[GH-ISSUE #4884] Geeqie - protocol=unix disables map view #2801

Closed
opened 2026-05-05 09:27:26 -06:00 by gitea-mirror · 8 comments

Originally created by @jose1711 on GitHub (Jan 29, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4884

Description

With protocol unix in geeqie.profile one gets a blank map in map view:
[image: https://user-images.githubusercontent.com/1406222/151653678-113b529c-47df-4018-adba-96cd29baffec.png]

Steps to Reproduce

Steps to reproduce the behavior

  1. Run in bash LC_ALL=C firejail geeqie
  2. Make sure View - Info Sidebar is enabled
  3. Click [+] to Add pane - select GPS map
  4. Locate an image with GPS metadata and select it

Expected behavior

You should get a map view in GPS map, similar to this:

[image: https://user-images.githubusercontent.com/1406222/151653979-1b060872-60b6-49fd-8095-5e5c10b74699.png]

Actual behavior

Map is blank, only pin is visible.

Behavior without a profile

Map is showing up.

Environment

  • Linux distribution and version: Arch Linux x86_64
  • Firejail version: 0.9.67-git (a6672757d1d884d02538ac3f92b13f997ee3efbb)

Checklist

  • [x] The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • [x] I can reproduce the issue without custom modifications (e.g. globals.local).
  • [x] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [x] The profile (and redirect profile if exists) hasn't already been fixed upstream (https://github.com/netblue30/firejail/tree/master/etc).
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).
  • [x] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • [ ] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

@rusty-snake commented on GitHub (Jan 29, 2022):

Does protocol unix,inet,inet6 work?

@jose1711 commented on GitHub (Jan 29, 2022):

> Does protocol unix,inet,inet6 work?

It does.

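The exchange above is easier to follow with a concrete check. The `protocol` line in a firejail profile is a seccomp filter on the first argument of socket(2), the address family, so `protocol unix` lets the sandboxed process create AF_UNIX sockets and nothing else: a tile fetcher that needs a TCP socket gets an error from socket() instead of a map. The probe below is an added example for this thread, not code from firejail or geeqie; run it once directly and once under `firejail --noprofile --protocol=unix` (both real firejail options) to see which families the sandbox refuses. The keyword-to-family table and the helper names are this example's own.

```python
"""Probe which socket address families this process may create.

Added example for this thread, not code from firejail or geeqie. Run it
once normally and once under a sandbox to see what a `protocol` line blocks:

    python3 probe.py
    firejail --noprofile --protocol=unix python3 probe.py
"""
import errno
import socket

# Profile keyword -> address family, i.e. the first argument of socket(2)
# that firejail's seccomp-based `protocol` filter inspects. Families that the
# running platform does not define are mapped to None.
FAMILIES = {
    "unix": socket.AF_UNIX,
    "inet": socket.AF_INET,
    "inet6": socket.AF_INET6,
    "netlink": getattr(socket, "AF_NETLINK", None),
    "packet": getattr(socket, "AF_PACKET", None),
    "bluetooth": getattr(socket, "AF_BLUETOOTH", None),
}


def probe(families=FAMILIES):
    """Try to create one datagram socket per family.

    Returns {keyword: (created, detail)} where detail is the errno name when
    creation failed. AF_PACKET needs CAP_NET_RAW, so an unprivileged process
    sees EPERM for it even outside any sandbox; AF_BLUETOOTH on a kernel
    without bluetooth support fails as well. Only a family that works
    unsandboxed and fails under firejail is evidence of the protocol filter.
    """
    results = {}
    for name, family in families.items():
        if family is None:
            results[name] = (False, "not defined on this platform")
            continue
        try:
            sock = socket.socket(family, socket.SOCK_DGRAM)
        except OSError as exc:
            results[name] = (False, errno.errorcode.get(exc.errno, str(exc.errno)))
        else:
            sock.close()
            results[name] = (True, "")
    return results


def blocked(results):
    """Keywords whose socket() call failed, in table order."""
    return [name for name, (ok, _) in results.items() if not ok]


def report(results):
    """Human-readable one-line-per-family summary."""
    lines = []
    for name, (ok, detail) in results.items():
        status = "ok" if ok else "blocked (" + detail + ")"
        lines.append(f"{name:10s} {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    res = probe()
    print(report(res))
    if blocked(res):
        print("\nblocked families:", ", ".join(blocked(res)))
```

Compare the two runs: with `--protocol=unix` the `inet` and `inet6` rows flip from "ok" to "blocked", which is exactly the failure mode behind the blank map; with `--protocol=unix,inet,inet6` they stay "ok". The probe only tests socket creation, not connect(), so it says nothing about what `netfilter` or the network namespace would do afterwards.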

@rusty-snake commented on GitHub (Jan 29, 2022):

The profile hasn't been touched for 5 years (if you ignore mass updates, ordering, ...). If you want you can try if this one works.

geeqie.profile:

```
# Firejail profile for geeqie
# Description: Image viewer using GTK+
# This file is overwritten after every install/update
# Persistent local customizations
include geeqie.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/.cache/geeqie
noblacklist ${HOME}/.config/geeqie
noblacklist ${HOME}/.local/share/geeqie

# If you have a /usr/libexec dir
#blacklist /usr/libexec

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-proc.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc

mkdir ${HOME}/.cache/geeqie
mkdir ${HOME}/.config/geeqie
mkdir ${HOME}/.local/share/geeqie
whitelist ${HOME}/.cache/geeqie
whitelist ${HOME}/.config/geeqie
whitelist ${HOME}/.local/share/geeqie
#whitelist /usr/share/geeqie if it exists
include whitelist-common.inc
include whitelist-run-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

apparmor
caps.drop all
machine-id
netfilter
nodvd
nogroups
noinput
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix,inet,inet6
seccomp
seccomp.block-secondary
shell none
tracelog

# private-bin geeqie
private-cache
private-dev
private-tmp

dbus-user none
#dbus-user filter
#dbus-user.own org.geeqie.Geeqie
#dbus-user.talk ca.desrt.dconf
dbus-system none
```

@jose1711 commented on GitHub (Jan 29, 2022):

Thank you, will test this profile for a few weeks. Also not sure if inet,inet6 should be the default, perhaps it would be okay just to mention it in the comment. The best option would probably be to only allow communication with map servers (OpenStreetMap and OpenWeatherMap) but that is probably not achievable with firejail, is it?

@rusty-snake commented on GitHub (Jan 29, 2022):

> The best option would probably be to only allow communication with map servers (OpenStreetMap and OpenWeatherMap) but that is probably not achievable with firejail, is it?

In theory you can use netfilter, however OSM uses fastly.net. Allowing the IPs of such big CDNs (cloudflare, fastly, aws, ...) allows so much that it's not worth.

@jose1711 commented on GitHub (Jan 29, 2022):

> > The best option would probably be to only allow communication with map servers (OpenStreetMap and OpenWeatherMap) but that is probably not achievable with firejail, is it?
> 
> In theory you can use netfilter, however OSM uses fastly.net. Allowing the IPs of such big CDNs (cloudflare, fastly, aws, ...) allows so much that it's not worth.

Thank you, this is a bit off-topic but how about restricting DNS queries? Allow to request IP of tile.openstreetmap.org and restrict anything else.

@rusty-snake commented on GitHub (Jan 29, 2022):

  1. You can still access everything by IP if you restrict DNS queries. This would be a false sense of security.
  2. You can use fdns (https://github.com/netblue30/fdns) to do so. For example if your goal is privacy (i.e. block telemetry), block ads, known malware & phishing, ...
  3. Even if we only allow the IP of tile.openstreetmap.org, there can still be hundreds of other domains behind that IP (because it's a CDN).
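
What the `netfilter` route sketched in the two replies above would look like, as an added example that is not part of this thread and not a file shipped by firejail. firejail documents `--netfilter=FILE` as taking a file in iptables-save/restore syntax and applying it inside the sandbox's own network namespace, which only exists together with a `net` option such as `--net=eth0`; the generator below emits such a file that allows DNS plus HTTPS to a fixed list of IPv4 prefixes and drops everything else. The prefixes in the usage text are RFC 5737 documentation ranges standing in for whatever `tile.openstreetmap.org` resolves to, and the function and option names are this example's own. It also makes the objections above concrete: the allowed destinations are addresses, not names, so they cover every other site on the same CDN prefixes, and they have to be refreshed whenever the CDN moves.

```python
"""Generate a firejail netfilter file that allows HTTPS to fixed IPv4 prefixes.

Added example for this thread, not a file shipped by firejail. The output is
in iptables-save/restore syntax, which is what firejail loads with
--netfilter=FILE. Usage:

    python3 osm_netfilter.py 203.0.113.0/24 198.51.100.7 > osm.net
    firejail --net=eth0 --netfilter=osm.net geeqie

The prefixes are RFC 5737 documentation ranges standing in for whatever
tile.openstreetmap.org resolves to; that name points at a CDN, so the real
prefixes change over time and are shared with many unrelated sites.
"""
import ipaddress
import sys


def parse_prefixes(args):
    """Validate CLI arguments as IPv4 networks (a bare address becomes a /32)."""
    nets = []
    for arg in args:
        net = ipaddress.ip_network(arg, strict=False)  # ValueError on junk
        if net.version != 4:
            raise ValueError(f"IPv6 prefix not supported by this generator: {arg}")
        nets.append(net)
    if not nets:
        raise ValueError("at least one prefix is required")
    return nets


def build_netfilter(prefixes, https_port=443):
    """Return the netfilter file as a list of lines."""
    nets = parse_prefixes(prefixes)
    lines = [
        "*filter",
        # Default-deny in every chain; the ACCEPT rules below punch holes.
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT DROP [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A OUTPUT -o lo -j ACCEPT",
        # Replies to connections the sandbox opened itself.
        "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        # Name resolution; without it the app cannot look up the tile host.
        # Note this is unrestricted: any resolver, any name (see reply 1 above).
        "-A OUTPUT -p udp --dport 53 -j ACCEPT",
        "-A OUTPUT -p tcp --dport 53 -j ACCEPT",
    ]
    # One HTTPS rule per allowed prefix. Everything else in OUTPUT hits the
    # DROP policy, including the tile host if its CDN moves to a new prefix.
    for net in nets:
        lines.append(
            f"-A OUTPUT -d {net.with_prefixlen} -p tcp --dport {https_port} -j ACCEPT"
        )
    lines.append("COMMIT")
    return lines


def destinations(lines):
    """Prefixes that a generated file lets the sandbox reach over HTTPS."""
    return [line.split()[3] for line in lines if line.startswith("-A OUTPUT -d ")]


if __name__ == "__main__":
    try:
        print("\n".join(build_netfilter(sys.argv[1:])))
    except ValueError as exc:
        sys.exit(f"error: {exc}")
```

Two things to keep in mind before relying on a file like this. Dropping non-listed destinations does nothing about what shares the listed prefixes, so for a CDN the rule set is close to "allow HTTPS to a large slice of the internet", which is the point made above. And because the filter keys on addresses, restricting DNS on top of it adds nothing: a process that already knows an address inside an allowed prefix connects to it without any lookup.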

@netblue30 commented on GitHub (Feb 3, 2022):

OK, let's bring in protocol unix,inet,inet6

Fix here: https://github.com/netblue30/firejail/commit/d11a62564de4bd3d2a48e67fdadc81e634939128
