[GH-ISSUE #3707] qBittorrent tray icon missing from notification panel when running it with firejail #2334

Closed
opened 2026-05-05 09:01:14 -06:00 by gitea-mirror · 7 comments

Originally created by @mYnDstrEAm on GitHub (Oct 28, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3707

The system tray icon of qBittorrent is missing when minimizing it to the notification area

Bug and expected behavior

  • When minimizing qBittorrent to the tray it does not display an entry in KDE's notification panel (in qBittorrent the setting "Minimize qBittorrent to notification area" is enabled)
  • In the bottom right when clicking the arrow of the tray to display KDE's notification panel ("Status & Notifications") an entry for qBittorrent should display

I get this in the console when starting qBittorrent with firejail:

  • `Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set`
  • `org.kde.knotifications: env says KDE is running but SNI unavailable -- check KDE_FULL_SESSION and XDG_CURRENT_DESKTOP`

No profile and disabling firejail

  • What changed calling `firejail --noprofile /path/to/program` in a terminal?

I don't get these 2 outputs in the console and it minimizes to the notification area

Reproduce
Steps to reproduce the behavior:

  1. Run in bash `firejail qbittorrent`
  2. Enable "Minimize qBittorrent to notification area" setting
  3. Try to minimize to tray

Environment
Debian 10 stable with KDE
Firejail 0.9.62

Additional context
The notification icon shows when running it without firejail

Checklist

  • [x] The upstream profile (and redirect profile if exists) have no changes fixing it.
  • [x] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [x] Programs needed for interaction are listed in the profile.
  • [x] A short search for duplicates was performed.
  • [x] If it is an AppImage, `--profile=PROFILENAME` is used to set the right profile.

@CodeArtisan00 commented on GitHub (Oct 28, 2020):

run with `ignore nodbus`


@rusty-snake commented on GitHub (Oct 28, 2020):

For the record: `ignore nodbus` only works for 0.9.62. In 0.9.64 either add `ignore dbus-user none` or set it to `filter` and add talk rules.

Tray-icon and native-notifications (there are multiple standards in the linux world, IDK how all of them work and which software implements which):

```
dbus-user filter
dbus-user.talk org.kde.knotifications
dbus-user.talk org.kde.StatusNotifierWatcher
dbus-user.talk org.freedesktop.Notifications
dbus-user.talk org.freedesktop.StatusNotifierItem
ignore dbus-user none
```

qBittorrent may fail with that because it has no own rules and error-handling differs between "permission denied" on socket and "permission denied" inside dbus.


A hardened solution for 0.9.62:

```
ignore nodbus
blacklist /run/dbus
```

@mYnDstrEAm commented on GitHub (Oct 28, 2020):

I ran `kate ~/.config/firejail/qbittorrent.local` and added these two lines and it works now. Thank you!

This should probably be added to the qbittorrent.profile.
However, I think that `ignore nodbus` should probably be replaced with allowing the notification tray icons in specific. You already listed relevant notification permissions. Before it's standardized better it should probably be done by firejail with something like "`allow-tray`".


@rusty-snake commented on GitHub (Oct 29, 2020):

> This should probably be added to the qbittorrent.profile.

Hmm, qbittorrent is a program which mainly deals with (untrusted) data from the internet. This means it has a high attack-surface (e.g. buffer-overflows while processing a bad packet can result in RCE). D-Bus is a good technology for sandbox-escapes. So just allowing all D-Bus is risky. Fortunately we have fine grained D-Bus access policies since 0.9.64. However a lot of D-Bus interfaces are still unsafe and `call` rules are not maintainable without aliases. IMHO we should add a note for now.


@mYnDstrEAm commented on GitHub (Oct 29, 2020):

That's why I'm wary of adding it (and I'm not sure what's being allowed when also blacklisting /run/dbus). But somehow qBittorrent and other apps with tray icons should work (completely) with firejail. Looks like Debian recently upgraded its used firejail version in backports to 0.9.64: is it now possible to allow tray-icons in specific? Does this mean that allowing notification area icons would still be unsafe with dbus (if so and if you know related dbus code issues please link them here; haven't looked into zeromq which is probably unlikely to be viable)?


@rusty-snake commented on GitHub (Oct 29, 2020):

> I'm not sure what's being allowed when also blacklisting /run/dbus

/run/dbus/system_bus_socket is the socket of the system-bus which is mainly used for privileged things (NetworkManager, systemd, PackageKit, Bluetooth, ...).

> Looks like Debian recently upgraded its used firejail version in backports to 0.9.64: is it now possible to allow tray-icons in specific?

Yes, you can install it and try the rules I posted above. `xdg-dbus-proxy` must be installed.

OT: I suggest to always use the backports version because it has newer features and the much more recent profiles.

> Does this mean that allowing notification area icons would still be unsafe with dbus (if so and if you know related dbus code issues please link them here;

It's not a bug in the D-Bus code. If you want, it is a bug in the spec. The issue is that most DEs populate all their objects/methods/interfaces on all names. Example on GNOME (<= 3.36.1) as I use GNOME and am more familiar but KDE should do the same IIRC. `dbus-user.talk org.freedesktop.Notifications` (native notifications; `notify-send`) allows to take screenshots, install extensions (which are commonly used for spyware under linux), execute any shell command outside of the sandbox.

IDK which of the names above are really needed and IDK if they are safe under KDE, but based on my previous experience I classify all names as unsafe until I know better.

Using `dbus-{user,system}.call` rules can be used to allow access only to specific functions/properties/signals. However, these rules are terrible to maintain until we have aliases.

EDIT: and there are some reviews: https://github.com/netblue30/firejail/wiki/Restrict-D-Bus


@aminvakil commented on GitHub (Feb 25, 2024):

firejail 0.9.72-1 on Arch Linux on KDE Plasma 5.115.0-1 and qbittorrent 4.6.3-1
This works and no new permissions are necessary to add as mentioned in https://github.com/netblue30/firejail/issues/3707#issuecomment-717990844 :

```
dbus-user filter
ignore dbus-user none
```

Also for future readers like me, link has been moved to https://github.com/netblue30/firejail/wiki/Restrict-DBus .
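
The effect of the `qbittorrent.local` variants discussed in this thread on the session-bus policy, as an added example (not firejail's code and not posted by any participant). It is a simplified model: it assumes the `.local` lines are read before the profile's own `dbus-user none`, that `ignore` matches whole directives, and that a `none` policy is never relaxed; `PROFILE` is a constructed stand-in for the upstream profile line.

```python
# Added example: simplified model of how dbus-user lines resolve (not firejail code).
# Assumptions: lines are processed top to bottom with the .local first,
# `ignore X` drops later lines equal to X or starting with "X ", and a policy
# of "none" is not relaxed by a later "filter".

# Names posted in the thread, treated as unreviewed per the maintainer's comment.
UNREVIEWED = {
    "org.kde.knotifications", "org.kde.StatusNotifierWatcher",
    "org.freedesktop.Notifications", "org.freedesktop.StatusNotifierItem",
}

def effective_dbus_user(lines):
    """Return (policy, talk_names); policy is 'allow', 'filter' or 'none'."""
    ignored, policy, talk = [], "allow", []  # no dbus-user line: unrestricted
    for raw in lines:
        line = " ".join(raw.split("#", 1)[0].split())  # strip comments/spacing
        if not line:
            continue
        if line.startswith("ignore "):
            ignored.append(line[len("ignore "):])
        elif any(line == i or line.startswith(i + " ") for i in ignored):
            continue
        elif line in ("dbus-user none", "nodbus"):
            policy = "none"
        elif line == "dbus-user filter" and policy != "none":
            policy = "filter"
        elif line.startswith("dbus-user.talk "):
            talk.append(line.split(" ", 1)[1])
    return policy, (talk if policy == "filter" else [])

def audit(lines):
    """Flag an unrestricted session bus and talk names nobody has reviewed."""
    policy, talk = effective_dbus_user(lines)
    findings = ["session bus unrestricted"] if policy == "allow" else []
    findings += [f"unreviewed talk name: {n}" for n in talk if n in UNREVIEWED]
    return policy, findings

PROFILE = ["dbus-user none"]  # constructed stand-in for the upstream profile line
LOCAL_TALK = ["dbus-user filter"] + [f"dbus-user.talk {n}" for n in sorted(UNREVIEWED)] \
    + ["ignore dbus-user none"]
LOCAL_MINIMAL = ["dbus-user filter", "ignore dbus-user none"]
LOCAL_IGNORE_ONLY = ["ignore dbus-user none"]

if __name__ == "__main__":
    for name, local in (("talk rules", LOCAL_TALK), ("filter only", LOCAL_MINIMAL),
                        ("ignore only", LOCAL_IGNORE_ONLY), ("stock", [])):
        print(f"{name:12}", audit(local + PROFILE))
```
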
