[GH-ISSUE #5581] Programs are not sandboxed by default in i3 #3033

Closed
opened 2026-05-05 09:40:49 -06:00 by gitea-mirror · 6 comments
Originally created by @alexmaloteaux on GitHub (Jan 11, 2023).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5581

When launching an X11 app, for instance `firejail firefox`, from i3 the app launches but is not sandboxed. `firejail --list` doesn't show any X11 app either.
Console apps, for instance top, are correctly sandboxed.

It is possible to launch i3 with a provided i3 profile, but what I would like to achieve is to launch i3 normally and then have all the per-app profiles applied from within i3. I tried from lxde on the same computer and it works flawlessly, so it looks i3 specific.

Does anybody have an idea if this is a normal feature, bug, misconfiguration, or if this has to be addressed from within i3 only?

Best Regards


@alexmaloteaux commented on GitHub (Jan 11, 2023):

Here is a log of launching firefox:

```console
$ firejail --apparmor  firefox
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-proc.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 125864, child pid 125867
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: NVIDIA card detected, nogroups command ignored
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Child process initialized in 346.80 ms

Parent is shutting down, bye...
```

@alexmaloteaux commented on GitHub (Jan 11, 2023):

After some testing, it looks like it works when using `--dbus-system=none`; notifications work too, so I will just close this.


@kmk3 commented on GitHub (Jan 11, 2023):

(Re-closing as "not planned" since nothing was changed in firejail)


@kmk3 commented on GitHub (Jan 11, 2023):

(Offtopic)

Please see the following links for how to format code blocks in markdown:

* <https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks>
* <https://github.github.com/gfm/#fenced-code-blocks>

@kmk3 commented on GitHub (Jan 11, 2023):

@alexmaloteaux [on Jan 11](https://github.com/netblue30/firejail/issues/5581#issue-1528201496):

> When launching an X11 app for instance `firejail firefox` from i3 the app
> launches but is not sandboxed. `firejail --list` doesn't show any X11 app
> either. Console apps, for instance top, are correctly sandboxed.
>
> It is possible to launch i3 with a provided i3 profile, but what I would like
> to achieve is to launch i3 normally and then have all the per-app profiles
> applied from within i3. I tried from lxde on the same computer and it works
> flawlessly so it looks i3 specific.

Basic debugging information is missing; please follow the bug report template:

* <https://github.com/netblue30/firejail/issues/new?assignees=&labels=&template=bug_report.md&title=>

Also, did you run `firecfg`?

What are the `Exec` lines in ~/.local/share/applications/firefox.desktop?
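The two questions in the comment above (was `firecfg` run, and what do the `Exec` lines say) can be answered mechanically. The script below is an added example, not code from the firejail project or from anyone in this thread. It checks whether every `Exec=` line of a .desktop file launches the program through firejail, which is the rewrite `firecfg` applies to `~/.local/share/applications`, and whether a program path is a firecfg-style symlink to the firejail binary. The .desktop files and symlinks it inspects are constructed in a temporary directory; on a real system you would point the same functions at `~/.local/share/applications/firefox.desktop` and `/usr/local/bin/firefox` (the firecfg symlink directory is an assumption here, not stated on the page).

```sh
#!/bin/sh
# Added example, not code from the firejail project or the issue author.
# Two checks for the questions raised in the thread:
#   1. Does a .desktop file's Exec= line launch the app through firejail
#      (the rewrite firecfg applies to ~/.local/share/applications)?
#   2. Is a program path a firecfg-style symlink to the firejail binary?
# Everything inspected below is constructed in a temporary directory.

# Print "sandboxed" if every Exec= line runs firejail, "unsandboxed" if any
# Exec= line bypasses it, and "no-exec" if the file has no Exec= line at all.
desktop_exec_status() {
    file=$1
    found=0
    bypass=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            Exec=*) ;;
            *) continue ;;
        esac
        found=1
        cmd=${line#Exec=}
        case "$cmd" in
            firejail|"firejail "*|"/usr/bin/firejail "*) ;;
            *) bypass=1 ;;
        esac
    done < "$file"
    if [ "$found" -eq 0 ]; then
        echo "no-exec"
    elif [ "$bypass" -eq 0 ]; then
        echo "sandboxed"
    else
        echo "unsandboxed"
    fi
}

# Print "firecfg-link" if the path is a symlink whose target is named
# firejail (what firecfg creates for each configured program), else "plain".
firecfg_link_status() {
    path=$1
    if [ -L "$path" ]; then
        target=$(readlink "$path")
        case "$target" in
            firejail|*/firejail) echo "firecfg-link"; return ;;
        esac
    fi
    echo "plain"
}

# Constructed sample data (not real system files).
tmp=$(mktemp -d)
cat > "$tmp/firefox-plain.desktop" <<'EOF'
[Desktop Entry]
Name=Firefox
Exec=firefox %u
[Desktop Action new-window]
Exec=firefox --new-window %u
EOF
cat > "$tmp/firefox-firecfg.desktop" <<'EOF'
[Desktop Entry]
Name=Firefox
Exec=firejail firefox %u
[Desktop Action new-window]
Exec=firejail firefox --new-window %u
EOF
: > "$tmp/firejail"                  # stand-in for the firejail binary
ln -s "$tmp/firejail" "$tmp/firefox" # the symlink firecfg would create
: > "$tmp/top"                       # a plain binary with no symlink

for f in "$tmp/firefox-plain.desktop" "$tmp/firefox-firecfg.desktop"; do
    printf '%s: %s\n' "$(basename "$f")" "$(desktop_exec_status "$f")"
done
printf 'firefox: %s\n' "$(firecfg_link_status "$tmp/firefox")"
printf 'top: %s\n' "$(firecfg_link_status "$tmp/top")"
```

A .desktop file whose `Exec=` line names the browser directly is started by the launcher exactly as written, so the firecfg symlink never comes into play; that is the situation the reporter is being asked to rule out. Note that the second check only tells you a symlink exists, not that it comes first in the launcher's `PATH`.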

@rusty-snake commented on GitHub (Jan 11, 2023):

OT: In general, questions should be asked in Discussions.

Reference: github-starred/firejail#3033