[GH-ISSUE #2591] Seahorse isn't firejailed, but still launches. #1649

Closed
opened 2026-05-05 08:17:56 -06:00 by gitea-mirror · 3 comments

Originally created by @ghost on GitHub (Mar 13, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2591

General information

firejail --version
firejail version 0.9.58.2

Compile time support:
- AppArmor support is enabled
- AppImage support is enabled
- chroot support is enabled
- file and directory whitelisting support is enabled
- file transfer support is enabled
- networking support is enabled
- overlayfs support is enabled
- private-home support is enabled
- seccomp-bpf support is enabled
- user namespace support is enabled
- X11 sandboxing support is enabled

lsb_release --all
No LSB modules are available.
Distributor ID: Parrot
Description: Parrot GNU/Linux 4.5
Release: 4.5
Codename: stretch

Steps to reproduce

  1. I tried to install a seahorse profile (https://github.com/netblue30/firejail/blob/master/etc/seahorse.profile), as it wasn't available by default.

     ```
     > ls /etc/firejail | grep seahorse
     > ls .config/firejail/
     disable-exec.inc  seahorse.profile
     >
     ```

  2. Then I ran `firecfg`; this was part of the output:

     ```
     Configuring symlinks in /usr/local/bin based on local firejail config directory
        seahorse created
     ```

  3. Then I tried running seahorse itself. AppArmor complained.

     ```
     > seahorse
     Reading profile /home/user/.config/firejail/seahorse.profile
     Reading profile /home/user/.config/firejail/disable-exec.inc
     Reading profile /etc/firejail/whitelist-var-common.inc
     Reading profile /etc/firejail/gpg.profile
     Reading profile /etc/firejail/disable-common.inc
     Reading profile /etc/firejail/disable-devel.inc
     Reading profile /etc/firejail/disable-interpreters.inc
     Reading profile /etc/firejail/disable-passwdmgr.inc
     Reading profile /etc/firejail/disable-programs.inc
     Parent pid 28531, child pid 28532
     Blacklist violations are logged to syslog
     Warning: Cannot confine the application using AppArmor.
     Maybe firejail-default AppArmor profile is not loaded into the kernel.
     As root, run "aa-enforce firejail-default" to load it.
     Child process initialized in 88.04 ms
     ```

  4. Did what the previous message suggested.

     ```
     > sudo aa-enforce firejail-default

     ERROR: Include file /etc/apparmor.d/local/firejail-local not found
     ```

  5. Created a blank firejail-local file, much like other files like it in the same folder.

     ```
     > cat /etc/apparmor.d/local/bin.ping
     > cat /etc/apparmor.d/local/nvidia_modprobe
     > cat /etc/apparmor.d/local/firejail-local
     >
     ```

  6. I ran `sudo aa-enforce firejail-default` again, this time without errors. The `seahorse` process then launches, but I get the following message:

     ```
     > seahorse
     Reading profile /home/user/.config/firejail/seahorse.profile
     Reading profile /home/user/.config/firejail/disable-exec.inc
     Reading profile /etc/firejail/whitelist-var-common.inc
     Reading profile /etc/firejail/gpg.profile
     Reading profile /etc/firejail/disable-common.inc
     Reading profile /etc/firejail/disable-devel.inc
     Reading profile /etc/firejail/disable-interpreters.inc
     Reading profile /etc/firejail/disable-passwdmgr.inc
     Reading profile /etc/firejail/disable-programs.inc
     Parent pid 4015, child pid 4016
     Blacklist violations are logged to syslog
     Child process initialized in 99.13 ms

     Parent is shutting down, bye...
     ```

  7. I see that seahorse is not listed under the output of `firejail --list`. This is the output from syslog after two attempts:

     ```
     > sudo tail /var/log/syslog
     Mar 13 18:56:40 parrot gnome-shell[1855]: Object St.Bin (0x5604b95e6f40), has been already deallocated - impossible to access it. This might be caused by the object having been destroyed from C code using something such as destroy(), dispose(), or remove() vfuncs
     Mar 13 18:56:40 parrot gnome-shell[1855]: clutter_actor_show: assertion 'CLUTTER_IS_ACTOR (self)' failed
     Mar 13 18:57:45 parrot kernel: [ 9138.270593] audit: type=1400 audit(1552514265.692:298): apparmor="DENIED" operation="ptrace" profile="torbrowser_firefox" pid=11191 comm=46532042726F6B657220353132 requested_mask="read" denied_mask="read" peer="torbrowser_plugin_container"
     Mar 13 18:57:45 parrot kernel: [ 9138.270596] audit: type=1400 audit(1552514265.692:299): apparmor="DENIED" operation="ptrace" profile="torbrowser_firefox" pid=11191 comm=46532042726F6B657220353132 requested_mask="read" denied_mask="read" peer="torbrowser_plugin_container"
     Mar 13 19:04:03 parrot seahorse[8321]: catalog.vala:183: couldn't add ui defintion for action group: KeyringBackend: "<ui>#012#011#011#011<popup name='SeahorseGkrBackend'>#012#011#011#011#011<menuitem action='keyring-new'/>#012#011#011#011</popup>#012#011#011</ui>
     Mar 13 19:04:03 parrot org.gnome.Shell.desktop[1855]: Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message with a timestamp of 0 for 0x5603ed5 (Passwords )
     Mar 13 19:05:01 parrot CRON[3923]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
     Mar 13 19:05:10 parrot wpa_supplicant[926]: wlan0: WPA: Group rekeying completed with 8c:10:d4:d6:7b:9e [GTK=CCMP]
     Mar 13 19:05:26 parrot seahorse[8321]: catalog.vala:183: couldn't add ui defintion for action group: KeyringBackend: "<ui>#012#011#011#011<popup name='SeahorseGkrBackend'>#012#011#011#011#011<menuitem action='keyring-new'/>#012#011#011#011</popup>#012#011#011</ui>
     Mar 13 19:05:26 parrot org.gnome.Shell.desktop[1855]: Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message with a timestamp of 0 for 0x5604020 (Passwords )
     ```

How do I proceed?


@SkewedZeppelin commented on GitHub (Mar 13, 2019):

~~You need to undo all the manual file creation you did and install `firejail-profiles` package~~

nvm, seahorse isn't in 0.9.58.2


@ghost commented on GitHub (Mar 15, 2019):

@hThoreau If you could provide a debug log here (or a link to one on a pastebin service of your choosing) that would help to see what's happening with your seahorse exactly. Something like `firejail --debug seahorse 2>&1 | tee seahorse.log` will capture all output to a file in the path you run it from. Additional output from `firejail --list` and/or `firejail --tree` after running the debug command would be very helpful too.


@ghost commented on GitHub (Mar 16, 2019):

Huh... It's running now. o_O

```
> firejail seahorse
Reading profile /home/user/.config/firejail/seahorse.profile
Reading profile /home/user/.config/firejail/disable-exec.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Reading profile /etc/firejail/gpg.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Parent pid 13461, child pid 13462
Blacklist violations are logged to syslog
Child process initialized in 101.16 ms
Warning: an existing sandbox was detected. /usr/bin/seahorse will run without any additional sandboxing features
seahorse-Message: 11:32:21.324: DNS-SD initialization failed: Daemon not running
> firejail --list
11078:user::/usr/bin/firejail /usr/bin/torbrowser-launcher
11305:user:keepassxc:/usr/bin/firejail /usr/bin/keepassxc
13461:user::firejail seahorse
```
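The script below is an added example, not code from the issue author or from the firejail project. It turns the checks used across this thread (whether the command on PATH is the `firecfg` symlink, which profile firejail will read, what `firejail --list` reports, and the AppArmor label of the sandboxed process) into shell functions, so the situation in step 6 of the report, where the sandbox says "Parent is shutting down" while syslog still shows a `seahorse` process, can be diagnosed without guessing. `SAMPLE_LIST` is a copy of the `--list` output quoted in the last comment; the directory layout, PIDs and file contents in the comments are constructed for illustration, and the `PROCROOT` argument exists only so the functions can be exercised against such constructed files. One common cause of the step 6 pattern, not established in this thread, is an application that hands its request to an already running instance (for example over D-Bus) and exits, so the wrapper finishes while the real process keeps running wherever it was started. The nesting warning in the last comment is consistent with `seahorse` resolving to the `firecfg` symlink inside the sandbox; `inside_firejail` detects that case via the `container=firejail` variable firejail exports.

```shell
#!/bin/sh
# jailcheck.sh: helpers for checking whether a program really runs under firejail.
# Added example, not firejail project code. Sample data below is constructed.

# 1. firecfg installs /usr/local/bin/<app> as a symlink to firejail. If the
#    command found on PATH is not such a symlink, typing `seahorse` runs the
#    program unsandboxed and the firejail profile is never consulted.
firecfg_symlink() {  # firecfg_symlink /path/to/command -> exit 0 if it points at firejail
    [ -L "$1" ] || return 1
    case "$(readlink "$1")" in
        */firejail|firejail) return 0 ;;
        *) return 1 ;;
    esac
}

# 2. Profile lookup order: ~/.config/firejail/NAME.profile overrides
#    /etc/firejail/NAME.profile. Prints the profile firejail would read.
profile_path() {  # profile_path NAME [LOCALDIR] [SYSDIR]
    name=$1; localdir=${2:-$HOME/.config/firejail}; sysdir=${3:-/etc/firejail}
    for d in "$localdir" "$sysdir"; do
        if [ -f "$d/$name.profile" ]; then
            printf '%s\n' "$d/$name.profile"
            return 0
        fi
    done
    return 1
}

# 3. `firejail --list` prints one sandbox per line as PID:USER:NAME:COMMAND.
#    Read such a listing on stdin and print the PIDs whose command runs PROGRAM.
sandbox_pids() {  # sandbox_pids PROGRAM < listing
    prog=$1
    while IFS=: read -r pid user name cmd; do
        case " $cmd " in
            *"/$prog "*|*" $prog "*) printf '%s\n' "$pid" ;;
        esac
    done
}

# 4. AppArmor label of a process: "firejail-default (enforce)" when the sandbox
#    is confined, "unconfined" when it is not. PROCROOT defaults to /proc and is
#    overridable only so the function can be run against constructed files.
apparmor_label() {  # apparmor_label PID [PROCROOT]
    f=${2:-/proc}/$1/attr/current
    [ -r "$f" ] || { echo unknown; return 1; }
    tr -d '\000\n' < "$f"
}

# 5. Inside a sandbox firejail exports container=firejail; running `firejail app`
#    from there yields the "an existing sandbox was detected" warning.
inside_firejail() { [ "${container:-}" = firejail ]; }

# --list output quoted in the last comment of this thread (constructed copy).
SAMPLE_LIST=$(printf '%s\n' \
    '11078:user::/usr/bin/firejail /usr/bin/torbrowser-launcher' \
    '11305:user:keepassxc:/usr/bin/firejail /usr/bin/keepassxc' \
    '13461:user::firejail seahorse')

# Full report for one program on a live system. Usage: sh jailcheck.sh seahorse
jailcheck() {
    prog=$1
    bin=$(command -v "$prog" 2>/dev/null) || { echo "$prog: not on PATH"; return 1; }
    if firecfg_symlink "$bin"; then
        echo "$bin is a firecfg symlink -> $(readlink "$bin")"
    else
        echo "$bin is not a firecfg symlink: '$prog' starts unsandboxed"
    fi
    if p=$(profile_path "$prog"); then
        echo "profile: $p"
    else
        echo "profile: none found for $prog"
    fi
    if inside_firejail; then
        echo "note: already inside a sandbox; nesting adds no confinement"
    fi
    pids=$(firejail --list 2>/dev/null | sandbox_pids "$prog")
    if [ -z "$pids" ]; then
        echo "no running sandbox for $prog (it exited, or handed off to another process)"
        return 1
    fi
    for pid in $pids; do
        echo "sandbox $pid: apparmor=$(apparmor_label "$pid")"
    done
}

if [ $# -gt 0 ]; then jailcheck "$1"; fi
```

Run it as `sh jailcheck.sh seahorse` right after launching the program. An empty `firejail --list` match together with a live `seahorse` process in `ps` is the step 6 symptom; a label other than `firejail-default (enforce)` on a listed sandbox PID means the profile is read but AppArmor is not confining it, which is the step 3 warning.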