Originally posted by **omega3** March 9, 2022
Chromium doesn't allow to upload file for example to imgur. I am using Chromium on Plasma KDE. Imgur shows error.
When I add `nodbus` it opens different dialog, I guess it is gtk dialog - not Plasma KDE - and I can upload. But when I save file with this setting and this dialog I can't see them in Dolphin.
What to do?
Expected behavior would be to be able to download / upload files in Chromium from Plasma KDE dialog and when downloaded, see them in Dolphin.
I use `chromium.local` profile, which is basically the same as in /etc/Firejail and run Chromium like this:
`firejail --private=/home/user/Data/jail/ --profile=/home/user/Data/jail/.config/firejail/chromium.local /usr/bin/chromium`
I can download file from the Internet for example from Imgur to Downloads folder in this custom fake /home but at the same time I can't upload.
I added to `chromium.local`
```
include whitelist-common.inc
whitelist ~/Downloads
noblacklist ~/Downloads
```
but it doesn't work.
Giving full path or something like this:
```
whitelist ${HOME}/Downloads
noblacklist ${HOME}/Downloads
whitelist /home/user/Data/jail/Downloads
noblacklist /home/user/Data/jail/Downloads
```
also doesn't work.
```
firejail version 0.9.69
Operating System: Manjaro Linux
KDE Plasma Version: 5.24.2
KDE Frameworks Version: 5.91.0
Qt Version: 5.15.2
Kernel Version: 5.15.25-1-MANJARO (64-bit)
Graphics Platform: X11
```
This doesn't work:
```
firejail --private=/home/user/Data/jail/ --profile=/home/user/Data/jail/.config/firejail/chromium.local /usr/bin/chromium
Reading profile /home/user/Data/jail/.config/firejail/chromium.local
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/chromium-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 1032, child pid 1033
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Child process initialized in 272.35 ms
[1:1:0310/082301.559099:ERROR:content_main_runner_impl.cc(377)] Unable to load CDM /home/user/.config/chromium/WidevineCdm/4.10.2391.0/_platform_specific/linux_x64/libwidevinecdm.so (error: /home/user/.config/chromium/WidevineCdm/4.10.2391.0/_platform_specific/linux_x64/libwidevinecdm.so: odwzorowanie segmentu z obiektu dzielonego nie powiodło się)
[12:12:0310/082301.559401:ERROR:content_main_runner_impl.cc(377)] Unable to load CDM /home/user/.config/chromium/WidevineCdm/4.10.2391.0/_platform_specific/linux_x64/libwidevinecdm.so (error: /home/user/.config/chromium/WidevineCdm/4.10.2391.0/_platform_specific/linux_x64/libwidevinecdm.so: odwzorowanie segmentu z obiektu dzielonego nie powiodło się)
[4:29:0310/082301.806816:ERROR:bus.cc(397)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Brak dostępu
[4:29:0310/082301.807026:ERROR:bus.cc(397)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Brak dostępu
[36:36:0310/082302.560984:ERROR:sandbox_linux.cc(377)] InitializeSandbox() called with multiple threads in process gpu-process.
[4:100:0310/082302.634668:ERROR:bus.cc(397)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Brak dostępu
[4:100:0310/082302.634724:ERROR:bus.cc(397)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Brak dostępu
[4:100:0310/082302.634783:ERROR:bus.cc(397)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Brak dostępu
[4:100:0310/082302.634831:ERROR:bus.cc(397)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Brak dostępu
[4:100:0310/082302.634870:ERROR:bus.cc(397)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Brak dostępu
[4:54:0310/082303.690763:ERROR:object_proxy.cc(623)] Failed to call method: org.kde.KWallet.isEnabled: object_path= /modules/kwalletd5: org.freedesktop.DBus.Error.NoReply: Message recipient disconnected from message bus without replying
[4:54:0310/082303.690800:ERROR:kwallet_dbus.cc(100)] Error contacting kwalletd5 (isEnabled)
[4:54:0310/082303.691363:ERROR:object_proxy.cc(623)] Failed to call method: org.kde.KLauncher.start_service_by_desktop_name: object_path= /KLauncher: org.freedesktop.DBus.Error.ServiceUnknown: The name org.kde.klauncher was not provided by any .service files
[4:54:0310/082303.691381:ERROR:kwallet_dbus.cc(72)] Error contacting klauncher to start kwalletd5
[4:54:0310/082304.075469:ERROR:object_proxy.cc(623)] Failed to call method: org.kde.KWallet.close: object_path= /modules/kwalletd5: org.freedesktop.DBus.Error.NoReply: Message recipient disconnected from message bus without replying
[4:54:0310/082304.076786:ERROR:kwallet_dbus.cc(418)] Error contacting kwalletd5 (close)
[4:61:0310/082307.152013:ERROR:chrome_browser_main_extra_parts_metrics.cc(227)] START: ReportBluetoothAvailability(). If you don't see the END: message, this is crbug.com/1216328.
[4:61:0310/082307.152480:ERROR:chrome_browser_main_extra_parts_metrics.cc(230)] END: ReportBluetoothAvailability()
[37:47:0310/082338.362955:ERROR:object_proxy.cc(623)] Failed to call method: org.kde.KWallet.isEnabled: object_path= /modules/kwalletd5: org.freedesktop.DBus.Error.NoReply: Message recipient disconnected from message bus without replying
[37:47:0310/082338.362996:ERROR:kwallet_dbus.cc(100)] Error contacting kwalletd5 (isEnabled)
[37:47:0310/082338.364082:ERROR:object_proxy.cc(623)] Failed to call method: org.kde.KLauncher.start_service_by_desktop_name: object_path= /KLauncher: org.freedesktop.DBus.Error.ServiceUnknown: The name org.kde.klauncher was not provided by any .service files
[37:47:0310/082338.364103:ERROR:kwallet_dbus.cc(72)] Error contacting klauncher to start kwalletd5
[37:47:0310/082338.648748:ERROR:object_proxy.cc(623)] Failed to call method: org.kde.KWallet.close: object_path= /modules/kwalletd5: org.freedesktop.DBus.Error.NoReply: Message recipient disconnected from message bus without replying
[37:47:0310/082338.648783:ERROR:kwallet_dbus.cc(418)] Error contacting kwalletd5 (close)
Parent is shutting down, bye...
```
This doesn't work:
```
firejail --private=/home/user/Data/jail/ --noprofile /usr/bin/chromium
Parent pid 1889, child pid 1890
Child process initialized in 26.64 ms
[34:34:0310/083007.020228:ERROR:sandbox_linux.cc(377)] InitializeSandbox() called with multiple threads in process gpu-process.
[4:113:0310/083007.366998:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.DBus.Properties.Get: object_path= /org/freedesktop/UPower: org.freedesktop.systemd1.UnitMasked: Unit upower.service is masked.
[4:113:0310/083007.367944:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.UPower.GetDisplayDevice: object_path= /org/freedesktop/UPower: org.freedesktop.systemd1.UnitMasked: Unit upower.service is masked.
[4:113:0310/083007.368613:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.UPower.EnumerateDevices: object_path= /org/freedesktop/UPower: org.freedesktop.systemd1.UnitMasked: Unit upower.service is masked.
[4:51:0310/083008.214835:ERROR:object_proxy.cc(623)] Failed to call method: org.kde.KWallet.isEnabled: object_path= /modules/kwalletd5: org.freedesktop.DBus.Error.NoReply: Message recipient disconnected from message bus without replying
[4:51:0310/083008.214872:ERROR:kwallet_dbus.cc(100)] Error contacting kwalletd5 (isEnabled)
[4:51:0310/083008.217861:ERROR:object_proxy.cc(623)] Failed to call method: org.kde.KLauncher.start_service_by_desktop_name: object_path= /KLauncher: org.freedesktop.DBus.Error.ServiceUnknown: The name org.kde.klauncher was not provided by any .service files
[4:51:0310/083008.217904:ERROR:kwallet_dbus.cc(72)] Error contacting klauncher to start kwalletd5
[4:51:0310/083008.566695:ERROR:object_proxy.cc(623)] Failed to call method: org.kde.KWallet.close: object_path= /modules/kwalletd5: org.freedesktop.DBus.Error.NoReply: Message recipient disconnected from message bus without replying
[4:51:0310/083008.566733:ERROR:kwallet_dbus.cc(418)] Error contacting kwalletd5 (close)
[4:48:0310/083010.652529:ERROR:chrome_browser_main_extra_parts_metrics.cc(227)] START: ReportBluetoothAvailability(). If you don't see the END: message, this is crbug.com/1216328.
[4:48:0310/083010.652566:ERROR:chrome_browser_main_extra_parts_metrics.cc(230)] END: ReportBluetoothAvailability()
Parent is shutting down, bye...
```
With this uploading works:
```
firejail --noprofile /usr/bin/chromium
Parent pid 2131, child pid 2132
Child process initialized in 28.29 ms
[2:93:0310/083059.708288:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.DBus.Properties.Get: object_path= /org/freedesktop/UPower: org.freedesktop.systemd1.UnitMasked: Unit upower.service is masked.
[2:93:0310/083059.709199:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.UPower.GetDisplayDevice: object_path= /org/freedesktop/UPower: org.freedesktop.systemd1.UnitMasked: Unit upower.service is masked.
[2:93:0310/083059.709989:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.UPower.EnumerateDevices: object_path= /org/freedesktop/UPower: org.freedesktop.systemd1.UnitMasked: Unit upower.service is masked.
[33:33:0310/083059.787593:ERROR:sandbox_linux.cc(377)] InitializeSandbox() called with multiple threads in process gpu-process.
[2:48:0310/083103.620897:ERROR:chrome_browser_main_extra_parts_metrics.cc(227)] START: ReportBluetoothAvailability(). If you don't see the END: message, this is crbug.com/1216328.
[2:48:0310/083103.621051:ERROR:chrome_browser_main_extra_parts_metrics.cc(230)] END: ReportBluetoothAvailability()
Parent is shutting down, bye...
```
I am not sure about apparmor. I have it installed but as far as I remember I don't use it, perhaps I blocked it a long time ago. But Firefox works with default Firefox profile and upload works.
My chromium.local
```
# Firejail profile for chromium
# Description: A web browser built for speed, simplicity, and security
# This file is overwritten after every install/update
# Persistent local customizations
include chromium.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.cache/chromium
noblacklist ${HOME}/.config/chromium
noblacklist ${HOME}/.config/chromium-flags.conf
mkdir ${HOME}/.cache/chromium
mkdir ${HOME}/.config/chromium
whitelist ${HOME}/.cache/chromium
whitelist ${HOME}/.config/chromium
whitelist ${HOME}/.config/chromium-flags.conf
whitelist /usr/share/chromium
include whitelist-common.inc
whitelist ~/Downloads
noblacklist ~/Downloads
# private-bin chromium,chromium-browser,chromedriver
# Redirect
include chromium-common.profile
```
> When I add nodbus it opens different dialog, I guess it is gtk dialog - not Plasma KDE - and I can upload. But when I save file with this setting and this dialog I can't see them in Dolphin.

I'm not familiar with KDE but there's a comment on the last line in /etc/firejail/chromium-common.profile that you might try:
```
# The file dialog needs to work without d-bus.
?HAS_NODBUS: env NO_CHROME_KDE_FILE_DIALOG=1
```
As a quick test you can add it without the conditional, just to double-check if you can get your Plasma tools working in the sandbox. Add the below line to your chromium.local and run your command again:
It doesn't change anything. I need to rephrase this: "Expected behavior would be to be able to download / upload files in Chromium from Plasma KDE dialog and when downloaded, see them in Dolphin."
I don't care what dialog chromium uses gtk or KDE. The problem is that I can't see the files downloaded with gtk dialog in Dolphin. If I could see them, that would solve the problem. Maybe I should install something in my system?
The other thing is that when I run Chromium without Firejail it uses KDE dialog and uploads files correctly. So, the conclusion is there is something in profiles or firejail that makes a difference.
> I don't care what dialog chromium uses gtk or KDE. The problem is that I can't see the files downloaded with gtk dialog in Dolphin. If I could see them, that would solve the problem.

Does your dolphin run firejailed too?
You can transfer out the downloaded file(s) to your real filesystem for Dolphin:
```
--get=name|pid filename
    Retrieve the container file and store it on the host in the current working directory. The container is specified by name or PID.
```
> Chromium doesn't allow to upload file for example to imgur. I am using Chromium on Plasma KDE. Imgur shows error.
>
> The other thing is that when I run Chromium without Firejail it uses KDE dialog and uploads files correctly.

I've put together a test profile to debug this. The private option is inside the file as you can see. Just to keep the command a bit shorter, shouldn't make any functional difference.
Please download this file, place it in your ~/Data/jail/.config/firejail dir as fj-issue-5032.profile and run with the debug option:
```
$ firejail --debug --profile=~/Data/jail/.config/firejail/fj-issue-5032.profile /usr/bin/chromium | tee -a ~/Downloads/fj-issue-5032.log
```
Try downloading/uploading, do some browsing etcetera and when you're done, upload the resulting ~/Downloads/fj-issue-5032.log somewhere (or post it here, as you prefer). I still cannot reproduce, but I don't have KDE (which shouldn't really matter here).
With fj-issue-5032.profile profile file dialog within Chromium couldn't be open.
https://i.imgur.com/1bnogBR.png
when I pressed "choose photo" nothing happened, no dialog appeared.
log and also output from terminal:
fj-issue-5032.log
The fact that dialog doesn't appear is caused by:
```
include chromium-common-hardened.inc.profile
```
but when I hashed it I still can't upload with above profile
I'm out of ideas on this one. Copy chromium.profile and chromium-common.profile from /etc/firejail to your ~/Data/jail/.config/firejail and start commenting lines until you get a working configuration.
I've had the same problem with Chromium using openSUSE with KDE for a couple of months. Downloads only work directly into the downloads folder. Saving web pages only works using the print option. Uploads don’t work at all.
I found that uncommenting the noroot option in `/etc/firejail/chromium-common-hardened.inc.profile` does the trick for me.
However, I usually keep the noroot option enabled. I only disable it when I know that I want to upload something. Sometimes I just use Firefox instead in these rare occasions which has noroot enabled per default.
The hardened profile isn’t enabled per default in openSUSE. You have to manually uncomment the `include chromium-common-hardened.inc.profile` line in `/etc/firejail/chromium-common.profile`.
Maybe the noroot option is hidden somewhere else in one of the various profiles chromium uses.
> I found that uncommenting the noroot option ... does the trick for me.

@Kebron718 That's some impressive detective work. Never suspected noroot could have anything to do with uploading files in a web browser. But I'm not at all familiar with this one. Still, I wonder if any of you is using anything 'special' in ~/.config/chromium-flags.conf or wrapper scripts by any chance?
> The hardened profile isn’t enabled per default in openSUSE.

The extra hardening is always disabled by default, regardless of distro.
> Maybe the noroot option is hidden somewhere else in one of the various profiles chromium uses.

No it's only in chromium-common-hardened.inc.profile AFAICT (it should be).
So a one-liner `ignore noroot` placed in a `~/.config/firejail/chromium-common-hardened.inc.local` should suffice for users facing this issue.
Although I am not a programmer I think that this issue may be connected to dbus options because with gtk dialog it works. The problem is how chromium in firejail "communicates" with kde system.
This wiki shows many dbus options but I have no idea what they do.
There was a discussion about #3184
The discussion you're referring to is now reality. Has been for a while. Firejail has integrated xdg-dbus-proxy (you should install that package if it isn't!) and the 'newish' options are considered stable and pretty much feature-complete. This provides the much wanted finer-grained control earlier versions were missing. That implied implementing a more complex set of options to control D-Bus and I can see how that would need time to get familiar with. But in the case of chromium it's actually quite simple. By default chromium-common.profile grants full access to the D-Bus session bus and only blocks the system bus (which most programs don't need access to):
```
[...]
#dbus-user none - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector.
dbus-system none
[...]
```
We already discussed NO_CHROME_KDE_FILE_DIALOG=1 above and it didn't make any difference for your issue as you reported. So I see only one more thing you can try in this D-Bus context and that's granting full access to the system bus too.
> The problem is how chromium in firejail "communicates" with kde system.

Most, if not all the DE-related files for both GTK and QT/KDE reside in the included *.inc files in the profile. To check if you need any additional stuff, try not including any of those, just as a test to see if that changes anything. Together with the above D-Bus remarks that brings me to the below ~/.config/firejail/chromium-common.local:
```
ignore include disable-common.inc
ignore include disable-programs.inc
ignore whitelist /usr/share/mozilla/extensions
ignore whitelist /usr/share/webext
ignore include whitelist-common.inc
ignore include whitelist-usr-share-common.inc
ignore dbus-system none
```
Just make sure you don't have anything in globals.local and existing chromium{,-common}.local files that might throw sand in the machine.
File-dialog broken by noroot on KDE? Sounds like portals.
@rusty-snake Thanks for joining in. Obviously I don't understand the problem at hand and all I'm achieving here is confusing the OP. And myself for that matter. Twice already @omega3 said ignore noroot doesn't work for him, here and here. Also, like mentioned above, chrome-common.profile doesn't filter dbus-user. noroot can still break things on KDE, regardless of D-Bus user options?
Some xdg-desktop-portal implementations (in some versions) are broken (for some features) if the sandbox is started with noroot (I know that at least some xdg-desktop-portal-kde versions are affected (under some configurations)). (As you see I don't really know when it happens just that noroot + (some) xdg-desktop-portal impls + some conditions are broken). If chromium uses portals to get a native file-prompt, this may be an issue.
@rusty-snake Thanks for providing context and insights. Sounds a real mess :-) With that many unknowns (the multiple some's in your observations) it would be very difficult to formulate a working solution without flooding the affected profiles with even more comments. See {cachy-browser,firefox.librewolf}.profiles for examples of what I mean. The current count of advisory lines in the dbus section of those is 13, not reassuring :-)
can confirm noroot portal issue with an Electron app when trying to open an "upload" dialog window
```
ERROR:select_file_dialog_impl_portal.cc(698)] Portal returned error: org.freedesktop.DBus.Error.AccessDenied: Portal operation not allowed: Unable to open /proc/PID/root
```
```
apt list xdg-dbus-proxy
xdg-dbus-proxy/bionic,bionic,bionic,now 0.1.3-1~18.04 amd64 [installed,automatic]
apt list xdg-desktop-portal
xdg-desktop-portal/bionic,bionic 1.12.1-1ubuntu1~18.04 amd64 [installed,automatic]
apt list firejail
firejail/bionic,now 0.9.68-3~0ubuntu18.04.0 amd64 [installed]
```
I can also confirm that with Ubuntu 22.04 & using latest Google-Chrome, we are unable to upload anything as well.
I think one issue is that the --private=/folder is not being respected by all aspects of the jailed app, such as Gnome's file selection interface. On Ubuntu 20.04, when you used the open file dialog (CTRL+O), it would look like the opened location was the home folder of the user, while actually being the /folder it was jailed at. With 22.04, however, it always opens the actual $HOME folder and gives a list of all files and folders inside it, despite being unable to actually read any of the files when you try to open them.
Maybe what's happening is that there is some sort of a mismatch that prevents uploads: Gnome is sending one file location that uses the actual $HOME as a point of reference (which the jailed app doesn't have access), whereas the jailed app expects a file that matches the --private=/folder point of reference.
I thought this because, when trying to save files (as someone explained above), the only time a save succeeds is when the save targets $HOME/Downloads as selected by Gnome's file selection interface. All other attempts at saving at other locations fail. And when save succeeds, it actually saves to the jailed /folder/Downloads rather than the selected $HOME/Downloads in Gnome's file selection interface.
I have no real knowledge of the underlying infrastructure so I can't pinpoint the issue any further. This is just what I observe, maybe it will help.
Incidentally, the only error in the console output is:
Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
Hello,
I am also unable to upload files in Ungoogled Chromium when Firejail is enabled:
[9:22:0527/125401.021993:ERROR:select_file_dialog_linux_portal.cc(760)] Portal returned error: org.freedesktop.DBus.Error.AccessDenied: Portal operation not allowed: Unable to open /proc/44295/root
Discussed in https://github.com/netblue30/firejail/discussions/5025
I'm not familiar with KDE but there's a comment on the last line in /etc/firejail/chromium-common.profile that you might try:
As a quick test you can add it without the conditional, just to double-check if you can get your Plasma tools working in the sandbox. Add the below line to your chromium.local and run your command again:
Does that change anything for the better?
I added like this:
`env NO_CHROME_KDE_FILE_DIALOG=1`
both in `/etc/firejail/chromium-common.profile` and `chromium.local` and no change.
Might be a duplicate of https://github.com/netblue30/firejail/issues/4965.
Try adding the below to your /home/user/Data/jail/.config/firejail/chromium.local
Does your dolphin run firejailed too? You can transfer out the downloaded file(s) to your real filesystem for Dolphin:
What does the Imgur error say exactly?
https://i.imgur.com/QvsTaQt.png
No.
Hello omega3,
I've had the same problem with Chromium using openSUSE with KDE for a couple of months. Downloads only work directly into the downloads folder. Saving web pages only works using the print option. Uploads don’t work at all. I found that uncommenting the noroot option in `/etc/firejail/chromium-common-hardened.inc.profile` does the trick for me.
No it's only in chromium-common-hardened.inc.profile AFAICT (it should be). So a one-liner `ignore noroot` placed in a `~/.config/firejail/chromium-common-hardened.inc.local` should suffice for users facing this issue.
Unfortunately, this didn't work for me.
This wiki shows many dbus options but I have no idea what they do. https://man.archlinux.org/man/firejail.1.en There was a discussion about dbus
Although I am not a programmer I think that this issue may be connected to dbus options because with gtk dialog it works. The problem is how chromium in firejail "communicates" with kde system.
Unfortunate to say the least.
It doesn't work. the current setup is in `~/.config/firejail/`:
chromium-common-hardened.inc.local:
chromium-common.local:
chromium.local
The document-portal does not support firejail (or firejail does not support the document-portal, take it as you like).
Hello, I am also unable to upload files in Ungoogled Chromium when Firejail is enabled:
Is there a workaround?
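A diagnostic for the two symptoms this thread converges on, the portal `AccessDenied ... /proc/PID/root` log line and a `noroot` that is still active somewhere in the include chain. This is an added example, not part of the original discussion and not firejail code: the profile contents are constructed, simplified stand-ins for the files named above, `find_portal_denials`, `trace_option` and `demo` are hypothetical helper names, and the include/`ignore` handling is a simplified model of how firejail reads profiles.

```python
import re
import tempfile
from pathlib import Path

# Error signature quoted in this thread (Chromium/Electron portal file dialog).
PORTAL_DENIED = re.compile(
    r"Portal returned error: org\.freedesktop\.DBus\.Error\.AccessDenied: "
    r"Portal operation not allowed: Unable to open /proc/(\w+)/root"
)


def find_portal_denials(log_text):
    """Return the /proc/<pid> values named in portal AccessDenied log lines."""
    return PORTAL_DENIED.findall(log_text)


def trace_option(profile_name, search_dirs, option="noroot"):
    """Walk a profile and its includes in file order.

    Returns (effective, events); events are (file, "set" | "ignored") tuples.
    Simplified model (an assumption of this example): plain `include NAME`,
    `ignore CMD` and bare option lines only; no macros, no ?CONDITIONAL: lines.
    """
    ignores, events, seen = [], [], set()

    def resolve(name):
        # First match wins, so list the user directory before /etc/firejail.
        for directory in search_dirs:
            candidate = Path(directory) / name
            if candidate.is_file():
                return candidate
        return None  # this model skips includes that do not exist

    def is_ignored(line):
        return any(line == ig or line.startswith(ig + " ") for ig in ignores)

    def walk(name):
        path = resolve(name)
        if path is None or path in seen:
            return
        seen.add(path)
        for raw in path.read_text().splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if is_ignored(line):
                if line == option:
                    events.append((path.name, "ignored"))
                continue
            if line.startswith("ignore "):
                ignores.append(line[len("ignore "):].strip())
            elif line.startswith("include "):
                walk(line.split(None, 1)[1])
            elif line == option:
                events.append((path.name, "set"))

    walk(profile_name)
    return any(kind == "set" for _, kind in events), events


# Constructed, simplified stand-ins for the profile files named in the thread,
# with the hardened include already uncommented.
SAMPLE_ETC = {
    "chromium.profile": "include chromium.local\ninclude globals.local\n"
                        "include chromium-common.profile\n",
    "chromium-common.profile": "include chromium-common.local\n"
                               "include chromium-common-hardened.inc.profile\n"
                               "dbus-system none\n",
    "chromium-common-hardened.inc.profile":
        "include chromium-common-hardened.inc.local\nnoroot\n",
}

# Log line as quoted in the thread.
SAMPLE_LOG = (
    "[9:22:0527/125401.021993:ERROR:select_file_dialog_linux_portal.cc(760)] "
    "Portal returned error: org.freedesktop.DBus.Error.AccessDenied: "
    "Portal operation not allowed: Unable to open /proc/44295/root\n"
)


def demo(with_override):
    """Build the sample tree in a temp dir and trace `noroot` through it."""
    with tempfile.TemporaryDirectory() as tmp:
        etc, user = Path(tmp, "etc"), Path(tmp, "user")
        etc.mkdir()
        user.mkdir()
        for name, text in SAMPLE_ETC.items():
            (etc / name).write_text(text)
        if with_override:
            local = user / "chromium-common-hardened.inc.local"
            local.write_text("ignore noroot\n")
        return trace_option("chromium.profile", [user, etc])


if __name__ == "__main__":
    print("portal denials for PIDs:", find_portal_denials(SAMPLE_LOG))
    for override in (False, True):
        effective, events = demo(override)
        print(f"override={override}: noroot effective={effective}, {events}")
```

On a real system, pass `[Path.home() / ".config/firejail", "/etc/firejail"]` as `search_dirs` and feed the sandbox's terminal output to `find_portal_denials`.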