github-starred/firejail

Fork 0

mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00

[GH-ISSUE #6774] zeal: program does not start #3367

New issue

Open

opened 2026-05-05 09:56:43 -06:00 by gitea-mirror · 8 comments

gitea-mirror commented

2026-05-05 09:56:43 -06:00

Owner

Originally created by @marek22k on GitHub (Jun 10, 2025).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6774

Description

Zeal, an offline document reader, does not work.

Steps to Reproduce

Run in bash LC_ALL=C firejail /usr/bin/zeal
Does not open

Expected behavior

Zeal start.

Actual behavior

Zeal doesn't start / is "hanging" in the console:

$ LC_ALL=C firejail /usr/bin/zeal 
Reading profile /etc/firejail/zeal.profile
Reading profile /etc/firejail/allow-bin-sh.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-proc.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
firejail version 0.9.74

Parent pid 413990, child pid 413994
1 program installed in 6.57 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Private /etc installed in 87.83 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Base filesystem installed in 131.60 ms
Child process initialized in 356.96 ms
Detected locale "C" with character encoding "ANSI_X3.4-1968", which is not UTF-8.
Qt depends on a UTF-8 locale, and has switched to "C.UTF-8" instead.
If this causes problems, reconfigure your locale. See the locale(1) manual
for more information.

(zeal:35): dbind-WARNING **: 10:35:05.483: Couldn't connect to accessibility bus: Failed to connect to socket /run/user/1000/at-spi/bus_0: No such file or directory
Qt: Session management error: Could not open network socket
zeal.core.applicationsingleton: Singleton ID: lzg7Z38VBJMDSS2TdHRMQiBaCxEj6-Lg_5onHOe3sj4
zeal.core.applicationsingleton: Starting as a primary instance. (PID: 35)
MESA: error: Failed to query drm device.
glx: failed to create dri3 screen
failed to load driver: iris
Detected locale "C" with character encoding "ANSI_X3.4-1968", which is not UTF-8.
Qt depends on a UTF-8 locale, and has switched to "C.UTF-8" instead.
If this causes problems, reconfigure your locale. See the locale(1) manual
for more information.
Detected locale "C" with character encoding "ANSI_X3.4-1968", which is not UTF-8.
Qt depends on a UTF-8 locale, and has switched to "C.UTF-8" instead.
If this causes problems, reconfigure your locale. See the locale(1) manual
for more information.
[49:49:0610/103505.830410:ERROR:file_path_watcher_inotify.cc(895)] Failed to read /proc/sys/fs/inotify/max_user_watches
[50:50:0610/103505.831404:ERROR:file_path_watcher_inotify.cc(895)] Failed to read /proc/sys/fs/inotify/max_user_watches
[35:54:0610/103505.833325:ERROR:bus.cc(407)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
^C
Parent received signal 2, shutting down the child process...

Child received signal 2, shutting down the sandbox...

Parent is shutting down, bye...

Behavior without a profile

Zeal starts:

$ LC_ALL=C firejail --noprofile /usr/bin/zeal 
firejail version 0.9.74

Parent pid 414778, child pid 414779
Base filesystem installed in 0.07 ms
Child process initialized in 47.44 ms
Detected locale "C" with character encoding "ANSI_X3.4-1968", which is not UTF-8.
Qt depends on a UTF-8 locale, and has switched to "C.UTF-8" instead.
If this causes problems, reconfigure your locale. See the locale(1) manual
for more information.
zeal.core.applicationsingleton: Singleton ID: lzg7Z38VBJMDSS2TdHRMQiBaCxEj6-Lg_5onHOe3sj4
zeal.core.applicationsingleton: Starting as a primary instance. (PID: 3)
Detected locale "C" with character encoding "ANSI_X3.4-1968", which is not UTF-8.
Qt depends on a UTF-8 locale, and has switched to "C.UTF-8" instead.
If this causes problems, reconfigure your locale. See the locale(1) manual
for more information.
Detected locale "C" with character encoding "ANSI_X3.4-1968", which is not UTF-8.
Qt depends on a UTF-8 locale, and has switched to "C.UTF-8" instead.
If this causes problems, reconfigure your locale. See the locale(1) manual
for more information.
zeal.core.httpserver: Listening on http://127.0.0.1:36811...
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Ansible.docset/Contents/Resources/Documents' to '/ansible'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Apache_Ant.docset/Contents/Resources/Documents' to '/apache_ant'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Apache_Commons_Collections.docset/Contents/Resources/Documents' to '/apache_commons_collections'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Apache_Commons_CSV.docset/Contents/Resources/Documents' to '/apache_commons_csv'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Apache_Commons_Lang.docset/Contents/Resources/Documents' to '/apache_commons_lang'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Apache_Commons_Math.docset/Contents/Resources/Documents' to '/apache_commons_math'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Apache_Commons_Text.docset/Contents/Resources/Documents' to '/apache_commons_text'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Apache_HTTP_Server.docset/Contents/Resources/Documents' to '/apache_http_server'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Arduino.docset/Contents/Resources/Documents' to '/arduino'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/ASCII_Tables.docset/Contents/Resources/Documents' to '/ascii_tablescheats'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/babeld.docset/Contents/Resources/Documents' to '/babeld'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Bash.docset/Contents/Resources/Documents' to '/bash'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Bash_Shortcuts.docset/Contents/Resources/Documents' to '/bash_shortcutscheats'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Bash_Test_Operators.docset/Contents/Resources/Documents' to '/bash_test_operatorscheats'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/bird.docset/Contents/Resources/Documents' to '/bird'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Boost.docset/Contents/Resources/Documents' to '/boost'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/botan-api.docset/Contents/Resources/Documents' to '/botan-api'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/botan.docset/Contents/Resources/Documents' to '/botan'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/C++.docset/Contents/Resources/Documents' to '/c__'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/C.docset/Contents/Resources/Documents' to '/c'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Chrome_Dev_Tools.docset/Contents/Resources/Documents' to '/chrome_dev_toolscheats'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Chromium_Command_Line_Switches.docset/Contents/Resources/Documents' to '/chromium_command_line_switchescheats'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Clang.docset/Contents/Resources/Documents' to '/clang'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/CMake.docset/Contents/Resources/Documents' to '/cmake'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/cryptopp-api.docset/Contents/Resources/Documents' to '/cryptopp-api'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/CSS.docset/Contents/Resources/Documents' to '/css'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Docker.docset/Contents/Resources/Documents' to '/docker'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/DokuWiki.docset/Contents/Resources/Documents' to '/dokuwiki'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/easyrsa.docset/Contents/Resources/Documents' to '/easyrsa'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/ESLint.docset/Contents/Resources/Documents' to '/eslint'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/fastd.docset/Contents/Resources/Documents' to '/fastd'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Flask.docset/Contents/Resources/Documents' to '/flask'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/fping.docset/Contents/Resources/Documents' to '/fping'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/FRR.docset/Contents/Resources/Documents' to '/frr'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/GLib.docset/Contents/Resources/Documents' to '/glib'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/glibc.docset/Contents/Resources/Documents' to '/glibc'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/GNU_Autoconf.docset/Contents/Resources/Documents' to '/gnu_autoconf'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/GNU_Bison.docset/Contents/Resources/Documents' to '/gnu_bison'.
Cannot determine index file for docset GNU_Coding_Standards
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/GNU_Coding_Standards.docset/Contents/Resources/Documents' to '/gnu_coding_standards'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/GNU_Coreutils.docset/Contents/Resources/Documents' to '/gnu_coreutils'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/GNU_Libtool.docset/Contents/Resources/Documents' to '/gnu_libtool'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/GNU_Make.docset/Contents/Resources/Documents' to '/gnu_make'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/GNU_Scientific_Library.docset/Contents/Resources/Documents' to '/gnu_scientific_library'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Go.docset/Contents/Resources/Documents' to '/go'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/googletest.docset/Contents/Resources/Documents' to '/googletest'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Gradle_DSL.docset/Contents/Resources/Documents' to '/gradle_dsl'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Gradle_Java_API.docset/Contents/Resources/Documents' to '/gradle_java_api'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Gradle_User_Guide.docset/Contents/Resources/Documents' to '/gradle_user_guide'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Groovy.docset/Contents/Resources/Documents' to '/groovy'.
Could not load docset from '/home/marek/.local/share/Zeal/Zeal/docsets/Groovy_JDK.docset'. Reinstall the docset.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Guava.docset/Contents/Resources/Documents' to '/guava'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/HTML.docset/Contents/Resources/Documents' to '/html'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/HTML_Entities.docset/Contents/Resources/Documents' to '/html_entitiescheats'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/HTTP.docset/Contents/Resources/Documents' to '/http'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/HTTP_Status_Codes.docset/Contents/Resources/Documents' to '/http_status_codescheats'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/i2pd.docset/Contents/Resources/Documents' to '/i2pd'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Java.docset/Contents/Resources/Documents' to '/java'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/JavaScript.docset/Contents/Resources/Documents' to '/javascript'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Jekyll.docset/Contents/Resources/Documents' to '/jekyll'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Jinja.docset/Contents/Resources/Documents' to '/jinja'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/jq.docset/Contents/Resources/Documents' to '/jq'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/jQuery.docset/Contents/Resources/Documents' to '/jquery'.
Cannot determine index file for docset json-schema
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/json-schema.docset/Contents/Resources/Documents' to '/json-schema'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Julia.docset/Contents/Resources/Documents' to '/julia'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Kotlin.docset/Contents/Resources/Documents' to '/kotlin'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/LaTeX.docset/Contents/Resources/Documents' to '/latex'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Less.docset/Contents/Resources/Documents' to '/less'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/libhydrogen.docset/Contents/Resources/Documents' to '/libhydrogen'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/libsodium.docset/Contents/Resources/Documents' to '/libsodium'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/libuv.docset/Contents/Resources/Documents' to '/libuv'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Licenses.docset/Contents/Resources/Documents' to '/licensescheats'.
Cannot determine index file for docset Linux_Man_Pages
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Linux_Man_Pages.docset/Contents/Resources/Documents' to '/linux_man_pages'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/LLVM.docset/Contents/Resources/Documents' to '/llvm'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Lua_5.4.docset/Contents/Resources/Documents' to '/lua_5_4'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Markdown.docset/Contents/Resources/Documents' to '/markdown'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Mediawiki.docset/Contents/Resources/Documents' to '/mediawiki'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Meson.docset/Contents/Resources/Documents' to '/meson'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/monocypher.docset/Contents/Resources/Documents' to '/monocypher'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/MySQL.docset/Contents/Resources/Documents' to '/mysql'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Neovim.docset/Contents/Resources/Documents' to '/neovim'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Netcat.docset/Contents/Resources/Documents' to '/netcatcheats'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Nginx.docset/Contents/Resources/Documents' to '/nginx'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/NodeJS.docset/Contents/Resources/Documents' to '/nodejs'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/openssl.docset/Contents/Resources/Documents' to '/openssl'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/OpenVPN.docset/Contents/Resources/Documents' to '/openvpn'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Perl.docset/Contents/Resources/Documents' to '/perl'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/PHP.docset/Contents/Resources/Documents' to '/php'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/pmd.docset/Contents/Resources/Documents' to '/pmd'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/PostgreSQL.docset/Contents/Resources/Documents' to '/postgresql'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Python_3.docset/Contents/Resources/Documents' to '/python_3'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Qt_6.docset/Contents/Resources/Documents' to '/qt_6'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/R.docset/Contents/Resources/Documents' to '/r'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Regular_Expressions.docset/Contents/Resources/Documents' to '/regular_expressionscheats'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/RFCs.docset/Contents/Resources/Documents' to '/rfcs'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/RuboCop.docset/Contents/Resources/Documents' to '/rubocop'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Ruby_2.docset/Contents/Resources/Documents' to '/ruby_2'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Ruby_3.docset/Contents/Resources/Documents' to '/ruby_3'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Rust.docset/Contents/Resources/Documents' to '/rust'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/SaltStack.docset/Contents/Resources/Documents' to '/saltstack'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Scapy.docset/Contents/Resources/Documents' to '/scapy'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Sequel.docset/Contents/Resources/Documents' to '/sequel'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/socat.docset/Contents/Resources/Documents' to '/socat'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Solidity.docset/Contents/Resources/Documents' to '/solidity'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/spotbugs.docset/Contents/Resources/Documents' to '/spotbugs'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/SQLite.docset/Contents/Resources/Documents' to '/sqlite'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/stunnel.docset/Contents/Resources/Documents' to '/stunnel'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Tcl.docset/Contents/Resources/Documents' to '/tcl'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/tldr.docset/Contents/Resources/Documents' to '/tldr'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Unbound.docset/Contents/Resources/Documents' to '/unbound'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Vagrant.docset/Contents/Resources/Documents' to '/vagrant'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Vim.docset/Contents/Resources/Documents' to '/vim'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/VueJS.docset/Contents/Resources/Documents' to '/vuejs'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/VyOS.docset/Contents/Resources/Documents' to '/vyos'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/wxWidgets.docset/Contents/Resources/Documents' to '/wxwidgets'.
zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/xca.docset/Contents/Resources/Documents' to '/xca'.

Parent is shutting down, bye...

Environment

Name/version/arch of the Linux kernel (uname -srm): Linux 6.14.9-hardened1-1-hardened x86_64
Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux"): Arch Linux
Name/version of the relevant program(s)/package(s) (e.g. "firefox 134.0-1,
mesa 1:24.3.3-2"):

$ pacman -Qi zeal
Name            : zeal
Version         : 0.7.2-1
Description     : Offline API documentation browser
Architecture    : x86_64
URL             : https://zealdocs.org
Licenses        : GPL-3.0-or-later
Groups          : None
Provides        : None
Depends On      : glibc  gcc-libs  hicolor-icon-theme  qt6-webengine  qt6-base  qt6-webchannel  sqlite  libarchive  libxcb  libx11  xcb-util-keysyms
Optional Deps   : None
Required By     : None
Optional For    : None
Conflicts With  : None
Replaces        : None
Installed Size  : 1462.44 KiB
Packager        : George Rawlinson <grawlinson@archlinux.org>
Build Date      : Thu 26 Sep 2024 08:22:29 AM UTC
Install Date    : Sat 28 Sep 2024 12:20:58 AM UTC
Install Reason  : Explicitly installed
Install Script  : No
Validated By    : Signature

Version of Firejail (firejail --version):

$ firejail --version
firejail version 0.9.74

Compile time support:
	- always force nonewprivs support is disabled
	- AppArmor support is enabled
	- AppImage support is enabled
	- chroot support is enabled
	- D-BUS proxy support is enabled
	- file transfer support is enabled
	- IDS support is disabled
	- Landlock support is enabled
	- networking support is enabled
	- output logging is enabled
	- overlayfs support is disabled
	- private-home support is enabled
	- private-lib support is disabled
	- private-cache and tmpfs as user enabled
	- sandbox check is enabled
	- SELinux support is disabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled

Checklist

The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
I can reproduce the issue without custom modifications (e.g. globals.local).
The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
The profile (and redirect profile if exists) hasn't already been fixed upstream.
I have performed a short search for similar issues (to avoid opening a duplicate).
- I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program

$ LC_ALL=C firejail /usr/bin/zeal 
Reading profile /etc/firejail/zeal.profile
Reading profile /etc/firejail/allow-bin-sh.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-proc.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
firejail version 0.9.74

Parent pid 416205, child pid 416209
1 program installed in 6.25 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Private /etc installed in 81.54 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Base filesystem installed in 126.22 ms
Child process initialized in 320.21 ms
Detected locale "C" with character encoding "ANSI_X3.4-1968", which is not UTF-8.
Qt depends on a UTF-8 locale, and has switched to "C.UTF-8" instead.
If this causes problems, reconfigure your locale. See the locale(1) manual
for more information.

(zeal:35): dbind-WARNING **: 10:38:47.182: Couldn't connect to accessibility bus: Failed to connect to socket /run/user/1000/at-spi/bus_0: No such file or directory
Qt: Session management error: Could not open network socket
zeal.core.applicationsingleton: Singleton ID: lzg7Z38VBJMDSS2TdHRMQiBaCxEj6-Lg_5onHOe3sj4
zeal.core.applicationsingleton: Starting as a primary instance. (PID: 35)
MESA: error: Failed to query drm device.
glx: failed to create dri3 screen
failed to load driver: iris
Detected locale "C" with character encoding "ANSI_X3.4-1968", which is not UTF-8.
Qt depends on a UTF-8 locale, and has switched to "C.UTF-8" instead.
If this causes problems, reconfigure your locale. See the locale(1) manual
for more information.
Detected locale "C" with character encoding "ANSI_X3.4-1968", which is not UTF-8.
Qt depends on a UTF-8 locale, and has switched to "C.UTF-8" instead.
If this causes problems, reconfigure your locale. See the locale(1) manual
for more information.
[50:50:0610/103847.561101:ERROR:file_path_watcher_inotify.cc(895)] Failed to read /proc/sys/fs/inotify/max_user_watches
[35:54:0610/103847.562994:ERROR:bus.cc(407)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[49:49:0610/103847.573798:ERROR:file_path_watcher_inotify.cc(895)] Failed to read /proc/sys/fs/inotify/max_user_watches

(No GUI opens)

Output of LC_ALL=C firejail --debug /path/to/program

$ LC_ALL=C firejail --debug /usr/bin/zeal > debug.txt 2>&1

debug.txt

Originally created by @marek22k on GitHub (Jun 10, 2025). Original GitHub issue: https://github.com/netblue30/firejail/issues/6774 ### Description Zeal, an offline document reader, does not work. ### Steps to Reproduce 1. Run in bash `LC_ALL=C firejail /usr/bin/zeal` 2. Does not open ### Expected behavior Zeal start. ### Actual behavior Zeal doesn't start / is "hanging" in the console: ``` $ LC_ALL=C firejail /usr/bin/zeal Reading profile /etc/firejail/zeal.profile Reading profile /etc/firejail/allow-bin-sh.inc Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-exec.inc Reading profile /etc/firejail/disable-interpreters.inc Reading profile /etc/firejail/disable-proc.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/disable-shell.inc Reading profile /etc/firejail/disable-xdg.inc Reading profile /etc/firejail/whitelist-common.inc Reading profile /etc/firejail/whitelist-run-common.inc Reading profile /etc/firejail/whitelist-runuser-common.inc Reading profile /etc/firejail/whitelist-usr-share-common.inc Reading profile /etc/firejail/whitelist-var-common.inc firejail version 0.9.74 Parent pid 413990, child pid 413994 1 program installed in 6.57 ms Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set. Private /etc installed in 87.83 ms Warning: /sbin directory link was not blacklisted Warning: /usr/sbin directory link was not blacklisted Base filesystem installed in 131.60 ms Child process initialized in 356.96 ms Detected locale "C" with character encoding "ANSI_X3.4-1968", which is not UTF-8. Qt depends on a UTF-8 locale, and has switched to "C.UTF-8" instead. If this causes problems, reconfigure your locale. See the locale(1) manual for more information. (zeal:35): dbind-WARNING **: 10:35:05.483: Couldn't connect to accessibility bus: Failed to connect to socket /run/user/1000/at-spi/bus_0: No such file or directory Qt: Session management error: Could not open network socket zeal.core.applicationsingleton: Singleton ID: lzg7Z38VBJMDSS2TdHRMQiBaCxEj6-Lg_5onHOe3sj4 zeal.core.applicationsingleton: Starting as a primary instance. (PID: 35) MESA: error: Failed to query drm device. glx: failed to create dri3 screen failed to load driver: iris Detected locale "C" with character encoding "ANSI_X3.4-1968", which is not UTF-8. Qt depends on a UTF-8 locale, and has switched to "C.UTF-8" instead. If this causes problems, reconfigure your locale. See the locale(1) manual for more information. Detected locale "C" with character encoding "ANSI_X3.4-1968", which is not UTF-8. Qt depends on a UTF-8 locale, and has switched to "C.UTF-8" instead. If this causes problems, reconfigure your locale. See the locale(1) manual for more information. [49:49:0610/103505.830410:ERROR:file_path_watcher_inotify.cc(895)] Failed to read /proc/sys/fs/inotify/max_user_watches [50:50:0610/103505.831404:ERROR:file_path_watcher_inotify.cc(895)] Failed to read /proc/sys/fs/inotify/max_user_watches [35:54:0610/103505.833325:ERROR:bus.cc(407)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied ^C Parent received signal 2, shutting down the child process... Child received signal 2, shutting down the sandbox... Parent is shutting down, bye... ``` ### Behavior without a profile Zeal starts: ``` $ LC_ALL=C firejail --noprofile /usr/bin/zeal firejail version 0.9.74 Parent pid 414778, child pid 414779 Base filesystem installed in 0.07 ms Child process initialized in 47.44 ms Detected locale "C" with character encoding "ANSI_X3.4-1968", which is not UTF-8. Qt depends on a UTF-8 locale, and has switched to "C.UTF-8" instead. If this causes problems, reconfigure your locale. See the locale(1) manual for more information. zeal.core.applicationsingleton: Singleton ID: lzg7Z38VBJMDSS2TdHRMQiBaCxEj6-Lg_5onHOe3sj4 zeal.core.applicationsingleton: Starting as a primary instance. (PID: 3) Detected locale "C" with character encoding "ANSI_X3.4-1968", which is not UTF-8. Qt depends on a UTF-8 locale, and has switched to "C.UTF-8" instead. If this causes problems, reconfigure your locale. See the locale(1) manual for more information. Detected locale "C" with character encoding "ANSI_X3.4-1968", which is not UTF-8. Qt depends on a UTF-8 locale, and has switched to "C.UTF-8" instead. If this causes problems, reconfigure your locale. See the locale(1) manual for more information. zeal.core.httpserver: Listening on http://127.0.0.1:36811... zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Ansible.docset/Contents/Resources/Documents' to '/ansible'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Apache_Ant.docset/Contents/Resources/Documents' to '/apache_ant'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Apache_Commons_Collections.docset/Contents/Resources/Documents' to '/apache_commons_collections'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Apache_Commons_CSV.docset/Contents/Resources/Documents' to '/apache_commons_csv'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Apache_Commons_Lang.docset/Contents/Resources/Documents' to '/apache_commons_lang'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Apache_Commons_Math.docset/Contents/Resources/Documents' to '/apache_commons_math'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Apache_Commons_Text.docset/Contents/Resources/Documents' to '/apache_commons_text'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Apache_HTTP_Server.docset/Contents/Resources/Documents' to '/apache_http_server'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Arduino.docset/Contents/Resources/Documents' to '/arduino'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/ASCII_Tables.docset/Contents/Resources/Documents' to '/ascii_tablescheats'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/babeld.docset/Contents/Resources/Documents' to '/babeld'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Bash.docset/Contents/Resources/Documents' to '/bash'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Bash_Shortcuts.docset/Contents/Resources/Documents' to '/bash_shortcutscheats'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Bash_Test_Operators.docset/Contents/Resources/Documents' to '/bash_test_operatorscheats'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/bird.docset/Contents/Resources/Documents' to '/bird'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Boost.docset/Contents/Resources/Documents' to '/boost'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/botan-api.docset/Contents/Resources/Documents' to '/botan-api'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/botan.docset/Contents/Resources/Documents' to '/botan'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/C++.docset/Contents/Resources/Documents' to '/c__'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/C.docset/Contents/Resources/Documents' to '/c'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Chrome_Dev_Tools.docset/Contents/Resources/Documents' to '/chrome_dev_toolscheats'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Chromium_Command_Line_Switches.docset/Contents/Resources/Documents' to '/chromium_command_line_switchescheats'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Clang.docset/Contents/Resources/Documents' to '/clang'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/CMake.docset/Contents/Resources/Documents' to '/cmake'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/cryptopp-api.docset/Contents/Resources/Documents' to '/cryptopp-api'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/CSS.docset/Contents/Resources/Documents' to '/css'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Docker.docset/Contents/Resources/Documents' to '/docker'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/DokuWiki.docset/Contents/Resources/Documents' to '/dokuwiki'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/easyrsa.docset/Contents/Resources/Documents' to '/easyrsa'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/ESLint.docset/Contents/Resources/Documents' to '/eslint'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/fastd.docset/Contents/Resources/Documents' to '/fastd'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Flask.docset/Contents/Resources/Documents' to '/flask'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/fping.docset/Contents/Resources/Documents' to '/fping'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/FRR.docset/Contents/Resources/Documents' to '/frr'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/GLib.docset/Contents/Resources/Documents' to '/glib'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/glibc.docset/Contents/Resources/Documents' to '/glibc'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/GNU_Autoconf.docset/Contents/Resources/Documents' to '/gnu_autoconf'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/GNU_Bison.docset/Contents/Resources/Documents' to '/gnu_bison'. Cannot determine index file for docset GNU_Coding_Standards zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/GNU_Coding_Standards.docset/Contents/Resources/Documents' to '/gnu_coding_standards'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/GNU_Coreutils.docset/Contents/Resources/Documents' to '/gnu_coreutils'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/GNU_Libtool.docset/Contents/Resources/Documents' to '/gnu_libtool'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/GNU_Make.docset/Contents/Resources/Documents' to '/gnu_make'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/GNU_Scientific_Library.docset/Contents/Resources/Documents' to '/gnu_scientific_library'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Go.docset/Contents/Resources/Documents' to '/go'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/googletest.docset/Contents/Resources/Documents' to '/googletest'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Gradle_DSL.docset/Contents/Resources/Documents' to '/gradle_dsl'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Gradle_Java_API.docset/Contents/Resources/Documents' to '/gradle_java_api'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Gradle_User_Guide.docset/Contents/Resources/Documents' to '/gradle_user_guide'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Groovy.docset/Contents/Resources/Documents' to '/groovy'. Could not load docset from '/home/marek/.local/share/Zeal/Zeal/docsets/Groovy_JDK.docset'. Reinstall the docset. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Guava.docset/Contents/Resources/Documents' to '/guava'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/HTML.docset/Contents/Resources/Documents' to '/html'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/HTML_Entities.docset/Contents/Resources/Documents' to '/html_entitiescheats'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/HTTP.docset/Contents/Resources/Documents' to '/http'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/HTTP_Status_Codes.docset/Contents/Resources/Documents' to '/http_status_codescheats'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/i2pd.docset/Contents/Resources/Documents' to '/i2pd'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Java.docset/Contents/Resources/Documents' to '/java'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/JavaScript.docset/Contents/Resources/Documents' to '/javascript'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Jekyll.docset/Contents/Resources/Documents' to '/jekyll'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Jinja.docset/Contents/Resources/Documents' to '/jinja'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/jq.docset/Contents/Resources/Documents' to '/jq'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/jQuery.docset/Contents/Resources/Documents' to '/jquery'. Cannot determine index file for docset json-schema zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/json-schema.docset/Contents/Resources/Documents' to '/json-schema'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Julia.docset/Contents/Resources/Documents' to '/julia'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Kotlin.docset/Contents/Resources/Documents' to '/kotlin'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/LaTeX.docset/Contents/Resources/Documents' to '/latex'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Less.docset/Contents/Resources/Documents' to '/less'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/libhydrogen.docset/Contents/Resources/Documents' to '/libhydrogen'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/libsodium.docset/Contents/Resources/Documents' to '/libsodium'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/libuv.docset/Contents/Resources/Documents' to '/libuv'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Licenses.docset/Contents/Resources/Documents' to '/licensescheats'. Cannot determine index file for docset Linux_Man_Pages zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Linux_Man_Pages.docset/Contents/Resources/Documents' to '/linux_man_pages'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/LLVM.docset/Contents/Resources/Documents' to '/llvm'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Lua_5.4.docset/Contents/Resources/Documents' to '/lua_5_4'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Markdown.docset/Contents/Resources/Documents' to '/markdown'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Mediawiki.docset/Contents/Resources/Documents' to '/mediawiki'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Meson.docset/Contents/Resources/Documents' to '/meson'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/monocypher.docset/Contents/Resources/Documents' to '/monocypher'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/MySQL.docset/Contents/Resources/Documents' to '/mysql'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Neovim.docset/Contents/Resources/Documents' to '/neovim'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Netcat.docset/Contents/Resources/Documents' to '/netcatcheats'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Nginx.docset/Contents/Resources/Documents' to '/nginx'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/NodeJS.docset/Contents/Resources/Documents' to '/nodejs'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/openssl.docset/Contents/Resources/Documents' to '/openssl'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/OpenVPN.docset/Contents/Resources/Documents' to '/openvpn'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Perl.docset/Contents/Resources/Documents' to '/perl'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/PHP.docset/Contents/Resources/Documents' to '/php'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/pmd.docset/Contents/Resources/Documents' to '/pmd'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/PostgreSQL.docset/Contents/Resources/Documents' to '/postgresql'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Python_3.docset/Contents/Resources/Documents' to '/python_3'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Qt_6.docset/Contents/Resources/Documents' to '/qt_6'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/R.docset/Contents/Resources/Documents' to '/r'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Regular_Expressions.docset/Contents/Resources/Documents' to '/regular_expressionscheats'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/RFCs.docset/Contents/Resources/Documents' to '/rfcs'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/RuboCop.docset/Contents/Resources/Documents' to '/rubocop'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Ruby_2.docset/Contents/Resources/Documents' to '/ruby_2'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Ruby_3.docset/Contents/Resources/Documents' to '/ruby_3'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Rust.docset/Contents/Resources/Documents' to '/rust'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/SaltStack.docset/Contents/Resources/Documents' to '/saltstack'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Scapy.docset/Contents/Resources/Documents' to '/scapy'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Sequel.docset/Contents/Resources/Documents' to '/sequel'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/socat.docset/Contents/Resources/Documents' to '/socat'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Solidity.docset/Contents/Resources/Documents' to '/solidity'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/spotbugs.docset/Contents/Resources/Documents' to '/spotbugs'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/SQLite.docset/Contents/Resources/Documents' to '/sqlite'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/stunnel.docset/Contents/Resources/Documents' to '/stunnel'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Tcl.docset/Contents/Resources/Documents' to '/tcl'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/tldr.docset/Contents/Resources/Documents' to '/tldr'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Unbound.docset/Contents/Resources/Documents' to '/unbound'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Vagrant.docset/Contents/Resources/Documents' to '/vagrant'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/Vim.docset/Contents/Resources/Documents' to '/vim'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/VueJS.docset/Contents/Resources/Documents' to '/vuejs'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/VyOS.docset/Contents/Resources/Documents' to '/vyos'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/wxWidgets.docset/Contents/Resources/Documents' to '/wxwidgets'. zeal.core.httpserver: Mounted '/home/marek/.local/share/Zeal/Zeal/docsets/xca.docset/Contents/Resources/Documents' to '/xca'. Parent is shutting down, bye... ``` ### Environment - Name/version/arch of the Linux kernel (`uname -srm`): `Linux 6.14.9-hardened1-1-hardened x86_64` - Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux"): `Arch Linux` - Name/version of the relevant program(s)/package(s) (e.g. "firefox 134.0-1, mesa 1:24.3.3-2"): ``` $ pacman -Qi zeal Name : zeal Version : 0.7.2-1 Description : Offline API documentation browser Architecture : x86_64 URL : https://zealdocs.org Licenses : GPL-3.0-or-later Groups : None Provides : None Depends On : glibc gcc-libs hicolor-icon-theme qt6-webengine qt6-base qt6-webchannel sqlite libarchive libxcb libx11 xcb-util-keysyms Optional Deps : None Required By : None Optional For : None Conflicts With : None Replaces : None Installed Size : 1462.44 KiB Packager : George Rawlinson <grawlinson@archlinux.org> Build Date : Thu 26 Sep 2024 08:22:29 AM UTC Install Date : Sat 28 Sep 2024 12:20:58 AM UTC Install Reason : Explicitly installed Install Script : No Validated By : Signature ``` - Version of Firejail (`firejail --version`): ``` $ firejail --version firejail version 0.9.74 Compile time support: - always force nonewprivs support is disabled - AppArmor support is enabled - AppImage support is enabled - chroot support is enabled - D-BUS proxy support is enabled - file transfer support is enabled - IDS support is disabled - Landlock support is enabled - networking support is enabled - output logging is enabled - overlayfs support is disabled - private-home support is enabled - private-lib support is disabled - private-cache and tmpfs as user enabled - sandbox check is enabled - SELinux support is disabled - user namespace support is enabled - X11 sandboxing support is enabled ``` ### Checklist - [X] The issues is caused by firejail (i.e. running the program by path (e.g. `/usr/bin/vlc`) "fixes" it). - [X] I can reproduce the issue without custom modifications (e.g. globals.local). - [X] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`) - [ ] The profile (and redirect profile if exists) hasn't already been fixed [upstream](https://github.com/netblue30/firejail/tree/master/etc). - [X] I have performed a short search for similar issues (to avoid opening a duplicate). - [X] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers. - [ ] I used `--profile=PROFILENAME` to set the right profile. (Only relevant for AppImages) ### Log <details> <summary>Output of <code>LC_ALL=C firejail /path/to/program</code></summary> <p> ``` $ LC_ALL=C firejail /usr/bin/zeal Reading profile /etc/firejail/zeal.profile Reading profile /etc/firejail/allow-bin-sh.inc Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-exec.inc Reading profile /etc/firejail/disable-interpreters.inc Reading profile /etc/firejail/disable-proc.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/disable-shell.inc Reading profile /etc/firejail/disable-xdg.inc Reading profile /etc/firejail/whitelist-common.inc Reading profile /etc/firejail/whitelist-run-common.inc Reading profile /etc/firejail/whitelist-runuser-common.inc Reading profile /etc/firejail/whitelist-usr-share-common.inc Reading profile /etc/firejail/whitelist-var-common.inc firejail version 0.9.74 Parent pid 416205, child pid 416209 1 program installed in 6.25 ms Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set. Private /etc installed in 81.54 ms Warning: /sbin directory link was not blacklisted Warning: /usr/sbin directory link was not blacklisted Base filesystem installed in 126.22 ms Child process initialized in 320.21 ms Detected locale "C" with character encoding "ANSI_X3.4-1968", which is not UTF-8. Qt depends on a UTF-8 locale, and has switched to "C.UTF-8" instead. If this causes problems, reconfigure your locale. See the locale(1) manual for more information. (zeal:35): dbind-WARNING **: 10:38:47.182: Couldn't connect to accessibility bus: Failed to connect to socket /run/user/1000/at-spi/bus_0: No such file or directory Qt: Session management error: Could not open network socket zeal.core.applicationsingleton: Singleton ID: lzg7Z38VBJMDSS2TdHRMQiBaCxEj6-Lg_5onHOe3sj4 zeal.core.applicationsingleton: Starting as a primary instance. (PID: 35) MESA: error: Failed to query drm device. glx: failed to create dri3 screen failed to load driver: iris Detected locale "C" with character encoding "ANSI_X3.4-1968", which is not UTF-8. Qt depends on a UTF-8 locale, and has switched to "C.UTF-8" instead. If this causes problems, reconfigure your locale. See the locale(1) manual for more information. Detected locale "C" with character encoding "ANSI_X3.4-1968", which is not UTF-8. Qt depends on a UTF-8 locale, and has switched to "C.UTF-8" instead. If this causes problems, reconfigure your locale. See the locale(1) manual for more information. [50:50:0610/103847.561101:ERROR:file_path_watcher_inotify.cc(895)] Failed to read /proc/sys/fs/inotify/max_user_watches [35:54:0610/103847.562994:ERROR:bus.cc(407)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied [49:49:0610/103847.573798:ERROR:file_path_watcher_inotify.cc(895)] Failed to read /proc/sys/fs/inotify/max_user_watches ``` (No GUI opens) </p> </details> <details> <summary>Output of <code>LC_ALL=C firejail --debug /path/to/program</code></summary> <p> ``` $ LC_ALL=C firejail --debug /usr/bin/zeal > debug.txt 2>&1 ``` [debug.txt](https://github.com/user-attachments/files/20671104/debug.txt) </p> </details>

gitea-mirror added the

needinfo

label 2026-05-05 09:56:43 -06:00

gitea-mirror commented

2026-05-05 09:56:45 -06:00

Author

Owner

@kmk3 commented on GitHub (Jun 10, 2025):

[49:49:0610/103505.830410:ERROR:file_path_watcher_inotify.cc(895)] Failed to read /proc/sys/fs/inotify/max_user_watches
[50:50:0610/103505.831404:ERROR:file_path_watcher_inotify.cc(895)] Failed to read /proc/sys/fs/inotify/max_user_watches
[35:54:0610/103505.833325:ERROR:bus.cc(407)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
^C

Does it work with the following in ~/.config/firejail/zeal.local?

noblacklist /sys/fs

ignore dbus-user filter
ignore dbus-system none

If so, which lines are needed?

If not, you can try commenting lines in the profile until it works to find
which ones are causing issues.

@kmk3 commented on GitHub (Jun 10, 2025): > ``` > [49:49:0610/103505.830410:ERROR:file_path_watcher_inotify.cc(895)] Failed to read /proc/sys/fs/inotify/max_user_watches > [50:50:0610/103505.831404:ERROR:file_path_watcher_inotify.cc(895)] Failed to read /proc/sys/fs/inotify/max_user_watches > [35:54:0610/103505.833325:ERROR:bus.cc(407)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied > ^C > ``` Does it work with the following in ~/.config/firejail/zeal.local? ``` noblacklist /sys/fs ignore dbus-user filter ignore dbus-system none ``` If so, which lines are needed? If not, you can try commenting lines in the profile until it works to find which ones are causing issues.

gitea-mirror commented

2026-05-05 09:56:46 -06:00

Author

Owner

@marek22k commented on GitHub (Jun 10, 2025):

noblacklist /sys/fs

ignore dbus-user filter
ignore dbus-system none

results in another error message:

(zeal:35): dbind-WARNING **: 20:17:56.163: Couldn't connect to accessibility bus: Failed to connect to socket /run/user/1000/at-spi/bus_0: No such file or directory
Qt: Session management error: Could not open network socket
zeal.core.applicationsingleton: Singleton ID: lzg7Z38VBJMDSS2TdHRMQiBaCxEj6-Lg_5onHOe3sj4
zeal.core.applicationsingleton: Starting as a primary instance. (PID: 35)
MESA: error: Failed to query drm device.
glx: failed to create dri3 screen
failed to load driver: iris
[49:49:0610/201756.496342:ERROR:file_path_watcher_inotify.cc(895)] Failed to read /proc/sys/fs/inotify/max_user_watches
[50:50:0610/201756.496344:ERROR:file_path_watcher_inotify.cc(895)] Failed to read /proc/sys/fs/inotify/max_user_watches

If not, you can try commenting lines in the profile until it works to find which ones are causing issues.

Works with the following:

 #cat /etc/firejail/zeal.profile 
# Firejail profile for zeal
# Description: Offline API documentation browser
# This file is overwritten after every install/update
# Persistent local customizations
include zeal.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/.cache/Zeal
noblacklist ${HOME}/.config/Zeal
noblacklist ${HOME}/.local/share/Zeal

# sh is needed to allow Firefox to open links
include allow-bin-sh.inc

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-proc.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc

# The lines below are needed to find the default Firefox profile name, to allow
# opening links in an existing instance of Firefox (note that it still fails if
# there isn't a Firefox instance running with the default profile; see #5352)
noblacklist ${HOME}/.mozilla
whitelist ${HOME}/.mozilla/firefox/profiles.ini

mkdir ${HOME}/.cache/Zeal
mkdir ${HOME}/.config/Zeal
mkdir ${HOME}/.local/share/Zeal
whitelist ${HOME}/.cache/Zeal
whitelist ${HOME}/.config/Zeal
whitelist ${HOME}/.local/share/Zeal
include whitelist-common.inc
include whitelist-run-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

apparmor
caps.drop all
machine-id
netfilter
#no3d
nodvd
nogroups
noinput
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix,inet,inet6,netlink
#seccomp
#seccomp.block-secondary
tracelog

disable-mnt
private-bin zeal
private-cache
private-dev
#private-etc @tls-ca,@x11,host.conf,mime.types,rpc,services
private-tmp

dbus-user filter
?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
# Allow D-Bus communication with Firefox for opening links
dbus-user.talk org.mozilla.*
dbus-system none

# memory-deny-write-execute # breaks on Arch
restrict-namespaces

So commenting out no3d, seccomp, seccomp.block-secondary and private-etc @tls-ca,@x11,host.conf,mime.types,rpc,services.

@marek22k commented on GitHub (Jun 10, 2025): > noblacklist /sys/fs > > ignore dbus-user filter > ignore dbus-system none results in another error message: ``` (zeal:35): dbind-WARNING **: 20:17:56.163: Couldn't connect to accessibility bus: Failed to connect to socket /run/user/1000/at-spi/bus_0: No such file or directory Qt: Session management error: Could not open network socket zeal.core.applicationsingleton: Singleton ID: lzg7Z38VBJMDSS2TdHRMQiBaCxEj6-Lg_5onHOe3sj4 zeal.core.applicationsingleton: Starting as a primary instance. (PID: 35) MESA: error: Failed to query drm device. glx: failed to create dri3 screen failed to load driver: iris [49:49:0610/201756.496342:ERROR:file_path_watcher_inotify.cc(895)] Failed to read /proc/sys/fs/inotify/max_user_watches [50:50:0610/201756.496344:ERROR:file_path_watcher_inotify.cc(895)] Failed to read /proc/sys/fs/inotify/max_user_watches ``` > If not, you can try commenting lines in the profile until it works to find which ones are causing issues. Works with the following: ``` #cat /etc/firejail/zeal.profile # Firejail profile for zeal # Description: Offline API documentation browser # This file is overwritten after every install/update # Persistent local customizations include zeal.local # Persistent global definitions include globals.local noblacklist ${HOME}/.cache/Zeal noblacklist ${HOME}/.config/Zeal noblacklist ${HOME}/.local/share/Zeal # sh is needed to allow Firefox to open links include allow-bin-sh.inc include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc include disable-proc.inc include disable-programs.inc include disable-shell.inc include disable-xdg.inc # The lines below are needed to find the default Firefox profile name, to allow # opening links in an existing instance of Firefox (note that it still fails if # there isn't a Firefox instance running with the default profile; see #5352) noblacklist ${HOME}/.mozilla whitelist ${HOME}/.mozilla/firefox/profiles.ini mkdir ${HOME}/.cache/Zeal mkdir ${HOME}/.config/Zeal mkdir ${HOME}/.local/share/Zeal whitelist ${HOME}/.cache/Zeal whitelist ${HOME}/.config/Zeal whitelist ${HOME}/.local/share/Zeal include whitelist-common.inc include whitelist-run-common.inc include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor caps.drop all machine-id netfilter #no3d nodvd nogroups noinput nonewprivs noroot nosound notv nou2f novideo protocol unix,inet,inet6,netlink #seccomp #seccomp.block-secondary tracelog disable-mnt private-bin zeal private-cache private-dev #private-etc @tls-ca,@x11,host.conf,mime.types,rpc,services private-tmp dbus-user filter ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher # Allow D-Bus communication with Firefox for opening links dbus-user.talk org.mozilla.* dbus-system none # memory-deny-write-execute # breaks on Arch restrict-namespaces ``` So commenting out `no3d`, `seccomp`, `seccomp.block-secondary` and `private-etc @tls-ca,@x11,host.conf,mime.types,rpc,services`.

gitea-mirror commented

2026-05-05 09:56:46 -06:00

Author

Owner

@rusty-snake commented on GitHub (Jun 11, 2025):

So commenting out no3d, seccomp, seccomp.block-secondary and private-etc @tls-ca,@x11,host.conf,mime.types,rpc,services.

Can you try to change seccomp to seccomp !chroot (rest remains commented).

@rusty-snake commented on GitHub (Jun 11, 2025): > So commenting out no3d, seccomp, seccomp.block-secondary and private-etc @tls-ca,@x11,host.conf,mime.types,rpc,services. Can you try to change `seccomp` to `seccomp !chroot` (rest remains commented).

gitea-mirror commented

2026-05-05 09:56:47 -06:00

Author

Owner

@marek22k commented on GitHub (Jun 11, 2025):

My original bug report was apparently not quite complete. zeal sometimes crashes, independent of seccomp:

$ firejail /usr/bin/zeal 
Reading profile /etc/firejail/zeal.profile
Reading profile /etc/firejail/allow-bin-sh.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-proc.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
firejail version 0.9.74

Parent pid 4124, child pid 4128
1 program installed in 6.47 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Base filesystem installed in 122.66 ms
Child process initialized in 234.05 ms

(zeal:8): dbind-WARNING **: 18:04:15.928: Couldn't connect to accessibility bus: Failed to connect to socket /run/user/1000/at-spi/bus_0: No such file or directory
Qt: Session management error: Could not open network socket
zeal.core.applicationsingleton: Singleton ID: lzg7Z38VBJMDSS2TdHRMQiBaCxEj6-Lg_5onHOe3sj4
zeal.core.applicationsingleton: Cannot attach to the shared memory segment: "QSharedMemory::handle: doesn't exist"
zeal.core.applicationsingleton: Cannot connect to the local service: "QLocalSocket::connectToServer: Invalid name"

Parent is shutting down, bye...

Zeal also starts with seccomp and seccomp !chroot and with seccomp commented out sometimes (in most cases) and sometimes not.

When I tried to start zeal with various things commented out, it must have been one of the non-started cases.

@marek22k commented on GitHub (Jun 11, 2025): My original bug report was apparently not quite complete. zeal sometimes crashes, independent of `seccomp`: ``` $ firejail /usr/bin/zeal Reading profile /etc/firejail/zeal.profile Reading profile /etc/firejail/allow-bin-sh.inc Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-exec.inc Reading profile /etc/firejail/disable-interpreters.inc Reading profile /etc/firejail/disable-proc.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/disable-shell.inc Reading profile /etc/firejail/disable-xdg.inc Reading profile /etc/firejail/whitelist-common.inc Reading profile /etc/firejail/whitelist-run-common.inc Reading profile /etc/firejail/whitelist-runuser-common.inc Reading profile /etc/firejail/whitelist-usr-share-common.inc Reading profile /etc/firejail/whitelist-var-common.inc firejail version 0.9.74 Parent pid 4124, child pid 4128 1 program installed in 6.47 ms Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set. Warning: /sbin directory link was not blacklisted Warning: /usr/sbin directory link was not blacklisted Base filesystem installed in 122.66 ms Child process initialized in 234.05 ms (zeal:8): dbind-WARNING **: 18:04:15.928: Couldn't connect to accessibility bus: Failed to connect to socket /run/user/1000/at-spi/bus_0: No such file or directory Qt: Session management error: Could not open network socket zeal.core.applicationsingleton: Singleton ID: lzg7Z38VBJMDSS2TdHRMQiBaCxEj6-Lg_5onHOe3sj4 zeal.core.applicationsingleton: Cannot attach to the shared memory segment: "QSharedMemory::handle: doesn't exist" zeal.core.applicationsingleton: Cannot connect to the local service: "QLocalSocket::connectToServer: Invalid name" Parent is shutting down, bye... ``` Zeal also starts with `seccomp` and `seccomp !chroot` and with `seccomp` commented out sometimes (in most cases) and sometimes not. When I tried to start zeal with various things commented out, it must have been one of the non-started cases.

gitea-mirror commented

2026-05-05 09:56:48 -06:00

Author

Owner

@kmk3 commented on GitHub (Jun 11, 2025):

What is the content of foo.profile with the following?

firejail --build=foo.profile /usr/bin/zeal

@kmk3 commented on GitHub (Jun 11, 2025): What is the content of foo.profile with the following? ```sh firejail --build=foo.profile /usr/bin/zeal ```

gitea-mirror commented

2026-05-05 09:56:49 -06:00

Author

Owner

@marek22k commented on GitHub (Jun 12, 2025):

$ firejail --build=foo.profile /usr/bin/zeal
zeal.core.applicationsingleton: Singleton ID: lzg7Z38VBJMDSS2TdHRMQiBaCxEj6-Lg_5onHOe3sj4
zeal.core.applicationsingleton: Starting as a primary instance. (PID: 5)
[5:5:0612/072014.582773:FATAL:zygote_host_impl_linux.cc(206)] Check failed: . : Message too long (90)

Zeal doesn't start.

$ cat foo.profile 
# Save this file as "application.profile" (change "application" with the
# program name) in ~/.config/firejail directory. Firejail will find it
# automatically every time you sandbox your application.
#
# Run "firejail application" to test it. In the file there are
# some other commands you can try. Enable them by removing the "#".

# Firejail profile for /usr/bin/zeal
# Persistent local customizations
#include /usr/bin/zeal.local
# Persistent global definitions
#include globals.local

### Basic Blacklisting ###
### Enable as many of them as you can! A very important one is
### "disable-exec.inc". This will make among other things your home
### and /tmp directories non-executable.
include disable-common.inc	# dangerous directories like ~/.ssh and ~/.gnupg
#include disable-devel.inc	# development tools such as gcc and gdb
#include disable-exec.inc	# non-executable directories such as /var, /tmp, and /home
#include disable-interpreters.inc	# perl, python, lua etc.
include disable-programs.inc	# user configuration for programs such as firefox, vlc etc.
#include disable-shell.inc	# sh, bash, zsh etc.
#include disable-xdg.inc	# standard user directories: Documents, Pictures, Videos, Music

### Home Directory Whitelisting ###
### If something goes wrong, this section is the first one to comment out.
### Instead, you'll have to relay on the basic blacklisting above.
whitelist ${HOME}/.config/chromium
whitelist ${HOME}/.config/chromium/WidevineCdm
whitelist ${HOME}/.cache/mesa_shader_cache_db
whitelist ${HOME}/.config/Zeal
whitelist ${HOME}/.Xdefaults-finnian
include whitelist-common.inc

### Filesystem Whitelisting ###
include whitelist-run-common.inc
whitelist ${RUNUSER}/at-spi/bus_0
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

#apparmor	# if you have AppArmor running, try this one!
caps.drop all
ipc-namespace
netfilter
#no3d	# disable 3D acceleration
#nodvd	# disable DVD and CD devices
#nogroups	# disable supplementary user groups
#noinput	# disable input devices
nonewprivs
noroot
#notpm	# disable TPM devices
#notv	# disable DVB TV devices
#nou2f	# disable U2F devices
#novideo	# disable video capture devices
protocol unix,
net none
seccomp !chroot	# allowing chroot, just in case this is an Electron app
#tracelog	# send blacklist violations to syslog

#disable-mnt	# no access to /mnt, /media, /run/mount and /run/media
private-bin zeal,
#private-cache	# run with an empty ~/.cache directory
private-dev
private-etc localtime,drirc,fonts,xdg,gtk-3.0,gnutls,
#private-lib
#private-tmp
# File accessed in /tmp directory:
# /tmp/.unqeqJ,/tmp/lzg7Z38VBJMDSS2TdHRMQiBaCxEj6-Lg_5onHOe3sj4,/tmp/qipc_sharedmemory_lzgZVBJMDSSTdHRMQiBaCxEjLgonHOesj3bac79918951643e3dac6cdccf6a29f58f5d7391,/tmp/qipc_systemsem_lzgZVBJMDSSTdHRMQiBaCxEjLgonHOesj3bac79918951643e3dac6cdccf6a29f58f5d7391,/tmp/.ICE-unix/1094,
#dbus-user none
#dbus-system none

#memory-deny-write-execute

@marek22k commented on GitHub (Jun 12, 2025): ``` $ firejail --build=foo.profile /usr/bin/zeal zeal.core.applicationsingleton: Singleton ID: lzg7Z38VBJMDSS2TdHRMQiBaCxEj6-Lg_5onHOe3sj4 zeal.core.applicationsingleton: Starting as a primary instance. (PID: 5) [5:5:0612/072014.582773:FATAL:zygote_host_impl_linux.cc(206)] Check failed: . : Message too long (90) ``` Zeal doesn't start. ``` $ cat foo.profile # Save this file as "application.profile" (change "application" with the # program name) in ~/.config/firejail directory. Firejail will find it # automatically every time you sandbox your application. # # Run "firejail application" to test it. In the file there are # some other commands you can try. Enable them by removing the "#". # Firejail profile for /usr/bin/zeal # Persistent local customizations #include /usr/bin/zeal.local # Persistent global definitions #include globals.local ### Basic Blacklisting ### ### Enable as many of them as you can! A very important one is ### "disable-exec.inc". This will make among other things your home ### and /tmp directories non-executable. include disable-common.inc # dangerous directories like ~/.ssh and ~/.gnupg #include disable-devel.inc # development tools such as gcc and gdb #include disable-exec.inc # non-executable directories such as /var, /tmp, and /home #include disable-interpreters.inc # perl, python, lua etc. include disable-programs.inc # user configuration for programs such as firefox, vlc etc. #include disable-shell.inc # sh, bash, zsh etc. #include disable-xdg.inc # standard user directories: Documents, Pictures, Videos, Music ### Home Directory Whitelisting ### ### If something goes wrong, this section is the first one to comment out. ### Instead, you'll have to relay on the basic blacklisting above. whitelist ${HOME}/.config/chromium whitelist ${HOME}/.config/chromium/WidevineCdm whitelist ${HOME}/.cache/mesa_shader_cache_db whitelist ${HOME}/.config/Zeal whitelist ${HOME}/.Xdefaults-finnian include whitelist-common.inc ### Filesystem Whitelisting ### include whitelist-run-common.inc whitelist ${RUNUSER}/at-spi/bus_0 include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc #apparmor # if you have AppArmor running, try this one! caps.drop all ipc-namespace netfilter #no3d # disable 3D acceleration #nodvd # disable DVD and CD devices #nogroups # disable supplementary user groups #noinput # disable input devices nonewprivs noroot #notpm # disable TPM devices #notv # disable DVB TV devices #nou2f # disable U2F devices #novideo # disable video capture devices protocol unix, net none seccomp !chroot # allowing chroot, just in case this is an Electron app #tracelog # send blacklist violations to syslog #disable-mnt # no access to /mnt, /media, /run/mount and /run/media private-bin zeal, #private-cache # run with an empty ~/.cache directory private-dev private-etc localtime,drirc,fonts,xdg,gtk-3.0,gnutls, #private-lib #private-tmp # File accessed in /tmp directory: # /tmp/.unqeqJ,/tmp/lzg7Z38VBJMDSS2TdHRMQiBaCxEj6-Lg_5onHOe3sj4,/tmp/qipc_sharedmemory_lzgZVBJMDSSTdHRMQiBaCxEjLgonHOesj3bac79918951643e3dac6cdccf6a29f58f5d7391,/tmp/qipc_systemsem_lzgZVBJMDSSTdHRMQiBaCxEjLgonHOesj3bac79918951643e3dac6cdccf6a29f58f5d7391,/tmp/.ICE-unix/1094, #dbus-user none #dbus-system none #memory-deny-write-execute ```

gitea-mirror commented

2026-05-05 09:56:49 -06:00

Author

Owner

@kmk3 commented on GitHub (Jun 12, 2025):

### Home Directory Whitelisting ###
### If something goes wrong, this section is the first one to comment out.
### Instead, you'll have to relay on the basic blacklisting above.
whitelist ${HOME}/.config/chromium
whitelist ${HOME}/.config/chromium/WidevineCdm
whitelist ${HOME}/.cache/mesa_shader_cache_db
whitelist ${HOME}/.config/Zeal
whitelist ${HOME}/.Xdefaults-finnian
include whitelist-common.inc

Any idea why it tries to access ~/.config/chromium?

Does it use electron or something similar?

Edit: I see now that it uses Qt WebEngine.

What is the content of trace.txt with the following?

firejail --trace=trace.txt --profile=zeal /usr/bin/zeal

@kmk3 commented on GitHub (Jun 12, 2025): > ``` > ### Home Directory Whitelisting ### > ### If something goes wrong, this section is the first one to comment out. > ### Instead, you'll have to relay on the basic blacklisting above. > whitelist ${HOME}/.config/chromium > whitelist ${HOME}/.config/chromium/WidevineCdm > whitelist ${HOME}/.cache/mesa_shader_cache_db > whitelist ${HOME}/.config/Zeal > whitelist ${HOME}/.Xdefaults-finnian > include whitelist-common.inc > ``` Any idea why it tries to access ~/.config/chromium? Does it use electron or something similar? Edit: I see now that it uses Qt WebEngine. What is the content of trace.txt with the following? ```sh firejail --trace=trace.txt --profile=zeal /usr/bin/zeal ```

gitea-mirror commented

2026-05-05 09:56:49 -06:00

Author

Owner

@marek22k commented on GitHub (Jun 12, 2025):

Does it use electron or something similar?

Edit: I see now that it uses Qt WebEngine.

A built-in web browser is used to view the documentation. (Zeal starts a server on localhost and this browser then opens the corresponding page there).

What is the content of trace.txt with the following?

firejail --trace=trace.txt --profile=zeal /usr/bin/zeal

Decommented with all again:

$ firejail --trace=trace.txt --profile=zeal /usr/bin/zeal
Reading profile /etc/firejail/zeal.profile
Reading profile /etc/firejail/allow-bin-sh.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-proc.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
firejail version 0.9.74

Parent pid 13877, child pid 13881
1 program installed in 6.57 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Private /etc installed in 81.64 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Base filesystem installed in 118.53 ms
Child process initialized in 310.84 ms

(zeal:36): dbind-WARNING **: 08:15:12.148: Couldn't connect to accessibility bus: Failed to connect to socket /run/user/1000/at-spi/bus_0: No such file or directory
Qt: Session management error: Could not open network socket
zeal.core.applicationsingleton: Singleton ID: lzg7Z38VBJMDSS2TdHRMQiBaCxEj6-Lg_5onHOe3sj4
zeal.core.applicationsingleton: Starting as a primary instance. (PID: 36)
MESA: error: Failed to query drm device.
glx: failed to create dri3 screen
failed to load driver: iris
[36:54:0612/081512.438625:ERROR:bus.cc(407)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[50:50:0612/081512.587215:ERROR:file_path_watcher_inotify.cc(895)] Failed to read /proc/sys/fs/inotify/max_user_watches
[51:51:0612/081512.595399:ERROR:file_path_watcher_inotify.cc(895)] Failed to read /proc/sys/fs/inotify/max_user_watches
^C
Parent received signal 2, shutting down the child process...

Child received signal 2, shutting down the sandbox...

Parent is shutting down, bye...

(it hangs, I press Ctrl+C)

trace.txt

@marek22k commented on GitHub (Jun 12, 2025): > Does it use electron or something similar? > > Edit: I see now that it uses Qt WebEngine. A built-in web browser is used to view the documentation. (Zeal starts a server on localhost and this browser then opens the corresponding page there). > What is the content of trace.txt with the following? > > firejail --trace=trace.txt --profile=zeal /usr/bin/zeal Decommented with all again: ``` $ firejail --trace=trace.txt --profile=zeal /usr/bin/zeal Reading profile /etc/firejail/zeal.profile Reading profile /etc/firejail/allow-bin-sh.inc Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-exec.inc Reading profile /etc/firejail/disable-interpreters.inc Reading profile /etc/firejail/disable-proc.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/disable-shell.inc Reading profile /etc/firejail/disable-xdg.inc Reading profile /etc/firejail/whitelist-common.inc Reading profile /etc/firejail/whitelist-run-common.inc Reading profile /etc/firejail/whitelist-runuser-common.inc Reading profile /etc/firejail/whitelist-usr-share-common.inc Reading profile /etc/firejail/whitelist-var-common.inc firejail version 0.9.74 Parent pid 13877, child pid 13881 1 program installed in 6.57 ms Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set. Private /etc installed in 81.64 ms Warning: /sbin directory link was not blacklisted Warning: /usr/sbin directory link was not blacklisted Base filesystem installed in 118.53 ms Child process initialized in 310.84 ms (zeal:36): dbind-WARNING **: 08:15:12.148: Couldn't connect to accessibility bus: Failed to connect to socket /run/user/1000/at-spi/bus_0: No such file or directory Qt: Session management error: Could not open network socket zeal.core.applicationsingleton: Singleton ID: lzg7Z38VBJMDSS2TdHRMQiBaCxEj6-Lg_5onHOe3sj4 zeal.core.applicationsingleton: Starting as a primary instance. (PID: 36) MESA: error: Failed to query drm device. glx: failed to create dri3 screen failed to load driver: iris [36:54:0612/081512.438625:ERROR:bus.cc(407)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied [50:50:0612/081512.587215:ERROR:file_path_watcher_inotify.cc(895)] Failed to read /proc/sys/fs/inotify/max_user_watches [51:51:0612/081512.595399:ERROR:file_path_watcher_inotify.cc(895)] Failed to read /proc/sys/fs/inotify/max_user_watches ^C Parent received signal 2, shutting down the child process... Child received signal 2, shutting down the sandbox... Parent is shutting down, bye... ``` (it hangs, I press Ctrl+C) [trace.txt](https://github.com/user-attachments/files/20705001/trace.txt)

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#3367

No description provided.

Rows
Columns