github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #2550] Pidgin lags in firejail #1642

New issue
Closed
opened 2026-05-05 08:17:39 -06:00 by gitea-mirror · 7 comments
gitea-mirror commented 2026-05-05 08:17:39 -06:00
Owner
Copy link

Originally created by @7twin on GitHub (Mar 9, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2550

4.20.13-arch1-1-ARCH with KDE.

Running pidgin in firejail makes the interface stutter a lot and then freeze entirely for ~5-10 seconds most of the time.

Possibly related to #2395 - it mentions as a workaround ignoring "nosound", but running firejail --ignore=nosound pidgin does not fix the issue.

Reading profile /etc/firejail/pidgin.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Parent pid 27285, child pid 27286
1 program installed in 4.28 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Blacklist violations are logged to syslog
Child process initialized in 62.67 ms

(Pidgin:4): Gtk-WARNING **: 11:38:46.084: Unable to locate theme engine in module_path: "adwaita",

(Pidgin:4): Gtk-WARNING **: 11:38:46.091: Unable to locate theme engine in module_path: "adwaita",

(gst-plugin-scanner:5): GStreamer-WARNING **: 11:38:46.337: Failed to load plugin '/usr/lib/gstreamer-1.0/libgstzbar.so': libzbar.so.0: cannot open shared object file: No such file or directory

(gst-plugin-scanner:5): GStreamer-WARNING **: 11:38:46.398: Failed to load plugin '/usr/lib/gstreamer-1.0/libgstkate.so': libkate.so.1: cannot open shared object file: No such file or directory

(gst-plugin-scanner:5): GStreamer-WARNING **: 11:38:46.430: Failed to load plugin '/usr/lib/gstreamer-1.0/libgstlv2.so': liblilv-0.so.0: cannot open shared object file: No such file or directory

(gst-plugin-scanner:5): GStreamer-WARNING **: 11:38:46.447: Failed to load plugin '/usr/lib/gstreamer-1.0/libgstfluidsynthmidi.so': libfluidsynth.so.2: cannot open shared object file: No such file or directory

(Pidgin:4): Json-CRITICAL **: 11:38:55.854: json_object_get_string_member: assertion 'node != NULL' failed

(Pidgin:4): Json-CRITICAL **: 11:38:55.860: json_object_get_string_member: assertion 'node != NULL' failed

(Pidgin:4): Json-CRITICAL **: 11:38:55.866: json_object_get_string_member: assertion 'node != NULL' failed

(Pidgin:4): Json-CRITICAL **: 11:38:55.869: json_object_get_string_member: assertion 'node != NULL' failed

(Pidgin:4): Json-CRITICAL **: 11:38:55.881: json_object_get_string_member: assertion 'node != NULL' failed

(Pidgin:4): Json-CRITICAL **: 11:38:55.887: json_object_get_string_member: assertion 'node != NULL' failed

(Pidgin:4): Json-CRITICAL **: 11:38:55.891: json_object_get_string_member: assertion 'node != NULL' failed

(Pidgin:4): Json-CRITICAL **: 11:38:55.894: json_object_get_string_member: assertion 'node != NULL' failed

(Pidgin:4): Json-CRITICAL **: 11:38:55.903: json_object_get_string_member: assertion 'node != NULL' failed

(Pidgin:4): Json-CRITICAL **: 11:38:55.914: json_object_get_string_member: assertion 'node != NULL' failed

(Pidgin:4): Json-CRITICAL **: 11:38:55.927: json_object_get_string_member: assertion 'node != NULL' failed

(Pidgin:4): Json-CRITICAL **: 11:38:55.930: json_object_get_string_member: assertion 'node != NULL' failed

(Pidgin:4): Json-CRITICAL **: 11:38:55.937: json_object_get_string_member: assertion 'node != NULL' failed

(Pidgin:4): Json-CRITICAL **: 11:39:08.376: json_object_get_int_member: assertion 'node != NULL' failed

(Pidgin:4): Json-CRITICAL **: 11:39:31.588: json_object_get_int_member: assertion 'node != NULL' failed
Originally created by @7twin on GitHub (Mar 9, 2019). Original GitHub issue: https://github.com/netblue30/firejail/issues/2550 4.20.13-arch1-1-ARCH with KDE. Running pidgin in firejail makes the interface stutter a lot and then freeze entirely for ~5-10 seconds most of the time. Possibly related to #2395 - it mentions as a workaround ignoring "nosound", but running `firejail --ignore=nosound pidgin` does not fix the issue. ``` Reading profile /etc/firejail/pidgin.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-interpreters.inc Reading profile /etc/firejail/disable-passwdmgr.inc Reading profile /etc/firejail/disable-programs.inc Parent pid 27285, child pid 27286 1 program installed in 4.28 ms Warning: /sbin directory link was not blacklisted Warning: /usr/sbin directory link was not blacklisted Blacklist violations are logged to syslog Child process initialized in 62.67 ms (Pidgin:4): Gtk-WARNING **: 11:38:46.084: Unable to locate theme engine in module_path: "adwaita", (Pidgin:4): Gtk-WARNING **: 11:38:46.091: Unable to locate theme engine in module_path: "adwaita", (gst-plugin-scanner:5): GStreamer-WARNING **: 11:38:46.337: Failed to load plugin '/usr/lib/gstreamer-1.0/libgstzbar.so': libzbar.so.0: cannot open shared object file: No such file or directory (gst-plugin-scanner:5): GStreamer-WARNING **: 11:38:46.398: Failed to load plugin '/usr/lib/gstreamer-1.0/libgstkate.so': libkate.so.1: cannot open shared object file: No such file or directory (gst-plugin-scanner:5): GStreamer-WARNING **: 11:38:46.430: Failed to load plugin '/usr/lib/gstreamer-1.0/libgstlv2.so': liblilv-0.so.0: cannot open shared object file: No such file or directory (gst-plugin-scanner:5): GStreamer-WARNING **: 11:38:46.447: Failed to load plugin '/usr/lib/gstreamer-1.0/libgstfluidsynthmidi.so': libfluidsynth.so.2: cannot open shared object file: No such file or directory (Pidgin:4): Json-CRITICAL **: 11:38:55.854: json_object_get_string_member: assertion 'node != NULL' failed (Pidgin:4): Json-CRITICAL **: 11:38:55.860: json_object_get_string_member: assertion 'node != NULL' failed (Pidgin:4): Json-CRITICAL **: 11:38:55.866: json_object_get_string_member: assertion 'node != NULL' failed (Pidgin:4): Json-CRITICAL **: 11:38:55.869: json_object_get_string_member: assertion 'node != NULL' failed (Pidgin:4): Json-CRITICAL **: 11:38:55.881: json_object_get_string_member: assertion 'node != NULL' failed (Pidgin:4): Json-CRITICAL **: 11:38:55.887: json_object_get_string_member: assertion 'node != NULL' failed (Pidgin:4): Json-CRITICAL **: 11:38:55.891: json_object_get_string_member: assertion 'node != NULL' failed (Pidgin:4): Json-CRITICAL **: 11:38:55.894: json_object_get_string_member: assertion 'node != NULL' failed (Pidgin:4): Json-CRITICAL **: 11:38:55.903: json_object_get_string_member: assertion 'node != NULL' failed (Pidgin:4): Json-CRITICAL **: 11:38:55.914: json_object_get_string_member: assertion 'node != NULL' failed (Pidgin:4): Json-CRITICAL **: 11:38:55.927: json_object_get_string_member: assertion 'node != NULL' failed (Pidgin:4): Json-CRITICAL **: 11:38:55.930: json_object_get_string_member: assertion 'node != NULL' failed (Pidgin:4): Json-CRITICAL **: 11:38:55.937: json_object_get_string_member: assertion 'node != NULL' failed (Pidgin:4): Json-CRITICAL **: 11:39:08.376: json_object_get_int_member: assertion 'node != NULL' failed (Pidgin:4): Json-CRITICAL **: 11:39:31.588: json_object_get_int_member: assertion 'node != NULL' failed ```
gitea-mirror 2026-05-05 08:17:39 -06:00
gitea-mirror commented 2026-05-05 08:17:43 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Mar 17, 2019):

@7twin The gst-plugin-scanner GStreamer warnings usually mean you haven't installed the packages that provide those plugins. Quite harmless IMHO. As for the others and the perceived stutter, I'm looking into that more closely (although I'm not used to KDE) and have put together an alternative pidgin profile. If you download that and put it into ~/.config/firejail it should be ready for testing. I'd appreciate any feedback.

<!-- gh-comment-id:473641863 --> @ghost commented on GitHub (Mar 17, 2019): @7twin The gst-plugin-scanner GStreamer warnings usually mean you haven't installed the packages that provide those plugins. Quite harmless IMHO. As for the others and the perceived stutter, I'm looking into that more closely (although I'm not used to KDE) and have put together an [alternative pidgin profile](https://gist.github.com/glitsj16/215e8a0a363d387570cca7d29f108980). If you download that and put it into ~/.config/firejail it should be ready for testing. I'd appreciate any feedback.
gitea-mirror commented 2026-05-05 08:17:44 -06:00
Author
Owner
Copy link

@7twin commented on GitHub (Mar 18, 2019):

@glitsj16 I'm sort of afraid to test it currently as I rely heavily on pidgin working and post uninstall of firejail it continued to be wonky for some time until some hard reboots. (pidgin worked perfectly fine before firejail though, so it was definitely the issue)

Dropbox also started to re-sync all files for some reason, which I can't take right now. (slow internet and thousands of files are not the best combination) I'll be happy to try it once #2547 with betterdiscord has a way to get it working though, as by that time I should probably be able to experiment again.

A sort of related question too (especially with the above described dropbox issue) - is there a way to exclude processes from being firejailed locally, so even on updates it won't get back - as with deleting the .profile would do?

<!-- gh-comment-id:474088414 --> @7twin commented on GitHub (Mar 18, 2019): @glitsj16 I'm sort of afraid to test it currently as I rely heavily on pidgin working and post uninstall of firejail it continued to be wonky for some time until some hard reboots. (pidgin worked perfectly fine before firejail though, so it was definitely the issue) Dropbox also started to re-sync all files for some reason, which I can't take right now. (slow internet and thousands of files are not the best combination) I'll be happy to try it once #2547 with betterdiscord has a way to get it working though, as by that time I should probably be able to experiment again. A sort of related question too (especially with the above described dropbox issue) - is there a way to exclude processes from being firejailed locally, so even on updates it won't get back - as with deleting the .profile would do?
gitea-mirror commented 2026-05-05 08:17:45 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Mar 18, 2019):

@7twin No worries, I do understand your arguments. I might go ahead and merge my changes for the pidgin profile in a few days. It should improve functionality on KDE. Running some more extensive testing myself in the days ahead. Pidgin has a rather wide array of plugins and I'm looking for ways to make those work without loosening its sandbox.

As for your question on excluding applications from being firejailed, that's possible yes. Many ways to do that. You could go for a pacman post-install hook for firejail that removes the apps you want to exclude from /usr/lib/firejail/firecfg.conf (that is the file that controls firecfg functionality). If you only have a few applications to exclude that would be overkill and I'd suggest putting a simple wrapper script in your ${HOME}/bin. Ensure it has the exact same name, calling the exact same command with a full path and it will bypass firejail's wrappers in /usr/local/bin. At least it will if ${HOME}/bin has precendence in your $PATH env var (which it should). Here's an example script to always run your pidgin non-sandboxed. Saved as ${HOME}/bin/pidgin and made executable it will bypass firejail:

#!/bin/sh
# wrapper for pidgin :: non-sandboxed
/usr/bin/pidgin "$@"

Do note that .desktop files control whatever is launched via GUI, so make sure the relevant pidgin.desktop file in ~/.local/share/applications points to your ${HOME}/bin/pidgin script.

<!-- gh-comment-id:474106420 --> @ghost commented on GitHub (Mar 18, 2019): @7twin No worries, I do understand your arguments. I might go ahead and merge my changes for the pidgin profile in a few days. It should improve functionality on KDE. Running some more extensive testing myself in the days ahead. Pidgin has a rather wide array of plugins and I'm looking for ways to make those work without loosening its sandbox. As for your question on excluding applications from being firejailed, that's possible yes. Many ways to do that. You could go for a pacman post-install hook for firejail that removes the apps you want to exclude from /usr/lib/firejail/firecfg.conf (that is the file that controls firecfg functionality). If you only have a few applications to exclude that would be overkill and I'd suggest putting a simple wrapper script in your ${HOME}/bin. Ensure it has the exact same name, calling the exact same command with a full path and it will bypass firejail's wrappers in /usr/local/bin. At least it will if ${HOME}/bin has precendence in your $PATH env var (which it should). Here's an example script to always run your pidgin non-sandboxed. Saved as `${HOME}/bin/pidgin` and made executable it will bypass firejail: ``` #!/bin/sh # wrapper for pidgin :: non-sandboxed /usr/bin/pidgin "$@" ``` Do note that .desktop files control whatever is launched via GUI, so make sure the relevant pidgin.desktop file in ~/.local/share/applications points to your ${HOME}/bin/pidgin script.
gitea-mirror commented 2026-05-05 08:17:45 -06:00
Author
Owner
Copy link

@7twin commented on GitHub (Mar 18, 2019):

@glitsj16 Regarding the plugins, here's all plugins I use and the pidgin version, to possibly be able to re-create my setup easier:

  • extra/pidgin 2.13.0-5
  • aur/purple-skypeweb-git 1.5.r10.90007bf-1 (there's an update currently)
  • aur/pidgin-opensteamworks-git 1.6.1.r52.gbf7dd28-1 (also an update queued)
  • The rest is built-in (not plugins).

Thanks for the excluding explanation too! will definitely give it a shot for the dropbox issue once I reinstall. Though I wonder, wouldn't each update also force the .desktop files to be reset? maybe there should be a non-update overwritten file (in .config or ~?) where you can just exclude certain programs from all profiles or modifications.

<!-- gh-comment-id:474116860 --> @7twin commented on GitHub (Mar 18, 2019): @glitsj16 Regarding the plugins, here's all plugins I use and the pidgin version, to possibly be able to re-create my setup easier: - extra/pidgin 2.13.0-5 - aur/purple-skypeweb-git 1.5.r10.90007bf-1 (there's an update currently) - aur/pidgin-opensteamworks-git 1.6.1.r52.gbf7dd28-1 (also an update queued) - The rest is built-in (not plugins). Thanks for the excluding explanation too! will definitely give it a shot for the dropbox issue once I reinstall. Though I wonder, wouldn't each update also force the .desktop files to be reset? maybe there should be a non-update overwritten file (in .config or ~?) where you can just exclude certain programs from all profiles or modifications.
gitea-mirror commented 2026-05-05 08:17:46 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Mar 19, 2019):

@7twin Indeed, you would have to take extra steps to protect that .desktop file from being overwritten. Which is exactly what the chattr command can do, by setting the immutable bit on it, I forgot to mention that important part... See https://en.wikipedia.org/wiki/Chattr for more detailed info.

<!-- gh-comment-id:474557251 --> @ghost commented on GitHub (Mar 19, 2019): @7twin Indeed, you would have to take extra steps to protect that .desktop file from being overwritten. Which is exactly what the `chattr` command can do, by setting the `immutable bit` on it, I forgot to mention that important part... See https://en.wikipedia.org/wiki/Chattr for more detailed info.
gitea-mirror commented 2026-05-05 08:17:47 -06:00
Author
Owner
Copy link

@7twin commented on GitHub (Mar 19, 2019):

@glitsj16 Thanks will look into it, though the blacklist idea would be more universal too.

<!-- gh-comment-id:474629725 --> @7twin commented on GitHub (Mar 19, 2019): @glitsj16 Thanks will look into it, though the blacklist idea would be more universal too.
gitea-mirror commented 2026-05-05 08:17:47 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Mar 27, 2019):

@7twin Merged the new whitelist pidgin.profile in https://github.com/netblue30/firejail/pull/2620. Please feel free to reopen this if you still suffer stutter or anything else.

<!-- gh-comment-id:476950298 --> @ghost commented on GitHub (Mar 27, 2019): @7twin Merged the new whitelist pidgin.profile in https://github.com/netblue30/firejail/pull/2620. Please feel free to reopen this if you still suffer stutter or anything else.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#1642
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?