netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

shotwell: cannot access PTP camera (gphoto2) #4749

Open skrat opened 2 years ago

skrat commented 2 years ago

I don't know too much about the specifics; all I know is that without firejail I can see my camera and import photos, and with firejail I cannot.

glitsj16 commented 2 years ago

I think we need to drop the novideo from our profile for camera support (and perhaps add to private-bin). Does it work with the below command?

$ firejail --ignore=novideo /usr/bin/shotwell

rusty-snake commented 2 years ago

I think we need org.gtk.vfs.GPhoto2VolumeMonitor.

Does this work?

$ firejail --dbus-user.talk="org.gtk.vfs.*" /usr/bin/shotwell

skrat commented 2 years ago

Nope, none of these work. @rusty-snake @glitsj16

~ $ shotwell
Reading profile /etc/firejail/shotwell.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 2159542, child pid 2159545
Warning: skipping none for private /opt
Private /opt installed in 0.05 ms
1 program installed in 5.13 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping alternatives for private /etc
Private /etc installed in 1.84 ms
Private /usr/etc installed in 0.00 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Blacklist violations are logged to syslog
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Child process initialized in 65.91 ms

(shotwell:6): dbind-WARNING **: 17:04:12.182: AT-SPI: Error retrieving accessibility bus address: org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceUnknown

(shotwell:6): GLib-WARNING **: 17:04:12.333: getpwuid_r(): failed due to unknown user id (1000)

Parent is shutting down, bye...
~ 4.4s $ /usr/bin/shotwell
~ 20.2s $ 
glitsj16 commented 2 years ago

(shotwell:6): GLib-WARNING **: 17:04:12.333: getpwuid_r(): failed due to unknown user id (1000)

That can be fixed by adding --private-etc=passwd (on the command line) or by adding private-etc passwd to a shotwell.local override. After doing so, please retest both suggestions and report back.
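
The three suggestions in this thread collected into the persistent override file glitsj16 refers to, as an added example (not a file shipped by the firejail project, and not something the reporter posted). It assumes the packaged shotwell.profile still carries the `novideo` line, that xdg-dbus-proxy is installed so the session-bus filter can be used, and that no later line in the packaged profile switches the bus back to `dbus-user none`:

```text
# ~/.config/firejail/shotwell.local (added example; this file is read via the
# "include shotwell.local" line at the top of shotwell.profile)

# Drop the novideo line from the packaged profile (same effect as --ignore=novideo).
ignore novideo

# Allow shotwell to talk to the gvfs GPhoto2 volume monitor on the session bus
# (same effect as --dbus-user.talk="org.gtk.vfs.*"). The wildcard grants every
# org.gtk.vfs.* name, so keep it no wider than the service you actually need.
dbus-user filter
dbus-user.talk org.gtk.vfs.*

# Keep /etc/passwd inside the private /etc so getpwuid_r() can resolve uid 1000
# (same effect as --private-etc=passwd).
private-etc passwd
```

After saving the file, start shotwell from a terminal and check that the startup output lists the .local file among the "Reading profile" lines before retrying the camera import; if it is not listed, the override is not being picked up and none of the three changes are in effect.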

skrat commented 2 years ago

@glitsj16 nope, that doesn't help either. I removed everything I could from the profile and still no camera:

# Firejail profile for shotwell
# Description: A digital photo organizer designed for the GNOME desktop environment
# This file is overwritten after every install/update
# Persistent local customizations
include shotwell.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/.cache/shotwell
noblacklist ${HOME}/.local/share/shotwell

noblacklist ${PICTURES}

mkdir ${HOME}/.cache/shotwell
mkdir ${HOME}/.local/share/shotwell
whitelist ${HOME}/.cache/shotwell
whitelist ${HOME}/.local/share/shotwell
whitelist ${PICTURES}
include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

protocol unix,inet,inet6
shell none

skrat commented 2 years ago

I also looked and compared the profiles to other gphoto2-based apps (digiKam, gthumb) and didn't find anything. Is there a way to do some kind of syscall tracing, and then maybe compare the run with and without firejail?
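
One way to do the comparison asked for above, as an added example (not code from the firejail project or from anyone in this thread): trace file-related syscalls once outside the sandbox and once inside it, then report the paths whose open/stat/access failed only in the sandboxed run. The strace invocations in the header comment are the assumed capture step (firejail needs `--allow-debuggers` so its seccomp filter does not block ptrace, and the log is written under ~/.cache/shotwell because the profile whitelists that directory); the two logs embedded in the block are constructed stand-ins, and the paths they contain are illustrative, not a diagnosis of this bug.

```shell
#!/bin/sh
# Added example, not code from the firejail project or the issue participants.
# Question answered: which file accesses fail only under firejail?
#
# Assumed capture step (run these yourself; nothing below executes firejail):
#   strace -f -o ~/outside.log -e trace=%file,ioctl /usr/bin/shotwell
#   firejail --allow-debuggers strace -f -o ~/.cache/shotwell/inside.log \
#       -e trace=%file,ioctl /usr/bin/shotwell
# --allow-debuggers: firejail's seccomp filter otherwise blocks ptrace.
# ~/.cache/shotwell: whitelisted by the profile, so the log survives the sandbox.

export LC_ALL=C   # sort and comm must agree on collation

# failed_paths LOG: print "ERRNO PATH" for every file syscall that failed with
# ENOENT, EACCES or EPERM, sorted and deduplicated (comm needs sorted input).
failed_paths() {
    awk '
        /= -1 (ENOENT|EACCES|EPERM)/ {
            # the first double-quoted argument is the path
            # (openat has AT_FDCWD in front of it, stat/access do not)
            if (match($0, /"[^"]*"/)) {
                path = substr($0, RSTART + 1, RLENGTH - 2)
                errno = $0
                sub(/.*= -1 /, "", errno)   # keep text after "= -1 "
                sub(/ .*/, "", errno)       # keep the errno name only
                print errno, path
            }
        }' "$1" | sort -u
}

# sandbox_only_failures OUTSIDE_LOG INSIDE_LOG: failures present in the sandboxed
# run but absent from the baseline, i.e. the ones the sandbox itself introduced.
sandbox_only_failures() {
    base=$(mktemp) || return 1
    sb=$(mktemp) || return 1
    failed_paths "$1" > "$base"
    failed_paths "$2" > "$sb"
    comm -13 "$base" "$sb"
    rm -f "$base" "$sb"
}

# Constructed sample logs standing in for real strace -f -o output
# (pids, paths and results are made up for the demonstration).
OUTSIDE_LOG=$(mktemp)
INSIDE_LOG=$(mktemp)
cat > "$OUTSIDE_LOG" <<'EOF'
4101  openat(AT_FDCWD, "/usr/lib/libgphoto2.so.6", O_RDONLY|O_CLOEXEC) = 3
4101  openat(AT_FDCWD, "/usr/local/lib/libfoo.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
4101  openat(AT_FDCWD, "/dev/bus/usb/001/005", O_RDWR|O_CLOEXEC) = 7
4101  stat("/etc/passwd", {st_mode=S_IFREG|0644, st_size=2312, ...}) = 0
4102  access("/run/user/1000/gvfs", R_OK) = 0
EOF
cat > "$INSIDE_LOG" <<'EOF'
6  openat(AT_FDCWD, "/usr/lib/libgphoto2.so.6", O_RDONLY|O_CLOEXEC) = 3
6  openat(AT_FDCWD, "/usr/local/lib/libfoo.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
6  openat(AT_FDCWD, "/dev/bus/usb/001/005", O_RDWR|O_CLOEXEC) = -1 ENOENT (No such file or directory)
6  stat("/etc/passwd", 0x7ffd1c3a2b40) = -1 ENOENT (No such file or directory)
7  access("/run/user/1000/gvfs", R_OK) = -1 EACCES (Permission denied)
EOF

# The libfoo.so miss happens in both runs (a normal library search miss), so it
# is filtered out; only the three sandbox-introduced failures are reported.
sandbox_only_failures "$OUTSIDE_LOG" "$INSIDE_LOG"
```

The diff against the unsandboxed baseline is what makes the output usable: a GTK application produces hundreds of harmless ENOENT results on its own, and only the ones that appear exclusively inside the sandbox point at a whitelist, private-etc or device rule worth relaxing.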