Chrome applications (including electron) that use system tray set an empty tray icon when private-tmp is active #1137
I would try to comment out (add a #) private-tmp in /etc/firejail/slack.profile.

> I would try to comment out (add a #) private-tmp in /etc/firejail/slack.profile.
Yes, it helps (that is how I debugged that it is private-tmp's fault).
But it has side effects:
1) it will (obviously) expose the entire /tmp to slack
2) that change will be rewritten after the next firejail upgrade.
For 2) it's easy, I'll remove it from the profile. For 1), can you figure out what files or directories it uses in /tmp? We can whitelist /tmp. At minimum, we need just a "whitelist /tmp/.X11-unix" and the directories/files created by slack.
As far as I looked in the private /tmp inside the jail, it only creates the directory "Slack Crashes" and the two directories I described above (".org.chromium.Chromium.[a-zA-Z0-9]{6}"), and uses nothing from the system's /tmp.
OK, so I only need to add some basic globbing/regex support in whitelists, something like
Hi there! Is there any progress on this? 😎
I'm not sure if whitelist now supports wildcards (at least, it doesn't complain on
By the way, the same thing applies to chrome forks. For example, Yandex Browser just created

Or, maybe, do an LD_PRELOAD hack to hijack the creation of those files and the writes to them, and do the same in an "external" copy in the "outer" /tmp.
Hey all, I'm actually currently using
The same with wire-desktop and slack for me
@alien2003
@SkewedZeppelin No errors in the terminal now, but the icon is still missing. I use Gnome 3.30.2 on Manjaro with this extension for tray icons: https://extensions.gnome.org/extension/615/appindicator-support/
Seems to be ok with this extension: https://extensions.gnome.org/extension/1503/tray-icons/
Same issue with skype... as it's chromium based... Awaiting wildcard support for whitelist, here are some possible solutions....

Note that with dbus-launcher it's buggy and slow to use it with... so left with no solution... have to dig a little deeper... Wildcard whitelist is not implemented yet as of 05/2019

Edit: After some debugging... here is my little report. First of all, the problem seems to be caused by an empty $TMPDIR environment variable when --private-tmp is used (firejail bug?). So basically the solution is to create a directory accessible by the user, let's say /tmpjail, then set $TMPDIR to that directory under the profile file like so:

@netblue30 for firejail a reliable solution could be a new feature (let's say --accessible-tmp) that would mount a tmpfs to the main namespace under /tmp/tmpjail (and whitelist it), then set $TMPDIR and $TMP to /tmp/tmpjail (this solution would solve the problem and keep the /tmp jailed).
Whitelist globbing was added recently by @netblue30, so
@smitsohu if I got this right,
@rusty-snake I see. Then the only solutions are indeed
result from #3540:

edit: removed useless

Would it make sense to add a
I've found that `slack` (which has `private-tmp` active in the default system-wide profile) started to render an empty icon in the tray.

Debugging showed that on every start it creates two directories under `/tmp`, named like `.org.chromium.Chromium.[6 random alphanumeric]`. One of them contains the `icons/hicolor/24x24/apps` path, and in the `apps` directory it places a file (may be more than one) named like `chrome_app_indicator2_[32 random hex digits].png`.

I guess it tells the system tray to load the icon from that path, but since the path exists only in the private bin, the system tray fails to do that.

I'd try to work around it with `whitelist /tmp/.org.chromium.Chromium.*`, but... `whitelist` (and friends) does not support regex 😺 // Although, I'm anyway not sure if `whitelist` works the reverse way and allows creating whitelisted files on the host system...

And it also happens when running `chrome`/`chromium` under firejail and using chrome apps, as it also happens with other electron-based apps.
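The directory-based workaround proposed in the thread (keep /tmp private, whitelist only /tmp/.X11-unix plus one user-owned directory, and point TMPDIR at it), as an added wrapper script that is not part of firejail or of this issue. It assumes firejail's --ignore, --whitelist and --env command-line options, GNU stat, and the fixed name /tmp/tmpjail from the thread, and it refuses that name if another local user has already created it there.

```sh
#!/bin/sh
# Hypothetical wrapper script (not from firejail or this issue) for the
# workaround discussed above: keep /tmp private in the sandbox, but hand the
# Chromium-based app one user-owned directory as $TMPDIR so the host tray can
# read the icon files it drops there. Needs GNU stat (Linux only).
set -u

# prepare_shared_tmp DIR: make DIR exist for the current user with mode 0700.
# Refuses a symlink or a directory owned by someone else: a fixed name under
# world-writable /tmp could otherwise be pre-created by another local user.
prepare_shared_tmp() {
    dir=$1
    if [ -L "$dir" ]; then
        echo "refusing symlink at $dir" >&2
        return 1
    fi
    if [ ! -e "$dir" ]; then
        mkdir -m 0700 "$dir" || return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "$dir exists but is not a directory" >&2
        return 1
    fi
    owner=$(stat -c %u "$dir") || return 1
    if [ "$owner" != "$(id -u)" ]; then
        echo "$dir is owned by uid $owner, not by uid $(id -u)" >&2
        return 1
    fi
    chmod 0700 "$dir"
}

# launch_jailed_app APP [DIR]: prepare DIR (default /tmp/tmpjail), then run
# APP under firejail with private-tmp dropped from its profile, only the X11
# socket directory and DIR whitelisted in /tmp, and TMPDIR/TMP pointing at DIR.
launch_jailed_app() {
    app=$1
    dir=${2:-/tmp/tmpjail}
    prepare_shared_tmp "$dir" || return 1
    exec firejail --ignore=private-tmp --whitelist=/tmp/.X11-unix \
        --whitelist="$dir" --env="TMPDIR=$dir" --env="TMP=$dir" "$app"
}

# Only launch when invoked as: sh tray-tmp-wrapper.sh launch slack [DIR]
case "${1:-}" in
    launch) launch_jailed_app "${2:-slack}" "${3:-}" ;;
esac
```

Files the app writes below the whitelisted directory are real host files, so the tray on the host can open the icon path while the rest of /tmp stays hidden from the sandbox.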