[GH-ISSUE #3697] Need help for spectacle's profile #2329

Closed
opened 2026-05-05 09:01:03 -06:00 by gitea-mirror · 16 comments

Originally created by @CodeArtisan00 on GitHub (Oct 25, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3697

here's my spectacle profile (with some problems)

```
include spectacle.local
include globals.local

noblacklist ${PICTURES}
noblacklist ${HOME}/.config/spectaclerc

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc

include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

whitelist ${HOME}/.config/spectaclerc
whitelist /usr/share/dbus-1/interfaces/org.kde.Spectacle.xml
whitelist /usr/share/dbus-1/services/org.kde.Spectacle.service
whitelist /usr/share/doc/HTML
whitelist /usr/share/kconf_update
whitelist /usr/share/knotifications5/spectacle.notifyrc
whitelist /usr/share/metainfo/org.kde.spectacle.appdata.xml
whitelist /usr/share/qlogging-categories5/spectacle.categories

caps.drop all
ipc-namespace
netfilter
no3d
nodvd
nogroups
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix,inet,inet6
seccomp
shell none
tracelog

disable-mnt
private-bin spectacle
private-cache
private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.conf,pki,resolv.conf,ssl
private-dev
private-tmp

dbus-user filter
dbus-user.own org.kde.spectacle

dbus-system none
```

it's taking screenshot as it should but having some benign problems.

`Couldn't start kglobalaccel from org.kde.kglobalaccel.service: QDBusError("org.freedesktop.DBus.Error.ServiceUnknown", "org.freedesktop.DBus.Error.ServiceUnknown")` - this could be resolved by `dbus-user.talk org.kde.kglobalaccel`

but if autosave is on then it also shows `Couldn't start kuiserver from org.kde.kuiserver.service: QDBusError("org.freedesktop.DBus.Error.ServiceUnknown", "org.freedesktop.DBus.Error.ServiceUnknown")` - which I still haven't been able to resolve.

inside of firejail, spectacle can't save any changed config & it shows `kf.config.core: Couldn't write "/home/arx/.config/spectaclerc" . Disk full?` - don't know how to resolve this one also.

In [pic1](https://imgur.com/CRwk9S5) clicking on 'open containing folder' shows [pic2](https://imgur.com/EEhQvAj) instead of the folder.

apart from config issue rest of these issues can be resolved by not using `dbus-user filter`. So using just `dbus-system none` can resolve these annoying issues.


@rusty-snake commented on GitHub (Oct 26, 2020):

The D-Bus issues can be solved by adding `dbus-user.talk` rules.

The config issue is likely #1793.


@CodeArtisan00 commented on GitHub (Oct 26, 2020):

> The D-Bus issues can be solved by adding `dbus-user.talk` rules.
>
> The config issue is likely #1793.

so regarding config issue, there's no hope.
& regarding `dbus-user.talk` rules, which portals should I allow?


@CodeArtisan00 commented on GitHub (Oct 26, 2020):

regarding config issue, just ran a `firejail --trace` for spectacle & noticed spectacle creates some sorta tmp files in `~/.config`. here's the name of those files `spectaclerc.lock`, `spectaclerc.csEzzf`, `spectaclerc.SQLdit` - this is inside firejail's sandbox.

when I ran `firejail --noprofile`, there was just only `spectaclerc.lock`.
But problem is that file is not there when the sandbox is starting. So I don't think regular blacklist/whitelist will have any effect on it.

is there any way to allow `firejail` to add that file at the beginning then after whitelisting & blacklisting all the paths, remove that particular file?


@rusty-snake commented on GitHub (Oct 26, 2020):

I've no experience with the D-Bus service from KDE, so I can't help you here.

----

regarding the config file: The issue is that whitelisted files can not be renamed (#2874). That's a technical limitation from bind mounting. However you can rename files inside a whitelisted directory. So I just had the idea for a workaround using `XDG_CONFIG_HOME`.

What happens if you add

```
mkdir ${HOME}/.config/spectacle
whitelist ${HOME}/.config/spectacle
env XDG_CONFIG_HOME=/home/USER/.config/spectacle
```

(IDK if $HOME works inside XDG_CONFIG_HOME)


@CodeArtisan00 commented on GitHub (Oct 26, 2020):

yes. change in config persists. so you have changed base directory, I mean you have changed `{HOME}/.config` to `{HOME}/.config/spectacle` for spectacle only. How other files & folders will be whitelisted which are in `{HOME}/.config`? will symlink work?


@rusty-snake commented on GitHub (Oct 26, 2020):

`ln -s ../foo .config/spectacle/foo` and `whitelist ${HOME}/.config/foo` should work.


@CodeArtisan00 commented on GitHub (Oct 26, 2020):

> `ln -s ../foo .config/spectacle/foo` and `whitelist ${HOME}/.config/foo` should work.

yea, symlink works.
apart from `spectaclerc`, every other needed files'/folders' symlink worked

> regarding the config file: The issue is that whitelisted files can not be renamed

didn't get the renaming part? I was talking about adding `spectaclerc.lock` at the beginning of starting the sandbox & then after creating whitelisting & blacklisting, remove that `spectaclerc.lock`. No need for other files or renaming. If after allowing `spectaclerc.lock`, spectacle still needs to create those `spectaclerc.randomletter` then obviously that method won't work.


@rusty-snake commented on GitHub (Oct 26, 2020):

spectacle (or kde and some others in general) try to write such files safe against crashes.

1. create new config file (spectaclerc.XXXXXX) and write + flush it
2. remove old config file
3. rename spectaclerc.XXXXXX to spectaclerc
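The save sequence listed in the comment above, combined with the earlier point that a whitelisted file cannot be renamed, as an added Python example (not code from the thread or from firejail). The function names are hypothetical and the mountinfo excerpts are constructed; they assume that whitelisting places a tmpfs over the home directory and bind-mounts each whitelisted path into it.

```python
import os
import re
import tempfile

# Constructed /proc/self/mountinfo excerpts (not captured from a real sandbox).
# Assumption: whitelisting puts a tmpfs over the home directory and bind-mounts
# each whitelisted path into it.
FILE_WHITELIST = r"""
480 460 0:52 / /home/arx rw,nosuid,nodev - tmpfs tmpfs rw,mode=755
512 480 254:1 /home/arx/.config/spectaclerc /home/arx/.config/spectaclerc rw - ext4 /dev/sda2 rw
"""
DIR_WHITELIST = r"""
480 460 0:52 / /home/arx rw,nosuid,nodev - tmpfs tmpfs rw,mode=755
512 480 254:1 /home/arx/.config/spectacle /home/arx/.config/spectacle rw - ext4 /dev/sda2 rw
"""


def parse_mountinfo(text):
    """Map mount point -> filesystem type from /proc/<pid>/mountinfo text."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or "-" not in fields[5:-1]:
            continue
        sep = fields.index("-", 5)
        # Field 5 is the mount point; space, tab, newline and backslash are
        # written as octal escapes such as \040.
        point = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), fields[4])
        mounts[point] = fields[sep + 1]
    return mounts


def backing_mount(path, mounts):
    """Longest mount point that is `path` itself or one of its parents."""
    path = os.path.normpath(path)
    best = None
    for point in mounts:
        if path == point or path.startswith(point.rstrip("/") + "/"):
            if best is None or len(point) > len(best):
                best = point
    return best


def diagnose_save(target, mountinfo_text):
    """Predict the outcome of a temp-file-then-rename save of `target`."""
    mounts = parse_mountinfo(mountinfo_text)
    target = os.path.normpath(target)
    # The temp file (spectaclerc.XXXXXX) is created next to the target.
    temp_on = backing_mount(os.path.dirname(target), mounts)
    report = {"temp_on": temp_on, "temp_fstype": mounts.get(temp_on)}
    if target in mounts:
        # rename(2) onto a mount point and unlink(2) of one both fail with EBUSY.
        report.update(ok=False, reason="target is a mount point (EBUSY)")
    else:
        report.update(ok=True, reason="target is a plain entry on " + str(temp_on))
    return report


def atomic_save(path, data):
    """Crash-safe save as described in the thread; returns the temp name used."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=os.path.basename(path) + ".", dir=directory)
    try:
        with os.fdopen(fd, "wb") as handle:
            handle.write(data)
            handle.flush()
            os.fsync(handle.fileno())
        # Steps 2 and 3 in one rename(2) call, which replaces the old file.
        os.replace(tmp, path)
    except OSError:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return tmp


if __name__ == "__main__":
    print(diagnose_save("/home/arx/.config/spectaclerc", FILE_WHITELIST))
    print(diagnose_save("/home/arx/.config/spectacle/spectaclerc", DIR_WHITELIST))
    with tempfile.TemporaryDirectory() as workdir:
        print(atomic_save(os.path.join(workdir, "spectaclerc"), b"[General]\n"))
```

Inside a running sandbox, `diagnose_save` can be given the contents of `/proc/self/mountinfo` instead of the constructed excerpts.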

@CodeArtisan00 commented on GitHub (Oct 28, 2020):

> but if autosave is on then it also shows `Couldn't start kuiserver from org.kde.kuiserver.service: QDBusError("org.freedesktop.DBus.Error.ServiceUnknown", "org.freedesktop.DBus.Error.ServiceUnknown")` - which I still haven't been able to resolve.

this is resolved by `dbus-user.talk org.kde.JobViewServer`

> In [pic1](https://imgur.com/CRwk9S5) clicking on 'open containing folder' shows [pic2](https://imgur.com/EEhQvAj) instead of the folder.

this can be resolved by `dbus-user.talk org.freedesktop.FileManager1`. One problem though this only works if one instance of dolphin is already on.


@CodeArtisan00 commented on GitHub (Oct 29, 2020):

> this can be resolved by `dbus-user.talk org.freedesktop.FileManager1`. One problem though this only works if one instance of dolphin is already on.

well. it works. I just had `blacklist /run/dbus` in `globals.local`.
my current spectacle profile is

```
include spectacle.local
include globals.local

noblacklist ${PICTURES}
noblacklist ${HOME}/.config/spectaclerc

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc

include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-var-common.inc
include whitelist-usr-share-common.inc

whitelist ${HOME}/.config/spectaclerc

caps.drop all
ipc-namespace
netfilter
no3d
nodvd
nogroups
nonewprivs
noroot
nosound
notv
nou2f
novideo
seccomp
shell none
tracelog

disable-mnt
private-bin spectacle
private-cache
private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.conf,pki,resolv.conf,ssl
private-dev
private-tmp

dbus-user filter
dbus-user.own org.kde.spectacle
dbus-user.talk org.freedesktop.FileManager1
dbus-user.talk org.kde.JobViewServer
dbus-user.talk org.kde.kglobalaccel

dbus-system none
```

does it look good or should I change something?


@rusty-snake commented on GitHub (Oct 29, 2020):

I made a draft to bring it upstream. Assuming it does not need internet access and all the `dbus-user.talk` rules are required.

```
# Firejail profile for spectacle
# Description: DESCRIPTION
# This file is overwritten after every install/update
# Persistent local customizations
include spectacle.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/.config/spectaclerc
noblacklist ${PICTURES}

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc

mkfile ${HOME}/.config/spectaclerc
whitelist ${HOME}/.config/spectaclerc
whitelist ${PICTURES}
include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

apparmor
caps.drop all
machine-id
net none
no3d
nodvd
nogroups
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix
seccomp
shell none
tracelog

disable-mnt
private-bin spectacle
private-cache
private-dev
private-etc alternatives,fonts,ld.so.conf
private-tmp

dbus-user filter
dbus-user.own org.kde.spectacle
dbus-user.talk org.freedesktop.FileManager1
dbus-user.talk org.kde.JobViewServer
dbus-user.talk org.kde.kglobalaccel
dbus-system none
```

- add header and sort
- `netfilter`->`net none`
- `protocol unix`
- `private-etc` remove `ca-certificates,crypto-policies,pki,resolv.conf,ssl`
- remove `ipc-namespace`
- add `apparmor`, `machine-id`
- `whitelist ${PICTURES}`
- TODO: description
- TODO: add blacklist to disable-programs.inc

@CodeArtisan00 commented on GitHub (Oct 30, 2020):

a bit busy lately, sorry for the delay.

> Assuming it does not need internet access

for normal functioning it doesn't need internet but it has a sharing feature. & for that it needs internet & kipi plugins & probably some other `dbus-user.talk` rules. At this moment I don't have kipi plugins installed on my system.

> all the dbus-user.talk rules are required.

required rules are

```
dbus-user filter
dbus-user.own org.kde.spectacle
dbus-user.talk org.freedesktop.FileManager1
```

> * remove `ipc-namespace`

what is the implication of having it & not having it? just curious to know. I thought security wise it would be better having it.


@rusty-snake commented on GitHub (Oct 31, 2020):

> required rules are

so the other ones are for what?

> what is the implication of having it & not having it? just curious to know. I thought security wise it would be better having it.

It breaks some X11-extensions which can make graphic issues (shadows, ...) or performance lost. So upstream policy is to not add it to GUI profiles. However it works fine under Wayland and sometime under Xorg (Arch Linux + Xorg works always AFAIK). I have it in my `globals.local` and have no issues apart from black-borders around pop-ups in Tor-Browser.


@CodeArtisan00 commented on GitHub (Nov 1, 2020):

> so the other ones are for what?

I added those at that time as spectacle was showing errors regarding those but after seeing your profile I was looking for some documentation of those `dbus-user.talk` rules.

- org.kde.kglobalaccel
  [KGlobalAccel](https://api.kde.org/frameworks/kglobalaccel/html/index.html) - in case of `kdeconnect` it controls [volume](https://userbase.kde.org/KDE_Connect/Tutorials/Useful_commands#Volume_control). It looks like kglobalaccel makes use of some sorta special shortcuts. but in the context of spectacle, I don't know what exactly it does.

- org.kde.JobViewServer & org.kde.kuiserver
  it seems these two are intertwined in some manner. `JobViewServer` is needed to see the progress of jobs in the notification area. In case of `kuiserver` I'm a bit confused. Need to go through some relevant documentation. By looking at some random post, it seems `kuiserver` also tracks job progression. But whether it does that through its own api or via `JobViewServer` api is not clear to me. In case of plasma-integration for firefox I had to allow both of these otherwise it was not showing anything in the notification area. So, my guess is that both of these are needed for proper functioning of that feature. But spectacle doesn't seem to need that in my usecase.

Moreover I don't see breakage if I don't allow any of these but there are these error messages
`Couldn't start kglobalaccel from org.kde.kglobalaccel.service: QDBusError("org.freedesktop.DBus.Error.ServiceUnknown", "org.freedesktop.DBus.Error.ServiceUnknown")`
`Couldn't start kuiserver from org.kde.kuiserver.service: QDBusError("org.freedesktop.DBus.Error.ServiceUnknown", "org.freedesktop.DBus.Error.ServiceUnknown")` - this one I get if I enable autosave.

If someone in future reports any breakage, then we can start from these two.


@rusty-snake commented on GitHub (Nov 1, 2020):

If it works w/o them, I would say we add them commented. Would you like to create a PR?

```
# Firejail profile for spectacle
# Description: DESCRIPTION
# This file is overwritten after every install/update
# Persistent local customizations
include spectacle.local
# Persistent global definitions
include globals.local

# Uncomment the following lines to use sharing services.
#netfilter
#ignore net none
#private-etc ca-certificates,crypto-policies,pki,resolv.conf,ssl
#protocol unix,inet,inet6

noblacklist ${HOME}/.config/spectaclerc
noblacklist ${PICTURES}

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc

mkfile ${HOME}/.config/spectaclerc
whitelist ${HOME}/.config/spectaclerc
whitelist ${PICTURES}
include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

apparmor
caps.drop all
machine-id
net none
no3d
nodvd
nogroups
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix
seccomp
shell none
tracelog

disable-mnt
private-bin spectacle
private-cache
private-dev
private-etc alternatives,fonts,ld.so.conf
private-tmp

dbus-user filter
dbus-user.own org.kde.spectacle
dbus-user.talk org.freedesktop.FileManager1
#dbus-user.talk org.kde.JobViewServer
#dbus-user.talk org.kde.kglobalaccel
dbus-system none
```

what's left:

- add it to firecfg.config
- add a blacklist to disable-programs.inc
- add description

@CodeArtisan00 commented on GitHub (Nov 1, 2020):

> Would you like to create a PR

ok...doing that.
