[GH-ISSUE #3774] Tray-icon researches #2379

New issue

Closed

opened 2026-05-05 09:03:38 -06:00 by gitea-mirror · 1 comment

gitea-mirror commented

2026-05-05 09:03:38 -06:00

Owner

Originally created by @rusty-snake on GitHub (Nov 26, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3774

There are many tray-icon standards:

XEmbed.
- is legacy
- uses X
- has no wayland support therefore
- independent on DBus
A Unity/Ubuntu special standard
- not implemented in Xfce, KDE, ...
- applications cann't relay on it
StatusNotifierItem (freedesktop) (org.freedesktop.StatusNotifierWatcher)
- actually there is no implementation by Apps or DE (has xfce one?)
- was submitted by kde based on the one below
KStatusNotifierItem (KDE) (org.kde.StatusNotifierWatcher)
- is used by sway, GNOME via shell-extension, KDE, ...
- KDE has maybe some additional additions
- I tested under GNOME for now
- this it the one I focus below
...

Which dbus rules are requiered for KStatusNotifierItem?

dbus-user.talk org.kde.StatusNotifierWatcher
- This is unsafe and allows sandbox escapes
- This is always required
dbus-user.own <APP-ID> (or dbus-user.own <Apps Indicator Service> but I never saw it)
- This is required by apps using libayatana (e.g. transmission-gtk)
dbus-user.own org.kde.StatusNotifierItem-<PID>-<ID>
- This is required by apps strictly following the spec (e.g. Qt based)
- YES YOU READ IT RIGHT, <PID>!! fuck yeah!
- The pid is part of the name, meaning you need to add dbus-user.own org.kde.* (obviously unsafe)
- The pid inside the sandbox is used, this means
  - These names are a bit stable if it is for example the second process in the sandbox which registers a tray-icon
  - Names can conflict and apps likely don't expect a other program with the same pid

Originally created by @rusty-snake on GitHub (Nov 26, 2020). Original GitHub issue: https://github.com/netblue30/firejail/issues/3774 ### There are many tray-icon standards: - [XEmbed](https://specifications.freedesktop.org/xembed-spec/xembed-spec-latest.html). - is legacy - uses X - has no wayland support therefore - independent on DBus - A Unity/Ubuntu special standard - not implemented in Xfce, KDE, ... - applications cann't relay on it - [StatusNotifierItem (freedesktop)](https://freedesktop.org/wiki/Specifications/StatusNotifierItem/) (`org.freedesktop.StatusNotifierWatcher`) - actually there is no implementation by Apps or DE (has xfce one?) - was submitted by kde based on the one below - KStatusNotifierItem (KDE) (`org.kde.StatusNotifierWatcher`) - is used by sway, GNOME [via shell-extension](https://github.com/ubuntu/gnome-shell-extension-appindicator), KDE, ... - KDE has maybe some additional additions - I tested under GNOME for now - this it the one I focus below - ... ### Which dbus rules are requiered for KStatusNotifierItem? - `dbus-user.talk org.kde.StatusNotifierWatcher` - This is **unsafe** and allows sandbox escapes - This is always required - `dbus-user.own <APP-ID>` (or `dbus-user.own <Apps Indicator Service>` but I never saw it) - This is required by apps using libayatana (e.g. transmission-gtk) - `dbus-user.own org.kde.StatusNotifierItem-<PID>-<ID>` - This is required by apps strictly following the spec (e.g. Qt based) - YES YOU READ IT RIGHT, `<PID>`!! fuck yeah! - The pid is part of the name, meaning you need to add `dbus-user.own org.kde.*` (obviously **unsafe**) - The pid _inside_ the sandbox is used, this means - These names are a bit stable if it is for example the second process in the sandbox which registers a tray-icon - Names can conflict and apps likely don't expect a other program with the same pid

gitea-mirror

2026-05-05 09:03:38 -06:00

closed this issue
added the
information_old

converted-to-discussion
labels

gitea-mirror commented

2026-05-05 09:03:41 -06:00

Author

Owner

@rusty-snake commented on GitHub (Feb 26, 2021):

The pid is part of the name, meaning you need to add dbus-user.own org.kde.* (obviously unsafe)

The alternative is to add hundreds of dbus-user.own org.kde.StatusNotifierItem-<PID>-<ID> commands. However, this takes endless to start firejal.

with open("/proc/sys/kernel/pid_max", "r") as pid_max_fd:
    pid_max = int(pid_max_fd.read())

with open("snw.inc", "w") as snw_inc:
    snw_inc.write("dbus-user.call org.kde.StatusNotifierWatcher=org.freedesktop.DBus.Introspectable.*\n")
    snw_inc.write("dbus-user.call org.kde.StatusNotifierWatcher=org.freedesktop.DBus.Properties.*\n")
    snw_inc.write("dbus-user.call org.kde.StatusNotifierWatcher=org.kde.StatusNotifierWatcher.*@/StatusNotifierWatcher\n")
    for pid in range(pid_max):
        for i in range(9):
            snw_inc.write(f"dbus-user.own org.kde.StatusNotifierItem-{pid}-{i}\n")

@rusty-snake commented on GitHub (Feb 26, 2021): > The pid is part of the name, meaning you need to add `dbus-user.own org.kde.*` (obviously **unsafe**) The alternative is to add hundreds of `dbus-user.own org.kde.StatusNotifierItem-<PID>-<ID>` commands. However, this takes endless to start firejal. ```python3 with open("/proc/sys/kernel/pid_max", "r") as pid_max_fd: pid_max = int(pid_max_fd.read()) with open("snw.inc", "w") as snw_inc: snw_inc.write("dbus-user.call org.kde.StatusNotifierWatcher=org.freedesktop.DBus.Introspectable.*\n") snw_inc.write("dbus-user.call org.kde.StatusNotifierWatcher=org.freedesktop.DBus.Properties.*\n") snw_inc.write("dbus-user.call org.kde.StatusNotifierWatcher=org.kde.StatusNotifierWatcher.*@/StatusNotifierWatcher\n") for pid in range(pid_max): for i in range(9): snw_inc.write(f"dbus-user.own org.kde.StatusNotifierItem-{pid}-{i}\n") ```

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2379

No description provided.

Rows
Columns