[GH-ISSUE #5414] ktorrent: Cannot start application: No such file or directory #2987

Open
opened 2026-05-05 09:38:40 -06:00 by gitea-mirror · 16 comments

Originally created by @vendion on GitHub (Oct 11, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5414

Description

Ktorrent 22.08.1 doesn't launch with the default firejail profile, instead a fatal python error is thrown.

Steps to Reproduce

Steps to reproduce the behavior

  1. Launch ktorrent via LC_ALL=C firejail /usr/bin/ktorrent (gave full path as I have firejail set up so apps are run under it by default)
  2. Ktorrent doesn't launch with lots of output to STDOUT/STDERR in the terminal

Expected behavior

Ktorrent to open up.

Actual behavior

Ktorrent errored out before even opening the main window.

Behavior without a profile

Without a profile Ktorrent opens up just fine.

Additional context

Environment

  • Distro: Arch Linux
  • Firejail version: 0.9.70

Checklist

  • [x] The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • [x] I can reproduce the issue without custom modifications (e.g. globals.local).
  • [x] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [x] The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).
  • [x] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • [ ] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program

Reading profile /etc/firejail/ktorrent.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Warning: cannot create /home/vendion/.kde/share/config/ktorrentrc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 6660, child pid 6662
1 program installed in 4.39 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: not remounting /run/user/1000/doc
Warning: not remounting /run/user/1000/gvfs
Warning: not remounting /run/user/1000/keybase/kbfs
Warning: cannot create /home/vendion/.kde/share/config/ktorrentrc
Warning: cleaning all supplementary groups
Child process initialized in 232.75 ms
Warning: env says KDE is running but SNI unavailable -- check KDE_FULL_SESSION and XDG_CURRENT_DESKTOP
Warning: The desktop entry file "/usr/share/applications/kcm_krunnersettings.desktop" has Type= "Application" but no Exec line
Warning: Invalid Service :  "/usr/share/applications/kcm_krunnersettings.desktop"
Warning: The desktop entry file "/usr/share/applications/qemu.desktop" has Type= "Application" but no Exec line
Warning: Invalid Service :  "/usr/share/applications/qemu.desktop"
Failed to create secure directory (/run/user/1000/pulse): Permission denied

(gst-plugin-scanner:22): GLib-GObject-WARNING **: 11:02:52.990: type name '-a-png-encoder-pred' contains invalid characters

(gst-plugin-scanner:22): GLib-GObject-CRITICAL **: 11:02:52.992: g_type_set_qdata: assertion 'node != NULL' failed

(gst-plugin-scanner:22): GLib-GObject-CRITICAL **: 11:02:52.992: g_type_set_qdata: assertion 'node != NULL' failed

(gst-plugin-scanner:22): GLib-GObject-WARNING **: 11:02:53.029: type name '-a-png-encoder-pred' contains invalid characters

(gst-plugin-scanner:22): GLib-GObject-CRITICAL **: 11:02:53.029: g_type_set_qdata: assertion 'node != NULL' failed

(gst-plugin-scanner:22): GLib-GObject-CRITICAL **: 11:02:53.029: g_type_set_qdata: assertion 'node != NULL' failed
Could not find platform independent libraries <prefix>
Could not find platform dependent libraries <exec_prefix>
Consider setting $PYTHONHOME to <prefix>[:<exec_prefix>]
Python path configuration:
  PYTHONHOME = (not set)
  PYTHONPATH = (not set)
  program name = 'python3'
  isolated = 0
  environment = 1
  user site = 1
  import site = 1
  sys._base_executable = ''
  sys.base_prefix = '/usr'
  sys.base_exec_prefix = '/usr'
  sys.platlibdir = 'lib'
  sys.executable = ''
  sys.prefix = '/usr'
  sys.exec_prefix = '/usr'
  sys.path = [
    '/usr/lib/python310.zip',
    '/usr/lib/python3.10',
    '/usr/lib/lib-dynload',
  ]
Fatal Python error: init_fs_encoding: failed to get the Python codec of the filesystem encoding
Python runtime state: core initialized
ModuleNotFoundError: No module named 'encodings'

Current thread 0x00007f31b77d1740 (most recent call first):
  <no Python frame>
Could not find platform independent libraries <prefix>
Could not find platform dependent libraries <exec_prefix>
Consider setting $PYTHONHOME to <prefix>[:<exec_prefix>]
Python path configuration:
  PYTHONHOME = (not set)
  PYTHONPATH = (not set)
  program name = 'python3'
  isolated = 0
  environment = 1
  user site = 1
  import site = 1
  sys._base_executable = ''
  sys.base_prefix = '/usr'
  sys.base_exec_prefix = '/usr'
  sys.platlibdir = 'lib'
  sys.executable = ''
  sys.prefix = '/usr'
  sys.exec_prefix = '/usr'
  sys.path = [
    '/usr/lib/python310.zip',
    '/usr/lib/python3.10',
    '/usr/lib/lib-dynload',
  ]
Fatal Python error: init_fs_encoding: failed to get the Python codec of the filesystem encoding
Python runtime state: core initialized
ModuleNotFoundError: No module named 'encodings'

Current thread 0x00007fe6dc8a2740 (most recent call first):
  <no Python frame>
Failed to create secure directory (/run/user/1000/pulse): Permission denied
Failed to create secure directory (/run/user/1000/pulse): Permission denied
Failed to create secure directory (/run/user/1000/pulse): Permission denied
[ALSOFT] (EE) Failed to connect PipeWire event context (errno: 112)
Failed to create secure directory (/run/user/1000/pulse): Permission denied
Failed to create secure directory (/run/user/1000/pulse): Permission denied
Failed to create secure directory (/run/user/1000/pulse): Permission denied
Failed to create secure directory (/run/user/1000/pulse): Permission denied
Failed to create secure directory (/run/user/1000/pulse): Permission denied
Failed to create secure directory (/run/user/1000/pulse): Permission denied
Warning: 0 instead of 4 arguments to message "    <html>    <body ..." supplied before conversion
Warning: WebEngineContext used before QtWebEngine::initialize() or OpenGL context creation failed.
Warning: QGLXContext: Failed to create dummy context
Check failed: sys_chroot("/proc/self/fdinfo/") == 0

Parent is shutting down, bye...

Output of LC_ALL=C firejail --debug /path/to/program

https://gist.github.com/vendion/894010a10ebc4b2d00a9834ae41c9873


@ghost commented on GitHub (Oct 11, 2022):

Python is blocked by include disable-interpreters.inc. Can you test if ktorrent works as expected when adding the below to a ~/.config/firejail/ktorrent.local:


# Allow python (blacklisted by disable-interpreters.inc)
#include allow-python2.inc
include allow-python3.inc

private-bin python*

We can add it to our default ktorrent.profile if this fixes it for you. Or you can create a PR if you want.


@vendion commented on GitHub (Oct 11, 2022):

Seems that is not all getting blocked:

Reading profile /etc/firejail/ktorrent.profile
Reading profile /home/vendion/.config/firejail/ktorrent.local
Reading profile /etc/firejail/allow-python3.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Warning: cannot create /home/vendion/.kde/share/config/ktorrentrc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 17266, child pid 17268
65 programs installed in 76.24 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: not remounting /run/user/1000/doc
Warning: not remounting /run/user/1000/gvfs
Warning: not remounting /run/user/1000/keybase/kbfs
Warning: cannot create /home/vendion/.kde/share/config/ktorrentrc
Warning: cleaning all supplementary groups
Child process initialized in 307.38 ms
Cannot start application: No such file or directory

Parent is shutting down, bye...

@ghost commented on GitHub (Oct 11, 2022):

Sadly I'm not really familiar with KDE to explain all these warnings, although IMO most of them look harmless. The ktorrent profile uses nosound so any warnings regarding pulseaudio and pipewire are to be expected. Why /home/vendion/.kde/share/config/ktorrentrc cannot be created escapes me. I guess you'll have to do more digging to pin-point what's keeping ktorrent from starting up. I'm stabbing in the dark here, but one thing that can be checked very quickly is if there have been changes that need something else in private-bin besides python*. Try with ignore private-bin to rule that out if you find the time to debug this further.


@rusty-snake commented on GitHub (Oct 11, 2022):

Also check your syslog for seccomp messages.


@kmk3 commented on GitHub (Oct 11, 2022):

@vendion commented on Oct 11:

> Warning: cannot create /home/vendion/.kde/share/config/ktorrentrc

This should be fixed by #5415.

Does it still fail with the changes from #5415?


@X6B commented on GitHub (Oct 12, 2022):

I can launch Ktorrent using the default profile on Archlinux without problems.

The real problem with Ktorrent profile is already reported: #1793

So, if you open Ktorrent for the first time, it will not save any configurations because firejail can't write on /.config/ktorrentrc. You have to launch Ktorrent outside firejail, configure the program to your liking, let Ktorrent create a valid /.config/ktorrentrc file and then use ktorrent firejailed.

In the default ktorrent profile I see strange things, for example:

private-bin kbuildsycoca4,kdeinit4 <---- KDE4 programs
.kde/ and .kde4/ folders only exist in my system because firejail (kaffeine) creates them, no program actually uses them.


@vendion commented on GitHub (Oct 14, 2022):

@X6B Odd because I do have Ktorrent already configured, and it works outside of firejail but with firejail nothing. One question, are you actively running KDE? I'm trying to launch Ktorrent from HerbstluftWM instead of KDE. Again it works without firejail this way though.

@kmk3 That at least takes care of that issue, but I'm still having the same problem.

After implementing the other suggestions in the thread here is an updated output of firejail --debug /usr/bin/ktorrent: https://gist.github.com/vendion/99fb198013bdc3ef8704290ef45bd006

@rusty-snake The only log I see seccomp in other than the debug output of firejail is AppArmor's audit log but I don't see anything for ktorrent.


@rusty-snake commented on GitHub (Oct 14, 2022):

  • Forgot, you need to run with --seccomp-error-action=log.
  • HerbstluftWM, sndio, elvish, ... such systems have much less testing
  • Does it work use elvish, shell none should be set.
  • Since --noprofile works, comment ktorrent.profile line by line to find the cause.
  • Does it work w/o deterministic-shutdown?

@vendion commented on GitHub (Oct 14, 2022):

> Does it work use elvish, shell none should be set.

I don't follow what you mean here? Should I add shell none to the ktorrent.profile?

Edit: I see now, shell=none passed in as a command line argument didn't seem to have any effect. I also don't see anything different in my logs running with seccomp-error-action=log but I did update the above gist with the new output.

Still to test is without the deterministic-shutdown and then going line by line.


@rusty-snake commented on GitHub (Oct 14, 2022):

I should not write the first part of the sentence, look up something and then write the rest without re-reading the first part ...

It should contain shell none, https://github.com/netblue30/firejail/blob/0.9.70/etc/profile-a-l/ktorrent.profile.


@X6B commented on GitHub (Oct 15, 2022):

@vendion Yes, I'm an Archlinux KDE user and never had a problem starting Ktorrent under firejail. The only problem is that the configuration files seem to be opened in read-only mode.


@vendion commented on GitHub (Oct 25, 2022):

Okay, I managed to get Ktorrent to launch under firejail with the following profile:

/etc/firejail/ktorrent.profile

# Firejail profile for ktorrent
# Description: BitTorrent client based on the KDE platform
# This file is overwritten after every install/update
# Persistent local customizations
include ktorrent.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/.config/ktorrentrc
noblacklist ${HOME}/.kde/share/apps/ktorrent
noblacklist ${HOME}/.kde/share/config/ktorrentrc
noblacklist ${HOME}/.kde4/share/apps/ktorrent
noblacklist ${HOME}/.kde4/share/config/ktorrentrc
noblacklist ${HOME}/.local/share/ktorrent
noblacklist ${HOME}/.local/share/kxmlgui5/ktorrent

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-programs.inc
include disable-shell.inc

# Legacy paths
mkdir ${HOME}/.kde4/share/apps/ktorrent
mkdir ${HOME}/.kde4/share/config
mkfile ${HOME}/.kde4/share/config/ktorrentrc

mkdir ${HOME}/.kde/share/apps/ktorrent
mkdir ${HOME}/.kde/share/config
mkdir ${HOME}/.local/share/ktorrent
mkdir ${HOME}/.local/share/kxmlgui5/ktorrent
mkfile ${HOME}/.config/ktorrentrc
mkfile ${HOME}/.kde/share/config/ktorrentrc
whitelist ${DOWNLOADS}
whitelist ${HOME}/.config/ktorrentrc
whitelist ${HOME}/.kde/share/apps/ktorrent
whitelist ${HOME}/.kde/share/config/ktorrentrc
whitelist ${HOME}/.kde4/share/apps/ktorrent
whitelist ${HOME}/.kde4/share/config/ktorrentrc
whitelist ${HOME}/.local/share/ktorrent
whitelist ${HOME}/.local/share/kxmlgui5/ktorrent
include whitelist-common.inc
include whitelist-run-common.inc
include whitelist-var-common.inc

caps.drop all
machine-id
netfilter
no3d
nodvd
nogroups
noinput
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix,inet,inet6,netlink
#seccomp

#private-bin kbuildsycoca4,kdeinit4,ktorrent
private-dev
# private-lib - problems on Arch
private-tmp

deterministic-shutdown
# memory-deny-write-execute

.config/firejail/ktorrent.local

# Allow python (blacklisted by disable-interpreters.inc)
#include allow-python2.inc
include allow-python3.inc

#private-bin python*
#ignore private-bin

#shell none

@rusty-snake commented on GitHub (Oct 25, 2022):

  • If you list changes only instead of 95% copy of the profile, it is easier for everyone to track what got changed.
    Ignoring the .local, the changes are:
The following commands are unique to ktorrent.profile:
seccomp
private-bin kbuildsycoca4,kdeinit4,ktorrent

The following commands are unique to ktorrent-modif.profile:
mkdir ${HOME}/.kde4/share/config
mkdir ${HOME}/.kde/share/config
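
A minimal comparison of the kind shown in the comment above, as an added example (not the tool used in the thread and not firejail's own code): it reduces two profiles to their effective commands, lists what is unique to each, and flags restriction keywords that dropped out. The two profile excerpts are constructed from lines quoted in this thread, and the function names are hypothetical.

```python
# Added example: compare two firejail profiles by their effective commands.
# Assumption: a line whose first non-blank character is '#' is a comment.

# Restriction keywords taken from the ktorrent profile quoted in this thread.
RESTRICTIONS = {
    "caps.drop", "no3d", "nodvd", "nogroups", "noinput", "nonewprivs",
    "noroot", "nosound", "notv", "nou2f", "novideo", "protocol", "seccomp",
    "private-bin", "private-dev", "private-lib", "private-tmp",
    "memory-deny-write-execute",
}

# Constructed excerpt standing in for the shipped ktorrent.profile.
ORIGINAL = """
# Legacy paths
mkdir ${HOME}/.kde4/share/apps/ktorrent
mkfile ${HOME}/.kde4/share/config/ktorrentrc

mkdir ${HOME}/.kde/share/apps/ktorrent
mkfile ${HOME}/.kde/share/config/ktorrentrc

caps.drop all
nonewprivs
noroot
protocol unix,inet,inet6,netlink
seccomp

private-bin kbuildsycoca4,kdeinit4,ktorrent
private-dev
private-tmp
"""

# Constructed excerpt standing in for the modified profile posted above.
MODIFIED = """
# Legacy paths
mkdir ${HOME}/.kde4/share/apps/ktorrent
mkdir ${HOME}/.kde4/share/config
mkfile ${HOME}/.kde4/share/config/ktorrentrc

mkdir ${HOME}/.kde/share/apps/ktorrent
mkdir ${HOME}/.kde/share/config
mkfile ${HOME}/.kde/share/config/ktorrentrc

caps.drop all
nonewprivs
noroot
protocol unix,inet,inet6,netlink
#seccomp

#private-bin kbuildsycoca4,kdeinit4,ktorrent
private-dev
# private-lib - problems on Arch
private-tmp
"""


def effective_commands(profile_text):
    """Return the commands in file order, skipping blank and comment lines."""
    commands = []
    for raw in profile_text.splitlines():
        line = " ".join(raw.split())  # trim and collapse whitespace
        if not line or line.startswith("#"):
            continue
        commands.append(line)
    return commands


def profile_diff(old_text, new_text):
    """Return (commands only in old, commands only in new), order preserved."""
    old = effective_commands(old_text)
    new = effective_commands(new_text)
    old_set, new_set = set(old), set(new)
    only_old = [c for c in old if c not in new_set]
    only_new = [c for c in new if c not in old_set]
    return only_old, only_new


def dropped_restrictions(old_text, new_text):
    """Return restriction keywords used in old that no command in new uses."""
    new_keywords = {c.split()[0] for c in effective_commands(new_text)}
    dropped = []
    for command in effective_commands(old_text):
        keyword = command.split()[0]
        if (keyword in RESTRICTIONS and keyword not in new_keywords
                and keyword not in dropped):
            dropped.append(keyword)
    return dropped


def report(old_name, old_text, new_name, new_text):
    """Build a text report of the differences between two profiles."""
    only_old, only_new = profile_diff(old_text, new_text)
    lines = [f"The following commands are unique to {old_name}:"] + only_old
    lines += ["", f"The following commands are unique to {new_name}:"] + only_new
    dropped = ", ".join(dropped_restrictions(old_text, new_text)) or "none"
    lines += ["", f"Restrictions no longer applied: {dropped}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("ktorrent.profile", ORIGINAL,
                 "ktorrent-modif.profile", MODIFIED))
```

Run against the full files, the last line of the report is the part to review before adopting a relaxed profile, since each entry is a sandbox restriction that no longer applies.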

@smitsohu commented on GitHub (Dec 28, 2022):

Maybe it's about time to get rid of all that kde4 cruft altogether.

From all big distributions it looks like only RHEL 7 still supports KDE/Plasma 4, and will do so till mid 2024. As far as I understand there are no free RHEL 7 clones any more, now that CentOS has been discontinued.

It would help also in other ways. Profiles like that for Okular don't have a net none, because back in the days the D-Bus session bus socket used to be abstract, and it is close to impossible to remove D-Bus access from a KDE 4 app.

Nowadays all of that is not true anymore.


@kmk3 commented on GitHub (Dec 28, 2022):

@smitsohu on Dec 28:

> Maybe it's about time to get rid of all that kde4 cruft altogether.
>
> From all big distributions it looks like only RHEL 7 still supports
> KDE/Plasma 4, and will do so till mid 2024. As far as I understand there are
> no free RHEL 7 clones any more, now that CentOS has been discontinued.
>
> It would help also in other ways. Profiles like that for Okular don't have a
> net none, because back in the days the D-Bus session bus socket used to be
> abstract, and it is close to impossible to remove D-Bus access from a KDE 4
> app.
>
> Nowadays all of that is not true anymore.

Sounds like a good idea to me.

(Though I'd postpone doing such a refactoring until after 0.9.72)

Could you open an issue to track/discuss this?


@smitsohu commented on GitHub (Dec 29, 2022):

> Could you open an issue to track/discuss this?

Yes, will do that.

> As far as I understand there are no free RHEL 7 clones any more, now that CentOS has been discontinued.

I was wrong by the way. CentOS 7 and RHEL 7 reach EOL at the same time.
