netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox

Home Page: https://firejail.wordpress.com

mpv won't open files via dolphin

aardbol opened this issue · comments

Description

Opening videos in mpv via Dolphin doesn't work. mpv doesn't even start. But opening mpv and dragging and dropping the video from the same location works and the video will be played.

Steps to Reproduce

Browse to the folder. Open the video file and see that mpv won't start.

Run mpv video in terminal. In terminal error:
Error: cannot access profile file: globals.local

The behavior works in the Downloads folder though

Expected behavior

Video plays

Actual behavior

Nothing.

Behavior without a profile

Same behavior

Additional context

The folder containing video files has been whitelisted and set read-only.

Environment

Arch with latest firejail

Checklist

  • The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • I can reproduce the issue without custom modifications (e.g. globals.local).
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • I have performed a short search for similar issues (to avoid opening a duplicate).
    • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program

Error: cannot access profile file: globals.local

Output of LC_ALL=C firejail --debug /path/to/program

output goes here

Thanks for reporting. We'll need a bit more info on your setup though. Are you running Dolphin sandboxed? What does your mpv.desktop look like (either from /usr/share/applications or ~/.local/share/applications)? In other words, do you use firecfg at all?

The mpv profile doesn't include disable-xdg.inc, so it's unclear why your ~/Downloads folder is working while other paths under your user's /home aren't. Can you post that globals.local here please?

Is this a "normal" filesystem or some kind of FUSE like a samba share?

> Behavior without a profile
> Same behavior

Impossible.

> Is this a "normal" filesystem or some kind of FUSE like a samba share?

local FS yes. BTRFS to be specific.

> > Behavior without a profile
> > Same behavior
>
> Impossible.

You're right, the problem is a bit different:

firejail --noprofile mpv op.mp4:


Parent pid 872710, child pid 872711
Child process initialized in 5.97 ms
Warning: an existing sandbox was detected. /usr/bin/mpv will run without any additional sandboxing features
[file] Cannot open file 'op.mp4': No such file or directory
Failed to open op.mp4.
Exiting... (Errors when loading file)

Parent is shutting down, bye...

> Thanks for reporting. We'll need a bit more info on your setup though. Are you running Dolphin sandboxed? What does your mpv.desktop look like (either from /usr/share/applications or ~/.local/share/applications)? In other words, do you use firecfg at all?
>
> The mpv profile doesn't include disable-xdg.inc, so it's unclear why your ~/Downloads folder is working while other paths under your user's /home aren't. Can you post that globals.local here please?

Yes, Dolphin is also sandboxed, via firecfg, no custom local config.

In /usr/share/applications:


[Desktop Entry]
Type=Application
Name=mpv Media Player
GenericName=Multimedia player
Comment=Play movies and songs
Icon=mpv
TryExec=mpv
Exec=mpv --player-operation-mode=pseudo-gui -- %U
Terminal=false
Categories=AudioVideo;Audio;Video;Player;TV;
MimeType=application/ogg;application/x-ogg;application/mxf;application/sdp;application/smil;application/x-smil;appl>
X-KDE-Protocols=ftp,http,https,mms,rtmp,rtsp,sftp,smb,srt,rist,webdav,webdavs
StartupWMClass=mpv

mpv.local:

private-bin env,mpv,python*,waf,youtube-dl,yt-dlp,ls

whitelist ${HOME}/.SiriKali
read-only ${HOME}/.SiriKali

whitelist ${HOME}/z_nobackup
read-only ${HOME}/z_nobackup

> $ firejail --noprofile mpv op.mp4
> Warning: an existing sandbox was detected. /usr/bin/mpv will run without any additional sandboxing features

This is a common mistake. Always use the full path to the application's executable (in this case /usr/bin/mpv). If you don't, the command actually tries to execute firejail firejail mpv ..., which throws firejail into confusion. I'm not saying this is the cause of your issue, but it sure makes things much harder to debug.

> Yes, Dolphin is also sandboxed, via firecfg, no custom local config.

How exactly did you add dolphin to firecfg? It isn't in /etc/firejail/firecfg.config by default.

> mpv.local
> [...]
> private-bin env,mpv,python*,waf,youtube-dl,yt-dlp,ls

Our mpv.profile already has private-bin env,mpv,python*,waf,youtube-dl,yt-dlp. If you want to add other binaries to it, just use private-bin ls in mpv.local. The private-bin option is cumulative.

Please make these changes and post output from

$ firejail --noprofile /usr/bin/mpv /full/path/to/op.mp4
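
The nested invocation described in the comment above (a bare mpv resolving to a firecfg symlink, so that firejail mpv becomes firejail firejail mpv) can be checked before debugging further. The script below is an added example, not part of the original thread or the firejail project; classify_command and demo_layout are hypothetical helper names, and the directory layout it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not firejail project code.
# Assumption: firecfg wraps a program by placing a symlink named after it,
# pointing at the firejail binary, ahead of the real executable in PATH.

# classify_command NAME [PATH_VALUE]
# Prints "wrapped:<symlink>", "direct:<file>" or "missing" for the first
# executable match in PATH_VALUE (defaults to the current $PATH).
classify_command() {
    name=$1
    search_path=${2:-$PATH}
    old_ifs=$IFS
    IFS=:
    set -- $search_path          # split the PATH value on ':' only
    IFS=$old_ifs
    for dir in "$@"; do
        candidate="${dir:-.}/$name"   # an empty PATH entry means the cwd
        [ -f "$candidate" ] && [ -x "$candidate" ] || continue
        if [ -L "$candidate" ]; then
            target=$(readlink "$candidate")
            if [ "${target##*/}" = firejail ]; then
                echo "wrapped:$candidate"
                return 0
            fi
        fi
        echo "direct:$candidate"
        return 0
    done
    echo "missing"
    return 1
}

# Constructed layout: a wrapper directory that shadows the real binary.
demo_layout() {
    root=$(mktemp -d)
    mkdir -p "$root/wrappers" "$root/bin"
    printf '#!/bin/sh\n' > "$root/bin/firejail"
    printf '#!/bin/sh\n' > "$root/bin/mpv"
    chmod +x "$root/bin/firejail" "$root/bin/mpv"
    ln -s "$root/bin/firejail" "$root/wrappers/mpv"
    echo "$root"
}

demo_root=$(demo_layout)
classify_command mpv "$demo_root/wrappers:$demo_root/bin"  # bare name hits the wrapper
classify_command mpv "$demo_root/bin"                      # what a full path would run
rm -rf "$demo_root"
```

Calling classify_command mpv with no second argument inspects the real PATH; a wrapped result means firejail --noprofile mpv would start a second firejail inside the first, which is the case the "existing sandbox was detected" warning reports.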

> > Yes, Dolphin is also sandboxed, via firecfg, no custom local config.
>
> How exactly did you add dolphin to firecfg? It isn't in /etc/firejail/firecfg.config by default.

Good eye, it's not sandboxed. I didn't know about that file.

> Please make these changes and post output from
>
> $ firejail --noprofile /usr/bin/mpv /full/path/to/op.mp4

Same problem as before if given the relative path of the video. Absolute path works.

> Same problem as before if it's the relative path. Absolute path works.

Out of ideas here. I'd check (the Exec=... line in) ~/.local/share/applications/mpv.desktop, but I assume you've already done so. And mimeapps.list (both in ~/.config & ~/.local/share/applications). Hopefully someone with actual KDE/Dolphin experience chimes in.

I have the same issue with gwenview opening an image from a mounted cryptomator container. Path: /home/*/.local/share/Cryptomator. Disabling gwenview in firecfg makes it work again.

However, mpv can play videos and music from /home/$USER/Videos and /home/$USER/Music and gwenview also can show images from /home/$USER/Pictures.