[GH-ISSUE #3949] firejail not terminated after browser is killed

gitea-mirror commented

2026-05-05 09:08:57 -06:00

Owner

Originally created by @domivogt on GitHub (Feb 6, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3949

Running iceweasel or seamonkey through a shell script like this:

#!/bin/sh
/usr/local/bin/firejail --shell=none --noautopulse ... --profile=.../seamonkey.profile /usr/bin/iceweasel

Problem is, when the browser is killed, the firejail processes remain running:

$ pstree | grep seamonkey
seamonkey---firejail---firejail-+-dbus-daemon (or chroot-helper or dbus-laucher)

So, the dbus stuff gets started when seamonkey/iceweasel need pulseaudio, but they don't terminate when the browser dies, and keep firejail running. (Things worked fine when browsers still supported alsa.)

Is there a way to force firejail to kill the remaining children when the browser process dies?

Originally created by @domivogt on GitHub (Feb 6, 2021). Original GitHub issue: https://github.com/netblue30/firejail/issues/3949 Running iceweasel or seamonkey through a shell script like this: #!/bin/sh /usr/local/bin/firejail --shell=none --noautopulse ... --profile=.../seamonkey.profile /usr/bin/iceweasel Problem is, when the browser is killed, the firejail processes remain running: $ pstree | grep seamonkey seamonkey---firejail---firejail-+-dbus-daemon (or chroot-helper or dbus-laucher) So, the dbus stuff gets started when seamonkey/iceweasel need pulseaudio, but they don't terminate when the browser dies, and keep firejail running. (Things worked fine when browsers still supported alsa.) Is there a way to force firejail to kill the remaining children when the browser process dies?

gitea-mirror

2026-05-05 09:08:57 -06:00

closed this issue
added the
duplicate
label

gitea-mirror commented

2026-05-05 09:09:01 -06:00

Author

Owner

@rusty-snake commented on GitHub (Feb 7, 2021):

Likely a duplicate of #928 and some other. I thing we have few issues like this.

seamonkey---firejail---firejail-+-dbus-daemon (or chroot-helper or dbus-laucher)

Why is there a dbus-deamon running in the sandbox? Do you use a SysVinit system like void or an other "not standard" distro?
Also what firejail version do you use?

Is there a way to force firejail to kill the remaining children when the browser process dies?

Actually no, and how should it know which child should be waited on and which should be killed?

@rusty-snake commented on GitHub (Feb 7, 2021): Likely a duplicate of #928 and some other. I thing we have few issues like this. > seamonkey---firejail---firejail-+-dbus-daemon (or chroot-helper or dbus-laucher) Why is there a dbus-deamon running in the sandbox? Do you use a SysVinit system like void or an other "not standard" distro? Also what firejail version do you use? > Is there a way to force firejail to kill the remaining children when the browser process dies? Actually no, and how should it know which child should be waited on and which should be killed?

gitea-mirror commented

2026-05-05 09:09:01 -06:00

Author

Owner

@domivogt commented on GitHub (Feb 9, 2021):

Why is there a dbus-deamon running in the sandbox?

I don't have the faintest idea. There's one running outside of the sandbox. Neither firejail nor iceweasel complain about dbus.

Do you use a SysVinit system like void or an other "not standard" distro?

Yes, Devuan, without a desktop environment and all other stuff that is not strictly required.

Also what firejail version do you use?

Built from source:

$ firejail --version

firejail version 0.9.62

Compile time support:
- AppArmor support is disabled
- AppImage support is enabled
- chroot support is enabled
- file and directory whitelisting support is enabled
- file transfer support is enabled
- firetunnel support is enabled
- networking support is enabled
- overlayfs support is enabled
- private-home support is enabled
- seccomp-bpf support is enabled
- user namespace support is enabled
- X11 sandboxing support is enabled

how should it know which child should be waited on and which should be killed

Is it at least possible to give a firejail instance some kind of static id (like the program name), and in the start script kill all firejail processes using that id if they're still running? Hypthetical syntax:

$ firejail --killall iceweasel

Well, I could record the PID of the firejal process and kill t if a new one s started.

@domivogt commented on GitHub (Feb 9, 2021): > Why is there a dbus-deamon running in the sandbox? I don't have the faintest idea. There's one running outside of the sandbox. Neither firejail nor iceweasel complain about dbus. > Do you use a SysVinit system like void or an other "not standard" distro? Yes, Devuan, without a desktop environment and all other stuff that is not strictly required. > Also what firejail version do you use? Built from source: $ firejail --version firejail version 0.9.62 Compile time support: - AppArmor support is disabled - AppImage support is enabled - chroot support is enabled - file and directory whitelisting support is enabled - file transfer support is enabled - firetunnel support is enabled - networking support is enabled - overlayfs support is enabled - private-home support is enabled - seccomp-bpf support is enabled - user namespace support is enabled - X11 sandboxing support is enabled > how should it know which child should be waited on and which should be killed Is it at least possible to give a firejail instance some kind of static id (like the program name), and in the start script kill all firejail processes using that id if they're still running? Hypthetical syntax: $ firejail --killall iceweasel Well, I could record the PID of the firejal process and kill t if a new one s started.

gitea-mirror commented

2026-05-05 09:09:02 -06:00

Author

Owner

@domivogt commented on GitHub (Feb 9, 2021):

Okay, this works as a very ugly workaround:

--
#!/usr/bin/bash

set -C
set -u

PIDFILE="$HOME/.iceweasel.pid"
if test -f "$PIDFILE"; then
read PID < "$PIDFILE"
kill "$PID"
unset PID
fi
rm -f "$PIDFILE"

/usr/local/bin/firejail /usr/bin/iceweasel &!

umask 077
echo "$!" > "$PIDFILE"

@domivogt commented on GitHub (Feb 9, 2021): Okay, this works as a very ugly workaround: -- #!/usr/bin/bash set -C set -u PIDFILE="$HOME/.iceweasel.pid" if test -f "$PIDFILE"; then read PID < "$PIDFILE" kill "$PID" unset PID fi rm -f "$PIDFILE" /usr/local/bin/firejail <options> /usr/bin/iceweasel &! umask 077 echo "$!" > "$PIDFILE" --

gitea-mirror commented

2026-05-05 09:09:03 -06:00

Author

Owner

@ghost commented on GitHub (Feb 9, 2021):

#!/bin/sh
/usr/local/bin/firejail --shell=none --noautopulse ... --profile=.../seamonkey.profile /usr/bin/iceweasel

Please provide the full command line. We can't be of much help without eyes on all the arguments you have in your script. Also, why are you running iceweasel with the seamonkey profile? Firejail 0.9.62 comes with a dedicated iceweasel.profile. The latter, via redirects through to firefox.profile and firefox.common.profile, contains 'nodbus', while the 0.9.62 seamonkey.profile does not. Not sure if that accounts for the dbus-daemon running in the sandbox.

$ firejail --killall iceweasel

Have you tried the firejail --shutdown=foo yet? For example, if you provide the --name=myweasel option you can call it as firejail --shutdown=myweasel. See 'man firejail' for more info.

@ghost commented on GitHub (Feb 9, 2021): > #!/bin/sh /usr/local/bin/firejail --shell=none --noautopulse ... --profile=.../seamonkey.profile /usr/bin/iceweasel Please provide the _full_ command line. We can't be of much help without eyes on all the arguments you have in your script. Also, why are you running iceweasel with the seamonkey profile? Firejail 0.9.62 comes with a dedicated iceweasel.profile. The latter, via redirects through to firefox.profile and firefox.common.profile, contains 'nodbus', while the 0.9.62 seamonkey.profile does not. Not sure if that accounts for the dbus-daemon running in the sandbox. > $ firejail --killall iceweasel Have you tried the firejail --shutdown=foo yet? For example, if you provide the --name=myweasel option you can call it as `firejail --shutdown=myweasel`. See 'man firejail' for more info.

gitea-mirror commented

2026-05-05 09:09:04 -06:00

Author

Owner

@domivogt commented on GitHub (Feb 9, 2021):

The omitted options are just a couple of --whitelist arguments in the local home directory which I won't post. These two are related to pulseaudio:
--whitelist=$HOME/.config/pulse
--whitelist=$HOME/(firejail home)/.config/pulse \

--

The iceweasel profile simply does not work for me with 0.9.61. No sound.

@domivogt commented on GitHub (Feb 9, 2021): The omitted options are just a couple of --whitelist arguments in the local home directory which I won't post. These two are related to pulseaudio: --whitelist=$HOME/.config/pulse \ --whitelist=$HOME/(firejail home)/.config/pulse \ -- The iceweasel profile simply does not work for me with 0.9.61. No sound.

gitea-mirror commented

2026-05-05 09:09:04 -06:00

Author

Owner

@domivogt commented on GitHub (Feb 9, 2021):

Have you tried the firejail --shutdown=foo yet? For example, if you provide
the --name=myweasel option you can call it as firejail --shutdown=myweasel.

With

$ firejail -name=iceweasel --shutdown=iceweasel ... /usr/local/bin/iceweasel

Firejails complain that no sandbox named "iceweasel" is running and exits. Not very intuitive. Are starting and stopping sandboxes mutually exclusive?

Is there a better way than

firejail --shutdown=iceweasel 2> /dev/null || true
firejail --name=iceweasel ... /use/local/bin/iceweasel

?

@domivogt commented on GitHub (Feb 9, 2021): > Have you tried the firejail --shutdown=foo yet? For example, if you provide > the --name=myweasel option you can call it as firejail --shutdown=myweasel. With $ firejail -name=iceweasel --shutdown=iceweasel ... /usr/local/bin/iceweasel Firejails complain that no sandbox named "iceweasel" is running and exits. Not very intuitive. Are starting and stopping sandboxes mutually exclusive? Is there a better way than firejail --shutdown=iceweasel 2> /dev/null || true firejail --name=iceweasel ... /use/local/bin/iceweasel ?

gitea-mirror commented

2026-05-05 09:09:05 -06:00

Author

Owner

@kmk3 commented on GitHub (Feb 9, 2021):

Have you tried the firejail --shutdown=foo yet? For example, if you provide
the --name=myweasel option you can call it as firejail --shutdown=myweasel.

With

$ firejail -name=iceweasel --shutdown=iceweasel ... /usr/local/bin/iceweasel

Firejails complain that no sandbox named "iceweasel" is running and exits.
Not very intuitive. Are starting and stopping sandboxes mutually exclusive?

Is there a better way than

firejail --shutdown=iceweasel 2> /dev/null || true
firejail --name=iceweasel ... /use/local/bin/iceweasel

?

A minor enhancement to the above:

#!/bin/sh

firejail --shutdown=iceweasel 2>/dev/null
exec firejail --name=iceweasel iceweasel

You could save this as e.g.: ~/bin/iceweasel and just call it as iceweasel.
It should work until the shutting down problem is diagnosed.

@kmk3 commented on GitHub (Feb 9, 2021): > > Have you tried the firejail --shutdown=foo yet? For example, if you provide > > the --name=myweasel option you can call it as firejail --shutdown=myweasel. > > With > > $ firejail -name=iceweasel --shutdown=iceweasel ... /usr/local/bin/iceweasel > > Firejails complain that no sandbox named "iceweasel" is running and exits. > Not very intuitive. Are starting and stopping sandboxes mutually exclusive? > > Is there a better way than > > firejail --shutdown=iceweasel 2> /dev/null || true > firejail --name=iceweasel ... /use/local/bin/iceweasel > > ? A minor enhancement to the above: ```sh #!/bin/sh firejail --shutdown=iceweasel 2>/dev/null exec firejail --name=iceweasel iceweasel ``` You could save this as e.g.: ~/bin/iceweasel and just call it as `iceweasel`. It should work until the shutting down problem is diagnosed.

gitea-mirror commented

2026-05-05 09:09:06 -06:00

Author

Owner

@ghost commented on GitHub (Feb 9, 2021):

$ firejail -name=iceweasel --shutdown=iceweasel ... /usr/local/bin/iceweasel

Firejails complain that no sandbox named "iceweasel" is running and exits. Not very intuitive. Are starting and stopping sandboxes mutually exclusive?

Indeed they are.

firejail --shutdown=iceweasel 2> /dev/null || true
firejail --name=iceweasel ... /use/local/bin/iceweasel

I would switch the order here. Start the sandboxed iceweasel first and shut it down when done browsing. Otherwise the processes will hang until the next start, which might be a while.

These two are related to pulseaudio:
--whitelist=$HOME/.config/pulse
--whitelist=$HOME/(firejail home)/.config/pulse
The iceweasel profile simply does not work for me with 0.9.61. No sound.

That's the problem you should be focussing on IMO. Combining --noautopulse and whitelisting the default ${HOME}/.config/pulse doesn't make much sense.

@ghost commented on GitHub (Feb 9, 2021): > $ firejail -name=iceweasel --shutdown=iceweasel ... /usr/local/bin/iceweasel Firejails complain that no sandbox named "iceweasel" is running and exits. Not very intuitive. Are starting and stopping sandboxes mutually exclusive? Indeed they are. > firejail --shutdown=iceweasel 2> /dev/null || true firejail --name=iceweasel ... /use/local/bin/iceweasel I would switch the order here. Start the sandboxed iceweasel first and shut it down when done browsing. Otherwise the processes will hang until the next start, which might be a while. > These two are related to pulseaudio: --whitelist=$HOME/.config/pulse --whitelist=$HOME/(firejail home)/.config/pulse \ The iceweasel profile simply does not work for me with 0.9.61. No sound. That's the problem you should be focussing on IMO. Combining --noautopulse and whitelisting the default ${HOME}/.config/pulse doesn't make much sense.

gitea-mirror commented

2026-05-05 09:09:07 -06:00

Author

Owner

@kmk3 commented on GitHub (Feb 9, 2021):

firejail --shutdown=iceweasel 2> /dev/null || true
firejail --name=iceweasel ... /use/local/bin/iceweasel

I would switch the order here. Start the sandboxed iceweasel first and shut
it down when done browsing. Otherwise the processes will hang until the next
start, which might be a while.

But if the primary firejail command (i.e.: the one with --name) never exits,
how would the command(s) after that be executed? Or does firejail actually die
but is just never reaped (i.e.: becomes a zombie process)?

@kmk3 commented on GitHub (Feb 9, 2021): > > firejail --shutdown=iceweasel 2> /dev/null || true > > firejail --name=iceweasel ... /use/local/bin/iceweasel > > I would switch the order here. Start the sandboxed iceweasel first and shut > it down when done browsing. Otherwise the processes will hang until the next > start, which might be a while. But if the primary firejail command (i.e.: the one with `--name`) never exits, how would the command(s) after that be executed? Or does firejail actually die but is just never reaped (i.e.: becomes a zombie process)?

gitea-mirror commented

2026-05-05 09:09:08 -06:00

Author

Owner

@domivogt commented on GitHub (Feb 10, 2021):

Are starting and stopping sandboxes mutually exclusive?
Indeed they are.

Maybe the manpage should mention that.

I would switch the order here. Start the sandboxed iceweasel first and shut it
down when done browsing. Otherwise the processes will hang until the next
start, which might be a while.

But that's the whole point of this topic. I doesn't terminate because the dbus-daemon is still around. If it terminated, the --shutdown wouldn't be necessary. Of course I'd prefer not having bogus dbus and firejail processes lying around, but at leat with the above script iceweasel works if restarted later.

@domivogt commented on GitHub (Feb 10, 2021): >> Are starting and stopping sandboxes mutually exclusive? > Indeed they are. Maybe the manpage should mention that. > I would switch the order here. Start the sandboxed iceweasel first and shut it > down when done browsing. Otherwise the processes will hang until the next > start, which might be a while. But that's the whole point of this topic. I *doesn't* terminate because the dbus-daemon is still around. If it terminated, the --shutdown wouldn't be necessary. Of course I'd prefer not having bogus dbus and firejail processes lying around, but at leat with the above script iceweasel works if restarted later.

gitea-mirror commented

2026-05-05 09:09:08 -06:00

Author

Owner

@ghost commented on GitHub (Feb 10, 2021):

But that's the whole point of this topic.

Fair enough, I get that. Going over the conversations again, I can see how my earlier remark about switching the order caused confusion. Until you can get to the bottom of this I guess the hack you showed is at least something workable.

There have been tons of changes related to D-Bus since firejail 0.9.62. Besides getting improved profiles there's also the fact that your version is vulnerable to this, which is reason enough in and by itself to upgrade firejail asap. Have you considered building the latest stable firejail release? Installing xdg-dbus-proxy together with that firejail upgrade would be best, but I don't know if that's an option on Devuan.

@ghost commented on GitHub (Feb 10, 2021): > But that's the whole point of this topic. Fair enough, I get that. Going over the conversations again, I can see how my earlier remark about switching the order caused confusion. Until you can get to the bottom of this I guess the hack you showed is at least something workable. There have been tons of changes related to D-Bus since firejail 0.9.62. Besides getting improved profiles there's also the fact that your version is vulnerable to [this](https://github.com/netblue30/firejail#security-vulnerabilities), which is reason enough in and by itself to upgrade firejail asap. Have you considered building the latest stable firejail release? Installing [xdg-dbus-proxy](https://github.com/flatpak/xdg-dbus-proxy) together with that firejail upgrade would be best, but I don't know if that's an option on Devuan.

gitea-mirror commented

2026-05-05 09:09:09 -06:00

Author

Owner

@domivogt commented on GitHub (Feb 10, 2021):

Thanks for the information; I've upgraded to 0.9.64.4.

(As a side note: Still don't get sound in the browsers unless "seccomp" is removed from the profiles in the distribution.)

Installing xdg-dbus-proxy together with that firejail upgrade would
be best, but I don't know if that's an option on Devuan.

It is. Devuan is just Debian without systemd. I just have to install xdg-dbus-proxy and then it's used automatically?

@domivogt commented on GitHub (Feb 10, 2021): Thanks for the information; I've upgraded to 0.9.64.4. (As a side note: Still don't get sound in the browsers unless "seccomp" is removed from the profiles in the distribution.) > Installing xdg-dbus-proxy together with that firejail upgrade would > be best, but I don't know if that's an option on Devuan. It is. Devuan is just Debian without systemd. I just have to install xdg-dbus-proxy and then it's used automatically?

gitea-mirror commented

2026-05-05 09:09:09 -06:00

Author

Owner

@rusty-snake commented on GitHub (Feb 10, 2021):

(As a side note: Still don't get sound in the browsers unless "seccomp" is removed from the profiles in the distribution.)

You run with --seccomp-error-action=log '--seccomp=!chroot' and watch your syslog to know the blocked syscall.

@rusty-snake commented on GitHub (Feb 10, 2021): > (As a side note: Still don't get sound in the browsers unless "seccomp" is removed from the profiles in the distribution.) You run with `--seccomp-error-action=log '--seccomp=!chroot'` and watch your syslog to know the blocked syscall.

gitea-mirror commented

2026-05-05 09:09:10 -06:00

Author

Owner

@domivogt commented on GitHub (Feb 10, 2021):

firejail says:

Reading profile /usr/local/etc/firejail/seamonkey.profile

Reading profile /usr/local/etc/firejail/disable-common.inc

Reading profile /usr/local/etc/firejail/disable-devel.inc

Reading profile /usr/local/etc/firejail/disable-interpreters.inc

Reading profile /usr/local/etc/firejail/disable-programs.inc

Reading profile /usr/local/etc/firejail/whitelist-common.inc

Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,

Parent pid 8569, child pid 8572

Blacklist violations are logged to syslog

Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,

/var/log/syslog:

Feb 10 22:57:36 ... kernel: [ 8975.953084] audit: type=1326 audit(1612994256.699:2): auid=1000 uid=1000 gid=1000 ses=1 pid=8906 comm="pulseaudio" exe="/usr/bin/pulseaudio" sig=0 arch=c000003e syscall=135 compat=0 ip=0x7fa5f92a1777 code=0x7ffc0000

Feb 10 22:57:36 ... kernel: [ 8975.970836] audit: type=1326 audit(1612994256.717:3): auid=1000 uid=1000 gid=1000 ses=1 pid=8909 comm="pulseaudio" exe="/usr/bin/pulseaudio" sig=0 arch=c000003e syscall=303 compat=0 ip=0x7fa5f92a228a code=0x7ffc0000

Feb 10 22:57:37 ... pulseaudio[325]: [pulseaudio] authkey.c: Failed to open cookie file '/home/.../.config/pulse/cookie': No such file or directory

Feb 10 22:57:37 ... pulseaudio[325]: [pulseaudio] authkey.c: Failed to load authentication key '/home/.../.config/pulse/cookie': No such file or directory

Feb 10 22:57:37 ... pulseaudio[325]: [pulseaudio] authkey.c: Failed to open cookie file '/home/.../.pulse-cookie': No such file or directory

Feb 10 22:57:37 ... pulseaudio[325]: [pulseaudio] authkey.c: Failed to load authentication key '/home/.../.pulse-cookie': No such file or directory

@domivogt commented on GitHub (Feb 10, 2021): **firejail says:** Reading profile /usr/local/etc/firejail/seamonkey.profile Reading profile /usr/local/etc/firejail/disable-common.inc Reading profile /usr/local/etc/firejail/disable-devel.inc Reading profile /usr/local/etc/firejail/disable-interpreters.inc Reading profile /usr/local/etc/firejail/disable-programs.inc Reading profile /usr/local/etc/firejail/whitelist-common.inc Seccomp list in: !chroot, check list: @default-keep, prelist: unknown, Parent pid 8569, child pid 8572 Blacklist violations are logged to syslog Seccomp list in: !chroot, check list: @default-keep, prelist: unknown, **/var/log/syslog:** Feb 10 22:57:36 ... kernel: [ 8975.953084] audit: type=1326 audit(1612994256.699:2): auid=1000 uid=1000 gid=1000 ses=1 pid=8906 comm="pulseaudio" exe="/usr/bin/pulseaudio" sig=0 arch=c000003e syscall=135 compat=0 ip=0x7fa5f92a1777 code=0x7ffc0000 Feb 10 22:57:36 ... kernel: [ 8975.970836] audit: type=1326 audit(1612994256.717:3): auid=1000 uid=1000 gid=1000 ses=1 pid=8909 comm="pulseaudio" exe="/usr/bin/pulseaudio" sig=0 arch=c000003e syscall=303 compat=0 ip=0x7fa5f92a228a code=0x7ffc0000 Feb 10 22:57:37 ... pulseaudio[325]: [pulseaudio] authkey.c: Failed to open cookie file '/home/.../.config/pulse/cookie': No such file or directory Feb 10 22:57:37 ... pulseaudio[325]: [pulseaudio] authkey.c: Failed to load authentication key '/home/.../.config/pulse/cookie': No such file or directory Feb 10 22:57:37 ... pulseaudio[325]: [pulseaudio] authkey.c: Failed to open cookie file '/home/.../.pulse-cookie': No such file or directory Feb 10 22:57:37 ... pulseaudio[325]: [pulseaudio] authkey.c: Failed to load authentication key '/home/.../.pulse-cookie': No such file or directory

gitea-mirror commented

2026-05-05 09:09:10 -06:00

Author

Owner

@domivogt commented on GitHub (Feb 10, 2021):

So, how does one figure out what syscalls "135" and "303" are on x86_64?

@domivogt commented on GitHub (Feb 10, 2021): So, how does one figure out what syscalls "135" and "303" are on x86_64?

gitea-mirror commented

2026-05-05 09:09:11 -06:00

Author

Owner

@ghost commented on GitHub (Feb 10, 2021):

So, how does one figure out what syscalls "135" and "303" are on x86_64?

$ firejail --debug-syscalls | grep 135
$ firejail --debug-syscalls | grep 303

And there's the upstream documentation, which is slightly less easy to parse.

@ghost commented on GitHub (Feb 10, 2021): > So, how does one figure out what syscalls "135" and "303" are on x86_64? $ firejail --debug-syscalls | grep 135 $ firejail --debug-syscalls | grep 303 And there's the [upstream documentation](https://github.com/seccomp/libseccomp/blob/v2.5.1/src/syscalls.csv), which is slightly less easy to parse.

gitea-mirror commented

2026-05-05 09:09:11 -06:00

Author

Owner

@domivogt commented on GitHub (Feb 10, 2021):

Okay, 135 is "personality" and 303 is "name_to_handle_at". Now, what does that tell me?

@domivogt commented on GitHub (Feb 10, 2021): Okay, 135 is "personality" and 303 is "name_to_handle_at". Now, what does that tell me?

gitea-mirror commented

2026-05-05 09:09:11 -06:00

Author

Owner

@ghost commented on GitHub (Feb 10, 2021):

It tells you which syscalls to allow in firejail's seccomp option. You'll need to test this.
If you use the seamonkey profile, add the below to seamonkey.local override:

ignore seccomp
seccomp !name_to_handle_at,!personality

If you use the iceweasel profile, add the below to firefox-common.local override:

ignore seccomp !chroot
seccomp -chroot,!name_to_handle_at,!personality

@ghost commented on GitHub (Feb 10, 2021): It tells you which syscalls to allow in firejail's `seccomp` option. You'll need to test this. If you use the seamonkey profile, add the below to seamonkey.local override: ``` ignore seccomp seccomp !name_to_handle_at,!personality ``` If you use the iceweasel profile, add the below to firefox-common.local override: ``` ignore seccomp !chroot seccomp -chroot,!name_to_handle_at,!personality ```

gitea-mirror commented

2026-05-05 09:09:12 -06:00

Author

Owner

@domivogt commented on GitHub (Feb 11, 2021):

Okay, that works for seamonkey. But with that, iceweasel does nothing except showing blank pages.

Trying the iceweasel.profile it says this and exits:

Seccomp list in: -chroot,!name_to_handle_at,!personality, check list: @default-k
eep, prelist: unknown,unknown,

DBus user socket was not found.

No proxies specified

(Note that the xdg-dbus-proxy package is installed.)

@domivogt commented on GitHub (Feb 11, 2021): Okay, that works for seamonkey. But with that, iceweasel does nothing except showing blank pages. Trying the iceweasel.profile it says this and exits: Seccomp list in: -chroot,!name_to_handle_at,!personality, check list: @default-k eep, prelist: unknown,unknown, DBus user socket was not found. No proxies specified (Note that the xdg-dbus-proxy package is installed.)

gitea-mirror commented

2026-05-05 09:09:12 -06:00

Author

Owner

@ghost commented on GitHub (Feb 11, 2021):

Not sure what's happening with iceweasel. I'm about to turn horizontal for the night so I don't have the time right now to install and test it. But here are a few quick things you can re-check:

make sure xdg-dbus-proxy is installed BEFORE building firejail from git (when unsure, rebuild firejail, that shouldn't take all that long)
redo the syscall/syslog check for iceweasel and seamonkey individually, they might make/expect to be able to make different syscalls
keep playing with the seccomp option for testing, but beware this is a pretty important part of sandboxing

@ghost commented on GitHub (Feb 11, 2021): Not sure what's happening with iceweasel. I'm about to turn horizontal for the night so I don't have the time right now to install and test it. But here are a few quick things you can re-check: - make sure xdg-dbus-proxy is installed BEFORE building firejail from git (when unsure, rebuild firejail, that shouldn't take all that long) - redo the syscall/syslog check for iceweasel and seamonkey individually, they might make/expect to be able to make different syscalls - keep playing with the seccomp option for _testing,_ but beware this is a pretty important part of sandboxing

gitea-mirror commented

2026-05-05 09:09:13 -06:00

Author

Owner

@rusty-snake commented on GitHub (Feb 11, 2021):

DBus user socket was not found.

Read #3769 and #3689.

@rusty-snake commented on GitHub (Feb 11, 2021): > DBus user socket was not found. Read #3769 and #3689.

gitea-mirror commented

2026-05-05 09:09:13 -06:00

Author

Owner

@rusty-snake commented on GitHub (Feb 11, 2021):

And there's the upstream documentation

That's not upstream, that's third-party. seccomp rules can be loaded into the kernel via prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ...) or seccomp(...) (new syscall for this) and can be create directly (which is very ugly), directly with macro-magic (only works in C) or using third-party libraries such as libseccomp. libseccomp is the de facto standard for libraries, all others I know are just a abstraction around libseccomp which is already a abstraction around the kernel. firejail does not link against libseccomp, instead it compiles the rules by itself (fseccomp and fsec-optimize AFAICT). fdns links against libseccomp.

which is slightly less easy to parse.

GitHub has a search function for csv (look at the "Search this file..." at the top of the file) and in your shell you can use awk.

$ wget -qO- "https://raw.githubusercontent.com/seccomp/libseccomp/v2.5.1/src/syscalls.csv" | awk -F',' '$1 == "faccessat2" { print $3 }'
439

So, how does one figure out what syscalls "135" and "303" are on x86_64?

With firejail (as @glitsj16 said)

$ firejail --debug-syscalls | grep "^135[[:space:]]"
135	- personality#

With audit (can also be used for non-native ABI syscalls)

$ ausyscall 135       
personality

@rusty-snake commented on GitHub (Feb 11, 2021): > And there's the upstream documentation That's not upstream, that's third-party. seccomp rules can be loaded into the kernel via `prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ...)` or `seccomp(...)` (new syscall for this) and can be create directly (which is very ugly), directly with macro-magic (only works in C) or using third-party libraries such as libseccomp. libseccomp is the de facto standard for libraries, all others I know are just a abstraction around libseccomp which is already a abstraction around the kernel. firejail does not link against libseccomp, instead it compiles the rules by itself (fseccomp and fsec-optimize AFAICT). fdns links against libseccomp. > which is slightly less easy to parse. GitHub has a search function for csv (look at the "Search this file..." at the top of the file) and in your shell you can use awk. ```bash $ wget -qO- "https://raw.githubusercontent.com/seccomp/libseccomp/v2.5.1/src/syscalls.csv" | awk -F',' '$1 == "faccessat2" { print $3 }' 439 ``` > So, how does one figure out what syscalls "135" and "303" are on x86_64? 1. With firejail (as @glitsj16 said) ``` $ firejail --debug-syscalls | grep "^135[[:space:]]" 135 - personality# ``` 2. With audit (can also be used for non-native ABI syscalls) ``` $ ausyscall 135 personality ```

gitea-mirror commented

2026-05-05 09:09:13 -06:00

Author

Owner

@domivogt commented on GitHub (Feb 11, 2021):

Okay, the option --dbus-user=none makes the messages go away, but it does not really help. The browser window is still blank and does not load anything, and syslog shows a bunch of suspicious messages:

Feb 11 20:07:47 ... kernel: [ 6000.114213] Chroot Helper[9650]: segfault at 0 ip 00007fcd3f86d5f9 sp 00007fcd32b5c450 error 6 in libxul.so[7fcd3f863000+4ac7000]

Feb 11 20:07:47 ... kernel: [ 6000.114221] Code: 26 07 48 8d 0d 70 ab ac 04 48 89 08 c7 04 25 00 00 00 00 00 00 00 00 0f 0b 48 8b 05 e1 2d 26 07 48 8d 0d 15 ac ac 04 48 89 08 04 25 00 00 00 00 00 00 00 00 0f 0b 48 8b 05 c3 2d 26 07 48 8d

Feb 11 20:07:48 ... kernel: [ 6000.447798] Chroot Helper[9689]: segfault at 0 ip 00007fcd3f86d5f9 sp 00007fcd32b5c450 error 6 in libxul.so[7fcd3f863000+4ac7000]

Feb 11 20:07:48 ... kernel: [ 6000.447806] Code: 26 07 48 8d 0d 70 ab ac 04 48 89 08 c7 04 25 00 00 00 00 00 00 00 00 0f 0b 48 8b 05 e1 2d 26 07 48 8d 0d 15 ac ac 04 48 89 08 04 25 00 00 00 00 00 00 00 00 0f 0b 48 8b 05 c3 2d 26 07 48 8d

Feb 11 20:07:49 ... kernel: [ 6001.377108] Chroot Helper[9725]: segfault at 0 ip 00007fcd3f86d5f9 sp 00007fcd32b5c450 error 6 in libxul.so[7fcd3f863000+4ac7000]

Feb 11 20:07:49 ... kernel: [ 6001.377115] Code: 26 07 48 8d 0d 70 ab ac 04 48 89 08 c7 04 25 00 00 00 00 00 00 00 00 0f 0b 48 8b 05 e1 2d 26 07 48 8d 0d 15 ac ac 04 48 89 08 04 25 00 00 00 00 00 00 00 00 0f 0b 48 8b 05 c3 2d 26 07 48 8d

(How do you properly format code output in this freakin' editor?)

@domivogt commented on GitHub (Feb 11, 2021): Okay, the option --dbus-user=none makes the messages go away, but it does not really help. The browser window is still blank and does not load anything, and syslog shows a bunch of suspicious messages: Feb 11 20:07:47 ... kernel: [ 6000.114213] Chroot Helper[9650]: segfault at 0 ip 00007fcd3f86d5f9 sp 00007fcd32b5c450 error 6 in libxul.so[7fcd3f863000+4ac7000] Feb 11 20:07:47 ... kernel: [ 6000.114221] Code: 26 07 48 8d 0d 70 ab ac 04 48 89 08 c7 04 25 00 00 00 00 00 00 00 00 0f 0b 48 8b 05 e1 2d 26 07 48 8d 0d 15 ac ac 04 48 89 08 <c7> 04 25 00 00 00 00 00 00 00 00 0f 0b 48 8b 05 c3 2d 26 07 48 8d Feb 11 20:07:48 ... kernel: [ 6000.447798] Chroot Helper[9689]: segfault at 0 ip 00007fcd3f86d5f9 sp 00007fcd32b5c450 error 6 in libxul.so[7fcd3f863000+4ac7000] Feb 11 20:07:48 ... kernel: [ 6000.447806] Code: 26 07 48 8d 0d 70 ab ac 04 48 89 08 c7 04 25 00 00 00 00 00 00 00 00 0f 0b 48 8b 05 e1 2d 26 07 48 8d 0d 15 ac ac 04 48 89 08 <c7> 04 25 00 00 00 00 00 00 00 00 0f 0b 48 8b 05 c3 2d 26 07 48 8d Feb 11 20:07:49 ... kernel: [ 6001.377108] Chroot Helper[9725]: segfault at 0 ip 00007fcd3f86d5f9 sp 00007fcd32b5c450 error 6 in libxul.so[7fcd3f863000+4ac7000] Feb 11 20:07:49 ... kernel: [ 6001.377115] Code: 26 07 48 8d 0d 70 ab ac 04 48 89 08 c7 04 25 00 00 00 00 00 00 00 00 0f 0b 48 8b 05 e1 2d 26 07 48 8d 0d 15 ac ac 04 48 89 08 <c7> 04 25 00 00 00 00 00 00 00 00 0f 0b 48 8b 05 c3 2d 26 07 48 8d (How do you properly format code output in this freakin' editor?)

gitea-mirror commented

2026-05-05 09:09:14 -06:00

Author

Owner

@domivogt commented on GitHub (Feb 11, 2021):

And about dbus configuration:

DBUS_SESSION_BUS_ADDRESS is not set. Should it? By whom?
There's some stuff in /run/dbus:

$ ls /run/dbus

-rw-r--r-- 1 root root 5 Feb 11 18:27 pid

srwxrwxrwx 1 root root 0 Feb 11 18:27 system_bus_socket=

Running iceweasel through dbus-run-session does not help in any way. Still segfault messages in syslog.

@domivogt commented on GitHub (Feb 11, 2021): And about dbus configuration: 1) DBUS_SESSION_BUS_ADDRESS is not set. Should it? By whom? 2) There's some stuff in /run/dbus: $ ls /run/dbus -rw-r--r-- 1 root root 5 Feb 11 18:27 pid srwxrwxrwx 1 root root 0 Feb 11 18:27 system_bus_socket= 3) Running iceweasel through dbus-run-session does not help in any way. Still segfault messages in syslog.

gitea-mirror commented

2026-05-05 09:09:14 -06:00

Author

Owner

@kmk3 commented on GitHub (Feb 11, 2021):

(How do you properly format code output in this freakin' editor?)

Use a code fence / triple backquotes:

https://spec.commonmark.org/0.29/#code-fence
https://github.github.com/gfm/#code-fence

Example:

log

You can also improve the syntax highlighting by setting the language through
an info string:

https://spec.commonmark.org/0.29/#info-string
https://github.github.com/gfm/#info-string

Example (sh):

#!/bin/sh

# comment
echo hello

Example (console):

$ ls
foo bar

Click on ... then "Quote reply" to see the markdown source of this message.

@kmk3 commented on GitHub (Feb 11, 2021): > (How do you properly format code output in this freakin' editor?) Use a code fence / triple backquotes: <https://spec.commonmark.org/0.29/#code-fence> <https://github.github.com/gfm/#code-fence> Example: ``` log ``` You can also improve the syntax highlighting by setting the language through an info string: <https://spec.commonmark.org/0.29/#info-string> <https://github.github.com/gfm/#info-string> Example (sh): ```sh #!/bin/sh # comment echo hello ``` Example (console): ```console $ ls foo bar ``` Click on ... then "Quote reply" to see the markdown source of this message.

gitea-mirror commented

2026-05-05 09:09:15 -06:00

Author

Owner

@rusty-snake commented on GitHub (Feb 11, 2021):

There's some stuff in /run/dbus:

That's the system bus. DBUS_SESSION_BUS_ADDRESS is about the session bus.

Should it?

If D-Bus should work properly, yes.

How do you properly format code output in this freakin' editor?)

```
Code-block, created by three back-ticks.
```

`Inline-code created by one back-tick`

https://guides.github.com/features/mastering-markdown/

@rusty-snake commented on GitHub (Feb 11, 2021): > There's some stuff in /run/dbus: That's the system bus. `DBUS_SESSION_BUS_ADDRESS` is about the session bus. > Should it? If D-Bus should work properly, yes. > How do you properly format code output in this freakin' editor?) `````` ``` Code-block, created by three back-ticks. ``` `Inline-code created by one back-tick` `````` https://guides.github.com/features/mastering-markdown/

gitea-mirror commented

2026-05-05 09:09:15 -06:00

Author

Owner

@domivogt commented on GitHub (Feb 11, 2021):

Thanks for the formatting tips.

That's the system bus. DBUS_SESSION_BUS_ADDRESS is about the session bus.
If D-Bus should work properly, yes.

So, this is not really a firejail question, but does that mean that dbus only works if you start the graphical environment through a session manager?

@domivogt commented on GitHub (Feb 11, 2021): Thanks for the formatting tips. > That's the system bus. DBUS_SESSION_BUS_ADDRESS is about the session bus. > If D-Bus should work properly, yes. So, this is not really a firejail question, but does that mean that dbus only works if you start the graphical environment through a session manager?

gitea-mirror commented

2026-05-05 09:09:16 -06:00

Author

Owner

@rusty-snake commented on GitHub (Feb 11, 2021):

So, this is not really a firejail question,

Partly, the dbus-spec has three ways to propagate the location of the socket. Using DBUS_SESSION_BUS_ADDRESS (the preferred way), ~/.dbus and X properties (which does not work without X e.g. Wayland or console).

but does that mean that dbus only works if you start the graphical environment through a session manager?

No, but if you don't use logind, you need to make sure dbus is started and it's socket location is properly propagated.

@rusty-snake commented on GitHub (Feb 11, 2021): > So, this is not really a firejail question, Partly, the dbus-spec has three ways to propagate the location of the socket. Using `DBUS_SESSION_BUS_ADDRESS` (the preferred way), `~/.dbus` and X properties (which does not work without X e.g. Wayland or console). > but does that mean that dbus only works if you start the graphical environment through a session manager? No, but if you don't use logind, you need to make sure dbus is started and it's socket location is properly propagated.

gitea-mirror commented

2026-05-05 09:09:17 -06:00

Author

Owner

@domivogt commented on GitHub (Feb 11, 2021):

I give up. Pulseaudio + Dbus seem to be completely un-configurable, if you don't happen to maintain your own distro. Pieces of junk. If I want processes to communicate I say so.

@domivogt commented on GitHub (Feb 11, 2021): I give up. Pulseaudio + Dbus seem to be completely un-configurable, if you don't happen to maintain your own distro. Pieces of junk. If I want processes to communicate I say so.

gitea-mirror commented

2026-05-05 09:09:17 -06:00

Author

Owner

@kmk3 commented on GitHub (Feb 11, 2021):

I give up. Pulseaudio + Dbus seem to be completely un-configurable, if you
don't happen to maintain your own distro. Pieces of junk. If I want processes
to communicate I say so.

Indeed. I'm using apulse on Artix and on D-Bus' case, I just try to block it
as much as possible on firejail, so that 1. firejail doesn't just die because
it can't find D-Bus and 2. so that the sandbox escaping is mitigated.

The following works for me:

Create disable-dbus.local with these contents:

dbus-system none
dbus-user none
ignore dbus-system
ignore dbus-user
# needed to ignore warnings; taken from firejail-profile(5) from v0.9.64
ignore dbus-user.broadcast
ignore dbus-user.call
ignore dbus-user.own
ignore dbus-user.see
ignore dbus-user.talk

Add the following to globals.local:

include disable-dbus.local

@kmk3 commented on GitHub (Feb 11, 2021): > I give up. Pulseaudio + Dbus seem to be completely un-configurable, if you > don't happen to maintain your own distro. Pieces of junk. If I want processes > to communicate I say so. Indeed. I'm using apulse on Artix and on D-Bus' case, I just try to block it as much as possible on firejail, so that 1. firejail doesn't just die because it can't find D-Bus and 2. so that the sandbox escaping is mitigated. The following works for me: Create disable-dbus.local with these contents: ```firejail dbus-system none dbus-user none ignore dbus-system ignore dbus-user # needed to ignore warnings; taken from firejail-profile(5) from v0.9.64 ignore dbus-user.broadcast ignore dbus-user.call ignore dbus-user.own ignore dbus-user.see ignore dbus-user.talk ``` Add the following to globals.local: ```firejail include disable-dbus.local ```

gitea-mirror commented

2026-05-05 09:09:18 -06:00

Author

Owner

@domivogt commented on GitHub (Feb 12, 2021):

Excellent advice regarding apulse, so pulseaudio is gone now. Doesn't help for the dbus junk; gnumeric and iceweasel depend on dbus. I might be able to find a replacement for gnumeric.

@domivogt commented on GitHub (Feb 12, 2021): Excellent advice regarding apulse, so pulseaudio is gone now. Doesn't help for the dbus junk; gnumeric and iceweasel depend on dbus. I might be able to find a replacement for gnumeric.

gitea-mirror commented

2026-05-05 09:09:18 -06:00

Author

Owner

@domivogt commented on GitHub (Feb 12, 2021):

Okay, it turns out that with apulse instead of pulseaudio, sound works out of the box with the distributed seamonkey and iceweasel profiles. No changes are necessary at all. Yay!

If there only was a similar replacement for dbus ...

Thanks a million for all the good advice and support in this thread!

@domivogt commented on GitHub (Feb 12, 2021): Okay, it turns out that with apulse instead of pulseaudio, sound works out of the box with the distributed seamonkey and iceweasel profiles. No changes are necessary at all. Yay! If there only was a similar replacement for dbus ... Thanks a million for all the good advice and support in this thread!

gitea-mirror commented

2026-05-05 09:09:19 -06:00

Author

Owner

@kmk3 commented on GitHub (Feb 12, 2021):

Excellent advice regarding apulse, so pulseaudio is gone now.

Thanks. See also sndio/sndiod, which is the sound server from OpenBSD and
is supported on Void Linux:

https://docs.voidlinux.org/config/media/sndio.html

I haven't gotten around to configuring it, but it seems promising.

Doesn't help for the dbus junk; gnumeric and iceweasel depend on dbus. I
might be able to find a replacement for gnumeric.

Okay, it turns out that with apulse instead of pulseaudio, sound works out of
the box with the distributed seamonkey and iceweasel profiles. No changes are
necessary at all. Yay!

If there only was a similar replacement for dbus ...

KISS Linux has the exclusion of dbus and pulseaudio (among others) from the
official repositories as an explicit goal; might want to check it out:

It manages to run Xorg without dbus by default, which is something that I
unfortunately haven't figured out how to do on Artix yet.

Not sure if gnumeric is packaged for it though.

There is also this, which looks like a build-time drop-in (partial?) dbus
replacement for dbus clients (e.g.: Firefox):

https://github.com/emersion/basu

I also remember reading a while back that systemd (or something adjacent) was
considering switching to a smaller IPC middleware in order to break a circular
dependency with dbus, but I can't find the name right now and I'm not sure if
it's a drop-in replacement. (Or maybe it was dbus or pulseaudio switching from
systemd as a dependency...)

@kmk3 commented on GitHub (Feb 12, 2021): > Excellent advice regarding apulse, so pulseaudio is gone now. Thanks. See also [sndio/sndiod][1], which is the sound server from OpenBSD and is supported on Void Linux: * <https://docs.voidlinux.org/config/media/sndio.html> I haven't gotten around to configuring it, but it seems promising. > Doesn't help for the dbus junk; gnumeric and iceweasel depend on dbus. I > might be able to find a replacement for gnumeric. > Okay, it turns out that with apulse instead of pulseaudio, sound works out of > the box with the distributed seamonkey and iceweasel profiles. No changes are > necessary at all. Yay! > > If there only was a similar replacement for dbus ... KISS Linux has the exclusion of dbus and pulseaudio (among others) from the official repositories as an explicit goal; might want to check it out: * [Removed Software][2] * [Excluded Software][3] It manages to run Xorg without dbus by default, which is something that I unfortunately haven't figured out how to do on Artix yet. Not sure if gnumeric is packaged for it though. --- There is also this, which looks like a build-time drop-in (partial?) dbus replacement for dbus clients (e.g.: Firefox): * <https://github.com/emersion/basu> I also remember reading a while back that systemd (or something adjacent) was considering switching to a smaller IPC middleware in order to break a circular dependency with dbus, but I can't find the name right now and I'm not sure if it's a drop-in replacement. (Or maybe it was dbus or pulseaudio switching from systemd as a dependency...) [1]: https://sndio.org/ [2]: https://k1ss.org/software#2.0 [3]: https://k1ss.org/software#3.0

gitea-mirror commented

2026-05-05 09:09:19 -06:00

Author

Owner

@domivogt commented on GitHub (Feb 13, 2021):

Hmpf, everything that uses gtk+-3 has an automatic dependency on dbus (i.e. iceweasel + gnumeric). I really couldn't find an alternative spreadsheet program, except the Kde stuff and the one from Libreoffice which are both even more bloated than Gnumeric already is.

KISS Linux sounds nice, but still seems to depend on systemd? (I actually want a working, stable, i.e. Pöttering-free machine.)

@domivogt commented on GitHub (Feb 13, 2021): Hmpf, everything that uses gtk+-3 has an automatic dependency on dbus (i.e. iceweasel + gnumeric). I really couldn't find an alternative spreadsheet program, except the Kde stuff and the one from Libreoffice which are both even more bloated than Gnumeric already is. KISS Linux sounds nice, but still seems to depend on systemd? (I actually want a working, stable, i.e. Pöttering-free machine.)

gitea-mirror commented

2026-05-05 09:09:19 -06:00

Author

Owner

@domivogt commented on GitHub (Feb 13, 2021):

(Okay, it does not include systemd, but they've hidden that info deep in the FAQ.)

@domivogt commented on GitHub (Feb 13, 2021): (Okay, it does not include systemd, but they've hidden that info deep in the FAQ.)

gitea-mirror commented

2026-05-05 09:09:20 -06:00

Author

Owner

@kmk3 commented on GitHub (Mar 3, 2021):

Doesn't help for the dbus junk; gnumeric and iceweasel depend on dbus. I
might be able to find a replacement for gnumeric.

Okay, it turns out that with apulse instead of pulseaudio, sound works out
of the box with the distributed seamonkey and iceweasel profiles. No
changes are necessary at all. Yay!

If there only was a similar replacement for dbus ...

KISS Linux has the exclusion of dbus and pulseaudio (among others) from the
official repositories as an explicit goal; might want to check it out:

Removed Software

Excluded Software

It manages to run Xorg without dbus by default, which is something that I
unfortunately haven't figured out how to do on Artix yet.

Not sure if gnumeric is packaged for it though.

By the way, I just came across a KISS Linux repository that has gnumeric
packaged:

https://github.com/eudaldgr/kiss-garbage

Spreadsheet: gnumeric

Also, the creator of KISS Linux (dylanaraps) disappeared:

And this community-made fork appears to be the de facto continuation of it:

@kmk3 commented on GitHub (Mar 3, 2021): > > Doesn't help for the dbus junk; gnumeric and iceweasel depend on dbus. I > > might be able to find a replacement for gnumeric. > > > Okay, it turns out that with apulse instead of pulseaudio, sound works out > > of the box with the distributed seamonkey and iceweasel profiles. No > > changes are necessary at all. Yay! > > > If there only was a similar replacement for dbus ... > > KISS Linux has the exclusion of dbus and pulseaudio (among others) from the > official repositories as an explicit goal; might want to check it out: > > * [Removed Software](https://k1ss.org/software#2.0) > > * [Excluded Software](https://k1ss.org/software#3.0) > > > It manages to run Xorg without dbus by default, which is something that I > unfortunately haven't figured out how to do on Artix yet. > > Not sure if gnumeric is packaged for it though. By the way, I just came across a KISS Linux repository that has gnumeric packaged: * <https://github.com/eudaldgr/kiss-garbage> > Spreadsheet: gnumeric Also, the creator of KISS Linux (dylanaraps) disappeared: * <https://old.reddit.com/r/kisslinux/comments/kjeqyc/community_run_kiss_community_repo/> * <https://old.reddit.com/r/kisslinux/comments/kqe97x/wheres_dylan/> * <https://old.reddit.com/r/kisslinux/comments/lc8o8i/what_the_hell_happened_to_the_maintainer/> * <https://old.reddit.com/r/kisslinux/comments/ll4mrf/rip_the_site/> * <https://github.com/kisslinux/website/issues/77> * <https://github.com/kisslinux/repo/issues/256> * <https://github.com/kisslinux/community/issues/1749> * <https://old.reddit.com/r/kisslinux/comments/lm9z8b/the_state_of_kiss/> * <https://old.reddit.com/r/kisslinux/comments/lqz04o/new_bdfl_same_direction/> * <https://old.reddit.com/r/kisslinux/comments/lsbz8n/an_update_on_dylan/> And this community-made fork appears to be the de facto continuation of it: * <https://kiss.armaanb.net/> * <https://github.com/kiss-community>

gitea-mirror commented

2026-05-05 09:09:20 -06:00

Author

Owner

@rusty-snake commented on GitHub (Jun 10, 2021):

Still an issue?

@rusty-snake commented on GitHub (Jun 10, 2021): Still an issue?

gitea-mirror commented

2026-05-05 09:09:21 -06:00

Author

Owner

@rusty-snake commented on GitHub (Aug 4, 2021):

I'm closing here due to inactivity, please fell free to request to reopen if you still have this issue.

@rusty-snake commented on GitHub (Aug 4, 2021): I'm closing here due to inactivity, please fell free to request to reopen if you still have this issue.

gitea-mirror referenced this issue

2026-05-05 10:18:09 -06:00

[PR #2467] [MERGED] Harden mediainfo.profile #4335

Rows
Columns

[GH-ISSUE #3949] firejail not terminated after browser is killed #2467

umask 077 echo "$!" > "$PIDFILE"

umask 077
echo "$!" > "$PIDFILE"