Open wushangwei opened 2 years ago
Behavior without a profile
Can you create an empty `spectacle.profile` in `~/.config/firejail` and kill all running spectacle processes and try again.
I'm closing here due to inactivity, please feel free to request to reopen if you still have this issue.
Is this related to https://bugs.kde.org/show_bug.cgi?id=446628 ?
Could be.
I think it is related because if I run `firecfg clean` and delete `~/.local/share/applications/org.kde.spectacle.desktop`, then `spectacle` works but `firejail spectacle` does not.
From #5245: spectacle does not even work with

```
$ cat ~/.config/firejail/spectacle.profile
include noprofile.profile
```
Somebody needs to investigate how the Wayland implementation works and what is breaking it.
Maybe (I'm guessing around) it works with `join-or-start spectacle` (maybe in combination with `include noprofile.profile` and nothing else). Or when the dbus activation is firejailed as well using firecfg.py.
The following debug information has been generated from the following environment:

- Distro: Arch Linux
- Firejail version: firejail version 0.9.72 (installed from firejail-git 0.9.72rc1.r8990.c93ac4186-1 in the AUR)
- KDE Plasma: 5.26.5
- Profile: noprofile.profile (set via $HOME/.config/firejail/spectacle.profile)

`LC_ALL=C firejail --debug /usr/bin/spectacle`

```
Building quoted command line: '/usr/bin/spectacle'
Command name #spectacle#
Found spectacle.profile profile in /home/vendion/.config/firejail directory
Reading profile /home/vendion/.config/firejail/spectacle.profile
Found noprofile.profile profile in /etc/firejail directory
Reading profile /etc/firejail/noprofile.profile
DISPLAY=:1 parsed as 1
Using the local network stack
Initializing child process
Parent pid 43373, child pid 43374
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Warning: cannot open source file /usr/lib/firejail/seccomp.debug32, file not copied
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /usr
3936 1865 254:6 /usr /usr ro,relatime master:1 - ext4 /dev/mapper/root rw
mountid=3936 fsname=/usr dir=/usr fstype=ext4
Mounting tmpfs on /var/lock
Create the new utmp file
Mount the new utmp file
Disable /home/vendion/.config/firejail
Disable /run/firejail/sandbox
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
blacklist /run/firejail/dbus
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /dev/port
Disable /dev/kmsg
Disable /proc/kmsg
Not blacklist /sys/fs
Not blacklist /sys/module
Current directory: /home/vendion
DISPLAY=:1 parsed as 1
Masking all X11 sockets except /tmp/.X11-unix/X1
Mounting read-only /run/firejail/mnt/seccomp
3960 3933 0:103 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755,inode64
mountid=3960 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs
Seccomp directory:
ls /run/firejail/mnt/seccomp
drwxr-xr-x root root 120 .
drwxr-xr-x root root 120 ..
-rw-r--r-- vendion vendion 616 seccomp
-rw-r--r-- vendion vendion 432 seccomp.32
-rw-r--r-- vendion vendion 0 seccomp.postexec
-rw-r--r-- vendion vendion 0 seccomp.postexec32
No active seccomp files
Drop privileges: pid 1, uid 1000, gid 1000, force_nogroups 0
Starting application
LD_PRELOAD=(null)
execvp argument 0: /usr/bin/spectacle
Child process initialized in 9.78 ms
monitoring pid 2
Screenshot request failed: "The process is not authorized to take a screenshot"
qt.qpa.wayland: Wayland does not support QWindow::requestActivate()
QPixmap::scaled: Pixmap is a null pixmap
Sandbox monitor: waitpid 2 retval 2 status 0
Parent is shutting down, bye...
```
https://github.com/flameshot-org/flameshot/issues/1380#issue-812908678:

> - KWin requires you to use the D-Bus.
> - KWin enforces security by ensuring you have the `X-KDE-DBUS-Restricted-Interfaces` key with the value `org.kde.kwin.Screenshot`.
> - KWin uses something called KApplicationTrader to find the desktop file of the process and check if the aforementioned key exists. It compares the `Exec` key in the desktop files and the executable location obtained from procfs to do so.
> - Flameshot does not specify the full path to the binary in its desktop file, unlike Spectacle.
> - Flameshot sets the `X-KDE-DBUS-Restricted-Interfaces` key to `org_kde_kwin_effect-screenshot` instead of `org.kde.kwin.Screenshot`.
That's what I feared.
> executable location obtained from procfs
~~May relate to #5035. I'm not sure which pid it exactly looks at and which file it uses and if this then works or not.~~
Update: Relates to #5035 because it looks at `/proc/<pid>/exe` and then the pid doesn't matter. And this symlink needs to return the same path as used by `Exec=` in the desktop file.
https://github.com/KDE/kwin/blob/master/src/wayland/utils/executable_path_proc.cpp and https://github.com/KDE/kservice/blob/master/src/services/kapplicationtrader.cpp seem to be the relevant files.
If we can foul KApplicationTrader it would be the simplest workaround.
> full path to the binary in its desktop file
This becomes really difficult to implement. If possible at all.
I'm having the same issue. In the interim I commented Spectacle out of `/etc/firejail/firecfg.config` and deleted the .desktop file in `.local/share/applications`.

This works until the next time `firecfg` runs (which for me is every update). The desktop file is regenerated. How can that be prevented?
> I'm having the same issue. In the interim I commented Spectacle out of `/etc/firejail/firecfg.config` and deleted the .desktop file in `.local/share/applications`. This works until the next time `firecfg` runs (which for me is every update). The desktop file is regenerated. How can that be prevented?
Removing it from firecfg.config should have been enough; see also:

> As a workaround, manually create an override in `~/bin` and/or `~/.local/share/applications` that calls `/usr/bin/spectacle` instead of just `spectacle`.
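As an added example (not code from KWin, KService, firecfg or firejail), the following Python models the check described earlier in the thread, where the path named by the desktop file's `Exec=` key is compared against the executable reported in `/proc/<pid>/exe`, together with the `X-KDE-DBUS-Restricted-Interfaces` key from the flameshot issue, and then applies the full-path override suggested just above to show why that override passes the check. Everything in it is constructed: the desktop files, the `PATH` list, the set of paths assumed to exist, the assumption that a bare `Exec=` name is resolved along `PATH`, and the assumption (consistent with `execvp argument 0: /usr/bin/spectacle` in the debug log) that the sandboxed process reports `/usr/bin/spectacle` as its exe.

```python
"""Simplified model of the desktop-file authorization check discussed in the
thread.  Constructed example; not KWin's, KService's or firejail's own code."""
from __future__ import annotations

import shlex

RESTRICTED_KEY = "X-KDE-DBUS-Restricted-Interfaces"
SCREENSHOT_IFACE = "org.kde.kwin.Screenshot"

# Constructed stand-in for the filesystem: paths assumed to exist on the box.
# /usr/local/bin/spectacle stands for the symlink firecfg creates (it points at firejail).
EXISTING = {"/usr/local/bin/spectacle", "/usr/bin/spectacle", "/usr/bin/firejail", "/usr/bin/flameshot"}
PATH_DIRS = ["/usr/local/bin", "/usr/bin"]  # assumed PATH order, /usr/local/bin first

# Constructed desktop files, trimmed to the keys the check needs.
SPECTACLE_BARE = """[Desktop Entry]
Name=Spectacle
Exec=spectacle %u
X-KDE-DBUS-Restricted-Interfaces=org.kde.kwin.Screenshot
"""
FLAMESHOT = """[Desktop Entry]
Name=Flameshot
Exec=flameshot
X-KDE-DBUS-Restricted-Interfaces=org_kde_kwin_effect-screenshot
"""


def parse_desktop_entry(text: str) -> dict[str, str]:
    """Return the key/value pairs of the [Desktop Entry] group only."""
    entries: dict[str, str] = {}
    in_group = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip()] = value.strip()
    return entries


def resolve_exec(exec_value: str, path_dirs: list[str], existing: set[str]) -> str | None:
    """Path the Exec= program would be launched from, or None if not found."""
    argv = shlex.split(exec_value)
    if not argv:
        return None
    prog = argv[0]
    if prog.startswith("/"):
        return prog if prog in existing else None
    for d in path_dirs:  # assumption of this model: bare names are looked up along PATH
        candidate = f"{d}/{prog}"
        if candidate in existing:
            return candidate
    return None


def authorized(desktop_text: str, proc_exe: str,
               path_dirs: list[str] = PATH_DIRS, existing: set[str] = EXISTING) -> tuple[bool, str]:
    """Model verdict for a requesting process whose /proc/<pid>/exe is `proc_exe`."""
    entries = parse_desktop_entry(desktop_text)
    ifaces = [s.strip() for s in entries.get(RESTRICTED_KEY, "").split(",") if s.strip()]
    if SCREENSHOT_IFACE not in ifaces:
        return False, f"{RESTRICTED_KEY} does not list {SCREENSHOT_IFACE}"
    exec_path = resolve_exec(entries.get("Exec", ""), path_dirs, existing)
    if exec_path is None:
        return False, "Exec= program not found"
    if exec_path != proc_exe:
        return False, f"Exec= resolves to {exec_path}, /proc/<pid>/exe is {proc_exe}"
    return True, "ok"


def rewrite_exec_fullpath(desktop_text: str, bare: str, full: str) -> str:
    """The override from the thread: replace a bare Exec= program name with its full path."""
    out = []
    for line in desktop_text.splitlines():
        if line.startswith("Exec="):
            argv = shlex.split(line[len("Exec="):])
            if argv and argv[0] == bare:
                argv[0] = full
                line = "Exec=" + " ".join(argv)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Firejail execs the real binary, so the sandboxed process reports /usr/bin/spectacle,
    # while the bare "spectacle" is found first as the /usr/local/bin symlink: mismatch.
    print(authorized(SPECTACLE_BARE, "/usr/bin/spectacle"))
    fixed = rewrite_exec_fullpath(SPECTACLE_BARE, "spectacle", "/usr/bin/spectacle")
    print(authorized(fixed, "/usr/bin/spectacle"))
    print(authorized(FLAMESHOT, "/usr/bin/flameshot"))
```

The model makes the two failure modes in the thread visible side by side: the firecfg symlink case fails on the path comparison even though the key is right, and the flameshot case fails on the key before the path is ever compared. Rewriting `Exec=` to the full path, as the override above does, is what turns the first verdict into `(True, "ok")`.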
#5245 is exactly what I experienced. For now I replaced the file in `.local/share/applications` with the original as a stopgap. That way firecfg thinks the file already exists and doesn't attempt to recreate it.
I can confirm this is still happening, Fedora 38, KDE 5.27.3
Update: you need to remove two offending rules to get it to work on Wayland:
With these changes it appears to work fine on firejail version 0.9.72 on Arch.
@alexpyattaev Nice find. Can you open a PR and fix our spectacle.profile?
I am not sure if my "fix" is a good one. In particular, I am unsure if a narrower profile would work, or even what exactly the noroot command does :) Should I make a PR?
On Wed 13 Sep 2023 at 4:34 glitsj16 @.***> wrote:

> @alexpyattaev https://github.com/alexpyattaev Nice find. Can you open a PR and fix our spectacle.profile?
> I am not sure if my "fix" is a good one. In particular, I am unsure if a narrower profile would work, or even what exactly noroot command does:) Should I make a PR?
That's understandable, although your reasoning looks sound to me. Let's wait for the OP and others to chime in before acting on this.
> That's understandable, although your reasoning looks sound to me.
Well that is what makes it scary - it is just good enough to pass the "sanity check" while being made entirely of guesswork and assumptions. Kinda like GPT4 programming.
noroot was already known since https://github.com/netblue30/firejail/issues/5127#issuecomment-1383179762
UPDATE: more testing carried out on my OpenSUSE Tumbleweed with KDE Wayland:

- `ignore noroot` and `ignore private-dev` are needed
- `org.kde.KWin.Screenshot2` besides the already present `org.kde.{S,s}pectacle` and several other `org.kde.KWin.*` addresses
- screenrecording (in webm or mp4 format) too (so we better open up `${VIDEOS}` and drop `no3d`)

I'll need some more time putting together a profile that can deliver all this functionality in a reasonably secure way.
There is an additional aspect to this. Apparently, the `~/.local/share/applications/org.kde.spectacle.desktop` that firecfg makes somehow manages to make dbus forget that the application has `X-KDE-Wayland-Interfaces=zkde_screencast_unstable_v1` permission, which in turn makes the Pipewire daemon deny access to the screen recording.

Removing the .desktop file fixes the issue (as the system builtin file is used instead), but firejail remakes the user's local file, making spectacle fail to start. I am unsure what the problem is, as the line in .desktop that enables access to pipewire is still in place.
something that may be interesting: not only spectacle broke, but also Firefox screenshots and Ctrl+P Website printing and Flameshot Flatpak. Is this related? Would all these need separate profiles?
@alexpyattaev I did notice the 'weirdness' of the spectacle desktop file(s) too. Not exactly sure what `firecfg` does to it (personally never used it), but AFAICT it's coded with the assumption that replacing `DBusActivatable=true` with `DBusActivatable=false` avoids D-Bus activation. But there's no such entry in the spectacle desktop file AFAICT. Maybe using firecfg.py from @rusty-snake might help here, don't know.
Anyway, here are my latest findings. Note that I've always opted to start the app with its `-l` flag (Launch Spectacle without taking a screenshot) from CLI to keep output sane while experimenting:

```
$ QT_QPA_PLATFORM=wayland firejail --ignore=quiet /usr/bin/spectacle -l
```
Putting together a reliably working `dbus-user filter` combo (for both screenshot and screenrecording) drove me nuts. Too many variables, too many complications... IMO we should better drop it altogether from spectacle's profile. Obviously this is open for debate and just my opinion, no more, no less.
```
ignore noroot
ignore private-dev
```
If anyone wants to test/confirm/deny, here's my proposed spectacle.profile:
HTH
> something that may be interesting: not only spectacle broke, but also Firefox screenshots and Ctrl+P Website printing and Flameshot Flatpak. Is this related? Would all these need separate profiles?

@firefoxlover Hard to tell whether those are related. Are you seeing all that on KDE Wayland? Or how should we understand your comment in this issue's context? Please try to describe exactly what broke where. One thing is clear though, Flatpak and Firejail don't mix: https://github.com/netblue30/firejail/blob/eb5c97197b699dbb8ba69e798c86e5e97c36e17e/src/man/firejail.1.in#L82-L84
> something that may be interesting: not only spectacle broke, but also Firefox screenshots and Ctrl+P Website printing and Flameshot Flatpak. Is this related? Would all these need separate profiles?
Firefox and chrome work just fine for me. In Firejail both of them. So I do not think it is 100% related.
Firefox Screenshots: Not blocked by firejail, check your Firefox profile.
Ctrl+P: Unrelated => new issue
This is not my experience though. After removing the .desktop entry generated by firejail it suddenly worked again. I didn't change anything on the profile. Ctrl+P always crashed, and screenshots had really weird issues, getting the wrong areas etc.

I expected a Wayland bug, but on the same system with a different user profile the bugs were completely gone.
After removing the firejail .desktop files, everything was working again.
Removing the local desktop file solves the issue, but that is just a workaround, doesn't solve the actual problem.
This also happens to me when launching `spectacle` from the terminal. My terminal is a Flatpak installation.
Full log:
```
Reading profile /etc/firejail/spectacle.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 383424, child pid 383428
1 program installed in 3.50 ms
Warning: skipping alternatives for private /etc
Warning: skipping ld.so.preload for private /etc
Private /etc installed in 7.35 ms
Private /usr/etc installed in 0.00 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Child process initialized in 138.24 ms
libEGL warning: wayland-egl: could not open /dev/dri/renderD128 (No such file or directory)
On Wayland, Spectacle requires KDE Plasma's KWin compositor, which does not seem to be available. Use Spectacle on KDE Plasma, or use a different screenshot tool.
Failed to create secure directory (/run/user/60311/pulse): Permission denied
ALSA lib confmisc.c:855:(parse_card) cannot find card '0'
ALSA lib conf.c:5204:(_snd_config_evaluate) function snd_func_card_inum returned error: No such file or directory
ALSA lib confmisc.c:422:(snd_func_concat) error evaluating strings
ALSA lib conf.c:5204:(_snd_config_evaluate) function snd_func_concat returned error: No such file or directory
ALSA lib confmisc.c:1342:(snd_func_refer) error evaluating name
ALSA lib conf.c:5204:(_snd_config_evaluate) function snd_func_refer returned error: No such file or directory
ALSA lib conf.c:5727:(snd_config_expand) Evaluate error: No such file or directory
ALSA lib pcm.c:2675:(snd_pcm_open_noupdate) Unknown PCM default
kf.notifications: Failed to play sound with canberra: File or data not found
```
at this point the GUI error message pops up, after hitting OK on it, the log continues:
```
Remember requesting the interface on your desktop file: X-KDE-Wayland-Interfaces=zkde_screencast_unstable_v1
Couldn't start kglobalaccel from org.kde.kglobalaccel.service: QDBusError("org.freedesktop.DBus.Error.ServiceUnknown", "org.freedesktop.DBus.Error.ServiceUnknown")
"applications.menu" not found in ()
QPainter::begin: Paint device returned engine == 0, type: 3
QPainter::setRenderHint: Painter must be active to set rendering hints
QPainter::setRenderHint: Painter must be active to set rendering hints
QPainter::scale: Painter not active
QPainter::worldTransform: Painter not active
QPainter::scale: Painter not active
QPainter::setRenderHint: Painter must be active to set rendering hints
QPainter::scale: Painter not active
QPainter::end: Painter not active, aborted
QPainter::begin: Paint device returned engine == 0, type: 3
QPainter::setRenderHint: Painter must be active to set rendering hints
QPainter::setRenderHint: Painter must be active to set rendering hints
QPainter::scale: Painter not active
QPainter::worldTransform: Painter not active
QPainter::scale: Painter not active
QPainter::setRenderHint: Painter must be active to set rendering hints
QPainter::scale: Painter not active
QPainter::end: Painter not active, aborted
```
Spectacle's window opens, but no screenshot is taken. I set up Pacman to auto generate these entries.
thanks for keeping track of this! I am more interested in bubblejail, but that one has even less tooling, so unless some big org decides to support it, it will take some time to get usable
For me spectacle does not work with the X server either; only removing the symlink from `/usr/local/bin` and the `.desktop` file from `$HOME/.local/share/applications` unlocks it fully. No advice from this issue worked.

Arch, Spectacle 24.02.2, plasma-desktop 6.0.4, xorg-server 21.1.13
given that most distros ship with wayland nowadays, should firejail ship with something like:

```
# enable if you are not on Wayland see https://github.com/netblue30/firejail/issues/5127
!spectacle
```

in firecfg.conf? and this becomes an enhancement to add the profile?
@kmk3

> For me spectacle does not work with the X server either; only removing the symlink from `/usr/local/bin` and the `.desktop` file from `$HOME/.local/share/applications` unlocks it fully. No advice from this issue worked. Arch, Spectacle 24.02.2, plasma-desktop 6.0.4, xorg-server 21.1.13
If you disable it X users will not benefit from it.
> > For me spectacle does not work with the X server either; only removing the symlink from `/usr/local/bin` and the `.desktop` file from `$HOME/.local/share/applications` unlocks it fully. No advice from this issue worked. Arch, Spectacle 24.02.2, plasma-desktop 6.0.4, xorg-server 21.1.13
>
> If you disable it X users will not benefit from it.
The comment you just quoted said that firejailed spectacle does not work on X either.
But even if it did, profiles should work by default on common setups (xorg and wayland) and apparently spectacle does not work at all even with noprofile.profile on plasma/wayland.
The effect is worse for programs that are usually not started from the CLI, as the user will not see stderr, so it's harder to tell that the issue is caused by firejail.
Lastly, in firejail-git you can include more programs in firecfg by adding them to /etc/firejail/firecfg.d/:
Ok, so what is left to complete so we can mark this issue as completed? And as far as I understand (I tried reading the thread), the problem seems to be coming from Spectacle behaving weirdly?
Do we want to do the same for things like `obs` and maybe others whose main functionality depends on screen capture somehow?
Description
Spectacle is not working under KDE Wayland. It opens, but complains "Could not take a screenshot". However, it works under an X11 session.
Steps to Reproduce
Clicking the spectacle desktop shortcut doesn't work.

`kioclient exec /home/nikki/.local/share/applications/org.kde.spectacle.desktop` doesn't work either. Logs are shown in the Log section.
To reduce the dbus errors above, I created ~/.config/firejail/spectacle.local with the following content:
Run the command above again, DBus errors are gone, but left with Screenshot request failed: "The process is not authorized to take a screenshot". Still doesn't work.
Expected behavior
Spectacle should take screenshots normally under KDE Wayland.
Actual behavior
Cannot take screenshots under KDE Wayland. Does not affect X11 session. Console outputs are provided above. If I modify the desktop file, replace "spectacle" with "/usr/bin/spectacle", it will take screenshot normally.
Behavior without a profile
`LC_ALL=C firejail --noprofile kioclient exec /home/nikki/.local/share/applications/org.kde.spectacle.desktop`

Logs are shown in the Log section. Console output is similar to the one after modifying spectacle.local. Doesn't work either.
Additional context
If I simply edit the spectacle desktop file and change the Exec from "spectacle" to "/usr/bin/spectacle", it will work normally.
Environment
Log
Output of `kioclient exec /home/nikki/.local/share/applications/org.kde.spectacle.desktop`:

```
kf.kio.core: Malformed JSON protocol file for protocol: "trash" , number of the ExtraNames fields should match the number of ExtraTypes fields
kf.service.services: KApplicationTrader: mimeType "x-scheme-handler/file" not found
Reading profile /etc/firejail/spectacle.profile
Reading profile /etc/firejail/globals.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 31315, child pid 31326
1 program installed in 2.10 ms
Warning: skipping alternatives for private /etc
Private /etc installed in 6.27 ms
Private /usr/etc installed in 0.00 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Blacklist violations are logged to syslog
Warning: cleaning all supplementary groups
Child process initialized in 114.17 ms
Couldn't start kglobalaccel from org.kde.kglobalaccel.service: QDBusError("org.freedesktop.DBus.Error.ServiceUnknown", "org.freedesktop.DBus.Error.ServiceUnknown")
Error querying plasma version "org.freedesktop.DBus.Error.ServiceUnknown" "org.freedesktop.DBus.Error.ServiceUnknown"
Error querying plasma version "org.freedesktop.DBus.Error.ServiceUnknown" "org.freedesktop.DBus.Error.ServiceUnknown"
Error querying plasma version "org.freedesktop.DBus.Error.ServiceUnknown" "org.freedesktop.DBus.Error.ServiceUnknown"
Error querying plasma version "org.freedesktop.DBus.Error.ServiceUnknown" "org.freedesktop.DBus.Error.ServiceUnknown"
Error querying plasma version "org.freedesktop.DBus.Error.ServiceUnknown" "org.freedesktop.DBus.Error.ServiceUnknown"
kf.config.core: Couldn't write "/home/nikki/.config/spectaclerc" . Disk full?
Error calling KWin DBus interface: "org.freedesktop.DBus.Error.ServiceUnknown" "org.freedesktop.DBus.Error.ServiceUnknown"
libEGL warning: wayland-egl: could not open /dev/dri/renderD128 (没有那个文件或目录)
qt.qpa.wayland: Wayland does not support QWindow::requestActivate()
qt.qpa.wayland: Wayland does not support QWindow::requestActivate()
QPixmap::scaled: Pixmap is a null pixmap
"applications.menu" not found in ()
Parent is shutting down, bye...
```
Output of `kioclient exec /home/nikki/.local/share/applications/org.kde.spectacle.desktop` after modifying spectacle.local:

```
kf.service.services: KApplicationTrader: mimeType "x-scheme-handler/file" not found
Reading profile /etc/firejail/spectacle.profile
Reading profile /home/nikki/.config/firejail/spectacle.local
Reading profile /etc/firejail/globals.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 32061, child pid 32075
1 program installed in 2.35 ms
Warning: skipping alternatives for private /etc
Private /etc installed in 5.47 ms
Private /usr/etc installed in 0.00 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Blacklist violations are logged to syslog
Warning: cleaning all supplementary groups
Child process initialized in 115.37 ms
Screenshot request failed: "The process is not authorized to take a screenshot"
libEGL warning: wayland-egl: could not open /dev/dri/renderD128 (No such file or directory)
qt.qpa.wayland: Wayland does not support QWindow::requestActivate()
QPixmap::scaled: Pixmap is a null pixmap
"applications.menu" not found in ()
Parent is shutting down, bye...
```
Output of `LC_ALL=C firejail --noprofile kioclient exec /home/nikki/.local/share/applications/org.kde.spectacle.desktop`:

```
Parent pid 32543, child pid 32544
Child process initialized in 10.20 ms
kf.service.services: KApplicationTrader: mimeType "x-scheme-handler/file" not found
Warning: an existing sandbox was detected. /usr/bin/spectacle will run without any additional sandboxing features
Screenshot request failed: "The process is not authorized to take a screenshot"
qt.qpa.wayland: Wayland does not support QWindow::requestActivate()
QPixmap::scaled: Pixmap is a null pixmap
Parent is shutting down, bye...
```
Output of `LC_ALL=C firejail --noprofile kioclient exec /usr/share/applications/org.kde.spectacle.desktop`:

```
Parent pid 32875, child pid 32876
Child process initialized in 14.83 ms
kf.service.services: KApplicationTrader: mimeType "x-scheme-handler/file" not found
Screenshot request failed: "The process is not authorized to take a screenshot"
qt.qpa.wayland: Wayland does not support QWindow::requestActivate()
QPixmap::scaled: Pixmap is a null pixmap
Parent is shutting down, bye...
```