[GH-ISSUE #3938] vlc: no video playback (seccomp) #2461

Closed
opened 2026-05-05 09:08:42 -06:00 by gitea-mirror · 8 comments

Originally created by @MrFrank17 on GitHub (Jan 31, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3938

Hi,

VLC is not showing videos with the standard profile (using Kubuntu 20.10).
If I start it with `firejail --noprofile vlc` everything is fine as expected.

Starting vlc normally, `journalctl --boot --pager-end --follow` gives me that:

```
audit[615706]: SECCOMP auid=1000 uid=1000 gid=1000 ses=3 subj=unconfined pid=615706 comm="vlc" exe="/usr/local/bin/vlc" sig=31 arch=c000003e syscall=312 compat=0 ip=0x7f476f3c667d code=0x0
Jan 31 16:13:50 frank-laptop kernel: audit: type=1326 audit(1612106030.242:57): auid=1000 uid=1000 gid=1000 ses=3 subj=unconfined pid=615706 comm="vlc" exe="/usr/local/bin/vlc" sig=31 arch=c000003e syscall=312 compat=0 ip=0x7f476f3c667d code=0x0
Jan 31 16:13:55 frank-laptop firejail[620322]: blacklist violation - sandbox 1853, exe kioslave5, syscall open64, path /proc/sys/kernel/core_pattern
Jan 31 16:13:55 frank-laptop firejail[620324]: blacklist violation - sandbox 1853, exe kioslave5, syscall open64, path /proc/sys/kernel/core_pattern
```

Any ideas?

Thanks
Frank

gitea-mirror 2026-05-05 09:08:42 -06:00
  • closed this issue
  • added the `duplicate` label

@rusty-snake commented on GitHub (Jan 31, 2021):

Duplicate of #3219, replace `seccomp` with `seccomp !kcmp` in vlc.profile.

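How the audit record in the report leads to the `seccomp !kcmp` fix, as an added example that is not part of the original thread or of firejail's code: it parses SECCOMP audit records (type 1326), resolves the syscall number for the x86_64 ABI (`arch=c000003e`), and builds the matching profile line. The syscall table is a constructed subset, the function names are hypothetical, and the sample lines are the ones from the report trimmed to the fields used.

```python
import re

AUDIT_ARCH_X86_64 = 0xC000003E
# Constructed subset of the x86_64 syscall table; `firejail --debug-syscalls`
# prints the full list firejail knows.
X86_64_SYSCALLS = {2: "open", 41: "socket", 101: "ptrace", 165: "mount",
                   312: "kcmp", 321: "bpf"}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_seccomp(line):
    """Return the key=value fields of a SECCOMP audit record, else None."""
    if "SECCOMP" not in line and "type=1326" not in line:
        return None
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    if "syscall" not in fields or "arch" not in fields:
        return None
    return fields

def blocked_syscalls(lines):
    """Map each program (comm) to the set of syscall names seccomp denied."""
    result = {}
    for line in lines:
        rec = parse_seccomp(line)
        if rec is None:
            continue  # e.g. firejail's own "blacklist violation" messages
        nr = int(rec["syscall"])
        if int(rec["arch"], 16) == AUDIT_ARCH_X86_64:
            name = X86_64_SYSCALLS.get(nr, f"unknown_{nr}")
        else:
            name = f"arch_{rec['arch']}_{nr}"  # other ABI: needs its own table
        result.setdefault(rec.get("comm", "?"), set()).add(name)
    return result

def profile_line(names):
    """Build the firejail exception line, e.g. 'seccomp !kcmp'."""
    return "seccomp " + ",".join("!" + n for n in sorted(names))

# Lines from the report above, trimmed to the fields used here.
SAMPLE = [
    'audit[615706]: SECCOMP auid=1000 uid=1000 pid=615706 comm="vlc" '
    'exe="/usr/local/bin/vlc" sig=31 arch=c000003e syscall=312 compat=0',
    'kernel: audit: type=1326 audit(1612106030.242:57): pid=615706 comm="vlc" '
    'exe="/usr/local/bin/vlc" sig=31 arch=c000003e syscall=312 compat=0',
    'firejail[620322]: blacklist violation - sandbox 1853, exe kioslave5, '
    'syscall open64, path /proc/sys/kernel/core_pattern',
]

if __name__ == "__main__":
    for comm, names in blocked_syscalls(SAMPLE).items():
        print(comm, "->", profile_line(names))
```

Each `!name` exception re-enables that syscall for the sandboxed program, so the generated line should list only syscalls the log actually shows being denied.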

@MrFrank17 commented on GitHub (Jan 31, 2021):

Thanks, playback works now!
Something minor: it seems access to some KDE configuration files is still blocked (e.g. I am using a dark theme and without firejail vlc adapts to that style. Now it is shown in light colors. Also the file browser dialog does not have all of my individual settings). The journal log shows nothing meaningful ...


@rusty-snake commented on GitHub (Jan 31, 2021):

vlc is a whitelisting profile, if you want to play files stored somewhere else than Desktop/Downloads/Music/Pictures/Videos you must add a `whitelist ${HOME}/path/to/file_or_dir` to `whitelist-player-common.local`. Files which store settings like for your Qt-theme should be `whitelist`ed (and maybe `read-only`ed) in `whitelist-common.inc`, looks like there are some paths missing. Do you know where KDE stores this?


@MrFrank17 commented on GitHub (Jan 31, 2021):

I used `vlc.local`, but good to know that there are other ways as well.
Sorry, no idea how KDE handles that (or which folders are used).
I hoped to see a blacklist (or in this case a whitelist?) violation in the journal output.


@rusty-snake commented on GitHub (Feb 1, 2021):

> blacklist (or in this case a whitelist?) violation in the journal output.

Will not happen for missing `whitelist`. However, you can `firejail --build=~/vlc.profile vlc` and then compare all the `whitelist ${HOME}/...`.

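The comparison suggested above, as an added example that is not part of the original thread or of firejail's code: it lists the `whitelist ${HOME}/...` entries from a `firejail --build` profile that no entry in the profile in use covers, treating a whitelisted parent directory as covering its children. Both profile texts are constructed samples, the function names are hypothetical, and `include` lines are not followed, so the text of included files has to be appended to the current profile text first.

```python
from pathlib import PurePosixPath

def whitelist_paths(profile_text, prefix="${HOME}/"):
    """Collect `whitelist` targets under prefix, dropping duplicates."""
    paths = set()
    for raw in profile_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) != 2 or parts[0] != "whitelist":
            continue  # comments, includes and other directives
        target = parts[1].strip()
        if target.startswith("~/"):
            target = "${HOME}/" + target[2:]
        if target.startswith(prefix):
            paths.add(PurePosixPath(target))
    return paths

def missing_whitelists(built_text, current_text):
    """Entries from the built profile that no current entry (or parent) covers."""
    current = whitelist_paths(current_text)
    missing = []
    for path in sorted(whitelist_paths(built_text)):
        covered = any(path == c or c in path.parents for c in current)
        if not covered:
            missing.append(f"whitelist {path}")
    return missing

# Constructed sample in the style of a generated profile.
BUILT = """\
# constructed sample
whitelist ${HOME}/.config/vlc
whitelist ${HOME}/.config/pulse/cookie
whitelist ${HOME}/.cache/thumbnails
whitelist ${HOME}/.cache/thumbnails
whitelist ${HOME}/.local/share/RecentDocuments
whitelist /usr/share/vlc
"""

# Constructed stand-in for the whitelist lines of the profile in use.
CURRENT = """\
whitelist ${HOME}/.config/vlc
whitelist ${HOME}/.config/pulse
whitelist ${HOME}/Videos
"""

if __name__ == "__main__":
    for line in missing_whitelists(BUILT, CURRENT):
        print(line)
```

The output is a candidate list to review entry by entry rather than to paste wholesale, since every added `whitelist` exposes that path inside the sandbox.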

@MrFrank17 commented on GitHub (Feb 1, 2021):

Oh, wasn't aware of that possibility!
Was still a lot to look up - I added this in `vlc.local`.
Note these are the additional ones, have not checked if they are all really needed. Maybe you can give me a hint ...

```
include /etc/firejail/whitelist-common.inc
include whitelist-usr-share-common.inc

whitelist ${HOME}/.local/share/RecentDocuments
whitelist ${HOME}/.local/share/kioslave5/icons/hicolor
whitelist ${HOME}/.cache/thumbnails
whitelist ${HOME}/.config/pulse
whitelist ${HOME}/.pulse-cookie
whitelist ${HOME}/.cache/thumbnails
whitelist ${HOME}/.Xdefaults-frank-laptop
whitelist ${HOME}/.cache/mesa_shader_cache
whitelist /usr/share/kioslave5
whitelist /usr/share/texmf
whitelist /usr/share/vlc
whitelist /usr/share/kubuntu-default-settings
```

To have it fully functional I also commented out all the `disable*.inc` in `vlc.profile`. That's for sure too much, but I did not have the time to look into that.


@rusty-snake commented on GitHub (Feb 2, 2021):

`${HOME}/.local/share/RecentDocuments`, `${HOME}/.cache/thumbnails`: what the name says
`${HOME}/.config/pulse`, `${HOME}/.pulse-cookie`: pulse audio
`${HOME}/.cache/mesa_shader_cache`: just a cache
`/usr/share`: system-wide, not relevant for theme change by user


@MrFrank17 commented on GitHub (Feb 2, 2021):

Ok, it works now!
The solution is surprisingly simple after all I have tried out - I added to my local profile:
`noblacklist ${DOCUMENTS}`
`noblacklist ${PICTURES}`
Not sure why this is enough, but well, it works ...
