github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #3468] Interfering with Itch.io game #2179

New issue
Closed
opened 2026-05-05 08:51:35 -06:00 by gitea-mirror · 16 comments
gitea-mirror commented 2026-05-05 08:51:35 -06:00
Owner
Copy link

Originally created by @Tanath on GitHub (Jun 15, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3468

Bug and expected behavior
I've been attempting to install a game in Itch, and even with firejail disabled by default (sudo firejail --clean) it still gets interfered with by firejail. The Itch client isn't running in firejail, and the developer of the game doesn't know what firejail is:
https://itch.io/t/832898/asks-for-root-authentication-on-linux

Reproduce
Steps to reproduce the behavior:

  1. I installed the Itch client via AUR.
  2. I got this bundle, which got me the game.
  3. Installed game via Itch client from the bundle page.
  4. Got issue seen in Itch thread above.

Environment

  • Linux distribution and version: Manjaro
  • Firejail version: 0.9.62. Compile time support: all enabled.
  • What other programs interact with the affected program for the functionality? Unity3D.

Whatever it's running isn't listed in firejail --list when the pw request occurs.

Originally created by @Tanath on GitHub (Jun 15, 2020). Original GitHub issue: https://github.com/netblue30/firejail/issues/3468 **Bug and expected behavior** I've been attempting to install a game in Itch, and even with firejail disabled by default (`sudo firejail --clean`) it still gets interfered with by firejail. The Itch client isn't running in firejail, and the developer of the game doesn't know what firejail is: https://itch.io/t/832898/asks-for-root-authentication-on-linux **Reproduce** Steps to reproduce the behavior: 1. I installed the Itch client via AUR. 2. I got [this bundle](https://itch.io/b/520/bundle-for-racial-justice-and-equality), which got me the game. 3. Installed game via Itch client from the [bundle page](https://itch.io/my-purchases/bundles). 4. Got issue seen in [Itch thread](https://itch.io/t/832898/asks-for-root-authentication-on-linux) above. **Environment** - Linux distribution and version: Manjaro - Firejail version: 0.9.62. Compile time support: all enabled. - What other programs interact with the affected program for the functionality? Unity3D. --- Whatever it's running isn't listed in `firejail --list` when the pw request occurs.
gitea-mirror commented 2026-05-05 08:51:38 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Jun 15, 2020):

Hi, I'm having lots of troubles trying to install this to check what might be going wrong. Used makepkg to build itch from AUR on my Arch Linux machine, but the itch-setup command keeps throwing this error:

2020/06/16 00:46:43 Fatal error: Warm-up error: while opening remote signature file: htfs.Open (initial request): htfs connect: Get https://broth.itch.ovh/itch/linux-amd64/25.4.0/signature/default?downloadSessionId=d90aa650-7f18-45df-ba1a-c28a8ca57928: unexpected EOF

At the moment I can't even get itch installed to try to reproduce. You mention using sudo firejail --clean, but I assume you meant sudo firecfg --clean, as firejail doesn't have a --clean option. To ensure firejail is disabled you can run the latter and remove any remaining symlinks in /usr/local/bin that point to /usr/bin/firejail. Looking at the source of itch-setup this seems to be an electron app. If that gets called via firejail it might begin to explain what you are seeing. But without any kind of log we're in the dark I'm afraid.

<!-- gh-comment-id:644436371 --> @ghost commented on GitHub (Jun 15, 2020): Hi, I'm having lots of troubles trying to install this to check what might be going wrong. Used makepkg to build itch from AUR on my Arch Linux machine, but the itch-setup command keeps throwing this error: > 2020/06/16 00:46:43 Fatal error: Warm-up error: while opening remote signature file: htfs.Open (initial request): htfs connect: Get https://broth.itch.ovh/itch/linux-amd64/25.4.0/signature/default?downloadSessionId=d90aa650-7f18-45df-ba1a-c28a8ca57928: unexpected EOF At the moment I can't even get itch installed to try to reproduce. You mention using `sudo firejail --clean`, but I assume you meant `sudo firecfg --clean`, as firejail doesn't have a --clean option. To ensure firejail is disabled you can run the latter and remove any remaining symlinks in /usr/local/bin that point to /usr/bin/firejail. Looking at the source of itch-setup this seems to be an electron app. If that gets called via firejail it might begin to explain what you are seeing. But without any kind of log we're in the dark I'm afraid.
gitea-mirror commented 2026-05-05 08:51:39 -06:00
Author
Owner
Copy link

@Tanath commented on GitHub (Jun 16, 2020):

I see the AUR package has been flagged out of date Flagged out-of-date (2020-06-07), and I haven't seen that error before. You could try downloading the file manually and putting it in the build directory, checking the hash, and updating it in the PKGBUILD if necessary.

Sorry, yes, I meant firecfg. And /usr/local/bin is empty. Itch is not running in firejail, which is confirmed with firejail --list and firejail --top.

<!-- gh-comment-id:644501988 --> @Tanath commented on GitHub (Jun 16, 2020): I see the [AUR package](https://aur.archlinux.org/packages/itch) has been flagged out of date `Flagged out-of-date (2020-06-07)`, and I haven't seen that error before. You could try downloading the file manually and putting it in the build directory, checking the hash, and updating it in the PKGBUILD if necessary. Sorry, yes, I meant firecfg. And `/usr/local/bin` is empty. Itch is not running in firejail, which is confirmed with `firejail --list` and `firejail --top`.
gitea-mirror commented 2026-05-05 08:51:40 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jun 16, 2020):

I really have no idea what's going on. However I've two debugging ideas:

  1. You can do a trick to prevent programs started by itch with firejail to run in a restrictive sandbox. firejail does not support transition or nesting, so if you start itch with firejail --noprofile is maybe works (if you believe in it hard enough 🤣 )
  2. firejail --list and firejail --top only show the sandboxes currently running, using sudo firemon does not clear the output, so you can also see very short living sandboxes (e.g. firejail ls).
<!-- gh-comment-id:644585966 --> @rusty-snake commented on GitHub (Jun 16, 2020): I really have no idea what's going on. However I've two debugging ideas: 1. You can do a trick to prevent programs started by itch with firejail to run in a restrictive sandbox. firejail does not support transition or nesting, so if you start itch with `firejail --noprofile` is maybe works (if you believe in it hard enough :rofl: ) 2. `firejail --list` and `firejail --top` only show the sandboxes currently running, using `sudo firemon` does not clear the output, so you can also see very short living sandboxes (e.g. `firejail ls`).
gitea-mirror commented 2026-05-05 08:51:41 -06:00
Author
Owner
Copy link

@Tanath commented on GitHub (Jun 16, 2020):

Running with firejail --noprofile itch still mentions firejail in the popup, I don't get the password prompt, but then it just fails silently and doesn't run the game.

When I try with firemon, the only new lines that appear are:

04:21:38 exec 2783879 (root) NEW SANDBOX: ./firejail --noprofile -- whoami
04:21:38 exit 2783879 (root) EXIT SANDBOX
04:21:42 exit 2779931 (tanath)
<!-- gh-comment-id:644613843 --> @Tanath commented on GitHub (Jun 16, 2020): Running with `firejail --noprofile itch` still mentions firejail in the popup, I don't get the password prompt, but then it just fails silently and doesn't run the game. When I try with firemon, the only new lines that appear are: ``` 04:21:38 exec 2783879 (root) NEW SANDBOX: ./firejail --noprofile -- whoami 04:21:38 exit 2783879 (root) EXIT SANDBOX 04:21:42 exit 2779931 (tanath) ```
gitea-mirror commented 2026-05-05 08:51:43 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Jun 16, 2020):

I finally got itch installed and did some basic testing. Registering an account, downloading a game, running update checks, login etcetera all succeeded, even with a nicely hardened profile.

@Tanath Could you test this profile without having the firecfg-generated symlinks please?

$ cat ${HOME}/.config/firejail/itch.profile 
# Firejail profile for itch
# Description: The best way to play itch.io games
# This file is overwritten after every install/update
# Persistent local customizations
include itch.local
# Persistent global definitions
include globals.local

blacklist /tmp/.X11-unix

noblacklist ${HOME}/.config/itch
noblacklist ${HOME}/.itch
noblacklist ${HOME}/.local/share/pki
noblacklist ${HOME}/.pki

ignore noexec ${HOME}

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-programs.inc
include disable-xdg.inc

mkdir ${HOME}/.config/itch
mkdir ${HOME}/.itch
mkdir ${HOME}/.local/share/pki
mkdir ${HOME}/.pki
whitelist ${HOME}/.config/itch
whitelist ${HOME}/.itch
whitelist ${HOME}/.local/share/pki
whitelist ${HOME}/.pki
whitelist ${DOWNLOADS}

include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

apparmor
caps.drop all
netfilter
nodvd
nogroups
nonewprivs
noroot
notv
nou2f
novideo
protocol unix,inet,inet6,netlink
seccomp
shell none
#tracelog - breaks on Arch

# For me this private-bin worked, but I only played one game - uncomment for more extensive testing.
# private-bin bash,itch,sh
private-cache
private-dev
private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,machine-id,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11

# The D-Bus filtering syntax below is incompatible with 0.9.62, but it works with firejail from git.
# dbus-user filter
# dbus-user.talk org.freedesktop.Notifications
# dbus-system none
<!-- gh-comment-id:644618574 --> @ghost commented on GitHub (Jun 16, 2020): I finally got itch installed and did some basic testing. Registering an account, downloading a game, running update checks, login etcetera all succeeded, even with a nicely hardened profile. @Tanath Could you test this profile without having the firecfg-generated symlinks please? <details> <summary> $ cat ${HOME}/.config/firejail/itch.profile </summary> ``` # Firejail profile for itch # Description: The best way to play itch.io games # This file is overwritten after every install/update # Persistent local customizations include itch.local # Persistent global definitions include globals.local blacklist /tmp/.X11-unix noblacklist ${HOME}/.config/itch noblacklist ${HOME}/.itch noblacklist ${HOME}/.local/share/pki noblacklist ${HOME}/.pki ignore noexec ${HOME} include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc include disable-programs.inc include disable-xdg.inc mkdir ${HOME}/.config/itch mkdir ${HOME}/.itch mkdir ${HOME}/.local/share/pki mkdir ${HOME}/.pki whitelist ${HOME}/.config/itch whitelist ${HOME}/.itch whitelist ${HOME}/.local/share/pki whitelist ${HOME}/.pki whitelist ${DOWNLOADS} include whitelist-common.inc include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor caps.drop all netfilter nodvd nogroups nonewprivs noroot notv nou2f novideo protocol unix,inet,inet6,netlink seccomp shell none #tracelog - breaks on Arch # For me this private-bin worked, but I only played one game - uncomment for more extensive testing. # private-bin bash,itch,sh private-cache private-dev private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,machine-id,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11 # The D-Bus filtering syntax below is incompatible with 0.9.62, but it works with firejail from git. # dbus-user filter # dbus-user.talk org.freedesktop.Notifications # dbus-system none ``` </details>
gitea-mirror commented 2026-05-05 08:51:44 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Jun 16, 2020):

Running with firejail --noprofile itch still mentions firejail in the popup, I don't get the password prompt, but then it just fails silently and doesn't run the game.

I still don't know what is happening on your end exactly. But a screenshot of that popup would be helpful.

<!-- gh-comment-id:644620965 --> @ghost commented on GitHub (Jun 16, 2020): > Running with firejail --noprofile itch still mentions firejail in the popup, I don't get the password prompt, but then it just fails silently and doesn't run the game. I still don't know what is happening on your end exactly. But a screenshot of that popup would be helpful.
gitea-mirror commented 2026-05-05 08:51:45 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jun 16, 2020):

@glitsj16
Link from OP: https://itch.io/t/832898/asks-for-root-authentication-on-linux
Screenshot in this thread: https://img.itch.zone/aW1nLzM2NDk5MTIucG5n/original/iZZzIb.png

<!-- gh-comment-id:644648983 --> @rusty-snake commented on GitHub (Jun 16, 2020): @glitsj16 Link from OP: https://itch.io/t/832898/asks-for-root-authentication-on-linux Screenshot in this thread: https://img.itch.zone/aW1nLzM2NDk5MTIucG5n/original/iZZzIb.png
gitea-mirror commented 2026-05-05 08:51:46 -06:00
Author
Owner
Copy link

@Tanath commented on GitHub (Jun 16, 2020):

I should mention I don't have this issue with other Itch games yet. Just the one.

I tried the pasted profile and got:

Reading profile /home/tanath/.config/firejail/itch.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Error: cannot access profile file: whitelist-runuser-common.inc

I tried commenting out that line and got an error: non-zero exit code 1 (1). Log says error while elevating, pkexec not found in path. I can't copy the text, and it'd be multiple pages to screenshot, so that's the gist of it. Here's the top:

Error log

<!-- gh-comment-id:644662023 --> @Tanath commented on GitHub (Jun 16, 2020): I should mention I don't have this issue with other Itch games yet. Just the one. I tried the pasted profile and got: ``` Reading profile /home/tanath/.config/firejail/itch.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-exec.inc Reading profile /etc/firejail/disable-interpreters.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/disable-xdg.inc Reading profile /etc/firejail/whitelist-common.inc Error: cannot access profile file: whitelist-runuser-common.inc ``` I tried commenting out that line and got an error: `non-zero exit code 1 (1)`. Log says error while elevating, pkexec not found in path. I can't copy the text, and it'd be multiple pages to screenshot, so that's the gist of it. Here's the top: ![Error log](https://i.imgur.com/LztpFrI.png)
gitea-mirror commented 2026-05-05 08:51:47 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jun 16, 2020):

Log says error while elevating, pkexec not found in path. I can't copy the text, and it'd be multiple pages to screenshot, so that's the gist of it. Here's the top:

pkexec is blocked by firejail (--noblacklist='${PATH}/pkexec' to allow it) and it is the programs that ask you for root-privs.

<!-- gh-comment-id:644670962 --> @rusty-snake commented on GitHub (Jun 16, 2020): > Log says error while elevating, pkexec not found in path. I can't copy the text, and it'd be multiple pages to screenshot, so that's the gist of it. Here's the top: pkexec is blocked by firejail (`--noblacklist='${PATH}/pkexec'` to allow it) and it is the programs that ask you for root-privs.
gitea-mirror commented 2026-05-05 08:51:48 -06:00
Author
Owner
Copy link

@Tanath commented on GitHub (Jun 16, 2020):

Yeah. I'm more interested in testing with firejail out of the way, but the only way I can think to do that is by completely uninstalling it since it gets run no matter what else I do. However I'm using it.

<!-- gh-comment-id:644674405 --> @Tanath commented on GitHub (Jun 16, 2020): Yeah. I'm more interested in testing with firejail out of the way, but the only way I can think to do that is by completely uninstalling it since it gets run no matter what else I do. However I'm using it.
gitea-mirror commented 2026-05-05 08:51:49 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jun 16, 2020):

When you used firemon, did you start itch with firejail --noprofile itch or /usr/bin/itch?

<!-- gh-comment-id:644727830 --> @rusty-snake commented on GitHub (Jun 16, 2020): When you used firemon, did you start itch with `firejail --noprofile itch` or `/usr/bin/itch`?
gitea-mirror commented 2026-05-05 08:51:49 -06:00
Author
Owner
Copy link

@Tanath commented on GitHub (Jun 16, 2020):

Without firejail. Here's with noprofile:

17:28:13 fork 3153138 (tanath) /home/tanath/.config/itch/broth/butler/versions/15.17.0/butler --json daemon --transport tcp --keep-alive --dbpath /home/tanath/.config/itch/db/butler.db --address https://itch.io --user-agent itch/25.4.0 (linux) --destiny-pid 11
        child 3172671 /home/tanath/.config/itch/broth/butler/versions/15.17.0/butler --json daemon --transport tcp --keep-alive --dbpath /home/tanath/.config/itch/db/butler.db --address https://itch.io --user-agent itch/25.4.0 (linux) --destiny-pid 11
17:28:13 exec 3172671 (tanath) ./firejail --version
17:28:15 exit 3172671 (tanath)
17:28:16 fork 3153138 (tanath) /home/tanath/.config/itch/broth/butler/versions/15.17.0/butler --json daemon --transport tcp --keep-alive --dbpath /home/tanath/.config/itch/db/butler.db --address https://itch.io --user-agent itch/25.4.0 (linux) --destiny-pid 11
        child 3172673
17:28:16 exec 3172673 (tanath) /home/tanath/.config/itch/broth/butler/versions/15.17.0/butler --json --elevate install-prereqs /tmp/butler-prereqs-plan.json208915775
17:28:16 fork 3172673 (tanath) /home/tanath/.config/itch/broth/butler/versions/15.17.0/butler --json --elevate install-prereqs /tmp/butler-prereqs-plan.json208915775
        child 3172680 /home/tanath/.config/itch/broth/butler/versions/15.17.0/butler --json --elevate install-prereqs /tmp/butler-prereqs-plan.json208915775
17:28:16 uid (1000:0) 3172680 (tanath)
17:28:16 exec 3172680 (tanath) pkexec /home/tanath/.config/itch/broth/butler/versions/15.17.0/butler run --dir /home/tanath -- /home/tanath/.config/itch/broth/butler/versions/15.17.0/butler --json install-prereqs /tmp/butler-prereqs-plan.json208915775
17:28:16 exit 3172680 (tanath)
17:28:16 exit 3172673 (tanath)

I've tried catching /tmp/butler-prereqs-plan.json* but it's too short-lived.

<!-- gh-comment-id:645022082 --> @Tanath commented on GitHub (Jun 16, 2020): Without firejail. Here's with noprofile: ``` 17:28:13 fork 3153138 (tanath) /home/tanath/.config/itch/broth/butler/versions/15.17.0/butler --json daemon --transport tcp --keep-alive --dbpath /home/tanath/.config/itch/db/butler.db --address https://itch.io --user-agent itch/25.4.0 (linux) --destiny-pid 11 child 3172671 /home/tanath/.config/itch/broth/butler/versions/15.17.0/butler --json daemon --transport tcp --keep-alive --dbpath /home/tanath/.config/itch/db/butler.db --address https://itch.io --user-agent itch/25.4.0 (linux) --destiny-pid 11 17:28:13 exec 3172671 (tanath) ./firejail --version 17:28:15 exit 3172671 (tanath) 17:28:16 fork 3153138 (tanath) /home/tanath/.config/itch/broth/butler/versions/15.17.0/butler --json daemon --transport tcp --keep-alive --dbpath /home/tanath/.config/itch/db/butler.db --address https://itch.io --user-agent itch/25.4.0 (linux) --destiny-pid 11 child 3172673 17:28:16 exec 3172673 (tanath) /home/tanath/.config/itch/broth/butler/versions/15.17.0/butler --json --elevate install-prereqs /tmp/butler-prereqs-plan.json208915775 17:28:16 fork 3172673 (tanath) /home/tanath/.config/itch/broth/butler/versions/15.17.0/butler --json --elevate install-prereqs /tmp/butler-prereqs-plan.json208915775 child 3172680 /home/tanath/.config/itch/broth/butler/versions/15.17.0/butler --json --elevate install-prereqs /tmp/butler-prereqs-plan.json208915775 17:28:16 uid (1000:0) 3172680 (tanath) 17:28:16 exec 3172680 (tanath) pkexec /home/tanath/.config/itch/broth/butler/versions/15.17.0/butler run --dir /home/tanath -- /home/tanath/.config/itch/broth/butler/versions/15.17.0/butler --json install-prereqs /tmp/butler-prereqs-plan.json208915775 17:28:16 exit 3172680 (tanath) 17:28:16 exit 3172673 (tanath) ``` I've tried catching `/tmp/butler-prereqs-plan.json*` but it's too short-lived.
gitea-mirror commented 2026-05-05 08:51:50 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jul 1, 2020):

Does this game know about firejail? (strings path/to/extracted/game/files | grep firejail)

<!-- gh-comment-id:652225049 --> @rusty-snake commented on GitHub (Jul 1, 2020): Does this game know about firejail? (`strings path/to/extracted/game/files | grep firejail`)
gitea-mirror commented 2026-05-05 08:51:50 -06:00
Author
Owner
Copy link

@Tanath commented on GitHub (Jul 2, 2020):

No mention of firejail in game files.

<!-- gh-comment-id:652877160 --> @Tanath commented on GitHub (Jul 2, 2020): No mention of firejail in game files.
gitea-mirror commented 2026-05-05 08:51:50 -06:00
Author
Owner
Copy link

@bbhtt commented on GitHub (Jul 2, 2020):

Itch has it's own local per-game Firejail based sandbox (see in preference of the launcher and disable it). Butler is how the Itch manages, downloads and selects the correct launch for every game, I suppose it needs root access for installing it's own sandbox hence it's asking for so.

Itch's own sandbox creates an isolate-app.profile in /home/korte/.config/itch/apps/hidden-folks/.itch/isolate-app.profile where /home/Username/.config/itch/apps/GameName/ is folder for each game and .itch is a directory inside every game.

:~/.config/itch/apps/hidden-folks/.itch$ cat isolate-app.profile

include /etc/firejail/itch_game_/home/korte/.config/itch/apps/hidden-folks/Hidden Folks.x86_64.local
include /etc/firejail/itch_games_globals.local

noblacklist /home/korte/.config/itch/apps/hidden-folks/Hidden Folks.x86_64
noblacklist /home/korte/.config/itch/apps/hidden-folks
noblacklist /home/korte/.config/itch/apps/hidden-folks/.itch/temp
blacklist /home/korte/.config/itch/apps/hidden-folks/.itch

noblacklist ${HOME}/.config/itch/apps
blacklist   ${HOME}/.config/itch/*
blacklist   ${HOME}/.config/itch/apps/*

noblacklist ${HOME}/.config/kitch/apps
blacklist   ${HOME}/.config/kitch/*
blacklist   ${HOME}/.config/kitch/apps/*

blacklist ~/.config/chromium
blacklist ~/.config/chrome
blacklist ~/.mozilla

Itch's launcher executable is located in /home/korte/.itch/itch. I had to make some minor modifications to the profile given by @glitsj16, ran the launcher with it $ :~/.itch$ firejail --profile=/home/korte/.config/firejail/itch.profile ./itch, tested my library out and things work fine. As for the game in question, it also works fine. Note that itch's own sandbox needs to be disabled here.

itch.profile
Hidden Folks app log png
My test environment:

:~$ firejail --version
firejail version 0.9.62
System:
  Kernel: 5.4.0-40-generic x86_64 bits: 64 compiler: gcc v: 9.3.0 
  Desktop: Xfce 4.14.2 Distro: Ubuntu 20.04 LTS (Focal Fossa)

Itch app downloaded and installed from https://itch.io/app

<!-- gh-comment-id:652928321 --> @bbhtt commented on GitHub (Jul 2, 2020): Itch has it's own [local per-game Firejail based sandbox](https://itch.io/docs/itch/using/sandbox.html) (see in preference of the launcher and disable it). [Butler](https://github.com/itchio/butler) is how the Itch manages, downloads and selects the correct launch for every game, I suppose it needs root access for installing it's own sandbox hence it's asking for so. Itch's own sandbox creates an `isolate-app.profile` in `/home/korte/.config/itch/apps/hidden-folks/.itch/isolate-app.profile` where `/home/Username/.config/itch/apps/GameName/` is folder for each game and `.itch` is a directory inside every game. ``` :~/.config/itch/apps/hidden-folks/.itch$ cat isolate-app.profile include /etc/firejail/itch_game_/home/korte/.config/itch/apps/hidden-folks/Hidden Folks.x86_64.local include /etc/firejail/itch_games_globals.local noblacklist /home/korte/.config/itch/apps/hidden-folks/Hidden Folks.x86_64 noblacklist /home/korte/.config/itch/apps/hidden-folks noblacklist /home/korte/.config/itch/apps/hidden-folks/.itch/temp blacklist /home/korte/.config/itch/apps/hidden-folks/.itch noblacklist ${HOME}/.config/itch/apps blacklist ${HOME}/.config/itch/* blacklist ${HOME}/.config/itch/apps/* noblacklist ${HOME}/.config/kitch/apps blacklist ${HOME}/.config/kitch/* blacklist ${HOME}/.config/kitch/apps/* blacklist ~/.config/chromium blacklist ~/.config/chrome blacklist ~/.mozilla ``` Itch's launcher executable is located in `/home/korte/.itch/itch`. I had to make some minor modifications to the profile given by @glitsj16, ran the launcher with it `$ :~/.itch$ firejail --profile=/home/korte/.config/firejail/itch.profile ./itch`, tested my library out and things work fine. As for the game in question, it also works fine. Note that itch's own sandbox needs to be disabled here. [itch.profile](https://github.com/netblue30/firejail/files/4863525/itch.txt) [Hidden Folks app log png](https://user-images.githubusercontent.com/62639087/86348708-8fd8a680-bc4f-11ea-9453-165347189605.png) My test environment: ``` :~$ firejail --version firejail version 0.9.62 System: Kernel: 5.4.0-40-generic x86_64 bits: 64 compiler: gcc v: 9.3.0 Desktop: Xfce 4.14.2 Distro: Ubuntu 20.04 LTS (Focal Fossa) ``` Itch app downloaded and installed from https://itch.io/app
gitea-mirror commented 2026-05-05 08:51:51 -06:00
Author
Owner
Copy link

@Tanath commented on GitHub (Jul 2, 2020):

Ah! Thank you. That solves my issue. I didn't know Itch came with firejail. The password prompt is a one-time request coming from the Itch app not the game.

<!-- gh-comment-id:652940745 --> @Tanath commented on GitHub (Jul 2, 2020): Ah! Thank you. That solves my issue. I didn't know Itch came with firejail. The [password prompt is a one-time request coming from the Itch app](https://itch.io/docs/itch/using/sandbox/linux.html) not the game.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2179
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?