github-starred/firejail

Fork 0

mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00

[GH-ISSUE #1654] zathura fails to start with default zathura.profile #1115

New issue

Closed

opened 2026-05-05 07:29:00 -06:00 by gitea-mirror · 6 comments

gitea-mirror commented

2026-05-05 07:29:00 -06:00

Owner

Originally created by @Artefact2 on GitHub (Nov 20, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1654

When using the default zathura.profile, zathura complains about D-Bus and only displays a black window, failing to load the document.

firejail zathura foo.pdf

Reading profile /etc/firejail/zathura.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Warning: noroot option is not available
Parent pid 26574, child pid 26575
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Child process initialized in 72.05 ms

** (zathura:6): WARNING **: Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-lJWdxrYETl: Connection refused

I am using firejail 0.9.50. Any ways to solve or work around this?

Originally created by @Artefact2 on GitHub (Nov 20, 2017). Original GitHub issue: https://github.com/netblue30/firejail/issues/1654 When using the default zathura.profile, zathura complains about D-Bus and only displays a black window, failing to load the document. ~~~ firejail zathura foo.pdf Reading profile /etc/firejail/zathura.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-passwdmgr.inc Reading profile /etc/firejail/disable-programs.inc Warning: noroot option is not available Parent pid 26574, child pid 26575 Warning: /sbin directory link was not blacklisted Warning: /usr/sbin directory link was not blacklisted Child process initialized in 72.05 ms ** (zathura:6): WARNING **: Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-lJWdxrYETl: Connection refused ~~~ I am using firejail 0.9.50. Any ways to solve or work around this?

gitea-mirror

2026-05-05 07:29:00 -06:00

closed this issue
added the
bug
label

gitea-mirror commented

2026-05-05 07:29:04 -06:00

Author

Owner

@smitsohu commented on GitHub (Nov 20, 2017):

Hi @Artefact2, could you try firejail --ignore=net --noblacklist=/run/user/*/bus zathura foo.pdf?

@smitsohu commented on GitHub (Nov 20, 2017): Hi @Artefact2, could you try `firejail --ignore=net --noblacklist=/run/user/*/bus zathura foo.pdf`?

gitea-mirror commented

2026-05-05 07:29:05 -06:00

Author

Owner

@Artefact2 commented on GitHub (Nov 20, 2017):

Hi @smitsohu, it does work. But I assume, with those flags, it is no longer prevented from accessing the network?

@Artefact2 commented on GitHub (Nov 20, 2017): Hi @smitsohu, it does work. But I assume, with those flags, it is no longer prevented from accessing the network?

gitea-mirror commented

2026-05-05 07:29:07 -06:00

Author

Owner

@Artefact2 commented on GitHub (Nov 20, 2017):

firejail --noblacklist='/run/user/*/bus' zathura foo.pdf is interesting. The program still complains about a refused connection, but renders the document correctly.

@Artefact2 commented on GitHub (Nov 20, 2017): `firejail --noblacklist='/run/user/*/bus' zathura foo.pdf` is interesting. The program still complains about a refused connection, but renders the document correctly.

gitea-mirror commented

2026-05-05 07:29:09 -06:00

Author

Owner

@smitsohu commented on GitHub (Nov 20, 2017):

It's a bug, thanks!

The sandbox is still isolated pretty much from networks owing to protocol unix.

@smitsohu commented on GitHub (Nov 20, 2017): It's a bug, thanks! The sandbox is still isolated pretty much from networks owing to `protocol unix`.

gitea-mirror commented

2026-05-05 07:29:12 -06:00

Author

Owner

@smitsohu commented on GitHub (Nov 20, 2017):

firejail --noblacklist='/run/user/*/bus' zathura foo.pdf is interesting. The program still complains about a refused connection, but renders the document correctly.

It probably means that you have two dbus-daemon processes running on your system, one using the /run/user/$UID/bus socket and the other creating an abstract socket. You can run netstat -p | grep dbus-daemon to get an idea, abstract sockets are prepended there with an @.
With blacklist=/run/user/*/bus you shut down connection to one daemon, with net none you shut down connection to the other.

The error message in your first post points to an a11y bus, with probably a socket in the abstract namespace. It seems that zathura tries first to connect to the a11y bus and afterwards to the session bus under /run/user/$UID/bus. An absent a11y bus is still tolerated, but an absent session bus is not.

@smitsohu commented on GitHub (Nov 20, 2017): > firejail --noblacklist='/run/user/*/bus' zathura foo.pdf is interesting. The program still complains about a refused connection, but renders the document correctly. It probably means that you have two dbus-daemon processes running on your system, one using the /run/user/$UID/bus socket and the other creating an abstract socket. You can run `netstat -p | grep dbus-daemon` to get an idea, abstract sockets are prepended there with an @. With `blacklist=/run/user/*/bus` you shut down connection to one daemon, with `net none` you shut down connection to the other. The error message in your first post points to an [a11y](https://en.wikipedia.org/wiki/Assistive_Technology_Service_Provider_Interface) bus, with probably a socket in the abstract namespace. It seems that zathura tries first to connect to the a11y bus and afterwards to the session bus under /run/user/$UID/bus. An absent a11y bus is still tolerated, but an absent session bus is not.

gitea-mirror commented

2026-05-05 07:29:13 -06:00

Author

Owner

@smitsohu commented on GitHub (Nov 20, 2017):

Anyways, we will probably need to comment both blacklist=/run/user/*/bus and net none in the default profile, because for part of our userbase all D-Bus sockets are abstract. This means that while net none works fine for you, it will likely break zathura for them.

Creating a file /etc/firejail/zathura.local with

net none
noblacklist /run/user/*/bus

should solve this issue for you.

@smitsohu commented on GitHub (Nov 20, 2017): Anyways, we will probably need to comment both `blacklist=/run/user/*/bus` and `net none` in the default profile, because for part of our userbase all D-Bus sockets are abstract. This means that while `net none` works fine for you, it will likely break zathura for them. Creating a file /etc/firejail/zathura.local with ``` net none noblacklist /run/user/*/bus ``` should solve this issue for you.

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#1115

No description provided.

Rows
Columns