[GH-ISSUE #4173] gnome-calculator hangs with 100% CPU #2563

Closed
opened 2026-05-05 09:14:16 -06:00 by gitea-mirror · 22 comments

Originally created by @dsprenkels on GitHub (Apr 8, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4173

Write clear, concise and in textual form.

Bug and expected behavior

On my computer starting gnome-calculator with firejail on (i.e., firejail --profile=/etc/firejail/gnome-calculator.profile /usr/bin/gnome-calculator) results in no window appearing and gnome-calculator running in the background with 100% CPU, until terminated manually.

No profile and disabling firejail

Running firejail --noprofile /usr/bin/gnome-calculator results in the program working correctly.

Reproduce
Steps to reproduce the behavior:

  1. Run in bash `firejail --profile=/etc/firejail/gnome-calculator.profile /usr/bin/gnome-calculator`

Environment

```
# Output of lsb_release -a
LSB Version:	1.4
Distributor ID:	Arch
Description:	Arch Linux
Release:	rolling
Codename:	n/a

# Output of firejail --version
firejail version 0.9.64.4

Compile time support:
	- AppArmor support is enabled
	- AppImage support is enabled
	- chroot support is enabled
	- D-BUS proxy support is enabled
	- file and directory whitelisting support is enabled
	- file transfer support is enabled
	- firetunnel support is enabled
	- networking support is enabled
	- overlayfs support is disabled
	- private-home support is enabled
	- private-cache and tmpfs as user enabled
	- SELinux support is disabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled
```

Additional context

I started commenting out lines from the profile, and seeing if I could get it to work. The bug was fixed when commenting `include disable-shell.inc` and `private-bin gnome-calculator`.

The resulting (fixed) profile:

[gnome-calculator.profile.txt](https://github.com/netblue30/firejail/files/6279351/gnome-calculator.profile.txt)

I do not know why gnome-calculator seems to need a shell in my environment, and what is different in my setup that this bug is being triggered. Though I'm happy to provide extra information.

Checklist

  - [x] The profile (and redirect profile if exists) hasn't already been fixed [upstream](https://github.com/netblue30/firejail/tree/master/etc).
  - [x] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`)
  - [x] I have performed a short search for similar issues (to avoid opening a duplicate).
  - [ ] If it is a AppImage, `--profile=PROFILENAME` is used to set the right profile. (n/a)
  - [x] Used `LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 PROGRAM` to get english error-messages.
  - [ ] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers.
  - [x] This is not a question. Questions should be asked in https://github.com/netblue30/firejail/discussions.

debug output
```
OUTPUT OF `firejail --profile=/etc/firejail/gnome-calculator.profile /usr/bin/gnome-calculator`

(gnome-calculator:7): dbind-WARNING **: 16:26:24.661: Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-F2n3hxZVuD: No such file or directory

** (gnome-calculator:7): WARNING **: 16:26:24.670: currency-provider.vala:234: Failed to read exchange rates: Failed to open file “/home/daan/.cache/gnome-calculator/rms_five.xls”: No such file or directory

** (gnome-calculator:7): WARNING **: 16:26:24.670: currency-provider.vala:376: Cannot use ECB rates as don't have EUR rate
```

@rusty-snake commented on GitHub (Apr 8, 2021):

Is /usr/bin/gnome-calculator a shell script in Arch?

Does it work with

```
include allow-bin-sh.inc
include disable-shell.inc
private-bin gnome-calculator,sh
```

BTW: I read your title as "gnome-calculator does not (start with 100% CPU)" instead of "gnome-calculator does (not start) with 100% CPU". Maybe "gnome-calculator does not start, consuming 100% CPU" would be more clear.


@ghost commented on GitHub (Apr 8, 2021):

I've reinstalled gnome-calculator on my Arch Linux box to test this. For now I cannot reproduce.

> ** (gnome-calculator:7): WARNING **: 16:26:24.670: currency-provider.vala:234: Failed to read exchange rates: Failed to open file “/home/daan/.cache/gnome-calculator/rms_five.xls”: No such file or directory
> ** (gnome-calculator:7): WARNING **: 16:26:24.670: currency-provider.vala:376: Cannot use ECB rates as don't have EUR rate

These warnings stem from gnome-calculator's 'Financial Mode', relying on currency exchange rates. As those rates fluctuate GC tries to cache them. It's not uncommon to see these warnings. They usually go away when caching succeeded until they are refreshed (controlled by a pref that comes with 'never', 'daily' or 'weekly'). This functionality is working fine for me with the current gnome-calculator.profile.

> I started commenting out lines from the profile, and seeing if I could get it to work. The bug was fixed when commenting include disable-shell.inc and private-bin gnome-calculator.

In your gnome-calculator.profile.txt I see `#caps.drop all` too. Is this a leftover from your attempt to fix whatever is happening to GC? Or do you actually need to have that commented too for the app to work?

> OUTPUT OF `firejail --profile=/etc/firejail/gnome-calculator.profile /usr/bin/gnome-calculator`

A proper debug log might be helpful in this context. Run `firejail --debug /usr/bin/gnome-calculator | tee ${HOME}/Downloads/gnome-calculator.debug.log`, use the app and attach the log file here please.


@jose1711 commented on GitHub (Apr 10, 2021):

Arch Linux x86_64 here too + cannot reproduce the issue


@dsprenkels commented on GitHub (Apr 13, 2021):

Somehow this comment did not get posted last time, and I did not notice, so let's try again:

> Is `/usr/bin/gnome-calculator` a shell script in Arch?

Nope. It's an ELF binary:

```
OUTPUT OF: file /usr/bin/gnome-calculator
/usr/bin/gnome-calculator: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=98f36ba39493146b31cf7dbd6411c2bae3e68831, for GNU/Linux 4.4.0, stripped
```

> Does it work with
> ```
> include allow-bin-sh.inc
> include disable-shell.inc
> private-bin gnome-calculator,sh
> ```

Nope. However, commenting out the `private-bin` directive again does fix it.

So presumably there is some binary that wants to be accessed. However, I cannot seem to find it:

strace -ff -e trace=process /usr/bin/gnome-calculator

```
OUTPUT OF: strace -ff -e trace=process /usr/bin/gnome-calculator
execve("/usr/bin/gnome-calculator", ["/usr/bin/gnome-calculator"], 0x7fff43a2c288 /* 67 vars */) = 0
clone(child_stack=0x7f82a1a91930, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTIDstrace: Process 138373 attached
, parent_tid=[138373], tls=0x7f82a1a92640, child_tidptr=0x7f82a1a92910) = 138373
[pid 138372] clone(child_stack=0x7f82a1290930, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[138374], tls=0x7f82a1291640, child_tidptr=0x7f82a1291910) = 138374
strace: Process 138374 attached
[pid 138372] clone(child_stack=0x7f829bffe930, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTIDstrace: Process 138375 attached
, parent_tid=[138375], tls=0x7f829bfff640, child_tidptr=0x7f829bfff910) = 138375
[pid 138372] clone(child_stack=0x7f829af96930, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTIDstrace: Process 138376 attached
, parent_tid=[138376], tls=0x7f829af97640, child_tidptr=0x7f829af97910) = 138376
[pid 138372] clone(child_stack=0x7f829a795930, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTIDstrace: Process 138377 attached
, parent_tid=[138377], tls=0x7f829a796640, child_tidptr=0x7f829a796910) = 138377
[pid 138372] clone(child_stack=0x7f8299f94930, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[138378], tls=0x7f8299f95640, child_tidptr=0x7f8299f95910) = 138378
strace: Process 138378 attached
[pid 138372] clone(child_stack=0x7f8299793930, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTIDstrace: Process 138379 attached
, parent_tid=[138379], tls=0x7f8299794640, child_tidptr=0x7f8299794910) = 138379
[pid 138378] exit(0)                    = ?
[pid 138378] +++ exited with 0 +++
[pid 138376] exit(0)                    = ?
[pid 138376] +++ exited with 0 +++
[pid 138379] exit(0)                    = ?
[pid 138379] +++ exited with 0 +++
[pid 138372] exit_group(0)              = ?
[pid 138377] +++ exited with 0 +++
[pid 138375] +++ exited with 0 +++
[pid 138374] +++ exited with 0 +++
[pid 138373] +++ exited with 0 +++
+++ exited with 0 +++
```

Also stracing file operations and grepping on `bin` gives no results:
[strace -ff -e trace=file /usr/bin/gnome-calculator](https://github.com/netblue30/firejail/files/6304026/strace.txt)

> In your gnome-calculator.profile.txt I see #caps.drop all too. Is this a leftover from your attempt to fix whatever is happening to GC? Or do you actually need to have that commented too for the app to work?

Yes, this was leftover from my debugging efforts. Changing this line has no impact on whether it works or not.

> A proper debug log might be helpful in this context. Run firejail --debug /usr/bin/gnome-calculator | tee ${HOME}/Downloads/gnome-calculator.debug.log, use the app and attach the log file here please.

Sure thing:

- [gnome-calculator.debug.log](https://github.com/netblue30/firejail/files/6304042/gnome-calculator.debug.log) (runs successfully)
- [gnome-calculator.debug-with-profile.log](https://github.com/netblue30/firejail/files/6304051/gnome-calculator.debug-with-profile.log) (profile enabled; hangs with 100% CPU)

@ghost commented on GitHub (Apr 13, 2021):

Thanks for clearing things up and providing the logs. I can't immediately spot anything fishy in those. Do you have anything in your globals.local that might interfere? Also, the gnome-calculator package on Arch Linux contains two executables in /usr/bin: gnome-calculator and gcalccmd. The latter has its own separate firejail profile BTW. And then there's gnome-calculator-search-provider in /usr/lib. So here's another 'wild' guess to try:

```
include allow-bin-sh.inc
include disable-shell.inc
private-bin gcalccmd,gnome-calculato*,sh
```

EDIT: that doesn't make any sense and I would be surprised if it fixed your issue. Still can't explain why I cannot reproduce. Could be a tough nut to crack...


@rusty-snake commented on GitHub (Apr 14, 2021):

Does firejail --build gnome-calculator show anything interesting in the generated private-bin line?


@dsprenkels commented on GitHub (Apr 16, 2021):

Ok. After adding this line:

```
private-bin gcalccmd,gnome-calculato*,sh
```

it worked. But when I started removing gcalccmd and other parts it kept working, until I had:

```
private-bin gnome-calculator,sh
```

When I looked at the line that I used previously: `private-bin gnome-calculator, sh, bash`.
I was unaware that the extra spaces after the commas would break this line.

Removing that single space before `sh` fixed the issue. Though I still do not know why on my setup `gnome-calculator` needs a shell.


@ghost commented on GitHub (Apr 16, 2021):

> I was unaware that the extra spaces after the commas would break this line.

Extra spaces indeed break several of firejail's options. Too bad you had to discover this the hard way. I for one also missed it in trying to figure out what was happening on your system. Lesson learned all round I guess.

> Though I still do not know why on my setup gnome-calculator needs a shell.

Can't explain that either. Looking at your posted gnome-calculator.debug-with-profile.log once more, the only override we haven't looked at yet is globals.local. Anything in there that might be related?


@dsprenkels commented on GitHub (Apr 16, 2021):

My globals.local's content is only:

```
noblacklist /volume1/daan
```

I don't think that should matter.

EDIT: Just to be sure, I double-checked this. As expected, it does not fix the problem.


@dsprenkels commented on GitHub (Apr 16, 2021):

> > I was unaware that the extra spaces after the commas would break this line.
>
> Extra spaces indeed break several of firejail's options. Too bad you had to discover this the hard way. I for one also missed it in trying to figure out what was happening on your system. Lesson learned all round I guess.

Would it maybe be an idea to add a warning when this occurs?


@ghost commented on GitHub (Apr 16, 2021):

That one-line globals.local is indeed irrelevant in this context, which keeps the hunt ongoing for why you need sh in the first place.

> Would it maybe be an idea to add a warning when this occurs?

That sure is a sound idea. I'll add the enhancement tag to this to attract more attention to such a feature. Fingers crossed and if you ever find out why your gnome-calculator needs sh, please add that here.
EDIT: perhaps you can add something like "private-bin containing spaces break without error" to the issue title to better reflect this


@rusty-snake commented on GitHub (Apr 16, 2021):

FTR: Spaces in files/paths in firejail profiles need no escape because they are treated as any other char. Therefore `private-bin gnome-calculator, sh` tells firejail to create a private-bin with `gnome-calculator` and ` sh` (leading space). That's the expected and wanted behaviour (ATM). However files starting/ending with a space are very uncommon because you can see it depending on the display context. Showing an error for these cases should not break any real existing case.
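
The behaviour described in the comment above, as an added example that is not part of the original thread or of firejail's code: a small profile linter that splits `private-bin` values on commas only, so padded entries such as ` sh` become visible. The names `lint_profile`, `fixed_line` and `SAMPLE_PROFILE` are constructed for illustration, and the linter assumes the directive name is followed by a single space; other list directives can be passed in explicitly.

```python
from dataclasses import dataclass

# Directive discussed in this thread. Other comma-list directives can be
# passed to the functions below by the caller.
LIST_DIRECTIVES = ("private-bin",)


@dataclass(frozen=True)
class Finding:
    lineno: int
    directive: str
    entry: str       # entry exactly as a comma-only split yields it
    suggestion: str  # the same entry without surrounding whitespace


def parse_list_directive(line, directives=LIST_DIRECTIVES):
    """Return (directive, entries) for a list directive line, else None.

    Entries are split on commas only; spaces stay part of each entry,
    which is the behaviour described in the thread.
    """
    stripped = line.lstrip()
    if not stripped or stripped.startswith("#"):
        return None  # blank line or commented-out directive
    name, sep, value = stripped.partition(" ")
    if not sep or name not in directives:
        return None
    return name, value.split(",")


def lint_profile(text, directives=LIST_DIRECTIVES):
    """Report every list entry that carries leading or trailing whitespace."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        parsed = parse_list_directive(line, directives)
        if parsed is None:
            continue
        name, entries = parsed
        for entry in entries:
            if entry != entry.strip():
                findings.append(Finding(lineno, name, entry, entry.strip()))
    return findings


def fixed_line(line, directives=LIST_DIRECTIVES):
    """Rewrite a list directive line with unpadded entries; other lines pass through."""
    parsed = parse_list_directive(line, directives)
    if parsed is None:
        return line
    name, entries = parsed
    return name + " " + ",".join(e.strip() for e in entries if e.strip())


# Constructed sample, not the shipped gnome-calculator.profile. The last
# line is the padded private-bin line quoted in the thread.
SAMPLE_PROFILE = """\
# constructed sample profile
include allow-bin-sh.inc
include disable-shell.inc
private-bin gnome-calculator, sh, bash
"""

if __name__ == "__main__":
    for f in lint_profile(SAMPLE_PROFILE):
        # repr() makes the otherwise invisible padding explicit
        print(f"line {f.lineno}: {f.directive} entry {f.entry!r} "
              f"is padded; did you mean {f.suggestion!r}?")
    for line in SAMPLE_PROFILE.splitlines():
        if line != fixed_line(line):
            print("suggested:", fixed_line(line))
```
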


@dsprenkels commented on GitHub (Apr 16, 2021):

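Ok. I narrowed down the bug to https://github.com/libproxy/libproxy/blob/cd619d3e9d683237f6317f979d5c6a7290d7e429/libproxy/modules/config_gnome3.cpp#L128-L161, in particular this loop: https://github.com/libproxy/libproxy/blob/cd619d3e9d683237f6317f979d5c6a7290d7e429/libproxy/modules/config_gnome3.cpp#L158-L160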

I may look into the cause of the bug a bit more; or just open an issue in the libproxy repo. In any case, feel free to close this issue.


@rusty-snake commented on GitHub (Apr 16, 2021):

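Call to `popen2`: https://github.com/libproxy/libproxy/blob/cd619d3e9d683237f6317f979d5c6a7290d7e429/libproxy/modules/config_gnome3.cpp#L147
`execl` `/bin/sh`: https://github.com/libproxy/libproxy/blob/cd619d3e9d683237f6317f979d5c6a7290d7e429/libproxy/modules/config_gnome3.cpp#L101

EDIT: used to start `/usr/libexec/pxgsettings`

EDIT2: Any non-default in `gsettings list-recursively org.gnome.system.proxy`?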


@dsprenkels commented on GitHub (Apr 16, 2021):

My `gsettings list-recursively org.gnome.system.proxy` contents:

```
org.gnome.system.proxy ignore-hosts ['localhost', '127.0.0.0/8', '::1']
org.gnome.system.proxy use-same-proxy true
org.gnome.system.proxy mode 'none'
org.gnome.system.proxy autoconfig-url ''
org.gnome.system.proxy.http use-authentication false
org.gnome.system.proxy.http enabled false
org.gnome.system.proxy.http authentication-password ''
org.gnome.system.proxy.http port 8080
org.gnome.system.proxy.http host ''
org.gnome.system.proxy.http authentication-user ''
org.gnome.system.proxy.https port 0
org.gnome.system.proxy.https host ''
org.gnome.system.proxy.ftp port 0
org.gnome.system.proxy.ftp host ''
org.gnome.system.proxy.socks port 0
org.gnome.system.proxy.socks host ''
```

It doesn't look like there is anything weird in there.


I patched libproxy to provide me with some output to actually test that it is actually that specific while loop that is breaking. It is.
However, when I run gnome-calculator outside of firejail, it looks like that function never gets called.

I am currently starting gnome-calculator and then attaching to it with gdb from a different shell using root permissions. However, I am too late to debug the beginning of the program this way. Do some of you have any advice on how to run gdb directly inside firejail (or start the program without actually running it)?


@dsprenkels commented on GitHub (Apr 16, 2021):

Additionally: I checked that the call to `execl` actually fails (it does). So I guess adding a check in that file to see if `sh` exists, before executing it, should probably fix the 100% CPU error. Though it would still be unclear why (in my obscure case) `gnome-calculator` actually needs to start `/usr/libexec/pxgsettings`, while in other setups it doesn't.
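The failure mode described in the comment above, as an added example that is not part of the original thread and is not libproxy's code: instead of testing for `sh` beforehand, the child reports a failed `execl` to the parent through a close-on-exec pipe, so the caller gets an error immediately rather than waiting on a helper that never started. The name `spawn_via_shell` and its signature are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper, not libproxy code: run `cmd` through `shell -c`.
 * Returns the child's pid once exec has succeeded, or -1 with errno set to
 * the reason (ENOENT when the sandbox provides no shell). */
pid_t spawn_via_shell(const char *shell, const char *cmd)
{
    int st[2], err = 0;
    ssize_t n;

    if (pipe(st) == -1)
        return -1;
    /* Close-on-exec: a successful exec closes the write end, so the
     * parent's read() returns EOF instead of an error code. */
    if (fcntl(st[1], F_SETFD, FD_CLOEXEC) == -1) {
        close(st[0]);
        close(st[1]);
        return -1;
    }
    pid_t pid = fork();
    if (pid == -1) {
        close(st[0]);
        close(st[1]);
        return -1;
    }
    if (pid == 0) {                       /* child */
        close(st[0]);
        execl(shell, "sh", "-c", cmd, (char *)NULL);
        err = errno;                      /* reached only if exec failed */
        if (write(st[1], &err, sizeof err) != (ssize_t)sizeof err)
            _exit(126);
        _exit(127);
    }
    close(st[1]);                         /* parent keeps the read end only */
    do {
        n = read(st[0], &err, sizeof err);
    } while (n == -1 && errno == EINTR);
    close(st[0]);
    if (n == 0)
        return pid;                       /* EOF: the shell is running */
    /* exec failed: reap the child, then report why to the caller */
    while (waitpid(pid, NULL, 0) == -1 && errno == EINTR)
        ;
    errno = (n == (ssize_t)sizeof err) ? err : EIO;
    return -1;
}
```

Under a profile with `include disable-shell.inc` and a `private-bin` list without `sh`, a caller of this helper would see `-1` with `ENOENT` and could skip the helper instead of polling for its output.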


@rusty-snake commented on GitHub (Apr 16, 2021):

> Though it would still be unclear why (in my obscure case) gnome-calculator actually needs to start /usr/libexec/pxgsettings, while in other setups it doesn't.

I did not even have this file / libproxy installed. @glitsj16 you?


@ghost commented on GitHub (Apr 16, 2021):

> I did not even have this file / libproxy installed. @glitsj16 you?

No trace of /usr/libexec/pxgsettings on my Arch. I do have libproxy installed as a dependency for qt5-base, but my libproxy package contains /usr/lib/pxgsettings, not that libexec path

```
$ pacman -Q libproxy
libproxy 0.4.17-1
```

@dsprenkels Are you sure you are running a fully updated Arch Linux?

FTR, I have the same gsettings. I run firejail with `network no` and `restricted-network yes` BTW, no clue if that would make this kind of difference.


@dsprenkels commented on GitHub (May 4, 2021):

> @dsprenkels Are you sure you are running a fully updated Arch Linux?

I am sure I tested this using an updated Arch installation. It's weird.

```
12:36:41 [daan:~] 127 $ pacman -Qo /usr/libexec/pxgsettings
error: No package owns /usr/libexec/pxgsettings
```

~~Ok, this is probably the problem. Let me investigate this further.~~

No, the file does not exist. This is expected.


@dsprenkels commented on GitHub (May 4, 2021):

I will close this issue for now. I feel bad exhausting your time tracking down such an obscure bug.

I will try investigating further myself, and report back if I find a cause or fix.


@jserafim commented on GitHub (Aug 30, 2022):

I'm having this exact issue, except that my environment is a bit different:

```
# Output of lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 22.04.1 LTS
Release:	22.04
Codename:	jammy

# Output of firejail --version
firejail version 0.9.70

Compile time support:
	- always force nonewprivs support is disabled
	- AppArmor support is enabled
	- AppImage support is enabled
	- chroot support is enabled
	- D-BUS proxy support is enabled
	- file transfer support is enabled
	- firetunnel support is enabled
	- IDS support is enabled
	- networking support is enabled
	- output logging is enabled
	- overlayfs support is disabled
	- private-home support is enabled
	- private-cache and tmpfs as user enabled
	- SELinux support is enabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled
```

The quick workaround I'm using to avoid this:

```
$ cat ~/.config/firejail/gnome-calculator.profile
private-bin gnome-calculator,sh
ignore include disable-shell.inc
include /etc/firejail/gnome-calculator.profile
```

Edit:
As suggested by @rusty-snake, if I understood correctly:

```
$ cat /etc/firejail/gnome-calculator.local
private-bin gnome-calculator,sh
ignore include disable-shell.inc
```

@rusty-snake commented on GitHub (Aug 30, 2022):

> ```
> $ cat ~/.config/firejail/gnome-calculator.profile
> private-bin gnome-calculator,sh
> ignore include disable-shell.inc
> include /etc/firejail/gnome-calculator.profile
> ```

OT: Use locals

Reference: github-starred/firejail#2563