github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #5032] chromium: file dialog does not work #2858

New issue
Open
opened 2026-05-05 09:30:59 -06:00 by gitea-mirror · 22 comments
gitea-mirror commented 2026-05-05 09:30:59 -06:00
Owner
Copy link

Originally created by @omega3 on GitHub (Mar 11, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5032

Discussed in https://github.com/netblue30/firejail/discussions/5025

Originally posted by omega3 March 9, 2022

Chromium doesn't allow to upload file for example to imgur. I am using Chromium on Plasma KDE. Imgur shows error.

When I add nodbus it opens diffrent dialog, I guess it is gtk diolog - not Plasma KDE - and I can upload. But when I save file with this setting and this dialog I can't see them in Dolphin.

What to do?

Expected behavior would be to be able to download / upload files in Chromium from Plasma KDE dialog and when downloaded, see them in Dolphin.

I use chromium.local profile, which is basically the same as in /etc/Firejail and run Chromium like this:
firejail --private=/home/user/Data/jail/ --profile=/home/user/Data/jail/.config/firejail/chromium.local /usr/bin/chromium
I can download file from the Internet for example from Imgur to Downloads folder in this custom fake /home but at the same time I can't upload.
I added to chromium.local

include whitelist-common.inc

whitelist ~/Downloads
noblacklist ~/Downloads

but it doesn't work.

Giving full path or something like this:

whitelist ${HOME}/Downloads
noblacklist ${HOME}/Downloads
whitelist /home/user/Data/jail/Downloads
noblacklist /home/user/Data/jail/Downloads

also doesn't work.

firejail version 0.9.69

Operating System: Manjaro Linux
KDE Plasma Version: 5.24.2
KDE Frameworks Version: 5.91.0
Qt Version: 5.15.2
Kernel Version: 5.15.25-1-MANJARO (64-bit)
Graphics Platform: X11

This doesn't work:

firejail --private=/home/user/Data/jail/ --profile=/home/user/Data/jail/.config/firejail/chromium.local /usr/bin/chromium

Reading profile /home/user/Data/jail/.config/firejail/chromium.local
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/chromium-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 1032, child pid 1033
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Child process initialized in 272.35 ms
[1:1:0310/082301.559099:ERROR:content_main_runner_impl.cc(377)] Unable to load CDM /home/user/.config/chromium/WidevineCdm/4.10.2391.0/_platform_specific/linux_x64/libwidevinecdm.so (error: /home/user/.config/chromium/WidevineCdm/4.10.2391.0/_platform_specific/linux_x64/libwidevinecdm.so: odwzorowanie segmentu z obiektu dzielonego nie powiodło się)
[12:12:0310/082301.559401:ERROR:content_main_runner_impl.cc(377)] Unable to load CDM /home/user/.config/chromium/WidevineCdm/4.10.2391.0/_platform_specific/linux_x64/libwidevinecdm.so (error: /home/user/.config/chromium/WidevineCdm/4.10.2391.0/_platform_specific/linux_x64/libwidevinecdm.so: odwzorowanie segmentu z obiektu dzielonego nie powiodło się)
[4:29:0310/082301.806816:ERROR:bus.cc(397)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Brak dostępu
[4:29:0310/082301.807026:ERROR:bus.cc(397)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Brak dostępu
[36:36:0310/082302.560984:ERROR:sandbox_linux.cc(377)] InitializeSandbox() called with multiple threads in process gpu-process.
[4:100:0310/082302.634668:ERROR:bus.cc(397)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Brak dostępu
[4:100:0310/082302.634724:ERROR:bus.cc(397)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Brak dostępu
[4:100:0310/082302.634783:ERROR:bus.cc(397)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Brak dostępu
[4:100:0310/082302.634831:ERROR:bus.cc(397)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Brak dostępu
[4:100:0310/082302.634870:ERROR:bus.cc(397)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Brak dostępu
[4:54:0310/082303.690763:ERROR:object_proxy.cc(623)] Failed to call method: org.kde.KWallet.isEnabled: object_path= /modules/kwalletd5: org.freedesktop.DBus.Error.NoReply: Message recipient disconnected from message bus without replying
[4:54:0310/082303.690800:ERROR:kwallet_dbus.cc(100)] Error contacting kwalletd5 (isEnabled)
[4:54:0310/082303.691363:ERROR:object_proxy.cc(623)] Failed to call method: org.kde.KLauncher.start_service_by_desktop_name: object_path= /KLauncher: org.freedesktop.DBus.Error.ServiceUnknown: The name org.kde.klauncher was not provided by any .service files
[4:54:0310/082303.691381:ERROR:kwallet_dbus.cc(72)] Error contacting klauncher to start kwalletd5
[4:54:0310/082304.075469:ERROR:object_proxy.cc(623)] Failed to call method: org.kde.KWallet.close: object_path= /modules/kwalletd5: org.freedesktop.DBus.Error.NoReply: Message recipient disconnected from message bus without replying
[4:54:0310/082304.076786:ERROR:kwallet_dbus.cc(418)] Error contacting kwalletd5 (close)
[4:61:0310/082307.152013:ERROR:chrome_browser_main_extra_parts_metrics.cc(227)] START: ReportBluetoothAvailability(). If you don't see the END: message, this is crbug.com/1216328.
[4:61:0310/082307.152480:ERROR:chrome_browser_main_extra_parts_metrics.cc(230)] END: ReportBluetoothAvailability()
[37:47:0310/082338.362955:ERROR:object_proxy.cc(623)] Failed to call method: org.kde.KWallet.isEnabled: object_path= /modules/kwalletd5: org.freedesktop.DBus.Error.NoReply: Message recipient disconnected from message bus without replying
[37:47:0310/082338.362996:ERROR:kwallet_dbus.cc(100)] Error contacting kwalletd5 (isEnabled)
[37:47:0310/082338.364082:ERROR:object_proxy.cc(623)] Failed to call method: org.kde.KLauncher.start_service_by_desktop_name: object_path= /KLauncher: org.freedesktop.DBus.Error.ServiceUnknown: The name org.kde.klauncher was not provided by any .service files
[37:47:0310/082338.364103:ERROR:kwallet_dbus.cc(72)] Error contacting klauncher to start kwalletd5
[37:47:0310/082338.648748:ERROR:object_proxy.cc(623)] Failed to call method: org.kde.KWallet.close: object_path= /modules/kwalletd5: org.freedesktop.DBus.Error.NoReply: Message recipient disconnected from message bus without replying
[37:47:0310/082338.648783:ERROR:kwallet_dbus.cc(418)] Error contacting kwalletd5 (close)

Parent is shutting down, bye...

This doesn't work:

firejail --private=/home/user/Data/jail/ --noprofile /usr/bin/chromium

Parent pid 1889, child pid 1890
Child process initialized in 26.64 ms
[34:34:0310/083007.020228:ERROR:sandbox_linux.cc(377)] InitializeSandbox() called with multiple threads in process gpu-process.
[4:113:0310/083007.366998:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.DBus.Properties.Get: object_path= /org/freedesktop/UPower: org.freedesktop.systemd1.UnitMasked: Unit upower.service is masked.
[4:113:0310/083007.367944:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.UPower.GetDisplayDevice: object_path= /org/freedesktop/UPower: org.freedesktop.systemd1.UnitMasked: Unit upower.service is masked.
[4:113:0310/083007.368613:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.UPower.EnumerateDevices: object_path= /org/freedesktop/UPower: org.freedesktop.systemd1.UnitMasked: Unit upower.service is masked.
[4:51:0310/083008.214835:ERROR:object_proxy.cc(623)] Failed to call method: org.kde.KWallet.isEnabled: object_path= /modules/kwalletd5: org.freedesktop.DBus.Error.NoReply: Message recipient disconnected from message bus without replying
[4:51:0310/083008.214872:ERROR:kwallet_dbus.cc(100)] Error contacting kwalletd5 (isEnabled)
[4:51:0310/083008.217861:ERROR:object_proxy.cc(623)] Failed to call method: org.kde.KLauncher.start_service_by_desktop_name: object_path= /KLauncher: org.freedesktop.DBus.Error.ServiceUnknown: The name org.kde.klauncher was not provided by any .service files
[4:51:0310/083008.217904:ERROR:kwallet_dbus.cc(72)] Error contacting klauncher to start kwalletd5
[4:51:0310/083008.566695:ERROR:object_proxy.cc(623)] Failed to call method: org.kde.KWallet.close: object_path= /modules/kwalletd5: org.freedesktop.DBus.Error.NoReply: Message recipient disconnected from message bus without replying
[4:51:0310/083008.566733:ERROR:kwallet_dbus.cc(418)] Error contacting kwalletd5 (close)
[4:48:0310/083010.652529:ERROR:chrome_browser_main_extra_parts_metrics.cc(227)] START: ReportBluetoothAvailability(). If you don't see the END: message, this is crbug.com/1216328.
[4:48:0310/083010.652566:ERROR:chrome_browser_main_extra_parts_metrics.cc(230)] END: ReportBluetoothAvailability()

Parent is shutting down, bye...

With this uploading works:

firejail --noprofile /usr/bin/chromium
Parent pid 2131, child pid 2132
Child process initialized in 28.29 ms
[2:93:0310/083059.708288:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.DBus.Properties.Get: object_path= /org/freedesktop/UPower: org.freedesktop.systemd1.UnitMasked: Unit upower.service is masked.
[2:93:0310/083059.709199:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.UPower.GetDisplayDevice: object_path= /org/freedesktop/UPower: org.freedesktop.systemd1.UnitMasked: Unit upower.service is masked.
[2:93:0310/083059.709989:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.UPower.EnumerateDevices: object_path= /org/freedesktop/UPower: org.freedesktop.systemd1.UnitMasked: Unit upower.service is masked.
[33:33:0310/083059.787593:ERROR:sandbox_linux.cc(377)] InitializeSandbox() called with multiple threads in process gpu-process.
[2:48:0310/083103.620897:ERROR:chrome_browser_main_extra_parts_metrics.cc(227)] START: ReportBluetoothAvailability(). If you don't see the END: message, this is crbug.com/1216328.
[2:48:0310/083103.621051:ERROR:chrome_browser_main_extra_parts_metrics.cc(230)] END: ReportBluetoothAvailability()

Parent is shutting down, bye...

I am not sure about apparmor. I have it installed but as far I as remember I don't use it, perhaps I blocked it a long time ago. But Firefox works with default Firefox profile and upload works.

My chromium.local

# Firejail profile for chromium
# Description: A web browser built for speed, simplicity, and security
# This file is overwritten after every install/update
# Persistent local customizations
include chromium.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/.cache/chromium
noblacklist ${HOME}/.config/chromium
noblacklist ${HOME}/.config/chromium-flags.conf

mkdir ${HOME}/.cache/chromium
mkdir ${HOME}/.config/chromium
whitelist ${HOME}/.cache/chromium
whitelist ${HOME}/.config/chromium
whitelist ${HOME}/.config/chromium-flags.conf
whitelist /usr/share/chromium

include whitelist-common.inc

whitelist ~/Downloads
noblacklist ~/Downloads

# private-bin chromium,chromium-browser,chromedriver

# Redirect
include chromium-common.profile
Originally created by @omega3 on GitHub (Mar 11, 2022). Original GitHub issue: https://github.com/netblue30/firejail/issues/5032 ### Discussed in https://github.com/netblue30/firejail/discussions/5025 <div type='discussions-op-text'> <sup>Originally posted by **omega3** March 9, 2022</sup> Chromium doesn't allow to upload file for example to imgur. I am using Chromium on Plasma KDE. Imgur shows error. When I add `nodbus` it opens diffrent dialog, I guess it is gtk diolog - not Plasma KDE - and I can upload. But when I save file with this setting and this dialog I can't see them in Dolphin. What to do? Expected behavior would be to be able to download / upload files in Chromium from Plasma KDE dialog and when downloaded, see them in Dolphin. I use `chromium.local` profile, which is basically the same as in /etc/Firejail and run Chromium like this: `firejail --private=/home/user/Data/jail/ --profile=/home/user/Data/jail/.config/firejail/chromium.local /usr/bin/chromium` I can download file from the Internet for example from Imgur to Downloads folder in this custom fake /home but at the same time I can't upload. I added to `chromium.local` ``` include whitelist-common.inc whitelist ~/Downloads noblacklist ~/Downloads ``` but it doesn't work. Giving full path or something like this: ``` whitelist ${HOME}/Downloads noblacklist ${HOME}/Downloads whitelist /home/user/Data/jail/Downloads noblacklist /home/user/Data/jail/Downloads ``` also doesn't work. ``` firejail version 0.9.69 Operating System: Manjaro Linux KDE Plasma Version: 5.24.2 KDE Frameworks Version: 5.91.0 Qt Version: 5.15.2 Kernel Version: 5.15.25-1-MANJARO (64-bit) Graphics Platform: X11 ``` This doesn't work: ``` firejail --private=/home/user/Data/jail/ --profile=/home/user/Data/jail/.config/firejail/chromium.local /usr/bin/chromium Reading profile /home/user/Data/jail/.config/firejail/chromium.local Reading profile /etc/firejail/whitelist-common.inc Reading profile /etc/firejail/chromium-common.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-exec.inc Reading profile /etc/firejail/disable-interpreters.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/disable-xdg.inc Reading profile /etc/firejail/whitelist-common.inc Reading profile /etc/firejail/whitelist-run-common.inc Reading profile /etc/firejail/whitelist-runuser-common.inc Reading profile /etc/firejail/whitelist-usr-share-common.inc Reading profile /etc/firejail/whitelist-var-common.inc Parent pid 1032, child pid 1033 Warning: cleaning all supplementary groups Warning: cleaning all supplementary groups Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set. Warning: /sbin directory link was not blacklisted Warning: /usr/sbin directory link was not blacklisted Warning: Cannot confine the application using AppArmor. Maybe firejail-default AppArmor profile is not loaded into the kernel. As root, run "aa-enforce firejail-default" to load it. Child process initialized in 272.35 ms [1:1:0310/082301.559099:ERROR:content_main_runner_impl.cc(377)] Unable to load CDM /home/user/.config/chromium/WidevineCdm/4.10.2391.0/_platform_specific/linux_x64/libwidevinecdm.so (error: /home/user/.config/chromium/WidevineCdm/4.10.2391.0/_platform_specific/linux_x64/libwidevinecdm.so: odwzorowanie segmentu z obiektu dzielonego nie powiodło się) [12:12:0310/082301.559401:ERROR:content_main_runner_impl.cc(377)] Unable to load CDM /home/user/.config/chromium/WidevineCdm/4.10.2391.0/_platform_specific/linux_x64/libwidevinecdm.so (error: /home/user/.config/chromium/WidevineCdm/4.10.2391.0/_platform_specific/linux_x64/libwidevinecdm.so: odwzorowanie segmentu z obiektu dzielonego nie powiodło się) [4:29:0310/082301.806816:ERROR:bus.cc(397)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Brak dostępu [4:29:0310/082301.807026:ERROR:bus.cc(397)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Brak dostępu [36:36:0310/082302.560984:ERROR:sandbox_linux.cc(377)] InitializeSandbox() called with multiple threads in process gpu-process. [4:100:0310/082302.634668:ERROR:bus.cc(397)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Brak dostępu [4:100:0310/082302.634724:ERROR:bus.cc(397)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Brak dostępu [4:100:0310/082302.634783:ERROR:bus.cc(397)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Brak dostępu [4:100:0310/082302.634831:ERROR:bus.cc(397)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Brak dostępu [4:100:0310/082302.634870:ERROR:bus.cc(397)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Brak dostępu [4:54:0310/082303.690763:ERROR:object_proxy.cc(623)] Failed to call method: org.kde.KWallet.isEnabled: object_path= /modules/kwalletd5: org.freedesktop.DBus.Error.NoReply: Message recipient disconnected from message bus without replying [4:54:0310/082303.690800:ERROR:kwallet_dbus.cc(100)] Error contacting kwalletd5 (isEnabled) [4:54:0310/082303.691363:ERROR:object_proxy.cc(623)] Failed to call method: org.kde.KLauncher.start_service_by_desktop_name: object_path= /KLauncher: org.freedesktop.DBus.Error.ServiceUnknown: The name org.kde.klauncher was not provided by any .service files [4:54:0310/082303.691381:ERROR:kwallet_dbus.cc(72)] Error contacting klauncher to start kwalletd5 [4:54:0310/082304.075469:ERROR:object_proxy.cc(623)] Failed to call method: org.kde.KWallet.close: object_path= /modules/kwalletd5: org.freedesktop.DBus.Error.NoReply: Message recipient disconnected from message bus without replying [4:54:0310/082304.076786:ERROR:kwallet_dbus.cc(418)] Error contacting kwalletd5 (close) [4:61:0310/082307.152013:ERROR:chrome_browser_main_extra_parts_metrics.cc(227)] START: ReportBluetoothAvailability(). If you don't see the END: message, this is crbug.com/1216328. [4:61:0310/082307.152480:ERROR:chrome_browser_main_extra_parts_metrics.cc(230)] END: ReportBluetoothAvailability() [37:47:0310/082338.362955:ERROR:object_proxy.cc(623)] Failed to call method: org.kde.KWallet.isEnabled: object_path= /modules/kwalletd5: org.freedesktop.DBus.Error.NoReply: Message recipient disconnected from message bus without replying [37:47:0310/082338.362996:ERROR:kwallet_dbus.cc(100)] Error contacting kwalletd5 (isEnabled) [37:47:0310/082338.364082:ERROR:object_proxy.cc(623)] Failed to call method: org.kde.KLauncher.start_service_by_desktop_name: object_path= /KLauncher: org.freedesktop.DBus.Error.ServiceUnknown: The name org.kde.klauncher was not provided by any .service files [37:47:0310/082338.364103:ERROR:kwallet_dbus.cc(72)] Error contacting klauncher to start kwalletd5 [37:47:0310/082338.648748:ERROR:object_proxy.cc(623)] Failed to call method: org.kde.KWallet.close: object_path= /modules/kwalletd5: org.freedesktop.DBus.Error.NoReply: Message recipient disconnected from message bus without replying [37:47:0310/082338.648783:ERROR:kwallet_dbus.cc(418)] Error contacting kwalletd5 (close) Parent is shutting down, bye... ``` This doesn't work: ``` firejail --private=/home/user/Data/jail/ --noprofile /usr/bin/chromium Parent pid 1889, child pid 1890 Child process initialized in 26.64 ms [34:34:0310/083007.020228:ERROR:sandbox_linux.cc(377)] InitializeSandbox() called with multiple threads in process gpu-process. [4:113:0310/083007.366998:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.DBus.Properties.Get: object_path= /org/freedesktop/UPower: org.freedesktop.systemd1.UnitMasked: Unit upower.service is masked. [4:113:0310/083007.367944:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.UPower.GetDisplayDevice: object_path= /org/freedesktop/UPower: org.freedesktop.systemd1.UnitMasked: Unit upower.service is masked. [4:113:0310/083007.368613:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.UPower.EnumerateDevices: object_path= /org/freedesktop/UPower: org.freedesktop.systemd1.UnitMasked: Unit upower.service is masked. [4:51:0310/083008.214835:ERROR:object_proxy.cc(623)] Failed to call method: org.kde.KWallet.isEnabled: object_path= /modules/kwalletd5: org.freedesktop.DBus.Error.NoReply: Message recipient disconnected from message bus without replying [4:51:0310/083008.214872:ERROR:kwallet_dbus.cc(100)] Error contacting kwalletd5 (isEnabled) [4:51:0310/083008.217861:ERROR:object_proxy.cc(623)] Failed to call method: org.kde.KLauncher.start_service_by_desktop_name: object_path= /KLauncher: org.freedesktop.DBus.Error.ServiceUnknown: The name org.kde.klauncher was not provided by any .service files [4:51:0310/083008.217904:ERROR:kwallet_dbus.cc(72)] Error contacting klauncher to start kwalletd5 [4:51:0310/083008.566695:ERROR:object_proxy.cc(623)] Failed to call method: org.kde.KWallet.close: object_path= /modules/kwalletd5: org.freedesktop.DBus.Error.NoReply: Message recipient disconnected from message bus without replying [4:51:0310/083008.566733:ERROR:kwallet_dbus.cc(418)] Error contacting kwalletd5 (close) [4:48:0310/083010.652529:ERROR:chrome_browser_main_extra_parts_metrics.cc(227)] START: ReportBluetoothAvailability(). If you don't see the END: message, this is crbug.com/1216328. [4:48:0310/083010.652566:ERROR:chrome_browser_main_extra_parts_metrics.cc(230)] END: ReportBluetoothAvailability() Parent is shutting down, bye... ``` With this uploading works: ``` firejail --noprofile /usr/bin/chromium Parent pid 2131, child pid 2132 Child process initialized in 28.29 ms [2:93:0310/083059.708288:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.DBus.Properties.Get: object_path= /org/freedesktop/UPower: org.freedesktop.systemd1.UnitMasked: Unit upower.service is masked. [2:93:0310/083059.709199:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.UPower.GetDisplayDevice: object_path= /org/freedesktop/UPower: org.freedesktop.systemd1.UnitMasked: Unit upower.service is masked. [2:93:0310/083059.709989:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.UPower.EnumerateDevices: object_path= /org/freedesktop/UPower: org.freedesktop.systemd1.UnitMasked: Unit upower.service is masked. [33:33:0310/083059.787593:ERROR:sandbox_linux.cc(377)] InitializeSandbox() called with multiple threads in process gpu-process. [2:48:0310/083103.620897:ERROR:chrome_browser_main_extra_parts_metrics.cc(227)] START: ReportBluetoothAvailability(). If you don't see the END: message, this is crbug.com/1216328. [2:48:0310/083103.621051:ERROR:chrome_browser_main_extra_parts_metrics.cc(230)] END: ReportBluetoothAvailability() Parent is shutting down, bye... ``` I am not sure about apparmor. I have it installed but as far I as remember I don't use it, perhaps I blocked it a long time ago. But Firefox works with default Firefox profile and upload works. My chromium.local ``` # Firejail profile for chromium # Description: A web browser built for speed, simplicity, and security # This file is overwritten after every install/update # Persistent local customizations include chromium.local # Persistent global definitions include globals.local noblacklist ${HOME}/.cache/chromium noblacklist ${HOME}/.config/chromium noblacklist ${HOME}/.config/chromium-flags.conf mkdir ${HOME}/.cache/chromium mkdir ${HOME}/.config/chromium whitelist ${HOME}/.cache/chromium whitelist ${HOME}/.config/chromium whitelist ${HOME}/.config/chromium-flags.conf whitelist /usr/share/chromium include whitelist-common.inc whitelist ~/Downloads noblacklist ~/Downloads # private-bin chromium,chromium-browser,chromedriver # Redirect include chromium-common.profile ```
gitea-mirror commented 2026-05-05 09:31:01 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Mar 11, 2022):

When I add nodbus it opens diffrent dialog, I guess it is gtk diolog - not Plasma KDE - and I can upload. But when I save file with this setting and this dialog I can't see them in Dolphin.

I'm not familiar with KDE but there's a comment on the last line in /etc/firejail/chromium-common.profile that you might try:

# The file dialog needs to work without d-bus.
?HAS_NODBUS: env NO_CHROME_KDE_FILE_DIALOG=1

As a quick test you can add it without the conditional, just to double-check if you can get your Plasma tools working in the sandbox. Add the below line to your chromium.local and run your command again:

env NO_CHROME_KDE_FILE_DIALOG=1

Does that change anything for the better?

<!-- gh-comment-id:1065135300 --> @ghost commented on GitHub (Mar 11, 2022): > When I add nodbus it opens diffrent dialog, I guess it is gtk diolog - not Plasma KDE - and I can upload. But when I save file with this setting and this dialog I can't see them in Dolphin. I'm not familiar with KDE but there's a comment on the last line in /etc/firejail/chromium-common.profile that you might try: ``` # The file dialog needs to work without d-bus. ?HAS_NODBUS: env NO_CHROME_KDE_FILE_DIALOG=1 ``` As a quick test you can add it without the conditional, just to double-check if you can get your Plasma tools working in the sandbox. Add the below line to your chromium.local and run your command again: ``` env NO_CHROME_KDE_FILE_DIALOG=1 ``` Does that change anything for the better?
gitea-mirror commented 2026-05-05 09:31:02 -06:00
Author
Owner
Copy link

@omega3 commented on GitHub (Mar 11, 2022):

I added like this: env NO_CHROME_KDE_FILE_DIALOG=1 both in
/etc/firejail/chromium-common.profile and chromium.local and no change.

<!-- gh-comment-id:1065305502 --> @omega3 commented on GitHub (Mar 11, 2022): I added like this: `env NO_CHROME_KDE_FILE_DIALOG=1` both in `/etc/firejail/chromium-common.profile` and `chromium.local` and no change.
gitea-mirror commented 2026-05-05 09:31:03 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Mar 12, 2022):

Might be a duplicate of https://github.com/netblue30/firejail/issues/4965.

Try adding the below to your /home/user/Data/jail/.config/firejail/chromium.local

ignore whitelist /usr/share/mozilla/extensions
ignore whitelist /usr/share/webext
<!-- gh-comment-id:1065795543 --> @ghost commented on GitHub (Mar 12, 2022): Might be a duplicate of https://github.com/netblue30/firejail/issues/4965. Try adding the below to your /home/user/Data/jail/.config/firejail/chromium.local ``` ignore whitelist /usr/share/mozilla/extensions ignore whitelist /usr/share/webext ```
gitea-mirror commented 2026-05-05 09:31:03 -06:00
Author
Owner
Copy link

@omega3 commented on GitHub (Mar 12, 2022):

It doesn't change anything. I need to rephrase this: "Expected behavior would be to be able to download / upload files in Chromium from Plasma KDE dialog and when downloaded, see them in Dolphin."
I don't care what dialog chromium uses gtk or KDE. The problem is that I can't see the filed downloaded with gtk dialog in Dolphin. I could see them that would solve the problem. Maybe I should install something in my system?

The other thing is that when I run Chromium without Firejail it uses KDE dialog and uploads files correctly. So, the conclusion is there is something in profiles or firejail that makes a difference.

<!-- gh-comment-id:1065841736 --> @omega3 commented on GitHub (Mar 12, 2022): It doesn't change anything. I need to rephrase this: "Expected behavior would be to be able to download / upload files in Chromium from Plasma KDE dialog and when downloaded, see them in Dolphin." I don't care what dialog chromium uses gtk or KDE. The problem is that I can't see the filed downloaded with gtk dialog in Dolphin. I could see them that would solve the problem. Maybe I should install something in my system? The other thing is that when I run Chromium without Firejail it uses KDE dialog and uploads files correctly. So, the conclusion is there is something in profiles or firejail that makes a difference.
gitea-mirror commented 2026-05-05 09:31:04 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Mar 12, 2022):

I don't care what dialog chromium uses gtk or KDE. The problem is that I can't see the filed downloaded with gtk dialog in Dolphin. I could see them that would solve the problem.

Does your dolphin run firejailed too?
You can transfer out the downloaded file(s) to your real filesystem for Dolphin:

--get=name|pid filename
    Retrieve the container file and store it on the host in the current working directory. The container is specified by name or PID.

Chromium doesn't allow to upload file for example to imgur. I am using Chromium on Plasma KDE. Imgur shows error.
The other thing is that when I run Chromium without Firejail it uses KDE dialog and uploads files correctly.

What does the Imgur error say exactly?

<!-- gh-comment-id:1065853584 --> @ghost commented on GitHub (Mar 12, 2022): > I don't care what dialog chromium uses gtk or KDE. The problem is that I can't see the filed downloaded with gtk dialog in Dolphin. I could see them that would solve the problem. Does your dolphin run firejailed too? You can transfer out the downloaded file(s) to your real filesystem for Dolphin: ``` --get=name|pid filename Retrieve the container file and store it on the host in the current working directory. The container is specified by name or PID. ``` > Chromium doesn't allow to upload file for example to imgur. I am using Chromium on Plasma KDE. Imgur shows error. > The other thing is that when I run Chromium without Firejail it uses KDE dialog and uploads files correctly. What does the Imgur error say exactly?
gitea-mirror commented 2026-05-05 09:31:06 -06:00
Author
Owner
Copy link

@omega3 commented on GitHub (Mar 12, 2022):

What does the Imgur error say exactly?

https://i.imgur.com/QvsTaQt.png

Does your dolphin run firejailed too?

No.

<!-- gh-comment-id:1065858040 --> @omega3 commented on GitHub (Mar 12, 2022): > What does the Imgur error say exactly? https://i.imgur.com/QvsTaQt.png > Does your dolphin run firejailed too? No.
gitea-mirror commented 2026-05-05 09:31:07 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Mar 12, 2022):

I've put together a test profile to debug this. The private option is inside the file as you can see. Just to keep the command a bit shorter, shouldn't make any functional difference.

Please download this file, place it in your ~/Data/jail/.config/firejail dir as fj-issue-5032.profile and run with the debug option: $ firejail --debug --profile=~/Data/jail/.config/firejail/fj-issue-5032.profile /usr/bin/chromium | tee -a ~/Downloads/fj-issue-5032.log. Try downloading/uploading, do some browsing etceterea and when you're done, upload the resulting ~/Downloads/fj-issue-5032.log somewhere (or post it here, as you prefer). I still cannot reproduce, but I don't have KDE (which shouldn't really matter here).

<!-- gh-comment-id:1065952277 --> @ghost commented on GitHub (Mar 12, 2022): I've put together a test profile to debug this. The private option is inside the file as you can see. Just to keep the command a bit shorter, shouldn't make any functional difference. Please download [this file](https://gist.github.com/glitsj16/6b822a30ff1a7dc6de49dc569248c92d), place it in your ~/Data/jail/.config/firejail dir as `fj-issue-5032.profile` and run with the debug option: `$ firejail --debug --profile=~/Data/jail/.config/firejail/fj-issue-5032.profile /usr/bin/chromium | tee -a ~/Downloads/fj-issue-5032.log`. Try downloading/uploading, do some browsing etceterea and when you're done, upload the resulting ~/Downloads/fj-issue-5032.log somewhere (or post it here, as you prefer). I still cannot reproduce, but I don't have KDE (which shouldn't really matter here).
gitea-mirror commented 2026-05-05 09:31:07 -06:00
Author
Owner
Copy link

@omega3 commented on GitHub (Mar 13, 2022):

With fj-issue-5032.profile profile file dialog within Chromium couldn't be open.
https://i.imgur.com/1bnogBR.png
when I pressed "choose photo" nothing happened, no dialog appeared.
log and also output from terminal:
fj-issue-5032.log

The fact that dialog doesn't appear is caused by:
include chromium-common-hardened.inc.profile
but when I hashed it I still can't upload with above profile

<!-- gh-comment-id:1066053913 --> @omega3 commented on GitHub (Mar 13, 2022): With `fj-issue-5032.profile` profile file dialog within Chromium couldn't be open. https://i.imgur.com/1bnogBR.png when I pressed "choose photo" nothing happened, no dialog appeared. log and also output from terminal: [fj-issue-5032.log](https://github.com/netblue30/firejail/files/8239204/fj-issue-5032.log) The fact that dialog doesn't appear is caused by: `include chromium-common-hardened.inc.profile` but when I hashed it I still can't upload with above profile
gitea-mirror commented 2026-05-05 09:31:08 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Mar 14, 2022):

I'm out of ideas on this one. Copy chromium.profile and chromium-common.profile from /etc/firejail to your ~/Data/jail/.config/firejail and start commenting lines until you get a working configuration.

<!-- gh-comment-id:1067157639 --> @ghost commented on GitHub (Mar 14, 2022): I'm out of ideas on this one. Copy chromium.profile and chromium-common.profile from /etc/firejail to your ~/Data/jail/.config/firejail and start commenting lines until you get a working configuration.
gitea-mirror commented 2026-05-05 09:31:09 -06:00
Author
Owner
Copy link

@Kebron718 commented on GitHub (Mar 20, 2022):

Hello omega3,

I've had the same problem with Chromium using openSUSE with KDE for a couple of months. Downloads only work directly into the downloads folder. Saving web pages only works using the print option. Uploads don’t work at all.
I found that uncommenting the noroot option in

/etc/firejail/chromium-common-hardened.inc.profile

does the trick for me.

However, I usually keep the noroot option enabled. I only disable it when I know that I want to upload something. Sometimes I just use Firefox instead in these rare occasions which has noroot enabled per default.

The hardened profile isn’t enabled per default in openSUSE. You have to manually uncomment the

include chromium-common-hardened.inc.profile

line in

/etc/firejail/chromium-common.profile

Maybe the noroot option is hidden somewhere else in one of the various profiles chromium uses.

<!-- gh-comment-id:1073343187 --> @Kebron718 commented on GitHub (Mar 20, 2022): Hello omega3, I've had the same problem with Chromium using openSUSE with KDE for a couple of months. Downloads only work directly into the downloads folder. Saving web pages only works using the print option. Uploads don’t work at all. I found that uncommenting the **noroot** option in ### /etc/firejail/chromium-common-hardened.inc.profile does the trick for me. However, I usually keep the **noroot** option enabled. I only disable it when I know that I want to upload something. Sometimes I just use Firefox instead in these rare occasions which has **noroot** enabled per default. The hardened profile isn’t enabled per default in openSUSE. You have to manually uncomment the ### include chromium-common-hardened.inc.profile line in ### /etc/firejail/chromium-common.profile Maybe the **noroot** option is hidden somewhere else in one of the various profiles chromium uses.
gitea-mirror commented 2026-05-05 09:31:09 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Mar 21, 2022):

I found that uncommenting the noroot option ... does the trick for me.

@Kebron718 That's some impressive detective work. Never suspected noroot could have anything to do with uploading files in a web browser. But I'm not at all familiar with this one. Still, I wonder if any of you is using anything 'special' in ~/.config/chromium-flags.conf or wrapper scripts by any chance?

The hardened profile isn’t enabled per default in openSUSE.

The extra hardening is always disabled by default, regardless of distro.

Maybe the noroot option is hidden somewhere else in one of the various profiles chromium uses.

No it's only in chromium-common-hardened.inc.profile AFAICT (it should be).
So a one-liner ignore noroot placed in a ~/.config/firejail/chromium-common-hardened.inc.local should suffice for users facing this issue.

<!-- gh-comment-id:1073617401 --> @ghost commented on GitHub (Mar 21, 2022): > I found that uncommenting the noroot option ... does the trick for me. @Kebron718 That's some impressive detective work. Never suspected `noroot` could have anything to do with uploading files in a web browser. But I'm not at all familiar with this one. Still, I wonder if any of you is using anything 'special' in ~/.config/chromium-flags.conf or wrapper scripts by any chance? > The hardened profile isn’t enabled per default in openSUSE. The extra hardening is always disabled by default, regardless of distro. > Maybe the noroot option is hidden somewhere else in one of the various profiles chromium uses. No it's only in chromium-common-hardened.inc.profile AFAICT (it should be). So a one-liner `ignore noroot` placed in a `~/.config/firejail/chromium-common-hardened.inc.local` should suffice for users facing this issue.
gitea-mirror commented 2026-05-05 09:31:10 -06:00
Author
Owner
Copy link

@omega3 commented on GitHub (Mar 21, 2022):

Still, I wonder if any of you is using anything 'special' in ~/.config/chromium-flags.conf or wrapper scripts by any chance?
No, I don't.

Unfortunately, this didn't work for me.

This wiki shows many dbus options but I have no idea what they do.
https://man.archlinux.org/man/firejail.1.en
There was a discussion about dbus

Although I am not programmist I think that this issue may be connected to dbus options because with gtk dialog it works. The problem is how chromium in firejail "communicates" with kde system.

<!-- gh-comment-id:1073665095 --> @omega3 commented on GitHub (Mar 21, 2022): > Still, I wonder if any of you is using anything 'special' in ~/.config/chromium-flags.conf or wrapper scripts by any chance? No, I don't. Unfortunately, this didn't work for me. This wiki shows many dbus options but I have no idea what they do. https://man.archlinux.org/man/firejail.1.en There was a discussion about [dbus](https://github.com/netblue30/firejail/issues/3184) Although I am not programmist I think that this issue may be connected to dbus options because with gtk dialog it works. The problem is how chromium in firejail "communicates" with kde system.
gitea-mirror commented 2026-05-05 09:31:11 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Mar 21, 2022):

Unfortunately, this didn't work for me.

Unfortunate to say the least.

This wiki shows many dbus options but I have no idea what they do.
There was a discussion about #3184

The discussion you're refering to is now reality. Has been for a while. Firejail has integrated xdg-dbus-proxy (you should install that package if it isn't!) and the 'newish' options are considered stable and pretty much feature-complete. This provides the much wanted finer-grained control earlier versions were missing. That implied implementing a more complex set of options to control D-Bus and I can see how that would need time to get familiar with. But in the case of chromium it's actually quite simple. By default chromium-common.profile grants full access to the D-Bus session bus and only blocks the system bus (which most programs don't need access to):

[...]
#dbus-user none - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector.
dbus-system none
[...]

We already discussed NO_CHROME_KDE_FILE_DIALOG=1 above and it didn't make any difference for your issue as you reported. So I see only one more thing you can try in this D-Bus context and that's granting full access to the system bus too.

The problem is how chromium in firejail "communicates" with kde system.

Most, if not all the DE-related files for both GTK and QT/KDE reside in the included *.inc files in the profile. To check if you need anything additional stuff, try not including any of those, just as a test to see if that changes anything. Together with the above D-Bus remarks that brings me to the below ~/.config/firejail/chromium-common.local:

ignore include disable-common.inc
ignore include disable-programs.inc

ignore whitelist /usr/share/mozilla/extensions
ignore whitelist /usr/share/webext
ignore include whitelist-common.inc
ignore include whitelist-usr-share-common.inc

ignore dbus-system none

Just make sure you don't have anything in globals.local and existing chromium{,-common}.local files that might throw sand in the machine.

<!-- gh-comment-id:1073712286 --> @ghost commented on GitHub (Mar 21, 2022): > Unfortunately, this didn't work for me. Unfortunate to say the least. > This wiki shows many dbus options but I have no idea what they do. There was a discussion about #3184 The discussion you're refering to is now reality. Has been for a while. Firejail has integrated `xdg-dbus-proxy` (you should install that package if it isn't!) and the 'newish' options are considered stable and pretty much feature-complete. This provides the much wanted finer-grained control earlier versions were missing. That implied implementing a more complex set of options to control D-Bus and I can see how that would need time to get familiar with. But in the case of chromium it's actually quite simple. By default chromium-common.profile grants full access to the D-Bus session bus and only blocks the system bus (which most programs don't need access to): ``` [...] #dbus-user none - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector. dbus-system none [...] ``` We already discussed `NO_CHROME_KDE_FILE_DIALOG=1` above and it didn't make any difference for your issue as you reported. So I see only one more thing you can try in this D-Bus context and that's granting full access to the system bus too. > The problem is how chromium in firejail "communicates" with kde system. Most, if not all the DE-related files for both GTK and QT/KDE reside in the included *.inc files in the profile. To check if you need anything additional stuff, try not including any of those, just as a test to see if that changes anything. Together with the above D-Bus remarks that brings me to the below ~/.config/firejail/chromium-common.local: ``` ignore include disable-common.inc ignore include disable-programs.inc ignore whitelist /usr/share/mozilla/extensions ignore whitelist /usr/share/webext ignore include whitelist-common.inc ignore include whitelist-usr-share-common.inc ignore dbus-system none ``` Just make sure you don't have anything in globals.local and existing chromium{,-common}.local files that might throw sand in the machine.
gitea-mirror commented 2026-05-05 09:31:12 -06:00
Author
Owner
Copy link

@omega3 commented on GitHub (Mar 21, 2022):

It doesn't work.
the current setup is in ~/.config/firejail/:

chromium-common-hardened.inc.local
chromium-common.local
chromium.local

chromium-common-hardened.inc.local:

include chromium-common-hardened.inc.local

caps.drop all
nonewprivs
ignore noroot
protocol unix,inet,inet6,netlink
seccomp !chroot

chromium-common.local:

ignore include disable-common.inc
ignore include disable-programs.inc

ignore whitelist /usr/share/mozilla/extensions
ignore whitelist /usr/share/webext
ignore include whitelist-common.inc
ignore include whitelist-usr-share-common.inc

ignore dbus-system none

chromium.local


include chromium.local
include chromium-common.local
include chromium-common-hardened.inc.local

noblacklist ${HOME}/.cache/chromium
noblacklist ${HOME}/.config/chromium
noblacklist ${HOME}/.config/chromium-flags.conf

mkdir ${HOME}/.cache/chromium
mkdir ${HOME}/.config/chromium
whitelist ${HOME}/.cache/chromium
whitelist ${HOME}/.config/chromium
whitelist ${HOME}/.config/chromium-flags.conf
#whitelist /usr/share/chromium

whitelist ${HOME}/Data/jail/Downloads

ignore apparmor

env NO_CHROME_KDE_FILE_DIALOG=1
<!-- gh-comment-id:1074150585 --> @omega3 commented on GitHub (Mar 21, 2022): It doesn't work. the current setup is in` ~/.config/firejail/`: ``` chromium-common-hardened.inc.local chromium-common.local chromium.local ``` chromium-common-hardened.inc.local: ``` include chromium-common-hardened.inc.local caps.drop all nonewprivs ignore noroot protocol unix,inet,inet6,netlink seccomp !chroot ``` chromium-common.local: ``` ignore include disable-common.inc ignore include disable-programs.inc ignore whitelist /usr/share/mozilla/extensions ignore whitelist /usr/share/webext ignore include whitelist-common.inc ignore include whitelist-usr-share-common.inc ignore dbus-system none ``` chromium.local ``` include chromium.local include chromium-common.local include chromium-common-hardened.inc.local noblacklist ${HOME}/.cache/chromium noblacklist ${HOME}/.config/chromium noblacklist ${HOME}/.config/chromium-flags.conf mkdir ${HOME}/.cache/chromium mkdir ${HOME}/.config/chromium whitelist ${HOME}/.cache/chromium whitelist ${HOME}/.config/chromium whitelist ${HOME}/.config/chromium-flags.conf #whitelist /usr/share/chromium whitelist ${HOME}/Data/jail/Downloads ignore apparmor env NO_CHROME_KDE_FILE_DIALOG=1 ```
gitea-mirror commented 2026-05-05 09:31:12 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Mar 21, 2022):

File-dialog broken by noroot on KDE? Sounds like portals.

<!-- gh-comment-id:1074211982 --> @rusty-snake commented on GitHub (Mar 21, 2022): File-dialog broken by `noroot` on KDE? Sounds like portals.
gitea-mirror commented 2026-05-05 09:31:13 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Mar 21, 2022):

File-dialog broken by noroot on KDE? Sounds like portals.

@rusty-snake Thanks for joining in. Obviously I don't understand the problem at hand and all I'm achieving here is confusing the OP. And myself for that matter. Twice already @omega3 said ignore noroot doesn't work for him, here and here. Also, like mentioned above, chrome-common.profile doesn't filter dbus-user. noroot can still break things on KDE, regardless of D-Bus user options?

<!-- gh-comment-id:1074312241 --> @ghost commented on GitHub (Mar 21, 2022): > File-dialog broken by noroot on KDE? Sounds like portals. @rusty-snake Thanks for joining in. Obviously I don't understand the problem at hand and all I'm achieving here is confusing the OP. And myself for that matter. Twice already @omega3 said `ignore noroot` doesn't work for him, [here](https://github.com/netblue30/firejail/issues/5032#issuecomment-1073665095) and [here](https://github.com/netblue30/firejail/issues/5032#issuecomment-1074150585). Also, like mentioned above, chrome-common.profile doesn't filter dbus-user. `noroot` can still break things on KDE, regardless of D-Bus user options?
gitea-mirror commented 2026-05-05 09:31:14 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Mar 21, 2022):

Some xdg-desktop-portal implementations (in some versions) are broken (for some features) if the sandbox is started with noroot (I known that at least some xdg-desktop-portal-kde versions are affected (under some configurations)). (As you see I don't really know when it happens just that noroot + (some) xdg-desktop-portal impls + some conditions are broken). If chromium uses portals to get a native file-prompt, this may be an issue.

<!-- gh-comment-id:1074322420 --> @rusty-snake commented on GitHub (Mar 21, 2022): Some xdg-desktop-portal implementations (in some versions) are broken (for some features) if the sandbox is started with `noroot` (I known that at least some xdg-desktop-portal-kde versions are affected (under some configurations)). (As you see I don't really know when it happens just that `noroot` + (some) xdg-desktop-portal impls + some conditions are broken). If chromium uses portals to get a native file-prompt, this may be an issue.
gitea-mirror commented 2026-05-05 09:31:14 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Mar 21, 2022):

@rusty-snake Thanks for providing context and insights. Sounds a real mess :-) With that many unknowns (the multiple some's in your observations) it would be very difficult to formulate a working solution without flooding the affected profiles with even more comments. See {cachy-browser,firefox.librewolf}.profiles for examples of what I mean. The current count of advisory lines in the dbus section of those is 13, not reassuring :-)

<!-- gh-comment-id:1074353135 --> @ghost commented on GitHub (Mar 21, 2022): @rusty-snake Thanks for providing context and insights. Sounds a real mess :-) With that many unknowns (the multiple `some's` in your observations) it would be very difficult to formulate a working solution without flooding the affected profiles with even more comments. See {cachy-browser,firefox.librewolf}.profiles for examples of what I mean. The current count of advisory lines in the dbus section of those is `13`, not reassuring :-)
gitea-mirror commented 2026-05-05 09:31:15 -06:00
Author
Owner
Copy link

@arrowgent commented on GitHub (Mar 29, 2022):

can confirm noroot portal issue with an Electron app when trying to open an "upload" dialog window

ERROR:select_file_dialog_impl_portal.cc(698)] Portal returned error: org.freedesktop.DBus.Error.AccessDenied: Portal operation not allowed: Unable to open /proc/PID/root

apt list xdg-dbus-proxy
xdg-dbus-proxy/bionic,bionic,bionic,now 0.1.3-1~18.04 amd64 [installed,automatic]
apt list xdg-desktop-portal
xdg-desktop-portal/bionic,bionic 1.12.1-1ubuntu1~18.04 amd64 [installed,automatic]

apt list firejail
firejail/bionic,now 0.9.68-3~0ubuntu18.04.0 amd64 [installed]

<!-- gh-comment-id:1082288512 --> @arrowgent commented on GitHub (Mar 29, 2022): can confirm `noroot` portal issue with an Electron app when trying to open an "upload" dialog window `ERROR:select_file_dialog_impl_portal.cc(698)] Portal returned error: org.freedesktop.DBus.Error.AccessDenied: Portal operation not allowed: Unable to open /proc/PID/root` apt list xdg-dbus-proxy `xdg-dbus-proxy/bionic,bionic,bionic,now 0.1.3-1~18.04 amd64 [installed,automatic]` apt list xdg-desktop-portal `xdg-desktop-portal/bionic,bionic 1.12.1-1ubuntu1~18.04 amd64 [installed,automatic]` apt list firejail `firejail/bionic,now 0.9.68-3~0ubuntu18.04.0 amd64 [installed]`
gitea-mirror commented 2026-05-05 09:31:15 -06:00
Author
Owner
Copy link

@AdamaTNT commented on GitHub (May 2, 2022):

I can also confirm that with Ubuntu 22.04 & using latest Google-Chrome, we are unable to upload anything as well.

I think one issue is that the --private=/folder is not being respected by all aspects of the jailed app, such as Gnome's file selection interface. On Ubuntu 20.04, when you used the open file dialog (CTRL+O), it would look like the opened location was the home folder of the user, while actually being the /folder it was jailed at. With 22.04, however, it always opens the actual $HOME folder and gives a list of all files and folders inside it, despite being unable to actually read any of the files when you try to open them.

Maybe what's happening is that there is some sort of a mismatch that prevents uploads: Gnome is sending one file location that uses the actual $HOME as a point of reference (which the jailed app doesn't have access), whereas the jailed app expects a file that matches the --private=/folder point of reference.

I thought this because, when trying to save files (as someone explained above), the only time a save succeeds is when the save targets $HOME/Downloads as selected by Gnome's file selection interface. All other attempts at saving at other locations fail. And when save succeeds, it actually saves to the jailed /folder/Downloads rather than the selected $HOME/Downloads in Gnome's file selection interface.

I have no real knowledge of the underlying infrastructure so I can't pinpoint the issue any further. This is just what I observe, maybe it will help.

Incidentally, the only error in the console output is:
Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied

<!-- gh-comment-id:1115146089 --> @AdamaTNT commented on GitHub (May 2, 2022): I can also confirm that with Ubuntu 22.04 & using latest Google-Chrome, we are unable to upload anything as well. I think one issue is that the --private=/folder is not being respected by all aspects of the jailed app, such as Gnome's file selection interface. On Ubuntu 20.04, when you used the open file dialog (CTRL+O), it would look like the opened location was the home folder of the user, while actually being the /folder it was jailed at. With 22.04, however, it always opens the actual $HOME folder and gives a list of all files and folders inside it, despite being unable to actually read any of the files when you try to open them. Maybe what's happening is that there is some sort of a mismatch that prevents uploads: Gnome is sending one file location that uses the actual $HOME as a point of reference (which the jailed app doesn't have access), whereas the jailed app expects a file that matches the --private=/folder point of reference. I thought this because, when trying to save files (as someone explained above), the only time a save succeeds is when the save targets $HOME/Downloads as selected by Gnome's file selection interface. All other attempts at saving at other locations fail. And when save succeeds, it actually saves to the jailed /folder/Downloads rather than the selected $HOME/Downloads in Gnome's file selection interface. I have no real knowledge of the underlying infrastructure so I can't pinpoint the issue any further. This is just what I observe, maybe it will help. Incidentally, the only error in the console output is: Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
gitea-mirror commented 2026-05-05 09:31:16 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (May 2, 2022):

The document-portal does not support firejail (or firejail does not support the document-portal, take it as you like).

<!-- gh-comment-id:1115256926 --> @rusty-snake commented on GitHub (May 2, 2022): The document-portal does not support firejail (or firejail does not support the document-portal, take it as you like).
gitea-mirror commented 2026-05-05 09:31:16 -06:00
Author
Owner
Copy link

@marek22k commented on GitHub (May 27, 2024):

Hello,
I am also unable to upload files in Ungoogled Chromium when Firejail is enabled:

[9:22:0527/125401.021993:ERROR:select_file_dialog_linux_portal.cc(760)] Portal returned error: org.freedesktop.DBus.Error.AccessDenied: Portal operation not allowed: Unable to open /proc/44295/root

Is there a workaround?

<!-- gh-comment-id:2133429951 --> @marek22k commented on GitHub (May 27, 2024): Hello, I am also unable to upload files in Ungoogled Chromium when Firejail is enabled: ``` [9:22:0527/125401.021993:ERROR:select_file_dialog_linux_portal.cc(760)] Portal returned error: org.freedesktop.DBus.Error.AccessDenied: Portal operation not allowed: Unable to open /proc/44295/root ``` Is there a workaround?
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2858
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?