[GH-ISSUE #6782] foliate: cannot launch ebooks & GTK style is not followed #3370

Closed
opened 2026-05-05 09:56:50 -06:00 by gitea-mirror · 6 comments

Originally created by @rsramkis on GitHub (Jun 17, 2025).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6782

Description

I am unable to open ebooks in foliate with the default firejail profile on Arch Linux with Gnome 48 desktop.

❯ firejail --version
firejail version 0.9.74

Compile time support:
        - always force nonewprivs support is disabled
        - AppArmor support is enabled
        - AppImage support is enabled
        - chroot support is enabled
        - D-BUS proxy support is enabled
        - file transfer support is enabled
        - IDS support is disabled
        - Landlock support is enabled
        - networking support is enabled
        - output logging is enabled
        - overlayfs support is disabled
        - private-home support is enabled
        - private-lib support is disabled
        - private-cache and tmpfs as user enabled
        - sandbox check is enabled
        - SELinux support is disabled
        - user namespace support is enabled
        - X11 sandboxing support is enabled

Expected behavior

When Foliate opens I expect:

  • History of ebooks previously opened to show.
  • Preferred GTK style should show in application interface.
  • I should be able to double click on a book and open it.

Actual behavior

  • History of ebooks previously opened to show. But no thumbnails.
  • The light GTK style is showing (instead of preferred dark).
  • Opening a book crashes Foliate.

Steps to Reproduce

After I launch the Foliate ebook reader (local Arch GTK application) with firejail --noprofile foliate, the application looks like it has the correct styling. But I cannot open a book:

Image

Output from the terminal when I try to open book:

❯ firejail --noprofile foliate
firejail version 0.9.74

Parent pid 6157, child pid 6158
Base filesystem installed in 0.04 ms
Child process initialized in 13.95 ms
Warning: an existing sandbox was detected. /usr/bin/foliate will run without any additional sandboxing features
MESA-INTEL: warning: ../mesa-25.1.3/src/intel/vulkan_hasvk/anv_formats.c:759: FINISHME: support YUV colorspace with DRM format modifiers
MESA-INTEL: warning: ../mesa-25.1.3/src/intel/vulkan_hasvk/anv_formats.c:790: FINISHME: support more multi-planar formats with DRM modifiers
bwrap: Can't mount proc on /newroot/proc: Operation not permitted

** (com.github.johnfactotum.Foliate:3): ERROR **: 21:38:34.128: Failed to fully launch dbus-proxy: Child process exited with code 1

Parent is shutting down, bye...

When I launch foliate from terminal you will see all the GTK styling disappear:

Image

This is what the terminal shows:

❯ foliate
Reading profile /etc/firejail/foliate.profile
Reading profile /home/rsruser/.config/firejail/foliate.local
Reading profile /etc/firejail/allow-gjs.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
firejail version 0.9.74

Parent pid 6319, child pid 6320
3 programs installed in 4.46 ms
Private /etc installed in 26.04 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: not remounting /run/user/1000/gvfs
Warning: not remounting /run/user/1000/doc
Base filesystem installed in 104.97 ms
Child process initialized in 222.83 ms

(com.github.johnfactotum.Foliate:26): Gdk-WARNING **: 21:42:54.981: Failed to read portal settings: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: Portal operation not allowed: Unable to open /proc/6345/root
MESA-INTEL: warning: ../mesa-25.1.3/src/intel/vulkan_hasvk/anv_formats.c:759: FINISHME: support YUV colorspace with DRM format modifiers
MESA-INTEL: warning: ../mesa-25.1.3/src/intel/vulkan_hasvk/anv_formats.c:790: FINISHME: support more multi-planar formats with DRM modifiers

** (com.github.johnfactotum.Foliate:26): WARNING **: 21:44:09.884: Failed to create '/run/user/1000/.flatpak/webkit-26-18': Permission denied

** (com.github.johnfactotum.Foliate:26): WARNING **: 21:44:09.884: Failed to create '/run/user/1000/.flatpak/webkit-26-19': Permission denied

** (com.github.johnfactotum.Foliate:26): ERROR **: 21:44:09.885: Failed to start dbus proxy: Failed to spawn child process “/usr/bin/bwrap” (No such file or directory)

Parent is shutting down, bye...

From reviewing #6644, it appears there is mention of adding permissions for bubblewrap to allow for opening of ebooks. But it is not clear what I need to do to fix the issue.

Thank you.

Source: https://github.com/netblue30/firejail/issues/6644

Checklist

  • [x] The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • [x] I can reproduce the issue without custom modifications (e.g. globals.local).
  • [x] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [x] The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).
  • [x] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • [x] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)
gitea-mirror closed this issue and added the duplicate label (2026-05-05 09:56:50 -06:00)

@kmk3 commented on GitHub (Jun 17, 2025):

> ❯ foliate
> Reading profile /etc/firejail/foliate.profile
> Reading profile /home/rsruser/.config/firejail/foliate.local

What happens without local modifications?

> ** (com.github.johnfactotum.Foliate:26): WARNING **: 21:44:09.884: Failed to create '/run/user/1000/.flatpak/webkit-26-18': Permission denied

Is this a normal program or a flatpak?

What is the output of the following?

which -a foliate

@amano-kenji

Considering #6582, can you reproduce these issues?


@rsramkis commented on GitHub (Jun 17, 2025):

  1. The foliate.local file I am using is all commented out:
# private-bin com.github.johnfactotum.Foliate
# noblacklist /usr/bin/bwrap
# seccomp !mount,!pivot_root,!umount2
  2. The install is a local install from the Arch Repository (not flatpak):

https://archlinux.org/packages/extra/any/foliate/

  3. What is the output of "which -a foliate"?
❯ which -a foliate
/usr/local/bin/foliate
/usr/bin/foliate
  4. Considering #6582, can you reproduce these issues?

The build of firejail from April 1, 2025 I am running already has the refactored changes mentioned for the files:

  • foliate.profile
  • com.github.johnfactotum.Foliate.profile

These are the changes:

  • Move everything into foliate.profile

  • Leave just private-bin com.github.johnfactotum.Foliate in
    com.github.johnfactotum.Foliate.profile and make it be a redirect to
    foliate.profile

  • Add private-bin foliate to foliate.profile

  • Add foliate to firecfg.config


@kmk3 commented on GitHub (Jun 18, 2025):

> ❯ firejail --noprofile foliate

Make sure to run either just the program directly (foliate) or use the full
program path (firejail /usr/bin/foliate) to avoid firejail-in-firejail issues
(see #2877).

> After I launch the Foliate ebook reader (local Arch GTK application) with
> firejail --noprofile foliate, the application looks like it has the correct
> styling. But I cannot open a book:

Does it work with --profile=noprofile?

Example:

firejail --profile=noprofile /usr/bin/foliate

If not, then it might be the same problem as in #3647 and we should probably
drop it from firecfg.

Though maybe at least the theme issue can be fixed.

You can try commenting the lines in the profile until you find which ones are
causing this issue.

>   1. The foliate.local file I am using is all commented out:
> # private-bin com.github.johnfactotum.Foliate
> # noblacklist /usr/bin/bwrap
> # seccomp !mount,!pivot_root,!umount2
>   2. The install is a local install from the Arch Repository (not flatpak):
>
> https://archlinux.org/packages/extra/any/foliate/
>
>   3. What is the output of "which -a foliate"?
> ❯ which -a foliate
> /usr/local/bin/foliate
> /usr/bin/foliate

Looks good.

>   4. Considering #6582, can you reproduce these issues?

To be clear, I was asking @amano-kenji (as presumably another user of this
program, due to #6582) to see if the program at least works on Gentoo
(see #6580).


@rsramkis commented on GitHub (Jun 18, 2025):

  1. When I run ' firejail --profile=noprofile /usr/bin/foliate' the application does launch with correct colors and style. But then crashes when I try to open a book:
❯ firejail --profile=noprofile /usr/bin/foliate
Reading profile /etc/firejail/noprofile.profile
firejail version 0.9.74

Parent pid 16189, child pid 16190
Warning: cannot open source file /usr/lib/firejail/seccomp.debug32, file not copied
Base filesystem installed in 0.01 ms
Child process initialized in 12.32 ms
MESA-INTEL: warning: ../mesa-25.1.3/src/intel/vulkan_hasvk/anv_formats.c:759: FINISHME: support YUV colorspace with DRM format modifiers
MESA-INTEL: warning: ../mesa-25.1.3/src/intel/vulkan_hasvk/anv_formats.c:790: FINISHME: support more multi-planar formats with DRM modifiers
bwrap: Can't mount proc on /newroot/proc: Operation not permitted

** (com.github.johnfactotum.Foliate:3): ERROR **: 23:16:32.030: Failed to fully launch dbus-proxy: Child process exited with code 1

Image


@rsramkis commented on GitHub (Jun 18, 2025):

Solution was to disable Foliate from being sandboxed by Firejail.


@amano-kenji commented on GitHub (Jun 18, 2025):

I still need env WEBKIT_DISABLE_SANDBOX_THIS_IS_DANGEROUS=1 in foliate.local to read ebooks in foliate.

$ which -a foliate
/home/user/.local/bin/foliate
/usr/bin/foliate

~/.local/bin/foliate launches foliate inside firejail.
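
The failure signatures quoted in this thread, gathered into a small triage script. This is an added example, not part of the original issue or of firejail; the finding codes and messages are made up here, and the sample lines are copied from the terminal output above.

```shell
#!/bin/sh
# Added example: classify firejail/Foliate terminal output by the failure
# signatures quoted in this thread. Finding codes are invented for this sketch.

# Constructed samples: lines copied from the two failing runs reported above.
SAMPLE_PROFILE_RUN="Reading profile /etc/firejail/foliate.profile
Reading profile /home/rsruser/.config/firejail/foliate.local
(com.github.johnfactotum.Foliate:26): Gdk-WARNING **: 21:42:54.981: Failed to read portal settings: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: Portal operation not allowed: Unable to open /proc/6345/root
** (com.github.johnfactotum.Foliate:26): ERROR **: 21:44:09.885: Failed to start dbus proxy: Failed to spawn child process “/usr/bin/bwrap” (No such file or directory)"

SAMPLE_NESTED_RUN="Warning: an existing sandbox was detected. /usr/bin/foliate will run without any additional sandboxing features
bwrap: Can't mount proc on /newroot/proc: Operation not permitted
** (com.github.johnfactotum.Foliate:3): ERROR **: 21:38:34.128: Failed to fully launch dbus-proxy: Child process exited with code 1"

# Print "CODE: message" once per code; _seen holds the codes already printed.
emit() {
    case $_seen in *" $1 "*) return 0 ;; esac
    _seen="$_seen$1 "
    printf '%s: %s\n' "$1" "$2"
}

# Read a firejail session log on stdin and print one finding per signature.
triage_firejail_log() {
    _seen=" "
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
        *'an existing sandbox was detected'*)
            # firejail-in-firejail: the inner firejail adds no sandboxing
            emit NESTED_SANDBOX 'firejail ran inside firejail; run "foliate" or "firejail /usr/bin/foliate" instead' ;;
        'Reading profile '*.local)
            # a user override was loaded; rule it out before blaming the profile
            emit LOCAL_OVERRIDE "${line#Reading profile } was read; retest without local modifications" ;;
        *'Failed to spawn child process'*bwrap*'No such file or directory'*)
            # bwrap is not visible inside the sandbox (private-bin or blacklist rules)
            emit BWRAP_NOT_VISIBLE 'bwrap does not exist inside the sandbox, so the dbus proxy cannot start' ;;
        *"bwrap: Can't mount proc"*'Operation not permitted'*)
            # bwrap ran, but the mount it needs was refused
            emit BWRAP_MOUNT_DENIED 'bwrap was found but was not allowed to mount /proc' ;;
        *'Failed to read portal settings'*AccessDenied*)
            # GTK could not query the settings portal; goes with the theme symptom
            emit PORTAL_DENIED 'desktop portal refused the settings request; theme preference is not read' ;;
        esac
    done
    return 0
}

# Stand-alone run: show the findings for both sample sessions.
echo '--- run with foliate.profile ---'
printf '%s\n' "$SAMPLE_PROFILE_RUN" | triage_firejail_log
echo '--- run with --noprofile from a wrapped shell ---'
printf '%s\n' "$SAMPLE_NESTED_RUN" | triage_firejail_log
```

To use it on a real session, pipe the captured output in, for example `foliate 2>&1 | triage_firejail_log` after sourcing the function.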