[GH-ISSUE #3758] library libgtk3-nocsd cannot be preloaded #2369

Closed
opened 2026-05-05 09:03:07 -06:00 by gitea-mirror · 7 comments

Originally created by @ghost on GitHub (Nov 17, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3758

Bug and expected behavior
I am trying to use https://github.com/PCMan/gtk3-nocsd to launch GTK3 applications. The library /usr/lib/libgtk3-nocsd.so.0 is added to LD_PRELOAD. It seems that there are problems with this library and firejail.

Out of firejail
It works. For example:

  • gtk3-nocsd nautilus
  • gtk3-nocsd evince
  • gtk3-nocsd remmina

Firejail without a profile
Even without a profile, some applications fail.

  • firejail --noprofile gtk3-nocsd nautilus : it works.
  • firejail --noprofile gtk3-nocsd evince: It fails. ERROR: ld.so: object 'libgtk3-nocsd.so.0' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.
  • firejail --noprofile gtk3-nocsd remmina: It fails. ERROR: ld.so: object 'libgtk3-nocsd.so.0' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.

Environment

  • Linux distribution and version (ie output of lsb_release -a, screenfetch or cat /etc/os-release)

```
lsb_release -a
LSB Version:	1.4
Distributor ID:	Arch
Description:	Arch Linux
Release:	rolling
Codename:	n/a
```

  • Firejail version (output of firejail --version) exclusive or used git commit (git rev-parse HEAD)

```
firejail --version
firejail version 0.9.64

Compile time support:
	- AppArmor support is enabled
	- AppImage support is enabled
	- chroot support is enabled
	- D-BUS proxy support is enabled
	- file and directory whitelisting support is enabled
	- file transfer support is enabled
	- firetunnel support is enabled
	- networking support is enabled
	- overlayfs support is enabled
	- private-home support is enabled
	- SELinux support is disabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled
```

@ghost commented on GitHub (Nov 18, 2020):

@chrpinedo Hi, I have installed gtk3-nocsd from the AUR to see if I can reproduce.

  • (1) Do you use the gtk3-nocsd package from the AUR or do you build it from https://github.com/PCMan/gtk3-nocsd? I ask because the AUR package uses a forked git repo. Just so we can establish some baseline for communication/testing things in this context, I would recommend installing gtk3-nocsd from the AUR if you haven't.

  • (2) I cannot reproduce your --noprofile observations and I have in fact been successful in using a firejailed evince with gtk3-nocsd (see below). Commands to test stuff with --noprofile better use full paths, to avoid potential clashes with symlinks in /usr/local/bin (put there by firecfg for example). So, can you redo these commands and report back please:

```
$ firejail --noprofile gtk3-nocsd /usr/bin/evince
$ firejail --noprofile gtk3-nocsd /usr/bin/remmina
```

  • (3) Using a LD_PRELOAD'ed lib like gtk3-nocsd in combination with firejail more than likely will need extra work. This depends on the profile obviously, but in general options like private-bin, private-etc and private-lib are to be accounted for in .local overrides. LD_PRELOAD and gtk3-nocsd (a shell script using specific commands) depend on having access to things that might not be available in the default firejail profiles.

Let me provide an example for evince to clarify all this. /usr/bin/gtk3-nocsd is a shell script. To work as expected it needs access to your shell and to any other command it references (basename, grep, readlink and which). The evince.profile has options in this regard that will need attention:

```
[...]
include disable-shell.inc
[...]
private-bin evince,evince-previewer,evince-thumbnailer
private-etc alternatives,fonts,group,ld.so.cache,machine-id,passwd
# private-lib might break two-page-view on some systems
private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*
[...]
```

For me running firejail --profile=evince gtk3-nocsd /usr/bin/evince works with the below evince.local:

```
# Firejail profile for evince
# Persistent local customizations
## add gtk3-nocsd support
#+ env var
env GTK_CSD=0
#+ paths blocked by disable-shell.inc
noblacklist ${PATH}/bash
noblacklist ${PATH}/sh
#+ additional options to ensure all needed files are accessible inside the sandbox
private-bin basename,bash,grep,gtk3-nocsd,readlink,sh,which
private-etc ld.so.conf,ld.so.conf.d,ld.so.preload
private-lib libgtk3-nocsd.so.*
```

Can you test on your side if any of this improves your attempt to use gtk3-nocsd please? There are other things you could do (like adding env GTK_CSD=0 to your globals.local instead of per affected profile), but let's start as simply as possible for now.
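
An added example, not part of the original thread or of firejail: a static check of profile text for the items the comment above lists (the commands the gtk3-nocsd wrapper calls, the preloaded library, and the shell blocked by disable-shell.inc). It assumes that private-bin and private-lib lines from a profile and its .local are merged and that entries behave as shell-style globs on the file name; the profile sample is abridged from the excerpt quoted above, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example, not firejail code. Assumptions: private-bin / private-lib
# lines of a profile and its .local are merged, and entries are matched
# here as shell-style globs against the file name only.

# Constructed sample: abridged from the evince.profile excerpt in the thread.
EVINCE_PROFILE='include disable-shell.inc
private-bin evince,evince-previewer,evince-thumbnailer
private-etc alternatives,fonts,group,ld.so.cache,machine-id,passwd
private-lib evince,gconv,gdk-pixbuf-2.*,gio,libpoppler-glib.so.*'

# The evince.local posted in the thread.
EVINCE_LOCAL='env GTK_CSD=0
noblacklist ${PATH}/bash
noblacklist ${PATH}/sh
private-bin basename,bash,grep,gtk3-nocsd,readlink,sh,which
private-etc ld.so.conf,ld.so.conf.d,ld.so.preload
private-lib libgtk3-nocsd.so.*'

# Commands the gtk3-nocsd wrapper script needs, as listed in the thread.
NOCSD_BINS='sh basename grep readlink which gtk3-nocsd'

# collect_entries DIRECTIVE TEXT: print every comma-separated entry of
# every "DIRECTIVE a,b,c" line, one per line.
collect_entries() {
    printf '%s\n' "$2" | while IFS= read -r _line; do
        case "$_line" in
            "$1 "*)
                _rest=${_line#"$1 "}
                printf '%s\n' "$_rest" | tr ',' '\n' ;;
        esac
    done
}

# covered NAME ENTRIES: succeed if NAME matches one entry (glob allowed).
covered() {
    while IFS= read -r _pat; do
        [ -n "$_pat" ] || continue
        case "$1" in
            $_pat) return 0 ;;
        esac
    done <<EOF
$2
EOF
    return 1
}

# missing_items DIRECTIVE TEXT NEEDED: print the NEEDED names that the
# directive would leave out. No such directive means no restriction.
missing_items() {
    _entries=$(collect_entries "$1" "$2")
    [ -n "$_entries" ] || return 0
    _missing=""
    for _need in $3; do
        covered "$_need" "$_entries" || _missing="${_missing:+$_missing }$_need"
    done
    printf '%s' "$_missing"
}

# preload_basenames VALUE: file names of the colon/space separated entries.
preload_basenames() {
    printf '%s\n' "$1" | tr ': ' '\n\n' | while IFS= read -r _p; do
        if [ -n "$_p" ]; then printf '%s\n' "${_p##*/}"; fi
    done
}

# shell_blocked TEXT: succeed if disable-shell.inc is included and the
# sh path is not re-allowed with noblacklist.
shell_blocked() {
    printf '%s\n' "$1" | grep -qxF 'include disable-shell.inc' || return 1
    printf '%s\n' "$1" | grep -qxF 'noblacklist ${PATH}/sh' && return 1
    return 0
}

# check_sandbox TEXT LD_PRELOAD_VALUE: print a short report.
check_sandbox() {
    _libs=$(preload_basenames "$2" | tr '\n' ' ')
    if shell_blocked "$1"; then echo "shell: blocked by disable-shell.inc"; fi
    _r=$(missing_items private-bin "$1" "$NOCSD_BINS")
    echo "private-bin missing: ${_r:-none}"
    _r=$(missing_items private-lib "$1" "$_libs")
    echo "private-lib missing: ${_r:-none}"
}

# Profile alone, without the .local: everything the helper needs is reported.
check_sandbox "$EVINCE_PROFILE" "/usr/lib/libgtk3-nocsd.so.0"
```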


@ghost commented on GitHub (Nov 18, 2020):

@glitsj16 you got a great improvement! :-)

  • (1) I am using the same AUR package you use
  • (2) I can execute the same commands you suggest:

```
$ firejail --noprofile gtk3-nocsd /usr/bin/evince
$ firejail --noprofile gtk3-nocsd /usr/bin/remmina
```

In fact, I was able to run the following commands with the idea of not using the "gtk3-nocsd" command:

```
$ firejail --noprofile --env=GTK_CSD=0 --env=LD_PRELOAD=/usr/lib/libgtk3-nocsd.so.0 /usr/bin/evince
$ firejail --noprofile --env=GTK_CSD=0 --env=LD_PRELOAD=/usr/lib/libgtk3-nocsd.so.0 /usr/bin/remmina
```

I prefer this approach, because the idea would be to use the application and depending on the environment variables to be able to have window decorators or not. In fact, the AUR package comes with the /etc/X11/xinit/xinitrc.d/30-gtk3-nocsd.sh script, which creates GTK_CSD and LD_PRELOAD env variables only if GNOME desktop environment is not in use.
I don't know if it would be possible to "whitelist" GTK_CSD and LD_PRELOAD environment variables so that firejail could get them from the parent process instead of setting them statically in the profile.

  • (3) Instead of executing firejail --profile=evince gtk3-nocsd /usr/bin/evince I would prefer to execute firejail evince by getting GTK_CSD and LD_PRELOAD variables preferably from parent process and including a profile of whitelisted bins/libs...

The ~/.config/firejail/evince.profile seems to be not sufficient because firejail evince is launched with CSD and I get the error ERROR: ld.so: object '/usr/bin/libgtk3-nocsd.so.0' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.

```
# Firejail profile for evince
# Persistent local customizations
## add gtk3-nocsd support
#+ env var
env GTK_CSD=0
env LD_PRELOAD=/usr/bin/libgtk3-nocsd.so.0
#+ paths blocked by disable-shell.inc
noblacklist ${PATH}/bash
noblacklist ${PATH}/sh
#+ additional options to ensure all needed files are accessible inside the sandbox
private-bin basename,bash,grep,gtk3-nocsd,readlink,sh,which
private-etc ld.so.conf,ld.so.conf.d,ld.so.preload
private-lib libgtk3-nocsd.so.*
include /etc/firejail/evince.profile
```

@ghost commented on GitHub (Nov 19, 2020):

> The ~/.config/firejail/evince.profile seems to be not sufficient because firejail evince is launched with CSD and I get the error ERROR: ld.so: object '/usr/bin/libgtk3-nocsd.so.0' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.

For the above 'logic' to work you need to have that profile named ~/.config/firejail/evince.local, NOT ~/.config/firejail/evince.profile.

> I prefer this approach, because the idea would be to use the application and depending on the environment variables to be able to have window decorators or not.

Okay, I did some more testing and came up with a slightly different approach. It involves creating a 'non-GNOME' firejail profile and a shell script that needs to be in your $PATH before /usr/local/bin and /usr/bin, e.g. in ~/bin.

$ cat ~/.config/firejail/evince-non-gnome.profile

```
# Firejail profile for evince [non-GNOME session]
# Description: Document (PostScript, PDF) viewer

## add gtk3-nocsd support
#+ paths blocked by disable-shell.inc
noblacklist ${PATH}/bash
noblacklist ${PATH}/sh
#+ additional options to ensure all needed files are accessible inside the sandbox
private-bin basename,bash,grep,gtk3-nocsd,readlink,sh,which
private-etc ld.so.conf,ld.so.conf.d,ld.so.preload
private-lib libgtk3-nocsd.so.*

include evince.profile
```

$ cat ~/bin/evince

```
#!/bin/sh
#
## wrapper for evince
#+ gtk3-nocsd support via env vars
#+ sandbox support via firejail

### vars
_app="evince"
_bin="/usr/bin/${_app}"
_bin_no_sbox="$_bin"

## sandboxing
_sbox_mode="quiet"
#+ sandbox profile depending on session
case "${DESKTOP_SESSION-}" in
    gnome|gnome-*|*/gnome|*/gnome-*)
        _csd_helper=""
        _sbox_profile="$_app"
        ;;
    *)
        _csd_helper="gtk3-nocsd"
        _sbox_profile="${_app}-non-gnome"
        ;;
esac
#+ start command depending on sandbox mode
case "$_sbox_mode" in
    off)
        _cmd="${_csd_helper} ${_bin_no_sbox}"
        ;;
    quiet)
        _cmd="firejail --profile=${_sbox_profile} --quiet ${_csd_helper} ${_bin}"
        ;;
    verbose)
        _cmd="firejail --ignore=quiet --profile=${_sbox_profile} ${_csd_helper} ${_bin}"
        ;;
esac


### logic
${_cmd} "$@"

exit 0
```

After creating both files you can launch evince from the CLI by running evince and it will automagically run sandboxed and with/without window decorators depending on the env vars you pointed to. For testing you can set the _sbox_mode var to verbose so you can see exactly which profiles firejail is loading.

Just to avoid confusion, for remmina you will have to create a specific ~/.config/firejail/remmina-non-gnome.profile.


@ghost commented on GitHub (Nov 21, 2020):

> > The ~/.config/firejail/evince.profile seems to be not sufficient because firejail evince is launched with CSD and I get the error ERROR: ld.so: object '/usr/bin/libgtk3-nocsd.so.0' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.
>
> For the above 'logic' to work you need to have that profile named ~/.config/firejail/evince.local, NOT ~/.config/firejail/evince.profile.

Just to know, why is it so different to put the file in my ~/.config/firejail directory from /etc/firejail/*.local? I normally use the first one, because I think it is clearer: they are my customizations I want for my Linux user.

> > I prefer this approach, because the idea would be to use the application and depending on the environment variables to be able to have window decorators or not.
>
> Okay, I did some more testing and came up with a slightly different approach. It involves creating a 'non-GNOME' firejail profile and a shell script that needs to be in your $PATH before /usr/local/bin and /usr/bin, e.g. in ~/bin.

This solution is quite smart! I modified your script to be used as a wrapper by all the "non-gnome" applications I want to configure without CSD:

$ cat ~/bin/firejail-gtk3-nocsd

```
#!/bin/sh
#
## firejail wrapper for gtk3-nocsd


### vars
if [ x"$(basename "$0")"x = x"firejail-gtk3-nocsd"x ] ; then
    echo "Usage: "
    echo "  1. Create a firejail profile named \"app-non-gnome.profile\""
    echo "  2. Link \"app\" to this script"
    echo "  3. Run \"app\""
    exit 0
else
    _app="$(basename "$0")"
fi
_bin="/usr/bin/${_app}"
_bin_no_sbox="$_bin"

## sandboxing
_sbox_mode="quiet"
#+ sandbox profile depending on session
case "${DESKTOP_SESSION-}" in
    gnome|gnome-*|*/gnome|*/gnome-*)
        _csd_helper=""
        _sbox_profile="$_app"
        ;;
    *)
        _csd_helper="gtk3-nocsd"
        _sbox_profile="${_app}-non-gnome"
        ;;
esac
#+ start command depending on sandbox mode
case "$_sbox_mode" in
    off)
        _cmd="${_csd_helper} ${_bin_no_sbox}"
        ;;
    quiet)
        _cmd="firejail --profile=${_sbox_profile} --quiet ${_csd_helper} ${_bin}"
        ;;
    verbose)
        _cmd="firejail --ignore=quiet --profile=${_sbox_profile} ${_csd_helper} ${_bin}"
        ;;
esac


### logic
${_cmd} "$@"

exit 0
```

So, now to add a new application without CSD for my i3wm desktop I have to do (an example with shortwave GTK3 application):

  1. Create a specific profile for the application based on the evince profile you suggested: shortwave-non-gnome.profile
  2. Link shortwave to firejail-gtk3-nocsd: ln -s ~/bin/firejail-gtk3-nocsd ~/bin/shortwave

I am quite happy with this solution! Thanks glitsj16, I couldn't have gotten to this solution without your help.

Regards!


@ghost commented on GitHub (Nov 21, 2020):

> $ cat ~/bin/firejail-gtk3-nocsd

Nice script. Good to hear you have a working solution. I'll close this, but feel free to reopen if you have more questions. Take care!


@rusty-snake commented on GitHub (Nov 21, 2020):

> > For the above 'logic' to work you need to have that profile named ~/.config/firejail/evince.local, NOT ~/.config/firejail/evince.profile.
>
> Just only to know, why is so different to put the file in my ~/.config/firejail directory from /etc/firejail/*.local. I normally use the first one, because I think is more clear: they are my customizations I want for my linux user.

@glitsj16 was talking about using a *.local instead of a *.profile, and not about using /etc/firejail instead of ~/.config/firejail.


@ssokolow commented on GitHub (Mar 26, 2022):

For anyone who wanders in off a search engine looking to fix this on a machine where GNOME isn't even installed (and thus, being conditional isn't a concern), here's what I tossed into /etc/firejail/evince.local to restore Evince to the behaviour I get without Firejail:

```
env LD_PRELOAD=libgtk3-nocsd.so.0
private-lib libgtk3-nocsd.so.0
```