netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

firefox: cannot drag and drop files from Dolphin #6444

Closed Utini2000 closed 1 month ago

Utini2000 commented 2 months ago

Description

Drag & Drop of files (e.g. adding attachments in a webmail) does not work with Firefox & KDE Dolphin.

Steps to Reproduce

Open Firefox Browser gmail Create Mail Drag & Drop a .pdf from /home/Downloads/ via Dolphin

Expected behavior

Working drag & drop.

Actual behavior

Drag & Drop not working

Behavior without a profile

_What changed calling `LC_ALL=C firejail --noprofile firefox` in a terminal?_

Then drag & drop will work fine

Additional context

Nope :)

Environment

firefox.local:

private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which,keepassxc-proxy
whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
whitelist ${RUNUSER}/kpxc_server
noblacklist ${RUNUSER}/app
mkdir ${RUNUSER}/app/org.keepassxc.KeePassXC
whitelist ${RUNUSER}/app/org.keepassxc.KeePassXC

# Add the next line to your firefox.local to enable native notifications.
dbus-user.talk org.freedesktop.Notifications
# Add the next line to your firefox.local to allow inhibiting screensavers.
#dbus-user.talk org.freedesktop.ScreenSaver
# Add the next lines to your firefox.local for plasma browser integration.
dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
dbus-user.talk org.kde.JobViewServer
dbus-user.talk org.kde.kuiserver
# Add the next line to your firefox.local to allow screen sharing under wayland.
dbus-user.talk org.freedesktop.portal.Desktop
# Add the next line to your firefox.local if screen sharing sharing still does not work
# with the above lines (might depend on the portal implementation).
ignore noroot

Log

Output of LC_ALL=C firejail /path/to/program

```
Reading profile /etc/firejail/firefox.profile
Reading profile /home/myusername/.config/firejail/firefox.local
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-proc.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 35623, child pid 35627
9 programs installed in 17.04 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: Replacing profile instead of stacking it. It is a legacy behavior that can result in relaxation of the protection. It is here as a temporary measure to unbreak the software that has been broken by switching to the stacking behavior.
Child process initialized in 200.43 ms
[Parent 16, Main Thread] WARNING: g_strv_length: assertion 'str_array != NULL' failed: 'glib warning', file /usr/src/debug/firefox/firefox-129.0.2/toolkit/xre/nsSigHandlers.cpp:187
(firefox:16): GLib-CRITICAL **: 09:11:32.193: g_strv_length: assertion 'str_array != NULL' failed
[Parent 16, Main Thread] WARNING: g_strv_length: assertion 'str_array != NULL' failed: 'glib warning', file /usr/src/debug/firefox/firefox-129.0.2/toolkit/xre/nsSigHandlers.cpp:187
(firefox:16): GLib-CRITICAL **: 09:11:32.194: g_strv_length: assertion 'str_array != NULL' failed
[Parent 16, Main Thread] WARNING: g_strv_length: assertion 'str_array != NULL' failed: 'glib warning', file /usr/src/debug/firefox/firefox-129.0.2/toolkit/xre/nsSigHandlers.cpp:187
(firefox:16): GLib-CRITICAL **: 09:11:32.194: g_strv_length: assertion 'str_array != NULL' failed
^C
Parent received signal 2, shutting down the child process...
Child received signal 2, shutting down the sandbox...
Parent is shutting down, bye...
```

Output of LC_ALL=C firejail --debug /path/to/program

Link: https://gist.github.com/Utini2000/e78b15f511baf946a3c1ebafa15ac449

rusty-snake commented 2 months ago

DnD does not give Firefox an FD but a path. Firefox must be able to open that path.

Try with --allusers to make /home/Downloads visible.

Utini2000 commented 2 months ago

> DnD does not give Firefox an FD but a path. Firefox must be able to open that path.
>
> Try with --allusers to make /home/Downloads visible.

@rusty-snake

That does not work either:

$ LC_ALL=C firejail --allusers firefox
Reading profile /etc/firejail/firefox.profile
Reading profile /home/myusername/.config/firejail/firefox.local
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-proc.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 41155, child pid 41159
9 programs installed in 19.00 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: Replacing profile instead of stacking it. It is a legacy behavior that can result in relaxation of the protection. It is here as a temporary measure to unbreak the software that has been broken by switching to the stacking behavior.
Child process initialized in 197.80 ms
[Parent 16, Main Thread] WARNING: g_strv_length: assertion 'str_array != NULL' failed: 'glib warning', file /usr/src/debug/firefox/firefox-129.0.2/toolkit/xre/nsSigHandlers.cpp:187

(firefox:16): GLib-CRITICAL **: 10:41:47.820: g_strv_length: assertion 'str_array != NULL' failed
[Parent 16, Main Thread] WARNING: g_strv_length: assertion 'str_array != NULL' failed: 'glib warning', file /usr/src/debug/firefox/firefox-129.0.2/toolkit/xre/nsSigHandlers.cpp:187

(firefox:16): GLib-CRITICAL **: 10:41:47.821: g_strv_length: assertion 'str_array != NULL' failed
[Parent 16, Main Thread] WARNING: g_strv_length: assertion 'str_array != NULL' failed: 'glib warning', file /usr/src/debug/firefox/firefox-129.0.2/toolkit/xre/nsSigHandlers.cpp:187

(firefox:16): GLib-CRITICAL **: 10:41:47.821: g_strv_length: assertion 'str_array != NULL' failed
[Parent 16, Main Thread] WARNING: g_strv_length: assertion 'str_array != NULL' failed: 'glib warning', file /usr/src/debug/firefox/firefox-129.0.2/toolkit/xre/nsSigHandlers.cpp:187

(firefox:16): GLib-CRITICAL **: 10:41:59.140: g_strv_length: assertion 'str_array != NULL' failed
[Parent 16, Main Thread] WARNING: g_strv_length: assertion 'str_array != NULL' failed: 'glib warning', file /usr/src/debug/firefox/firefox-129.0.2/toolkit/xre/nsSigHandlers.cpp:187

(firefox:16): GLib-CRITICAL **: 10:41:59.141: g_strv_length: assertion 'str_array != NULL' failed
[Parent 16, Main Thread] WARNING: g_strv_length: assertion 'str_array != NULL' failed: 'glib warning', file /usr/src/debug/firefox/firefox-129.0.2/toolkit/xre/nsSigHandlers.cpp:187

(firefox:16): GLib-CRITICAL **: 10:41:59.141: g_strv_length: assertion 'str_array != NULL' failed

Parent is shutting down, bye...

Utini2000 commented 2 months ago

Any more ideas?

kmk3 commented 2 months ago

This is probably related to dbus; try the following:

Utini2000 commented 2 months ago

@kmk3 Thanks, I disabled the dbus parameters one by one and the ones breaking drag & drop are:

dbus-user none
dbus-user filter

I added these to firefox.local:

ignore dbus-user none
ignore dbus-user filter

No idea if this causes any major security issues but if not, this should be set by default since drag & drop is an essential "feature" with a browser (e.g. sharedrives, picture upload, ....)?

glitsj16 commented 2 months ago

> I added these to firefox.local:
>
> ignore dbus-user none
> ignore dbus-user filter

firefox.profile already has ignore dbus-user none: https://github.com/netblue30/firejail/blob/5edddc918ecbeddcc9c9fff9374e6d51ae4c286b/etc/profile-a-l/firefox.profile#L65

Using ignore dbus-user filter will break URL opening and mpris support. This might not be an issue for you, but it would be much nicer if you could try to find which dbus filters would get DnD working on KDE. Have you seen the dbus comments in firefox.profile and tried some of the KDE-related ones yet? https://github.com/netblue30/firejail/blob/5edddc918ecbeddcc9c9fff9374e6d51ae4c286b/etc/profile-a-l/firefox.profile#L57-L59

Utini2000 commented 2 months ago

@glitsj16 woopsie you are right. I only had to add "ignore dbus-user filter" to get it to work.

The following are already in my firefox.local but didn't help:

Keepass:

private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which,keepassxc-proxy
whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
whitelist ${RUNUSER}/kpxc_server
noblacklist ${RUNUSER}/app
mkdir ${RUNUSER}/app/org.keepassxc.KeePassXC
whitelist ${RUNUSER}/app/org.keepassxc.KeePassXC

KDE (kdeconnect not installed):

# Add the next line to your firefox.local to enable native notifications.
dbus-user.talk org.freedesktop.Notifications
# Add the next line to your firefox.local to allow inhibiting screensavers.
dbus-user.talk org.freedesktop.ScreenSaver
# Add the next lines to your firefox.local for plasma browser integration.
dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
dbus-user.talk org.kde.JobViewServer
dbus-user.talk org.kde.kuiserver
# Add the next line to your firefox.local to allow screen sharing under wayland.
dbus-user.talk org.freedesktop.portal.Desktop
# Add the next line to your firefox.local if screen sharing sharing still does not work
# with the above lines (might depend on the portal implementation).
ignore noroot

Any other dbus filters I should try adding?

glitsj16 commented 2 months ago

> Any other dbus filters I should try adding?

Never actually touched KDE so nothing I can suggest offhand. But I see there's an org.kde.dolphin.FileManager1.service in the dolphin package on Arch, so try dbus-user.talk org.kde.dolphin.FileManager1 I'd say. Other than that you can try using something like busctl or d-feet to inspect what dbus commands dolphin is using (as suggested by @kmk3 above in the Librewolf issue).

rusty-snake commented 2 months ago

Since GNOME+Nautilus+Firefox+Wayland works for me, do you run a x11 or Wayland session?

Utini2000 commented 2 months ago

@rusty-snake I am on wayland - what about you?

Utini2000 commented 2 months ago

@glitsj16 the "dbus-user.talk org.kde.dolphin.FileManager1" does not help and also busctl does not list it for me?

Here is the whole busctl output:

busctl

```console
$ busctl
NAME PID PROCESS USER CONNECTION UNIT SESSION DESCRIPTION
:1.0 955 systemd-timesyn systemd-timesync :1.0 systemd-timesyncd.service - -
:1.1 1 systemd root :1.1 init.scope - -
:1.10 966 firewalld root :1.10 firewalld.service - -
:1.103 6530 dolphin username :1.103 user@1000.service - -
:1.106 7057 dolphin username :1.106 user@1000.service - -
:1.108 7466 0 username :1.108 user@1000.service - -
:1.11 1027 NetworkManager root :1.11 NetworkManager.service - -
:1.126 12585 telegram-deskto username :1.126 user@1000.service - -
:1.127 12585 telegram-deskto username :1.127 user@1000.service - -
:1.129 15084 gdbus username :1.129 user@1000.service - -
:1.139 15533 plasmashell username :1.139 user@1000.service - -
:1.14 1047 cupsd root :1.14 cups.service - -
:1.140 15742 electron username :1.140 user@1000.service - -
:1.141 15742 electron username :1.141 user@1000.service - -
:1.15 1067 sddm root :1.15 sddm.service - -
:1.17 1078 colord colord :1.17 colord.service - -
:1.18 1111 Xorg root :1.18 sddm.service - -
:1.19 1143 smbd root :1.19 smb.service - -
:1.2 959 dbus-broker-lau root :1.2 dbus-broker.service - -
:1.20 1200 wpa_supplicant root :1.20 wpa_supplicant.service - -
:1.206 24994 gdbus username :1.206 user@1000.service - -
:1.257 35302 dolphin username :1.257 user@1000.service - -
:1.275 42325 gdbus username :1.275 user@1000.service - -
:1.281 42473 systemd-inhibit username :1.281 user@1000.service - -
:1.282 42475 gdbus username :1.282 user@1000.service - -
:1.292 42955 nm-openvpn-serv root :1.292 NetworkManager.service - -
:1.299 47859 busctl username :1.299 user@1000.service - -
:1.3 963 avahi-daemon avahi :1.3 avahi-daemon.service - -
:1.32 1347 systemd username :1.32 user@1000.service - -
:1.34 1395 startplasma-way username :1.34 session-2.scope 2 -
:1.36 1501 xdg-desktop-por username :1.36 user@1000.service - -
:1.37 1522 rtkit-daemon root :1.37 rtkit-daemon.service - -
:1.38 1494 kwin_wayland username :1.38 user@1000.service - -
:1.39 1542 wireplumber username :1.39 user@1000.service - -
:1.4 970 systemd-machine root :1.4 systemd-machined.service - -
:1.40 1542 wireplumber username :1.40 user@1000.service - -
:1.41 1607 kded6 username :1.41 user@1000.service - -
:1.42 1733 udisksd root :1.42 udisks2.service - -
:1.44 1722 org_kde_powerde username :1.44 user@1000.service - -
:1.45 1722 org_kde_powerde username :1.45 user@1000.service - -
:1.46 1722 org_kde_powerde username :1.46 user@1000.service - -
:1.47 1721 polkit-kde-auth username :1.47 user@1000.service - -
:1.48 1767 upowerd root :1.48 upower.service - -
:1.49 1607 kded6 username :1.49 user@1000.service - -
:1.5 964 bluetoothd root :1.5 bluetooth.service - -
:1.50 1607 kded6 username :1.50 user@1000.service - -
:1.6 967 power-profiles- root :1.6 power-profiles-daemon.service - -
:1.63 1926 agent username :1.63 user@1000.service - -
:1.64 1916 syncthingtray username :1.64 user@1000.service - -
:1.65 1908 firewall-applet username :1.65 user@1000.service - -
:1.7 969 systemd-logind root :1.7 systemd-logind.service - -
:1.88 1721 polkit-kde-auth username :1.88 user@1000.service - -
:1.9 979 polkitd polkitd :1.9 polkit.service - -
:1.94 1723 xdg-desktop-por username :1.94 user@1000.service - -
com.redhat.NewPrinterNotification 1607 kded6 username :1.41 user@1000.service - -
dev.jonmagon.kdiskmark.helperinterface - - - (activatable) - - -
fi.w1.wpa_supplicant1 1200 wpa_supplicant root :1.20 wpa_supplicant.service - -
net.hadess.PowerProfiles 967 power-profiles- root :1.6 power-profiles-daemon.service - -
org.bluez 964 bluetoothd root :1.5 bluetooth.service - -
org.fedoraproject.FirewallD1 966 firewalld root :1.10 firewalld.service - -
org.freedesktop.Accounts - - - (activatable) - - -
org.freedesktop.Avahi 963 avahi-daemon avahi :1.3 avahi-daemon.service - -
org.freedesktop.ColorManager 1078 colord colord :1.17 colord.service - -
org.freedesktop.DBus 1 systemd root - init.scope - -
org.freedesktop.DisplayManager 1067 sddm root :1.15 sddm.service - -
org.freedesktop.GeoClue2 - - - (activatable) - - -
org.freedesktop.ModemManager1 - - - (activatable) - - -
org.freedesktop.NetworkManager 1027 NetworkManager root :1.11 NetworkManager.service - -
org.freedesktop.NetworkManager.openvpn.Connection_20 42955 nm-openvpn-serv root :1.292 NetworkManager.service - -
org.freedesktop.Passim - - - (activatable) - - -
org.freedesktop.PolicyKit1 979 polkitd polkitd :1.9 polkit.service - -
org.freedesktop.RealtimeKit1 1522 rtkit-daemon root :1.37 rtkit-daemon.service - -
org.freedesktop.UDisks2 1733 udisksd root :1.42 udisks2.service - -
org.freedesktop.UPower 1767 upowerd root :1.48 upower.service - -
org.freedesktop.UPower.PowerProfiles 967 power-profiles- root :1.6 power-profiles-daemon.service - -
org.freedesktop.fwupd - - - (activatable) - - -
org.freedesktop.home1 - - - (activatable) - - -
org.freedesktop.hostname1 - - - (activatable) - - -
org.freedesktop.import1 - - - (activatable) - - -
org.freedesktop.locale1 - - - (activatable) - - -
org.freedesktop.login1 969 systemd-logind root :1.7 systemd-logind.service - -
org.freedesktop.machine1 970 systemd-machine root :1.4 systemd-machined.service - -
org.freedesktop.network1 - - - (activatable) - - -
org.freedesktop.nm_dispatcher - - - (activatable) - - -
org.freedesktop.nm_priv_helper - - - (activatable) - - -
org.freedesktop.oom1 - - - (activatable) - - -
org.freedesktop.portable1 - - - (activatable) - - -
org.freedesktop.ratbag1 - - - (activatable) - - -
org.freedesktop.resolve1 - - - (activatable) - - -
org.freedesktop.systemd1 1 systemd root :1.1 init.scope - -
org.freedesktop.timedate1 - - - (activatable) - - -
org.freedesktop.timesync1 955 systemd-timesyn systemd-timesync :1.0 systemd-timesyncd.service - -
org.kde.filesharing.samba - - - (activatable) - - -
org.kde.fontinst - - - (activatable) - - -
org.kde.kameleonhelper - - - (activatable) - - -
org.kde.kcontrol.kcmclock - - - (activatable) - - -
org.kde.kcontrol.kcmkwallet5 - - - (activatable) - - -
org.kde.kcontrol.kcmsddm - - - (activatable) - - -
org.kde.kded.inotify - - - (activatable) - - -
org.kde.kded.smart - - - (activatable) - - -
org.kde.kinfocenter.dmidecode - - - (activatable) - - -
org.kde.kio.admin - - - (activatable) - - -
org.kde.kpmcore.helperinterface - - - (activatable) - - -
org.kde.ksysguard.processlisthelper - - - (activatable) - - -
org.kde.ktexteditor6.katetextbuffer - - - (activatable) - - -
org.kde.powerdevil.backlighthelper - - - (activatable) - - -
org.kde.powerdevil.chargethresholdhelper - - - (activatable) - - -
org.kde.powerdevil.discretegpuhelper - - - (activatable) - - -
org.kde.ufw - - - (activatable) - - -
```

rusty-snake commented 2 months ago

> and also busctl does not list it for me?

It is per user after all, so it listens on the session bus not on the system bus.

Utini2000 commented 2 months ago

> > and also busctl does not list it for me?
>
> It is per user after all, so it listens on the session bus not on the system bus.

Uhm not sure what to do with that information. Does it mean the problem's root is somewhere else or should I set a different allowed dbus rule?

rusty-snake commented 2 months ago

Your busctl command was busctl --system (implicit) not busctl --user

Utini2000 commented 2 months ago

> busctl --user

Oh sorry for that. Here is busctl --user with dolphin running so that it actually also shows up:

busctl --user

```console
$ busctl --user
NAME PID PROCESS USER CONNECTION UNIT SESSION DESCRIPTION
:1.0 1395 startplasma-way username :1.0 session-2.scope 2 -
:1.1 1347 systemd username :1.1 user@1000.service - -
:1.10 1541 pipewire username :1.10 user@1000.service - -
:1.109 23980 0 username :1.109 user@1000.service - -
:1.11 1542 wireplumber username :1.11 user@1000.service - -
:1.110 23980 0 username :1.110 user@1000.service - -
:1.116 28618 smbnotifier username :1.116 user@1000.service - -
:1.120 28633 smbnotifier username :1.120 user@1000.service - -
:1.122 28669 kio-fuse username :1.122 user@1000.service - -
:1.13 1393 kwalletd6 username :1.13 session-2.scope 2 -
:1.14 1607 kded6 username :1.14 user@1000.service - -
:1.148 35418 smbnotifier username :1.148 user@1000.service - -
:1.15 1605 ksmserver username :1.15 user@1000.service - -
:1.165 48281 smbnotifier username :1.165 user@1000.service - -
:1.166 48292 systemsettings username :1.166 user@1000.service - -
:1.17 1653 pipewire-pulse username :1.17 user@1000.service - -
:1.18 1607 kded6 username :1.18 user@1000.service - -
:1.198 52439 Discord username :1.198 user@1000.service - -
:1.199 52439 Discord username :1.199 user@1000.service - -
:1.2 1483 dbus-broker-lau username :1.2 user@1000.service - -
:1.20 1669 dconf-service username :1.20 user@1000.service - -
:1.205 52439 Discord username :1.205 user@1000.service - -
:1.207 54763 konsole username :1.207 user@1000.service - -
:1.208 54960 konsole username :1.208 user@1000.service - -
:1.21 1703 kactivitymanage username :1.21 user@1000.service - -
:1.212 61271 telegram-deskto username :1.212 user@1000.service - -
:1.213 61271 telegram-deskto username :1.213 user@1000.service - -
:1.214 61271 telegram-deskto username :1.214 user@1000.service - -
:1.22 1720 gmenudbusmenupr username :1.22 user@1000.service - -
:1.220 62853 smbnotifier username :1.220 user@1000.service - -
:1.221 62857 smbnotifier username :1.221 user@1000.service - -
:1.223 62863 smbnotifier username :1.223 user@1000.service - -
:1.224 62867 smbnotifier username :1.224 user@1000.service - -
:1.228 63115 smbnotifier username :1.228 user@1000.service - -
:1.229 63199 smbnotifier username :1.229 user@1000.service - -
:1.23 1724 xembedsniproxy username :1.23 user@1000.service - -
:1.238 63651 okular username :1.238 user@1000.service - -
:1.24 1721 polkit-kde-auth username :1.24 user@1000.service - -
:1.249 66522 dolphin username :1.249 user@1000.service - -
:1.25 1723 xdg-desktop-por username :1.25 user@1000.service - -
:1.250 66592 kioworker username :1.250 user@1000.service - -
:1.251 66635 busctl username :1.251 user@1000.service - -
:1.26 1722 org_kde_powerde username :1.26 user@1000.service - -
:1.27 1501 xdg-desktop-por username :1.27 user@1000.service - -
:1.31 1927 kaccess username :1.31 user@1000.service - -
:1.33 1907 easyeffects username :1.33 user@1000.service - -
:1.34 1916 syncthingtray username :1.34 user@1000.service - -
:1.36 1908 firewall-applet username :1.36 user@1000.service - -
:1.38 1916 syncthingtray username :1.38 user@1000.service - -
:1.39 1908 firewall-applet username :1.39 user@1000.service - -
:1.4 1491 kwin_wayland_wr username :1.4 user@1000.service - -
:1.40 1908 firewall-applet username :1.40 user@1000.service - -
:1.43 2630 at-spi-bus-laun username :1.43 user@1000.service - -
:1.54 5220 baloorunner username :1.54 user@1000.service - -
:1.55 5238 konsole username :1.55 user@1000.service - -
:1.6 1501 xdg-desktop-por username :1.6 user@1000.service - -
:1.68 7153 kiod6 username :1.68 user@1000.service - -
:1.7 1506 xdg-document-po username :1.7 user@1000.service - -
:1.76 7466 0 username :1.76 user@1000.service - -
:1.8 1510 xdg-permission- username :1.8 user@1000.service - -
:1.9 1494 kwin_wayland username :1.9 user@1000.service - -
:1.94 15533 plasmashell username :1.94 user@1000.service - -
:1.97 15742 electron username :1.97 user@1000.service - -
:1.98 15742 electron username :1.98 user@1000.service - -
ca.desrt.dconf 1669 dconf-service username :1.20 user@1000.service - -
com.canonical.Unity 15533 plasmashell username :1.94 user@1000.service - -
com.canonical.indicators.webcredentials - - - (activatable) - - -
com.github.wwmm.easyeffects 1907 easyeffects username :1.33 user@1000.service - -
com.google.code.AccountsSSO.SingleSignOn - - - (activatable) - - -
com.nokia.SingleSignOn.Backup - - - (activatable) - - -
com.nokia.singlesignonui - - - (activatable) - - -
com.teamviewer.TeamViewer - - - (activatable) - - -
com.teamviewer.TeamViewer.Desktop - - - (activatable) - - -
local.org_kde_powerdevil 1722 org_kde_powerde username :1.26 user@1000.service - -
org.a11y.Bus 2630 at-spi-bus-laun username :1.43 user@1000.service - -
org.fedoraproject.Config.Printing - - - (activatable) - - -
org.freedesktop.Akonadi.Control - - - (activatable) - - -
org.freedesktop.ColorHelper - - - (activatable) - - -
org.freedesktop.DBus 1347 systemd username - user@1000.service - -
org.freedesktop.FileManager1 66522 dolphin username :1.249 user@1000.service - -
org.freedesktop.Notifications 15533 plasmashell username :1.94 user@1000.service - -
org.freedesktop.PowerManagement 1722 org_kde_powerde username :1.26 user@1000.service - -
org.freedesktop.PowerManagement.Inhibit 1722 org_kde_powerde username :1.26 user@1000.service - -
org.freedesktop.ReserveDevice1.Audio0 1542 wireplumber username :1.11 user@1000.service - -
org.freedesktop.ReserveDevice1.Audio1 1542 wireplumber username :1.11 user@1000.service - -
org.freedesktop.ReserveDevice1.Audio2 1542 wireplumber username :1.11 user@1000.service - -
org.freedesktop.ScreenSaver 1494 kwin_wayland username :1.9 user@1000.service - -
org.freedesktop.background.Monitor 1501 xdg-desktop-por username :1.27 user@1000.service - -
org.freedesktop.impl.portal.PermissionStore 1510 xdg-permission- username :1.8 user@1000.service - -
org.freedesktop.impl.portal.desktop.kde 1723 xdg-desktop-por username :1.25 user@1000.service - -
org.freedesktop.impl.portal.desktop.kwallet 1393 kwalletd6 username :1.13 session-2.scope 2 -
org.freedesktop.portal.Desktop 1501 xdg-desktop-por username :1.6 user@1000.service - -
org.freedesktop.portal.Documents 1506 xdg-document-po username :1.7 user@1000.service - -
org.freedesktop.portal.Tracker - - - (activatable) - - -
org.freedesktop.secrets 1393 kwalletd6 username :1.13 session-2.scope 2 -
org.freedesktop.systemd1 1347 systemd username :1.1 user@1000.service - -
org.gnome.keyring.PrivatePrompter - - - (activatable) - - -
org.gnome.keyring.SystemPrompter - - - (activatable) - - -
org.gtk.GLib.PACRunner - - - (activatable) - - -
org.gtk.Settings 1607 kded6 username :1.14 user@1000.service - -
org.kde.ActivityManager 1703 kactivitymanage username :1.21 user@1000.service - -
org.kde.GtkConfig 1607 kded6 username :1.14 user@1000.service - -
org.kde.JobViewServer 15533 plasmashell username :1.94 user@1000.service - -
org.kde.KIOFuse 28669 kio-fuse username :1.122 user@1000.service - -
org.kde.KScreen - - - (activatable) - - -
org.kde.KSplash - - - (activatable) - - -
org.kde.KWin 1494 kwin_wayland username :1.9 user@1000.service - -
org.kde.KWin.HighlightWindow 1494 kwin_wayland username :1.9 user@1000.service - -
org.kde.KWin.NightLight 1494 kwin_wayland username :1.9 user@1000.service - -
org.kde.KWin.ScreenShot2 1494 kwin_wayland username :1.9 user@1000.service - -
org.kde.KWinWrapper 1491 kwin_wayland_wr username :1.4 user@1000.service - -
org.kde.LogoutPrompt - - - (activatable) - - -
org.kde.Shutdown - - - (activatable) - - -
org.kde.Solid.PowerManagement 1722 org_kde_powerde username :1.26 user@1000.service - -
org.kde.Solid.PowerManagement.PolicyAgent 1722 org_kde_powerde username :1.26 user@1000.service - -
org.kde.Spectacle - - - (activatable) - - -
org.kde.StatusNotifierHost-15533 15533 plasmashell username :1.94 user@1000.service - -
org.kde.StatusNotifierWatcher 1607 kded6 username :1.14 user@1000.service - -
org.kde.dolphin-66522 66522 dolphin username :1.249 user@1000.service - -
org.kde.fontinst - - - (activatable) - - -
org.kde.kaccess 1927 kaccess username :1.31 user@1000.service - -
org.kde.kappmenu 1607 kded6 username :1.14 user@1000.service - -
org.kde.kcookiejar5 - - - (activatable) - - -
org.kde.kded5 - - - (activatable) - - -
org.kde.kded6 1607 kded6 username :1.14 user@1000.service - -
org.kde.keyboard 1494 kwin_wayland username :1.9 user@1000.service - -
org.kde.kglobalaccel 1494 kwin_wayland username :1.9 user@1000.service - -
org.kde.kiod5 - - - (activatable) - - -
org.kde.kiod6 7153 kiod6 username :1.68 user@1000.service - -
org.kde.kioexecd - - - (activatable) - - -
org.kde.kioexecd6 7153 kiod6 username :1.68 user@1000.service - -
org.kde.kmtpd5 7153 kiod6 username :1.68 user@1000.service - -
org.kde.konsole-5238 5238 konsole username :1.55 user@1000.service - -
org.kde.konsole-54763 54763 konsole username :1.207 user@1000.service - -
org.kde.konsole-54960 54960 konsole username :1.208 user@1000.service - -
org.kde.kpasswdserver - - - (activatable) - - -
org.kde.kpasswdserver6 7153 kiod6 username :1.68 user@1000.service - -
org.kde.krunner - - - (activatable) - - -
org.kde.kscreen.osdService - - - (activatable) - - -
org.kde.ksmserver 1605 ksmserver username :1.15 user@1000.service - -
org.kde.kssld5 - - - (activatable) - - -
org.kde.kssld6 7153 kiod6 username :1.68 user@1000.service - -
org.kde.ksystemstats1 - - - (activatable) - - -
org.kde.kuiserver 15533 plasmashell username :1.94 user@1000.service - -
org.kde.kwalletd5 1393 kwalletd6 username :1.13 session-2.scope 2 -
org.kde.kwalletd6 1393 kwalletd6 username :1.13 session-2.scope 2 -
org.kde.kwalletmanager5 - - - (activatable) - - -
org.kde.okular-252 63651 okular username :1.238 user@1000.service - -
org.kde.plasmanetworkmanagement 1607 kded6 username :1.14 user@1000.service - -
org.kde.plasmashell 15533 plasmashell username :1.94 user@1000.service - -
org.kde.plasmashell.accentColor 1607 kded6 username :1.14 user@1000.service - -
org.kde.polkit-kde-authentication-agent-1 1721 polkit-kde-auth username :1.24 user@1000.service - -
org.kde.powerdevil.powerProfileOsdService - - - (activatable) - - -
org.kde.runners.activities 1703 kactivitymanage username :1.21 user@1000.service - -
org.kde.runners.baloo 5220 baloorunner username :1.54 user@1000.service - -
org.kde.screensaver 1494 kwin_wayland username :1.9 user@1000.service - -
org.kde.spectacle - - - (activatable) - - -
org.kde.systemsettings 48292 systemsettings username :1.166 user@1000.service - -
org.keepassxc.KeePassXC.MainWindow 7466 0 username :1.76 user@1000.service - -
org.mozilla.firefox.ZGVmYassdC1yZWxlYXNl 23980 0 username :1.109 user@1000.service - -
org.pulseaudio.Server 1653 pipewire-pulse username :1.17 user@1000.service - -
org.telegram.desktop 61271 telegram-deskto username :1.213 user@1000.service - -
```

So the next rules to try would be:

dbus-user.talk org.freedesktop.FileManager1 

Correct?

rusty-snake commented 2 months ago

FileManager1 has no relevant interfaces AFAIK.

org.kde.KIOFuse, org.kde.kio* look more interesting to me.

Utini2000 commented 2 months ago

Added these to my firefox.local but it didn't help / fix the issue:

dbus-user.talk org.kde.KIOFuse
dbus-user.talk org.kde.kiod5
dbus-user.talk org.kde.kio6
dbus-user.talk org.kde.kioexecd
dbus-user.talk org.kde.kioexecd6

This also didn't help:

ignore dbus-user.talk org.kde.KIOFuse
ignore dbus-user.talk org.kde.kiod5
ignore dbus-user.talk org.kde.kio6
ignore dbus-user.talk org.kde.kioexecd
ignore dbus-user.talk org.kde.kioexecd6

rusty-snake commented 2 months ago

Can you try dbus-user.talk org.kde.* to narrow it down.

Utini2000 commented 2 months ago

> Can you try dbus-user.talk org.kde.* to narrow it down.

Sure! I tried but it didn't fix the issue.

rusty-snake commented 2 months ago

busctl --user list --no-legend --activatable --acquired | cut -d" " -f1 | sed -E "s/.*/dbus-user.talk \0/"

and then do a binary search with it
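
The binary search suggested above, written out as an added example (not part of the original thread and not firejail's own code). The function names `bisect_rules` and `try_in_firejail` and the file `rules.txt` are hypothetical; it assumes `firefox.local` does not already contain `ignore dbus-user filter`, and that a single `dbus-user.talk` rule is what is missing, reporting separately when that assumption does not hold.

```shell
#!/bin/sh
# Added example: bisect a list of "dbus-user.talk NAME" rules to find the one
# rule a sandboxed feature depends on, so that rule can be allowed on its own
# instead of disabling the D-Bus filter altogether.
#
# bisect_rules RULES_FILE TESTER
#   RULES_FILE  one firejail rule per line
#   TESTER      called as "TESTER SUBSET_FILE"; exit status 0 = feature works
# Prints the narrowed rule set on stdout and returns:
#   0  narrowed down to a single rule
#   1  even the full list does not help (cause is not a missing talk rule)
#   2  neither half works alone (more than one rule is needed)
bisect_rules() {
    br_rules=$1
    br_tester=$2
    br_dir=$(mktemp -d) || return 1
    # Ignore blank lines and comments in the rule list.
    grep -v -e '^[[:space:]]*$' -e '^[[:space:]]*#' "$br_rules" \
        > "$br_dir/cur" || true

    # Sanity check first: bisecting is pointless if the full list fails.
    if ! "$br_tester" "$br_dir/cur"; then
        rm -rf "$br_dir"
        return 1
    fi

    br_status=0
    while br_n=$(( $(wc -l < "$br_dir/cur") )); [ "$br_n" -gt 1 ]; do
        br_half=$(( br_n / 2 ))
        head -n "$br_half" "$br_dir/cur" > "$br_dir/a"
        tail -n +"$(( br_half + 1 ))" "$br_dir/cur" > "$br_dir/b"
        if "$br_tester" "$br_dir/a"; then
            mv "$br_dir/a" "$br_dir/cur"
        elif "$br_tester" "$br_dir/b"; then
            mv "$br_dir/b" "$br_dir/cur"
        else
            # The required names are spread over both halves.
            br_status=2
            break
        fi
    done

    cat "$br_dir/cur"
    rm -rf "$br_dir"
    return "$br_status"
}

# Interactive tester for the case in this thread (assumed workflow): start
# Firefox under a throwaway profile that holds the candidate rules followed by
# the stock profile, then ask whether drag and drop worked. Close all running
# Firefox windows before each round.
try_in_firejail() {
    tj_profile=$(mktemp) || return 1
    { cat "$1"; echo "include firefox.profile"; } > "$tj_profile"
    firejail --profile="$tj_profile" firefox </dev/null >/dev/null 2>&1
    printf 'Did drag and drop work? [y/N] ' >&2
    read -r tj_answer
    rm -f "$tj_profile"
    [ "$tj_answer" = y ]
}

# Typical use (not run here):
#   busctl --user list --no-legend --activatable --acquired | cut -d" " -f1 |
#       sed -E "s/.*/dbus-user.talk \0/" > rules.txt
#   bisect_rules rules.txt try_in_firejail
```

With the roughly 90 names listed on this page, a single missing rule is found in about seven Firefox launches. A return status of 1 means that no `dbus-user.talk` rule from the list is sufficient on its own.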

Utini2000 commented 2 months ago

Uhm I am sorry but what do you mean with binary search?

I could just divide the whole outputted list in 10 parts, then add each part step by step until I figure out which part contains the required line and then inspect that specific part.

Or rather keep dividing the whole output by 50% until I figure out the rogue line :P

Here is the output btw:

busctl

```
dbus-user.talk ca.desrt.dconf
dbus-user.talk com.canonical.Unity
dbus-user.talk com.canonical.indicators.webcredentials
dbus-user.talk com.github.wwmm.easyeffects
dbus-user.talk com.google.code.AccountsSSO.SingleSignOn
dbus-user.talk com.nokia.SingleSignOn.Backup
dbus-user.talk com.nokia.singlesignonui
dbus-user.talk com.teamviewer.TeamViewer
dbus-user.talk com.teamviewer.TeamViewer.Desktop
dbus-user.talk local.org_kde_powerdevil
dbus-user.talk org.a11y.Bus
dbus-user.talk org.fedoraproject.Config.Printing
dbus-user.talk org.freedesktop.Akonadi.Control
dbus-user.talk org.freedesktop.ColorHelper
dbus-user.talk org.freedesktop.DBus
dbus-user.talk org.freedesktop.FileManager1
dbus-user.talk org.freedesktop.Notifications
dbus-user.talk org.freedesktop.PowerManagement
dbus-user.talk org.freedesktop.PowerManagement.Inhibit
dbus-user.talk org.freedesktop.ReserveDevice1.Audio0
dbus-user.talk org.freedesktop.ReserveDevice1.Audio1
dbus-user.talk org.freedesktop.ReserveDevice1.Audio2
dbus-user.talk org.freedesktop.ScreenSaver
dbus-user.talk org.freedesktop.background.Monitor
dbus-user.talk org.freedesktop.impl.portal.PermissionStore
dbus-user.talk org.freedesktop.impl.portal.desktop.kde
dbus-user.talk org.freedesktop.impl.portal.desktop.kwallet
dbus-user.talk org.freedesktop.portal.Desktop
dbus-user.talk org.freedesktop.portal.Documents
dbus-user.talk org.freedesktop.portal.Tracker
dbus-user.talk org.freedesktop.secrets
dbus-user.talk org.freedesktop.systemd1
dbus-user.talk org.gnome.keyring.PrivatePrompter
dbus-user.talk org.gnome.keyring.SystemPrompter
dbus-user.talk org.gtk.GLib.PACRunner
dbus-user.talk org.gtk.Settings
dbus-user.talk org.kde.ActivityManager
dbus-user.talk org.kde.GtkConfig
dbus-user.talk org.kde.JobViewServer
dbus-user.talk org.kde.KIOFuse
dbus-user.talk org.kde.KScreen
dbus-user.talk org.kde.KSplash
dbus-user.talk org.kde.KWin
dbus-user.talk org.kde.KWin.HighlightWindow
dbus-user.talk org.kde.KWin.NightLight
dbus-user.talk org.kde.KWin.ScreenShot2
dbus-user.talk org.kde.KWinWrapper
dbus-user.talk org.kde.LogoutPrompt
dbus-user.talk org.kde.Shutdown
dbus-user.talk org.kde.Solid.PowerManagement
dbus-user.talk org.kde.Solid.PowerManagement.PolicyAgent
dbus-user.talk org.kde.Spectacle
dbus-user.talk org.kde.StatusNotifierHost-1776
dbus-user.talk org.kde.StatusNotifierWatcher
dbus-user.talk org.kde.dolphin-2296
dbus-user.talk org.kde.fontinst
dbus-user.talk org.kde.kaccess
dbus-user.talk org.kde.kappmenu
dbus-user.talk org.kde.kcookiejar5
dbus-user.talk org.kde.kded5
dbus-user.talk org.kde.kded6
dbus-user.talk org.kde.keyboard
dbus-user.talk org.kde.kglobalaccel
dbus-user.talk org.kde.kiod5
dbus-user.talk org.kde.kiod6
dbus-user.talk org.kde.kioexecd
dbus-user.talk org.kde.kioexecd6
dbus-user.talk org.kde.kmtpd5
dbus-user.talk org.kde.konsole-3023
dbus-user.talk org.kde.kpasswdserver
dbus-user.talk org.kde.kpasswdserver6
dbus-user.talk org.kde.krunner
dbus-user.talk org.kde.kscreen.osdService
dbus-user.talk org.kde.ksmserver
dbus-user.talk org.kde.kssld5
dbus-user.talk org.kde.kssld6
dbus-user.talk org.kde.ksystemstats1
dbus-user.talk org.kde.kuiserver
dbus-user.talk org.kde.kwalletd5
dbus-user.talk org.kde.kwalletd6
dbus-user.talk org.kde.kwalletmanager5
dbus-user.talk org.kde.plasmanetworkmanagement
dbus-user.talk org.kde.plasmashell
dbus-user.talk org.kde.plasmashell.accentColor
dbus-user.talk org.kde.polkit-kde-authentication-agent-1
dbus-user.talk org.kde.powerdevil.powerProfileOsdService
dbus-user.talk org.kde.runners.activities
dbus-user.talk org.kde.runners.baloo
dbus-user.talk org.kde.screensaver
dbus-user.talk org.kde.spectacle
dbus-user.talk org.mozilla.firefox.ZGVmYXxxxxyZWxlYXNl
dbus-user.talk org.pulseaudio.Server
dbus-user.talk org.telegram.desktop
```

rusty-snake commented 2 months ago

> I could just divide the whole outputted list in 10 parts, then add each part step by step until I figure out which part contains the required line and then inspect that specific part.
>
> Or rather keep dividing the whole output by 50% until I figure out the rogue line :P

Pretty much this. But keep in mind that it is possible that more than one line is required, which can make finding them harder.
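
The bisection discussed in the comment above, generalized to the case where more than one rule is required (delta debugging), as an added example that is not part of the original thread. `ddmin`, `make_oracle` and `to_profile` are hypothetical names; the oracle is a constructed stand-in for manually testing drag and drop with a given set of `dbus-user.talk` lines, and the pair of required names in the demo is constructed to show the multi-rule case, not a finding from this thread.

```python
# Candidate names taken from the busctl listing in this thread.
CANDIDATES = """
org.freedesktop.DBus org.freedesktop.FileManager1 org.freedesktop.Notifications
org.freedesktop.ScreenSaver org.freedesktop.portal.Desktop
org.freedesktop.portal.Documents org.freedesktop.portal.Tracker
org.freedesktop.secrets org.freedesktop.systemd1
""".split()


def ddmin(names, works):
    """Return a subset of `names` that still works and from which no single
    name can be dropped (1-minimal). `works(subset)` is the trial oracle."""
    if not works(names):
        raise ValueError("the full candidate list must fix the problem")
    n = 2  # number of chunks to split the current list into
    while len(names) >= 2:
        size = -(-len(names) // n)  # ceiling division
        chunks = [names[i:i + size] for i in range(0, len(names), size)]
        for chunk in chunks:
            rest = [x for x in names if x not in chunk]
            if works(chunk):        # this chunk alone is enough
                names, n = chunk, 2
                break
            if works(rest):         # this chunk is not needed at all
                names, n = rest, max(n - 1, 2)
                break
        else:                       # no reduction at this granularity
            if n >= len(names):
                break               # every remaining name is required
            n = min(len(names), n * 2)
    return names


def make_oracle(required, log):
    """Constructed stand-in for a manual trial: succeeds when every name in
    `required` is allowed. `log` records each trial that would be run."""
    def works(subset):
        log.append(list(subset))
        return set(required) <= set(subset)
    return works


def to_profile(names):
    return "\n".join(f"dbus-user.talk {name}" for name in names)


if __name__ == "__main__":
    # Constructed requirement, chosen only to exercise the two-rule case.
    needed = ["org.freedesktop.portal.Desktop", "org.freedesktop.portal.Documents"]
    print(to_profile(ddmin(CANDIDATES, make_oracle(needed, []))))
```

Narrowing to a minimal set keeps the sandbox's D-Bus filter as tight as possible instead of allowing the whole listing.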

kmk3 commented 2 months ago

@Utini2000

The following might work to narrow it down (untested):

Find the Firefox service name:

```sh
busctl --user | grep '^org.mozilla.firefox' | cut -f 1 -d ' '
```

Then run a command to monitor it, drag and drop a file from Dolphin and stop the command with Ctrl+C:

(Edit: Wrong command; see below)

```sh
sudo busctl monitor "$firefox" | tee ~/firefox-dbus.txt
^C
grep Interface= ~/firefox-dbus.txt
```

```sh
busctl --user monitor "$firefox" | tee ~/firefox-dbus.txt
^C
grep Interface= ~/firefox-dbus.txt
```

What is the grep output?

What is in ~/firefox-dbus.txt?

@rusty-snake on Aug 29:

> Since GNOME+Nautilus+Firefox+Wayland works for me, do you run an X11 or Wayland session?

Do you know which dbus name is used in this case?

rusty-snake commented 2 months ago

> Do you know which dbus name is used in this case?

The relevant interface seems to be org.freedesktop.portal.FileTransfer. In the monitoring log it is called by unique name.

Utini2000 commented 2 months ago

@kmk3 This is the output:

```
Sender=:1.66  Path=/org/freedesktop/UPower/devices/battery_BAT0  Interface=org.freedesktop.DBus.Properties  Member=PropertiesChanged
Sender=:1.66  Path=/org/freedesktop/UPower/devices/DisplayDevice  Interface=org.freedesktop.DBus.Properties  Member=PropertiesChanged
Sender=:1.11  Path=/org/freedesktop/NetworkManager/AccessPoint/1  Interface=org.freedesktop.DBus.Properties  Member=PropertiesChanged
Sender=:1.11  Path=/org/freedesktop/NetworkManager/AccessPoint/1  Interface=org.freedesktop.DBus.Properties  Member=PropertiesChanged
```

Adding "dbus-user.talk org.freedesktop.DBus.Properties" didn't help / didn't fix the issue.

I didn't have the time to try all the entries from this post: https://github.com/netblue30/firejail/issues/6444#issuecomment-2321538938

But I will do so if that is what it takes :) Probably got the time tomorrow!

rusty-snake commented 2 months ago

> This is the output:

This is the system bus which is surely not used for DnD in a session.

> org.freedesktop.DBus.Properties

Is an interface name for which you cannot add talk rules.

> I didn't have the time to try all the entries from this post: https://github.com/netblue30/firejail/issues/6444#issuecomment-2321538938

```
dbus-user.talk org.freedesktop.*
```

Utini2000 commented 2 months ago

> > This is the output:
>
> This is the system bus which is surely not used for DnD in a session.
>
> > org.freedesktop.DBus.Properties
>
> Is an interface name for which you cannot add talk rules.
>
> > I didn't have the time to try all the entries from this post: #6444 (comment)
>
> ```
> dbus-user.talk org.freedesktop.*
> ```

YES! :) Your rule fixes the issue.

So it must be something in here:

```
dbus-user.talk org.freedesktop.Akonadi.Control
dbus-user.talk org.freedesktop.ColorHelper
dbus-user.talk org.freedesktop.DBus
dbus-user.talk org.freedesktop.FileManager1
dbus-user.talk org.freedesktop.Notifications
dbus-user.talk org.freedesktop.PowerManagement
dbus-user.talk org.freedesktop.PowerManagement.Inhibit
dbus-user.talk org.freedesktop.ReserveDevice1.Audio0
dbus-user.talk org.freedesktop.ReserveDevice1.Audio1
dbus-user.talk org.freedesktop.ReserveDevice1.Audio2
dbus-user.talk org.freedesktop.ScreenSaver
dbus-user.talk org.freedesktop.background.Monitor
dbus-user.talk org.freedesktop.impl.portal.PermissionStore
dbus-user.talk org.freedesktop.impl.portal.desktop.kde
dbus-user.talk org.freedesktop.impl.portal.desktop.kwallet
dbus-user.talk org.freedesktop.portal.Desktop
dbus-user.talk org.freedesktop.portal.Documents
dbus-user.talk org.freedesktop.portal.Tracker
dbus-user.talk org.freedesktop.secrets
dbus-user.talk org.freedesktop.systemd1
```

rusty-snake commented 2 months ago

```
dbus-user.talk org.freedesktop.portal.Documents
```

Utini2000 commented 2 months ago

> ```
> dbus-user.talk org.freedesktop.portal.Documents
> ```

Yes sir, this is fixing the issue! :)

This debugging was interesting. Will this get into the original firefox.profile and help other users then?

kmk3 commented 1 month ago

For reference, the previous busctl command was wrong.

It should work with the following:

```sh
busctl --user monitor "$firefox" | tee ~/firefox-dbus.txt
^C
grep Interface= ~/firefox-dbus.txt
```