[GH-ISSUE #4073] Flameshot escapes firejail #2524

Closed
opened 2026-05-05 09:12:15 -06:00 by gitea-mirror · 8 comments
Owner

Originally created by @a1346054 on GitHub (Mar 9, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4073

```
$ firejail --version
firejail version 0.9.64.4

Compile time support:
        - AppArmor support is enabled
        - AppImage support is enabled
        - chroot support is enabled
        - D-BUS proxy support is enabled
        - file and directory whitelisting support is enabled
        - file transfer support is enabled
        - firetunnel support is enabled
        - networking support is enabled
        - overlayfs support is disabled
        - private-home support is enabled
        - private-cache and tmpfs as user enabled
        - SELinux support is enabled
        - user namespace support is enabled
        - X11 sandboxing support is enabled
$ uname -a
Linux localhost 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64 GNU/Linux
$ cat /etc/os-release 
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 10 (buster)
Release:        10
Codename:       buster
$ flameshot --version
Flameshot v0.8.5-1_bpo10+1(Debian)
Compiled with Qt 5.11.3
```

Firejail installed from buster-backports repo of debian 10 (buster). Flameshot installed from buster-backports too.

`/usr/local/bin/flameshot` link to `firejail` created by `firecfg`

Using default `flameshot.profile` not modified in any way, and no `flameshot.local` exists.

If I run `firejail flameshot`, then flameshot is correctly running in firejail. But if I run `firejail flameshot gui` then flameshot ends up running outside of firejail.

If I run `/usr/local/bin/flameshot` then flameshot is correctly in firejail. But if I run `/usr/local/bin/flameshot gui` then it is running outside of firejail.

gitea-mirror 2026-05-05 09:12:15 -06:00
Author
Owner

@rusty-snake commented on GitHub (Mar 9, 2021):

That's because of D-Bus.

Author
Owner

@rusty-snake commented on GitHub (Mar 9, 2021):

And there is nothing that can be done, if you start it with `dbus-user none` it does not work and if you firejail the D-Bus activated instance, it crashes.

Author
Owner

@a1346054 commented on GitHub (Mar 9, 2021):

I'd recommend putting a comment in the `flameshot.profile` file then, and disable `firecfg` from automatically setting up the symlink `/usr/local/bin/flameshot`

On my system, it's the `/usr/lib/x86_64-linux-gnu/firejail/firecfg.config` file that determines what gets set up.

Author
Owner

@rusty-snake commented on GitHub (Apr 14, 2021):

> I'd recommend putting a comment in the flameshot.profile file then

Makes sense

> and disable firecfg from automatically setting up the symlink /usr/local/bin/flameshot

Why?

Author
Owner

@ghost commented on GitHub (Apr 15, 2021):

> Flameshot v0.8.5-1_bpo10+1(Debian)

Upstream released [v0.9.0](https://github.com/flameshot-org/flameshot/releases/tag/v0.9.0). The release notes mention several fixes for Wayland (GNOME/KDE). They offer a Debian 10 deb, have you tried that yet?

> ... firejail the D-Bus activated instance ...

@rusty-snake May I ask how you're doing that?
Side-note context: ever since I saw [this](https://github.com/netblue30/firejail/blob/master/etc/profile-a-l/gjs.profile#L9) comment in gjs.profile:

```
# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
```

I've been using overrides in `/etc/dbus-1/services` to sandbox them via firejail. That seems to work for the (few) apps I use that benefit from such treatment. So we _might_ be able to get around systemd here IMO, although automating it cfr. firecfg would be a bit more complex. I only briefly looked at flameshot (mostly because I prefer to use fully Wayland supported apps whenever I can), and it has a `org.flameshot.Flameshot.service` file too. I didn't see it crashing when manipulating that to run firejailed. To be clear, flameshot itself appears to have several Wayland/Xwayland issues that still need proper fixing, but that's out of our reach. Just wondering if you have any thoughts/recommendations on how to side-step these D-Bus activated applications in general, if any.

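The override approach described in the comment above, as an added example written for this thread (not code from firejail, flameshot or firecfg.py): a D-Bus activated program is started by dbus-daemon (or by systemd, for services that carry a systemd unit) from the `Exec=` line of its `.service` activation file, so neither the `firecfg` symlink in `PATH` nor a `firejail` prefix on the command line is consulted. The script rewrites such a file so that `Exec=` runs the program under `/usr/bin/firejail` and installs the result in `$XDG_DATA_HOME/dbus-1/services` (`~/.local/share/dbus-1/services` by default), which dbus-daemon searches before `/usr/share/dbus-1/services`. The sample activation file text, the `/usr/bin/firejail` path and the `--profile=` option are assumptions for the example; the comment itself uses `/etc/dbus-1/services`, which the script does not touch.

```python
"""Wrap the Exec= command of a D-Bus session activation file in firejail.

Added example for the firejail issue thread; not the project's own code.
Assumes the usual key=value layout of a D-Bus .service file and that an
override in $XDG_DATA_HOME/dbus-1/services shadows the packaged copy.
"""
import os
from pathlib import Path
from typing import Optional, Tuple

FIREJAIL = "/usr/bin/firejail"  # assumed install path of the firejail binary

# Constructed sample of what a packaged activation file looks like.
SAMPLE_SERVICE = """[D-BUS Service]
Name=org.flameshot.Flameshot
Exec=/usr/bin/flameshot
"""


def firejail_exec_line(line: str, profile: Optional[str] = None) -> str:
    """Return an Exec= line whose command is prefixed with firejail.

    Arguments after the program (e.g. "--gapplication-service") are kept.
    A line that already starts firejail is returned unchanged so running the
    script twice does not nest sandboxes.  --profile= is optional: firejail
    picks the profile by program basename anyway, but pinning it avoids
    surprises when the binary name differs from the profile name.
    """
    key, _, cmd = line.partition("=")
    cmd = cmd.strip()
    if not cmd:
        raise ValueError("empty Exec= command")
    argv0 = cmd.split(None, 1)[0]
    if os.path.basename(argv0) == "firejail":
        return line
    opts = f" --profile={profile}" if profile else ""
    return f"{key.strip()}={FIREJAIL}{opts} {cmd}"


def firejail_service(text: str, profile: Optional[str] = None) -> str:
    """Rewrite every Exec= line of a .service file; other lines pass through."""
    out = []
    seen_exec = False
    for line in text.splitlines():
        if line.lstrip().startswith("Exec="):
            out.append(firejail_exec_line(line.lstrip(), profile))
            seen_exec = True
        else:
            out.append(line)
    if not seen_exec:
        raise ValueError("no Exec= key in service file")
    return "\n".join(out) + "\n"


def override_path(service_file: Path, data_home: Optional[Path] = None) -> Path:
    """Location of the user-level override for service_file."""
    if data_home is None:
        data_home = Path(os.environ.get("XDG_DATA_HOME") or Path.home() / ".local" / "share")
    return Path(data_home) / "dbus-1" / "services" / service_file.name


def install_override(service_file: Path, data_home: Optional[Path] = None,
                     profile: Optional[str] = None) -> Path:
    """Write the firejailed copy of service_file into the override directory."""
    target = override_path(service_file, data_home)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(firejail_service(service_file.read_text(), profile))
    return target


def demo(base_dir: Optional[Path] = None) -> Tuple[Path, str]:
    """Run the rewrite on the constructed sample inside a scratch directory.

    Returns the override path and its contents so the result can be checked
    without touching the real ~/.local/share.
    """
    import tempfile
    base = Path(base_dir) if base_dir else Path(tempfile.mkdtemp())
    src = base / "org.flameshot.Flameshot.service"
    src.write_text(SAMPLE_SERVICE)
    dst = install_override(src, data_home=base / "share", profile="flameshot")
    return dst, dst.read_text()


if __name__ == "__main__":
    path, contents = demo()
    print(f"wrote {path}:\n{contents}")
```

To use it on a real system, call `install_override(Path("/usr/share/dbus-1/services/org.flameshot.Flameshot.service"))` with no `data_home`; whether dbus-daemon notices the new file immediately or only after a session restart depends on how it was built, so verify afterwards with `firejail --list` that the activated instance appears as a sandbox.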
Author
Owner

@rusty-snake commented on GitHub (Apr 15, 2021):

> Upstream released v0.9.0.

FTR: https://github.com/netblue30/firejail/commit/2ae7295f1a8d24217ccbf0fef149df0042969b56#diff-9518649b216fa12a3455382e2f478f878d66e062c159f8b530973d0763865a66

> May I ask how you're doing that?
>
> Just wondering if you have any thoughts/recommendations on how to side-step these D-Bus activated applications in general, if any.

[firecfg.py](https://github.com/rusty-snake/firecfg.py) 😉
Group: https://github.com/rusty-snake/firecfg.py/blob/master/etc/groups/DBus
Code: https://github.com/rusty-snake/firecfg.py/blob/master/firecfg/dbus_service_firejailer.py

> I didn't see it crashing when manipulating that to run firejailed.

Maybe the crash is gone since I tested it.

Author
Owner

@ghost commented on GitHub (Apr 15, 2021):

@rusty-snake Very nice! I hadn't looked at your [firecfg.py](https://github.com/rusty-snake/firecfg.py) project in a while. Thanks for the specifics, I'll have to start using it, perhaps bring it into the AUR now that the Arch Wiki [mentions](https://wiki.archlinux.org/index.php/Firejail#Experimental_improved_tools) it.

Author
Owner

@rusty-snake commented on GitHub (Aug 4, 2021):

I'm closing here due to inactivity, please feel free to request to reopen if you have more questions.

Reference: github-starred/firejail#2524