ffmpeg 4.2.2 does not work with the included firejail profile #3157

Closed
the-lost-bit opened this issue Jan 17, 2020 · 4 comments

@the-lost-bit

First I would like to thank all the developers for this really nice piece of security software.

My issue is with the latest version of FFmpeg, version 4.2.2 (pacman says 1:4.2.2-1). If I try to run ffmpeg like so, firejail ffmpeg, I get the following error:

/usr/bin/ffmpeg: error while loading shared libraries: libmfx.so.1: cannot open shared object file: No such file or directory

If I use the --noprofile option the above command runs without errors though, so it seems like this may be an issue with the included FFmpeg profile. The library that ffmpeg complains about is located in /opt/intel/mediasdk/lib. This intel-directory was created (not by me) when I updated FFmpeg to the latest version.

There is no error when using the previous version of FFmpeg, that is 4.2.1 (pacman says 1:4.2.1-4). I tried to do some whitelisting of the above directory but to no avail. Hopefully someone more skilled in setting up profiles can help me on the way to solve this problem. I am a beginner.

Manjaro: 18.1.5
Firejail: 0.9.62
FFmpeg: 4.2.2

@glitsj16
Collaborator

@the-lost-bit We are aware of this. See #3147 and #3150. To summarize: the ffmpeg profile saw some changes after releasing 0.9.62. Until a decision is made on a follow-up release you can fix this by adding

private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,nsswitch.conf,pkcs11,pki,resolv.conf,ssl

to your ffmpeg.local (or create that file if you don't have one yet). Would you be so kind as to confirm/deny whether the above changes fix the ffmpeg issue?

@the-lost-bit
Author

Many thanks glitsj16 for the swift reply, and my apologies for not doing a proper search among the issues!

Yes, your suggested ffmpeg.local file seems to do the trick. I did note however that the issue persisted with youtube-dl which calls ffmpeg to merge video and audio after download, so I just made a youtube-dl.local file with the exact same contents as per your suggestion above, and indeed this works.

Are there any obvious negative security implications with my ad hoc solution to the youtube-dl+ffmpeg combo issue? Thanks again, and sorry if I went a bit off topic.

@glitsj16
Collaborator

> Many thanks glitsj16 for the swift reply, and my apologies for not doing a proper search among the issues!

@the-lost-bit No worries, that happens. A duplicate is still better than no report at all. Firejail by design relies heavily on user input for keeping profiles in good condition and your input is appreciated.

> Yes, your suggested ffmpeg.local file seems to do the trick.

Great, thanks for confirming.

> I did note however that the issue persisted with youtube-dl which calls ffmpeg to merge video and audio after download, so I just made a youtube-dl.local file with the exact same contents as per your suggestion above, and indeed this works.

Indeed, I forgot to mention youtube-dl. The relevant changes to that profile look like this:

private-etc alternatives,ca-certificates,crypto-policies,hostname,hosts,ld.so.cache,mime.types,pki,resolv.conf,ssl,youtube-dl.conf

... so you should be fine by replacing the private-etc line in your youtube-dl.local with the above.

> Are there any obvious negative security implications with my ad hoc solution to the youtube-dl+ffmpeg combo issue?

None, your ad-hoc workarounds now offer the exact same security level as those in git master. It's only too bad the relevant profile changes happened after releasing firejail 0.9.62. I suggested a new release after users started reporting ffmpeg issues, but no decision on that yet. Just make a note to remove your private-etc .local fixes when a future update arrives, that will make those superfluous.

I'll close this, but do feel free to re-open when you notice anything fishy with your ffmpeg/youtube-dl usage. Thank you for the cooperation!
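An added example, not part of the original thread or of firejail itself: a small Python check that compares the private-etc line in a .local file with a recommended one, using the two lines quoted above as sample input. The function names are hypothetical, and treating several private-etc lines in one file as a union is an assumption of this sketch.

```python
# Added example (not firejail code): compare private-etc allowlists.
# Sample input: the two private-etc lines quoted in this thread.
FFMPEG_LINE = (
    "private-etc alternatives,ca-certificates,crypto-policies,hosts,"
    "ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,nsswitch.conf,"
    "pkcs11,pki,resolv.conf,ssl"
)
YOUTUBE_DL_LINE = (
    "private-etc alternatives,ca-certificates,crypto-policies,hostname,"
    "hosts,ld.so.cache,mime.types,pki,resolv.conf,ssl,youtube-dl.conf"
)


def private_etc_entries(profile_text):
    """Return the set of /etc entries named by private-etc lines.

    Assumption: several private-etc lines are treated as a union.
    """
    entries = set()
    for raw in profile_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comment lines
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == "private-etc":
            entries.update(e.strip() for e in parts[1].split(",") if e.strip())
    return entries


def compare(local_text, recommended_text):
    """Diff a .local allowlist against a recommended allowlist."""
    have = private_etc_entries(local_text)
    want = private_etc_entries(recommended_text)
    return {
        "missing": sorted(want - have),  # recommended but not in the .local file
        "extra": sorted(have - want),    # in the .local file but not recommended
        # The dynamic loader reads /etc/ld.so.cache to find libraries
        # that live outside the default library directories.
        "has_loader_cache": "ld.so.cache" in have,
    }


if __name__ == "__main__":
    # A youtube-dl.local that reuses the ffmpeg line, checked against
    # the youtube-dl line given in the reply above.
    for key, value in compare(FFMPEG_LINE, YOUTUBE_DL_LINE).items():
        print(f"{key}: {value}")
```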

@rusty-snake
Collaborator

Duplicate of #3147

@rusty-snake rusty-snake marked this as a duplicate of #3147 Jan 17, 2020