[GH-ISSUE #3971] mpv no longer uses user config #2482

Closed
opened 2026-05-05 09:10:03 -06:00 by gitea-mirror · 9 comments

Originally created by @rieje on GitHub (Feb 11, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3971

Bug and expected behavior

mpv (with firejail) no longer uses user config.

  • What did you expect to happen?

It should use my mpv config.

No profile and disabling firejail

  • What changed calling `firejail --noprofile /path/to/program` in a terminal?

It works as expected, no bug.

Environment

  • Arch Linux, linux kernel 5.1.14-arch1-1

Additional context

This bug is introduced on firejail-0.9.64.2-1 and also apparent on latest version 0.9.64.4-1. Downgrading back to firejail-0.9.64-2 fixes this bug. I have done no modification of any firejail or mpv settings or setup.

Checklist

  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • I have performed a short search for similar issues (to avoid opening a duplicate).

[OUTPUT](https://pastebin.com/tdkDngr1) OF `firejail --debug PROGRAM`. I also have an [mpv.local](https://pastebin.com/1AzzzJJ).


@ghost commented on GitHub (Feb 11, 2021):

From your debug output (L18):

```
[...]
Warning: /usr/bin/xdg-dbus-proxy was not found, downgrading dbus-user policy to allow.
To enable DBus filtering, install the xdg-dbus-proxy program.
Ignoring "dbus-user.talk org.freedesktop.Notifications".
[...]
```

Our recent code and profiles rely heavily on D-Bus filtering with `xdg-dbus-proxy` for extra protection. I would advise to install it.

I'm on Arch Linux too and for me mpv is working as expected when firejailed. But alas, your mpv.local from pastebin.com 404's so it's a bit hard to get eyes on what's exactly happening on your machine.


@ghost commented on GitHub (Feb 11, 2021):

@rusty-snake Maybe we should consider adding a copy of all .local files used by the application when the --debug flag is used. Shouldn't add too much overhead I think and can make the debugging experience a bit more pleasant.


@rusty-snake commented on GitHub (Feb 11, 2021):

... and all profiles/includes in ~/.config/firejail. Although it is still possible to modify the profile in /etc/firejail directly.

@rieje is your configuration stored in the default location (~/.config/mpv) or somewhere else? And is it just mpv configuration such as `tls-verify=yes`/`hwdec=auto` or are (external) scripts involved?

https://github.com/netblue30/firejail/blob/f71db5299fd3bb9b06254a2e002b24ac7506518c/etc/profile-m-z/mpv.profile#L14-L25


@rieje commented on GitHub (Feb 11, 2021):

@glitsj16 I installed xdg-dbus-proxy again and tried, same thing. Here's the [OUTPUT](https://pastebin.com/tMtLD68s) with it installed. Here's the added [mpv.local](https://pastebin.com/iTsZnkCY).

@rusty-snake Yea, my config is [basic](https://pastebin.com/vEwjNNGk) at ~/.config/mpv/mpv.conf.


@ghost commented on GitHub (Feb 12, 2021):

> I installed xdg-dbus-proxy

Good, the debug log confirms that is working as expected. Keep it installed!

Your pastebin'ed mpv.local is a bit unexpected, there's your problem IMO. Why all the ignores? By ignoring all the whitelist options (and not including whitelist-common.inc) you basically turn the profile into what we call a 'blacklist' profile, which is less secure than the original 'whitelist' profile designed for mpv. That would explain why your mpv config(s) are not respected. I also see you're trying to work around some stuff from disable-exec.inc and disable-shell.inc. The reason why escapes me - please elaborate why you try to do this - but you're not making it easy on yourself by doing it like that in a mpv.local. May I suggest moving your existing mpv.local out of the way and retest with the below mpv.local instead:

```
ignore noexec ${HOME}
include allow-bin-sh.inc

dbus-user filter
dbus-user.talk org.freedesktop.Notifications
ignore dbus-user none

# for AMD gpu--'seccomp' by itself causes mpv not to play video--see https://github.com/netblue30/firejail/issues/3219
ignore seccomp
seccomp !kcmp

private-bin bash,dash,mkdir,sh;touch,notify-send,trash-put
```

@rusty-snake commented on GitHub (Feb 12, 2021):

`s/ignore include whitelist-players.inc/ignore include whitelist-player-common.inc/g`

> ```
> ignore seccomp
> seccomp !kcmp
> ```

Your first line causes the second one to be ignored. IIRC it works even w/o `ignore seccomp`

> private-bin bash,dash,mkdir,sh **; -> ,** touch,notify-send,trash-put

> ignore whitelist /usr/share/lua
> ignore whitelist /usr/share/lua*
> ignore whitelist /usr/share/vulkan

Just more breakage w/o `ignore include wusc`.

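The three problems raised in the two comments above (`ignore` lines that switch off whitelisting, an `ignore` that swallows a later directive, and a `;` inside a `private-bin` list) can be checked mechanically before a `.local` file is deployed. The following is an added example, not part of the thread and not firejail code; `lint_local` is a hypothetical helper, the sample file is constructed from lines quoted in this issue, and the rule that `ignore X` drops any later line equal to `X` or starting with `X ` is an assumption modeled on the comment above.

```python
import re

# Constructed sample: directives quoted in this thread, combined into one file.
SAMPLE_LOCAL = """\
ignore noexec ${HOME}
include allow-bin-sh.inc
ignore whitelist /usr/share/lua
ignore include whitelist-player-common.inc
ignore seccomp
seccomp !kcmp
private-bin bash,dash,mkdir,sh;touch,notify-send,trash-put
"""

def lint_local(text):
    """Return (line_number, code, detail) findings for a firejail .local override."""
    findings = []
    ignores = []  # (line_number, ignored_text) for every "ignore ..." seen so far
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Assumed rule (from the thread): "ignore X" drops any later line that
        # is exactly X or starts with "X ".
        for ign_no, ignored in ignores:
            if line == ignored or line.startswith(ignored + " "):
                findings.append((no, "shadowed",
                                 f"dropped by 'ignore {ignored}' on line {ign_no}"))
        if line.startswith("ignore "):
            target = line[len("ignore "):].strip()
            ignores.append((no, target))
            # Switching off whitelist lines weakens a whitelist profile.
            if re.match(r"whitelist\b|include whitelist-", target):
                findings.append((no, "whitelist-off", f"disables '{target}'"))
        elif line.startswith("private-bin "):
            # The list is comma-separated; ';' or spaces merge or split names.
            bad = re.search(r"[;\s]", line[len("private-bin "):].strip())
            if bad:
                findings.append((no, "bad-separator",
                                 f"unexpected {bad.group()!r} in private-bin list"))
    return findings

if __name__ == "__main__":
    for no, code, detail in lint_local(SAMPLE_LOCAL):
        print(f"line {no}: {code}: {detail}")
```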

@rieje commented on GitHub (Feb 12, 2021):

@glitsj16 @rusty-snake Ok, that works so I'll close the issue, thanks. But now I'm no longer able to use a [simple script](https://github.com/netblue30/firejail/issues/3635#issuecomment-696956153) bound to a hotkey. mpv gives the error `Starting subprocess failed: init` when using the hotkey.

For my old mpv.local, from trial and error, I needed those ignores for the script to work properly (not sure if I could be more restrictive with them). If I add them to the new mpv.local, using the hotkey results in `[input] No key binding found for key 'Ctrl+DEL'` with script not executing.

To be clear, there are no issues with mpv running the script with my old mpv.local on firejail-0.9.64.2.


@ghost commented on GitHub (Feb 13, 2021):

> But now I'm no longer able to use a simple script bound to a hotkey.

I took a quick look at https://github.com/netblue30/firejail/issues/3635 and came up with a fix that works for me. Try adding one of the below snippets to your mpv.local. The first one should be used when your mpv-testme script resides in ${HOME}/bin and comes with the (unavoidable) side-effect of all scripts in there being executable inside the sandbox:

```
# allow running a subprocess
include allow-bin-sh.inc
private-bin bash,sh
# allow commands running in subprocess
ignore noexec ${HOME}
whitelist ${HOME}/bin
private-bin notify-send
# allow D-Bus notification
dbus-user filter
dbus-user.talk org.freedesktop.Notifications
ignore dbus-user none
```

On the contrary, if you place your mpv-testme in /usr/local/bin you can go with this:

```
# allow running a subprocess
include allow-bin-sh.inc
private-bin bash,sh
# allow commands running in subprocess
private-bin mpv-testme,notify-send
# allow D-Bus notification
dbus-user filter
dbus-user.talk org.freedesktop.Notifications
ignore dbus-user none
```

If you wonder why the second option needs mpv-testme to be referenced in private-bin while the first one works without it, join in. That bit escapes me and is just something I noticed during testing.

HTH


@rieje commented on GitHub (Feb 13, 2021):

Works great and I should be able to easily adapt for more scripts in the future, thanks!

Reference: github-starred/firejail#2482