[GH-ISSUE #3540] Signal-desktop icon in mate notification tray not displayed #2225

New issue

Closed

opened 2026-05-05 08:54:43 -06:00 by gitea-mirror · 16 comments

gitea-mirror commented 2026-05-05 08:54:43 -06:00

Owner

Copy link

Originally created by @NH0 on GitHub (Jul 23, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3540

When using signal-desktop with firejail and the signal-desktop profile from the git, the notification icon shows a gray forbidden sign instead of the signal icon.

When starting with --no-profile the icon is correctly displayed. When starting the app without firejail the icon is correctly displayed.

Reproduce
Steps to reproduce the behavior:

1. Run in bash firejail signal-desktop --use-tray-icon
2. Look at the MATE notification panel and see that the icon isn't displayed properly.

Environment

• Ubuntu 16.04
• firejail version 0.9.62

Originally created by @NH0 on GitHub (Jul 23, 2020). Original GitHub issue: https://github.com/netblue30/firejail/issues/3540 When using signal-desktop with firejail and the signal-desktop profile from the git, the notification icon shows a gray forbidden sign instead of the signal icon. When starting with `--no-profile` the icon is correctly displayed. When starting the app without firejail the icon is correctly displayed. **Reproduce** Steps to reproduce the behavior: 1. Run in bash `firejail signal-desktop --use-tray-icon` 2. Look at the MATE notification panel and see that the icon isn't displayed properly. **Environment** - Ubuntu 16.04 - firejail version 0.9.62

gitea-mirror closed this issue 2026-05-05 08:54:45 -06:00

gitea-mirror commented 2026-05-05 08:54:47 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Jul 23, 2020):

To late for me now. I need to sleep 😴 . The relevant things should be #1137 + dbus-user filter.

<!-- gh-comment-id:663239286 --> @rusty-snake commented on GitHub (Jul 23, 2020): To late for me now. I need to sleep :sleeping: . The relevant things should be #1137 + `dbus-user filter`.

gitea-mirror commented 2026-05-05 08:54:47 -06:00

Author

Owner

Copy link

@NH0 commented on GitHub (Jul 23, 2020):

Thanks !
I believe I don't have exactly the same issue as #1137 because I can see an icon, it just isn't the right one (it must be a default one I guess).
I've installed the xdg-dbus-proxy and them tried to set dbus-user filter and dbus-user.call org.freedesktop.Notifications in my local profile but I can't seem to make it work.
I have the following error :
Error: line 1 in /home/nh0/.config/firejail/signal-desktop.local is invalid

<!-- gh-comment-id:663266512 --> @NH0 commented on GitHub (Jul 23, 2020): Thanks ! I believe I don't have exactly the same issue as #1137 because I can see an icon, it just isn't the right one (it must be a default one I guess). I've installed the xdg-dbus-proxy and them tried to set `dbus-user filter` and `dbus-user.call org.freedesktop.Notifications` in my local profile but I can't seem to make it work. I have the following error : `Error: line 1 in /home/nh0/.config/firejail/signal-desktop.local is invalid`

gitea-mirror commented 2026-05-05 08:54:48 -06:00

Author

Owner

Copy link

@smitsohu commented on GitHub (Jul 23, 2020):

@NH0 that's because D-Bus filtering is a new feature. It's not available in 0.9.62 and for now exists only in the git version.

<!-- gh-comment-id:663272831 --> @smitsohu commented on GitHub (Jul 23, 2020): @NH0 that's because D-Bus filtering is a new feature. It's not available in 0.9.62 and for now exists only in the git version.

gitea-mirror commented 2026-05-05 08:54:48 -06:00

Author

Owner

Copy link

@ghost commented on GitHub (Jul 23, 2020):

As pointed out above, you'll need to build firejail from git for this to work. There are instructions in our wiki.

<!-- gh-comment-id:663274372 --> @ghost commented on GitHub (Jul 23, 2020): As pointed out above, you'll need to build firejail from git for this to work. There are instructions in [our wiki](https://github.com/netblue30/firejail/wiki/Using-firejail-from-git#debianubuntu).

gitea-mirror commented 2026-05-05 08:54:49 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Jul 24, 2020):

... or use ignore nodbus.

dbus-user.call org.freedesktop.Notifications

You would need a talk rule and org.freedesktop.Notifications is the wrong name. I think it is org.freedesktop.StatusNotifierItem.

<!-- gh-comment-id:663375869 --> @rusty-snake commented on GitHub (Jul 24, 2020): ... or use `ignore nodbus`. > dbus-user.call org.freedesktop.Notifications You would need a talk rule and org.freedesktop.Notifications is the wrong name. I think it is `org.freedesktop.StatusNotifierItem`.

gitea-mirror commented 2026-05-05 08:54:49 -06:00

Author

Owner

Copy link

@NH0 commented on GitHub (Jul 24, 2020):

Thanks for the replies !
I've updated firejail from git, now using firejail 0.9.63.
I now get the same problem as #1137 : I don't see an icon anymore in the notification area.
I tried using ignore nodbus but it didn't change anything, so I guess it's actually not the problem.
I've looked at the solution from #1137 and here is my signal-desktop.local :

mkdir /tmp/signal-tmp
whitelist /tmp/signal-tmp
env TMPDIR=/tmp/signal-tmp
env TMP=/tmp/signal-tmp

However, still no icon.

<!-- gh-comment-id:663581093 --> @NH0 commented on GitHub (Jul 24, 2020): Thanks for the replies ! I've updated firejail from git, now using firejail 0.9.63. I now get the same problem as #1137 : I don't see an icon anymore in the notification area. I tried using `ignore nodbus` but it didn't change anything, so I guess it's actually not the problem. I've looked at the solution from #1137 and here is my signal-desktop.local : ``` mkdir /tmp/signal-tmp whitelist /tmp/signal-tmp env TMPDIR=/tmp/signal-tmp env TMP=/tmp/signal-tmp ``` However, still no icon.

gitea-mirror commented 2026-05-05 08:54:50 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Jul 25, 2020):

Works it if you ignore private-tmp instead of this workaround?

<!-- gh-comment-id:663852608 --> @rusty-snake commented on GitHub (Jul 25, 2020): Works it if you `ignore private-tmp` instead of this workaround?

gitea-mirror commented 2026-05-05 08:54:50 -06:00

Author

Owner

Copy link

@NH0 commented on GitHub (Jul 27, 2020):

Nop, it didn't change anything.

<!-- gh-comment-id:664097286 --> @NH0 commented on GitHub (Jul 27, 2020): Nop, it didn't change anything.

gitea-mirror commented 2026-05-05 08:54:50 -06:00

Author

Owner

Copy link

@smitsohu commented on GitHub (Aug 5, 2020):

When starting with --no-profile the icon is correctly displayed.

We need to find the line in the profile that is breaking it. As profiles typically are short, a simple way is to just comment out all lines, and then uncomment line after line till it breaks.

This profile could be a bit more difficult to debug as it has whitelisting. Does it work with firejail --ignore=whitelist signal-desktop --use-tray-icon? If yes, could you also try firejail --whitelist=~/.cache signal-desktop --use-tray-icon ?

The easiest would be to run firejail --build signal-desktop --use-tray-icon and post the output here, but I'm afraid it will fail in this case.

<!-- gh-comment-id:669103347 --> @smitsohu commented on GitHub (Aug 5, 2020): > When starting with --no-profile the icon is correctly displayed. We need to find the line in the profile that is breaking it. As profiles typically are short, a simple way is to just comment out all lines, and then uncomment line after line till it breaks. This profile could be a bit more difficult to debug as it has whitelisting. Does it work with `firejail --ignore=whitelist signal-desktop --use-tray-icon`? If yes, could you also try `firejail --whitelist=~/.cache signal-desktop --use-tray-icon` ? The easiest would be to run `firejail --build signal-desktop --use-tray-icon` and post the output here, but I'm afraid it will fail in this case.

gitea-mirror commented 2026-05-05 08:54:51 -06:00

Author

Owner

Copy link

@NH0 commented on GitHub (Aug 5, 2020):

Following your advice and based on what has been said on this issue, I tried commenting out some lines in the profile file (/etc/firejail/signal-desktop.profile), and I got it to work by commenting out:

# private-tmp
# dbus-user none

Removing dbus-user none allowed me to have a broken icon in the notification tray, and removing private-tmp allowed me to have the correct icon displayed.
I don't know why ignore private-tmp and ignore nodbus didn't work before.

Do you think it's possible to find a middle ground between :

• removing completely the dbus-user and private-tmp lines
• having no icon ?

That would be great !

Note : firejail --ignore=whitelist signal-desktop --use-tray-icon didn't work

<!-- gh-comment-id:669236731 --> @NH0 commented on GitHub (Aug 5, 2020): Following your advice and based on what has been said on this issue, I tried commenting out some lines in the profile file (/etc/firejail/signal-desktop.profile), and **I got it to work** by commenting out: ``` # private-tmp # dbus-user none ``` Removing `dbus-user none` allowed me to have a broken icon in the notification tray, and removing `private-tmp` allowed me to have the correct icon displayed. I don't know why `ignore private-tmp` and `ignore nodbus` didn't work before. Do you think it's possible to find a middle ground between : - removing completely the `dbus-user` and `private-tmp` lines - having no icon ? That would be great ! Note : `firejail --ignore=whitelist signal-desktop --use-tray-icon` didn't work

gitea-mirror commented 2026-05-05 08:54:51 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Aug 5, 2020):

I don't know why ignore private-tmp and ignore nodbus didn't work before.

Because there is no nodbus in 0.9.63 anymore which can be ignored.

Can uncomment these lines again and try this signal-desktop.local:

ignore private-tmp

mkdir /tmp/signal-tmp
whitelist /tmp/signal-tmp
env TMPDIR=/tmp/signal-tmp
env TMP=/tmp/signal-tmp

dbus-user filter
dbus-user.talk org.freedesktop.<TODO>
ignore dbus-user none

<!-- gh-comment-id:669308247 --> @rusty-snake commented on GitHub (Aug 5, 2020): > I don't know why ignore private-tmp and ignore nodbus didn't work before. Because there is no `nodbus` in 0.9.63 anymore which can be ignored. Can uncomment these lines again and try this signal-desktop.local: ``` ignore private-tmp mkdir /tmp/signal-tmp whitelist /tmp/signal-tmp env TMPDIR=/tmp/signal-tmp env TMP=/tmp/signal-tmp dbus-user filter dbus-user.talk org.freedesktop.<TODO> ignore dbus-user none ```

gitea-mirror commented 2026-05-05 08:54:52 -06:00

Author

Owner

Copy link

@NH0 commented on GitHub (Aug 5, 2020):

Finally got it :

ignore private-tmp

mkdir /tmp/signal-tmp
whitelist /tmp/signal-tmp
env TMPDIR=/tmp/signal-tmp
env TMP=/tmp/signal-tmp

ignore dbus-user none

dbus-user filter
dbus-user.talk org.kde.StatusNotifierWatcher

Thanks for your quick responses and your help 💯

<!-- gh-comment-id:669489519 --> @NH0 commented on GitHub (Aug 5, 2020): Finally got it : ``` ignore private-tmp mkdir /tmp/signal-tmp whitelist /tmp/signal-tmp env TMPDIR=/tmp/signal-tmp env TMP=/tmp/signal-tmp ignore dbus-user none dbus-user filter dbus-user.talk org.kde.StatusNotifierWatcher ``` Thanks for your quick responses and your help 💯

gitea-mirror commented 2026-05-05 08:54:52 -06:00

Author

Owner

Copy link

@ckotte commented on GitHub (Oct 21, 2020):

I have the same issue with evince on GNOME. The icon isn't displayed until I set ignore dbus-user none. However, I can set anything for dbus-user.talk. It looks like this setting doesn't have any effect.

I would like to further restrict the DBUS access. So, does dbus-user filter restricts the DBUS access again when ignore dbus-user none was specified before?

How can I find out the correct well-known name for dbus-user.talk?

<!-- gh-comment-id:713506711 --> @ckotte commented on GitHub (Oct 21, 2020): I have the same issue with evince on GNOME. The icon isn't displayed until I set ```ignore dbus-user none```. However, I can set anything for ```dbus-user.talk```. It looks like this setting doesn't have any effect. I would like to further restrict the DBUS access. So, does ```dbus-user filter``` restricts the DBUS access again when ```ignore dbus-user none``` was specified before? How can I find out the correct well-known name for ```dbus-user.talk```?

gitea-mirror commented 2026-05-05 08:54:52 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Oct 21, 2020):

Hi, I use this in my evince.local to have the evince icon displayed in my dash-to-dock panel.

dbus-user filter
ignore dbus-user none

So you can simply first set filter and the ignore none, but it does not matter because ignore is a simple text-match which is applied while parsing and just skips line where a previous ignore matches. And dbus-user none does not macth dbus-user filter.

How can I find out the correct well-known name for dbus-user.talk?

ATM the is no perfect way. You can look at flatpak permissions, use firejail's --dbus-log option or dbus-monitor. For tray-icons I can tell you that there are two common standards, org.freedesktop.StatusNotifierItem and org.kde.StatusNotifierWatcher. Depending on the shell-extension you use for tray-icons you need the first one or the last one.

<!-- gh-comment-id:713627292 --> @rusty-snake commented on GitHub (Oct 21, 2020): Hi, I use this in my evince.local to have the evince icon displayed in my dash-to-dock panel. ``` dbus-user filter ignore dbus-user none ``` So you can simply first set `filter` and the ignore `none`, but it does not matter because `ignore` is a simple text-match which is applied while parsing and just skips line where a previous `ignore` matches. And `dbus-user none` does not macth `dbus-user filter`. > How can I find out the correct well-known name for `dbus-user.talk`? ATM the is no perfect way. You can look at flatpak permissions, use firejail's `--dbus-log` option or `dbus-monitor`. For tray-icons I can tell you that there are two common standards, `org.freedesktop.StatusNotifierItem` and `org.kde.StatusNotifierWatcher`. Depending on the shell-extension you use for tray-icons you need the first one or the last one.

gitea-mirror commented 2026-05-05 08:54:53 -06:00

Author

Owner

Copy link

@ckotte commented on GitHub (Oct 21, 2020):

May I ask what the benefit of filter is if you don't use any of the other options? I can only see combinations of filter with dbus-user.call, dbus-user.talk, etc. pp. in the manpage.

The filter policy enables the session DBus filter. This option requires installing the xdg-dbus-proxy utility. Permissions for well-known names can be added with the --dbus-user.talk and --dbus-user.own options.

It also doesn't matter which setting I add. I can always see the icon as long as I have ignore dbus-user none

<!-- gh-comment-id:713663422 --> @ckotte commented on GitHub (Oct 21, 2020): May I ask what the benefit of ```filter``` is if you don't use any of the other options? I can only see combinations of ```filter``` with ```dbus-user.call```, ```dbus-user.talk```, etc. pp. in the manpage. > The filter policy enables the session DBus filter. This option requires installing the xdg-dbus-proxy utility. Permissions for well-known names can be added with the --dbus-user.talk and --dbus-user.own options. It also doesn't matter which setting I add. I can always see the icon as long as I have ```ignore dbus-user none```

gitea-mirror commented 2026-05-05 08:54:53 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Oct 21, 2020):

IDK why it work with filter without rules, but not with none. Maybe it's the error handling from glib/gtk.

<!-- gh-comment-id:713681895 --> @rusty-snake commented on GitHub (Oct 21, 2020): IDK why it work with `filter` without rules, but not with `none`. Maybe it's the error handling from glib/gtk.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

serialize_remounts_v2

landlock_v4

landlock

release-0.9.64

release-0.9.62

gitlab_ci

LTSbase

fred_ctests

docs

0.9.80

0.9.80-rc1

0.9.78

0.9.76

0.9.76-rc4

0.9.76-rc3

0.9.76-rc2

0.9.76-rc1

0.9.74

landlock-split

0.9.72

0.9.72rc1

0.9.70

0.9.68

0.9.68rc1

0.9.66

0.9.66rc1

0.9.64.4

0.9.64.2

0.9.64

0.9.64rc1

0.9.62.4

0.9.62.2

0.9.62

0.9.56.2-LTS

0.9.60

0.9.60-rc1

0.9.58.2

0.9.58

0.9.58-rc1

0.9.56-LTS-release

0.9.56-LTS

0.9.56

0.9.56-rc1

0.9.54

0.9.54-rc2

0.9.54-rc1

0.9.52

0.9.38.12

0.9.50

0.9.50-rc1

0.9.48

0.9.46

0.9.46-rc1

0.9.44.10

0.9.44.8

0.9.44.6

0.9.38.10

0.9.44.4

0.9.38.8

0.9.44.2

0.9.44

0.9.44-rc1

0.9.38.4

0.9.42

0.9.42-rc2

0.9.38.2

0.9.42-rc1

disable-globalcfg

0.9.40

0.9.40-rc1

0.9.38

0.9.38-rc1

0.9.36

0.9.36-rc1

0.9.34

0.9.34-rc1

0.9.32

0.9.32-rc1

0.9.30

0.9.30-rc1

Labels

Clear labels   

LTS merge

  

LTS merge

  

bug

  

bug

  

converted-to-discussion

  

doc-todo

  

documentation

  

duplicate

  

enhancement

  

file-transfer

  

firecfg

  

firejail-in-firejail

  

firetools

  

graphics

  

help wanted

  

information_old

  

installation

  

invalid

  

modif

  

moved

  

needinfo

  

networking

  

notabug

  

notourbug

  

old-version

  

overlayfs

  

packaging

  

profile-request

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

question_old

  

removal

  

runtime-permissions

  

sandbox-ipc

  

security

  

stale

  

wiki

  

wiki

  

wontfix

  

wordpress

  

workaround

No labels

LTS merge

LTS merge

bug

bug

converted-to-discussion

doc-todo

documentation

duplicate

enhancement

file-transfer

firecfg

firejail-in-firejail

firetools

graphics

help wanted

information_old

installation

invalid

modif

moved

needinfo

networking

notabug

notourbug

old-version

overlayfs

packaging

profile-request

pull-request

question

question_old

removal

runtime-permissions

sandbox-ipc

security

stale

wiki

wiki

wontfix

wordpress

workaround

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2225

No description provided.