[GH-ISSUE #4667] mpv does not see files in certain directories #2740

Closed
opened 2026-05-05 09:24:19 -06:00 by gitea-mirror · 6 comments

Originally created by @rieje on GitHub (Nov 4, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4667

Description

mpv using firejail does not see file (see output below under "Log") in certain directories/drives. Some directories/drives have no issues. No issues whatsoever when firejail is not used.

Expected behavior

mpv plays video.

Actual behavior

mpv did not play video (see output below under "Log").

Behavior without a profile

What changed calling LC_ALL=C firejail --noprofile /usr/bin/mpv <file> in a terminal?

Video plays as expected.

Environment

  • Linux distribution and version: Arch Linux
  • Firejail version: 0.9.66

Checklist

  • The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • I can reproduce the issue without custom modifications (e.g. globals.local).
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • I have performed a short search for similar issues (to avoid opening a duplicate).

Log

Output of LC_ALL=C firejail /usr/bin/mpv <file> (current directory ~/rieje/temp/temp2/video.mkv). Specified file both using relative path and absolute path.

[file] Cannot open file '/home/rieje/temp/temp2/video.mkv': No such file or directory
Failed to open /home/rieje/temp/temp2/video.mkv.

Output of LC_ALL=C firejail --debug /usr/bin/mpv <file>: https://0x0.st/-5i2.txt

gitea-mirror 2026-05-05 09:24:19 -06:00
  • closed this issue
  • added the notabug label

@ghost commented on GitHub (Nov 4, 2021):

> [file] Cannot open file '/home/rieje/temp/temp2/video.mkv': No such file or directory

The current mpv profile allows playing media files found in whitelisted paths from whitelist-player-common.inc:

[...]
# common whitelist for all media players

whitelist ${DESKTOP}
whitelist ${DOWNLOADS}
whitelist ${MUSIC}
whitelist ${PICTURES}
whitelist ${VIDEOS}

What happens when you add whitelist ${HOME}/temp/temp2 to mpv.local OR whitelist-player-common.local? If that works, you can add other paths you want to allow accordingly.


@rieje commented on GitHub (Nov 5, 2021):

@glitsj16 I thought it might be the case where firejail whitelists e.g. all XDG user dirs, but I am still able to play a video from /data/torrents/torrented even though neither /data nor /data/torrents/torrented are explicitly whitelisted. Anyway, I whitelisted ${HOME}/temp/temp2 in mpv.local as you've suggested and that works.

I have the following:

XDG_DESKTOP_DIR="$HOME/"
XDG_DOCUMENTS_DIR="$HOME/documents"
XDG_DOWNLOAD_DIR="$HOME/downloads"
XDG_VIDEOS_DIR="$HOME/videos"
XDG_MUSIC_DIR="$HOME/music"
XDG_PICTURES_DIR="$HOME/pictures"

I do not have a symlink to e.g. /data from "$HOME" or any other whitelisted directories (if that matters, i.e. if whitelisting follows symlinked sub directories) and a grep on whitelist in /etc/firejail and ~/.config/firejail did not show the directory as being whitelisted.


@ghost commented on GitHub (Nov 5, 2021):

> I thought it might be the case where firejail whitelists e.g. all XDG user dirs, but I am still able to play a video from /data/torrents/torrented even though neither /data nor /data/torrents/torrented are explicitly whitelisted.

Not all XDG dirs are whitelisted (as shown above). Place a video file into ${DOCUMENTS} (your $HOME/documents) for example and try to play it with mpv. MPV should not be able to open files in that location.

As to your /data folder. This is not specifically blacklisted anywhere in Firejail AFAICT. Does your user own that dir or anything below it? You might want to blacklist /data in your globals.local and noblacklist /data in mpv.local to block firejailed apps other than mpv from accessing that path.


@rusty-snake commented on GitHub (Nov 5, 2021):

In firejail 0.9.66 you should be able to whitelist inside /data.


@rieje commented on GitHub (Nov 5, 2021):

@glitsj16 Yes, /data is owned by the user. Where can why a user owned directory is not automatically blacklisted to understand more?


@kmk3 commented on GitHub (Nov 26, 2021):

@rieje commented on Nov 5:

> @glitsj16 Yes, /data is owned by the user. Where can why a user owned
> directory is not automatically blacklisted to understand more?

/data is not part of the Linux FHS nor a directory that exists by default on
most distros AFAIK.

I know that there are pages on the Arch Wiki that suggest putting things in
/data, but it does not exist in Arch by default.

firejail only blacklists paths that either exist by default or that are very
common (see /etc/firejail/disable-common.inc and
/etc/firejail/disable-programs.inc) and users are expected to add their custom
directories to their own profiles (such as on globals.local). Maybe /data
could be added to disable-common.inc, but I don't know if it's a good idea, as
it's unclear what exactly would be in there for any given user, so it could
cause more confusion than it's worth.
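
The behaviour discussed in this thread, as an added example that is not part of the original comments or of firejail's code: a simplified Python model of how `whitelist`, `blacklist` and `noblacklist` lines decide whether a path is reachable. It assumes a whitelist only restricts the top-level directory it points into (here `$HOME`), uses a constructed home `/home/user` with assumed XDG directory names, and treats `noblacklist` as an exact-path override; `parse`, `top_dir` and `visible` are hypothetical helper names.

```python
import posixpath

HOME = "/home/user"  # constructed home directory, not the reporter's system
# Assumed macro targets; firejail resolves these from the user's XDG settings.
MACROS = {"${HOME}": HOME, "${DESKTOP}": HOME + "/Desktop",
          "${DOWNLOADS}": HOME + "/Downloads", "${MUSIC}": HOME + "/Music",
          "${PICTURES}": HOME + "/Pictures", "${VIDEOS}": HOME + "/Videos"}

# The whitelist lines quoted in the thread from whitelist-player-common.inc.
PLAYER_COMMON = """
whitelist ${DESKTOP}
whitelist ${DOWNLOADS}
whitelist ${MUSIC}
whitelist ${PICTURES}
whitelist ${VIDEOS}
"""

def parse(profile_text):
    """Collect whitelist/blacklist/noblacklist paths with macros expanded."""
    rules = {"whitelist": [], "blacklist": [], "noblacklist": []}
    for line in profile_text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0] in rules:
            path = parts[1].strip()
            for macro, value in MACROS.items():
                path = path.replace(macro, value)
            rules[parts[0]].append(posixpath.normpath(path))
    return rules

def under(path, base):
    """True when path is base itself or lies below it."""
    return path == base or path.startswith(base.rstrip("/") + "/")

def top_dir(path):
    """Directory a whitelist empties first: $HOME, else the first component."""
    return HOME if under(path, HOME) else "/" + path.split("/")[1]

def visible(path, rules):
    """Simplified model of whether the sandboxed program can open `path`."""
    path = posixpath.normpath(path)
    for entry in rules["blacklist"]:
        if under(path, entry) and entry not in rules["noblacklist"]:
            return False
    if top_dir(path) not in {top_dir(w) for w in rules["whitelist"]}:
        return True  # no whitelist rule touches this top-level directory
    return any(under(path, w) for w in rules["whitelist"])
```

Under this model `/home/user/temp/temp2/video.mkv` is hidden until `whitelist ${HOME}/temp/temp2` is added, while `/data/torrents/torrented/video.mkv` stays reachable until a `blacklist /data` line applies without a matching `noblacklist /data`.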


Reference: github-starred/firejail#2740