
Chrome applications (including electron) that use system tray sets empty tray icon when private-tmp is active #1137

Open
msva opened this issue Mar 9, 2017 · 18 comments
Labels
enhancement New feature request

Comments

@msva
Contributor

msva commented Mar 9, 2017

I've found that slack (which has private-tmp active in the default system-wide profile) started to render an empty icon in the tray.
Debugging showed that on every start it creates two directories under /tmp, named like .org.chromium.Chromium.[6 random alphanumeric]. One of them contains an icons/hicolor/24x24/apps path, and in the apps directory it places files (possibly more than one) named like: chrome_app_indicator2_[32 random hex digits].png.

I guess it tells the system tray to load the icon from that path, but since the path exists only in the private bin, the system tray fails to do that.

I'd try to work around it with whitelist /tmp/.org.chromium.Chromium.*, but... whitelist (and friends) does not support regex 😺

// Although, I'm anyway not sure whether whitelist works the reverse way and allows creating whitelisted files on the host system...

And it also happens when running chrome/chromium under firejail and using chrome apps, as it does with other electron-based apps.

@netblue30 netblue30 added the information_old (Deprecated; use "doc-todo" or "needinfo" instead) Information was/is required label Mar 9, 2017
@netblue30
Owner

I would try to comment out (add a #) private-tmp in /etc/firejail/slack.profile.

@msva
Contributor Author

msva commented Mar 9, 2017 via email

@netblue30
Owner

netblue30 commented Mar 10, 2017

For 2) it's easy, I'll remove it from the profile.

For 1), can you figure out which files or directories it uses in /tmp? We can whitelist /tmp. At minimum, we need just a "whitelist /tmp/.X11-unix" and the directories/files created by slack.

@msva
Contributor Author

msva commented Mar 10, 2017 via email

@netblue30
Owner

netblue30 commented Mar 10, 2017

OK, so I only need to add some basic globbing/regex support in whitelists, something like

--whitelist=.org.chromium.Chromium.*

@msva
Contributor Author

msva commented Apr 9, 2017

Hi there!

Is there any progress on this? 😎

@netblue30 netblue30 added enhancement New feature request and removed information_old (Deprecated; use "doc-todo" or "needinfo" instead) Information was/is required labels Apr 14, 2017
@msva
Contributor Author

msva commented Aug 1, 2017

I'm not sure if whitelist now supports wildcards (at least, it doesn't complain about *), but this is still an issue.
And I'm not sure if it will work as intended out of the box, since it creates those directories (containing the tray icon png file) at runtime (i.e. after start), and they have unique names every time.
So I'm not sure if it will be enough to just whitelist those directories (with a wildcard), or whether firejail will need to "proxy" those directories into the "outer" /tmp?..
What do you think, @netblue30?

@msva
Contributor Author

msva commented Aug 1, 2017

By the way, the same thing applies to chrome forks. For example, Yandex Browser just created the /tmp/.ru.yandex.desktop.browser.MJGCGo directory. I bet the new Opera does it in a similar way.
So we definitely need a way to somehow whitelist not-yet-created directories by mask (not just manually blacklisting files in /tmp to keep proprietary things from accessing them, but sandboxing them in their own /tmp while still having some directories they create appear in the outer /tmp).

Or, maybe, do an LD_PRELOAD hack to hijack the creation of/writes to those files and mirror them into an "external" copy in the "outer" /tmp.

@chiraag-nataraj
Collaborator

Hey all,

I'm actually currently using private-tmp with slack, and it's actually the only way it works (apparently Electron apps need /tmp to be executable, and my /tmp is mounted noexec). I've attached the profile I'm using currently; can someone else test it and report back whether it works for them?
slack.txt

@alien2003

alien2003 commented Mar 22, 2019

The same with wire-desktop and slack for me

(slack:18): Gtk-WARNING **: 11:39:28.818: Theme parsing error: gtk.css:1:107: Failed to import: Error opening file /home/alien/.local/share/gnome-shell/extensions/[email protected]/styles/buttons-right.css: No such file or directory

(slack:18): Gtk-WARNING **: 11:39:28.819: Theme parsing error: gtk.css:2:113: Failed to import: Error opening file /home/alien/.local/share/gnome-shell/extensions/[email protected]/styles/buttons-right-tiled.css: No such file or directory

@SkewedZeppelin
Collaborator

SkewedZeppelin commented Mar 22, 2019

@alien2003
try adding the following to ~/.config/firejail/[broken program].local or globals.local

noblacklist ${HOME}/.local/share/gnome-shell
whitelist ${HOME}/.local/share/gnome-shell
read-only ${HOME}/.local/share/gnome-shell

@alien2003

@SkewedZeppelin No errors in the terminal now, but the icon is still missing. I use Gnome 3.30.2 on Manjaro with this extension for tray icons: https://extensions.gnome.org/extension/615/appindicator-support/

@alien2003

Seems to be ok with this extension: https://extensions.gnome.org/extension/1503/tray-icons/

@intika
Contributor

intika commented May 19, 2019

Same issue with skype... as it's chromium based...

Awaiting wildcard support for whitelist, here are some possible solutions....

  1. (Edit: not good) run the application as another user dedicated to that application... (with dbus-launch)

  2. (Edit: not good) Ohhh I found a quick easy solution! Just prefix the binary with dbus-launch...
    firejail --profile=/etc/firejail/skypeforlinux.profile dbus-launch skypeforlinux
    dbus-launch will proxy the necessary stuff and keep the tmp jailed...

Note that with dbus-launch it's buggy and slow to use... so left with no solution... have to dig a little deeper... Wildcard whitelist is not implemented yet as of 05/2019

Edit:
I think I found the problem, and it's not related at all...
here is the solution: export TMPDIR=${HOME}/whatever

After some debugging... here is my little report

First of all, the problem seems to be caused by an empty $TMPDIR environment variable when --private-tmp is used (firejail bug?)

So basically the solution is to create a directory accessible by the user, let's say /tmpjail, then set $TMPDIR to that directory in the profile file like so:
env TMPDIR=/tmpjail

@netblue30 for firejail a reliable solution could be a new feature (let's say --accessible-tmp) that would mount a tmpfs in the main namespace under /tmp/tmpjail (and whitelist it), then set $TMPDIR and $TMP to /tmp/tmpjail (this solution would solve the problem and keep /tmp jailed)
A quick easy solution would be editing the problematic profiles like skype: use "mkdir" to create /tmp/tmpjail, whitelist it, then set the tmp variable to that directory...

@smitsohu
Collaborator

Whitelist globbing was added recently by @netblue30, so whitelist /tmp/.org.chromium.Chromium.* should work now in Firejail master.
Could someone confirm?

@rusty-snake
Collaborator

@smitsohu if I got this right, /tmp/foobar.XXXX is created by foobar. This still did not help.

@smitsohu
Collaborator

@rusty-snake I see. Then the only solutions are indeed

  • ignore private-tmp
  • @intika 's proposal

@rusty-snake
Collaborator

rusty-snake commented Aug 5, 2020

result from #3540:

ignore private-tmp

mkdir /tmp/FOO-tmp
whitelist /tmp/FOO-tmp
env TMPDIR=/tmp/FOO-tmp
env TMP=/tmp/FOO-tmp

# IF dbus-user filter
dbus-user.talk org.kde.StatusNotifierWatcher
# ELIF dbus-user none
ignore dbus-user none
dbus-user filter
dbus-user.talk org.kde.StatusNotifierWatcher
# FI

edit: removed useless dbus-user.talk org.freedesktop.StatusNotifierItem lines, see #3774.


Would it make sense to add a private-tmp-exposed which does the /tmp/FOO-tmp stuff?
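The following script is an added example, not code from this issue's participants or from the firejail project. It ties together two things discussed above: the per-run /tmp/.org.chromium.Chromium.* directories with the hicolor 24x24 app-indicator icon that msva found, and the "ignore private-tmp + fixed exposed tmp dir + StatusNotifierWatcher talk rule" recipe rusty-snake posted from #3540. The first function scans a tmp root for directories carrying such an icon (useful to confirm the diagnosis on a host before touching profiles); the second writes a ~/.config/firejail/<app>.local fragment implementing the recipe. The directory names, icon file name, app names and the /tmp/<app>-tmp path are constructed for the demo; the profile keywords (ignore, mkdir, whitelist, env, dbus-user, dbus-user.talk) are the ones that appear in the thread. It does not run firejail itself.

```shell
#!/bin/sh
# Added example (not from the firejail project or this issue's authors).
set -eu

# list_chromium_icon_dirs TMPROOT
# Print each .org.chromium.Chromium.* directory under TMPROOT that contains a
# hicolor/24x24/apps/chrome_app_indicator*.png file, i.e. the layout msva
# reported. Run against the real /tmp while the app is up (outside the jail)
# to see whether the icon the app points the tray at is visible on the host.
list_chromium_icon_dirs() {
    tmproot=$1
    for d in "$tmproot"/.org.chromium.Chromium.*; do
        [ -d "$d" ] || continue
        # the glob is expanded by the shell; ls fails if nothing matched
        if ls "$d"/icons/hicolor/24x24/apps/chrome_app_indicator*.png >/dev/null 2>&1; then
            printf '%s\n' "$d"
        fi
    done
}

# write_exposed_tmp_local APP EXPOSED_TMP OUTFILE [DBUS_MODE]
# Write an APP.local fragment following rusty-snake's recipe: drop private-tmp,
# create and whitelist one fixed directory, point TMPDIR/TMP at it so the app
# writes its per-run icon dirs there (visible to the host tray), and allow the
# app to talk to org.kde.StatusNotifierWatcher on the session bus.
# DBUS_MODE is what the base profile already has: "filter" (default) or "none".
write_exposed_tmp_local() {
    app=$1; exposed=$2; out=$3; dbus_mode=${4:-filter}
    {
        printf '# %s.local: expose a fixed tmp dir instead of a fully private /tmp\n' "$app"
        printf 'ignore private-tmp\n\n'
        printf 'mkdir %s\n' "$exposed"
        printf 'whitelist %s\n' "$exposed"
        printf 'env TMPDIR=%s\n' "$exposed"
        printf 'env TMP=%s\n\n' "$exposed"
        if [ "$dbus_mode" = none ]; then
            # base profile says "dbus-user none": switch it to filter first
            printf 'ignore dbus-user none\n'
            printf 'dbus-user filter\n'
        fi
        printf 'dbus-user.talk org.kde.StatusNotifierWatcher\n'
    } > "$out"
}

# count_matching FILE PATTERN: number of lines in FILE matching PATTERN (grep -c)
count_matching() {
    grep -c -- "$2" "$1"
}

# --- demo on a constructed scratch tree (no real /tmp or firejail involved) ---
SCRATCH=$(mktemp -d)
trap 'rm -rf "$SCRATCH"' EXIT

# Two per-run dirs as in the report: only one carries the indicator icon.
mkdir -p "$SCRATCH/tmp/.org.chromium.Chromium.AbC123/icons/hicolor/24x24/apps"
: > "$SCRATCH/tmp/.org.chromium.Chromium.AbC123/icons/hicolor/24x24/apps/chrome_app_indicator2_0123456789abcdef0123456789abcdef.png"
mkdir -p "$SCRATCH/tmp/.org.chromium.Chromium.XyZ789"

echo "icon-carrying dirs:"
list_chromium_icon_dirs "$SCRATCH/tmp"

echo "generated slack.local:"
write_exposed_tmp_local slack /tmp/slack-tmp "$SCRATCH/slack.local" none
cat "$SCRATCH/slack.local"
```

The exposed directory is a deliberate hole in the /tmp isolation: anything the app drops there is readable by other processes of the same user on the host, which is the trade-off rusty-snake's recipe (and intika's --accessible-tmp idea) accepts in exchange for a working tray icon. Keep it to a fixed, app-specific path rather than re-exposing all of /tmp.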
