[GH-ISSUE #5127] spectacle: cannot take screenshots (KDE Wayland) #2889

Open
opened 2026-05-05 09:32:49 -06:00 by gitea-mirror · 44 comments

Originally created by @wushangwei on GitHub (May 2, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5127

Description

Spectacle not working under KDE Wayland. It opens, but complains "Could not take a screenshot". However it works under x11 session.

Steps to Reproduce

  1. Click the spectacle desktop shortcut; it doesn't work.

  2. kioclient exec /home/nikki/.local/share/applications/org.kde.spectacle.desktop, doesn't work.
    Logs are shown in Log section.

  3. To reduce the dbus errors above, I created ~/.config/firejail/spectacle.local with the following content:

dbus-user.talk org.kde.JobViewServer
dbus-user.talk org.kde.kglobalaccel
dbus-user.talk org.kde.KWin
dbus-user.talk org.kde.plasmashell
dbus-user.talk org.kde.KWin.ScreenShot2

After running the command above again, the DBus errors are gone, but I am left with Screenshot request failed: "The process is not authorized to take a screenshot". It still doesn't work.

Expected behavior

Spectacle should take screenshots normally under KDE Wayland.

Actual behavior

Cannot take screenshots under KDE Wayland. Does not affect X11 session. Console outputs are provided above.
If I modify the desktop file and replace "spectacle" with "/usr/bin/spectacle", it takes screenshots normally.

Behavior without a profile

LC_ALL=C firejail --noprofile kioclient exec /home/nikki/.local/share/applications/org.kde.spectacle.desktop

Logs are shown in the Log section. The console output is similar to the one after modifying spectacle.local. It doesn't work either.

Additional context

If I simply edit the spectacle desktop file and change Exec from "spectacle" to "/usr/bin/spectacle", it works normally.

Environment

  • Arch Linux
  • firejail version 0.9.68
  • KDE Wayland

Checklist

  • [x] The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • [x] I can reproduce the issue without custom modifications (e.g. globals.local).
  • [x] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [x] The profile (and redirect profile if exists) hasn't already been fixed upstream (https://github.com/netblue30/firejail/tree/master/etc).
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).
  • [x] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • [ ] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of kioclient exec /home/nikki/.local/share/applications/org.kde.spectacle.desktop

kf.kio.core: Malformed JSON protocol file for protocol: "trash" , number of the ExtraNames fields should match the number of ExtraTypes fields
kf.service.services: KApplicationTrader: mimeType "x-scheme-handler/file" not found
Reading profile /etc/firejail/spectacle.profile
Reading profile /etc/firejail/globals.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc                                                                        
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 31315, child pid 31326
1 program installed in 2.10 ms                                 
Warning: skipping alternatives for private /etc
Private /etc installed in 6.27 ms
Private /usr/etc installed in 0.00 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Blacklist violations are logged to syslog
Warning: cleaning all supplementary groups
Child process initialized in 114.17 ms
Couldn't start kglobalaccel from org.kde.kglobalaccel.service: QDBusError("org.freedesktop.DBus.Error.ServiceUnknown", "org.freedesktop.DBus.Error.ServiceUnknown")
Error querying plasma version "org.freedesktop.DBus.Error.ServiceUnknown" "org.freedesktop.DBus.Error.ServiceUnknown"
Error querying plasma version "org.freedesktop.DBus.Error.ServiceUnknown" "org.freedesktop.DBus.Error.ServiceUnknown"
Error querying plasma version "org.freedesktop.DBus.Error.ServiceUnknown" "org.freedesktop.DBus.Error.ServiceUnknown"
Error querying plasma version "org.freedesktop.DBus.Error.ServiceUnknown" "org.freedesktop.DBus.Error.ServiceUnknown"
Error querying plasma version "org.freedesktop.DBus.Error.ServiceUnknown" "org.freedesktop.DBus.Error.ServiceUnknown"
kf.config.core: Couldn't write "/home/nikki/.config/spectaclerc" . Disk full?
Error calling KWin DBus interface: "org.freedesktop.DBus.Error.ServiceUnknown" "org.freedesktop.DBus.Error.ServiceUnknown"
libEGL warning: wayland-egl: could not open /dev/dri/renderD128 (没有那个文件或目录)
qt.qpa.wayland: Wayland does not support QWindow::requestActivate()
qt.qpa.wayland: Wayland does not support QWindow::requestActivate()
QPixmap::scaled: Pixmap is a null pixmap
"applications.menu"  not found in  ()

Parent is shutting down, bye...

Output of kioclient exec /home/nikki/.local/share/applications/org.kde.spectacle.desktop after modifying spectacle.local

kf.service.services: KApplicationTrader: mimeType "x-scheme-handler/file" not found
Reading profile /etc/firejail/spectacle.profile
Reading profile /home/nikki/.config/firejail/spectacle.local
Reading profile /etc/firejail/globals.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc                                                                        
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 32061, child pid 32075
1 program installed in 2.35 ms                                       
Warning: skipping alternatives for private /etc
Private /etc installed in 5.47 ms
Private /usr/etc installed in 0.00 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Blacklist violations are logged to syslog
Warning: cleaning all supplementary groups
Child process initialized in 115.37 ms
Screenshot request failed: "The process is not authorized to take a screenshot"
libEGL warning: wayland-egl: could not open /dev/dri/renderD128 (No such file or directory)
qt.qpa.wayland: Wayland does not support QWindow::requestActivate()
QPixmap::scaled: Pixmap is a null pixmap
"applications.menu"  not found in  ()

Parent is shutting down, bye...

Output of LC_ALL=C firejail --noprofile kioclient exec /home/nikki/.local/share/applications/org.kde.spectacle.desktop

Parent pid 32543, child pid 32544
Child process initialized in 10.20 ms
kf.service.services: KApplicationTrader: mimeType "x-scheme-handler/file" not found
Warning: an existing sandbox was detected. /usr/bin/spectacle will run without any additional sandboxing features
Screenshot request failed: "The process is not authorized to take a screenshot"
qt.qpa.wayland: Wayland does not support QWindow::requestActivate()
QPixmap::scaled: Pixmap is a null pixmap

Parent is shutting down, bye...

Output of LC_ALL=C firejail --noprofile kioclient exec /usr/share/applications/org.kde.spectacle.desktop

Parent pid 32875, child pid 32876
Child process initialized in 14.83 ms
kf.service.services: KApplicationTrader: mimeType "x-scheme-handler/file" not found
Screenshot request failed: "The process is not authorized to take a screenshot"
qt.qpa.wayland: Wayland does not support QWindow::requestActivate()
QPixmap::scaled: Pixmap is a null pixmap

Parent is shutting down, bye...

gitea-mirror added the bug label 2026-05-05 09:32:49 -06:00

@rusty-snake commented on GitHub (May 3, 2022):

> Behavior without a profile

Can you create an empty spectacle.profile in ~/.config/firejail and kill all running spectacle processes and try again.


@rusty-snake commented on GitHub (Jun 8, 2022):

I'm closing here due to inactivity, please feel free to request to reopen if you still have this issue.


@kiasoc5 commented on GitHub (Jun 10, 2022):

Is this related to https://bugs.kde.org/show_bug.cgi?id=446628 ?


@rusty-snake commented on GitHub (Jun 10, 2022):

Could be.


@kiasoc5 commented on GitHub (Jun 11, 2022):

I think it is related because if I run firecfg clean and delete ~/.local/share/applications/org.kde.spectacle.desktop, then spectacle works but firejail spectacle does not.


@rusty-snake commented on GitHub (Jan 15, 2023):

From #5245: spectacle does not even work with

$ cat ~/.config/firejail/spectacle.profile
include noprofile.profile

@rusty-snake commented on GitHub (Jan 15, 2023):

Somebody needs to investigate how the Wayland implementation works and what is breaking it.


@rusty-snake commented on GitHub (Jan 15, 2023):

Maybe (I'm guessing around) it works with join-or-start spectacle (maybe in combination with include noprofile.profile and nothing else). Or when the dbus activation is firejailed as well using firecfg.py.


@vendion commented on GitHub (Jan 15, 2023):

The following debug information has been generated from the following environment:

Distro: Arch Linux
Firejail version: firejail version 0.9.72 (installed from firejail-git 0.9.72rc1.r8990.c93ac4186-1 in the AUR)
KDE Plasma: 5.26.5
noprofile.profile set via $HOME/.config/firejail/spectacle.profile

Output of LC_ALL=C firejail --debug /usr/bin/spectacle

Building quoted command line: '/usr/bin/spectacle'
Command name #spectacle#
Found spectacle.profile profile in /home/vendion/.config/firejail directory
Reading profile /home/vendion/.config/firejail/spectacle.profile
Found noprofile.profile profile in /etc/firejail directory
Reading profile /etc/firejail/noprofile.profile
DISPLAY=:1 parsed as 1
Using the local network stack
Initializing child process
Parent pid 43373, child pid 43374
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Warning: cannot open source file /usr/lib/firejail/seccomp.debug32, file not copied
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /usr
3936 1865 254:6 /usr /usr ro,relatime master:1 - ext4 /dev/mapper/root rw
mountid=3936 fsname=/usr dir=/usr fstype=ext4
Mounting tmpfs on /var/lock
Create the new utmp file
Mount the new utmp file
Disable /home/vendion/.config/firejail
Disable /run/firejail/sandbox
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
blacklist /run/firejail/dbus
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /dev/port
Disable /dev/kmsg
Disable /proc/kmsg
Not blacklist /sys/fs
Not blacklist /sys/module
Current directory: /home/vendion
DISPLAY=:1 parsed as 1
Masking all X11 sockets except /tmp/.X11-unix/X1
Mounting read-only /run/firejail/mnt/seccomp
3960 3933 0:103 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755,inode64
mountid=3960 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs
Seccomp directory:
ls /run/firejail/mnt/seccomp
drwxr-xr-x root     root             120 .
drwxr-xr-x root     root             120 ..
-rw-r--r-- vendion  vendion          616 seccomp
-rw-r--r-- vendion  vendion          432 seccomp.32
-rw-r--r-- vendion  vendion            0 seccomp.postexec
-rw-r--r-- vendion  vendion            0 seccomp.postexec32
No active seccomp files
Drop privileges: pid 1, uid 1000, gid 1000, force_nogroups 0
Starting application
LD_PRELOAD=(null)
execvp argument 0: /usr/bin/spectacle
Child process initialized in 9.78 ms
monitoring pid 2

Screenshot request failed: "The process is not authorized to take a screenshot"
qt.qpa.wayland: Wayland does not support QWindow::requestActivate()
QPixmap::scaled: Pixmap is a null pixmap
Sandbox monitor: waitpid 2 retval 2 status 0

Parent is shutting down, bye...

@rusty-snake commented on GitHub (Jan 15, 2023):

https://github.com/flameshot-org/flameshot/issues/1380#issue-812908678:

> • KWin requires you to use the D-Bus.
> • KWin enforces security by ensuring you have the X-KDE-DBUS-Restricted-Interfaces key with the value org.kde.kwin.Screenshot.
> • KWin uses something called KApplicationTrader to find the desktop file of the process and check if the aforementioned key exists. It compares the Exec key in the desktop files and the executable location obtained from procfs to do so.
> • Flameshot does not specify the full path to the binary in its desktop file, unlike Spectacle.
> • Flameshot sets the X-KDE-DBUS-Restricted-Interfaces key to org_kde_kwin_effect-screenshot instead of org.kde.kwin.Screenshot.

That's what I feared.

> executable location obtained from procfs

~May relate to #5035. I'm not sure which pid it exactly looks at and which file it uses and if this then works or not.~

Update: Relates to #5035 because it looks at /proc/<pid>/exe and then the pid doesn't matter.

And this symlink needs to return the same path as used by Exec= in the desktop file.

https://github.com/KDE/kwin/blob/master/src/wayland/utils/executable_path_proc.cpp
https://github.com/KDE/kservice/blob/master/src/services/kapplicationtrader.cpp
Seem to be the relevant files

If we can fool KApplicationTrader it would be the simplest workaround.

> full path to the binary in its desktop file

This becomes really difficult to implement. If possible at all.
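
The check described in the comment above, as an added example (not code from KWin, KService or firejail): a simplified Python model that compares a client's /proc/<pid>/exe path with the Exec= program of each visible desktop file and then looks for the restricted-interface key, reporting why a file does not match. The function names, the exact-string comparison, the list separators and the sample desktop files are assumptions made for illustration.

```python
#!/usr/bin/env python3
# Added example: simplified model of the desktop-file check described above.
import os
import shlex
import sys

# Interface name as quoted in the comment; an assumption for any given KWin
# version, so it is a parameter everywhere below.
DEFAULT_INTERFACE = "org.kde.kwin.Screenshot"
RESTRICT_KEY = "X-KDE-DBUS-Restricted-Interfaces"


def parse_desktop_entry(text):
    """Return the key/value pairs of the [Desktop Entry] group only."""
    entry, in_group = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = (line == "[Desktop Entry]")
        elif in_group and "=" in line:
            key, value = line.split("=", 1)
            entry.setdefault(key.strip(), value.strip())
    return entry


def exec_program(entry):
    """First word of Exec=, i.e. the program path or bare name to launch."""
    try:
        words = shlex.split(entry.get("Exec", ""))
    except ValueError:  # unbalanced quotes in Exec=
        return None
    return words[0] if words else None


def granted_interfaces(entry):
    """Interfaces listed under the restricted key (',' or ';' separated)."""
    raw = entry.get(RESTRICT_KEY, "").replace(";", ",")
    return [item.strip() for item in raw.split(",") if item.strip()]


def explain(exe_path, desktop_files, interface=DEFAULT_INTERFACE):
    """Model the check for a client whose /proc/<pid>/exe is exe_path.

    desktop_files maps a label to desktop-file text. Returns (authorized,
    findings), one finding per file, so a denial can be traced to its cause.
    """
    authorized, findings = False, []
    for label, text in desktop_files.items():
        entry = parse_desktop_entry(text)
        program = exec_program(entry)
        if program != exe_path:
            # A bare name such as "spectacle" never equals an absolute path.
            findings.append((label, f"Exec program {program!r} != {exe_path!r}"))
        elif interface not in granted_interfaces(entry):
            findings.append((label, f"{RESTRICT_KEY} lacks {interface}"))
        else:
            findings.append((label, "match"))
            authorized = True
    return authorized, findings


def visible_desktop_files(dirs):
    """Load *.desktop files (top level only); earlier dirs shadow later ones."""
    found = {}
    for directory in dirs:
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            if name.endswith(".desktop") and name not in found:
                path = os.path.join(directory, name)
                with open(path, encoding="utf-8", errors="replace") as handle:
                    found[name] = handle.read()
    return found


# Constructed samples (not copied from a real system).
SYSTEM_COPY = """[Desktop Entry]
Name=Spectacle
Exec=/usr/bin/spectacle
X-KDE-DBUS-Restricted-Interfaces=org.kde.kwin.Screenshot
"""
# Per-user copy whose Exec= is the bare program name, as in the report.
USER_COPY = SYSTEM_COPY.replace("Exec=/usr/bin/spectacle", "Exec=spectacle")

if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: check_desktop_match.py PID [INTERFACE]")
    exe = os.readlink(f"/proc/{sys.argv[1]}/exe")
    wanted = sys.argv[2] if len(sys.argv) > 2 else DEFAULT_INTERFACE
    user_dir = os.path.expanduser("~/.local/share/applications")
    files = visible_desktop_files([user_dir, "/usr/share/applications"])
    ok, findings = explain(exe, files, wanted)
    for label, why in findings:
        # Only show files that mention the program at all.
        if os.path.basename(exe) in files[label]:
            print(f"{label}: {why}")
    print("authorized" if ok else "not authorized", "for", exe)
```

Run with the PID of the sandboxed client to see which desktop file, if any, the model would accept; the script name in the usage string is a placeholder.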


@jaredmo commented on GitHub (May 12, 2023):

I'm having the same issue. In the interim I commented Spectacle out of /etc/firejail/firecfg.config and deleted the .desktop file in .local/share/applications.

This works until the next time firecfg runs (which for me is every update). The desktop file is regenerated. How can that be prevented?


@kmk3 commented on GitHub (May 12, 2023):

> I'm having the same issue. In the interim I commented Spectacle out of
> /etc/firejail/firecfg.config and deleted the .desktop file in
> .local/share/applications.
>
> This works until the next time firecfg runs (which for me is every update).
> The desktop file is regenerated. How can that be prevented?

Removing it from firecfg.config should have been enough; see also:

  • https://github.com/netblue30/firejail/issues/2097
  • https://github.com/netblue30/firejail/issues/5245

As a workaround, manually create an override in ~/bin and/or
~/.local/share/applications that calls /usr/bin/spectacle instead of just
spectacle.


@jaredmo commented on GitHub (May 12, 2023):

5245 is exactly what I experienced. For now I replaced the file in .local/share/applications with the original as a stopgap. That way firecfg thinks the file already exists and doesn't attempt to recreate.


@secretmango commented on GitHub (Sep 4, 2023):

I can confirm this is still happening, Fedora 38, KDE 5.27.3


@alexpyattaev commented on GitHub (Sep 12, 2023):

Update: you need to remove two offending rules to get it to work on Wayland:

  • noroot // This breaks access to render device
  • private-dev // This makes device node invisible (so it can not be accessed)

With these changes it appears to work fine on firejail version 0.9.72 on Arch.


@ghost commented on GitHub (Sep 13, 2023):

@alexpyattaev Nice find. Can you open a PR and fix our spectacle.profile?


@alexpyattaev commented on GitHub (Sep 13, 2023):

I am not sure if my "fix" is a good one. In particular, I am unsure if a
narrower profile would work, or even what exactly noroot command does:)
Should I make a PR?

On Wed 13 Sep 2023 at 4.34, glitsj16 wrote:

> @alexpyattaev <https://github.com/alexpyattaev> Nice find. Can you open a
> PR and fix our spectacle.profile?

@ghost commented on GitHub (Sep 13, 2023):

> I am not sure if my "fix" is a good one. In particular, I am unsure if a narrower profile would work, or even what exactly noroot command does:)
> Should I make a PR?

That's understandable, although your [reasoning](https://github.com/netblue30/firejail/issues/5127#issuecomment-1715299608) looks sound to me. Let's wait for the OP and others to chime in before acting on this.

@alexpyattaev commented on GitHub (Sep 13, 2023):

> That's understandable, although your [reasoning](https://github.com/netblue30/firejail/issues/5127#issuecomment-1715299608) looks sound to me.

Well that is what makes it scary - it is just good enough to pass the "sanity check" while being made entirely of guesswork and assumptions. Kinda like GPT4 programming.

@rusty-snake commented on GitHub (Sep 13, 2023):

noroot was already known since https://github.com/netblue30/firejail/issues/5127#issuecomment-1383179762


@ghost commented on GitHub (Sep 13, 2023):

UPDATE: more testing carried out on my OpenSUSE Tumbleweed with KDE Wayland

  • confirming that both ignore noroot and ignore private-dev are needed
  • additional D-Bus user filtering is also needed: d-feet shows org.kde.KWin.Screenshot2 besides the already present org.kde.{S,s}pectacle and several other org.kde.KWin.* addresses
  • adding to the complexity is that apparently spectacle can do screenrecording (in webm or mp4 format) too (so we better open up ${VIDEOS} and drop no3d)

I'll need some more time putting together a profile that can deliver all this functionality in a reasonably secure way.


@alexpyattaev commented on GitHub (Sep 14, 2023):

There is an additional aspect to this. Apparently, the ~/.local/share/applications/org.kde.spectacle.desktop that firecfg makes somehow manages to make dbus forget that the application has the X-KDE-Wayland-Interfaces=zkde_screencast_unstable_v1 permission, which in turn makes the Pipewire daemon deny access to the screen recording.

Removing the .desktop file fixes the issue (as the system builtin file is used instead), but firejail remakes the user's local file, making spectacle fail to start. I am unsure what the problem is, as the line in .desktop that enables access to pipewire is still in place.
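
The per-user override described in the comment above, and the earlier workaround of calling /usr/bin/spectacle instead of spectacle, can be checked mechanically. The following is an added example, not firecfg or KDE code and not written by any commenter: it compares a per-user desktop entry with the system entry it shadows and reports whether each Exec= resolves to firejail. The temp-dir layout, the file contents and the lookup order (`/usr/local/bin` before `/usr/bin`) are constructed assumptions.

```python
import os
import shlex
import tempfile

# Keys this thread singles out; other keys can be passed in by the caller.
KEYS = ("Exec", "DBusActivatable", "X-KDE-Wayland-Interfaces")


def parse_desktop_entry(text):
    """Return the key/value pairs of the [Desktop Entry] group only."""
    entry, group = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]  # other groups (e.g. desktop actions) are skipped
            continue
        if group == "Desktop Entry" and "=" in line:
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip()
    return entry


def resolve_exec(exec_value, path_dirs):
    """Resolve the command of an Exec= value; return (path found, real target)."""
    argv = shlex.split(exec_value or "")
    if not argv:
        return None, None
    cmd = argv[0]
    if os.path.isabs(cmd):
        candidates = [cmd]
    else:
        candidates = [os.path.join(d, cmd) for d in path_dirs]
    for cand in candidates:
        if os.path.isfile(cand) and os.access(cand, os.X_OK):
            return cand, os.path.realpath(cand)
    return None, None


def launches_firejail(exec_value, path_dirs):
    """True when the resolved command is (a symlink to) a binary named firejail."""
    _, real = resolve_exec(exec_value, path_dirs)
    return real is not None and os.path.basename(real) == "firejail"


def audit_override(desktop_id, user_dir, system_dir, path_dirs, keys=KEYS):
    """Compare a per-user desktop entry with the system entry it shadows."""
    user_file = os.path.join(user_dir, desktop_id)
    system_file = os.path.join(system_dir, desktop_id)
    if not (os.path.isfile(user_file) and os.path.isfile(system_file)):
        return None  # nothing is shadowed
    with open(user_file, encoding="utf-8") as fh:
        user = parse_desktop_entry(fh.read())
    with open(system_file, encoding="utf-8") as fh:
        system = parse_desktop_entry(fh.read())
    diffs = {k: (system.get(k), user.get(k))
             for k in keys if system.get(k) != user.get(k)}
    return {
        "diffs": diffs,
        "user_sandboxed": launches_firejail(user.get("Exec"), path_dirs),
        "system_sandboxed": launches_firejail(system.get("Exec"), path_dirs),
    }


def build_demo_tree():
    """Constructed layout in a temp dir; returns (user_dir, system_dir, path_dirs)."""
    root = tempfile.mkdtemp(prefix="firecfg-demo-")
    usr_bin = os.path.join(root, "usr", "bin")
    local_bin = os.path.join(root, "usr", "local", "bin")
    system_dir = os.path.join(root, "usr", "share", "applications")
    user_dir = os.path.join(root, "home", ".local", "share", "applications")
    for d in (usr_bin, local_bin, system_dir, user_dir):
        os.makedirs(d)
    for name in ("firejail", "spectacle"):  # stand-in executables
        path = os.path.join(usr_bin, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, 0o755)
    # The kind of symlink firecfg places in /usr/local/bin.
    os.symlink(os.path.join(usr_bin, "firejail"),
               os.path.join(local_bin, "spectacle"))
    body = ("[Desktop Entry]\nType=Application\nName=Spectacle\nExec={exe}\n"
            "X-KDE-Wayland-Interfaces=zkde_screencast_unstable_v1\n")
    with open(os.path.join(system_dir, "org.kde.spectacle.desktop"), "w",
              encoding="utf-8") as fh:
        fh.write(body.format(exe=os.path.join(usr_bin, "spectacle")))
    with open(os.path.join(user_dir, "org.kde.spectacle.desktop"), "w",
              encoding="utf-8") as fh:
        fh.write(body.format(exe="spectacle"))
    return user_dir, system_dir, [local_bin, usr_bin]


if __name__ == "__main__":
    user_dir, system_dir, path_dirs = build_demo_tree()
    print(audit_override("org.kde.spectacle.desktop",
                         user_dir, system_dir, path_dirs))
```

In the constructed tree only Exec differs between the two entries, which matches the observation above that the X-KDE-Wayland-Interfaces line is still in place in the override.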


@secretmango commented on GitHub (Sep 14, 2023):

something that may be interesting: not only spectacle broke, but also Firefox screenshots and Ctrl+P Website printing and Flameshot Flatpak. Is this related? Would all these need separate profiles?


@ghost commented on GitHub (Sep 15, 2023):

@alexpyattaev I did notice the 'weirdness' of the spectacle desktop file(s) too. Not exactly sure what firecfg does to it (personally never used it), but AFAICT it's coded with the assumption that replacing DBusActivatable=true with DBusActivatable=false avoids D-Bus activation. But there's no such entry in the spectacle desktop file AFAICT. Maybe using [firecfg.py](https://github.com/netblue30/firejail/issues/5127#issuecomment-1383177999) from @rusty-snake might help here, don't know.

Anyway, here are my latest findings. Note that I've always opted to start the app with its -l flag (Launch Spectacle without taking a screenshot) from CLI to keep output sane while experimenting

$ QT_QPA_PLATFORM=wayland firejail --ignore=quiet /usr/bin/spectacle -l

Putting together a reliably working dbus-user filter combo (for both screenshot and screenrecording) drove me nuts. Too many variables, too many complications... IMO we should better drop it altogether from spectacle's profile. Obviously this is open for debate and just my opinion, no more, no less.

  • always needed
    • ignore noroot
    • ignore private-dev <-- NOT NEEDED
  • allow everything on the session bus (no dbus-user filtering)

If anyone wants to test/confirm/deny, here's my proposed spectacle.profile:

$ cat ~/.config/firejail/spectacle.profile
# Firejail profile for spectacle
# Description: Spectacle is a simple application for capturing desktop screenshots.
# This file is overwritten after every install/update
# Persistent local customizations
include spectacle.local
# Persistent global definitions
include globals.local

# Add the next lines to your spectacle.local to use sharing services.
#netfilter
#ignore net none
#private-etc ca-certificates,crypto-policies,pki,resolv.conf,ssl
#protocol unix,inet,inet6

noblacklist ${HOME}/.config/spectaclerc
noblacklist ${PICTURES}
noblacklist ${VIDEOS}

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-proc.inc
include disable-programs.inc
include disable-xdg.inc

mkfile ${HOME}/.config/spectaclerc
whitelist ${HOME}/.config/spectaclerc
whitelist ${DOWNLOADS}
whitelist ${PICTURES}
whitelist ${VIDEOS}
whitelist /usr/share/kconf_update/spectacle_*
include whitelist-common.inc
include whitelist-run-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

apparmor
caps.drop all
#machine-id
net none
#no3d
nodvd
nogroups
noinput
nonewprivs
noprinters
#noroot
#nosound
notv
nou2f
novideo
protocol unix
seccomp
seccomp.block-secondary
tracelog

disable-mnt
private-bin spectacle
private-cache
private-dev
private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
private-tmp

# finding a reliably working dbus-user filtering combo for
# screenshot/screenrecording functionality failed - help wanted
#dbus-user filter
#dbus-user.own org.kde.spectacle
#dbus-user.own org.kde.Spectacle
#dbus-user.talk org.freedesktop.FileManager1
#dbus-user.talk org.kde.JobViewServer
#dbus-user.talk org.kde.kglobalaccel
dbus-system none

restrict-namespaces

HTH
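
To see what the proposed profile gives up among the directives discussed in this thread, the following added example (not firejail code and not written by any commenter) walks a profile in order, applies `ignore` lines and reports which watched directives end up inactive. It assumes that `ignore X` only suppresses later lines equal to X or starting with `X `, and that `#word` marks a disabled directive while `# text` is a prose comment; the profile excerpt and the spectacle.local contents are constructed from lines quoted in the comment above.

```python
import re

# Constructed excerpt of the proposed spectacle.profile quoted above.
PROPOSED = """\
# Firejail profile for spectacle
include spectacle.local
include globals.local
apparmor
caps.drop all
net none
#no3d
nonewprivs
#noroot
#nosound
novideo
protocol unix
seccomp
private-dev
#dbus-user filter
#dbus-user.own org.kde.spectacle
dbus-system none
restrict-namespaces
"""

# Constructed spectacle.local: the "sharing services" lines from the profile
# header, as a user would write them once uncommented.
LOCAL = """\
netfilter
ignore net none
private-etc ca-certificates,crypto-policies,pki,resolv.conf,ssl
protocol unix,inet,inet6
"""

FILES = {"spectacle.profile": PROPOSED, "spectacle.local": LOCAL}

# Directives this thread discusses relaxing.
WATCHED = ("noroot", "private-dev", "no3d", "net none", "dbus-user filter")

# Heuristic (assumption): "#word" is a disabled directive, "# text" a comment.
DISABLED = re.compile(r"^#(?=\S)(.+)$")


def is_ignored(line, ignores):
    """Whole-word prefix match (assumed model of how `ignore` is applied)."""
    return any(line == ig or line.startswith(ig + " ") for ig in ignores)


def evaluate(name, files, ignores=None, state=None):
    """Walk profile `name`, following includes in order; return line buckets."""
    ignores = [] if ignores is None else ignores
    if state is None:
        state = {"active": [], "ignored": [], "disabled": []}
    for raw in files[name].splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        if not line:
            continue
        match = DISABLED.match(line)
        if match:
            state["disabled"].append(match.group(1))
            continue
        if line.startswith("#"):
            continue
        if is_ignored(line, ignores):
            state["ignored"].append(line)
            continue
        if line.startswith("ignore "):
            ignores.append(line[len("ignore "):])  # affects later lines only
            continue
        if line.startswith("include "):
            target = line[len("include "):]
            if target in files:  # includes that were not supplied are skipped
                evaluate(target, files, ignores, state)
            continue
        state["active"].append(line)
    return state


def relaxed(state, watched=WATCHED):
    """Map each watched directive that is not active to the reason why."""
    report = {}
    for directive in watched:
        if directive in state["active"]:
            continue
        if directive in state["ignored"]:
            report[directive] = "ignored"
        elif directive in state["disabled"]:
            report[directive] = "commented out"
        else:
            report[directive] = "absent"
    return report


if __name__ == "__main__":
    for directive, reason in relaxed(evaluate("spectacle.profile", FILES)).items():
        print(f"{directive}: {reason}")
```

Because spectacle.local is included first, its `ignore net none` takes effect before the profile's own `net none` line is read; under the stated assumption an `ignore` placed after the directive would change nothing.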


@ghost commented on GitHub (Sep 15, 2023):

> something that may be interesting: not only spectacle broke, but also Firefox screenshots and Ctrl+P Website printing and Flameshot Flatpak. Is this related? Would all these need separate profiles?

@firefoxlover Hard to tell whether those are related. Are you seeing all that on KDE Wayland? Or how should we understand your comment in this issue's context? Please try to describe exactly what broke where. One thing is clear though, Flatpak and Firejail don't mix:
https://github.com/netblue30/firejail/blob/eb5c97197b699dbb8ba69e798c86e5e97c36e17e/src/man/firejail.1.in#L82-L84

@alexpyattaev commented on GitHub (Sep 15, 2023):

> something that may be interesting: not only spectacle broke, but also Firefox screenshots and Ctrl+P Website printing and Flameshot Flatpak. Is this related? Would all these need separate profiles?

Firefox and chrome work just fine for me. In Firejail both of them. So I do not think it is 100% related.

@rusty-snake commented on GitHub (Sep 15, 2023):

Firefox Screenshots: Not blocked by firejail, check your Firefox profile.

Ctrl+P: Unrelated => new issue


@secretmango commented on GitHub (Sep 21, 2023):

This is not my experience though. After removing the .desktop entry generated by firejail it suddenly worked again. I didn't change anything on the profile. Ctrl+P always crashed, and screenshots had really weird issues, getting the wrong areas etc.

I expected a wayland bug but on the same system, different user profile the bugs were completely gone.

After removing the firejail .desktop files, everything was working again.


@IPlayZed commented on GitHub (Dec 19, 2023):

Removing the local desktop file solves the issue, but that is just a workaround, doesn't solve the actual problem.
This also happens to me when launching spectacle from the terminal. My terminal is a Flatpak installation.
Full log:

Reading profile /etc/firejail/spectacle.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 383424, child pid 383428
1 program installed in 3.50 ms
Warning: skipping alternatives for private /etc
Warning: skipping ld.so.preload for private /etc
Private /etc installed in 7.35 ms
Private /usr/etc installed in 0.00 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Child process initialized in 138.24 ms
libEGL warning: wayland-egl: could not open /dev/dri/renderD128 (No such file or directory)
On Wayland, Spectacle requires KDE Plasma's KWin compositor, which does not seem to be available. Use Spectacle on KDE Plasma, or use a different screenshot tool.
Failed to create secure directory (/run/user/60311/pulse): Permission denied
ALSA lib confmisc.c:855:(parse_card) cannot find card '0'
ALSA lib conf.c:5204:(_snd_config_evaluate) function snd_func_card_inum returned error: No such file or directory
ALSA lib confmisc.c:422:(snd_func_concat) error evaluating strings
ALSA lib conf.c:5204:(_snd_config_evaluate) function snd_func_concat returned error: No such file or directory
ALSA lib confmisc.c:1342:(snd_func_refer) error evaluating name
ALSA lib conf.c:5204:(_snd_config_evaluate) function snd_func_refer returned error: No such file or directory
ALSA lib conf.c:5727:(snd_config_expand) Evaluate error: No such file or directory
ALSA lib pcm.c:2675:(snd_pcm_open_noupdate) Unknown PCM default
kf.notifications: Failed to play sound with canberra: File or data not found

at this point the GUI error message pops up, after hitting OK on it, the log continues:

Remember requesting the interface on your desktop file: X-KDE-Wayland-Interfaces=zkde_screencast_unstable_v1
Couldn't start kglobalaccel from org.kde.kglobalaccel.service: QDBusError("org.freedesktop.DBus.Error.ServiceUnknown", "org.freedesktop.DBus.Error.ServiceUnknown")
"applications.menu"  not found in  ()
QPainter::begin: Paint device returned engine == 0, type: 3
QPainter::setRenderHint: Painter must be active to set rendering hints
QPainter::setRenderHint: Painter must be active to set rendering hints
QPainter::scale: Painter not active
QPainter::worldTransform: Painter not active
QPainter::scale: Painter not active
QPainter::setRenderHint: Painter must be active to set rendering hints
QPainter::scale: Painter not active
QPainter::end: Painter not active, aborted
QPainter::begin: Paint device returned engine == 0, type: 3
QPainter::setRenderHint: Painter must be active to set rendering hints
QPainter::setRenderHint: Painter must be active to set rendering hints
QPainter::scale: Painter not active
QPainter::worldTransform: Painter not active
QPainter::scale: Painter not active
QPainter::setRenderHint: Painter must be active to set rendering hints
QPainter::scale: Painter not active
QPainter::end: Painter not active, aborted

Spectacle's window opens, but no screenshot is taken.
I set up Pacman to auto generate these entries.


@secretmango commented on GitHub (Dec 19, 2023):

thanks for keeping track of this! I am more interested in bubblejail, but that one has even less tooling, so unless some big org decides to support it, it will take some time to get usable


@Real-Gecko commented on GitHub (May 15, 2024):

For me spectacle does not work with X server too, only removing symlink from /usr/local/bin and .desktop file from $HOME/.local/share/applications unlocks it to full. No advice from this issue worked.
Arch, Spectacle 24.02.2, plasma-desktop 6.0.4, xorg-server 21.1.13


@gcb commented on GitHub (Jul 19, 2024):

given that most distros ship with wayland nowadays, should firejail ship with something like:

# enable if you are not on Wayland see https://github.com/netblue30/firejail/issues/5127
!spectacle

in firecfg.conf? and this becomes an enhancement to add the profile?


@IPlayZed commented on GitHub (Jul 23, 2024):

@kmk3

> For me spectacle does not work with X server too, only removing symlink from /usr/local/bin and .desktop file from $HOME/.local/share/applications unlocks it to full. No advice from this issue worked. Arch, Spectacle 24.02.2, plasma-desktop 6.0.4, xorg-server 21.1.13

If you disable it X users will not benefit from it.

@kmk3 commented on GitHub (Jul 23, 2024):

> > For me spectacle does not work with X server too, only removing symlink
> > from /usr/local/bin and .desktop file from
> > $HOME/.local/share/applications unlocks it to full. No advice from this
> > issue worked. Arch, Spectacle 24.02.2, plasma-desktop 6.0.4,
> > xorg-server 21.1.13
>
> If you disable it X users will not benefit from it.

The comment you just quoted said that firejailed spectacle does not work on X
either.

But even if it did, profiles should work by default on common setups (xorg and
wayland) and apparently spectacle does not work at all even with
noprofile.profile on plasma/wayland.

The effect is worse for programs that are usually not started from the CLI, as
the user will not see stderr, so it's harder to tell that the issue is caused
by firejail.

Lastly, in firejail-git you can include more programs in firecfg by adding them
to /etc/firejail/firecfg.d/:

* #5876

@IPlayZed commented on GitHub (Jul 28, 2024):

Ok, so what is left to complete so we can mark this issue as completed? And as far as I understand (I tried reading the thread), the problem seems to be coming from Spectacle behaving weirdly?


@gcb commented on GitHub (Aug 8, 2024):

Do we want to do the same for things like obs and maybe others whose main functionality depends on screen capture somehow?


@Utini2000 commented on GitHub (Oct 11, 2024):

Ye so after reading this and trying all kind of workarounds, the only solution was to exclude spectacle (and obs) from firecfg.


@gcb commented on GitHub (Oct 30, 2024):

> Ye so after reading this and trying all kind of workarounds, the only solution was to exclude spectacle (and obs) from firecfg.

this has bitten me again and again :) I remove it from the config list, but then the .desktop file remains and for some reason without the permission lines it needs. And I cannot take screenshots until I remember I have to delete my desktop file in ~/.local something.

maybe someone who knows better the code can comment if the "fix" for this is to add a "delete all user desktop files created by firejail" before reaching the copy step https://github.com/netblue30/firejail/blob/master/src/firecfg/desktop_files.c#L189 ?


@kmk3 commented on GitHub (Oct 30, 2024):

> > Ye so after reading this and trying all kinds of workarounds, the only
> > solution was to exclude spectacle (and obs) from firecfg.
>
> this has bitten me again and again :) I remove it from the config list, but
> then the .desktop file remains and for some reason without the permission
> lines it needs. And I cannot take screenshots until I remember I have to
> delete my desktop file in ~/.local something.
>
> maybe someone who knows the code better can comment if the "fix" for this is
> to add a "delete all user desktop files created by firejail" before reaching
> the copy step
> https://github.com/netblue30/firejail/blob/master/src/firecfg/desktop_files.c#L189
> ?

`firecfg --clean` should remove it.

See also:

* #6268

Does it work with firejail-git?

If not, please open a new issue and follow the bug report template:

* <https://github.com/netblue30/firejail/issues/new?template=bug_report.md>

@gcb commented on GitHub (Oct 31, 2024):

My point was that `firecfg --fix` should do a `--clean` beforehand. Kinda like the root user firecfg flow does with the rules.


@VLOD-ZDOV commented on GitHub (Feb 6, 2025):

this SOMETIMES happens when I take a screenshot of an area.

```
kpipewire_vaapi_logging: VAAPI: VA-API NVDEC driver [direct backend] in use for device "/dev/dri/renderD128"
libva error: /usr/lib/dri/nvidia_drv_video.so init failed
kpipewire_vaapi_logging: VAAPI: Failed to initialize display
The cached device pixel ratio value was stale on window update.  Please file a QTBUG which explains how to reproduce.
QWaylandGLContext::makeCurrent: eglError: 0x3003, this: 0x63d3f74bd5d0 
QRhiGles2: Failed to make context current. Expect bad things to happen.
Failed to create RHI (backend 2)
Failed to initialize graphics backend for OpenGL.
fish: Job 1, 'spectacle' terminated by signal SIGABRT (Abort)
```

@gcb commented on GitHub (May 7, 2025):

Hi everyone.

This still creates the spectacle desktop files for users. Despite spectacle being commented upstream since forever.

It's the worst of both cases: no sand-boxing, no screenshots.

```
$ sudo -s
# grep spectacle /etc/firejail/firecfg.config
  #spectacle
# firecfg
...
Fixing desktop files in /home/gcb/.local/share/applications
...
   org.kde.spectacle.desktop created
...
# ^D
$ spectacle 
Remember requesting the interface on your desktop file: X-KDE-Wayland-Interfaces=zkde_screencast_unstable_v1
kpipewire_vaapi_logging: VAAPI: Mesa Gallium driver 25.0.5-arch1.1 for AMD Radeon Graphics (radeonsi, rembrandt, LLVM 19.1.7, DRM 3.61, 6.14.5-arch1-1) in use for device "/dev/dri/renderD128"
KWin screenshot request failed:
The process is not authorized to take a screenshot
Potentially relevant information:
- Method: CaptureScreen
- Method specific arguments: "eDP-1"
```


@pedroadame commented on GitHub (May 19, 2025):

> this SOMETIMES happens when I take a screenshot of an area.
>
> ```
> kpipewire_vaapi_logging: VAAPI: VA-API NVDEC driver [direct backend] in use for device "/dev/dri/renderD128"
> libva error: /usr/lib/dri/nvidia_drv_video.so init failed
> kpipewire_vaapi_logging: VAAPI: Failed to initialize display
> The cached device pixel ratio value was stale on window update.  Please file a QTBUG which explains how to reproduce.
> QWaylandGLContext::makeCurrent: eglError: 0x3003, this: 0x63d3f74bd5d0
> QRhiGles2: Failed to make context current. Expect bad things to happen.
> Failed to create RHI (backend 2)
> Failed to initialize graphics backend for OpenGL.
> fish: Job 1, 'spectacle' terminated by signal SIGABRT (Abort)
> ```

Probably not related, but I also get these errors (libva error, QWaylandGLContext::makeCurrent: eglError 0x3003, etc) when trying to invoke spectacle by shortcut to capture a region when playing Riven Remake (I haven't figured out why, no other related errors appear when playing), and then Wayland freezes (can't render new windows nor resize or move existing ones) until I close the game. I'm currently looking for an answer.


@nayrosk commented on GitHub (Feb 10, 2026):

I found a temporary solution to automatically **disable the creation of the .desktop file by firejail when install / upgrade / remove a package**. I should point out that **this works with pacman, but should be adaptable for others**. When installing Firejail, you probably created a pacman hook to configure the symlinks for each install/upgrade/remove.

In accordance with this [installation guide](https://wiki.archlinux.org/title/Firejail#Using_Firejail_by_default), I set up this hook:

```bash
❯ sudo cat /etc/pacman.d/hooks/80-firejail.hook
[Trigger]
Type = Path
Operation = Install
Operation = Upgrade
Operation = Remove
Target = usr/bin/*
Target = usr/share/applications/*.desktop

[Action]
Description = Configure symlinks in /usr/local/bin based on firecfg.config...
When = PostTransaction
Depends = firejail
Exec = /bin/sh -c 'firecfg >/dev/null 2>&1'
```

## Steps

### Update `firecfg.config`

Ensure that `spectacle` is disabled in the firejail configuration. If it is not, comment it out:

```bash
sudo vim /etc/firejail/firecfg.config
[...]
#spectacle
[...]
```

### Add a Pacman hook that will be executed after the firejail hook

According to the manual:

> "[...] Hooks are run in alphabetical order of their file name, where the ordering ignores the suffix. [...]"\
> -- <cite>man 5 alpm-hooks, [Archlinux](https://man.archlinux.org/man/alpm-hooks.5.en)</cite>

All you need to do is create a new hook that deletes the file recreated by Firejail.
**IMPORTANT: this hook must be higher in alphabetical order than Firejail's** (you can use the notation “00-xxx.hook”):

```bash
sudo vim /etc/pacman.d/hooks/99-after-firejail-remove-spectacle.hook
[Trigger]
Operation = Install
Operation = Upgrade
Operation = Remove
Type = Package
Target = *

[Action]
Description = Cleanup spectacle desktop override after firejail
When = PostTransaction
Exec = /usr/bin/rm -f /home/[YOUR_USER_FOLDER]/.local/share/applications/org.kde.spectacle.desktop
```

**Replace [YOUR_USER_FOLDER] by your real user folder (without brackets).**

Now when you modify your packages, the `.desktop` file will be automatically deleted:

```bash
:: Running post-transaction hooks...
(1/5) Arming ConditionNeedsUpdate...
(2/5) Refreshing PackageKit...
(3/5) Generating Menu Items...
(4/5) Configure symlinks in /usr/local/bin based on firecfg.config...
(5/5) Cleanup spectacle desktop override after firejail
```

Of course, if you run the `firecfg` command manually, **you will still need to delete the file**.
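
A read-only check for the two conditions reported in this thread: a `.desktop` override left in the user's applications directory although its program is commented out in `firecfg.config`, and an override that lacks the `X-KDE-*` lines of the system file. This is an added example, not part of the thread and not firejail or firecfg code; the function names, the sample tree and the one-name-per-line reading of `firecfg.config` are assumptions, and the sample files are constructed.

```shell
# Added example, not firejail code. Assumed firecfg.config format: one program
# name per line, '#' disables an entry (as with "#spectacle" in the thread).
# Succeed if program $2 is listed, uncommented, in config file $1.
is_enabled() {
    awk -v p="$2" '{ gsub(/^[ \t]+|[ \t]+$/, "") } $0 == p { f = 1 } END { exit !f }' "$1"
}

# Print the program name from the first Exec= line of .desktop file $1.
exec_prog() {
    sed -n 's/^Exec=//p' "$1" | head -n 1 | awk '{ n = split($1, a, "/"); print a[n] }'
}

# Report overrides in user dir $3 that shadow system dir $2 while disabled in $1.
stale_overrides() {
    for f in "$3"/*.desktop; do
        name=$(basename "$f")
        [ -f "$f" ] && [ -f "$2/$name" ] || continue
        prog=$(exec_prog "$f")
        [ -n "$prog" ] || continue
        is_enabled "$1" "$prog" || echo "$name"
    done
    return 0
}

# Print X-KDE-* lines of system file $1 that override $2 does not carry.
missing_kde_keys() {
    grep '^X-KDE-' "$1" | while IFS= read -r line; do
        grep -qxF -e "$line" "$2" || printf '%s\n' "$line"
    done
    return 0
}

# Constructed sample tree mirroring the reports above; prints its path.
make_sample() {
    d=$(mktemp -d) && mkdir "$d/sys" "$d/user"
    printf '%s\n' 'firefox' '#spectacle' > "$d/firecfg.config"
    printf '%s\n' '[Desktop Entry]' 'Exec=/usr/bin/spectacle' \
        'X-KDE-Wayland-Interfaces=zkde_screencast_unstable_v1' > "$d/sys/org.kde.spectacle.desktop"
    printf '%s\n' '[Desktop Entry]' 'Exec=spectacle' > "$d/user/org.kde.spectacle.desktop"
    printf '%s\n' '[Desktop Entry]' 'Exec=firefox %u' |
        tee "$d/sys/firefox.desktop" > "$d/user/firefox.desktop"
    echo "$d"
}

d=$(make_sample)
stale_overrides "$d/firecfg.config" "$d/sys" "$d/user"
missing_kde_keys "$d/sys/org.kde.spectacle.desktop" "$d/user/org.kde.spectacle.desktop"
rm -rf "$d"
```

On a real system the arguments would be `/etc/firejail/firecfg.config`, `/usr/share/applications` and `~/.local/share/applications`; the script only reports and deletes nothing outside its own temporary sample.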