spectacle: cannot take screenshots (KDE Wayland) #5127

Open
6 of 7 tasks
wushangwei opened this issue May 2, 2022 · 40 comments
Labels
bug Something isn't working

Comments

@wushangwei

wushangwei commented May 2, 2022

Description

Spectacle not working under KDE Wayland. It opens, but complains "Could not take a screenshot". However it works under x11 session.

Steps to Reproduce

  1. Click the spectacle desktop shortcut; it doesn't work.

  2. kioclient exec /home/nikki/.local/share/applications/org.kde.spectacle.desktop, doesn't work.
    Logs are shown in Log section.

  3. To reduce the dbus errors above, I created ~/.config/firejail/spectacle.local with the following content:

dbus-user.talk org.kde.JobViewServer
dbus-user.talk org.kde.kglobalaccel
dbus-user.talk org.kde.KWin
dbus-user.talk org.kde.plasmashell
dbus-user.talk org.kde.KWin.ScreenShot2

Run the command above again, DBus errors are gone, but left with Screenshot request failed: "The process is not authorized to take a screenshot". Still doesn't work.

Expected behavior

Spectacle should take screenshots normally under KDE Wayland.

Actual behavior

Cannot take screenshots under KDE Wayland. Does not affect X11 session. Console outputs are provided above.
If I modify the desktop file, replace "spectacle" with "/usr/bin/spectacle", it will take screenshot normally.

Behavior without a profile

LC_ALL=C firejail --noprofile kioclient exec /home/nikki/.local/share/applications/org.kde.spectacle.desktop

Logs are shown in Log Section. Console output is similar to the one after modifying spectacle.local. Doesn't work either.

Additional context

If I simply edit the spectacle desktop file and change the Exec from "spectacle" to "/usr/bin/spectacle", it will work normally.

Environment

  • Arch Linux
  • firejail version 0.9.68
  • KDE Wayland

Checklist

  • The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • I can reproduce the issue without custom modifications (e.g. globals.local).
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • I have performed a short search for similar issues (to avoid opening a duplicate).
    • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of kioclient exec /home/nikki/.local/share/applications/org.kde.spectacle.desktop

kf.kio.core: Malformed JSON protocol file for protocol: "trash" , number of the ExtraNames fields should match the number of ExtraTypes fields
kf.service.services: KApplicationTrader: mimeType "x-scheme-handler/file" not found
Reading profile /etc/firejail/spectacle.profile
Reading profile /etc/firejail/globals.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc                                                                        
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 31315, child pid 31326
1 program installed in 2.10 ms                                 
Warning: skipping alternatives for private /etc
Private /etc installed in 6.27 ms
Private /usr/etc installed in 0.00 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Blacklist violations are logged to syslog
Warning: cleaning all supplementary groups
Child process initialized in 114.17 ms
Couldn't start kglobalaccel from org.kde.kglobalaccel.service: QDBusError("org.freedesktop.DBus.Error.ServiceUnknown", "org.freedesktop.DBus.Error.ServiceUnknown")
Error querying plasma version "org.freedesktop.DBus.Error.ServiceUnknown" "org.freedesktop.DBus.Error.ServiceUnknown"
Error querying plasma version "org.freedesktop.DBus.Error.ServiceUnknown" "org.freedesktop.DBus.Error.ServiceUnknown"
Error querying plasma version "org.freedesktop.DBus.Error.ServiceUnknown" "org.freedesktop.DBus.Error.ServiceUnknown"
Error querying plasma version "org.freedesktop.DBus.Error.ServiceUnknown" "org.freedesktop.DBus.Error.ServiceUnknown"
Error querying plasma version "org.freedesktop.DBus.Error.ServiceUnknown" "org.freedesktop.DBus.Error.ServiceUnknown"
kf.config.core: Couldn't write "/home/nikki/.config/spectaclerc" . Disk full?
Error calling KWin DBus interface: "org.freedesktop.DBus.Error.ServiceUnknown" "org.freedesktop.DBus.Error.ServiceUnknown"
libEGL warning: wayland-egl: could not open /dev/dri/renderD128 (没有那个文件或目录)
qt.qpa.wayland: Wayland does not support QWindow::requestActivate()
qt.qpa.wayland: Wayland does not support QWindow::requestActivate()
QPixmap::scaled: Pixmap is a null pixmap
"applications.menu"  not found in  ()

Parent is shutting down, bye...

Output of kioclient exec /home/nikki/.local/share/applications/org.kde.spectacle.desktop after modifying spectacle.local

kf.service.services: KApplicationTrader: mimeType "x-scheme-handler/file" not found
Reading profile /etc/firejail/spectacle.profile
Reading profile /home/nikki/.config/firejail/spectacle.local
Reading profile /etc/firejail/globals.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc                                                                        
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 32061, child pid 32075
1 program installed in 2.35 ms                                       
Warning: skipping alternatives for private /etc
Private /etc installed in 5.47 ms
Private /usr/etc installed in 0.00 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Blacklist violations are logged to syslog
Warning: cleaning all supplementary groups
Child process initialized in 115.37 ms
Screenshot request failed: "The process is not authorized to take a screenshot"
libEGL warning: wayland-egl: could not open /dev/dri/renderD128 (No such file or directory)
qt.qpa.wayland: Wayland does not support QWindow::requestActivate()
QPixmap::scaled: Pixmap is a null pixmap
"applications.menu"  not found in  ()

Parent is shutting down, bye...

Output of LC_ALL=C firejail --noprofile kioclient exec /home/nikki/.local/share/applications/org.kde.spectacle.desktop

Parent pid 32543, child pid 32544
Child process initialized in 10.20 ms
kf.service.services: KApplicationTrader: mimeType "x-scheme-handler/file" not found
Warning: an existing sandbox was detected. /usr/bin/spectacle will run without any additional sandboxing features
Screenshot request failed: "The process is not authorized to take a screenshot"
qt.qpa.wayland: Wayland does not support QWindow::requestActivate()
QPixmap::scaled: Pixmap is a null pixmap

Parent is shutting down, bye...

Output of LC_ALL=C firejail --noprofile kioclient exec /usr/share/applications/org.kde.spectacle.desktop

Parent pid 32875, child pid 32876
Child process initialized in 14.83 ms
kf.service.services: KApplicationTrader: mimeType "x-scheme-handler/file" not found
Screenshot request failed: "The process is not authorized to take a screenshot"
qt.qpa.wayland: Wayland does not support QWindow::requestActivate()
QPixmap::scaled: Pixmap is a null pixmap

Parent is shutting down, bye...

@rusty-snake
Collaborator

Behavior without a profile

Can you create an empty spectacle.profile in ~/.config/firejail and kill all running spectacle processes and try again.

@rusty-snake
Collaborator

I'm closing here due to inactivity, please feel free to request to reopen if you still have this issue.

@rusty-snake rusty-snake closed this as not planned Won't fix, can't repro, duplicate, stale Jun 8, 2022
@kiasoc5

kiasoc5 commented Jun 10, 2022

Is this related to https://bugs.kde.org/show_bug.cgi?id=446628 ?

@rusty-snake
Collaborator

Could be.

@kiasoc5

kiasoc5 commented Jun 11, 2022

I think it is related because if I run firecfg clean and delete ~/.local/share/applications/org.kde.spectacle.desktop, then spectacle works but firejail spectacle does not.

@rusty-snake
Collaborator

From #5245: spectacle does not even work with

$ cat ~/.config/firejail/spectacle.profile
include noprofile.profile

@rusty-snake rusty-snake reopened this Jan 15, 2023
@rusty-snake
Collaborator

Somebody needs to investigate how the Wayland implementation works and what is breaking it.

@rusty-snake
Collaborator

Maybe (I'm guessing around) it works with join-or-start spectacle (maybe in combination with include noprofile.profile and nothing else). Or when the dbus activation is firejailed as well using firecfg.py.

@vendion

vendion commented Jan 15, 2023

The following debug information has been generated from the following environment:

Distro: Arch Linux
Firejail version: firejail version 0.9.72 (installed from firejail-git 0.9.72rc1.r8990.c93ac4186-1 in the AUR)
KDE Plasma: 5.26.5
noprofile.profile set via $HOME/.config/firejail/spectacle.profile

Output of LC_ALL=C firejail --debug /usr/bin/spectacle

Building quoted command line: '/usr/bin/spectacle'
Command name #spectacle#
Found spectacle.profile profile in /home/vendion/.config/firejail directory
Reading profile /home/vendion/.config/firejail/spectacle.profile
Found noprofile.profile profile in /etc/firejail directory
Reading profile /etc/firejail/noprofile.profile
DISPLAY=:1 parsed as 1
Using the local network stack
Initializing child process
Parent pid 43373, child pid 43374
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Warning: cannot open source file /usr/lib/firejail/seccomp.debug32, file not copied
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /usr
3936 1865 254:6 /usr /usr ro,relatime master:1 - ext4 /dev/mapper/root rw
mountid=3936 fsname=/usr dir=/usr fstype=ext4
Mounting tmpfs on /var/lock
Create the new utmp file
Mount the new utmp file
Disable /home/vendion/.config/firejail
Disable /run/firejail/sandbox
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
blacklist /run/firejail/dbus
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /dev/port
Disable /dev/kmsg
Disable /proc/kmsg
Not blacklist /sys/fs
Not blacklist /sys/module
Current directory: /home/vendion
DISPLAY=:1 parsed as 1
Masking all X11 sockets except /tmp/.X11-unix/X1
Mounting read-only /run/firejail/mnt/seccomp
3960 3933 0:103 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755,inode64
mountid=3960 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs
Seccomp directory:
ls /run/firejail/mnt/seccomp
drwxr-xr-x root     root             120 .
drwxr-xr-x root     root             120 ..
-rw-r--r-- vendion  vendion          616 seccomp
-rw-r--r-- vendion  vendion          432 seccomp.32
-rw-r--r-- vendion  vendion            0 seccomp.postexec
-rw-r--r-- vendion  vendion            0 seccomp.postexec32
No active seccomp files
Drop privileges: pid 1, uid 1000, gid 1000, force_nogroups 0
Starting application
LD_PRELOAD=(null)
execvp argument 0: /usr/bin/spectacle
Child process initialized in 9.78 ms
monitoring pid 2

Screenshot request failed: "The process is not authorized to take a screenshot"
qt.qpa.wayland: Wayland does not support QWindow::requestActivate()
QPixmap::scaled: Pixmap is a null pixmap
Sandbox monitor: waitpid 2 retval 2 status 0

Parent is shutting down, bye...

@rusty-snake
Collaborator

rusty-snake commented Jan 15, 2023

flameshot-org/flameshot#1380 (comment):

  • KWin requires you to use the D-Bus.
  • KWin enforces security by ensuring you have the X-KDE-DBUS-Restricted-Interfaces key with the value org.kde.kwin.Screenshot.
  • KWin uses something called KApplicationTrader to find the desktop file of the process and check if the aforementioned key exists. It compares the Exec key in the desktop files and the executable location obtained from procfs to do so.
  • Flameshot does not specify the full path to the binary in its desktop file, unlike Spectacle.
  • Flameshot sets the X-KDE-DBUS-Restricted-Interfaces key to org_kde_kwin_effect-screenshot instead of org.kde.kwin.Screenshot.

That's what I feared.

executable location obtained from procfs

May relate to #5035. I'm not sure which pid it exactly looks at and which file it uses and if this then works or not.

Update: Relates to #5035 because it looks at /proc/<pid>/exe and then the pid doesn't matter.

And this symlink needs to return the same path as used by Exec= in the desktop file.

https://github.com/KDE/kwin/blob/master/src/wayland/utils/executable_path_proc.cpp
https://github.com/KDE/kservice/blob/master/src/services/kapplicationtrader.cpp
Seem to be the relevant files

If we can fool KApplicationTrader it would be the simplest workaround.

full path to the binary in its desktop file

This becomes really difficult to implement. If possible at all.
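
The check described in the comment above, as a simplified model (an added example, not part of the original thread and not KWin or KService code). It assumes the Exec program is compared literally with the /proc/<pid>/exe target; the function names and the sample desktop entries are constructed for illustration.

```python
"""Simplified model of the desktop-file check described in this thread.

Assumption: the program in Exec= is compared literally with the target of
/proc/<pid>/exe. This is not KWin or KService code.
"""
import os
import re
import shlex

RESTRICTED_KEY = "X-KDE-DBUS-Restricted-Interfaces"
IFACE = "org.kde.kwin.Screenshot"  # value quoted in the comment above

# Constructed sample entries (not copied from any real package).
SYSTEM_ENTRY = """[Desktop Entry]
Type=Application
Name=Spectacle
Exec=/usr/bin/spectacle
X-KDE-DBUS-Restricted-Interfaces=org.kde.kwin.Screenshot
"""
# Bare program name, as the reporter describes for the file under ~/.local.
LOCAL_ENTRY = SYSTEM_ENTRY.replace("Exec=/usr/bin/spectacle", "Exec=spectacle")
# Full path, but the other key value mentioned in the quoted Flameshot comment.
WRONG_VALUE_ENTRY = SYSTEM_ENTRY.replace(IFACE, "org_kde_kwin_effect-screenshot")


def parse_desktop_entry(text):
    """Return the key/value pairs of the [Desktop Entry] group."""
    entry, in_group = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip()
    return entry


def exec_program(exec_value):
    """First word of an Exec= value: the program without arguments or field codes."""
    try:
        words = shlex.split(exec_value)
    except ValueError:  # unbalanced quotes in the Exec= value
        return None
    return words[0] if words else None


def read_exe_link(pid):
    """Target of /proc/<pid>/exe, or None when the link cannot be read."""
    try:
        return os.readlink(f"/proc/{pid}/exe")
    except OSError:
        return None


def explain_request(exe_path, desktop_files, interface):
    """Return (authorized, reasons) for a process whose exe link is exe_path.

    desktop_files maps a label to the text of a desktop file. The request is
    authorized when one entry's Exec program equals exe_path and that entry
    lists the interface under RESTRICTED_KEY.
    """
    if not exe_path:
        return False, ["executable path could not be read from procfs"]
    authorized, reasons = False, []
    for name, text in desktop_files.items():
        entry = parse_desktop_entry(text)
        program = exec_program(entry.get("Exec", ""))
        if program != exe_path:
            reasons.append(f"{name}: Exec program {program!r} != {exe_path!r}")
            continue
        # Assumption: the key holds a comma- or semicolon-separated list.
        granted = {i.strip() for i in re.split(r"[,;]", entry.get(RESTRICTED_KEY, ""))
                   if i.strip()}
        if interface in granted:
            authorized = True
            reasons.append(f"{name}: Exec matches and {RESTRICTED_KEY} grants {interface}")
        else:
            reasons.append(f"{name}: Exec matches but {RESTRICTED_KEY} lacks {interface}")
    return authorized, reasons


if __name__ == "__main__":
    samples = {"system": SYSTEM_ENTRY, "local": LOCAL_ENTRY,
               "wrong-value": WRONG_VALUE_ENTRY}
    for label, text in samples.items():
        ok, why = explain_request("/usr/bin/spectacle", {label: text}, IFACE)
        print("authorized" if ok else "denied", "-", "; ".join(why))
```

To inspect a live process, pass `read_exe_link(pid)` as the first argument and the contents of the desktop files under /usr/share/applications and ~/.local/share/applications as the second.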

@jaredmo

jaredmo commented May 12, 2023

I'm having the same issue. In the interim I commented Spectacle out of /etc/firejail/firecfg.config and deleted the .desktop file in .local/share/applications.

This works until the next time firecfg runs (which for me is every update). The desktop file is regenerated. How can that be prevented?

@kmk3
Collaborator

kmk3 commented May 12, 2023

I'm having the same issue. In the interim I commented Spectacle out of
/etc/firejail/firecfg.config and deleted the .desktop file in
.local/share/applications.

This works until the next time firecfg runs (which for me is every update).
The desktop file is regenerated. How can that be prevented?

Removing it from firecfg.config should have been enough; see also:

As a workaround, manually create an override in ~/bin and/or
~/.local/share/applications that calls /usr/bin/spectacle instead of just
spectacle.

@jaredmo

jaredmo commented May 12, 2023

5245 is exactly what I experienced. For now I replaced the file in .local/share/applications with the original as a stopgap. That way firecfg thinks the file already exists and doesn't attempt to recreate.

@secretmango

I can confirm this is still happening, Fedora 38, KDE 5.27.3

@alexpyattaev

Update: you need to remove two offending rules to get it to work on Wayland:

  • noroot // This breaks access to render device
  • private-dev // This makes device node invisible (so it can not be accessed)

With these changes it appears to work fine on firejail version 0.9.72 on Arch.

@glitsj16
Collaborator

@alexpyattaev Nice find. Can you open a PR and fix our spectacle.profile?

@alexpyattaev

alexpyattaev commented Sep 13, 2023 via email

@glitsj16
Collaborator

I am not sure if my "fix" is a good one. In particular, I am unsure if a narrower profile would work, or even what exactly noroot command does:)
Should I make a PR?

That's understandable, although your reasoning looks sound to me. Let's wait for the OP and others to chime in before acting on this.

@alexpyattaev

That's understandable, although your reasoning looks sound to me.

Well that is what makes it scary - it is just good enough to pass the "sanity check" while being made entirely of guesswork and assumptions. Kinda like GPT4 programming.

@rusty-snake
Collaborator

noroot was already known since #5127 (comment)

@glitsj16
Collaborator

UPDATE: more testing carried out on my OpenSUSE Tumbleweed with KDE Wayland

  • confirming that both ignore noroot and ignore private-dev are needed
  • additional D-Bus user filtering is also needed: d-feet shows org.kde.KWin.Screenshot2 besides the already present org.kde.{S,s}pectacle and several other org.kde.KWin.* addresses
  • adding to the complexity is that apparently spectacle can do screenrecording (in webm or mp4 format) too (so we better open up ${VIDEOS} and drop no3d)

I'll need some more time putting together a profile that can deliver all this functionality in a reasonably secure way.

@alexpyattaev

There is additional aspect to this. Apparently, the ~/.local/share/applications/org.kde.spectacle.desktop that firecfg makes somehow manages to make dbus forget that the application has X-KDE-Wayland-Interfaces=zkde_screencast_unstable_v1 permission, which in turn makes Pipewire daemon deny access to the screen recording.

Removing the .desktop file fixes the issue (as the system builtin file is used instead), but firejail remakes the user's local file, making spectacle fail to start. I am unsure what the problem is, as the line in .desktop that enables access to pipewire is still in place.

@secretmango

something that may be interesting: not only spectacle broke, but also Firefox screenshots and Ctrl+P Website printing and Flameshot Flatpak. Is this related? Would all these need separate profiles?

@glitsj16 glitsj16 added the bug Something isn't working label Sep 14, 2023
@glitsj16
Collaborator

@alexpyattaev I did notice the 'weirdness' of the spectacle desktop file(s) too. Not exactly sure what firecfg does to it (personally never used it), but AFAICT it's coded with the assumption that replacing DBusActivatable=true with DBusActivatable=false avoids D-Bus activation. But there's no such entry in the spectacle desktop file AFAICT. Maybe using firecfg.py from @rusty-snake might help here, don't know.

Anyway, here are my latest findings. Note that I've always opted to start the app with its -l flag (Launch Spectacle without taking a screenshot) from CLI to keep output sane while experimenting

$ QT_QPA_PLATFORM=wayland firejail --ignore=quiet /usr/bin/spectacle -l

Putting together a reliably working dbus-user filter combo (for both screenshot and screenrecording) drove me nuts. Too many variables, too many complications... IMO we should better drop it altogether from spectacle's profile. Obviously this is open for debate and just my opinion, no more, no less.

  • always needed
    • ignore noroot
    • ignore private-dev <-- NOT NEEDED
  • allow everything on the session bus (no dbus-user filtering)

If anyone wants to test/confirm/deny, here's my proposed spectacle.profile:

$ cat ~/.config/firejail/spectacle.profile
# Firejail profile for spectacle
# Description: Spectacle is a simple application for capturing desktop screenshots.
# This file is overwritten after every install/update
# Persistent local customizations
include spectacle.local
# Persistent global definitions
include globals.local

# Add the next lines to your spectacle.local to use sharing services.
#netfilter
#ignore net none
#private-etc ca-certificates,crypto-policies,pki,resolv.conf,ssl
#protocol unix,inet,inet6

noblacklist ${HOME}/.config/spectaclerc
noblacklist ${PICTURES}
noblacklist ${VIDEOS}

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-proc.inc
include disable-programs.inc
include disable-xdg.inc

mkfile ${HOME}/.config/spectaclerc
whitelist ${HOME}/.config/spectaclerc
whitelist ${DOWNLOADS}
whitelist ${PICTURES}
whitelist ${VIDEOS}
whitelist /usr/share/kconf_update/spectacle_*
include whitelist-common.inc
include whitelist-run-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

apparmor
caps.drop all
#machine-id
net none
#no3d
nodvd
nogroups
noinput
nonewprivs
noprinters
#noroot
#nosound
notv
nou2f
novideo
protocol unix
seccomp
seccomp.block-secondary
tracelog

disable-mnt
private-bin spectacle
private-cache
private-dev
private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
private-tmp

# finding a reliably working dbus-user filtering combo for
# screenshot/screenrecording functionality failed - help wanted
#dbus-user filter
#dbus-user.own org.kde.spectacle
#dbus-user.own org.kde.Spectacle
#dbus-user.talk org.freedesktop.FileManager1
#dbus-user.talk org.kde.JobViewServer
#dbus-user.talk org.kde.kglobalaccel
dbus-system none

restrict-namespaces

HTH

@glitsj16
Collaborator

something that may be interesting: not only spectacle broke, but also Firefox screenshots and Ctrl+P Website printing and Flameshot Flatpak. Is this related? Would all these need separate profiles?

@firefoxlover Hard to tell whether those are related. Are you seeing all that on KDE Wayland? Or how should we understand your comment in this issue's context? Please try to describe exactly what broke where. One thing is clear though, Flatpak and Firejail don't mix:

Alternative sandbox technologies like snap (https://snapcraft.io/) and flatpak (https://flatpak.org/)
are not supported. Snap and flatpak packages have their own native management tools and will
not work when sandboxed with Firejail.

@alexpyattaev

something that may be interesting: not only spectacle broke, but also Firefox screenshots and Ctrl+P Website printing and Flameshot Flatpak. Is this related? Would all these need separate profiles?

Firefox and chrome work just fine for me. In Firejail both of them. So I do not think it is 100% related.

@rusty-snake
Collaborator

Firefox Screenshots: Not blocked by firejail, check your Firefox profile.

Ctrl+P: Unrelated => new issue

@secretmango

This is not my experience though. After removing the .desktop entry generated by firejail it suddenly worked again. I didn't change anything on the profile. Ctrl+P always crashed, and screenshots had really weird issues, getting the wrong areas etc.

I expected a wayland bug but on the same system, different user profile the bugs were completely gone.

After removing the firejail .desktop files, everything was working again.

@IPlayZed

IPlayZed commented Dec 19, 2023

Removing the local desktop file solves the issue, but that is just a workaround, doesn't solve the actual problem.
This also happens to me when launching spectacle from the terminal. My terminal is a Flatpak installation.
Full log:

Reading profile /etc/firejail/spectacle.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 383424, child pid 383428
1 program installed in 3.50 ms
Warning: skipping alternatives for private /etc
Warning: skipping ld.so.preload for private /etc
Private /etc installed in 7.35 ms
Private /usr/etc installed in 0.00 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Child process initialized in 138.24 ms
libEGL warning: wayland-egl: could not open /dev/dri/renderD128 (No such file or directory)
On Wayland, Spectacle requires KDE Plasma's KWin compositor, which does not seem to be available. Use Spectacle on KDE Plasma, or use a different screenshot tool.
Failed to create secure directory (/run/user/60311/pulse): Permission denied
ALSA lib confmisc.c:855:(parse_card) cannot find card '0'
ALSA lib conf.c:5204:(_snd_config_evaluate) function snd_func_card_inum returned error: No such file or directory
ALSA lib confmisc.c:422:(snd_func_concat) error evaluating strings
ALSA lib conf.c:5204:(_snd_config_evaluate) function snd_func_concat returned error: No such file or directory
ALSA lib confmisc.c:1342:(snd_func_refer) error evaluating name
ALSA lib conf.c:5204:(_snd_config_evaluate) function snd_func_refer returned error: No such file or directory
ALSA lib conf.c:5727:(snd_config_expand) Evaluate error: No such file or directory
ALSA lib pcm.c:2675:(snd_pcm_open_noupdate) Unknown PCM default
kf.notifications: Failed to play sound with canberra: File or data not found

at this point the GUI error message pops up, after hitting OK on it, the log continues:

Remember requesting the interface on your desktop file: X-KDE-Wayland-Interfaces=zkde_screencast_unstable_v1
Couldn't start kglobalaccel from org.kde.kglobalaccel.service: QDBusError("org.freedesktop.DBus.Error.ServiceUnknown", "org.freedesktop.DBus.Error.ServiceUnknown")
"applications.menu"  not found in  ()
QPainter::begin: Paint device returned engine == 0, type: 3
QPainter::setRenderHint: Painter must be active to set rendering hints
QPainter::setRenderHint: Painter must be active to set rendering hints
QPainter::scale: Painter not active
QPainter::worldTransform: Painter not active
QPainter::scale: Painter not active
QPainter::setRenderHint: Painter must be active to set rendering hints
QPainter::scale: Painter not active
QPainter::end: Painter not active, aborted
QPainter::begin: Paint device returned engine == 0, type: 3
QPainter::setRenderHint: Painter must be active to set rendering hints
QPainter::setRenderHint: Painter must be active to set rendering hints
QPainter::scale: Painter not active
QPainter::worldTransform: Painter not active
QPainter::scale: Painter not active
QPainter::setRenderHint: Painter must be active to set rendering hints
QPainter::scale: Painter not active
QPainter::end: Painter not active, aborted

Spectacle's window opens, but no screenshot is taken.
I set up Pacman to auto generate these entries.

@secretmango

thanks for keeping track of this! I am more interested in bubblejail, but that one has even less tooling, so unless some big org decides to support it, it will take some time to get usable

@Real-Gecko

For me spectacle does not work with X server too, only removing symlink from /usr/local/bin and .desktop file from $HOME/.local/share/applications unlocks it to full. No advice from this issue worked.
Arch, Spectacle 24.02.2, plasma-desktop 6.0.4, xorg-server 21.1.13

@gcb
Contributor

gcb commented Jul 19, 2024

given that most distros ship with wayland nowadays, should firejail ship with something like:

# enable if you are not on Wayland see https://github.com/netblue30/firejail/issues/5127
!spectacle

in firecfg.conf? and this becomes an enhancement to add the profile?

kmk3 added a commit to kmk3/firejail that referenced this issue Jul 20, 2024
There are various reports in netblue30#5127 that the current profile is broken on
wayland (and at least one report that it is broken on xorg as well).
@IPlayZed

@kmk3

For me spectacle does not work with X server too, only removing symlink from /usr/local/bin and .desktop file from $HOME/.local/share/applications unlocks it to full. No advice from this issue worked. Arch, Spectacle 24.02.2, plasma-desktop 6.0.4, xorg-server 21.1.13

If you disable it X users will not benefit from it.

@kmk3
Collaborator

kmk3 commented Jul 23, 2024

For me spectacle does not work with X server too, only removing symlink
from /usr/local/bin and .desktop file from
$HOME/.local/share/applications unlocks it to full. No advice from this
issue worked. Arch, Spectacle 24.02.2, plasma-desktop 6.0.4,
xorg-server 21.1.13

If you disable it X users will not benefit from it.

The comment you just quoted said that firejailed spectacle does not work on X
either.

But even if it did, profiles should work by default on common setups (xorg and
wayland) and apparently spectacle does not work at all even with
noprofile.profile on plasma/wayland.

The effect is worse for programs that are usually not started from the CLI, as
the user will not see stderr, so it's harder to tell that the issue is caused
by firejail.

Lastly, in firejail-git you can include more programs in firecfg by adding them
to /etc/firejail/firecfg.d/:

kmk3 added a commit to kmk3/firejail that referenced this issue Jul 25, 2024
There are various reports in netblue30#5127 that the current profile is broken on
wayland (and at least one report that it is broken on xorg as well).

Relates to netblue30#6268.
kmk3 added a commit to kmk3/firejail that referenced this issue Jul 26, 2024
There are various reports in netblue30#5127 that the current profile is broken on
wayland (and at least one report that it is broken on xorg as well).

Relates to netblue30#6268.
kmk3 added a commit that referenced this issue Jul 26, 2024
There are various reports in #5127 that the current profile is broken on
wayland (and at least one report that it is broken on xorg as well).

Relates to #6268.
@IPlayZed

Ok, so what is left to complete so we can mark this issue as completed? And as far as I understand (I tried reading the thread), the problem seems to be coming from Spectacle behaving weirdly?

@gcb
Contributor

gcb commented Aug 8, 2024

Do we want to do the same for things like obs and maybe others whose main functionality depends on screen capture somehow?

@kmk3 kmk3 changed the title Spectacle not working under KDE Wayland spectacle: cannot take screenshots (KDE Wayland) Aug 24, 2024
@Utini2000

Ye so after reading this and trying all kinds of workarounds, the only solution was to exclude spectacle (and obs) from firecfg.

@gcb
Contributor

gcb commented Oct 30, 2024

Ye so after reading this and trying all kinds of workarounds, the only solution was to exclude spectacle (and obs) from firecfg.

this has bitten me again and again :) I remove it from the config list, but then the .desktop file remains and for some reason without the permission lines it needs. And I cannot take screenshots until I remember I have to delete my desktop file in ~/.local something.

maybe someone who knows the code better can comment if the "fix" for this is to add a "delete all user desktop files created by firejail" before reaching the copy step https://github.com/netblue30/firejail/blob/master/src/firecfg/desktop_files.c#L189 ?

@kmk3
Collaborator

kmk3 commented Oct 30, 2024

Ye so after reading this and trying all kinds of workarounds, the only
solution was to exclude spectacle (and obs) from firecfg.

this has bitten me again and again :) I remove it from the config list, but
then the .desktop file remains and for some reason without the permission
lines it needs. And I cannot take screenshots until I remember I have to
delete my desktop file in ~/.local something.

maybe someone who knows the code better can comment if the "fix" for this is
to add a "delete all user desktop files created by firejail" before reaching
the copy step
https://github.com/netblue30/firejail/blob/master/src/firecfg/desktop_files.c#L189
?

firecfg --clean should remove it.

See also:

Does it work with firejail-git?

If not, please open a new issue and follow the bug report template:

@gcb
Contributor

gcb commented Oct 31, 2024

My point was that firecfg --fix should do a --clean beforehand. Kinda like the root user firecfg flow does with the rules.
