I'm using transmission-remote-gtk 1.4.1
```
transmission-remote-gtk [08/04 04:54 PM]
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Gtk-Message: 21:54:55.506: Failed to load module "canberra-gtk-module"
(transmission-remote-gtk:285): Gtk-WARNING **: 21:54:55.506: cannot open display: :0
```
...it does start without using firejail.
Hi @ilikenwf
What version of firejail and linux distro are you using?
Can you open the file /etc/firejail/transmission-remote.profile and comment out the line memory-deny-write-execute (put a # at the beginning of the line). Then save it and try to run transmission-remote-gtk with firejail again.
Cheers!
Fred
> Gtk-Message: 21:54:55.506: Failed to load module "canberra-gtk-module"
@ilikenwf Depending on firejail version and OS used this part of the issue might be caused by using private-lib without any further specifications in the profile or by simply not having the mentioned GTK module installed on your system. On Arch it is part of the libcanberra package but you can check this with your OS's native package manager tools. I'm guessing this issue can be easily fixed as soon as we get more info from your side on what @Fred-Barclay asked above. Thanks for reporting this.
I'm using arch and have both canberra packages installed; I'm also using the git version of firejail.
Commenting out the private-lib and memory-deny-write-execute directives results in only this:
```
transmission-remote-gtk [08/04 07:26 PM]
Reading profile /etc/firejail/transmission-remote-gtk.profile
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
(transmission-remote-gtk:8): Gtk-WARNING **: 00:26:06.979: cannot open display: :0
```
@ilikenwf With private-lib still commented out, can you try adding unix to the protocol line?
E.g.
protocol unix,inet,inet6
EDIT: second inet is inet6
Also (with protocol unix,inet,inet6) can you try out the following private-lib?
private-lib libjson-glib*,libcurl.so*,libgtk-3.so*,libGeoIP.so*,libnotify.so*
Adding unix to the protocol line helped in that the application now runs, however it seems to be
unable to read its profile in .config or wherever transmission-remote stores settings.
The private-lib settings cause it to break again...
Those settings appear to be in ~/.config/transmission-remote-gtk
Beyond that it is reading settings with the mkdir and whitelist in place, however it can't resolve my transmission host's domain now.
@ilikenwf so the following transmission-remote-gtk.profile works?
not sure about ignore mdwe and ${HOME}/.config/transmission
```
# Firejail profile for transmission-remote-gtk
# Description: A remote control utility for transmission-daemon (GTK GUI)
# This file is overwritten after every install/update
# Persistent local customizations
include transmission-remote-gtk.local
# Persistent global definitions
# added by included profile
#include globals.local
ignore private-lib
ignore memory-deny-write-execute
mkdir ${HOME}/.cache/transmission
mkdir ${HOME}/.config/transmission
mkdir ${HOME}/.config/transmission-remote-gtk
whitelist ${HOME}/.cache/transmission
whitelist ${HOME}/.config/transmission
whitelist ${HOME}/.config/transmission-remote-gtk
include whitelist-common.inc
include whitelist-var-common.inc
protocol unix
private-etc fonts
# Redirect
include transmission-remote.profile
```
> however it can't resolve my transmission host's domain now.

Try --ignore=private-etc; if that fixes it, try --private-etc=resolv.conf.
IMHO we should redo the profile and redirect to transmission-gtk.profile instead. That should solve all encountered issues by @ilikenwf in a more elegant and maintainable way. Just my two cents.
Or turn the redirect
=> transmission-remote.profile include transmission-remote-gtk.profile and add some restrictions.
The modifications I mentioned to transmission-remote.profile and the above do work to run the application, however it is not able to access the network for some reason.
> however it is not able to access the network
internet or your LAN?
I assume that firejail --noprofile transmission-remote-gtk works.
Can you try firejail --ignore=eth --ignore=netfilter --ignore=protocol --ignore=net --ignore="net none" --ignore=private-etc --ignore=nodbus transmission-remote-gtk. And if it works, try to find out which ignore is needed.
firejail --noprofile transmission-remote-gtk does indeed work as expected.
Ok, so it seems these are the ones breaking it, as it runs fine this way:
firejail --ignore=protocol --ignore=private-lib --ignore=private-etc transmission-remote-gtk
Along with these profiles:
https://gist.github.com/ilikenwf/f265644a87788d0a698c9a5e8cbc1e2a
@ilikenwf transmission has a very restrictive private-etc, can you try with:
--private-etc=ca-certificates,ssl,pki,crypto-policies,nsswitch.conf,resolv.conf,hosts,host.conf,hostname,protocols,services,rpc
And maybe also:
--private-etc=alternatives,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,xdg,dconf,gconf,gtk-2.0,gtk-3.0
After playing with those private-etc settings, I find this is the minimum required to work with the aforementioned/gisted profiles:
firejail --ignore=protocol --private-etc=resolv.conf,hosts,hostname transmission-remote-gtk
Ok, so after all that is rolled into the profiles I end up with this so far:
```
# Firejail profile for transmission-remote-gtk
# Description: A remote control utility for transmission-daemon (GTK GUI)
# This file is overwritten after every install/update
# Persistent local customizations
include transmission-remote-gtk.local
# Persistent global definitions
# added by included profile
#include globals.local
ignore private-lib
mkdir ${HOME}/.cache/transmission
mkdir ${HOME}/.config/transmission
mkdir ${HOME}/.config/transmission-remote-gtk
whitelist ${HOME}/.cache/transmission
whitelist ${HOME}/.config/transmission
whitelist ${HOME}/.config/transmission-remote-gtk
include whitelist-common.inc
include whitelist-var-common.inc
protocol inet,inet6,unix
private-bin transmission-remote-gtk
private-etc fonts,resolv.conf,hosts,hostname
# Redirect
include transmission-remote.profile
```

```
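# Firejail profile for transmission-remote
# Description: A remote control utility for transmission-daemon (CLI)
# This file is overwritten after every install/update
quiet
# Persistent local customizations
include transmission-remote.local
# Persistent global definitions
include globals.local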
noblacklist ${HOME}/.cache/transmission
noblacklist ${HOME}/.config/transmission
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
apparmor
caps.drop all
machine-id
netfilter
nodbus
nodvd
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol inet,inet6,unix
seccomp
shell none
tracelog
private-bin transmission-remote
private-dev
private-etc alternatives,hosts,nsswitch.conf
private-lib
private-tmp
memory-deny-write-execute
```
So we're really just down to the private lib ignore line being the only ignore rule now...
I've gone ahead and pushed refactored transmission profiles. Re-opening this to get input from the OP, @ilikenwf.
@ilikenwf I'm closing this as it should be fixed now. Feel free to reopen when needed.
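The two symptoms chased in this thread (no display until `unix` was on the `protocol` line, no name resolution until `resolv.conf` was in `private-etc`) can be checked statically before launching the sandbox. The following is an added example, not part of the thread or of firejail itself: it lints one flattened profile, does not follow `include` lines, and assumes that entries from repeated lines of the same directive are combined; the sample profiles are constructed from the directives quoted above.

```python
# Added example (not firejail code): flag protocol/private-etc settings that
# caused the failures seen in this thread. Includes are NOT followed.
REQUIRED = {
    "protocol": {
        "unix": "GUI cannot reach the X11 socket (cannot open display)",
        "inet": "IPv4 sockets are filtered, so the daemon is unreachable",
    },
    "private-etc": {
        "resolv.conf": "hostnames cannot be resolved inside the sandbox",
    },
}

def effective_directives(profile_text, cli_ignores=()):
    """Return {directive: set(entries)} for the checked directives after `ignore`."""
    ignores = list(cli_ignores)          # models --ignore=... on the command line
    result = {}
    for raw in profile_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("ignore "):
            ignores.append(line[len("ignore "):].strip())
            continue
        # An ignore entry suppresses later lines that begin with it as a whole word.
        if any(line == ig or line.startswith(ig + " ") for ig in ignores):
            continue
        name, _, args = line.partition(" ")
        if name in REQUIRED:
            # Assumption: repeated lines of one directive are treated as a union.
            entries = {a.strip() for a in args.split(",") if a.strip()}
            result.setdefault(name, set()).update(entries)
    return result

def diagnose(profile_text, cli_ignores=()):
    """List the missing entries; an absent directive means no restriction."""
    findings = []
    for name, entries in effective_directives(profile_text, cli_ignores).items():
        for needed, symptom in REQUIRED[name].items():
            if needed not in entries:
                findings.append(f"{name} lacks {needed}: {symptom}")
    return sorted(findings)

# Constructed samples: a restrictive starting point and the final settings above.
BROKEN = "protocol inet,inet6\nprivate-etc alternatives,hosts,nsswitch.conf\nprivate-lib\n"
FIXED = ("ignore private-lib\nprotocol inet,inet6,unix\n"
         "private-etc fonts,resolv.conf,hosts,hostname\nprivate-lib\n")

if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, diagnose(text) or "no findings")
```

Passing `cli_ignores=("protocol", "private-etc")` models the `--ignore=` bisection used earlier in the thread: the findings disappear because the restricting lines are skipped, not because the lists were corrected.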