[GH-ISSUE #947] Chromium 'Save as' doesn't work with --net on KDE #644

Closed
opened 2026-05-05 06:20:32 -06:00 by gitea-mirror · 4 comments

Originally created by @fld on GitHub (Nov 29, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/947

On Debian jessie KDE I used:

```
% firejail --trace --profile=/etc/firejail/chromium.profile --net=br0 --dns=192.168.0.1 --defaultgw=192.168.0.1 chromium --temp-profile
```

And tried to "Save as" (ctrl+s) the page. Nothing happens.

Corresponding, trace output:

```
14:chromium:open64 /home/fld/13:mktemp:open/Default/DownloadMetadata:-1
14:chromium:open64 /proc/self/status:117
14:chromium:open64 /proc/self/status:117
14:chromium:open64 /dev/null:119
14:chromium:fopen64 /proc/156/stat:0x559704973be0
14:chromium:open64 /dev/null:119
```

audit.log:

```
type=ANOM_ABEND msg=audit(1480420969.030:82479): auid=1000 uid=1000 gid=1000 ses=2 pid=18448 comm="drkonqi" exe="/usr/lib/kde4/libexec/drkonqi" sig=6
```


@netblue30 commented on GitHub (Nov 30, 2016):

drkonqi seems to be the KDE crash handler. It seems something crashed and drkonqi was activated.

It is hard to tell what's going on. Probably, they try to connect to some local server over a Unix socket. The network namespace isolates all external sockets, so the connection doesn't succeed - and then they crash! I don't get this problem on my setup (Debian stable + LXDE), could be something related to KDE/Chromium integration.


@fld commented on GitHub (Nov 30, 2016):

Chromium uses Qt so the resulting 'Save as - KDialog' has the KDE "Places" side-bar, which displays all the system's currently mounted storage. Apparently this stuff uses UNIX sockets and/or DBus.

I tried this with gwenview:

```
% firejail --profile=/etc/firejail/gwenview.profile --net=br0 --dns=192.168.0.1 --defaultgw=192.168.0.1 gwenview
Reading profile /etc/firejail/gwenview.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Parent pid 3494, child pid 3499

Interface        MAC                IP               Mask             Status
lo                                  127.0.0.1        255.0.0.0        UP
eth0             be:5f:00:22:0e:ed  192.168.0.249    255.255.255.0    UP
Default gateway 192.168.0.1
DNS server 192.168.0.1

Child process initialized
gwenview(2)/kdeui (kdelibs): Session bus not found
To circumvent this problem try the following command (with Linux and bash)
export $(dbus-launch)
KCrash: Application 'gwenview' crashing...
KCrash: Attempting to start /usr/lib/kde4/libexec/drkonqi from kdeinit
KCrash: Connect sock_file=/home/fld/.kde/socket-main/kdeinit4__0
```

Looks like the --net feature is not going to be very useful in KDE environments, unless there is a way to allow DBus and UNIX sockets?
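Added example, not part of the original thread or of firejail's code: abstract Unix sockets are scoped to the network namespace, while pathname sockets are filesystem objects, so the form of the session bus address decides whether a `--net` sandbox can still reach it. The function names and sample values below are constructed for illustration, and a pathname socket is assumed to be visible in the sandbox's filesystem view.

```shell
#!/bin/sh
# Classify each endpoint of a D-Bus address list (the format used by
# DBUS_SESSION_BUS_ADDRESS) by what scopes it: the network namespace
# (abstract sockets) or the filesystem (pathname sockets).
classify_dbus_address() (
    # Runs in a subshell so the IFS and globbing changes stay local.
    IFS=';'
    set -f
    for ep in $1; do
        [ -n "$ep" ] || continue
        transport=${ep%%:*}      # text before the first ':'
        params=${ep#*:}          # comma-separated key=value list
        verdict=unknown
        if [ "$transport" = unix ]; then
            case ",$params," in
                *,abstract=*) verdict=netns-scoped ;;
                *,path=*)     verdict=filesystem-scoped ;;
            esac
        fi
        printf '%s %s\n' "$verdict" "$ep"
    done
)

# Succeeds if at least one endpoint does not depend on the caller's
# network namespace, i.e. a client in a new namespace can still try it.
survives_new_netns() {
    classify_dbus_address "$1" | grep -q '^filesystem-scoped '
}

# stdin: text in /proc/net/unix format. Prints the abstract socket names
# (kernel marks them with a leading '@'). Comparing the output inside and
# outside the sandbox shows which abstract sockets the namespace hides.
abstract_sockets() {
    awk 'NR > 1 && $8 ~ /^@/ { print $8 }'
}

# Constructed sample address, not taken from the issue.
SAMPLE_ADDR='unix:abstract=/tmp/dbus-AbCdEf,guid=0123;unix:path=/run/user/1000/bus'
classify_dbus_address "$SAMPLE_ADDR"
```

On a live system, `classify_dbus_address "$DBUS_SESSION_BUS_ADDRESS"` and `abstract_sockets < /proc/net/unix` give the same view for the real session.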


@netblue30 commented on GitHub (Dec 3, 2016):

This should be very easy for them to fix. Crashing pressing "Save as" could become a big issue. For example, you work in a text editor for one hour and when you press "Save as" the program crashes.

> Looks like the --net feature is not going to be very useful in KDE environments

Network namespace is a basic security feature in Linux kernel, KDE devs should try to support it. Most people will choose a kernel security feature over some misimplemented dbus functionality in user space. Take Docker as an example. Network namespace is enabled by default in Docker, I don't think you can convince the users to run containers without it. They would drop your program and choose something else.


@smitsohu commented on GitHub (Sep 27, 2017):

It should be possible to work around the issue with chromium, if you start it with `NO_CHROME_KDE_FILE_DIALOG=1 chromium`
