Steam for Linux


Screen capture under Wayland when using Firejail/AppArmor
Hey all,
I've recently taken a look into hardening my Arch install with Firejail and enhancing that with AppArmor. Those 2 technologies are working just fine; however, due to their strong sandboxing, they also happen to break everything related to capturing my desktop in any capacity (besides in-game screenshots from Steam).

I use the stock Firejail profiles which are being shipped for every application. The only one I've modified so far is the Firefox one. I've already found something in a GitHub discussion, and I've modified my Firejail settings a bit, allowing Firefox to use Portals so that it can capture my desktop.
I have made a file called ~/.config/firejail/firefox.local containing the line
dbus-user.talk org.freedesktop.portal.Desktop
This now fixes the issues I've had in Firefox. Yet when I tried to copy this line and make a .profile file for obs-studio, spectacle, or anything which would need access to my desktop, it wouldn't work in their cases.

So basically, is there anyone else here using Firejail with AppArmor on Arch and running into the same issue? I've already browsed what seems like the entire internet and couldn't find a solution on how to finally take a screenshot again.
But I also have to add that, besides the inability to create screenshots, Firejail/AppArmor are working without any problems.

In case that helps: I am using KDE Plasma 5.25.5 with, as stated earlier, Wayland, and an AMD RX 580 using the open source Mesa drivers.


Thanks in advance if anyone has a solution!
Showing 1-7 of 7 comments
BezaoBuilder Oct 14, 2022 @ 2:24pm 
You probably have to give the recording application access to the pipewire socket.
The pipewire socket is a socket file which is usually at "/run/user/$UID/pipewire-0", replacing $UID with your user id.
Originally posted by BezaoBuilder:
You probably have to give the recording application access to the pipewire socket.
The pipewire socket is a socket file which is usually at "/run/user/$UID/pipewire-0", replacing $UID with your user id.
Not required anymore.

I've just run sudo firecfg again.
Then went ahead to delete the .desktop file of spectacle in my home dir.
If I understand everything right, this now starts spectacle without the sandbox, thus it is able to finally take a screenshot again.

I already know about the problem of spectacle not having the right permission.
When starting the program from the terminal, it states "This process is not authorized to take a screenshot"
Meaning I would have to toggle some specific option in the spectacle.local file. Thing is, I have absolutely zero clue on which option is required, I am too lazy to do actual research through the Firejail documentation, and the chance of getting hacked through a screenshotting program is, well, very low at best.

It's not very elegant. Yet it works and that's all that matters to me.
BezaoBuilder Oct 14, 2022 @ 2:42pm 
Adding "include whitelist-runuser-common.inc" in your configs should work, if I understood the config files correctly.
BezaoBuilder Oct 14, 2022 @ 2:48pm 
Adding permission for the /run/user/$UID/doc folder (actually a FUSE filesystem) could help in Spectacle, if you wish to try to sandbox it again.
Originally posted by BezaoBuilder:
Adding "include whitelist-runuser-common.inc" in your configs should work, if I understood the config files correctly.
Nope, doesn't work.
I'll just stay with "insecure" screenshots then. I mean it's just screenshots. It isn't something which can be exploited like a document viewer with a malicious pdf or a web browser with a shady link.
BezaoBuilder Oct 14, 2022 @ 2:56pm 
Originally posted by The Xenoblade guy:
Originally posted by BezaoBuilder:
Adding "include whitelist-runuser-common.inc" in your configs should work, if I understood the config files correctly.
Nope, doesn't work.
I'll just stay with "insecure" screenshots then. I mean it's just screenshots. It isn't something which can be exploited like a document viewer with a malicious pdf or a web browser with a shady link.
How about for OBS then? That is what I was thinking.
Originally posted by BezaoBuilder:
Originally posted by The Xenoblade guy:
Nope, doesn't work.
I'll just stay with "insecure" screenshots then. I mean it's just screenshots. It isn't something which can be exploited like a document viewer with a malicious pdf or a web browser with a shady link.
How about for OBS then? That is what I was thinking.
Yeah, well.
I never record anything on my screen, I still have it installed because, ehm, priorities.

I start it, add Pipewire as the video input. Then black screen. Absolutely ♥♥♥♥♥♥♥ nothing. I mean I never cared about video recording. Yet that doesn't change the fact that it gives me a black screen in the recording field.

Date Posted: Oct 12, 2022 @ 2:44am
Posts: 7
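
Added example (not written by any poster in this thread and not part of Firejail): a small check that reads a profile's text and reports the two things the thread raises for Wayland screen capture, the portal D-Bus name and the PipeWire socket. The function name audit_profile, the simplified directive model and the sample profile text are assumptions made for illustration.

```python
import fnmatch

PORTAL = "org.freedesktop.portal.Desktop"  # D-Bus name from the original post

def audit_profile(text, uid=1000):
    """Summarise what a Firejail profile text says about screen capture.

    Simplified model (assumption): one directive per line, '#' starts a
    comment, 'ignore X' cancels directive X, includes are not followed.
    """
    lines = [" ".join(l.split("#", 1)[0].split()) for l in text.splitlines()]
    lines = [l for l in lines if l]
    ignored = {l[len("ignore "):] for l in lines if l.startswith("ignore ")}
    active = [l for l in lines
              if not l.startswith("ignore ") and l not in ignored]

    if "dbus-user none" in active:
        policy = "none"          # session bus blocked, portal unreachable
    elif "dbus-user filter" in active:
        policy = "filter"        # only names with a talk/own rule pass
    else:
        policy = "unrestricted"

    runuser = f"/run/user/{uid}"
    socket = f"{runuser}/pipewire-0"  # socket path given in the thread
    patterns = [l[len("whitelist "):].replace("${RUNUSER}", runuser)
                for l in active if l.startswith("whitelist ")]

    return {
        "dbus_policy": policy,
        "portal_talk": f"dbus-user.talk {PORTAL}" in active,
        "pipewire_whitelisted": any(fnmatch.fnmatchcase(socket, p) for p in patterns),
    }

# Constructed sample: a .local file followed by the profile it extends.
SAMPLE = """\
# example.local (constructed)
dbus-user.talk org.freedesktop.portal.Desktop
dbus-user filter
ignore dbus-user none
whitelist ${RUNUSER}/pipewire-?
# example.profile (constructed)
dbus-user none
"""

if __name__ == "__main__":
    for key, value in audit_profile(SAMPLE).items():
        print(f"{key}: {value}")
```

Pass it the .local text followed by the shipped profile text so both sets of directives are seen; files pulled in with include lines have to be pasted in by hand.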