github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #3872] Screen sharing configuration on wayland #2435

New issue
Closed
opened 2026-05-05 09:06:42 -06:00 by gitea-mirror · 27 comments
gitea-mirror commented 2026-05-05 09:06:42 -06:00
Owner
Copy link

Originally created by @albinou on GitHub (Jan 5, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3872

Bug and expected behavior

Solution
This can be fixed by allowing the required DBUS message. This can be done by creating a ~/.config/firejail/firefox.local file with the following content:

dbus-user.talk org.freedesktop.portal.Desktop

There's no bug then?
No indeed, because I am not sure this DBUS message should be allowed by default.

I am just wondering if/where this should be documented because it is not specific to firefox.
Indeed, the same configuration could be required for other applications (like chromium, zoom, teams, ...).

Don't hesitate to ask me to propose a PR, I would be happy to help.

Originally created by @albinou on GitHub (Jan 5, 2021). Original GitHub issue: https://github.com/netblue30/firejail/issues/3872 **Bug and expected behavior** - Run firefox with the firefox profile - Open https://mozilla.github.io/webrtc-landing/gum_test.html - Click on "Screen Capture" - firefox asks for permission to share the screen but nothing is displayed **Solution** This can be fixed by allowing the required DBUS message. This can be done by creating a `~/.config/firejail/firefox.local` file with the following content: ``` dbus-user.talk org.freedesktop.portal.Desktop ``` **There's no bug then?** No indeed, because I am not sure this DBUS message should be allowed by default. I am just wondering if/where this should be documented because it is not specific to firefox. Indeed, the same configuration could be required for other applications (like chromium, zoom, teams, ...). Don't hesitate to ask me to propose a PR, I would be happy to help.
gitea-mirror commented 2026-05-05 09:06:45 -06:00
Author
Owner
Copy link

@albinou commented on GitHub (Jan 5, 2021):

If anyone wonders about how this screen capture works, it has been added to firefox 84 and requires pipewire. More information here: https://wiki.archlinux.org/index.php/Screen_capture#Via_the_WebRTC_protocol

<!-- gh-comment-id:754942885 --> @albinou commented on GitHub (Jan 5, 2021): If anyone wonders about how this screen capture works, it has been added to firefox 84 and requires pipewire. More information here: https://wiki.archlinux.org/index.php/Screen_capture#Via_the_WebRTC_protocol
gitea-mirror commented 2026-05-05 09:06:45 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jan 6, 2021):

This can be fixed by allowing the required DBUS message. This can be done by creating a ~/.config/firejail/firefox.local file with the following content:

Just that line? In my tests also whitelist ${RUNUSER}/pipewire-0 (w/o you get the prompt, but the shared screen in empty) and ignore noroot (which is known to break portals). See https://github.com/netblue30/firejail/pull/3766#issuecomment-738732173.

No indeed, because I am not sure this DBUS message should be allowed by default.

dbus-user.talk org.freedesktop.portal.* are considered sandbox safe and could be allowed by default.

<!-- gh-comment-id:755157982 --> @rusty-snake commented on GitHub (Jan 6, 2021): > This can be fixed by allowing the required DBUS message. This can be done by creating a ~/.config/firejail/firefox.local file with the following content: Just that line? In my tests also `whitelist ${RUNUSER}/pipewire-0` (w/o you get the prompt, but the shared screen in empty) and `ignore noroot` (which is known to break portals). See https://github.com/netblue30/firejail/pull/3766#issuecomment-738732173. > No indeed, because I am not sure this DBUS message should be allowed by default. `dbus-user.talk org.freedesktop.portal.*` are considered sandbox safe and could be allowed by default.
gitea-mirror commented 2026-05-05 09:06:46 -06:00
Author
Owner
Copy link

@albinou commented on GitHub (Jan 8, 2021):

Sorry for the late answer.

Just that line? In my tests also whitelist ${RUNUSER}/pipewire-0 (w/o you get the prompt, but the shared screen in empty) and ignore noroot (which is known to break portals). See #3766 (comment).

noroot is indeed set in my /etc/firejail/firefox-common.profile file (ArchLinux, firejail 0.9.64-2).
And I think ${RUNUSER}/pipewire-0 is not blacklisted because firefox-common.profile only includes disable-common.inc and the pipewire socket is not disabled.

No indeed, because I am not sure this DBUS message should be allowed by default.

dbus-user.talk org.freedesktop.portal.* are considered sandbox safe and could be allowed by default.

But does this mean that an untrusted app could get the screen content without the user being aware of it?

Cheers!

<!-- gh-comment-id:756941170 --> @albinou commented on GitHub (Jan 8, 2021): Sorry for the late answer. > Just that line? In my tests also `whitelist ${RUNUSER}/pipewire-0` (w/o you get the prompt, but the shared screen in empty) and `ignore noroot` (which is known to break portals). See [#3766 (comment)](https://github.com/netblue30/firejail/pull/3766#issuecomment-738732173). `noroot` is indeed set in my `/etc/firejail/firefox-common.profile` file (ArchLinux, firejail 0.9.64-2). And I think `${RUNUSER}/pipewire-0` is not blacklisted because firefox-common.profile only includes `disable-common.inc` and the pipewire socket is not disabled. > > No indeed, because I am not sure this DBUS message should be allowed by default. > > `dbus-user.talk org.freedesktop.portal.*` are considered sandbox safe and could be allowed by default. But does this mean that an untrusted app could get the screen content without the user being aware of it? Cheers!
gitea-mirror commented 2026-05-05 09:06:48 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jan 8, 2021):

Crazy, the first time I allow sharing it aborts immediately and the second allow always works.

I can confirm that it works with noroot.

And I think ${RUNUSER}/pipewire-0 is not blacklisted because firefox-common.profile only includes disable-common.inc and the pipewire socket is not disabled.

I was talking about whitelist, not (no)blacklist. That's a confusing difference in firejail. Anyway I checked and wruc is only in firefox-common.profile on master. If you add include whitelist-runuser-common.inc to your firefox.local, you will have the same.

But does this mean that an untrusted app could get the screen content without the user being aware of it?

Portals originate from flatpak and were developed with the intention to be exposed to a sandbox. Every flatpak can talk to org.freedesktop.portal.*.

Brief summary of their function: sandboxed program talks to org.freedesktop.portal.Desktop (that's the portal "frontend"). This request in forwarded by e.g. xdg-desktop-portal to e.g. org.freedesktop.impl.portal.desktop.gtk (that the portal backend). The program listening on org.freedesktop.impl.portal.ABC then displays a dialog/notification/... to the user.

<!-- gh-comment-id:756960424 --> @rusty-snake commented on GitHub (Jan 8, 2021): _Crazy, the first time I allow sharing it aborts immediately and the second allow always works._ I can confirm that it works with `noroot`. > And I think ${RUNUSER}/pipewire-0 is not blacklisted because firefox-common.profile only includes disable-common.inc and the pipewire socket is not disabled. I was talking about `whitelist`, not `(no)blacklist`. That's a confusing difference in firejail. Anyway I checked and wruc is only in firefox-common.profile on master. If you add `include whitelist-runuser-common.inc` to your firefox.local, you will have the same. > But does this mean that an untrusted app could get the screen content without the user being aware of it? Portals originate from flatpak and were developed with the intention to be exposed to a sandbox. Every flatpak can talk to `org.freedesktop.portal.*`. Brief summary of their function: sandboxed program talks to `org.freedesktop.portal.Desktop` (that's the portal "frontend"). This request in forwarded by e.g. `xdg-desktop-portal` to e.g. `org.freedesktop.impl.portal.desktop.gtk` (that the portal backend). The program listening on `org.freedesktop.impl.portal.ABC` then displays a dialog/notification/... to the user.
gitea-mirror commented 2026-05-05 09:06:48 -06:00
Author
Owner
Copy link

@albinou commented on GitHub (Jan 8, 2021):

Thanks for your explanation!

The program listening on org.freedesktop.impl.portal.ABC then displays a dialog/notification/... to the user.

In my case (Sway and xdg-desktop-portal-wlr), do you mean that xdg-desktop-portal-wlr should send a notification when the screen is shared? (notification sent over DBUS to a notification daemon (like mako in my case)?
Because I have no notification when sharing my screen :-/

<!-- gh-comment-id:756998680 --> @albinou commented on GitHub (Jan 8, 2021): Thanks for your explanation! > The program listening on `org.freedesktop.impl.portal.ABC` then displays a dialog/notification/... to the user. In my case (Sway and xdg-desktop-portal-wlr), do you mean that xdg-desktop-portal-wlr should send a notification when the screen is shared? (notification sent over DBUS to a notification daemon (like mako in my case)? Because I have no notification when sharing my screen :-/
gitea-mirror commented 2026-05-05 09:06:49 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jan 8, 2021):

Ok, if xdg-desktop-portal-wlr does this w/o user interaction that's bad.

Under GNOME (xdg-desktop-portal-gtk is the most developed portal implementation) I get a dialog what I want to share. Firefox has nothing to share until I click "Freigeben" (=share).

Dialog

pic1-fs8

pic2-fs8

In addition there is a orange indicator (everything else is white).
pic3-fs8

(notification sent over DBUS to a notification daemon (like mako in my case)?

I could found any spec saying a desktop-portal MUST ask/notifiy. However the idea of portal is that the user has the control (i.e. he/she is asked to allow a program access to something) and it is transparent to the user what happening (i.e. notifications or indicators). If the desktop-portal just allows everything, there is no advantage in using portal over direct access.

<!-- gh-comment-id:757007256 --> @rusty-snake commented on GitHub (Jan 8, 2021): Ok, if xdg-desktop-portal-wlr does this w/o user interaction that's bad. Under GNOME (xdg-desktop-portal-gtk is the most developed portal implementation) I get a dialog what I want to share. Firefox has nothing to share until I click "Freigeben" (=share). <details><summary>Dialog</summary> ![pic1-fs8](https://user-images.githubusercontent.com/41237666/104065524-cb07f380-51f7-11eb-801f-4047a11a847b.png) ![pic2-fs8](https://user-images.githubusercontent.com/41237666/104065540-d3602e80-51f7-11eb-8b5d-575ba98a9fee.png) </details> In addition there is a orange indicator (everything else is white). ![pic3-fs8](https://user-images.githubusercontent.com/41237666/104065552-d78c4c00-51f7-11eb-8823-bbfd3d40f35a.png) > (notification sent over DBUS to a notification daemon (like mako in my case)? I could found any spec saying a desktop-portal MUST ask/notifiy. However the idea of portal is that the user has the control (i.e. he/she is asked to allow a program access to something) and it is transparent to the user what happening (i.e. notifications or indicators). If the desktop-portal just allows everything, there is no advantage in using portal over direct access.
gitea-mirror commented 2026-05-05 09:06:50 -06:00
Author
Owner
Copy link

@albinou commented on GitHub (Jan 8, 2021):

Thank your very much for your screenshots, now I understand :-)

If the desktop-portal just allows everything, there is no advantage in using portal over direct access.

xdg-desktop-portal-wlr is a pretty new project and I think it is the only way to do screen-sharing under sway.

<!-- gh-comment-id:757022940 --> @albinou commented on GitHub (Jan 8, 2021): Thank your very much for your screenshots, now I understand :-) > If the desktop-portal just allows everything, there is no advantage in using portal over direct access. `xdg-desktop-portal-wlr` is a pretty new project and I think it is the only way to do screen-sharing under sway.
gitea-mirror commented 2026-05-05 09:06:51 -06:00
Author
Owner
Copy link

@Luticus commented on GitHub (Jan 26, 2021):

Just wanted to point out that if you try to run firefox so that it actually uses wayland (env GDK_BACKEND=wayland firefox), this solution appears to be broken.

I added the dbus-user.talk org.freedesktop.portal.* line and it launches, but does not resolve the issue. As soon as I added whitelist ${RUNUSER}/pipewire-0 line, firejail + firefox won't launch. If I instead add include whitelist-runuser-common.inc then it launches, but again, does not work.

I'm running firefox 85, wayland + KDE 5.20.5 on Debian Testing with the newest (working) pipewire version. I have tested firefox without using firejail and it does, indeed, work correctly. I've also tested obs studio screen recording on wayland and it work perfectly fine as well. So the issue remains that firejail is blocking something when firefox is told to use wayland as opposed to xwayland.

The proposed solutions here do seem to work on the default xwayland setup but for those of us who want a nice browsing experience on a touch screen laptop that isn't completely janky and broken, a real wayland backend is very much the only way to go. Hopefully there's a viable work around for this.

<!-- gh-comment-id:767806581 --> @Luticus commented on GitHub (Jan 26, 2021): Just wanted to point out that if you try to run firefox so that it actually uses wayland (**env GDK_BACKEND=wayland firefox**), this solution appears to be broken. I added the **dbus-user.talk org.freedesktop.portal.*** line and it launches, but does not resolve the issue. As soon as I added **whitelist ${RUNUSER}/pipewire-0** line, firejail + firefox won't launch. If I instead add **include whitelist-runuser-common.inc** then it launches, but again, does not work. I'm running firefox 85, wayland + KDE 5.20.5 on Debian Testing with the newest (working) pipewire version. I have tested firefox without using firejail and it does, indeed, work correctly. I've also tested obs studio screen recording on wayland and it work perfectly fine as well. So the issue remains that firejail is blocking something when firefox is told to use wayland as opposed to xwayland. The proposed solutions here do seem to work on the default xwayland setup but for those of us who want a nice browsing experience on a touch screen laptop that isn't completely janky and broken, a real wayland backend is very much the only way to go. Hopefully there's a viable work around for this.
gitea-mirror commented 2026-05-05 09:06:52 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Jan 26, 2021):

Just wanted to point out that if you try to run firefox so that it actually uses wayland (env GDK_BACKEND=wayland firefox), this solution appears to be broken.

@Luticus Unrelated note: I always assumed that it's safer to use the officially supported MOZ_xxx env vars with Firefox, independent of DE. So to force FF to use Wayland that would be MOZ_ENABLE_WAYLAND=1.

<!-- gh-comment-id:767824429 --> @ghost commented on GitHub (Jan 26, 2021): > Just wanted to point out that if you try to run firefox so that it actually uses wayland (env GDK_BACKEND=wayland firefox), this solution appears to be broken. @Luticus Unrelated note: I always assumed that it's safer to use the officially supported MOZ_xxx env vars with Firefox, independent of DE. So to force FF to use Wayland that would be MOZ_ENABLE_WAYLAND=1.
gitea-mirror commented 2026-05-05 09:06:53 -06:00
Author
Owner
Copy link

@Luticus commented on GitHub (Jan 27, 2021):

@glitsj16 I'll give that a try. I've been using the GDK_BACKEND one for a while because when I researched it that's what I found and it seemed to work. I'll test with the one you suggest and see if it works/improves anything in any way.

<!-- gh-comment-id:767923338 --> @Luticus commented on GitHub (Jan 27, 2021): @glitsj16 I'll give that a try. I've been using the GDK_BACKEND one for a while because when I researched it that's what I found and it seemed to work. I'll test with the one you suggest and see if it works/improves anything in any way.
gitea-mirror commented 2026-05-05 09:06:54 -06:00
Author
Owner
Copy link

@Luticus commented on GitHub (Jan 27, 2021):

@glitsj16 So after testing the difference between using the two wayland methods, it seems MOZ_ENABLE_WAYLAND=1 simply "less forceful". What I mean is that when wayland fails for some reason Firefox will fall back on xwayland, whereas the GDK_BACKEND method will prevent Firefox from starting if it fails. At least that's how it seemed. When I used whitelist ${RUNUSER}/pipewire-0 with the MOZ_ENABLE_WAYLAND=1 method, Firefox did start but when I went to about:support "window protocol" it was using xwayland, and without the whitelist line, it used wayland. With the GDK_BACKEND method Firefox would not launch while whitelist ${RUNUSER}/pipewire-0 was in the ~/.config/firejail/firefox.local file. Without the whitelist line, Firefox works fine with wayland but doesn't work with pipewire.

<!-- gh-comment-id:767928624 --> @Luticus commented on GitHub (Jan 27, 2021): @glitsj16 So after testing the difference between using the two wayland methods, it seems **MOZ_ENABLE_WAYLAND=1** simply "less forceful". What I mean is that when wayland fails for some reason Firefox will fall back on xwayland, whereas the **GDK_BACKEND** method will prevent Firefox from starting if it fails. At least that's how it seemed. When I used **whitelist ${RUNUSER}/pipewire-0** with the **MOZ_ENABLE_WAYLAND=1** method, Firefox did start but when I went to about:support "window protocol" it was using xwayland, and without the whitelist line, it used wayland. With the **GDK_BACKEND** method Firefox would not launch while **whitelist ${RUNUSER}/pipewire-0** was in the ~/.config/firejail/firefox.local file. Without the whitelist line, Firefox works fine with wayland but doesn't work with pipewire.
gitea-mirror commented 2026-05-05 09:06:55 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Jan 27, 2021):

@Luticus For reference, I found that info on the Arch Linux wiki. I'd be surprised if it changes anything related to this issue, that's why I used 'Unrelated note'...

<!-- gh-comment-id:767928936 --> @ghost commented on GitHub (Jan 27, 2021): @Luticus For reference, I found that info on the Arch Linux [wiki](https://wiki.archlinux.org/index.php/Firefox#Wayland). I'd be surprised if it changes anything related to this issue, that's why I used 'Unrelated note'...
gitea-mirror commented 2026-05-05 09:06:56 -06:00
Author
Owner
Copy link

@albinou commented on GitHub (Jan 27, 2021):

@Luticus: On ArchLinux, it is working fine but I am running firejail version 0.9.64-2 et its /etc/firejail/* profiles are probably different than yours.

Indeed, in my setup (profiles older than the ones on master), my /etc/firejail/firefox-common.profile file does not include whitelist-runuser-common.inc so I guess I don't have restrictions on data under the path ${RUNUSER}. This may explain why I don't need the whitelist ${RUNUSER}/pipewire-0 rule. I will try to run additional tests when I'll have some time.

<!-- gh-comment-id:768182946 --> @albinou commented on GitHub (Jan 27, 2021): @Luticus: On ArchLinux, it is working fine but I am running firejail version 0.9.64-2 et its /etc/firejail/* profiles are probably different than yours. Indeed, in my setup (profiles older than the ones on master), my /etc/firejail/firefox-common.profile file does not `include whitelist-runuser-common.inc` so I guess I don't have restrictions on data under the path `${RUNUSER}`. This may explain why I don't need the `whitelist ${RUNUSER}/pipewire-0` rule. I will try to run additional tests when I'll have some time.
gitea-mirror commented 2026-05-05 09:06:56 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jan 27, 2021):

So to force FF to use Wayland that would be MOZ_ENABLE_WAYLAND=1.

It maybe also changes some code paths which are unrelated to the rendering-backend-frontend like screensharing, because GDK_BACKEND is (maybe) (only) for gdk.

I'm running firefox 85, wayland + KDE 5.20.5

I guess it's the KDE. That a third protal implementation (I've GNOME and @albinou has sway).

(or the firefox 85 is the cause, I will test once fedora ships it in the next days.)

As soon as I added whitelist ${RUNUSER}/pipewire-0 line, firejail + firefox won't launch. If I instead add include whitelist-runuser-common.inc then it launches, but again, does not work.

If you add whitelist ${RUNUSER}/pipewire-0 w/o include whitelist-runuser-common.inc you're missing the whitelist ${RUNUSER}/wayland-0. Without access to the wayland socket wayland doesn't work (understandable).

my /etc/firejail/firefox-common.profile file does not include whitelist-runuser-common.inc so I guess I don't have restrictions on data under the path ${RUNUSER}. This may explain why I don't need the whitelist ${RUNUSER}/pipewire-0 rule.

That's it, w/o wruc you has full* access to ${RUNUSER}

*the blacklist from disable-common.inc is still used

When I used whitelist ${RUNUSER}/pipewire-0 with the MOZ_ENABLE_WAYLAND=1 method, Firefox did start but when I went to about:support "window protocol" it was using xwayland, and without the whitelist line, it used wayland. With the GDK_BACKEND method Firefox would not launch while whitelist ${RUNUSER}/pipewire-0 was in the ~/.config/firejail/firefox.local file.

Just use

ipc-namespace
blacklist /tmp/.X11-unix
<!-- gh-comment-id:768217354 --> @rusty-snake commented on GitHub (Jan 27, 2021): > So to force FF to use Wayland that would be MOZ_ENABLE_WAYLAND=1. It maybe also changes some code paths which are unrelated to the rendering-backend-frontend like screensharing, because GDK_BACKEND is (maybe) (only) for gdk. > I'm running firefox 85, wayland + KDE 5.20.5 I guess it's the KDE. That a third protal implementation (I've GNOME and @albinou has sway). (or the firefox 85 is the cause, I will test once fedora ships it in the next days.) > As soon as I added whitelist ${RUNUSER}/pipewire-0 line, firejail + firefox won't launch. If I instead add include whitelist-runuser-common.inc then it launches, but again, does not work. If you add `whitelist ${RUNUSER}/pipewire-0` w/o `include whitelist-runuser-common.inc` you're missing the `whitelist ${RUNUSER}/wayland-0`. Without access to the wayland socket wayland doesn't work (understandable). > my /etc/firejail/firefox-common.profile file does not include whitelist-runuser-common.inc so I guess I don't have restrictions on data under the path ${RUNUSER}. This may explain why I don't need the whitelist ${RUNUSER}/pipewire-0 rule. That's it, w/o wruc you has full* access to ${RUNUSER} *the blacklist from disable-common.inc is still used > When I used whitelist ${RUNUSER}/pipewire-0 with the MOZ_ENABLE_WAYLAND=1 method, Firefox did start but when I went to about:support "window protocol" it was using xwayland, and without the whitelist line, it used wayland. With the GDK_BACKEND method Firefox would not launch while whitelist ${RUNUSER}/pipewire-0 was in the ~/.config/firejail/firefox.local file. Just use ``` ipc-namespace blacklist /tmp/.X11-unix ```
gitea-mirror commented 2026-05-05 09:06:57 -06:00
Author
Owner
Copy link

@Luticus commented on GitHub (Jan 28, 2021):

@rusty-snake

Well I tried running my ~/.config/firejail/firefox.local in several different variations and none worked. Here's a list of some of the lines I tried:

ipc-namespace
blacklist /tmp/.x11-unix
dbus-user.talk org.freedesktop.impl.portal.desktop.kde
dbus-user.talk org.freedesktop.impl.portal.desktop.gtk
include whitelist-runuser-common.inc
whitelist ${RUNUSER}/pipewire-0
whitelist ${RUNUSER}/wayland-0

I wasn't sure if gtk apps would use the gtk backend so i installed it and enabled it just in case. The dbus lines were taken from the qdbus | grep portal command. I also tried with the dbus-user.talk org.freedesktop.portal.* setting, but with no success.

One thing I did notice is that once I added the include whitelist-runuser-common.inc with whitelist ${RUNUSER}/pipewire-0 the browser would launch with the wayland backend, but the screen share select window does not pop up. Again, if I run my Firefox with all the same setting, and exclude only firejail, then screen sharing works perfectly. So I know I don't need a different backend, or anything like that.

<!-- gh-comment-id:768801318 --> @Luticus commented on GitHub (Jan 28, 2021): @rusty-snake Well I tried running my ~/.config/firejail/firefox.local in several different variations and none worked. Here's a list of some of the lines I tried: ``` ipc-namespace blacklist /tmp/.x11-unix dbus-user.talk org.freedesktop.impl.portal.desktop.kde dbus-user.talk org.freedesktop.impl.portal.desktop.gtk include whitelist-runuser-common.inc whitelist ${RUNUSER}/pipewire-0 whitelist ${RUNUSER}/wayland-0 ``` I wasn't sure if gtk apps would use the gtk backend so i installed it and enabled it just in case. The dbus lines were taken from the **qdbus | grep portal** command. I also tried with the **dbus-user.talk org.freedesktop.portal.*** setting, but with no success. One thing I did notice is that once I added the include whitelist-runuser-common.inc with whitelist ${RUNUSER}/pipewire-0 the browser would launch with the wayland backend, but the screen share select window does not pop up. Again, if I run my Firefox with all the same setting, and exclude only firejail, then screen sharing works perfectly. So I know I don't need a different backend, or anything like that.
gitea-mirror commented 2026-05-05 09:06:58 -06:00
Author
Owner
Copy link

@Luticus commented on GitHub (Jan 28, 2021):

The issue is the noroot directive in firefox-common. If that is commented out, it works. Even if I completely remove the firefox.local file and make no other changes. I just had to stop using that noroot directive. Not sure if there's a work around where I can still use that and be able to use screen sharing, but for now I'll just leave it commented until there's a better workaround.

<!-- gh-comment-id:768805522 --> @Luticus commented on GitHub (Jan 28, 2021): The issue is the **noroot** directive in firefox-common. If that is commented out, it works. Even if I completely remove the firefox.local file and make no other changes. I just had to stop using that noroot directive. Not sure if there's a work around where I can still use that and be able to use screen sharing, but for now I'll just leave it commented until there's a better workaround.
gitea-mirror commented 2026-05-05 09:06:58 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jan 28, 2021):

FTR: The portal implementations at org.freedesktop.impl.portal.* are never directly accessed by programs. Only the programs listening on org.freedesktop.portal.* talk to the implementations.

<!-- gh-comment-id:768998772 --> @rusty-snake commented on GitHub (Jan 28, 2021): FTR: The portal implementations at `org.freedesktop.impl.portal.*` are never directly accessed by programs. Only the programs listening on `org.freedesktop.portal.*` talk to the implementations.
gitea-mirror commented 2026-05-05 09:06:58 -06:00
Author
Owner
Copy link

@albinou commented on GitHub (Feb 6, 2021):

@Luticus: My ArchLinux updated its firejail version and, FYI, I don't need to whitelist ${RUNUSER}/wayland-0

<!-- gh-comment-id:774543944 --> @albinou commented on GitHub (Feb 6, 2021): @Luticus: My ArchLinux updated its firejail version and, FYI, I don't need to whitelist ${RUNUSER}/wayland-0
gitea-mirror commented 2026-05-05 09:06:59 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Feb 7, 2021):

@ anyone how is this confused about whitelisting:

If you use firejail <= 0.9.62 your firefox-common.profile has no wruc so you don't need whitelist ${RUNUSER}/pipewire-0. If you add it will pipewire-0 be the only file in /run/user/$UID. No wayland-0 (Wayland), bus(D-Bus) or pulse/native (PulseAudio).

If you use firejail >= 0.9.64 your firefox-common.profile has wruc and only file with a whitelist command will be in /run/user/$UID. Then you need to add whitelist ${RUNUSER}/pipewire-0.

<!-- gh-comment-id:774715876 --> @rusty-snake commented on GitHub (Feb 7, 2021): @ anyone how is this confused about whitelisting: If you use firejail <= 0.9.62 your firefox-common.profile has no wruc so you don't need `whitelist ${RUNUSER}/pipewire-0`. If you add it will `pipewire-0` be the only file in `/run/user/$UID`. No `wayland-0` (Wayland), `bus`(D-Bus) or `pulse/native` (PulseAudio). If you use firejail >= 0.9.64 your firefox-common.profile has wruc and only file with a `whitelist` command will be in `/run/user/$UID`. Then you need to add `whitelist ${RUNUSER}/pipewire-0`.
gitea-mirror commented 2026-05-05 09:06:59 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Feb 8, 2021):

Summary: Wayland screen-sharing requires dbus-user.talk org.freedesktop.portal.Desktop and whitelist ${RUNUSER}/pipewire-0 and maybe ignore noroot (depending on portal impl?).

So @albinou feel free to open a PR with something like

# Uncomment (or add to your firefox.local) the following line if you want to use screen sharing under wayland.
#ignore noroot
#whitelist ${RUNUSER}/pipewire-0
#dbus-user.talk org.freedesktop.portal.Desktop
<!-- gh-comment-id:775381258 --> @rusty-snake commented on GitHub (Feb 8, 2021): Summary: Wayland screen-sharing requires `dbus-user.talk org.freedesktop.portal.Desktop` and `whitelist ${RUNUSER}/pipewire-0` and maybe `ignore noroot` (depending on portal impl?). So @albinou feel free to open a PR with something like ``` # Uncomment (or add to your firefox.local) the following line if you want to use screen sharing under wayland. #ignore noroot #whitelist ${RUNUSER}/pipewire-0 #dbus-user.talk org.freedesktop.portal.Desktop ```
gitea-mirror commented 2026-05-05 09:07:00 -06:00
Author
Owner
Copy link

@albinou commented on GitHub (Feb 9, 2021):

I can't get to link my pull request :-/
So here is the link: https://github.com/netblue30/firejail/pull/3966

<!-- gh-comment-id:776153245 --> @albinou commented on GitHub (Feb 9, 2021): I can't get to link my pull request :-/ So here is the link: https://github.com/netblue30/firejail/pull/3966
gitea-mirror commented 2026-05-05 09:07:00 -06:00
Author
Owner
Copy link

@albinou commented on GitHub (Feb 10, 2021):

The pull request has been merged. We can close this issue.

<!-- gh-comment-id:776521279 --> @albinou commented on GitHub (Feb 10, 2021): The pull request has been merged. We can close this issue.
gitea-mirror commented 2026-05-05 09:07:01 -06:00
Author
Owner
Copy link

@alxjsn commented on GitHub (Jun 22, 2021):

To get xdg-desktop-portal-wlr working with Sway on Arch Linux I needed the following lines for these various browsers:

Firefox

whitelist ${RUNUSER}/pipewire-0
dbus-user.talk org.freedesktop.portal.*
whitelist /usr/share/pipewire/client.conf

Google Chrome

whitelist ${RUNUSER}/pipewire-0
whitelist ${RUNUSER}/bus

Chromium

whitelist ${RUNUSER}/pipewire-0
whitelist ${RUNUSER}/bus
whitelist /usr/share/pipewire/client.conf
<!-- gh-comment-id:865910767 --> @alxjsn commented on GitHub (Jun 22, 2021): To get xdg-desktop-portal-wlr working with Sway on Arch Linux I needed the following lines for these various browsers: ## Firefox ``` whitelist ${RUNUSER}/pipewire-0 dbus-user.talk org.freedesktop.portal.* whitelist /usr/share/pipewire/client.conf ``` ## Google Chrome ``` whitelist ${RUNUSER}/pipewire-0 whitelist ${RUNUSER}/bus ``` ## Chromium ``` whitelist ${RUNUSER}/pipewire-0 whitelist ${RUNUSER}/bus whitelist /usr/share/pipewire/client.conf ```
gitea-mirror commented 2026-05-05 09:07:01 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jun 22, 2021):

whitelist /usr/share/pipewire/client.conf

Interesting. Maybe that's why screen-sharing it did not worked for me when I last tried/needed.

whitelist ${RUNUSER}/bus

Already in whitelist-runuser-common.inc

dbus-user.talk org.freedesktop.portal.*

and dbus-user.talk org.freedesktop.portal.Desktop shouldn't make any differences.

<!-- gh-comment-id:866117984 --> @rusty-snake commented on GitHub (Jun 22, 2021): > whitelist /usr/share/pipewire/client.conf Interesting. Maybe that's why screen-sharing it did not worked for me when I last tried/needed. > whitelist ${RUNUSER}/bus Already in whitelist-runuser-common.inc > dbus-user.talk org.freedesktop.portal.* and ` dbus-user.talk org.freedesktop.portal.Desktop` shouldn't make any differences.
gitea-mirror commented 2026-05-05 09:07:01 -06:00
Author
Owner
Copy link

@albinou commented on GitHub (Jun 22, 2021):

Very nice, thanks @alxjsn !
It wasn't working anymore on my side too so it fixed it :)

I only needed to add the following line to my firefox and chromium config:

whitelist /usr/share/pipewire/client.conf

@alxjsn: Do you want to propose a PR to add this (as comment) in config files? Or I can do it if you want.
Thanks!

<!-- gh-comment-id:866143229 --> @albinou commented on GitHub (Jun 22, 2021): Very nice, thanks @alxjsn ! It wasn't working anymore on my side too so it fixed it :) I only needed to add the following line to my firefox and chromium config: `whitelist /usr/share/pipewire/client.conf` @alxjsn: Do you want to propose a PR to add this (as comment) in config files? Or I can do it if you want. Thanks!
gitea-mirror commented 2026-05-05 09:07:02 -06:00
Author
Owner
Copy link

@alxjsn commented on GitHub (Jun 22, 2021):

@albinou @rusty-snake created a PR here: https://github.com/netblue30/firejail/pull/4368

<!-- gh-comment-id:866152432 --> @alxjsn commented on GitHub (Jun 22, 2021): @albinou @rusty-snake created a PR here: https://github.com/netblue30/firejail/pull/4368
gitea-mirror commented 2026-05-05 09:07:02 -06:00
Author
Owner
Copy link

@reagentoo commented on GitHub (Nov 26, 2021):

To get xdg-desktop-portal-gtk working with Gnome on Gentoo Linux I needed the following lines for these various applications:

Firefox

~/.config/firejail/firefox-common.local:

dbus-user.talk org.freedesktop.portal.Desktop
ignore noroot
whitelist /usr/share/pipewire/client.conf

Google Chrome

(working w/o any additional firejail local configs)

Telegram Desktop

~/.config/firejail/telegram.local:

dbus-user.talk org.freedesktop.portal.Desktop
ignore noroot
whitelist /usr/share/pipewire/client.conf

~/.config/firejail/whitelist-runuser-common.local:

whitelist ${RUNUSER}/pipewire-?
whitelist ${RUNUSER}/wayland-?

My current config:

gnome-base/gnome-shell-41.1
net-im/telegram-desktop-3.2.4
sys-apps/firejail-0.9.66
sys-apps/xdg-desktop-portal-1.10.1
sys-apps/xdg-desktop-portal-gtk-1.8.0
www-client/firefox-94.0.2
x11-wm/mutter-41.1

<!-- gh-comment-id:980433406 --> @reagentoo commented on GitHub (Nov 26, 2021): To get xdg-desktop-portal-gtk working with Gnome on Gentoo Linux I needed the following lines for these various applications: ## Firefox ~/.config/firejail/firefox-common.local: ``` dbus-user.talk org.freedesktop.portal.Desktop ignore noroot whitelist /usr/share/pipewire/client.conf ``` ## Google Chrome (working w/o any additional firejail local configs) ## Telegram Desktop ~/.config/firejail/telegram.local: ``` dbus-user.talk org.freedesktop.portal.Desktop ignore noroot whitelist /usr/share/pipewire/client.conf ``` ~/.config/firejail/whitelist-runuser-common.local: ``` whitelist ${RUNUSER}/pipewire-? whitelist ${RUNUSER}/wayland-? ``` ## ### My current config: gnome-base/gnome-shell-41.1 net-im/telegram-desktop-3.2.4 sys-apps/firejail-0.9.66 sys-apps/xdg-desktop-portal-1.10.1 sys-apps/xdg-desktop-portal-gtk-1.8.0 www-client/firefox-94.0.2 x11-wm/mutter-41.1
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2435
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?