ktorrent: Cannot start application: No such file or directory

[vendion]

Description

Ktorrent 22.08.1 doesn't launch with the default firejail profile, instead a fatal python error is thrown.

Steps to Reproduce

Steps to reproduce the behavior

1. Launch ktorrent via LC_ALL=C firejail /usr/bin/ktorrent (gave full path as I have firejail setup so apps are ran under it by default)
2. Ktorrent doesn't launch with lots of output to STDOUT/STDERR in the terminal

Expected behavior

Ktorrent to open up.

Actual behavior

Ktorrent errored out before even opening the main window.

Behavior without a profile

Without a profile Ktorrent opens up just fine.

Additional context

Environment

• Distro: Arch Linux
• Firejail version: 0.9.70

Checklist

• The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
• I can reproduce the issue without custom modifications (e.g. globals.local).
• The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
• The profile (and redirect profile if exists) hasn't already been fixed upstream.
• I have performed a short search for similar issues (to avoid opening a duplicate).
  • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
• I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program

Reading profile /etc/firejail/ktorrent.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Warning: cannot create /home/vendion/.kde/share/config/ktorrentrc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 6660, child pid 6662
1 program installed in 4.39 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: not remounting /run/user/1000/doc
Warning: not remounting /run/user/1000/gvfs
Warning: not remounting /run/user/1000/keybase/kbfs
Warning: cannot create /home/vendion/.kde/share/config/ktorrentrc
Warning: cleaning all supplementary groups
Child process initialized in 232.75 ms
Warning: env says KDE is running but SNI unavailable -- check KDE_FULL_SESSION and XDG_CURRENT_DESKTOP
Warning: The desktop entry file "/usr/share/applications/kcm_krunnersettings.desktop" has Type= "Application" but no Exec line
Warning: Invalid Service :  "/usr/share/applications/kcm_krunnersettings.desktop"
Warning: The desktop entry file "/usr/share/applications/qemu.desktop" has Type= "Application" but no Exec line
Warning: Invalid Service :  "/usr/share/applications/qemu.desktop"
Failed to create secure directory (/run/user/1000/pulse): Permission denied

(gst-plugin-scanner:22): GLib-GObject-WARNING **: 11:02:52.990: type name '-a-png-encoder-pred' contains invalid characters

(gst-plugin-scanner:22): GLib-GObject-CRITICAL **: 11:02:52.992: g_type_set_qdata: assertion 'node != NULL' failed

(gst-plugin-scanner:22): GLib-GObject-CRITICAL **: 11:02:52.992: g_type_set_qdata: assertion 'node != NULL' failed

(gst-plugin-scanner:22): GLib-GObject-WARNING **: 11:02:53.029: type name '-a-png-encoder-pred' contains invalid characters

(gst-plugin-scanner:22): GLib-GObject-CRITICAL **: 11:02:53.029: g_type_set_qdata: assertion 'node != NULL' failed

(gst-plugin-scanner:22): GLib-GObject-CRITICAL **: 11:02:53.029: g_type_set_qdata: assertion 'node != NULL' failed
Could not find platform independent libraries <prefix>
Could not find platform dependent libraries <exec_prefix>
Consider setting $PYTHONHOME to <prefix>[:<exec_prefix>]
Python path configuration:
  PYTHONHOME = (not set)
  PYTHONPATH = (not set)
  program name = 'python3'
  isolated = 0
  environment = 1
  user site = 1
  import site = 1
  sys._base_executable = ''
  sys.base_prefix = '/usr'
  sys.base_exec_prefix = '/usr'
  sys.platlibdir = 'lib'
  sys.executable = ''
  sys.prefix = '/usr'
  sys.exec_prefix = '/usr'
  sys.path = [
    '/usr/lib/python310.zip',
    '/usr/lib/python3.10',
    '/usr/lib/lib-dynload',
  ]
Fatal Python error: init_fs_encoding: failed to get the Python codec of the filesystem encoding
Python runtime state: core initialized
ModuleNotFoundError: No module named 'encodings'

Current thread 0x00007f31b77d1740 (most recent call first):
  <no Python frame>
Could not find platform independent libraries <prefix>
Could not find platform dependent libraries <exec_prefix>
Consider setting $PYTHONHOME to <prefix>[:<exec_prefix>]
Python path configuration:
  PYTHONHOME = (not set)
  PYTHONPATH = (not set)
  program name = 'python3'
  isolated = 0
  environment = 1
  user site = 1
  import site = 1
  sys._base_executable = ''
  sys.base_prefix = '/usr'
  sys.base_exec_prefix = '/usr'
  sys.platlibdir = 'lib'
  sys.executable = ''
  sys.prefix = '/usr'
  sys.exec_prefix = '/usr'
  sys.path = [
    '/usr/lib/python310.zip',
    '/usr/lib/python3.10',
    '/usr/lib/lib-dynload',
  ]
Fatal Python error: init_fs_encoding: failed to get the Python codec of the filesystem encoding
Python runtime state: core initialized
ModuleNotFoundError: No module named 'encodings'

Current thread 0x00007fe6dc8a2740 (most recent call first):
  <no Python frame>
Failed to create secure directory (/run/user/1000/pulse): Permission denied
Failed to create secure directory (/run/user/1000/pulse): Permission denied
Failed to create secure directory (/run/user/1000/pulse): Permission denied
[ALSOFT] (EE) Failed to connect PipeWire event context (errno: 112)
Failed to create secure directory (/run/user/1000/pulse): Permission denied
Failed to create secure directory (/run/user/1000/pulse): Permission denied
Failed to create secure directory (/run/user/1000/pulse): Permission denied
Failed to create secure directory (/run/user/1000/pulse): Permission denied
Failed to create secure directory (/run/user/1000/pulse): Permission denied
Failed to create secure directory (/run/user/1000/pulse): Permission denied
Warning: 0 instead of 4 arguments to message "    <html>    <body ..." supplied before conversion
Warning: WebEngineContext used before QtWebEngine::initialize() or OpenGL context creation failed.
Warning: QGLXContext: Failed to create dummy context
Check failed: sys_chroot("/proc/self/fdinfo/") == 0

Parent is shutting down, bye...

Output of LC_ALL=C firejail --debug /path/to/program

https://gist.github.com/vendion/894010a10ebc4b2d00a9834ae41c9873

[glitsj16]

Python is blocked by include disable-interpreters.inc. Can you test if ktorrent works as expected when adding the below to a ~/.config/firejail/ktorrent.local:

# Allow python (blacklisted by disable-interpreters.inc)
#include allow-python2.inc
include allow-python3.inc

private-bin python*

We can add it to our default ktorrent.profile if this fixes it for you. Or you can create a PR if you want.

[vendion]

Seems that is not all getting blocked:

Reading profile /etc/firejail/ktorrent.profile
Reading profile /home/vendion/.config/firejail/ktorrent.local
Reading profile /etc/firejail/allow-python3.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Warning: cannot create /home/vendion/.kde/share/config/ktorrentrc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 17266, child pid 17268
65 programs installed in 76.24 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: not remounting /run/user/1000/doc
Warning: not remounting /run/user/1000/gvfs
Warning: not remounting /run/user/1000/keybase/kbfs
Warning: cannot create /home/vendion/.kde/share/config/ktorrentrc
Warning: cleaning all supplementary groups
Child process initialized in 307.38 ms
Cannot start application: No such file or directory

Parent is shutting down, bye...

[glitsj16]

Sadly I'm not really familiar with KDE to explain all these warnings, although IMO most of them look harmless. The ktorrent profile uses nosound so any warnings regarding pulseaudio and pipewire or to be expected. Why /home/vendion/.kde/share/config/ktorrentrc cannot be created escapes me. I guess you'll have to do more digging to pin-point what's keeping ktorrent from starting up. I'm stabbing in the dark here, but one thing that can be checked very quickly is if here have been changes that need something else in private-bin besides python*. Try with ignore private-bin to rule that out if you find the time to debug this further.

[rusty-snake]

Also check your syslog for seccomp messages.

[kmk3]

@vendion commented on Oct 11:

Warning: cannot create /home/vendion/.kde/share/config/ktorrentrc

This should be fixed by #5415.

Does it still fail with the changes from #5415?

[X6B]

I can launch Ktorrent using the default profile on Archlinux without problems.

The real problem with Ktorrent profile is already reported: #1793

So, if you open Ktorrent for the first time, will not save any configurations because firejail can´t write on /.config/ktorrentrc. You have to launch Ktorrent outside firejail, configure the program to your liking, let Ktorrent create a valid /.config/ktorrentrc file and using ktorrent firejailed.

In the default ktorrent profile I see strange things, for example:

private-bin kbuildsycoca4,kdeinit4 <---- KDE4 programs
.kde/ and .kde4/ folders only exist in my system because firejail (kaffeine) creates them, no program actually uses them.

[vendion]

@X6B Odd because I do have Ktorrent already configured, and it works outside of firejail but with firejail nothing. One question, are you actively running KDE? I'm trying to launch Ktorrent from HerbstluftWM instead of KDE. Again it works without firejail this way though.

@kmk3 That at least takes care of that issue, but I'm still having the same problem.

After implementing the other suggestions in the thread here is an updated output of firejail --debug /usr/bin/ktorrent: https://gist.github.com/vendion/99fb198013bdc3ef8704290ef45bd006

@rusty-snake The only log I see seccomp in other than the debug output of firejail is AppArmor's audit log but I don't see anything for ktorrent.

[rusty-snake]

• Forgot, you need to run with --seccomp-error-action=log.
• HerbstluftWM, sndio, elvish, ... such systems have much less testing
• Does it work use elvish, shell none should be set.
• Since --noprofile works, comment ktorrent.profile line by line to find the cause.
• Does it work w/o deterministic-shutdown?

[vendion]

Does it work use elvish, shell none should be set.

I don't follow what you mean here? Should I add shell none to the ktorrent.profile?

Edit: I see now, shell=none passed in as a command line argument didn't seem to have any effect. I also don't see any thing different in my logs running with seccomp-error-action=log but I did update the above gist with the new output.

Still to test is without the deterministic-shutdown and then going line by line.

[rusty-snake]

I should not write the first part of the sentence, look up something and then write the rest without re-reading the first part ...

It should contain shell none, https://github.com/netblue30/firejail/blob/0.9.70/etc/profile-a-l/ktorrent.profile.

[X6B]

@vendion Yes, I'm an Archlinux KDE user and never had a problem starting Ktorrent under firejail. The only problem is that the configuration files seem to be opened in read-only mode.

[vendion]

Okay, I manage to get Ktorrent to launch under firejail with the following profile:

/etc/firejail/ktorrent.profile

# Firejail profile for ktorrent
# Description: BitTorrent client based on the KDE platform
# This file is overwritten after every install/update
# Persistent local customizations
include ktorrent.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/.config/ktorrentrc
noblacklist ${HOME}/.kde/share/apps/ktorrent
noblacklist ${HOME}/.kde/share/config/ktorrentrc
noblacklist ${HOME}/.kde4/share/apps/ktorrent
noblacklist ${HOME}/.kde4/share/config/ktorrentrc
noblacklist ${HOME}/.local/share/ktorrent
noblacklist ${HOME}/.local/share/kxmlgui5/ktorrent

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-programs.inc
include disable-shell.inc

# Legacy paths
mkdir ${HOME}/.kde4/share/apps/ktorrent
mkdir ${HOME}/.kde4/share/config
mkfile ${HOME}/.kde4/share/config/ktorrentrc

mkdir ${HOME}/.kde/share/apps/ktorrent
mkdir ${HOME}/.kde/share/config
mkdir ${HOME}/.local/share/ktorrent
mkdir ${HOME}/.local/share/kxmlgui5/ktorrent
mkfile ${HOME}/.config/ktorrentrc
mkfile ${HOME}/.kde/share/config/ktorrentrc
whitelist ${DOWNLOADS}
whitelist ${HOME}/.config/ktorrentrc
whitelist ${HOME}/.kde/share/apps/ktorrent
whitelist ${HOME}/.kde/share/config/ktorrentrc
whitelist ${HOME}/.kde4/share/apps/ktorrent
whitelist ${HOME}/.kde4/share/config/ktorrentrc
whitelist ${HOME}/.local/share/ktorrent
whitelist ${HOME}/.local/share/kxmlgui5/ktorrent
include whitelist-common.inc
include whitelist-run-common.inc
include whitelist-var-common.inc

caps.drop all
machine-id
netfilter
no3d
nodvd
nogroups
noinput
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix,inet,inet6,netlink
#seccomp

#private-bin kbuildsycoca4,kdeinit4,ktorrent
private-dev
# private-lib - problems on Arch
private-tmp

deterministic-shutdown
# memory-deny-write-execute

.config/firejail/ktorrent.local

# Allow python (blacklisted by disable-interpreters.inc)
#include allow-python2.inc
include allow-python3.inc

#private-bin python*
#ignore private-bin

#shell none

[rusty-snake]

• If you list changes only instead of 95% copy of the profile, it is easier for everyone to track what got changed.
  Ignoring the .local, the changes are:

The following commands are unique to ktorrent.profile:
seccomp
private-bin kbuildsycoca4,kdeinit4,ktorrent

The following commands are unique to ktorrent-modif.profile:
mkdir ${HOME}/.kde4/share/config
mkdir ${HOME}/.kde/share/config

[smitsohu]

Maybe it's about time to get rid of all that kde4 cruft altogether.

From all big distributions it looks like only RHEL 7 still supports KDE/Plasma 4, and will do so till mid 2024. As far as I understand there are no free RHEL 7 clones any more, now that CentOS has been discontinued.

It would help also in other ways. Profiles like that for Okular don't have a net none, because back in the days the D-Bus session bus socket used to be abstract, and it is close to impossible to remove D-Bus access from a KDE 4 app.

Nowadays all of that is not true anymore.

[kmk3]

@smitsohu on Dec 28:

Maybe it's about time to get rid of all that kde4 cruft altogether.

From all big distributions it looks like only RHEL 7 still supports
KDE/Plasma 4, and will do so till mid 2024. As far as I understand there are
no free RHEL 7 clones any more, now that CentOS has been discontinued.

It would help also in other ways. Profiles like that for Okular don't have a
net none, because back in the days the D-Bus session bus socket used to be
abstract, and it is close to impossible to remove D-Bus access from a KDE 4
app.

Nowadays all of that is not true anymore.

Sounds like a good idea to me.

(Though I'd postpone doing such a refactoring until after 0.9.72)

Could you open an issue to track/discuss this?

[smitsohu]

Could you open an issue to track/discuss this?

Yes, will do that.

As far as I understand there are no free RHEL 7 clones any more, now that CentOS has been discontinued.

I was wrong by the way. CentOS 7 and RHEL 7 reach EOL at the same time.