
whitelist /var/lib/snapd/desktop/mime//icons
whitelist /var/lib/snapd/desktop/mime//subclasses
whitelist /var/lib/snapd/desktop/mime//aliases
whitelist /var/lib/flatpak/exports/share/mime//generic-icons
whitelist /var/lib/flatpak/exports/share/mime//icons
whitelist /var/lib/flatpak/exports/share/mime//subclasses
whitelist /var/lib/flatpak/exports/share/mime//aliases
whitelist /var/lib/snapd/desktop/dconf/profile/user
whitelist /var/lib/flatpak/exports/share/dconf/profile/user
whitelist /var/lib/flatpak/exports/share/glib-2.0/schemas/gschemas.compiled
whitelist /var/lib/snapd/desktop/glib-2.0/schemas/gschemas.compiled
whitelist /var/lib/flatpak/exports/share/themes/Adwaita-dark/gtk-3.0/gtk.css
whitelist /var/lib/flatpak/exports/share/themes/Adwaita-dark/gtk-3.14/gtk.css
whitelist /var/lib/flatpak/exports/share/themes/Adwaita-dark/gtk-3.16/gtk.css
whitelist /var/lib/flatpak/exports/share/themes/Adwaita-dark/gtk-3.18/gtk.css
whitelist /var/lib/flatpak/exports/share/themes/Adwaita-dark/gtk-3.20/gtk.css
whitelist /var/lib/flatpak/exports/share/themes/Adwaita-dark/gtk-3.22/gtk.css
whitelist /var/lib/flatpak/exports/share/themes/Adwaita-dark/gtk-3.24/gtk.css
whitelist /var/lib/snapd/desktop/themes/Adwaita-dark/gtk-3.0/gtk-dark.css
whitelist /var/lib/snapd/desktop/themes/Adwaita-dark/gtk-3.14/gtk-dark.css
whitelist /var/lib/snapd/desktop/themes/Adwaita-dark/gtk-3.16/gtk-dark.css
whitelist /var/lib/snapd/desktop/themes/Adwaita-dark/gtk-3.18/gtk-dark.css
whitelist /var/lib/snapd/desktop/themes/Adwaita-dark/gtk-3.20/gtk-dark.css
whitelist /var/lib/snapd/desktop/themes/Adwaita-dark/gtk-3.22/gtk-dark.css
whitelist /var/lib/snapd/desktop/themes/Adwaita-dark/gtk-3.24/gtk-dark.css
whitelist /var/lib/flatpak/exports/share/themes/Adwaita-dark/gtk-3.0/gtk-dark.css
whitelist /var/lib/flatpak/exports/share/themes/Adwaita-dark/gtk-3.14/gtk-dark.css
whitelist /var/lib/flatpak/exports/share/themes/Adwaita-dark/gtk-3.16/gtk-dark.css
whitelist /var/lib/flatpak/exports/share/themes/Adwaita-dark/gtk-3.18/gtk-dark.css
whitelist /var/lib/flatpak/exports/share/themes/Adwaita-dark/gtk-3.20/gtk-dark.css
whitelist /var/lib/flatpak/exports/share/themes/Adwaita-dark/gtk-3.22/gtk-dark.css
whitelist /var/lib/flatpak/exports/share/themes/Adwaita-dark/gtk-3.24/gtk-dark.css
private-bin gpgsm,gpg,gpgconf,gwenview,gio-launch-desktop,dino,bash,firejail,
# private-lib
whitelist /usr/share/drirc.d
whitelist /usr/share/kservices5
whitelist /usr/share/gwenview
whitelist /usr/share/plasma
whitelist /usr/share/hwdata
whitelist /usr/share/kpackage
whitelist /usr/share/qt
whitelist /usr/share/applications
whitelist /usr/share/ca-certificates
whitelist /usr/share/p11-kit
whitelist /usr/share/pixmaps
whitelist /usr/share/icons
whitelist /usr/share/mime
whitelist /usr/share/dconf
whitelist /usr/share/glib-2.0
whitelist /usr/share/fonts
whitelist /usr/share/themes
whitelist /usr/share/locale
whitelist /usr/share/gtk-3.0
whitelist /usr/share/X11

### security filters
caps.drop all
nonewprivs
seccomp
# seccomp.keep futex,poll,nanosleep,recvmsg,read,write,wait4,stat,clone,munmap,openat,ioctl,execve,mmap,select,close,writev,sendmsg,lseek,lstat,mprotect,access,fstat,statx,fcntl,readlink,getdents64,getpid,sched_yield,pread64,brk,getxattr,recvfrom,rt_sigprocmask,set_robust_list,pwrite64,sendto,unlink,ppoll,socket,getrandom,fdatasync,sigaltstack,linkat,readlinkat,fstatfs,inotify_init,connect,rt_sigaction,setsockopt,madvise,rename,geteuid,getuid,uname,chmod,setresuid,pipe,setresgid,fchmod,arch_prctl,fadvise64,prctl,eventfd2,bind,inotify_rm_watch,chdir,getsockname,pipe2,getcwd,sched_getaffinity,prlimit64,inotify_init1,getgid,mkdir,shmget,mlock,kill,sched_setscheduler,set_tid_address,shmat,umask,shutdown,getegid,ftruncate,getsockopt,alarm,rt_sigreturn,memfd_create,sched_setaffinity,flock,getpgrp,inotify_add_watch,shmctl,sysinfo,getpeername,accept,shmdt,listen,getresuid,getresgid,clock_getres,mremap,getppid,gettid,restart_syscall,statfs,msync,dup,dup2,link,setsid
# 112 syscalls total
# Probably you will need to add more syscalls to seccomp.keep. Look for
# seccomp errors in /var/log/syslog or /var/log/audit/audit.log while
# running your sandbox.

### network
protocol unix,inet,inet6,netlink,
# net eth0
netfilter

### environment
shell none

@ghost commented on GitHub (Feb 7, 2020):

That looks fine. You could compare it with the default /etc/firejail/dino.profile to harden it a bit more while testing it still does what you want. Usual suspects that are good to have are options like:

no3d
nodvd
nogroups
noroot
nosound
notv
nou2f
novideo

private-dev
private-tmp

@ericschdt commented on GitHub (Feb 9, 2020):

@glitsj16 Thanks, I also added the recent list to dino.local. It works fine for now!


@ericschdt commented on GitHub (Feb 9, 2020):

Edit: For some reason, using Dino with
firejail --build=path/dino.local dino works fine, but afterwards starting Dino (*) makes my accounts no longer go online. :-/

Here are the errors dino throws:

(dino:27): dconf-WARNING **: 11:49:07.364: Unable to open ~/.local/share/flatpak/exports/share/dconf/profile/user: No access
(dino:27): GLib-GIO-WARNING **: 11:51:50.218: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: Portal operation not allowed: Unable to open /proc/10860/root
(dino:27): xmpp-vala-CRITICAL **: 11:49:28.486: file ~/aur/dino-git/src/dino/xmpp-vala/src/core/xmpp_stream.vala: line 124: uncaught error: trying to write, but no stream open (xmpp-io-stream-error-quark, 1)

I already tried to whitelist

whitelist ~/aur/dino-git
whitelist ~/.local/share/

but with no success.

Edit: I should have overwritten dino.profile, so at least the /proc/[number]/root error is gone, as well as the dconf error. Now I am still stuck with the xmpp-vala-CRITICAL error and

Warning: skipping drirc for private /etc
Warning: skipping kde5rc for private /etc
Warning: skipping gcrypt for private /etc

;)


@ericschdt commented on GitHub (Feb 9, 2020):

~~I took the original profile and for some reason it now works (though Dino freezes with firejail sometimes :-( )~~

When I symlinked it again, I forgot about the cache and it actually started /usr/bin/dino and it still does not work. I am giving it up for now...


The following needs to be done anyway:

Though, I had to unblacklist the following folders in gwenview.local

noblacklist ${HOME}/.local/share/dino
noblacklist ${HOME}/.local/share/dino/files

to allow gwenview to view the images.


@ericschdt commented on GitHub (Feb 9, 2020):

Eh, here's the finally working solution:

dino.profile

# Firejail profile for dino
# Description: Modern XMPP Chat Client using GTK+/Vala
# This file is overwritten after every install/update
# Persistent local customizations
include dino.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/.local/share/dino

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc

mkdir ${HOME}/.local/share/dino
whitelist ${HOME}/.local/share/dino
whitelist ${HOME}/.local/share/dino/files
whitelist ${DOWNLOADS}
include whitelist-common.inc

caps.drop all
netfilter
no3d
nodvd
nogroups
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix,inet,inet6
seccomp
shell none

disable-mnt
private-bin dino
private-bin gpgsm,gpg,gpgconf,gwenview,gio-launch-desktop,dino,bash,firejail,
private-dev
# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl -- breaks server connection
private-tmp

gwenview.local

noblacklist ${HOME}/.local/share/dino
noblacklist ${HOME}/.local/share/dino/files

@ericschdt commented on GitHub (Feb 9, 2020):

@rusty-snake @glitsj16
it needs to read:
private-bin dino,gio-launch-desktop,gwenview

Dino won't start gwenview without gio-launch-desktop.


OT: and for gpg support it may need gpgsm,gpg,gpgconf.

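As an added check that is not part of this thread or of firejail's own tooling: the final fix above hinges on `private-bin` naming every helper the sandboxed app execs (here `gio-launch-desktop` as well as `gwenview`), and the earlier "finally working" profile carried two separate `private-bin` lines. The POSIX shell functions below read a profile, merge all uncommented `private-bin` lines into one list (dropping the trailing commas the `--build` generator leaves behind), report listed binaries that cannot be resolved on PATH, and report required helper names that the list does not contain. The sample profiles are constructed inline from the lines posted in the thread; the temp-file paths and the "required helpers" list are assumptions for illustration only.

```sh
#!/bin/sh
# Added example for this thread, not firejail's own tooling:
# lint the private-bin lines of a firejail profile.

# Print every binary named by an uncommented private-bin line, one per
# line, merged across all such lines, empty entries (trailing commas)
# dropped, duplicates removed in first-seen order.
profile_private_bins() {
    sed -n 's/^[[:space:]]*private-bin[[:space:]]\{1,\}//p' "$1" \
        | tr ',' '\n' \
        | sed 's/[[:space:]]//g; /^$/d' \
        | awk '!seen[$0]++'
}

# Print listed binaries that cannot be resolved on PATH on this host.
# firejail copies only what it can find into the private /bin, so a
# misspelled or uninstalled name is silently absent inside the sandbox.
missing_private_bins() {
    profile_private_bins "$1" | while IFS= read -r bin; do
        command -v "$bin" >/dev/null 2>&1 || printf '%s\n' "$bin"
    done
}

# Print the required helper names (arguments 2..n) that the profile's
# merged private-bin list does not contain.
private_bin_lacks() {
    profile="$1"; shift
    have=$(profile_private_bins "$profile")
    for want in "$@"; do
        printf '%s\n' "$have" | grep -qxF -- "$want" || printf '%s\n' "$want"
    done
}

# Constructed sample profiles (assumption: temp files stand in for
# ~/.config/firejail/dino.profile and dino.local).
SAMPLE_PROFILE=$(mktemp)
MINIMAL_PROFILE=$(mktemp)
SH_ONLY_PROFILE=$(mktemp)
trap 'rm -f "$SAMPLE_PROFILE" "$MINIMAL_PROFILE" "$SH_ONLY_PROFILE"' EXIT

cat >"$SAMPLE_PROFILE" <<'EOF'
# two private-bin lines, as in the posted "finally working" profile
private-bin dino
private-bin gpgsm,gpg,gpgconf,gwenview,gio-launch-desktop,dino,bash,firejail,
# private-etc alternatives,ca-certificates -- commented out, must be ignored
EOF

# the upstream profile's single line, which cannot spawn gwenview
printf 'private-bin dino\n' >"$MINIMAL_PROFILE"

# control case: a binary that exists on every POSIX host
printf 'private-bin sh\n' >"$SH_ONLY_PROFILE"

echo "merged private-bin entries:"
profile_private_bins "$SAMPLE_PROFILE"
echo "listed but not on PATH here:"
missing_private_bins "$SAMPLE_PROFILE"
echo "helpers the minimal profile lacks (dino needs gio-launch-desktop to start gwenview):"
private_bin_lacks "$MINIMAL_PROFILE" dino gio-launch-desktop gwenview
```

Run it against a real profile by pointing `profile_private_bins` and friends at `~/.config/firejail/dino.profile`; anything `missing_private_bins` prints on the host will not exist inside the sandbox either, and anything `private_bin_lacks` prints for the helpers Dino execs is the kind of omission that made the "open image" button do nothing.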