[GH-ISSUE #4414] Can't open atril from within calibre #2658

Closed
opened 2026-05-05 09:19:02 -06:00 by gitea-mirror · 14 comments

Originally created by @Boruch-Baum on GitHub (Jul 21, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4414

In debian, using firejail 0.9.64.4, calibre 5.16.1, and atril 1.20.3 and using the default firejail profiles: From within firejail /usr/bin/calibre, I can't open/view a document with atril.

What does work:

  1. firejail atril foo.pdf
  2. calibre (without firejail) and opening a pdf with atril
  3. firejail calibre and opening a pdf with zathura or mupdf

In the following output from `firejail --debug calibre`, note that the first line spawned when asking to view a pdf is the line beginning "Error seteuid":

```
libGL error: failed to open drm device: No such file or directory
libGL error: failed to load driver: i965
DBusExport: Failed to connect to DBUS session bus, with error: org.freedesktop.DBus.Error.NoServer: Failed to connect to socket /tmp/dbus-EnYpF9rDQk: Connection refused
Failed to check for plugin update: [Errno -3] Temporary failure in name resolution
Traceback (most recent call last):
  File "/usr/lib/calibre/calibre/gui2/notify.py", line 182, in get_notifier
    ans = get_dbus_notifier()
  File "/usr/lib/calibre/calibre/gui2/notify.py", line 110, in get_dbus_notifier
    session_bus = dbus.SessionBus()
  File "/usr/lib/python3/dist-packages/dbus/_dbus.py", line 212, in __new__
    return Bus.__new__(cls, Bus.TYPE_SESSION, private=private,
  File "/usr/lib/python3/dist-packages/dbus/_dbus.py", line 102, in __new__
    bus = BusConnection.__new__(subclass, bus_type, mainloop=mainloop)
  File "/usr/lib/python3/dist-packages/dbus/bus.py", line 124, in __new__
    bus = cls._new_for_bus(address_or_type, mainloop=mainloop)
dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoServer: Failed to connect to socket /tmp/dbus-EnYpF9rDQk: Connection refused
Exception in thread Thread-7:
Traceback (most recent call last):
  File "/usr/lib/python3.9/threading.py", line 954, in _bootstrap_inner
    self.run()
  File "/usr/lib/calibre/calibre/utils/mdns.py", line 42, in run
    _all_ip_addresses = self.get_all_ips()
  File "/usr/lib/calibre/calibre/utils/mdns.py", line 26, in get_all_ips
    for x in netifaces.interfaces():
OSError: [Errno 95] Operation not supported
Error seteuid: ../include/euid_common.h:44 EUID_USER: Operation not permitted~

(atril:128): dbind-WARNING **: 20:57:58.021: Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-wovbrEqM41: Connection refused

(atril:128): Gtk-WARNING **: 20:57:58.034: Theme parsing error: gtk.css:92:25: Failed to import: Error opening file /usr/share/themes/Boje-Night/gtk-3.0/unity.css: No such file or directory

Sandbox monitor: waitpid 8 retval 8 status 0
Warning: removing 1 bytes from stdin

Parent is shutting down, bye...
```

EDIT by @rusty-snake: Code-block

gitea-mirror 2026-05-05 09:19:02 -06:00
  • closed this issue
  • added the
    stale
    label

@rusty-snake commented on GitHub (Aug 1, 2021):

Running program A in the sandbox made for program B is something that maybe works and maybe doesn't work.

profile diffs

```console
$ fjp diff atril calibre
The following commands are unique to atril.profile:
include atril.local
noblacklist  ${HOME}/.cache/atril
noblacklist  ${HOME}/.config/atril
include disable-interpreters.inc
machine-id
no3d
protocol unix
seccomp
tracelog
private-bin 7z,7za,7zr,atril,atril-previewer,atril-thumbnailer,sh,tar,unrar,unzip,zipnote
private-etc alternatives,fonts,ld.so.cache

The following commands are unique to calibre.profile:
include calibre.local
noblacklist  ${HOME}/.cache/calibre
noblacklist  ${HOME}/.config/calibre
apparmor
netfilter
protocol unix,inet,inet6,netlink
seccomp !chroot
$ fjp diff zathura calibre
The following commands are unique to zathura.profile:
include zathura.local
noblacklist ${HOME}/.config/zathura
noblacklist ${HOME}/.local/share/zathura
include disable-interpreters.inc
include disable-shell.inc
include disable-write-mnt.inc
mkdir ${HOME}/.config/zathura
mkdir ${HOME}/.local/share/zathura
whitelist /usr/share/doc
whitelist /usr/share/zathura
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
machine-id
net none
protocol unix
seccomp
seccomp.block-secondary
tracelog
private-bin zathura
private-cache
private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id
dbus-user none
dbus-system none
read-only ${HOME}
read-write ${HOME}/.config/zathura
read-write ${HOME}/.local/share/zathura

The following commands are unique to calibre.profile:
include calibre.local
noblacklist ${HOME}/.cache/calibre
noblacklist ${HOME}/.config/calibre
netfilter
protocol unix,inet,inet6,netlink
seccomp !chroot
$ fjp diff mupdf calibre
The following commands are unique to mupdf.profile:
include mupdf.local
include disable-interpreters.inc
machine-id
net none
protocol unix
seccomp
tracelog
private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
dbus-user none
dbus-system none

The following commands are unique to calibre.profile:
include calibre.local
include globals.local
noblacklist ${HOME}/.cache/calibre
noblacklist ${HOME}/.config/calibre
netfilter
protocol unix,inet,inet6,netlink
seccomp !chroot
```

@Boruch-Baum commented on GitHub (Aug 1, 2021):

On 2021-08-01 00:41, rusty-snake wrote:

> Running program A in the sandbox made for program B is something that
> maybe works and maybe don't work.
> profile diffs
>
> $ fjp diff atril calibre
> $ fjp diff zathura calibre
> $ fjp diff mupdf calibre

I don't seem to have a local copy of the fjp tool installed (debian).
Where / how can I get it so that I can see exactly what's happening
locally?

--
hkp://keys.gnupg.net
CA45 09B5 5351 7C11 A9D1 7286 0036 9E45 1595 8BC0


@rusty-snake commented on GitHub (Aug 1, 2021):

fjp is an unofficial tool from me.
repo: https://github.com/rusty-snake/fjp
website: https://rusty-snake.github.io/fjp/
latest release: https://github.com/rusty-snake/fjp/releases/tag/v0.2.0 (v0.3.0-rc1 will come soon)


@Boruch-Baum commented on GitHub (Aug 1, 2021):

Thanks.

On 2021-08-01 02:45, rusty-snake wrote:

> fjp is a unoffical tool from me.
> repo: https://github.com/rusty-snake/fjp

--
hkp://keys.gnupg.net
CA45 09B5 5351 7C11 A9D1 7286 0036 9E45 1595 8BC0


@rusty-snake commented on GitHub (Aug 1, 2021):

> Error seteuid: ../include/euid_common.h:44 EUID_USER: Operation not permitted~

BTW this is a firejail error, if you remove the firecfg symlink, it might work.
But why does mupdf work, it should have a firecfg symlink too.


@Boruch-Baum commented on GitHub (Aug 1, 2021):

I think I have the calibre/atril problem solved.

What seems to have been breaking things is that setting 'net none' in my
calibre.local file was disabling dbus (bug?, documented?). This is
important to me because I'm frightened by calibre's demands for internet
access (to places like amazon.com, etc) and can never be sure of its
scope. For many users, such access may be desirable (eg. to search,
sync, and purchase ebooks directly from calibre), but they probably are
not the type of people who would be interested in firejail in the first place.

Based upon my re-reading of the firejail-profile man page, I have
updated my calibre.local with two additional lines, so it looks like this:

```
net none
dbus-user filter
dbus-user.talk org.freedesktop.*
```

My tests indicate that this allows atril and disables internet.

Remaining questions for me:

  1. Am I doing this correctly?

  2. Should I be more restrictive somehow in the use of the dbus filters?

  3. Should 'net none' really be killing dbus access?

On 2021-08-01 03:14, rusty-snake wrote:

> > Error seteuid: ../include/euid_common.h:44 EUID_USER: Operation not
> > permitted~
>
> BTW that a firejail error, if you remove the firecfg symlink, it might
> work.

I'm not using symlinks. I modify my local copy of the *.desktop file.
Doing so also allows me to do the following (very long line follows may show
up as word-wrapped in your email viewer):

```
Exec=env CALIBRE_USE_DARK_PALETTE=0 CALIBRE_USE_SYSTEM_THEME=true QT_QPA_PLATFORMTHEME=qt5ct cpulimit -l 50 -- firejail /usr/bin/calibre %F
```

> But why does mupdf work, it should have a firecfg symlink too.

Aaahh. In my local setup mupdf has no symlink and no modified *.desktop
file (I have mupdf installed for its pdf manipulation tools, not for its
viewer. It was just that while trying to figure out this problem I tried
using it as an alternative).

--
hkp://keys.gnupg.net
CA45 09B5 5351 7C11 A9D1 7286 0036 9E45 1595 8BC0


@rusty-snake commented on GitHub (Aug 1, 2021):

> setting 'net none' in my calibre.local

If you have modified settings, you should say it already in OP. Even if they seem to be unrelated to the error message/behaviour as there can be strange side effects.

> dbus-user.talk org.freedesktop.*

Why using D-Bus filtering at all with this rule?
This allows (`org.freedesktop.DBus`), `org.freedesktop.Flatpak`, `org.freedesktop.Notifications`, `org.freedesktop.PackageKit`, `org.freedesktop.ScreenSaver`, `org.freedesktop.Tracker3.Miner.Files.Control`, `org.freedesktop.impl.portal.PermissionStore`, `org.freedesktop.impl.portal.desktop.gtk`, `org.freedesktop.portal.Flatpak`, `org.freedesktop.secrets`, `org.freedesktop.systemd1`.

> Am I doing this correctly?

What's your goal?
General: Adding commands to .locals to make things work is right.

> Should I be more restrictive somehow in the use of the dbus filters?

See above. btw from where did you get the `org.freedesktop.*`?

> Should 'net none' really be killing dbus access?

If you use abstract sockets, yes.


@Boruch-Baum commented on GitHub (Aug 1, 2021):

On 2021-08-01 06:16, rusty-snake wrote:

> > setting 'net none' in my calibre.local
>
> If you have modified settings, you should say it already in OP. Even if
> they seem to be unrelated to the error message/behaviour as there can
> be strange side effects.

Sorry. As soon as I realized that the file existed, I reported it.

> > dbus-user.talk org.freedesktop.*
>
> Why using D-Bus filtering at all with this rule?

In order to try to debug, I decided to launch firejail from a console in
order to see what it was sending to STDERR. One message was:
"DBusExport: Failed to connect to
DBUS session bus, with error: org.freedesktop.DBus.Error.NoServer:
Failed to connect to socket /tmp/dbus-EnYpF9rDQk: Connection refused"

So I tried that dbus socket, ie.:

dbus-user.talk org.freedesktop.*

However, that caused firejail to send an error message to the console:

Ignoring "dbus-user.talk org.freedesktop.*".

So, I went back to the man page, and saw in the example given that the
dbus.user-talk line was preceded by a line 'dbus filter' and the
documentation seems to say that both are needed. Now I see that line
'dbus filter' alone is enough to enable atril.

> This allows (org.freedesktop.DBus), org.freedesktop.Flatpak,
> org.freedesktop.Notifications, org.freedesktop.PackageKit,
> org.freedesktop.ScreenSaver,
> org.freedesktop.Tracker3.Miner.Files.Control,
> org.freedesktop.impl.portal.PermissionStore,
> org.freedesktop.impl.portal.desktop.gtk,
> org.freedesktop.portal.Flatpak, org.freedesktop.secrets,
> org.freedesktop.systemd1.

> > Am I doing this correctly?
>
> What's your goal?

  1. Calibre should have no internet access.
  2. Calibre should be able to launch atril.
  3. The rules (dbus) should not be overly permissive.

> General: Adding command to .locals to make things work is right.
>
> > Should I be more restrictive somehow in the use of the dbus filters?
>
> See above.

I went one-by-one and tested each of the items you listed above, using
an ignore statement to eliminate the others, and it seems none of the
org.freedesktop rules are necessary, and some other dbus feature is
being white-listed by the general statement 'dbus filter'.

> btw from where did you get the org.freedesktop.*?

I saw an error message on my console: "DBusExport: Failed to connect to
DBUS session bus, with error: org.freedesktop.DBus.Error.NoServer:
Failed to connect to socket /tmp/dbus-EnYpF9rDQk: Connection refused"

Thanks for the support and time you've been giving me on this. I hope
maybe something comes of it that can be useful for others, somehow.

--
hkp://keys.gnupg.net
CA45 09B5 5351 7C11 A9D1 7286 0036 9E45 1595 8BC0


@rusty-snake commented on GitHub (Aug 1, 2021):

  1. `org.freedesktop.DBus.Error.NoServer` is the error type and not the name it tried to access. Unfortunately it does not say which name it tries to access.
  2. Does it work with just `dbus-user filter` (no `dbus-user.{own,talk}`)? And with `dbus-user none`? (<<The rules (dbus) should not be overly permissive.)
  3. `net none` is enough to disable internet access. As alternative you can set `protocol unix,netlink`+`ignore protocol`. If you only care about amazon connections (i.e. your goal is privacy) maybe even `dns 0.0.0.0` works. (<<Calibre should have no internet access.)

@Boruch-Baum commented on GitHub (Aug 1, 2021):

On 2021-08-01 07:53, rusty-snake wrote:

> 2. Does it work with just dbus-user filter (no dbus-user.{own,talk})?

Yes, it does launch atril that way.

> And with dbus-user none? (<<The rules (dbus) should not be overly
> permissive.)

No, it does not launch atril with that rule.

> 3. net none is enough to disable internet access. As alternative you
>    can set protocol unix,netlink+ignore protocol. If you only care
>    about amazon connections (i.e. your goal is privacy) maybe even dns
>    0.0.0.0 works. (<<Calibre should have no internet access.)

Do I need both protocol lines in my calibre.local file? In my testing it
seems that line 'protocol unix,netlink' was sufficient to eliminate
internet access even without the other line 'ignore protocol'. What I
get on STDERR on the console with just the single line is:

```
Warning: networking feature is disabled in Firejail configuration file
Warning: more than one protocol list is present, "unix,netlink" will be installed
```

Currently, my calibre.local file looks like this:

```
# net none
protocol unix,netlink
# ignore protocol
# dbus-user filter
# dbus-system none
```

This does cut off internet and allows atril. I then delayed responding
to you because I thought it may be over-permissive in that it allows any
other program to be launched. Ideally, it should be limited to
(specific/common/known) document viewers.

So I ran some (many) tests (which could have been expedited with some
kind of strace help probably) and I've come up with the following which
is working for me for documents of type djvu, epub, and pdf. If it can
be useful to you or to some firejail users, that would be great. Note
that I've only been testing this for a matter of minutes, so if you
think it has potential you may still want to wait and get back to me
after further 'life' testing. Also, calibre is chock full of features
that I don't use, so the following may need more permissiveness.

```
noblacklist /usr/bin/atril*
noblacklist /usr/bin/awk
noblacklist /usr/bin/basename
noblacklist /usr/bin/calibre*
noblacklist /usr/bin/cpulimit
noblacklist /usr/bin/cut
noblacklist /usr/bin/ebook-*
noblacklist /usr/bin/evince
noblacklist /usr/bin/djview
noblacklist /usr/bin/fail2ban*
noblacklist /usr/bin/faillog
noblacklist /usr/bin/file
noblacklist /usr/bin/firecfg
noblacklist /usr/bin/firejail
noblacklist /usr/bin/firejail-ui
noblacklist /usr/bin/firemon
noblacklist /usr/bin/firetools
noblacklist /usr/bin/gawk
noblacklist /usr/bin/mupdf
noblacklist /usr/bin/okular
noblacklist /usr/bin/pdf*
noblacklist /usr/bin/print*
noblacklist /usr/bin/python*
noblacklist /usr/bin/which
noblacklist /usr/bin/www-browser
noblacklist /usr/bin/xpdf
noblacklist /usr/bin/x-www-browser
noblacklist /usr/bin/xdg*
noblacklist /usr/bin/zathura
blacklist /usr/bin/*
```

--
hkp://keys.gnupg.net
CA45 09B5 5351 7C11 A9D1 7286 0036 9E45 1595 8BC0


@rusty-snake commented on GitHub (Aug 1, 2021):

> `dbus-user filter` 👍, `dbus-user none` 👎

I know this behaviour from some Qt programs with File Open Dialogs (e.g. d0004b845d)
However, I think here it is something else (maybe).

> Do I need both protocol lines in my calibre.local file? In my testing it
> seems that line 'protocol unix,netlink' was sufficient to eliminate
> internet access even without the other line 'ignore protocol'.

That changed in firejail 0.9.66

> Warning: more than one protocol list is present, "unix,netlink" will be
> installed

See above

> Warning: networking feature is disabled in Firejail configuration file

Debian package default, nothing to worry about (only `net <iface|bridge|tap>`, `net*`, `ip*`, ... are disabled but not `net none`)

> I thought it may be over-permissive

It is. If you can, use

```
net none
protocol unix,netlink
ignore protocol
dbus-user filter
```

  • `net none`: Always add `net none` if you can, it blocks sandbox escapes via abstract unix sockets
  • `protocol unix,netlink`: If it does not need `inet,inet6`, why permit it
  • `ignore protocol`: firejail >= 0.9.66
  • `dbus-user filter`: (here) to work around `net none` breakage

> allows any other program to be launched. Ideally, it should be limited to (specific/common/known) document viewers.

Note that everything that can be done by other programs can be done by calibre too. (from a permission point of view)

> blacklist /usr/bin/*

  • If your system does not have a unified file-system, there is `/bin`
  • Why not simply use `private-bin`?

@Boruch-Baum commented on GitHub (Aug 1, 2021):

On 2021-08-01 10:11, rusty-snake wrote:

> I thought it may be over-permissive
>
> It is. If you can, use
> net none
> protocol unix,netlink
> ignore protocol
> dbus-user filter

OK. I'll do that.

Would it be helpful to also add dbus-system none? It doesn't seem to
hurt.

> blacklist /usr/bin/*
>
> * If your system does not have a unified file-system, there is /bin
> * Why not simply use private-bin?

The first honest answer is that I didn't remember that it existed.

The more important second honest answer is that I just tried it and for
it to work would require me to perform more work, i.e. to discover and
explicitly include the /bin executables needed by calibre.

---- pause as I do more work before hitting send ----

Below is what I have so far that works. It seems sufficient to add just
shells, greps, readlink, and sed to the prior list. However, as I
mentioned in my prior email, calibre has many features and plugins and
my testing so far has been limited to opening, adding, and deleting
ebooks.

    private-bin atril*,awk,basename,calibre*,cpulimit,cut,ebook-*,evince,djview,fail2ban*,faillog,file,firecfg,firejail,firejail-ui,firemon,firetools,gawk,gv,mupdf,okular,pdf*,print*,python*,which,www-browser,xpdf,x-www-browser,xdg*,zathura,bash,dash,egrep,grep,readlink,sed,sh,sh.distrib

Some of the regexes there could be eliminated with some thought (e.g.
python stuff).

--
hkp://keys.gnupg.net
CA45 09B5 5351 7C11 A9D1 7286 0036 9E45 1595 8BC0


@rusty-snake commented on GitHub (Aug 1, 2021):

> Would it be helpful to also add dbus-system none? It doesn't seem to
> hurt.

Yes

> and for
> it to work would require me to perform more work, ie. to discover and
> explicitly include the /bin executables needed by calibre.

You can generate one with `firejail --build calibre`.

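The checks recommended across the comments above (`net none`, the protocol list, `ignore protocol`, `dbus-user filter`, `dbus-system none`, and `private-bin` instead of `blacklist /usr/bin/*`) can be applied mechanically to a `.local` file. The following is an added example, not code from the thread or from firejail; the function names and both sample profiles are constructed for illustration, and it treats only lines beginning with `#` as comments.

```python
REQUIRED = {  # directive -> reason given in the thread
    "net none": "blocks sandbox escapes via abstract unix sockets",
    "ignore protocol": "listed in the thread for firejail >= 0.9.66",
    "dbus-user filter": "works around the breakage caused by net none",
    "dbus-system none": "confirmed as helpful in the thread",
}

def active_directives(text):
    """Return profile lines with blank and '#' comment lines dropped, whitespace normalised."""
    lines = (" ".join(raw.split()) for raw in text.splitlines())
    return [line for line in lines if line and not line.startswith("#")]

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    d = active_directives(text)
    findings = [f"missing '{k}': {why}" for k, why in REQUIRED.items() if k not in d]
    protocols = [line.split(" ", 1)[1] for line in d if line.startswith("protocol ")]
    if not protocols:
        findings.append("missing 'protocol unix,netlink': no protocol list is set")
    for plist in protocols:
        extra = sorted({"inet", "inet6"} & set(plist.split(",")))
        if extra:
            findings.append(f"protocol permits {','.join(extra)}: drop it if not needed")
    if "dbus-user none" in d:
        findings.append("'dbus-user none' stopped atril launching in the reporter's test")
    blocked = [line.split(" ", 1)[1] for line in d if line.startswith("blacklist ")]
    has_private_bin = any(line.startswith("private-bin ") for line in d)
    if "/usr/bin/*" in blocked and "/bin/*" not in blocked and not has_private_bin:
        findings.append("'blacklist /usr/bin/*' does not cover /bin; consider private-bin")
    return findings

# Constructed samples: the reporter's interim calibre.local (abbreviated), and the
# recommended directives with an abbreviated private-bin list.
INTERIM = """\
# net none
protocol unix,netlink
# ignore protocol
# dbus-user filter
# dbus-system none
noblacklist /usr/bin/atril*
blacklist /usr/bin/*
"""
HARDENED = """\
net none
protocol unix,netlink
ignore protocol
dbus-user filter
dbus-system none
private-bin atril*,calibre*,ebook-*
"""
if __name__ == "__main__":
    print(audit(INTERIM), audit(HARDENED))
```

On firejail older than 0.9.66 the `ignore protocol` finding may not apply, since the thread ties that directive to 0.9.66 and later.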

@rusty-snake commented on GitHub (Oct 9, 2021):

I'm closing here due to inactivity, please feel free to request to reopen if you still have this issue.

Reference: github-starred/firejail#2658