netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0
5.68k stars, 557 forks

gwenview: Cannot access images on sftp:// URI #6162

Open minhng99 opened 7 months ago

minhng99 commented 7 months ago

Description

Gwenview shows the error `Socket create failed: Operation not supported` when attempting to open any image with the sftp:// URI.

Steps to Reproduce

Steps to reproduce the behavior

  1. Open Dolphin, access a remote sftp server that has pictures in it.
  2. Attempt to open said picture using Gwenview.

or

Run Gwenview with this command: `/usr/bin/firejail /usr/bin/gwenview sftp://root@192.168.1.20/picture.jpg`

Expected behavior

The picture should be displayed normally.

Actual behavior

The picture never loads, Gwenview shows Socket create failed: Operation not supported

Behavior without a profile

The application works normally.

Additional context

Environment

Checklist

Log

Output of LC_ALL=C firejail /path/to/program

```
Reading profile /etc/firejail/gwenview.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 13733, child pid 13734
45 programs installed in 105.49 ms
Warning: skipping alternatives for private /etc
Warning: skipping kde4rc for private /etc
Warning: skipping kde5rc for private /etc
Warning: skipping ld.so.preload for private /etc
Private /etc installed in 5.17 ms
Private /usr/etc installed in 0.00 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: not remounting /home/user/.ssh/authorized_keys
Warning: not remounting /run/user/1000/doc
Warning: not remounting /run/user/1000/kio-fuse-LcPmjF
Warning: cleaning all supplementary groups
Child process initialized in 148.88 ms
kf.config.core: Created a KConfigGroup on an inaccessible config location "baloofilerc" "Basic Settings"
UdevQt: unable to create udev monitor connection
kf.i18n.kuit: "Unknown subcue ':whatsthis,' in UI marker in context {@info:whatsthis, %1 the action's text}."
kf.config.core: Created a KConfigGroup on an inaccessible config location "baloofilerc" "Basic Settings"
org.kde.kdegraphics.gwenview.lib: Unresolved mime type "image/x-aptus-mos"
org.kde.kdegraphics.gwenview.lib: Unresolved mime type "image/x-arq"
org.kde.kdegraphics.gwenview.lib: Unresolved mime type "image/x-bay"
org.kde.kdegraphics.gwenview.lib: Unresolved mime type "image/x-bmq"
org.kde.kdegraphics.gwenview.lib: Unresolved mime type "image/x-cap"
org.kde.kdegraphics.gwenview.lib: Unresolved mime type "image/x-cine"
org.kde.kdegraphics.gwenview.lib: Unresolved mime type "image/x-cs1"
org.kde.kdegraphics.gwenview.lib: Unresolved mime type "image/x-dc2"
org.kde.kdegraphics.gwenview.lib: Unresolved mime type "image/x-drf"
org.kde.kdegraphics.gwenview.lib: Unresolved mime type "image/x-dxo"
org.kde.kdegraphics.gwenview.lib: Unresolved mime type "image/x-epson-eip"
org.kde.kdegraphics.gwenview.lib: Unresolved mime type "image/x-epson-erf"
org.kde.kdegraphics.gwenview.lib: Unresolved mime type "image/x-fff"
org.kde.kdegraphics.gwenview.lib: Unresolved mime type "image/x-hasselblad-3fr"
org.kde.kdegraphics.gwenview.lib: Unresolved mime type "image/x-iiq"
org.kde.kdegraphics.gwenview.lib: Unresolved mime type "image/x-kodak-dcs"
org.kde.kdegraphics.gwenview.lib: Unresolved mime type "image/x-kodak-kc2"
org.kde.kdegraphics.gwenview.lib: Unresolved mime type "image/x-mamiya-mef"
org.kde.kdegraphics.gwenview.lib: Unresolved mime type "image/x-mfw"
org.kde.kdegraphics.gwenview.lib: Unresolved mime type "image/x-minolta-mdc"
org.kde.kdegraphics.gwenview.lib: Unresolved mime type "image/x-mng"
org.kde.kdegraphics.gwenview.lib: Unresolved mime type "image/x-obm"
org.kde.kdegraphics.gwenview.lib: Unresolved mime type "image/x-ori"
org.kde.kdegraphics.gwenview.lib: Unresolved mime type "image/x-ptx"
org.kde.kdegraphics.gwenview.lib: Unresolved mime type "image/x-pxn"
org.kde.kdegraphics.gwenview.lib: Unresolved mime type "image/x-qtk"
org.kde.kdegraphics.gwenview.lib: Unresolved mime type "image/x-r3d"
org.kde.kdegraphics.gwenview.lib: Unresolved mime type "image/x-raw"
org.kde.kdegraphics.gwenview.lib: Unresolved mime type "image/x-rdc"
org.kde.kdegraphics.gwenview.lib: Unresolved mime type "image/x-rwl"
org.kde.kdegraphics.gwenview.lib: Unresolved mime type "image/x-rwz"
org.kde.kdegraphics.gwenview.lib: Unresolved mime type "image/x-samsung-srw"
org.kde.kdegraphics.gwenview.lib: Unresolved mime type "image/x-sti"
org.kde.kdegraphics.gwenview.lib: Unresolved raw mime type "image/x-samsung-srw"
kf.config.core: Created a KConfigGroup on an inaccessible config location "kwinrc" "org.kde.kdecoration2"
kf.kio.core: "Socket create failed: Operation not supported"
```

Output of LC_ALL=C firejail --debug /path/to/program

rusty-snake commented 7 months ago

> Socket create failed: Operation not supported

```
protocol inet,inet6
```

minhng99 commented 7 months ago

> > Socket create failed: Operation not supported
>
> `protocol inet,inet6`

Yeah, that worked... but there seems to be a problem because the server is accessed with an SSH key, therefore the .ssh has to be whitelisted, which isn't ideal :(

Also, the ssh key askpass dialog isn't click-able or type-able for some reason.

Do you have another idea?

rusty-snake commented 7 months ago

> also, the ssh key askpass dialog isn't click-able or type-able for some reason.

Trial and error it down. Maybe one of

```
ignore include disable-common.inc
ignore include disable-shell.inc

ignore private-bin
ignore private-etc
```

kmk3 commented 7 months ago

@minhng99 on Jan 21:

> > > Socket create failed: Operation not supported
> >
> > `protocol inet,inet6`
>
> Yeah, that worked... but there seems to be a problem because the server is accessed with SSH key, therefore the .ssh has to be whitelisted which isn't ideal :(

Does it work if you add the key to ssh-agent and allow access to the ssh-agent socket in the profile?

The socket is usually in this path:

```
noblacklist /tmp/ssh-*
```
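
Added example, not part of the thread and not firejail project code: a small Python probe for the two things the comments above turn on, namely which socket families the sandbox's `protocol` filter permits and whether the ssh-agent socket is visible at a path matching `/tmp/ssh-*`. It assumes a Linux host; the function names and the suggested invocation `firejail --protocol=unix python3 probe.py` are illustrative choices, and the `filtered` verdict keys on the errno whose message is the "Operation not supported" text in the log.

```python
#!/usr/bin/env python3
"""Probe socket families and ssh-agent socket visibility (illustrative).

Run once as `python3 probe.py` and once under a restrictive filter, e.g.
`firejail --protocol=unix python3 probe.py`, then compare the output.
"""
import errno
import fnmatch
import os
import socket

FAMILIES = {"unix": socket.AF_UNIX, "inet": socket.AF_INET, "inet6": socket.AF_INET6}


def probe_families(factory=socket.socket):
    """Return {family name: verdict} by attempting to create a stream socket."""
    result = {}
    for name, family in FAMILIES.items():
        try:
            factory(family, socket.SOCK_STREAM).close()
            result[name] = "allowed"
        except OSError as exc:
            if exc.errno == errno.EOPNOTSUPP:
                # strerror() for this errno is "Operation not supported"
                result[name] = "filtered"
            elif exc.errno == errno.EAFNOSUPPORT:
                # The kernel lacks the family (e.g. IPv6 disabled); not a sandbox denial
                result[name] = "no kernel support"
            else:
                result[name] = "error: " + os.strerror(exc.errno)
    return result


def agent_socket_status(environ=os.environ, exists=os.path.exists):
    """Report whether SSH_AUTH_SOCK is set, matches /tmp/ssh-*, and is visible."""
    path = environ.get("SSH_AUTH_SOCK")
    if not path:
        return "SSH_AUTH_SOCK unset"
    in_tmp = fnmatch.fnmatch(path, "/tmp/ssh-*")  # pattern from the last comment
    visible = exists(path)  # False when the sandbox hides the path
    return f"{path}: matches /tmp/ssh-*={in_tmp}, visible={visible}"


if __name__ == "__main__":
    for name, verdict in probe_families().items():
        print(f"{name:6} {verdict}")
    print(agent_socket_status())
```

If `SSH_AUTH_SOCK` points somewhere other than `/tmp/ssh-*`, the `noblacklist` line has to name that path instead.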