github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #4494] skypeforlinux - systray icon not shown #2683

New issue
Closed
opened 2026-05-05 09:20:39 -06:00 by gitea-mirror · 12 comments
gitea-mirror commented 2026-05-05 09:20:39 -06:00
Owner
Copy link

Originally created by @T200proX7 on GitHub (Aug 30, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4494

I found out that skypeforlinux has a /usr/bin/skypeforlinux (shellscript) that sets some envs and then starts /usr/share/skypeforlinux/skypeforlinux.

If you set directly in skype "starts on system startup" then skype sets a skypeforlinux.desktop file in the .config/autostart/ pointing directly to /usr/share/skypeforlinux/skypeforlinux -> circumvent firejail.

So i changed the path in the autostart file and prevent to be overwritten with chattr +i.

Now skype is starting obviously in the jail (at it looks like using ps aux | grep firejail, though there are several other processes without firejail upfront), but the problem is there are no icons in the systray.

I checked the filesystem for icons and it looks like that the icons itself are contained somehow in the skypeforlinux (electron binary) and it seems that the appindicator is not able to find these icons. (without firejail icons are shown perfectly)

Originally created by @T200proX7 on GitHub (Aug 30, 2021). Original GitHub issue: https://github.com/netblue30/firejail/issues/4494 I found out that skypeforlinux has a /usr/bin/skypeforlinux (shellscript) that sets some envs and then starts /usr/share/skypeforlinux/skypeforlinux. If you set directly in skype "starts on system startup" then skype sets a skypeforlinux.desktop file in the .config/autostart/ pointing directly to /usr/share/skypeforlinux/skypeforlinux -> circumvent firejail. So i changed the path in the autostart file and prevent to be overwritten with chattr +i. Now skype is starting obviously in the jail (at it looks like using ps aux | grep firejail, though there are several other processes without firejail upfront), but the problem is there are no icons in the systray. I checked the filesystem for icons and it looks like that the icons itself are contained somehow in the skypeforlinux (electron binary) and it seems that the appindicator is not able to find these icons. (without firejail icons are shown perfectly)
gitea-mirror 2026-05-05 09:20:39 -06:00
  • closed this issue
  • added the
    duplicate
         label
gitea-mirror commented 2026-05-05 09:20:42 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Aug 31, 2021):

Duplicate of #1137?

<!-- gh-comment-id:909322002 --> @rusty-snake commented on GitHub (Aug 31, 2021): Duplicate of #1137?
gitea-mirror commented 2026-05-05 09:20:43 -06:00
Author
Owner
Copy link

@yderi commented on GitHub (Oct 18, 2021):

Hello everyone

Are there any updates on how to fix it?

Currently, I'm using --nodbus as a workaround to show the Skype icon in the tray.
Don't know how much it worsens the security.

Currently in use:
firejail version 0.9.66
skypeforlinux version: 8.77
Ubuntu 21.10

<!-- gh-comment-id:945554093 --> @yderi commented on GitHub (Oct 18, 2021): Hello everyone Are there any updates on how to fix it? Currently, I'm using **--nodbus** as a workaround to show the Skype icon in the tray. Don't know how much it worsens the security. Currently in use: firejail version 0.9.66 skypeforlinux version: 8.77 Ubuntu 21.10
gitea-mirror commented 2026-05-05 09:20:45 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Oct 18, 2021):

Currently, I'm using --nodbus as a workaround to show the Skype icon in the tray.
Don't know how much it worsens the security.

--nodbus increases security.

<!-- gh-comment-id:945555995 --> @rusty-snake commented on GitHub (Oct 18, 2021): > Currently, I'm using --nodbus as a workaround to show the Skype icon in the tray. Don't know how much it worsens the security. `--nodbus` increases security.
gitea-mirror commented 2026-05-05 09:20:46 -06:00
Author
Owner
Copy link

@yderi commented on GitHub (Oct 18, 2021):

So, currently, if I start like:
firejail --nodbus /usr/bin/skypeforlinux %U
it works, but requires authentication every time you quit the Skype.

<!-- gh-comment-id:945619415 --> @yderi commented on GitHub (Oct 18, 2021): So, currently, if I start like: firejail --nodbus /usr/bin/skypeforlinux %U it works, but requires authentication every time you quit the Skype.
gitea-mirror commented 2026-05-05 09:20:47 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Oct 18, 2021):

Ok, the skype flatpak uses

dbus-user filter
dbus-user.own com.skype.Client
dbus-user.talk ca.desrt.dconf
dbus-user.talk org.kde.StatusNotifierWatcher
dbus-user.talk org.gtk.Notifications
dbus-user.talk org.freedesktop.Notifications
dbus-user.talk com.canonical.AppMenu.Registrar
dbus-user.talk org.gnome.GConf
dbus-user.talk org.freedesktop.secrets
dbus-system filter
dbus-system.talk org.freedesktop.NetworkManager
dbus-system.talk org.freedesktop.login1
dbus-system.talk org.bluez

which is 1. over permissive and 2. contains permissions that are very likely not used.
So can you try this (put it in ~/.config/firejail/skypeforlinux.local and start without --nodbus)

dbus-user filter
dbus-user.talk org.kde.StatusNotifierWatcher
dbus-user.talk org.freedesktop.Notifications
dbus-user.talk org.freedesktop.secrets
dbus-system none
<!-- gh-comment-id:945631251 --> @rusty-snake commented on GitHub (Oct 18, 2021): Ok, the skype flatpak uses ``` dbus-user filter dbus-user.own com.skype.Client dbus-user.talk ca.desrt.dconf dbus-user.talk org.kde.StatusNotifierWatcher dbus-user.talk org.gtk.Notifications dbus-user.talk org.freedesktop.Notifications dbus-user.talk com.canonical.AppMenu.Registrar dbus-user.talk org.gnome.GConf dbus-user.talk org.freedesktop.secrets dbus-system filter dbus-system.talk org.freedesktop.NetworkManager dbus-system.talk org.freedesktop.login1 dbus-system.talk org.bluez ``` which is 1. over permissive and 2. contains permissions that are very likely not used. So can you try this (put it in `~/.config/firejail/skypeforlinux.local` and start without `--nodbus`) ``` dbus-user filter dbus-user.talk org.kde.StatusNotifierWatcher dbus-user.talk org.freedesktop.Notifications dbus-user.talk org.freedesktop.secrets dbus-system none ```
gitea-mirror commented 2026-05-05 09:20:48 -06:00
Author
Owner
Copy link

@yderi commented on GitHub (Oct 18, 2021):

Created a local profile as you suggested, but then no icon in the system tray. So it is where we began from.
starting app as following:
firejail /usr/bin/skypeforlinux %U

<!-- gh-comment-id:945640095 --> @yderi commented on GitHub (Oct 18, 2021): Created a local profile as you suggested, but then no icon in the system tray. So it is where we began from. starting app as following: firejail /usr/bin/skypeforlinux %U
gitea-mirror commented 2026-05-05 09:20:49 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Oct 18, 2021):

Then try to extend it with dbus-user.own com.skype.Client (IDK if this is the right) and dbus-user.own org.kde.*. If this does not work, we either need a different name for the first own rule or change filesystem commands.

<!-- gh-comment-id:945645425 --> @rusty-snake commented on GitHub (Oct 18, 2021): Then try to extend it with `dbus-user.own com.skype.Client` (IDK if this is the right) and `dbus-user.own org.kde.*`. If this does not work, we either need a different name for the first own rule or change filesystem commands.
gitea-mirror commented 2026-05-05 09:20:50 -06:00
Author
Owner
Copy link

@yderi commented on GitHub (Oct 18, 2021):

Still no luck with either of them. Mean it starts but no systray icon is present.

<!-- gh-comment-id:945657644 --> @yderi commented on GitHub (Oct 18, 2021): Still no luck with either of them. Mean it starts but no systray icon is present.
gitea-mirror commented 2026-05-05 09:20:51 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Oct 18, 2021):

Then try to ignore private-tmp (#1137).

<!-- gh-comment-id:945662120 --> @rusty-snake commented on GitHub (Oct 18, 2021): Then try to `ignore private-tmp` (#1137).
gitea-mirror commented 2026-05-05 09:20:51 -06:00
Author
Owner
Copy link

@yderi commented on GitHub (Oct 18, 2021):

simply adding the statement:
ignore private-tmp

into the :
~/.config/firejail/skypeforlinux.local

allows starting the Skype and shows the systray icon.

Don't know what way is more secure in skypeforlinux.local

  1. using statement ignore private-tmp

  2. or use the

mkdir /tmp/FOO-tmp
whitelist /tmp/FOO-tmp
env TMPDIR=/tmp/FOO-tmp
env TMP=/tmp/FOO-tmp
<!-- gh-comment-id:945697641 --> @yderi commented on GitHub (Oct 18, 2021): simply adding the statement: `ignore private-tmp` into the : `~/.config/firejail/skypeforlinux.local` allows starting the Skype and shows the systray icon. Don't know what way is more secure in `skypeforlinux.local` 1. using statement `ignore private-tmp` 2. or use the ``` mkdir /tmp/FOO-tmp whitelist /tmp/FOO-tmp env TMPDIR=/tmp/FOO-tmp env TMP=/tmp/FOO-tmp ```
gitea-mirror commented 2026-05-05 09:20:52 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Oct 18, 2021):

If this works, it is the most secure one we have so far.

dbus-user filter
dbus-user.talk org.kde.StatusNotifierWatcher
dbus-user.talk org.freedesktop.Notifications
dbus-user.talk org.freedesktop.secrets
dbus-system none

mkdir /tmp/skype
whitelist /tmp/skype
env TMPDIR=/tmp/skype
env TMP=/tmp/skype

closing as duplicate of #1137.

<!-- gh-comment-id:945700747 --> @rusty-snake commented on GitHub (Oct 18, 2021): If this works, it is the most secure one we have so far. ``` dbus-user filter dbus-user.talk org.kde.StatusNotifierWatcher dbus-user.talk org.freedesktop.Notifications dbus-user.talk org.freedesktop.secrets dbus-system none mkdir /tmp/skype whitelist /tmp/skype env TMPDIR=/tmp/skype env TMP=/tmp/skype ``` closing as duplicate of #1137.
gitea-mirror commented 2026-05-05 09:20:52 -06:00
Author
Owner
Copy link

@yderi commented on GitHub (Oct 18, 2021):

I Confirm, the statement above works in my configuration (using skypeforlinux.local).

<!-- gh-comment-id:945708759 --> @yderi commented on GitHub (Oct 18, 2021): I Confirm, the statement above works in my configuration (using `skypeforlinux.local`).
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2683
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?