[GH-ISSUE #6204] mpv: profile breaks thumbfast thumbnails #3222

Closed
opened 2026-05-05 09:50:00 -06:00 by gitea-mirror · 3 comments

Originally created by @jtrv on GitHub (Feb 8, 2024).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6204

Description

Using the default mpv.profile with uosc and thumbfast breaks thumbfast's progress bar thumbnail previews.

Steps to Reproduce

Steps to reproduce the behavior

```sh
paru -S firejail mpv mpv-uosc-git mpv-thumbfast-git
sudo firecfg
mpv video.mp4
```

Expected behavior

Hovering over the progress bar at the bottom of the screen should show thumbnail previews for the corresponding time in the video that is hovered.

Actual behavior

A single thumbnail is shown for the first point hovered over, but it won't update as you move across the progress bar.

Behavior without a profile

Works as expected

Additional context

https://github.com/po5/thumbfast/blob/master/thumbfast.lua

Environment

  • Arch Linux 6.7.2-zen1-2-zen
  • Firejail version 0.9.72

Checklist

  • The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • I can reproduce the issue without custom modifications (e.g. globals.local).
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • I have performed a short search for similar issues (to avoid opening a duplicate).
    • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

https://paste.rs/aJS4V.txt


@ghost commented on GitHub (Feb 8, 2024):

Hello. As it happens I use uosc myself with mpv thru firejail. Here are my observations. Disclaimer: I didn't change thumbfast's config, so there are other avenues beside what's briefly mentioned here.

For starters, there have been several changes to our mpv.profile compared to what's in the 0.9.72 release. Perhaps it's worthwhile to use the firejail-git package from the AUR for a smoother experience.

That being written, I did experiment a bit with the thumbfast Lua script you referenced. It took some extra loosening of mpv's sandbox, as the Lua script also calls out other commands via subprocesses. Long story short, I couldn't put together a more restrictive private-bin (yet), but the below mpv.local worked for me:

```console
$ cat ~/.config/firejail/mpv.local
ignore noexec /tmp
include allow-bin-sh.inc
ignore apparmor
# the below private-bin is missing some items
# go over the thumbfast.lua script and try to improve it
#private-bin bash,chmod,echo,ps,sh,socat,uname
ignore private-bin
```

Whether or not you're willing to cripple mpv's sandbox for the thumbfast gain is up to you. Just wanted to point that out, even though it's a nice GUI addition.


@jtrv commented on GitHub (Feb 8, 2024):

@glitsj16 thank you, all it needed was tail

```
include allow-bin-sh.inc

ignore noexec /tmp
ignore apparmor

private-bin bash,chmod,echo,ps,socat,tail,uname
```

@ghost commented on GitHub (Feb 8, 2024):

@jtrv Oh that's a nice find. Having private-bin intact is always a plus. You're welcome. Feel free to close if there's nothing left actionable now.
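
Added example, not part of the original thread and not firejail's own tooling: a Python script that parses the two mpv.local overrides posted above and reports which hardening directives each one switches off and whether the private-bin restriction survives. The function names and report keys are hypothetical; the inputs are the configs quoted in the comments.

```python
# Constructed inputs: the two mpv.local variants quoted in this thread.
FIRST = """\
ignore noexec /tmp
include allow-bin-sh.inc
ignore apparmor
# the below private-bin is missing some items
#private-bin bash,chmod,echo,ps,sh,socat,uname
ignore private-bin
"""
FINAL = """\
include allow-bin-sh.inc
ignore noexec /tmp
ignore apparmor
private-bin bash,chmod,echo,ps,socat,tail,uname
"""


def parse_local(text):
    """Return the ignored directives, includes and private-bin entries."""
    result = {"ignored": [], "includes": [], "private_bin": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment (a commented-out rule is inert)
        keyword, _, rest = line.partition(" ")
        if keyword == "ignore" and rest.strip():
            result["ignored"].append(rest.strip())
        elif keyword == "include":
            result["includes"].append(rest.strip())
        elif keyword == "private-bin":
            result["private_bin"] += [b.strip() for b in rest.split(",") if b.strip()]
    return result


def audit(text):
    """Summarise what the override gives up and what it keeps."""
    cfg = parse_local(text)
    # "ignore private-bin" drops the binary allow-list instead of extending it.
    dropped = any(i.split()[:1] == ["private-bin"] for i in cfg["ignored"])
    return {
        "disabled": sorted(cfg["ignored"]),
        "private_bin_kept": not dropped,
        "extra_bins": sorted(cfg["private_bin"]),
    }


if __name__ == "__main__":
    for name, text in (("first", FIRST), ("final", FINAL)):
        print(name, audit(text))
```

Both overrides still disable `noexec /tmp` and `apparmor`; only the first one also discards `private-bin`.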
