github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #6973] vlc: icon in taskbar has black background instead of transparent #3440

New issue
Open
opened 2026-05-05 10:00:11 -06:00 by gitea-mirror · 2 comments
gitea-mirror commented 2026-05-05 10:00:11 -06:00
Owner
Copy link

Originally created by @mYnDstrEAm on GitHub (Nov 26, 2025).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6973

Description

The first image shows how the icon looks like in Debian 13 with KDE any Wayland when I run vlc, the second image show how it looks like when I run firejail vlc.

Image Image

Edit: in those small images it's not as visible because the background is gray but it looks ugly and eye-catching; all the other app icons display fine there except the VLC player.

I think something needs to be changed in the VLC profile (maybe also a profile that is used there or also other profiles). Until the fix is distributed to Debian 13 users, I'd like to know what to write into ~/.config/firejail/vlc.profile to fix this

Steps to Reproduce

  1. Run in bash firejail vlc
  2. See the Plasma taskbar

Expected behavior

Transparent background of VLC player

Actual behavior

Black background of VLC player

Behavior without a profile

What changed calling LC_ALL=C firejail --noprofile /path/to/program in a
terminal?
It shows the correct icon with transparent background.

Additional context

Environment

  • Name/version/arch of the Linux kernel (uname -srm): Linux 6.12.57+deb13-amd64 x86_64
  • Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux"): Debian 13
  • Name/version of the relevant program(s)/package(s) (e.g. "firefox 134.0-1,
    mesa 1:24.3.3-2"): 3.0.21
  • Version of Firejail (firejail --version): 0.9.74
  • If you use a development version of firejail, also the commit from which it
    was compiled (git rev-parse HEAD):

Checklist

  • I am using a supported version of firejail
  • I am using the full program path (e.g. firejail /usr/bin/vlc instead of firejail vlc; see https://github.com/netblue30/firejail/issues/2877)
  • The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • I can reproduce the issue without custom modifications (e.g. globals.local).
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • I have performed a short search for similar issues (to avoid opening a duplicate).
    • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program 

Reading profile /etc/firejail/vlc.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-common.local
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-player-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /home/username/.config/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
firejail version 0.9.74

Parent pid 3713388, child pid 3713392
Warning: cannot find /var/run/utmp
6 programs installed in x.xx ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Base filesystem installed in xxx.xx ms
Child process initialized in xxx.xx ms
VLC media player 3.0.21 Vetinari (revision 3.0.21-0-gdd8bfdbabe8)
[00005602b74eb400] main libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface.
Qt: Session management error: None of the authentication protocols specified are supported

Output of LC_ALL=C firejail --debug /path/to/program 

Looking for kernel processes
Found kthreadd process, we are not running in a sandbox
pid=3714283: locking /run/firejail/firejail-run.lock ...
pid=3714283: locked /run/firejail/firejail-run.lock
pid=3714283: unlocking /run/firejail/firejail-run.lock ...
pid=3714283: unlocked /run/firejail/firejail-run.lock
Building quoted command line: '/usr/bin/vlc' 
Command name #vlc#
Found vlc.profile profile in /etc/firejail directory
Reading profile /etc/firejail/vlc.profile
Cannot access .local file vlc.local: No such file or directory, skipping...
Cannot access .local file globals.local: No such file or directory, skipping...
Found disable-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-common.inc
Found disable-common.local profile in /etc/firejail directory
Reading profile /etc/firejail/disable-common.local
Found disable-devel.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-devel.inc
Cannot access .local file disable-devel.local: No such file or directory, skipping...
Found disable-exec.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-exec.inc
Cannot access .local file disable-exec.local: No such file or directory, skipping...
Found disable-interpreters.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-interpreters.inc
Cannot access .local file disable-interpreters.local: No such file or directory, skipping...
Found disable-programs.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-programs.inc
Cannot access .local file disable-programs.local: No such file or directory, skipping...
Found whitelist-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/whitelist-common.inc
Cannot access .local file whitelist-common.local: No such file or directory, skipping...
Found whitelist-player-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/whitelist-player-common.inc
Cannot access .local file whitelist-player-common.local: No such file or directory, skipping...
Found whitelist-run-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/whitelist-run-common.inc
Cannot access .local file whitelist-run-common.local: No such file or directory, skipping...
Found whitelist-runuser-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/whitelist-runuser-common.inc
Cannot access .local file whitelist-runuser-common.local: No such file or directory, skipping...
Found whitelist-var-common.inc profile in /home/username/.config/firejail directory
Reading profile /home/username/.config/firejail/whitelist-var-common.inc
Cannot access .local file whitelist-var-common.local: No such file or directory, skipping...
Warning: networking feature is disabled in Firejail configuration file
[profile] combined protocol list: "unix,inet,inet6,netlink"
firejail version 0.9.74

pid=3714283: locking /run/firejail/firejail-run.lock ...
pid=3714283: locked /run/firejail/firejail-run.lock
DISPLAY=:1 parsed as 1
pid=3714283: unlocking /run/firejail/firejail-run.lock ...
pid=3714283: unlocked /run/firejail/firejail-run.lock
xdg-dbus-proxy arg: unix:path=/run/user/1000/bus
xdg-dbus-proxy arg: /run/firejail/dbus/1000/3714283-user
xdg-dbus-proxy arg: --filter
xdg-dbus-proxy arg: --own=org.mpris.MediaPlayer2.vlc
xdg-dbus-proxy arg: --talk=org.freedesktop.Notifications
xdg-dbus-proxy arg: --talk=org.freedesktop.ScreenSaver
xdg-dbus-proxy arg: --talk=org.mpris.MediaPlayer2.Player
starting xdg-dbus-proxy
sbox exec: /usr/bin/xdg-dbus-proxy --fd=4 --args=5 
Dropping all capabilities
Drop privileges: pid 3714284, uid 1000, gid 1000, force_nogroups 1
No supplementary groups
xdg-dbus-proxy initialized
Using the local network stack
Parent pid 3714283, child pid 3714287
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
Build protocol filter: unix,inet,inet6,netlink
sbox run: /run/firejail/lib/fseccomp protocol build unix,inet,inet6,netlink /run/firejail/mnt/seccomp/seccomp.protocol 
Dropping all capabilities
Drop privileges: pid 2, uid 1000, gid 1000, force_nogroups 1
No supplementary groups
Drop privileges: pid 3, uid 1000, gid 1000, force_nogroups 0
nogroups command not ignored
No supplementary groups
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
[.....]

Originally created by @mYnDstrEAm on GitHub (Nov 26, 2025). Original GitHub issue: https://github.com/netblue30/firejail/issues/6973 ### Description The first image shows how the icon looks like in Debian 13 with KDE any Wayland when I run `vlc`, the second image show how it looks like when I run `firejail vlc`. <img width="26" height="31" alt="Image" src="https://github.com/user-attachments/assets/55eb88ee-e762-4927-bb71-255382d5bf7a" /> <img width="31" height="31" alt="Image" src="https://github.com/user-attachments/assets/ac18d0db-3229-4ded-8c87-0e4d05488519" /> Edit: in those small images it's not as visible because the background is gray but it looks ugly and eye-catching; all the other app icons display fine there except the VLC player. I think something needs to be changed in the VLC profile (maybe also a profile that is used there or also other profiles). Until the fix is distributed to Debian 13 users, I'd like to know what to write into `~/.config/firejail/vlc.profile` to fix this ### Steps to Reproduce 1. Run in bash `firejail vlc` 2. See the Plasma taskbar ### Expected behavior Transparent background of VLC player ### Actual behavior Black background of VLC player ### Behavior without a profile _What changed calling `LC_ALL=C firejail --noprofile /path/to/program` in a terminal?_ It shows the correct icon with transparent background. ### Additional context ### Environment - Name/version/arch of the Linux kernel (`uname -srm`): Linux 6.12.57+deb13-amd64 x86_64 - Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux"): Debian 13 - Name/version of the relevant program(s)/package(s) (e.g. "firefox 134.0-1, mesa 1:24.3.3-2"): 3.0.21 - Version of Firejail (`firejail --version`): 0.9.74 - If you use a development version of firejail, also the commit from which it was compiled (`git rev-parse HEAD`): ### Checklist - [ ] I am using a [supported version](https://github.com/netblue30/firejail/tree/master/SECURITY.md) of firejail - [x] I am using the full program path (e.g. `firejail /usr/bin/vlc` instead of `firejail vlc`; see `https://github.com/netblue30/firejail/issues/2877`) - [x] The issues is caused by firejail (i.e. running the program by path (e.g. `/usr/bin/vlc`) "fixes" it). - [ ] I can reproduce the issue without custom modifications (e.g. globals.local). - [x] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`) - [ ] The profile (and redirect profile if exists) hasn't already been fixed [upstream](https://github.com/netblue30/firejail/tree/master/etc). - [x] I have performed a short search for similar issues (to avoid opening a duplicate). - [x] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers. - [ ] I used `--profile=PROFILENAME` to set the right profile. (Only relevant for AppImages) ### Log <details> <summary>Output of <code>LC_ALL=C firejail /path/to/program</code></summary> <p> ``` Reading profile /etc/firejail/vlc.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-common.local Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-exec.inc Reading profile /etc/firejail/disable-interpreters.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/whitelist-common.inc Reading profile /etc/firejail/whitelist-player-common.inc Reading profile /etc/firejail/whitelist-run-common.inc Reading profile /etc/firejail/whitelist-runuser-common.inc Reading profile /home/username/.config/firejail/whitelist-var-common.inc Warning: networking feature is disabled in Firejail configuration file firejail version 0.9.74 Parent pid 3713388, child pid 3713392 Warning: cannot find /var/run/utmp 6 programs installed in x.xx ms Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set. Base filesystem installed in xxx.xx ms Child process initialized in xxx.xx ms VLC media player 3.0.21 Vetinari (revision 3.0.21-0-gdd8bfdbabe8) [00005602b74eb400] main libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface. Qt: Session management error: None of the authentication protocols specified are supported ``` </p> </details> <details> <summary>Output of <code>LC_ALL=C firejail --debug /path/to/program</code></summary> <p> <!-- If the output is too long, save it to a file (e.g. "fjdebug.txt") and attach it to the comment: https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/attaching-files If that does not work, create a secret gist at https://gist.github.com/ and link it here. --> ``` Looking for kernel processes Found kthreadd process, we are not running in a sandbox pid=3714283: locking /run/firejail/firejail-run.lock ... pid=3714283: locked /run/firejail/firejail-run.lock pid=3714283: unlocking /run/firejail/firejail-run.lock ... pid=3714283: unlocked /run/firejail/firejail-run.lock Building quoted command line: '/usr/bin/vlc' Command name #vlc# Found vlc.profile profile in /etc/firejail directory Reading profile /etc/firejail/vlc.profile Cannot access .local file vlc.local: No such file or directory, skipping... Cannot access .local file globals.local: No such file or directory, skipping... Found disable-common.inc profile in /etc/firejail directory Reading profile /etc/firejail/disable-common.inc Found disable-common.local profile in /etc/firejail directory Reading profile /etc/firejail/disable-common.local Found disable-devel.inc profile in /etc/firejail directory Reading profile /etc/firejail/disable-devel.inc Cannot access .local file disable-devel.local: No such file or directory, skipping... Found disable-exec.inc profile in /etc/firejail directory Reading profile /etc/firejail/disable-exec.inc Cannot access .local file disable-exec.local: No such file or directory, skipping... Found disable-interpreters.inc profile in /etc/firejail directory Reading profile /etc/firejail/disable-interpreters.inc Cannot access .local file disable-interpreters.local: No such file or directory, skipping... Found disable-programs.inc profile in /etc/firejail directory Reading profile /etc/firejail/disable-programs.inc Cannot access .local file disable-programs.local: No such file or directory, skipping... Found whitelist-common.inc profile in /etc/firejail directory Reading profile /etc/firejail/whitelist-common.inc Cannot access .local file whitelist-common.local: No such file or directory, skipping... Found whitelist-player-common.inc profile in /etc/firejail directory Reading profile /etc/firejail/whitelist-player-common.inc Cannot access .local file whitelist-player-common.local: No such file or directory, skipping... Found whitelist-run-common.inc profile in /etc/firejail directory Reading profile /etc/firejail/whitelist-run-common.inc Cannot access .local file whitelist-run-common.local: No such file or directory, skipping... Found whitelist-runuser-common.inc profile in /etc/firejail directory Reading profile /etc/firejail/whitelist-runuser-common.inc Cannot access .local file whitelist-runuser-common.local: No such file or directory, skipping... Found whitelist-var-common.inc profile in /home/username/.config/firejail directory Reading profile /home/username/.config/firejail/whitelist-var-common.inc Cannot access .local file whitelist-var-common.local: No such file or directory, skipping... Warning: networking feature is disabled in Firejail configuration file [profile] combined protocol list: "unix,inet,inet6,netlink" firejail version 0.9.74 pid=3714283: locking /run/firejail/firejail-run.lock ... pid=3714283: locked /run/firejail/firejail-run.lock DISPLAY=:1 parsed as 1 pid=3714283: unlocking /run/firejail/firejail-run.lock ... pid=3714283: unlocked /run/firejail/firejail-run.lock xdg-dbus-proxy arg: unix:path=/run/user/1000/bus xdg-dbus-proxy arg: /run/firejail/dbus/1000/3714283-user xdg-dbus-proxy arg: --filter xdg-dbus-proxy arg: --own=org.mpris.MediaPlayer2.vlc xdg-dbus-proxy arg: --talk=org.freedesktop.Notifications xdg-dbus-proxy arg: --talk=org.freedesktop.ScreenSaver xdg-dbus-proxy arg: --talk=org.mpris.MediaPlayer2.Player starting xdg-dbus-proxy sbox exec: /usr/bin/xdg-dbus-proxy --fd=4 --args=5 Dropping all capabilities Drop privileges: pid 3714284, uid 1000, gid 1000, force_nogroups 1 No supplementary groups xdg-dbus-proxy initialized Using the local network stack Parent pid 3714283, child pid 3714287 Initializing child process Host network configured PID namespace installed Mounting tmpfs on /run/firejail/mnt directory Creating empty /run/firejail/mnt/seccomp directory Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file Build protocol filter: unix,inet,inet6,netlink sbox run: /run/firejail/lib/fseccomp protocol build unix,inet,inet6,netlink /run/firejail/mnt/seccomp/seccomp.protocol Dropping all capabilities Drop privileges: pid 2, uid 1000, gid 1000, force_nogroups 1 No supplementary groups Drop privileges: pid 3, uid 1000, gid 1000, force_nogroups 0 nogroups command not ignored No supplementary groups Mounting /proc filesystem representing the PID namespace Basic read-only filesystem: Mounting read-only /etc [.....] ``` </p> </details>
gitea-mirror added the
needinfo
old-version
 labels 2026-05-05 10:00:11 -06:00
gitea-mirror commented 2026-05-05 10:00:13 -06:00
Author
Owner
Copy link

@kmk3 commented on GitHub (Nov 27, 2025):

Behavior without a profile

Missing information.

Logs

Missing information.

  1. Run in bash firejail vlc
  • Version of Firejail (firejail --version): 0.9.74

Checklist

  • I am using a supported version of firejail
  • I am using the full program path (e.g. firejail /usr/bin/vlc instead of firejail vlc; see https://github.com/netblue30/firejail/issues/2877)

Both are incorrect.

What happens with a supported version and the correct commands?

<!-- gh-comment-id:3584431949 --> @kmk3 commented on GitHub (Nov 27, 2025): > Behavior without a profile Missing information. > Logs Missing information. > 1. Run in bash `firejail vlc` > * Version of Firejail (`firejail --version`): 0.9.74 > ### Checklist > > * [x] I am using a [supported version](https://github.com/netblue30/firejail/tree/master/SECURITY.md) of firejail > * [x] I am using the full program path (e.g. `firejail /usr/bin/vlc` instead of `firejail vlc`; see `https://github.com/netblue30/firejail/issues/2877`) Both are incorrect. What happens with a supported version and the correct commands?
gitea-mirror commented 2026-05-05 10:00:14 -06:00
Author
Owner
Copy link

@mYnDstrEAm commented on GitHub (Nov 27, 2025):

Missing information.

Added.

Missing information.

Added.

Both are incorrect.

Fixed. This is the latest version available in Debian 13 with no newer version in backports. I did run firejail /usr/bin/vlc but just didn't put it into the description.

What happens with a supported version and the correct commands?

I can't get a newer version of firejail. I used the correct commands (firejail /usr/bin/vlc). How is this similar to the other issue or were just saying I should also add the info there. I'll edit the other issue too but I don't run firefox without a profile and it would be better to check if this problem of not opening links also occurs for other computers/users...it doesn't have to be the same app but I suspect it also doesn't work for other users with the latest version and the same default Web browser configuration.

<!-- gh-comment-id:3585616996 --> @mYnDstrEAm commented on GitHub (Nov 27, 2025): >Missing information. Added. >Missing information. Added. >Both are incorrect. Fixed. This is the latest version available in Debian 13 with [no newer version in backports](https://packages.debian.org/search?mode=filename&suite=trixie-backports&section=all&arch=amd64&searchon=contents&keywords=firejail). I did run firejail /usr/bin/vlc but just didn't put it into the description. >What happens with a supported version and the correct commands? I can't get a newer version of firejail. I used the correct commands (`firejail /usr/bin/vlc`). How is this similar to the other issue or were just saying I should also add the info there. I'll edit the other issue too but I don't run firefox without a profile and it would be better to check if this problem of not opening links also occurs for other computers/users...it doesn't have to be the same app but I suspect it also doesn't work for other users with the latest version and the same default Web browser configuration.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#3440
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?