github-starred/firejail

Fork 0

mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00

[GH-ISSUE #4785] Firefox on KDE & Wayland fails to show Qt file-picker using portals, old fixes do not work on new Firejail versions #2777

New issue

Closed

opened 2026-05-05 09:26:19 -06:00 by gitea-mirror · 2 comments

gitea-mirror commented

2026-05-05 09:26:19 -06:00

Owner

Originally created by @alexdelorenzo on GitHub (Dec 19, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4785

Description

Using Firefox on KDE & Wayland with Firejail, setting GTK_USE_PORTAL=1 and the relevant about:config entries fails to show the Qt file-picker, or any file-picker at all, when opening the file dialog.

Previously, @rusty-snake addressed this issue on bug #3407 in May 2020, saying this:

To allow freedesktop portal access, you need to allow dbus (ignore nodbus) and IIRC noroot (ignore noroot). Alternative you could try to rmenv GTK_USE_PORTAL.

And:

Yes, the easiest way is to create a file called firefox.local in ~/.config/firejail and add there
ignore nodbus
ignore noroot
This will no longer work with firejail>=0.9.63, due to changes in the dbus handling of firejail

As of Firejail v0.9.66, ignore nodbus and ignore noroot don't seem to fix the issue.

However, I was able to fix this issue by creating a firefox.local file in ~/.config/firejail with the following content:

ignore dbus-user
ignore dbus-system

The problem is that I'm not sure how secure this is, or whether or not this is an equivalent fix to the fix that was given in May 2020.

Steps to Reproduce

Set widget.use-xdg-desktop-portal to true in Firefox's about:config
Set GTK_USE_PORTAL=1
Launch firejail firefox
Go to File -> Open... or hit Ctrl+O to open the file-picker

Expected behavior

Firefox should show the Qt file-picker.

Actual behavior

No file dialog opens. This error is printed in the console:

(firefox:9): Gtk-WARNING **: 21:08:46.166: Failed to measure available space: Error getting filesystem info for /var/log: No such file or directory                  
                                                                                                                                                                     
(firefox:9): Gtk-WARNING **: 21:08:46.169: Can't open portal file chooser: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceU
nknown

Behavior without a profile

Running Firefox without a profile works and shows the correct file-picker.

Environment

Manjaro on Linux 5.15.7
Firejail version (firejail --version): v0.9.66

Checklist

The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
I can reproduce the issue without custom modifications (e.g. globals.local).
The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
The profile (and redirect profile if exists) hasn't already been fixed upstream.
I have performed a short search for similar issues (to avoid opening a duplicate).
- I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program

Reading profile /etc/firejail/firefox.profile                                                                                                                        
Reading profile ~/.config/firejail/firefox.local                                                                                                            
Reading profile /etc/firejail/whitelist-usr-share-common.inc                                                                                                         
Reading profile /etc/firejail/firefox-common.profile                                                                                                                 
Reading profile /etc/firejail/disable-common.inc                                                                                                                     
Reading profile /etc/firejail/disable-devel.inc                                                                                                                      
Reading profile /etc/firejail/disable-exec.inc                                                                                                                       
Reading profile /etc/firejail/disable-interpreters.inc                                                                                                               
Reading profile /etc/firejail/disable-programs.inc                                                                                                                   
Reading profile /etc/firejail/whitelist-common.inc                                                                                                                   
Reading profile /etc/firejail/whitelist-runuser-common.inc                                                                                                           
Reading profile /etc/firejail/whitelist-var-common.inc                                                                                                               
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,                                                                                               
Parent pid 3773705, child pid 3773708                                                                                                                                
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.                                           
Warning: /sbin directory link was not blacklisted                                                                                                                    
Warning: /usr/sbin directory link was not blacklisted                                                                                                                
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,                                                                                               
Child process initialized in 116.50 ms                                    
(firefox:9): Gtk-WARNING **: 21:08:46.166: Failed to measure available space: Error getting filesystem info for /var/log: No such file or directory                  
                                                                                                                                                                     
(firefox:9): Gtk-WARNING **: 21:08:46.169: Can't open portal file chooser: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceU
nknown

Originally created by @alexdelorenzo on GitHub (Dec 19, 2021). Original GitHub issue: https://github.com/netblue30/firejail/issues/4785 ### Description Using Firefox on KDE & Wayland with Firejail, setting ` GTK_USE_PORTAL=1` and the relevant `about:config` entries fails to show the Qt file-picker, or any file-picker at all, when opening the file dialog. Previously, @rusty-snake addressed this issue on bug #3407 in May 2020, [saying this](https://github.com/netblue30/firejail/issues/3407#issuecomment-625368686): > To allow freedesktop portal access, you need to allow dbus (`ignore nodbus`) and IIRC noroot (`ignore noroot`). Alternative you could try to `rmenv GTK_USE_PORTAL`. [And](https://github.com/netblue30/firejail/issues/3407#issuecomment-625434945): > Yes, the easiest way is to create a file called `firefox.local` in `~/.config/firejail` and add there > > ``` > ignore nodbus > ignore noroot > ``` > > _This will no longer work with firejail>=0.9.63, due to changes in the dbus handling of firejail_ As of Firejail v0.9.66, `ignore nodbus` and `ignore noroot` don't seem to fix the issue. However, I was able to fix this issue by creating a `firefox.local` file in `~/.config/firejail` with the following content: ``` ignore dbus-user ignore dbus-system ``` The problem is that I'm not sure how secure this is, or whether or not this is an equivalent fix to the fix that was given in May 2020. ### Steps to Reproduce 1) Set `widget.use-xdg-desktop-portal` to `true` in Firefox's `about:config` 2) Set ` GTK_USE_PORTAL=1` 3) Launch `firejail firefox` 4) Go to `File -> Open...` or hit Ctrl+O to open the file-picker ### Expected behavior Firefox should show the Qt file-picker. ### Actual behavior No file dialog opens. This error is printed in the console: ```bash (firefox:9): Gtk-WARNING **: 21:08:46.166: Failed to measure available space: Error getting filesystem info for /var/log: No such file or directory (firefox:9): Gtk-WARNING **: 21:08:46.169: Can't open portal file chooser: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceU nknown ``` ### Behavior without a profile Running Firefox without a profile works and shows the correct file-picker. ### Environment - Manjaro on Linux 5.15.7 - Firejail version (`firejail --version`): v0.9.66 ### Checklist  - [x] The issues is caused by firejail (i.e. running the program by path (e.g. `/usr/bin/vlc`) "fixes" it). - [x] I can reproduce the issue without custom modifications (e.g. globals.local). - [x] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`) - [x] The profile (and redirect profile if exists) hasn't already been fixed [upstream](https://github.com/netblue30/firejail/tree/master/etc). - [x] I have performed a short search for similar issues (to avoid opening a duplicate). - [x] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers. - [ ] I used `--profile=PROFILENAME` to set the right profile. (Only relevant for AppImages) ### Log <details> <summary>Output of <code>LC_ALL=C firejail /path/to/program</code></summary> <p> ``` Reading profile /etc/firejail/firefox.profile Reading profile ~/.config/firejail/firefox.local Reading profile /etc/firejail/whitelist-usr-share-common.inc Reading profile /etc/firejail/firefox-common.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-exec.inc Reading profile /etc/firejail/disable-interpreters.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/whitelist-common.inc Reading profile /etc/firejail/whitelist-runuser-common.inc Reading profile /etc/firejail/whitelist-var-common.inc Seccomp list in: !chroot, check list: @default-keep, prelist: unknown, Parent pid 3773705, child pid 3773708 Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set. Warning: /sbin directory link was not blacklisted Warning: /usr/sbin directory link was not blacklisted Seccomp list in: !chroot, check list: @default-keep, prelist: unknown, Child process initialized in 116.50 ms (firefox:9): Gtk-WARNING **: 21:08:46.166: Failed to measure available space: Error getting filesystem info for /var/log: No such file or directory (firefox:9): Gtk-WARNING **: 21:08:46.169: Can't open portal file chooser: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceU nknown ``` </p> </details>

gitea-mirror

2026-05-05 09:26:19 -06:00

closed this issue
added the
question_old
label

gitea-mirror commented

2026-05-05 09:26:22 -06:00

Author

Owner

@rusty-snake commented on GitHub (Dec 19, 2021):

whether or not this is an equivalent fix to the fix that was given in May 2020.

ignore nodbus
ignore noroot

and

ignore dbus-user
ignore dbus-system
ignore noroot

are the same.

The problem is that I'm not sure how secure this is

Because we now have "Fine-grained D-Bus sandboxing", you can do it much more selective:

firefox.local:

dbus-user.talk org.freedesktop.portal.Desktop
ignore noroot # Maybe, depends on portal-impl, version and ??

@rusty-snake commented on GitHub (Dec 19, 2021): > whether or not this is an equivalent fix to the fix that was given in May 2020. ``` ignore nodbus ignore noroot ``` and ``` ignore dbus-user ignore dbus-system ignore noroot ``` are the same. > The problem is that I'm not sure how secure this is Because we now have "Fine-grained D-Bus sandboxing", you can do it much more selective: `firefox.local`: ``` dbus-user.talk org.freedesktop.portal.Desktop ignore noroot # Maybe, depends on portal-impl, version and ?? ```

gitea-mirror commented

2026-05-05 09:26:22 -06:00

Author

Owner

@alexdelorenzo commented on GitHub (Dec 24, 2021):

Awesome, thanks for the tip, @rusty-snake. Happy holidays!

@alexdelorenzo commented on GitHub (Dec 24, 2021): Awesome, thanks for the tip, @rusty-snake. Happy holidays!

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2777

No description provided.

Rows
Columns