netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

mpv: cannot open files via dolphin #6197

Open aardbol opened 8 months ago

aardbol commented 8 months ago

Description

Opening videos in mpv via Dolphin doesn't work. mpv doesn't even start. But opening mpv and dragging and dropping the video from the same location works and the video will be played.

Steps to Reproduce

Browse to the folder. Open the video file and see that mpv won't start.

Run mpv video in terminal. In terminal error: Error: cannot access profile file: globals.local

The behavior works in the Downloads folder though

Expected behavior

Video plays

Actual behavior

Nothing.

Behavior without a profile

Same behavior

Additional context

The folder containing video files has been whitelisted and set read-only.

Environment

Arch with latest firejail

Checklist

Log

Output of LC_ALL=C firejail /path/to/program

```
Error: cannot access profile file: globals.local
```

Output of LC_ALL=C firejail --debug /path/to/program

```
output goes here
```

glitsj16 commented 8 months ago

Thanks for reporting. We'll need a bit more info on your setup though. Are you running Dolphin sandboxed? What does your mpv.desktop look like (either from /usr/share/applications or ~/.local/share/applications)? In other words, do you use firecfg at all?

The mpv profile doesn't include disable-xdg.inc, so it's unclear why your ~/Downloads folder is working while other paths under your user's /home aren't. Can you post that globals.local here please?

rusty-snake commented 8 months ago

Is this a "normal" filesystem or some kind of FUSE like a samba share?

> Behavior without a profile
> Same behavior

Impossible.

aardbol commented 8 months ago

> Is this a "normal" filesystem or some kind of FUSE like a samba share?

local FS yes. BTRFS to be specific.

> > Behavior without a profile
> > Same behavior
>
> Impossible.

You're right, the problem is a bit different:

`firejail --noprofile mpv op.mp4`:

```
Parent pid 872710, child pid 872711
Child process initialized in 5.97 ms
Warning: an existing sandbox was detected. /usr/bin/mpv will run without any additional sandboxing features
[file] Cannot open file 'op.mp4': No such file or directory
Failed to open op.mp4.
Exiting... (Errors when loading file)

Parent is shutting down, bye...
```

aardbol commented 8 months ago

> Thanks for reporting. We'll need a bit more info on your setup though. Are you running Dolphin sandboxed? What does your mpv.desktop look like (either from /usr/share/applications or ~/.local/share/applications)? In other words, do you use firecfg at all?
>
> The mpv profile doesn't include disable-xdg.inc, so it's unclear why your ~/Downloads folder is working while other paths under your user's /home aren't. Can you post that globals.local here please?

Yes, Dolphin is also sandboxed, via firecfg, no custom local config.

In /usr/share/applications:

```
[Desktop Entry]
Type=Application
Name=mpv Media Player
GenericName=Multimedia player
Comment=Play movies and songs
Icon=mpv
TryExec=mpv
Exec=mpv --player-operation-mode=pseudo-gui -- %U
Terminal=false
Categories=AudioVideo;Audio;Video;Player;TV;
MimeType=application/ogg;application/x-ogg;application/mxf;application/sdp;application/smil;application/x-smil;appl>
X-KDE-Protocols=ftp,http,https,mms,rtmp,rtsp,sftp,smb,srt,rist,webdav,webdavs
StartupWMClass=mpv
```

mpv.local:

```
private-bin env,mpv,python*,waf,youtube-dl,yt-dlp,ls

whitelist ${HOME}/.SiriKali
read-only ${HOME}/.SiriKali

whitelist ${HOME}/z_nobackup
read-only ${HOME}/z_nobackup
```

glitsj16 commented 8 months ago

> $ firejail --noprofile mpv op.mp4
> Warning: an existing sandbox was detected. /usr/bin/mpv will run without any additional sandboxing features

This is a common mistake. Always use the full path to the application's executable (in this case `/usr/bin/mpv`). If you don't, the command actually tries to execute `firejail firejail mpv ...`, which throws firejail into confusion. I'm not saying this is the cause of your issue, but it sure makes things much harder to debug.

> Yes Dolphin is also sandboxed, via firecfg, no custom local config.

How exactly did you add dolphin to firecfg? It isn't in `/etc/firejail/firecfg.config` by default.

> mpv.local [...] private-bin env,mpv,python*,waf,youtube-dl,yt-dlp,ls

Our mpv.profile already has `private-bin env,mpv,python*,waf,youtube-dl,yt-dlp`. If you want to add other binaries to it, just use `private-bin ls` in mpv.local. The private-bin option is cumulative.

Please make these changes and post output from

```
$ firejail --noprofile /usr/bin/mpv /full/path/to/op.mp4
```

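
A check for the `firejail firejail mpv ...` situation described in the comment above, added here as an example; it is not part of the thread or of the firejail project. It assumes firecfg-installed launchers are symlinks that resolve to a file named `firejail`; `firejail_target`, `make_demo_tree` and the temporary tree are constructed for illustration.

```shell
#!/bin/sh
# firejail_target NAME [SEARCHPATH]
# Walks SEARCHPATH (default: $PATH) the way the shell resolves a bare command
# name. Prints "wrapped <path>" if a symlink to firejail is found before the
# real binary, "direct <path>" otherwise; returns 1 if no real binary exists.
firejail_target() {
    name=$1 search=${2:-$PATH} state=direct
    old_ifs=$IFS; IFS=:
    for dir in $search; do
        IFS=$old_ifs
        cand="${dir:-.}/$name"
        { [ -x "$cand" ] && [ ! -d "$cand" ]; } || continue
        real=$(readlink -f "$cand") || continue
        if [ "$(basename "$real")" = firejail ]; then
            state=wrapped        # the bare name would start firejail first
            continue
        fi
        printf '%s %s\n' "$state" "$cand"   # first non-firejail hit is the program
        return 0
    done
    IFS=$old_ifs
    return 1
}

# Constructed layout mimicking a firecfg setup: local/bin/mpv -> bin/firejail.
make_demo_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/local/bin" "$t/bin"
    for f in firejail mpv ls; do
        printf '#!/bin/sh\n' > "$t/bin/$f"
        chmod +x "$t/bin/$f"
    done
    ln -s "$t/bin/firejail" "$t/local/bin/mpv"
    echo "$t"
}

demo() {
    t=$(make_demo_tree) || return 1
    for prog in mpv ls; do
        firejail_target "$prog" "$t/local/bin:$t/bin"
    done
    rm -rf "$t"
}
demo
```

When the result starts with `wrapped`, the printed path is the one to pass to `firejail` instead of the bare name.
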
aardbol commented 8 months ago

> > Yes Dolphin is also sandboxed, via firecfg, no custom local config.
>
> How exactly did you add dolphin to firecfg? It isn't in /etc/firejail/firecfg.config by default.

Good eye, it's not sandboxed. I didn't know about that file.

> Please make these changes and post output from
>
> $ firejail --noprofile /usr/bin/mpv /full/path/to/op.mp4

Same problem as before if given the relative path of the video. Absolute path works.

glitsj16 commented 8 months ago

> Same problem as before if it's the relative path. Absolute path works.

Out of ideas here. I'd check (the Exec=... line in) ~/.local/share/applications/mpv.desktop, but I assume you've already done so. And mimeapps.list (both in ~/.config & ~/.local/share/applications). Hopefully someone with actual KDE/Dolphin experience chimes in.

aardbol commented 7 months ago

I have the same issue with gwenview opening an image from a mounted cryptomator container. Path: /home/*/.local/share/Cryptomator. Disabling gwenview in firecfg makes it work again.

rashadgasimli commented 5 months ago

However, mpv can play videos and music from /home/$USER/Videos and /home/$USER/Music, and gwenview can also show images from /home/$USER/Pictures.