github-starred/firejail

Fork 0

mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00

[GH-ISSUE #3776] ffmpeg profile breaks jellyfin transcoding #2380

New issue

Closed

opened 2026-05-05 09:03:42 -06:00 by gitea-mirror · 5 comments

gitea-mirror commented

2026-05-05 09:03:42 -06:00

Owner

Originally created by @setpill on GitHub (Nov 26, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3776

Bug and expected behavior

Jellyfin uses ffmpeg under the hood to transcode video files. It writes (temporary) output files to /var/lib/jellyfin/transcodes/. However, the firejail ffmpeg profile disallows this, resulting in log entries like

[hls @ 0x556825785e40] Opening '/var/lib/jellyfin/transcodes/292bcf7633af7c10604b80d4e20d199d66.ts' for writing
[hls @ 0x556825785e40] Failed to open file '/var/lib/jellyfin/transcodes/292bcf7633af7c10604b80d4e20d199d66.ts'

No profile and disabling firejail

I was not able to change the way jellyfin calls ffmpeg, however I removed the /usr/local/bin/ffmpeg symlink to /usr/bin/firejail, after which transcodes started working again.

Reproduce
Steps to reproduce the behavior:

Run firecfg
Start jellyfin
Request a transcode
Look at the ffmpeg logs in /var/lib/jellyfin/log

Environment

Linux distribution and version (ie output of lsb_release -a, screenfetch or cat /etc/os-release)

$ lsb_release -a
LSB Version:	1.4
Distributor ID:	Arch
Description:	Arch Linux
Release:	rolling
Codename:	n/a

Firejail version (output of firejail --version) exclusive or used git commit (git rev-parse HEAD)

$ firejail --version
firejail version 0.9.64

Compile time support:
	- AppArmor support is enabled
	- AppImage support is enabled
	- chroot support is enabled
	- D-BUS proxy support is enabled
	- file and directory whitelisting support is enabled
	- file transfer support is enabled
	- firetunnel support is enabled
	- networking support is enabled
	- overlayfs support is enabled
	- private-home support is enabled
	- SELinux support is disabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled

Additional context
Other context about the problem like related errors to understand the problem.

Checklist

The upstream profile (and redirect profile if exists) have no changes fixing it.
The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
Programs needed for interaction are listed in the profile.
A short search for duplicates was performed.
If it is a AppImage, --profile=PROFILENAME is used to set the right profile.
Used LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 PROGRAM to get english error-messages.

Originally created by @setpill on GitHub (Nov 26, 2020). Original GitHub issue: https://github.com/netblue30/firejail/issues/3776 **Bug and expected behavior** Jellyfin uses ffmpeg under the hood to transcode video files. It writes (temporary) output files to `/var/lib/jellyfin/transcodes/`. However, the firejail ffmpeg profile disallows this, resulting in log entries like ``` [hls @ 0x556825785e40] Opening '/var/lib/jellyfin/transcodes/292bcf7633af7c10604b80d4e20d199d66.ts' for writing [hls @ 0x556825785e40] Failed to open file '/var/lib/jellyfin/transcodes/292bcf7633af7c10604b80d4e20d199d66.ts' ``` **No profile and disabling firejail** I was not able to change the way jellyfin calls ffmpeg, however I removed the `/usr/local/bin/ffmpeg` symlink to `/usr/bin/firejail`, after which transcodes started working again. **Reproduce** Steps to reproduce the behavior: 1. Run firecfg 2. Start jellyfin 3. Request a transcode 4. Look at the ffmpeg logs in `/var/lib/jellyfin/log` **Environment** - Linux distribution and version (ie output of `lsb_release -a`, `screenfetch` or `cat /etc/os-release`) ``` $ lsb_release -a LSB Version: 1.4 Distributor ID: Arch Description: Arch Linux Release: rolling Codename: n/a ``` - Firejail version (output of `firejail --version`) exclusive or used git commit (`git rev-parse HEAD`) ``` $ firejail --version firejail version 0.9.64 Compile time support: - AppArmor support is enabled - AppImage support is enabled - chroot support is enabled - D-BUS proxy support is enabled - file and directory whitelisting support is enabled - file transfer support is enabled - firetunnel support is enabled - networking support is enabled - overlayfs support is enabled - private-home support is enabled - SELinux support is disabled - user namespace support is enabled - X11 sandboxing support is enabled ``` **Additional context** Other context about the problem like related errors to understand the problem. **Checklist** - [x] The upstream profile (and redirect profile if exists) have no changes fixing it. - [x] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`) - [ ] Programs needed for interaction are listed in the profile. - [x] A short search for duplicates was performed. - [ ] If it is a AppImage, `--profile=PROFILENAME` is used to set the right profile. - [x] Used `LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 PROGRAM` to get english error-messages.

gitea-mirror closed this issue

2026-05-05 09:03:43 -06:00

gitea-mirror commented

2026-05-05 09:03:45 -06:00

Author

Owner

@SkewedZeppelin commented on GitHub (Nov 26, 2020):

Can you add the following to a new file /etc/firejail/ffmpeg.local:

whitelist /var/lib/jellyfin
writable-var

Also it seems kind of asinine to write such temporary files to disk?
Longterm maybe mount a tmpfs over that path?
No need to wear out your drive.

Aside: TIL you can't add markdown to email responses???

@SkewedZeppelin commented on GitHub (Nov 26, 2020): Can you add the following to a new file `/etc/firejail/ffmpeg.local`: ``` whitelist /var/lib/jellyfin writable-var ``` Also it seems kind of asinine to write such temporary files to disk? Longterm maybe mount a tmpfs over that path? No need to wear out your drive. Aside: TIL you can't add markdown to email responses???

gitea-mirror commented

2026-05-05 09:03:46 -06:00

Author

Owner

@setpill commented on GitHub (Nov 26, 2020):

Can confirm that fixes it. Even just writable-var is enough (without the whitelist). Does it make sense to restrict ffmpeg this way by default? It's a utility commonly used by other applications.

@setpill commented on GitHub (Nov 26, 2020): Can confirm that fixes it. Even just `writable-var` is enough (without the `whitelist`). Does it make sense to restrict `ffmpeg` this way by default? It's a utility commonly used by other applications.

gitea-mirror commented

2026-05-05 09:03:47 -06:00

Author

Owner

@rusty-snake commented on GitHub (Nov 27, 2020):

curl, pandoc, tar, unzip, ... are not includes in firecfg.config by default because they frequently break programs calling them. IMHO we should exclude it too. If you call it in a terminal you can always prefix it with firejail and if a program calls it, it's better to firejail this program.

@rusty-snake commented on GitHub (Nov 27, 2020): curl, pandoc, tar, unzip, ... are not includes in firecfg.config by default because they frequently break programs calling them. IMHO we should exclude it too. If you call it in a terminal you can always prefix it with `firejail` and if a program calls it, it's better to firejail this program.

gitea-mirror commented

2026-05-05 09:03:47 -06:00

Author

Owner

@SkewedZeppelin commented on GitHub (Nov 27, 2020):

it's better to firejail this program

agreed

but for services it should be restricted using systemd's built-in mechanisms.
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Sandboxing

@SkewedZeppelin commented on GitHub (Nov 27, 2020): > it's better to firejail this program agreed but for services it should be restricted using systemd's built-in mechanisms. https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Sandboxing

gitea-mirror commented

2026-05-05 09:03:48 -06:00

Author

Owner

@setpill commented on GitHub (Nov 27, 2020):

So if I understand it correctly, the solution to this issue is to remove ffmpeg (and maybe ffmpeg-thumbnailer) from src/firecfg/firecfg.config?

@setpill commented on GitHub (Nov 27, 2020): So if I understand it correctly, the solution to this issue is to remove `ffmpeg` (and maybe `ffmpeg-thumbnailer`) from `src/firecfg/firecfg.config`?

gitea-mirror referenced this issue

2026-05-05 09:09:36 -06:00

[GH-ISSUE #3957] Error: execute permission denied for /usr/local/bin/firefox #2473

gitea-mirror referenced this issue

2026-05-05 10:17:11 -06:00

[PR #2386] [MERGED] Temporary fix for noexec ${HOME} breakage #4282