Firejail prevents simple-scan from opening "save" dialog

Markus.N2 · 2025-05-02 21:48:08

Hi,
I'm trying to use simple-scan with firejail. So far, I haven't added a custom configuration for this application (the corresponding .local file). Also, it looks like simple-scan was added to the list of firejailed applications recently.
I would have expected the "Save" dialog to open, just with very few choices for target folders to save to. Instead, nothing happens when I click that button. When I bypass firejail by directly running /usr/bin/simple-scan, everything works.
Below is the current /etc/firejail/simple-scan.profile. It was provided by the firejail package and has not been altered by me. Neither has any of the included files.
Any idea which option prevents opening of the file chooser dialog for "save"?

Thanks.

# Firejail profile for simple-scan
# Description: Simple Scanning Utility
# This file is overwritten after every install/update
# Persistent local customizations
include simple-scan.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/.cache/simple-scan
noblacklist ${DOCUMENTS}

include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
include disable-programs.inc
include disable-xdg.inc

whitelist /usr/share/hplip
whitelist /usr/share/simple-scan
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

caps.drop all
netfilter
nodvd
nogroups
nonewprivs
noroot
nosound
notv
#novideo
protocol unix,inet,inet6,netlink
# blacklisting of ioperm system calls breaks simple-scan
seccomp !ioperm
tracelog

#private-bin simple-scan
#private-dev
#private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
#private-tmp

restrict-namespaces

seth · 2025-05-02 23:24:18

https://github.com/flatpak/xdg-desktop- … 1243927291

Does simple-scan end up using xdg-desktop-portal to open the (save) file dialog?

Markus.N2 · 2025-05-03 05:24:00

I'm not sure ... maybe I should add that I'm using XFCE desktop and I'm not (yet) on Wayland. To my understanding, portals are only a thing on Wayland.

seth · 2025-05-03 05:54:28

No, xdg-desktop-portal originates from the flatschpak universe and is increasingly used to punch barn doors into the security promises of wayland fill gaps in the wayland protocol, but it's also used for desktop integration, particularly with file dialogs.

pacman -Qs portal # do you have that stuff installed at all

and then check the system journal (it'll typically show up there) and you can "dbus-monitor --session" openening the file dialog.

The linked bug suggests noroot is problematic and "include disable-xdg.inc" looks kinda troublesome, too

Markus.N2 · 2025-05-07 07:23:58

Indeed, it's using a portal (or trying to). According to dbus-monitor output, it makes multiple calls, with the "destination" parameter containing "portal".
Maybe I should open a bug report on firejail directly.
At least, I've learned something new (dbus-monitor). so thank you for that.

Arch Linux

#1 2025-05-02 21:48:08

Firejail prevents simple-scan from opening "save" dialog

#2 2025-05-02 23:24:18

Re: Firejail prevents simple-scan from opening "save" dialog

#3 2025-05-03 05:24:00

Re: Firejail prevents simple-scan from opening "save" dialog

#4 2025-05-03 05:54:28

Re: Firejail prevents simple-scan from opening "save" dialog

#5 2025-05-07 07:23:58

Re: Firejail prevents simple-scan from opening "save" dialog

Board footer