[GH-ISSUE #1866] conky issues #1260

Closed
opened 2026-05-05 07:44:25 -06:00 by gitea-mirror · 5 comments

Originally created by @mjsurette on GitHub (Apr 6, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1866

I have installed Parrot Studio 3.11 on my computer. It uses firejail version 0.9.52.

I have some problems with my conky script and firejail.

Here is my .config/firejail/conky.profile:

```
include /etc/firejail/conky.local

include /etc/firejail/globals.local

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc

caps.drop all
ipc-namespace
netfilter
no3d
nodvd
nogroups
nonewprivs
noroot
nosound
notv
novideo
protocol unix,inet,inet6,netlink
seccomp
shell none

disable-mnt
private-bin conky,sensors,sed,awk,ip,grep,sh,wget,who,top
private-dev
private-tmp

memory-deny-write-execute
noexec ${HOME}
noexec /tmp
```

My conky.conf works as expected under openSUSE Tumbleweed on the same machine.
Running it under Parrot with `firejail --noprofile conky` gives:

```
Parent pid 20870, child pid 20871
Child process initialized in 21.18 ms
Warning: an existing sandbox was detected. /usr/bin/conky will run without any additional sandboxing features
conky: desktop window (1000006) is subwindow of root window (119)
conky: window type - normal
conky: drawing to created window (0x2000002)
conky: drawing to double buffer
conky: forked to background, pid is 3

Warning: an existing sandbox was detected. /usr/bin/wget will run without any additional sandboxing features
```

The private-bin allows the scripts inside my conky.conf to run, however there must be some other limitations. Here are the issues I'm having:

`who |awk '{print $1}'` will print my username in a terminal but prints nothing in my conky.conf.

`who -b |awk '{print $3 " " $4}'` works in both contexts.

Other issues I'm having problems with are some of the conky built-in variables.

top and top_mem in particular only report the processes related to conky. I would like to expand this to all of the current user's processes.

fs_used and fs_free work properly for '/' but report the numbers di gives for '/sys/fs/cgroup' when asked for '/home'

Any guidance on how to remove these restrictions would be very much appreciated.

Mike


@Fred-Barclay commented on GitHub (Apr 6, 2018):

I think Parrot OS automatically starts many programs inside firejail - i.e. running `conky` in Parrot OS is equivalent to running `firejail conky` on OpenSUSE.
So, when you run `firejail conky` on Parrot OS, you're really running `firejail firejail conky`, thus firejail tries to sandbox another firejail instance, causing the error message about the existing sandbox.

You can check by starting `conky` and then calling `firejail --list`. If you see conky as one of the listed programs, then it's being sandboxed automatically. 😄


@mjsurette commented on GitHub (Apr 7, 2018):

Yes, Parrot OS does sandbox everything. I haven't been able to start conky without one. I like the idea of having everything sandboxed, but not losing functionality.
My concern is about restoring this functionality. I really can't see how to run conky without sandboxing it.

Mike


@mjsurette commented on GitHub (Apr 8, 2018):

I followed the procedure outlined at https://l3net.wordpress.com/2015/04/13/firejail-seccomp-guide/

After adding 75 items to the seccomp.keep line, there were no more syslog entries. The behaviour was exactly the same as when I had the unadorned seccomp.

Does this mean that something other than firejail is blocking my desired functionality? Is there somewhere else that I can look?

Mike


@smitsohu commented on GitHub (Apr 9, 2018):

`who` and `top` providing only limited information inside the sandbox is by design and currently not configurable. EDIT: It is possible though to allow `who` to read /var/log/wtmp with the `--writable-var-log` option, if that's considered an acceptable alternative.

If you prefer to disable firejail just delete /usr/local/bin/conky, which is a symlink pointing to the firejail binary.

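The two comments above describe the same mechanism from both sides: Parrot puts a symlink named after the application in /usr/local/bin that points at the firejail binary, so a bare `conky` is already sandboxed and a second `firejail conky` only produces the "existing sandbox" warning, and deleting that symlink is the way out. The script below is an added example written for this page, not code from the issue or from the firejail project. It resolves how a command name would be launched along a PATH and reports whether it goes through such a wrapper, then rebuilds the Parrot layout in a throwaway directory (constructed data; nothing on the real system is touched) to show the before and after of removing the symlink. The function names `is_firejail_wrapper`, `launch_mode` and `demo` are my own; the only facts taken from the thread are the symlink location and its target.

```shell
#!/bin/sh
# Added example (not from the issue): detect whether a command is wrapped by a
# firejail symlink of the kind Parrot installs (/usr/local/bin/<app> -> firejail).

# is_firejail_wrapper PATH -> exit 0 if PATH ultimately resolves to a file named
# "firejail" (a real /usr/bin/conky resolves to itself and returns 1).
is_firejail_wrapper() {
    case "$(readlink -f "$1" 2>/dev/null)" in
        */firejail) return 0 ;;
        *)          return 1 ;;
    esac
}

# launch_mode NAME SEARCH_PATH -> prints "wrapped:<path>" or "direct:<path>" for
# the first executable NAME found along the colon-separated SEARCH_PATH, or
# "missing" (exit 1) when there is none. Walks PATH the way the shell would, so
# a wrapper earlier in PATH shadows the real binary later in it.
launch_mode() {
    lm_name=$1
    lm_dirs=$2
    lm_old_ifs=$IFS
    IFS=:
    for lm_dir in $lm_dirs; do
        if [ -x "$lm_dir/$lm_name" ]; then
            IFS=$lm_old_ifs
            if is_firejail_wrapper "$lm_dir/$lm_name"; then
                printf 'wrapped:%s\n' "$lm_dir/$lm_name"
            else
                printf 'direct:%s\n' "$lm_dir/$lm_name"
            fi
            return 0
        fi
    done
    IFS=$lm_old_ifs
    printf 'missing\n'
    return 1
}

# demo: constructed PATH layout mimicking the Parrot setup from the thread,
# built under a temporary root so the real system is untouched. Prints the
# launch mode before and after deleting the wrapper symlink.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/local/bin" "$root/usr/bin"
    printf '#!/bin/sh\n' > "$root/usr/bin/firejail"; chmod +x "$root/usr/bin/firejail"
    printf '#!/bin/sh\n' > "$root/usr/bin/conky";    chmod +x "$root/usr/bin/conky"
    # What the distribution installs: the app name resolves to the sandbox binary.
    ln -s "$root/usr/bin/firejail" "$root/usr/local/bin/conky"
    launch_mode conky "$root/usr/local/bin:$root/usr/bin"
    # The fix from the thread: remove the symlink, PATH now finds the real binary.
    rm "$root/usr/local/bin/conky"
    launch_mode conky "$root/usr/local/bin:$root/usr/bin"
    rm -rf "$root"
}

demo
```

On a live Parrot box the thread's own check is simpler: start `conky`, then run `firejail --list` and look for it. The script is for the case where you want to know before launching anything, or want to audit every name in /usr/local/bin rather than one; `launch_mode "$app" "$PATH"` answers that per application without starting it. Deleting the symlink removes the sandbox entirely; keeping it and adding `--writable-var-log` is the narrower option the comment offers for `who`, and it only touches that one restriction.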

@mjsurette commented on GitHub (Apr 15, 2018):

Yes, that does the trick. I would prefer to have it jailed, but life is full of compromises.

Thank you for the help.

Mike

Reference: github-starred/firejail#1260