[GH-ISSUE #4855] chromium: no sound with pipewire #2795

Closed
opened 2026-05-05 09:26:59 -06:00 by gitea-mirror · 14 comments

Originally created by @reinerh on GitHub (Jan 14, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4855

Someone on the Debian bug tracker [reported](https://bugs.debian.org/1003650) that Chromium 97 no longer plays sound when firejailed.
I was able to reproduce that.

I narrowed it down to whitelists inside the HOME directory.
I.e. I disabled `include whitelist-common.inc` and all `whitelist ${HOME}/...` in chromium.profile and chromium-common.profile, and then sound was working again.
But I have problems figuring out which additional directory needs to be whitelisted.
I tried `--trace` (which just hangs and doesn't even open the Chromium window), `--trace=file` (which opens the windows, but does not load a website) and then used `strace` to log opened files.
But nothing looks sound-related in there.

Here is the console output with broken sound:

```
Reading profile /etc/firejail/chromium.profile
Reading profile /etc/firejail/chromium-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 7357, child pid 7358
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Child process initialized in 159.96 ms
[10:47:0114/183941.858968:ERROR:bus.cc(397)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[10:74:0114/183941.950761:ERROR:bus.cc(397)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[10:74:0114/183941.950821:ERROR:bus.cc(397)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[10:74:0114/183941.950894:ERROR:bus.cc(397)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[10:74:0114/183941.950948:ERROR:bus.cc(397)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[10:74:0114/183941.950994:ERROR:bus.cc(397)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
libva error: vaGetDriverNameByIndex() failed with unknown libva error, driver_name = (null)
[54:54:0114/183942.086148:ERROR:sandbox_linux.cc(378)] InitializeSandbox() called with multiple threads in process gpu-process.
Fontconfig error: Cannot load default config file
[10:66:0114/183944.995596:ERROR:chrome_browser_main_extra_parts_metrics.cc(227)] START: ReportBluetoothAvailability(). If you don't see the END: message, this is crbug.com/1216328.
[10:66:0114/183944.995641:ERROR:chrome_browser_main_extra_parts_metrics.cc(230)] END: ReportBluetoothAvailability()
ALSA lib confmisc.c:855:(parse_card) cannot find card '0'
ALSA lib conf.c:5178:(_snd_config_evaluate) function snd_func_card_inum returned error: No such file or directory
ALSA lib confmisc.c:422:(snd_func_concat) error evaluating strings
ALSA lib conf.c:5178:(_snd_config_evaluate) function snd_func_concat returned error: No such file or directory
ALSA lib confmisc.c:1334:(snd_func_refer) error evaluating name
ALSA lib conf.c:5178:(_snd_config_evaluate) function snd_func_refer returned error: No such file or directory
ALSA lib conf.c:5701:(snd_config_expand) Evaluate error: No such file or directory
ALSA lib pcm.c:2664:(snd_pcm_open_noupdate) Unknown PCM default
[164:164:0114/183946.144156:ERROR:alsa_util.cc(204)] PcmOpen: default,No such file or directory
ALSA lib confmisc.c:855:(parse_card) cannot find card '0'
ALSA lib conf.c:5178:(_snd_config_evaluate) function snd_func_card_inum returned error: No such file or directory
ALSA lib confmisc.c:422:(snd_func_concat) error evaluating strings
ALSA lib conf.c:5178:(_snd_config_evaluate) function snd_func_concat returned error: No such file or directory
ALSA lib confmisc.c:1334:(snd_func_refer) error evaluating name
ALSA lib conf.c:5178:(_snd_config_evaluate) function snd_func_refer returned error: No such file or directory
ALSA lib conf.c:5701:(snd_config_expand) Evaluate error: No such file or directory
ALSA lib pcm.c:2664:(snd_pcm_open_noupdate) Unknown PCM default
[164:164:0114/183946.144541:ERROR:alsa_util.cc(204)] PcmOpen: plug:default,No such file or directory

Parent is shutting down, bye...
```

@rusty-snake commented on GitHub (Jan 14, 2022):

If no one else has an idea, I would suggest to narrow it down with something like `for file in ./.*; do echo "whitelist $(realpath "$file")"; done`.


@reinerh commented on GitHub (Jan 14, 2022):

@rusty-snake That was a very good idea, thanks.
I figured out that it is related to my setup... I'm using pipewire (which emulates pulseaudio) and have its runtime directory in `~/pipewire`, which was blocked...
It worked for me after whitelisting the directory. So I guess there is a different problem for the original reporter. I'll ask them about their setup...
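The narrowing-down approach from the two comments above, as an added example that is not part of the thread or of firejail itself: it generalizes the suggested one-liner to non-hidden entries as well (the directory found here, `~/pipewire`, is not a dotfile) and adds a helper for halving the candidate list. The function names `gen_whitelist` and `half` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): candidate generation and halving
# for finding the one HOME entry a whitelisting profile is missing.

# Print one firejail "whitelist" line per top-level entry of DIR (default: $HOME).
gen_whitelist() {
    dir=${1:-$HOME}
    # Three globs cover hidden and non-hidden names without matching "." or "..".
    for entry in "$dir"/.[!.]* "$dir"/..?* "$dir"/*; do
        # A glob with no match stays literal; skip it, but keep dangling symlinks.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        # Emit the ${HOME} macro literally, the way the shipped profiles write it.
        printf 'whitelist ${HOME}/%s\n' "${entry#"$dir"/}"
    done
}

# Print the first ("a") or second ("b") half of the candidate list in FILE.
half() {
    file=$1
    part=$2
    total=$(wc -l < "$file")
    mid=$(( (total + 1) / 2 ))
    case $part in
        a) head -n "$mid" "$file" ;;
        b) tail -n +"$((mid + 1))" "$file" ;;
        *) echo "usage: half FILE a|b" >&2; return 2 ;;
    esac
}
```

Put one half into a test profile in place of `include whitelist-common.inc` and the `whitelist ${HOME}/...` lines, start the sandbox, and keep halving whichever half restores sound until a single entry is left.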


@antonv6 commented on GitHub (Jan 16, 2022):

The follow-up from Mad Horse on the original bug has a hint:

> Failed to create secure directory (/run/user/1000/pulse): Operation not permitted

No idea what the new version of chromium means by "secure directory", but I added `whitelist ${RUNUSER}/pulse` (so the entire directory, not just pulse/native file) to chromium.local and now sound works through pipewire-pulse again.


@rusty-snake commented on GitHub (Jan 16, 2022):

https://bugs.gentoo.org/show_bug.cgi?id=699776


@netblue30 commented on GitHub (Jan 16, 2022):

> I figured out that it is related to my setup... I'm using pipewire (which emulates pulseaudio) and have its runtime directory in ~/pipewire, which was blocked...
> It worked for me after whitelisting the directory.

The directory will have to be hardcoded and activated by default by --private and --whitelist commands. For example we have alsa and pulse brought in by default by --private:

```
$ firejail --private find .
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc

** Note: you can use --noprofile to disable default.profile **

Parent pid 71558, child pid 71559
Child process initialized in 110.17 ms
.
./.config
./.config/pulse       <<<<<<<<<<<<<<
./.config/pulse/client.conf       <<<<<<<<<<<<<<
./.asoundrc       <<<<<<<<<<<<<<
./.Xauthority
./.bashrc
./.inputrc

Parent is shutting down, bye...
```

Do we know what directories (runtime and config under /home/username) are they using? My impression is pipewire is still under heavy development. I'm not sure what's happening in Fedora, probably this is where it will be deployed first. Anyway, I'm going for a test release (0.9.68~rc1) next week, the big release two weeks later. We can wait to bring in pipewire if needed.


@reinerh commented on GitHub (Jan 16, 2022):

> Do we know what directories (runtime and config under /home/username) are they using? My impression is pipewire is still under heavy development. I'm not sure what's happening in Fedora, probably this is where it will be deployed first. Anyway, I'm going for a test release (0.9.68~rc1) next week, the big release two weeks later. We can wait to bring in pipewire if needed.

Pipewire works actually fine. It's already whitelisted in includes:

```
inc/whitelist-runuser-common.inc
13:whitelist ${RUNUSER}/pipewire-?

inc/whitelist-usr-share-common.inc
48:whitelist /usr/share/pipewire
```

The problem I had was just very specific to my setup, as I have manually pointed the runtime path to somewhere else.
Though it's not yet clear what problem the OP has...


@netblue30 commented on GitHub (Jan 16, 2022):

OK, thanks! If they come with a user file or directory under /home/username we'll make it default later.


@rusty-snake commented on GitHub (Jan 16, 2022):

FWIW `man 4 pipewire.conf`

```
$XDG_CONFIG_HOME/pipewire/pipewire.conf
/etc/pipewire/pipewire.conf
/usr/share/pipewire/pipewire.conf
```

These are the daemon config files, there is `/usr/share/pipewire/client.conf` but IDK if it has a user equivalent.


@netblue30 commented on GitHub (Jan 16, 2022):

> pipewire/pipewire.conf

I'll make it default as ~/.config/pipewire/pipewire.conf


@rusty-snake commented on GitHub (Jan 16, 2022):

This file is read by pipewire (the daemon). IDK if the client library reads it too but I don't think so. If we allow it inside the sandbox, it must be read-only (it's Turing complete and pipewire isn't sandboxed).


@netblue30 commented on GitHub (Jan 16, 2022):

> This file is read by pipewire (the daemon).

OK, so we don't need to add it for --private/--whitelist.

Question: is --nosound option working on a pipewire setup?


@reinerh commented on GitHub (Jan 16, 2022):

> Question: is --nosound option working on a pipewire setup?

Just tested it. `firejail --nosound chromium` is still able to play sound in youtube videos.

Edit: but as mentioned, I have my pipewire rundir (which has the socket) in a non-standard path.


@netblue30 commented on GitHub (Jan 16, 2022):

--nosound should be fine now if XDG_RUNTIME_DIR env variable is configured or if the socket is under /run/user/UID/pipewire-*

https://github.com/netblue30/firejail/commit/60231bd3ca5169d34813f073e9afb652253fa4e3


@netblue30 commented on GitHub (Feb 3, 2022):

I think this one is closed.
