github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #3769] firefox: DBus user socket was not found #2376

New issue
Open
opened 2026-05-05 09:03:25 -06:00 by gitea-mirror · 20 comments
gitea-mirror commented 2026-05-05 09:03:25 -06:00
Owner
Copy link

Originally created by @lupusbytes on GitHub (Nov 22, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3769

Bug and expected behavior

  • Describe the bug.
    Firefox does not start, instead it prints:
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
DBus user socket was not found.
No proxies specified
  • What did you expect to happen?
    Firefox starting

No profile and disabling firejail
Firefox works just fine without firejail

Reproduce
Steps to reproduce the behavior:

  1. Run in bash firejail firefox

Environment

  • Linux distribution and version (ie output of lsb_release -a, screenfetch or cat /etc/os-release)
    Gentoo Linux, Kernel 5.9.9
  • Firejail version
    firejail version 0.9.65

Compile time support:
- AppArmor support is disabled
- AppImage support is enabled
- chroot support is enabled
- D-BUS proxy support is enabled
- file and directory whitelisting support is enabled
- file transfer support is enabled
- firetunnel support is disabled
- networking support is enabled
- overlayfs support is enabled
- private-home support is enabled
- private-cache and tmpfs as user enabled
- SELinux support is disabled
- user namespace support is enabled
- X11 sandboxing support is enabled

Additional context
Other context about the problem like related errors to understand the problem.
I think the issue started after my latest kernel upgrade, to 5.9.9 from 5.9.6.

debug output 
OUTPUT OF firejail --debug firefox
Autoselecting /bin/bash as shell
Building quoted command line: 'firefox'
Command name #firefox#
Found firefox.profile profile in /etc/firejail directory
Reading profile /etc/firejail/firefox.profile
Found whitelist-usr-share-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Found firefox-common.profile profile in /etc/firejail directory
Reading profile /etc/firejail/firefox-common.profile
Found disable-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-common.inc
Found disable-devel.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-devel.inc
Found disable-exec.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-exec.inc
Found disable-interpreters.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-interpreters.inc
Found disable-programs.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-programs.inc
Found whitelist-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/whitelist-common.inc
Found whitelist-runuser-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/whitelist-runuser-common.inc
Found whitelist-var-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/whitelist-var-common.inc
conditional BROWSER_DISABLE_U2F, nou2f
conditional BROWSER_DISABLE_U2F, private-dev
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
DISPLAY=:0 parsed as 0
DBus user socket was not found.
starting xdg-dbus-proxy
sbox exec: /usr/bin/xdg-dbus-proxy --fd=8 --args=9
Dropping all capabilities
Drop privileges: pid 25925, uid 1000, gid 1000, nogroups 1
No supplementary groups
lupus@thinkpad ~ $ No proxies specified
Originally created by @lupusbytes on GitHub (Nov 22, 2020). Original GitHub issue: https://github.com/netblue30/firejail/issues/3769 **Bug and expected behavior** - Describe the bug. Firefox does not start, instead it prints: ``` Reading profile /etc/firejail/firefox.profile Reading profile /etc/firejail/whitelist-usr-share-common.inc Reading profile /etc/firejail/firefox-common.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-exec.inc Reading profile /etc/firejail/disable-interpreters.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/whitelist-common.inc Reading profile /etc/firejail/whitelist-runuser-common.inc Reading profile /etc/firejail/whitelist-var-common.inc Seccomp list in: !chroot, check list: @default-keep, prelist: unknown, DBus user socket was not found. No proxies specified ``` - What did you expect to happen? Firefox starting **No profile and disabling firejail** Firefox works just fine without firejail **Reproduce** Steps to reproduce the behavior: 1. Run in bash `firejail firefox` **Environment** - Linux distribution and version (ie output of `lsb_release -a`, `screenfetch` or `cat /etc/os-release`) Gentoo Linux, Kernel 5.9.9 - Firejail version firejail version 0.9.65 Compile time support: - AppArmor support is disabled - AppImage support is enabled - chroot support is enabled - D-BUS proxy support is enabled - file and directory whitelisting support is enabled - file transfer support is enabled - firetunnel support is disabled - networking support is enabled - overlayfs support is enabled - private-home support is enabled - private-cache and tmpfs as user enabled - SELinux support is disabled - user namespace support is enabled - X11 sandboxing support is enabled **Additional context** Other context about the problem like related errors to understand the problem. I think the issue started after my latest kernel upgrade, to 5.9.9 from 5.9.6. <details><summary> debug output </summary> ``` OUTPUT OF firejail --debug firefox Autoselecting /bin/bash as shell Building quoted command line: 'firefox' Command name #firefox# Found firefox.profile profile in /etc/firejail directory Reading profile /etc/firejail/firefox.profile Found whitelist-usr-share-common.inc profile in /etc/firejail directory Reading profile /etc/firejail/whitelist-usr-share-common.inc Found firefox-common.profile profile in /etc/firejail directory Reading profile /etc/firejail/firefox-common.profile Found disable-common.inc profile in /etc/firejail directory Reading profile /etc/firejail/disable-common.inc Found disable-devel.inc profile in /etc/firejail directory Reading profile /etc/firejail/disable-devel.inc Found disable-exec.inc profile in /etc/firejail directory Reading profile /etc/firejail/disable-exec.inc Found disable-interpreters.inc profile in /etc/firejail directory Reading profile /etc/firejail/disable-interpreters.inc Found disable-programs.inc profile in /etc/firejail directory Reading profile /etc/firejail/disable-programs.inc Found whitelist-common.inc profile in /etc/firejail directory Reading profile /etc/firejail/whitelist-common.inc Found whitelist-runuser-common.inc profile in /etc/firejail directory Reading profile /etc/firejail/whitelist-runuser-common.inc Found whitelist-var-common.inc profile in /etc/firejail directory Reading profile /etc/firejail/whitelist-var-common.inc conditional BROWSER_DISABLE_U2F, nou2f conditional BROWSER_DISABLE_U2F, private-dev Seccomp list in: !chroot, check list: @default-keep, prelist: unknown, DISPLAY=:0 parsed as 0 DBus user socket was not found. starting xdg-dbus-proxy sbox exec: /usr/bin/xdg-dbus-proxy --fd=8 --args=9 Dropping all capabilities Drop privileges: pid 25925, uid 1000, gid 1000, nogroups 1 No supplementary groups lupus@thinkpad ~ $ No proxies specified ``` </details>
gitea-mirror commented 2026-05-05 09:03:28 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Nov 22, 2020):

#3689

<!-- gh-comment-id:731782946 --> @rusty-snake commented on GitHub (Nov 22, 2020): #3689
gitea-mirror commented 2026-05-05 09:03:29 -06:00
Author
Owner
Copy link

@lupusbytes commented on GitHub (Nov 22, 2020):

Reading from the other issue i found

As a workaround dbus-user none might work.

This also seems to work for me

Where does it listen? /run/user/UID/bus?

I have a directory called /run/user/1000/dbus-1 is that what you mean ?

<!-- gh-comment-id:731833354 --> @lupusbytes commented on GitHub (Nov 22, 2020): Reading from the other issue i found > As a workaround dbus-user none might work. This also seems to work for me > Where does it listen? /run/user/UID/bus? I have a directory called `/run/user/1000/dbus-1` is that what you mean ?
gitea-mirror commented 2026-05-05 09:03:29 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Nov 23, 2020):

What files are in /run/user/1000/dbus-1?

What's the output of echo $DBUS_SESSION_BUS_ADDRESS? If it is empty, does DBUS_SESSION_BUS_ADDRESS=/run/user/1000/dbus-1/BUS firejail firefox work? (Replace BUS with bus or user_bus_socket or whatever is inside this directory).

<!-- gh-comment-id:732074089 --> @rusty-snake commented on GitHub (Nov 23, 2020): What files are in /run/user/1000/dbus-1? What's the output of `echo $DBUS_SESSION_BUS_ADDRESS`? If it is empty, does `DBUS_SESSION_BUS_ADDRESS=/run/user/1000/dbus-1/BUS firejail firefox` work? (Replace `BUS` with `bus` or `user_bus_socket` or whatever is inside this directory).
gitea-mirror commented 2026-05-05 09:03:30 -06:00
Author
Owner
Copy link

@lupusbytes commented on GitHub (Nov 23, 2020):

What files are in /run/user/1000/dbus-1?

# tree /run/user/1000/dbus-1/
/run/user/1000/dbus-1/
└── services

What's the output of echo $DBUS_SESSION_BUS_ADDRESS?

nothing.

If it is empty, does DBUS_SESSION_BUS_ADDRESS=/run/user/1000/dbus-1/BUS firejail firefox work? (Replace BUS with bus or user_bus_socket or whatever is inside this directory).

DBUS_SESSION_BUS_ADDRESS=/run/user/1000/dbus-1/services firejail firefox makes firefox able to start, but with multiple warnings like
** (process:2950): WARNING **: 18:29:33.150: Failed to connect to bus: Address element ?/run/user/1000/dbus-1/services? does not contain a colon (:)

Note that I am running Gentoo Linux with OpenRC and not systemd. The distribution in the other bug #3689, is also using OpenRC. Could this be related ?

<!-- gh-comment-id:732313861 --> @lupusbytes commented on GitHub (Nov 23, 2020): > What files are in /run/user/1000/dbus-1? ``` # tree /run/user/1000/dbus-1/ /run/user/1000/dbus-1/ └── services ``` > What's the output of `echo $DBUS_SESSION_BUS_ADDRESS`? nothing. >If it is empty, does `DBUS_SESSION_BUS_ADDRESS=/run/user/1000/dbus-1/BUS firejail firefox` work? (Replace `BUS` with `bus` or `user_bus_socket` or whatever is inside this directory). `DBUS_SESSION_BUS_ADDRESS=/run/user/1000/dbus-1/services firejail firefox` makes firefox able to start, but with multiple warnings like `** (process:2950): WARNING **: 18:29:33.150: Failed to connect to bus: Address element ?/run/user/1000/dbus-1/services? does not contain a colon (:)` Note that I am running Gentoo Linux with OpenRC and not systemd. The distribution in the other bug #3689, is also using OpenRC. Could this be related ?
gitea-mirror commented 2026-05-05 09:03:31 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Nov 23, 2020):

/run/user/1000/dbus-1/
└── services

If that's not a socket, ignore the rest of this comment.

DBUS_SESSION_BUS_ADDRESS=/run/user/1000/dbus-1/services firejail firefox makes firefox able to start, but with multiple warnings like … ?/run/user/1000/dbus-1/services? does not contain a colon (:)

Sorry I give you the wrong format. Right is DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/dbus-1/services. wruc (whitelist-runuser-common.inc) maybe intervene too.

Note that I am running Gentoo Linux with OpenRC and not systemd. The distribution in the other bug #3689, is also using OpenRC. Could this be related ?

It is pretty sure the same reason. As both have DBUS_SESSION_BUS_ADDRESS not set and don't use one of the hardcoded paths. If it works with the env-var hack above, a DBUS_USER_SOCKET_FORMAT3 would likely fix it.

3a3c1007d7/src/firejail/dbus.c (L36-L37)

<!-- gh-comment-id:732322735 --> @rusty-snake commented on GitHub (Nov 23, 2020): > /run/user/1000/dbus-1/ └── services If that's not a socket, ignore the rest of this comment. > DBUS_SESSION_BUS_ADDRESS=/run/user/1000/dbus-1/services firejail firefox makes firefox able to start, but with multiple warnings like … ?/run/user/1000/dbus-1/services? does not contain a colon (:) Sorry I give you the wrong format. Right is `DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/dbus-1/services`. wruc (whitelist-runuser-common.inc) maybe intervene too. > Note that I am running Gentoo Linux with OpenRC and not systemd. The distribution in the other bug #3689, is also using OpenRC. Could this be related ? It is pretty sure the same reason. As both have `DBUS_SESSION_BUS_ADDRESS` not set and don't use one of the hardcoded paths. If it works with the env-var hack above, a `DBUS_USER_SOCKET_FORMAT3` would likely fix it. https://github.com/netblue30/firejail/blob/3a3c1007d7c7351ef15b1d6dafca615aea133163/src/firejail/dbus.c#L36-L37
gitea-mirror commented 2026-05-05 09:03:31 -06:00
Author
Owner
Copy link

@lupusbytes commented on GitHub (Nov 23, 2020):

Sorry I give you the wrong format. Right is DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/dbus-1/services. wruc (whitelist-runuser-common.inc) maybe intervene too.

I'm unsure how to use whitelist-runuser-common.inc
I tried setting whitelist ${RUNUSER}/dbus-1 and whitelist ${RUNUSER}/dbus-1/services but they don't seem to have an effect.

$ DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/dbus-1/services firejail firefox
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 14525, child pid 14528
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Child process initialized in 112.14 ms
Warning: an existing sandbox was detected. /usr/bin/firefox will run without any additional sandboxing features

** (process:14526): WARNING **: 20:22:23.783: Failed to connect to bus: Could not connect: Connection refused

** (process:14526): WARNING **: 20:22:23.998: Failed to connect to bus: Could not connect: Connection refused

** (process:14526): WARNING **: 20:22:24.312: Failed to connect to bus: Could not connect: Connection refused

There is no existing sandbox running when I execute the firejail command. I verified this with firejail --list
Do you have other things to try ?

<!-- gh-comment-id:732377475 --> @lupusbytes commented on GitHub (Nov 23, 2020): >Sorry I give you the wrong format. Right is DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/dbus-1/services. wruc (whitelist-runuser-common.inc) maybe intervene too. I'm unsure how to use whitelist-runuser-common.inc I tried setting `whitelist ${RUNUSER}/dbus-1` and `whitelist ${RUNUSER}/dbus-1/services` but they don't seem to have an effect. ``` $ DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/dbus-1/services firejail firefox Reading profile /etc/firejail/firefox.profile Reading profile /etc/firejail/whitelist-usr-share-common.inc Reading profile /etc/firejail/firefox-common.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-exec.inc Reading profile /etc/firejail/disable-interpreters.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/whitelist-common.inc Reading profile /etc/firejail/whitelist-runuser-common.inc Reading profile /etc/firejail/whitelist-var-common.inc Seccomp list in: !chroot, check list: @default-keep, prelist: unknown, Parent pid 14525, child pid 14528 Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set. Seccomp list in: !chroot, check list: @default-keep, prelist: unknown, Child process initialized in 112.14 ms Warning: an existing sandbox was detected. /usr/bin/firefox will run without any additional sandboxing features ** (process:14526): WARNING **: 20:22:23.783: Failed to connect to bus: Could not connect: Connection refused ** (process:14526): WARNING **: 20:22:23.998: Failed to connect to bus: Could not connect: Connection refused ** (process:14526): WARNING **: 20:22:24.312: Failed to connect to bus: Could not connect: Connection refused ``` There is no existing sandbox running when I execute the firejail command. I verified this with `firejail --list` Do you have other things to try ?
gitea-mirror commented 2026-05-05 09:03:31 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Nov 23, 2020):

There's no "DBus user socket was not found. No proxies specified" anymore, so it seems that firejail can no find the DBus user socket and firefox gets "Connection refused".

If firejail --dbus-user=filter --dbus-user.own=org.mozilla.firefox --noprofile firefox works, the firefox.profile needs to be tweaked. If not, we need to dig in the environment. firejail --dbus-user=filter --dbus-user.own=org.mozilla.firefox --noprofile bash and then echo $DBUS_SESSION_BUS_ADDRESS should show unix:path=/run/firejail/mnt/dbus/user.

There is no existing sandbox running when I execute the firejail command. I verified this with firejail --list

This happens because the first firefox in $PATH is the firecfg symlink.

<!-- gh-comment-id:732383531 --> @rusty-snake commented on GitHub (Nov 23, 2020): There's no "DBus user socket was not found. No proxies specified" anymore, so it seems that firejail can no find the DBus user socket and firefox gets "Connection refused". If `firejail --dbus-user=filter --dbus-user.own=org.mozilla.firefox --noprofile firefox` works, the firefox.profile needs to be tweaked. If not, we need to dig in the environment. `firejail --dbus-user=filter --dbus-user.own=org.mozilla.firefox --noprofile bash` and then `echo $DBUS_SESSION_BUS_ADDRESS` should show `unix:path=/run/firejail/mnt/dbus/user`. > There is no existing sandbox running when I execute the firejail command. I verified this with firejail --list This happens because the first `firefox` in $PATH is the firecfg symlink.
gitea-mirror commented 2026-05-05 09:03:32 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Nov 23, 2020):

Did some testing in artix OpenRC (was the only OpenRC system I found with live desktop). /run/user/1000/dbus-1/services is a directory. $DBUS_SESSION_BUS_ADDRESS is set, and therefore firejail works. OpenRC usually uses dbus-launch which defaults to abstract sockets AFAICS. There is a ~/.dbus/session-bus/LONG-ID. If you source ~/.dbus/session-bus/LONG-ID && export DBUS_SESSION_BUS_ADDRESS && firejail firefox it should work I think.

<!-- gh-comment-id:732426380 --> @rusty-snake commented on GitHub (Nov 23, 2020): Did some testing in artix OpenRC (was the only OpenRC system I found with live desktop). /run/user/1000/dbus-1/services is a directory. `$DBUS_SESSION_BUS_ADDRESS` is set, and therefore firejail works. OpenRC usually uses dbus-launch which defaults to abstract sockets AFAICS. There is a `~/.dbus/session-bus/LONG-ID`. If you `source ~/.dbus/session-bus/LONG-ID && export DBUS_SESSION_BUS_ADDRESS && firejail firefox` it should work I think.
gitea-mirror commented 2026-05-05 09:03:32 -06:00
Author
Owner
Copy link

@lupusbytes commented on GitHub (Nov 24, 2020):

source ~/.dbus/session-bus/LONG-ID && export DBUS_SESSION_BUS_ADDRESS && firejail firefox
I have two different ID's

ls ~/.dbus/session-bus/
1decc0caa1bbc3b7e9f17c4b5c23ff73-0  1decc0caa1bbc3b7e9f17c4b5c23ff73-1

Using the first one works.
How would I go about setting this DBUS_SESSION_BUS_ADDRESS automatically at boot ?
I guess the reason why it's not set is that I'm not using a Desktop Environment, just a very simple tiling window manager called dwm

<!-- gh-comment-id:733135860 --> @lupusbytes commented on GitHub (Nov 24, 2020): >source ~/.dbus/session-bus/LONG-ID && export DBUS_SESSION_BUS_ADDRESS && firejail firefox I have two different ID's ``` ls ~/.dbus/session-bus/ 1decc0caa1bbc3b7e9f17c4b5c23ff73-0 1decc0caa1bbc3b7e9f17c4b5c23ff73-1 ``` Using the first one works. How would I go about setting this DBUS_SESSION_BUS_ADDRESS automatically at boot ? I guess the reason why it's not set is that I'm not using a Desktop Environment, just a very simple tiling window manager called [dwm](https://dwm.suckless.org/)
gitea-mirror commented 2026-05-05 09:03:33 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Nov 24, 2020):

How would I go about setting this DBUS_SESSION_BUS_ADDRESS automatically at boot ?

I've no knowledge of OpenRC and X11. I guess one of the X init/start scripts executes dbus-launch which could be modified to eval `dbus-launch --sh-syntax` or similar.

@kris7t can we do anything to make dbus-user filter work in such situation? Or can we only add change it to e.g Warning: DBus user socket was not found. Set DBUS_SESSION_BUS_ADDRESS or dbus-user none/ignore dbus-user filter.

<!-- gh-comment-id:733147080 --> @rusty-snake commented on GitHub (Nov 24, 2020): > How would I go about setting this DBUS_SESSION_BUS_ADDRESS automatically at boot ? I've no knowledge of OpenRC and X11. I guess one of the X init/start scripts executes `dbus-launch` which could be modified to `` eval `dbus-launch --sh-syntax` `` or similar. ----- @kris7t can we do anything to make `dbus-user filter` work in such situation? Or can we only add change it to e.g `Warning: DBus user socket was not found. Set DBUS_SESSION_BUS_ADDRESS or dbus-user none/ignore dbus-user filter`.
gitea-mirror commented 2026-05-05 09:03:33 -06:00
Author
Owner
Copy link

@kris7t commented on GitHub (Nov 24, 2020):

@rusty-snake We can change it to only emit a warning, but that's probably unsafe, because the sandboxed application still has access to the socket.

A better fix would be to try and find the socket in the filesystem somehow. But I don't know how are application supposed to find the socket (unless you eval dbus-launch --sh-syntax). Normally, you'd dbus-launch your whole user session as an argument (if you don't eval dbus-launch --sh-syntax before launching the session instead), I think, which should set the right environmental variables for the sessions. So if someone is using D-Bus, but DBUS_SESSION_BUS_ADDRESS is not set and the session bus socket is not at its well-know location, I think that's a configuration issue in the environment that should be fixed (and not fixing it is potentially dangerous, because there is a D-Bus socket around that sandboxed applications could connect to without any filtering). If I'm wrong and there's some other method for applications to find the session bus, we should add support for that, of course.

This leaves the case where somebody legitimately wants to use firejail in an environment without an active session bus. This is quite tricky, but one solution would be to essentially pgrep for /usr/bin/dbus-daemon (and maybe also dbus-launch) and only emit an error for dbus-user without a DBUS_SESSION_BUS_ADDRESS is there is at least one such process running. Otherwise we may fall back to a warning that D-Bus sandboxing was requested, but the system is currently not using D-Bus.

<!-- gh-comment-id:733154428 --> @kris7t commented on GitHub (Nov 24, 2020): @rusty-snake We can change it to only emit a warning, but that's probably unsafe, because the sandboxed application still has access to the socket. A better fix would be to try and find the socket in the filesystem somehow. But I don't know how are application supposed to find the socket (unless you eval `dbus-launch --sh-syntax`). Normally, you'd `dbus-launch` your whole user session as an argument (if you don't eval `dbus-launch --sh-syntax` before launching the session instead), I think, which should set the right environmental variables for the sessions. So if someone is using D-Bus, but `DBUS_SESSION_BUS_ADDRESS` is not set and the session bus socket is not at its well-know location, I think that's a configuration issue in the environment that should be fixed (and not fixing it is potentially dangerous, because there is a D-Bus socket around that sandboxed applications could connect to without any filtering). If I'm wrong and there's some other method for applications to find the session bus, we should add support for that, of course. This leaves the case where somebody legitimately wants to use firejail in an environment without an active session bus. This is quite tricky, but one solution would be to essentially `pgrep` for `/usr/bin/dbus-daemon` (and maybe also `dbus-launch`) and only emit an error for `dbus-user` without a `DBUS_SESSION_BUS_ADDRESS` is there is at least one such process running. Otherwise we may fall back to a warning that D-Bus sandboxing was requested, but the system is currently not using D-Bus.
gitea-mirror commented 2026-05-05 09:03:33 -06:00
Author
Owner
Copy link

@lupusbytes commented on GitHub (Nov 24, 2020):

I did som reading and found my simple approach of just having dwm in my ~/.xinitrc was not ideal.
I replaced the line with exec dbus-launch --exit-with-session dwm and now echo $DBUS_SESSION_BUS_ADDRESS outputs
unix:abstract=/tmp/dbus-g5jO7666uf,guid=b6f2501f4e39fdd5c91c2e635fbd629d

<!-- gh-comment-id:733197464 --> @lupusbytes commented on GitHub (Nov 24, 2020): I did som reading and found my simple approach of just having `dwm` in my `~/.xinitrc` was not ideal. I replaced the line with `exec dbus-launch --exit-with-session dwm` and now `echo $DBUS_SESSION_BUS_ADDRESS` outputs `unix:abstract=/tmp/dbus-g5jO7666uf,guid=b6f2501f4e39fdd5c91c2e635fbd629d`
gitea-mirror commented 2026-05-05 09:03:34 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Nov 25, 2020):

ok, IMHO it's then enough to improve the error message.

<!-- gh-comment-id:733852107 --> @rusty-snake commented on GitHub (Nov 25, 2020): ok, IMHO it's then enough to improve the error message.
gitea-mirror commented 2026-05-05 09:03:34 -06:00
Author
Owner
Copy link

@seniorm0ment commented on GitHub (Dec 1, 2020):

I just updated my firejail configs, I am having this issue as well, I can't say I entirely understand the above comments.
I am on Artix, using OpenRC.
My old Firecfg profile for Firefox didn't have the dbus lines at the bottom, commenting these out fixed the issue and it works, but I assume they were added for a reason.

Edit: hm, same issue with keepassxc, commenting out the dbus filter line fixed it

Edit 2: looks like changing filter to none (as seen in #3689) works on both keepassxc, and firefox. Is this the ideal solution?

On a sidenote, is there anyway to stay up to date with the new firejail configs, but without them overwriting your original modifications? I havs them in home .config, and it doesn't overwrite them, however I had to manually remove them, run sudo firecfg to get the new ones, or I would have never known it got updated.

<!-- gh-comment-id:736713145 --> @seniorm0ment commented on GitHub (Dec 1, 2020): I just updated my firejail configs, I am having this issue as well, I can't say I entirely understand the above comments. I am on Artix, using OpenRC. My old Firecfg profile for Firefox didn't have the dbus lines at the bottom, commenting these out fixed the issue and it works, but I assume they were added for a reason. Edit: hm, same issue with keepassxc, commenting out the dbus filter line fixed it Edit 2: looks like changing filter to none (as seen in #3689) works on both keepassxc, and firefox. Is this the ideal solution? On a sidenote, is there anyway to stay up to date with the new firejail configs, but without them overwriting your original modifications? I havs them in home .config, and it doesn't overwrite them, however I had to manually remove them, run sudo firecfg to get the new ones, or I would have never known it got updated.
gitea-mirror commented 2026-05-05 09:03:35 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Dec 1, 2020):

Summary: You need to ensure that $DBUS_SESSION_BUS_ADDRESS is set. You can do this by adding eval `dbus-launch --sh-syntax` or exec dbus-launch --exit-with-session dwm for example to your xinitrc or whatever session start script you have.

Firefox didn't have the dbus lines at the bottom, commenting these out fixed the issue and it works, but I assume they were added for a reason. … commenting out the dbus filter line fixed it

Using dbus-user none is better (more secure) then ignore dbus-user filter if possible (as workaround). dbus-system none need no change.

hm, same issue with keepassxc,

strictly speaking: same issue with all profile containing dbus-user filter.

Is this the ideal solution?

This is more secure then filter, however, it does not work for all programs.

On a sidenote, is there anyway to stay up to date with the new firejail configs, but without them overwriting your original modifications? I havs them in home .config, and it doesn't overwrite them, however I had to manually remove them, run sudo firecfg to get the new ones, or I would have never known it got updated.

Just create a .local in ~/.config/firejail (or /etc/firejail). Example:

echo "blacklist ${HOME}/this_is_private" >> ~/.config/firejail/firefox.local
echo "ignore nodvd" >> ~/.config/firejail/firefox.local
<!-- gh-comment-id:736722378 --> @rusty-snake commented on GitHub (Dec 1, 2020): Summary: You need to ensure that `$DBUS_SESSION_BUS_ADDRESS` is set. You can do this by adding `` eval `dbus-launch --sh-syntax` `` or ``exec dbus-launch --exit-with-session dwm`` for example to your `xinitrc` or whatever session start script you have. > Firefox didn't have the dbus lines at the bottom, commenting these out fixed the issue and it works, but I assume they were added for a reason. … commenting out the dbus filter line fixed it Using `dbus-user none` is better (more secure) then `ignore dbus-user filter` if possible (as workaround). `dbus-system none` need no change. > hm, same issue with keepassxc, strictly speaking: same issue with all profile containing `dbus-user filter`. > Is this the ideal solution? This is more secure then `filter`, however, it does not work for all programs. > On a sidenote, is there anyway to stay up to date with the new firejail configs, but without them overwriting your original modifications? I havs them in home .config, and it doesn't overwrite them, however I had to manually remove them, run sudo firecfg to get the new ones, or I would have never known it got updated. Just create a `.local` in `~/.config/firejail` (or `/etc/firejail`). Example: ``` echo "blacklist ${HOME}/this_is_private" >> ~/.config/firejail/firefox.local echo "ignore nodvd" >> ~/.config/firejail/firefox.local ```
gitea-mirror commented 2026-05-05 09:03:35 -06:00
Author
Owner
Copy link

@seniorm0ment commented on GitHub (Dec 1, 2020):

I added the second one to my xinit and it didn't work.

sxhkd &
exec bspwm
exec dbus-launch --exit-with-session bspwm

Is my xinit, I tried adding it at the top but it broke my sxhkd.

<!-- gh-comment-id:736735553 --> @seniorm0ment commented on GitHub (Dec 1, 2020): I added the second one to my xinit and it didn't work. ``` sxhkd & exec bspwm exec dbus-launch --exit-with-session bspwm ``` Is my xinit, I tried adding it at the top but it broke my sxhkd.
gitea-mirror commented 2026-05-05 09:03:36 -06:00
Author
Owner
Copy link

@kris7t commented on GitHub (Dec 1, 2020):

I think your whole desktop should run in dbus-launch. For example, you make

exec dbus-lauch --exit-with-session ~/.local/bin/desktop-session.sh

your .xinitrc and then put

#!/usr/bin/env bash
sxhkd &
exec bspwm

into ~/.local/bin/desktop-session.sh.

Although if you wanted to be fancy, I guess something like

exec dbus-launch --exit-with-session bash <<EOF
sxhkd &
exec bspwm
EOF

would also work.

<!-- gh-comment-id:736739719 --> @kris7t commented on GitHub (Dec 1, 2020): I think your whole desktop should run in `dbus-launch`. For example, you make ``` exec dbus-lauch --exit-with-session ~/.local/bin/desktop-session.sh ``` your `.xinitrc` and then put ``` #!/usr/bin/env bash sxhkd & exec bspwm ``` into `~/.local/bin/desktop-session.sh`. Although if you wanted to be fancy, I guess something like ``` exec dbus-launch --exit-with-session bash <<EOF sxhkd & exec bspwm EOF ``` would also work.
gitea-mirror commented 2026-05-05 09:03:36 -06:00
Author
Owner
Copy link

@seniorm0ment commented on GitHub (Dec 1, 2020):

I did the latter (EOF), it seems to have worked, I swapped the profiles back to filter and they launch.
I am curious though, should I have an output for the echo dbus sessipn address? As it is currently empty, as it was previously.

Also is there any chance you could provide a ELI5 explanation as to why the dbus commands were added to the configs, and how they're used? I'm not too familiar with dbus, however I haven't seen anyone else do this (dbus launch script), they generally just use xinitrc withojt a dbuslaunch line either. It looks like dbus is rather important, which makes me wonder why things worked fine before (ignoring the lines being added to firejail configs, I mean my system itself didn't have issues without my desktop running in dbus):

<!-- gh-comment-id:736751259 --> @seniorm0ment commented on GitHub (Dec 1, 2020): I did the latter (EOF), it seems to have worked, I swapped the profiles back to filter and they launch. I am curious though, should I have an output for the echo dbus sessipn address? As it is currently empty, as it was previously. Also is there any chance you could provide a ELI5 explanation as to why the dbus commands were added to the configs, and how they're used? I'm not too familiar with dbus, however I haven't seen anyone else do this (dbus launch script), they generally just use xinitrc withojt a dbuslaunch line either. It looks like dbus is rather important, which makes me wonder why things worked fine before (ignoring the lines being added to firejail configs, I mean my system itself didn't have issues without my desktop running in dbus):
gitea-mirror commented 2026-05-05 09:03:37 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Dec 1, 2020):

Also is there any chance you could provide a ELI5 explanation as to why the dbus commands were added to the configs, and how they're used?

D-Bus is a great way to escape from a sandbox. That's why firejail 0.9.54 added the nodbus command to block the session bus. Since 0.9.60, this command blocks the system bus too. Firejail 0.9.64 split this in dbus-user none (block session bus) and dbus-system none (block system bus) because there are a lot programs which require the session bus but don't need/use the system bus. In addition firejail 0.9.64 added dbus-(user|system) filter to use xdg-dbus-proxy to allow access to the session/system bus, but only for whitelisted names.

I am curious though, should I have an output for the echo dbus sessipn address? As it is currently empty, as it was previously.

Either you made a typo or dbus-launch added a socket to one of the hardcoded places.

<!-- gh-comment-id:736787247 --> @rusty-snake commented on GitHub (Dec 1, 2020): > Also is there any chance you could provide a ELI5 explanation as to why the dbus commands were added to the configs, and how they're used? D-Bus is a great way to escape from a sandbox. That's why firejail 0.9.54 added the `nodbus` command to block the session bus. Since 0.9.60, this command blocks the system bus too. Firejail 0.9.64 split this in `dbus-user none` (block session bus) and `dbus-system none` (block system bus) because there are a lot programs which require the session bus but don't need/use the system bus. In addition firejail 0.9.64 added `dbus-(user|system) filter` to use xdg-dbus-proxy to allow access to the session/system bus, but only for whitelisted names. > I am curious though, should I have an output for the echo dbus sessipn address? As it is currently empty, as it was previously. Either you made a typo or dbus-launch added a socket to one of the hardcoded places.
gitea-mirror commented 2026-05-05 09:03:37 -06:00
Author
Owner
Copy link

@kris7t commented on GitHub (Dec 1, 2020):

Another key point is that it's much better to run with a D-Bus server in your session (systemd user sessions start one anyways) than without, because then at least we know where the bus socket is. The point being, if a privileged application (say, a notification daemon) started up a D-Bus user daemon and it placed a socket in some random filesystem location or as a named socket, sandboxed applications could find that socket and potentially escape through it.

So by ensuring that there's a user D-Bus daemon at all times, we know that we only need to control access to it, and not to some other random socket. Of course, privileged applications could just randomly decide to expose some IPC mechanism in a place that's not easily blocklistable for sandboxing, but that's relatively rarer, and such applications would arguably be broken in terms of security. But D-Bus is nearly ubiquitous for in-session IPC (especially in Gnome and KDE), so declaring any application that uses it broken is untenable.

Note that accidentally starting a D-Bus daemon within a sandbox is much less dangerous, because we could only use it break into a sandbox, not out of, and oftentimes the socked wouldn't even be visible outside the sandbox due to allowlisting.

<!-- gh-comment-id:736796695 --> @kris7t commented on GitHub (Dec 1, 2020): Another key point is that it's much better to run with a D-Bus server in your session (systemd user sessions start one anyways) than without, because then at least we know where the bus socket is. The point being, if a privileged application (say, a notification daemon) started up a D-Bus user daemon and it placed a socket in some random filesystem location or as a named socket, sandboxed applications could find that socket and potentially escape through it. So by ensuring that there's a user D-Bus daemon at all times, we know that we only need to control access to it, and not to some other random socket. Of course, privileged applications could just randomly decide to expose some IPC mechanism in a place that's not easily blocklistable for sandboxing, but that's relatively rarer, and such applications would arguably be broken in terms of security. But D-Bus is nearly ubiquitous for in-session IPC (especially in Gnome and KDE), so declaring any application that uses it broken is untenable. Note that accidentally starting a D-Bus daemon within a sandbox is much less dangerous, because we could only use it break into a sandbox, not out of, and oftentimes the socked wouldn't even be visible outside the sandbox due to allowlisting.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2376
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?