[GH-ISSUE #6773] xkeyboard-config 2.45: cannot start many programs (new /usr/share path) #3366

Closed
opened 2026-05-05 09:56:39 -06:00 by gitea-mirror · 6 comments

Originally created by @myrslint on GitHub (Jun 9, 2025).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6773

Description

I use Arch Linux with firejail built from the AUR that builds tip of the tree from this repository. Currently, a new version of xkeyboard-config, version 2.45, is in extra-testing and is due to land later in the official Arch Linux extra package repository.

Since upgrading to that version of xkeyboard-config some applications that worked fine before fail to launch under firejail. The applications I have tested which display this issue are: Firefox, Thunderbird, Gajim, KeepassXC, GoldenDict, and Zathura.

Steps to Reproduce

Steps to reproduce the behavior

  1. Run any of the listed applications, possibly any application that depends on libxkbcommon.
  2. The application fails to run with the following error message:
```
xkbcommon: ERROR: failed to add default include path /usr/share/X11/xkb
xkbcommon: ERROR: failed to add default include path /usr/share/X11/xkb
```

Expected behavior

That applications which used to work continue working.

Actual behavior

Applications don't start.

Behavior without a profile

What changed calling `LC_ALL=C firejail --noprofile /path/to/program` in a terminal?

Applications in question start fine, as they did before.

Additional context

Any other detail that may help to understand/debug the problem

Downgrading xkeyboard-config to 2.44, all else unchanged, lets everything run fine.

Alternatively, with xkeyboard-config 2.45 installed, adding `whitelist /usr/share/X11/xkb` to any application's firejail profile results in correct starting and operation of that application.

Environment

  • Name/version/arch of the Linux kernel (uname -srm): Linux 6.15.1-arch1-2 x86_64
  • Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux"): Arch Linux
  • Name/version of the relevant program(s)/package(s) (e.g. "firefox 134.0-1, mesa 1:24.3.3-2"): Current versions of each of the applications listed above, and likely more, from official Arch Linux repositories
  • Version of Firejail (firejail --version):
```
firejail version 0.9.75

Compile time support:
	- always force nonewprivs support is disabled
	- AppArmor support is disabled
	- AppImage support is enabled
	- chroot support is enabled
	- D-BUS proxy support is enabled
	- file transfer support is enabled
	- IDS support is disabled
	- Landlock support is enabled
	- networking support is enabled
	- output logging is enabled
	- overlayfs support is disabled
	- private-home support is enabled
	- private-lib support is disabled
	- private-cache and tmpfs as user enabled
	- sandbox check is enabled
	- SELinux support is disabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled
```
  • If you use a development version of firejail, also the commit from which it
    was compiled (git rev-parse HEAD): 0.9.74.r63.g87183d605-1

Checklist

  • The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • I can reproduce the issue without custom modifications (e.g. globals.local).
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • I have performed a short search for similar issues (to avoid opening a duplicate).
    • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program

```
Reading profile /etc/firejail/zathura.profile
Reading profile /home/user/.config/firejail/globals.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Reading profile /etc/firejail/disable-write-mnt.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
firejail version 0.9.75

Parent pid 16029, child pid 16030
Warning: NVIDIA card detected, nogroups command ignored
1 program installed in 1.45 ms
Private /etc installed in 11.18 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: not remounting /home/user/.gnupg/gpg.conf
Warning: not remounting /home/user/.config/ncmpcpp/config
Warning: not remounting /home/user/.gnupg/gpg.conf
Warning: not remounting /home/user/.mozilla/firefox/profiles.ini
Warning: not remounting /home/user/.config/ncmpcpp/config
Warning: not remounting /home/user/.mozilla/firefox/profiles.ini
Base filesystem installed in 109.74 ms
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Child process initialized in 197.83 ms
xkbcommon: ERROR: failed to add default include path /usr/share/X11/xkb
xkbcommon: ERROR: failed to add default include path /usr/share/X11/xkb

Parent is shutting down, bye...
```

gitea-mirror 2026-05-05 09:56:39 -06:00
  • closed this issue
  • added the bug label

@aminvakil commented on GitHub (Jun 9, 2025):

Same problem with firejail 0.9.74


@oddfellow commented on GitHub (Jun 9, 2025):

xkeyboard-config changed their keymap data path to `<prefix>/<datadir>/xkeyboard-config-2` and made `<prefix>/<datadir>/X11/xkb` a symlink.

https://gitlab.freedesktop.org/xkeyboard-config/xkeyboard-config/-/commit/fd1d8d2d4f07ac494109b1a9e72d7fe777f6757a

@myrslint commented on GitHub (Jun 9, 2025):

> xkeyboard-config changed their keymap data path to `<prefix>/<datadir>/xkeyboard-config-2` and made `<prefix>/<datadir>/X11/xkb` a symlink.
>
> https://gitlab.freedesktop.org/xkeyboard-config/xkeyboard-config/-/commit/fd1d8d2d4f07ac494109b1a9e72d7fe777f6757a

Good finding. Thank you!

I have tried, for example, `firejail --profile=/etc/firejail/firefox.profile bash` followed by `ls -R /usr/share/X11/xkb`. It seems to be able to correctly traverse, list, and access the files there. Why is libxkbcommon unable to do so later on behalf of Firefox unless `whitelist /usr/share/X11/xkb` is added to Firefox's profile?

@kmk3 commented on GitHub (Jun 9, 2025):

> xkeyboard-config changed their keymap data path to `<prefix>/<datadir>/xkeyboard-config-2` and made `<prefix>/<datadir>/X11/xkb` a symlink.
>
> https://gitlab.freedesktop.org/xkeyboard-config/xkeyboard-config/-/commit/fd1d8d2d4f07ac494109b1a9e72d7fe777f6757a

Does it work with the following in ~/.config/firejail/whitelist-usr-share-common.local?

```
whitelist /usr/share/xkeyboard-config-2
```

@myrslint commented on GitHub (Jun 9, 2025):

> > xkeyboard-config changed their keymap data path to `<prefix>/<datadir>/xkeyboard-config-2` and made `<prefix>/<datadir>/X11/xkb` a symlink.
> >
> > https://gitlab.freedesktop.org/xkeyboard-config/xkeyboard-config/-/commit/fd1d8d2d4f07ac494109b1a9e72d7fe777f6757a
>
> Does it work with the following in ~/.config/firejail/whitelist-usr-share-common.local?
>
> ```
> whitelist /usr/share/xkeyboard-config-2
> ```

It does. This seems to be a cleaner, more general way to fix it. Hopefully, that line can be added to `/etc/firejail/whitelist-usr-share-common.inc` to fix the issue globally.

@reagentoo commented on GitHub (Jun 10, 2025):

> Does it work with the following in ~/.config/firejail/whitelist-usr-share-common.local?
>
> ```
> whitelist /usr/share/xkeyboard-config-2
> ```

Fixes Telegram launch:

```
qt.qpa.wayland: failed to create xkb context
xkbcommon: ERROR: failed to add default include path /usr/share/X11/xkb
```
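The situation discussed in this thread, a symlink inside a whitelisted directory whose target lies outside the whitelist, can be checked for mechanically. The script below is an added example, not part of the thread and not firejail code; it assumes that a whitelisted symlink also exposes its resolved target (consistent with both workarounds reported above), and the `whitelist /usr/share/X11` line and the scratch tree are constructed samples.

```shell
#!/bin/sh
# Added diagnostic, not firejail code. Assumption: a whitelisted symlink also
# exposes its resolved target; anything else outside the whitelist is hidden.

# Print the path argument of every "whitelist" line in a profile fragment.
whitelist_paths() {
    awk '$1 == "whitelist" { print $2 }' "$1"
}

# Succeed if path $1 equals, or lies below, a path listed in file $2.
is_covered() {
    while IFS= read -r c; do
        case "$1" in "$c"|"$c"/*) return 0 ;; esac
    done < "$2"
    return 1
}

# dangling_links ROOT PROFILE
# Print "link -> target" for each symlink in a whitelisted directory whose
# target is not covered by the whitelist. ROOT is "/" or a test tree.
dangling_links() {
    root=$(readlink -f "$1"); root=${root%/}
    covered=$(mktemp)
    whitelist_paths "$2" | while IFS= read -r p; do
        if [ -e "$root$p" ]; then readlink -f "$root$p"; fi
    done > "$covered"
    whitelist_paths "$2" | while IFS= read -r p; do
        if [ -d "$root$p" ]; then find "$root$p" -type l; fi
    done | sort -u | while IFS= read -r link; do
        target=$(readlink -f "$link" || true)
        is_covered "$target" "$covered" || echo "${link#"$root"} -> ${target#"$root"}"
    done
    rm -f "$covered"
}

# Constructed sample: the layout described in the thread, in a scratch tree.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/usr/share/X11" "$t/usr/share/xkeyboard-config-2"
    ln -s ../xkeyboard-config-2 "$t/usr/share/X11/xkb"
    echo 'whitelist /usr/share/X11' > "$t/common.inc"     # constructed line
    echo "before:"; dangling_links "$t" "$t/common.inc"
    echo 'whitelist /usr/share/xkeyboard-config-2' >> "$t/common.inc"
    echo "after:";  dangling_links "$t" "$t/common.inc"
    rm -rf "$t"
}
demo
```

Running `dangling_links / /etc/firejail/whitelist-usr-share-common.inc` after a package upgrade lists any other data directories that have been turned into symlinks in the same way.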