[GH-ISSUE #5897] Shell script fails to kill-off child processes upon app closure and sandbox termination

gitea-mirror commented

2026-05-05 09:45:42 -06:00

Owner

Originally created by @TeusLollo on GitHub (Jul 11, 2023).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5897

Description

It seems that, at least on non-systemd distros (Utilizing runit as init, in my case) varying zombie processes are leftover upon sandbox termination given interaction with dbus-launch gsettings command (Which, on non-systemd distros, is largely necessary to properly set-up custom GTK themes, icons, cursors, and similar) in a custom script.

May be at least partially related to https://github.com/netblue30/firejail/issues/3949 and https://github.com/netblue30/firejail/issues/3224

Steps to Reproduce

It is given the following:

A non-systemd distro (Void Linux, in my case, which runs on runit as init system)
sway as window manager.
No login manager (sway is run on a custom config through a custom script)
A LibreWolf AppImage (From https://gitlab.com/librewolf-community/browser/appimage/-/packages)

A custom .local/share/applications/LibreWolf_Firejailed/ freedesktop-based app setup, which operates as follows:

LibreWolf_Firejailed.desktop

[Desktop Entry]
Version=1.0
Type=Application
Name=LibreWolf (Firejailed)
Comment=LibreWolf Web Browser In A Firejail
Exec=$HOME/.local/share/applications/LibreWolf_Firejailed/librewolf_firejailed.sh
Icon=$HOME/.local/share/applications/LibreWolf_Firejailed/LibreWolf_Firejailed.png
Terminal=false
StartupNotify=false
Categories=Application;Network;

Hence, LibreWolf_Firejailed.desktop loads librewolf_firejailed.sh, the latter being thus compiled:

#!/bin/sh

# usage: import-gsettings
config="${XDG_CONFIG_HOME:-$HOME/.config}/gtk-3.0/settings.ini"
if [ ! -f "$config" ]; then exit 1; fi

gnome_schema="org.gnome.desktop.interface"

gtk_theme="$(grep 'gtk-theme-name' "$config" | sed 's/.*\s*=\s*//')"
icon_theme="$(grep 'gtk-icon-theme-name' "$config" | sed 's/.*\s*=\s*//')"
cursor_theme="$(grep 'gtk-cursor-theme-name' "$config" | sed 's/.*\s*=\s*//')"
font_name="$(grep 'gtk-font-name' "$config" | sed 's/.*\s*=\s*//')"

dbus-launch gsettings set "$gnome_schema" gtk-theme "$gtk_theme"
dbus-launch gsettings set "$gnome_schema" icon-theme "$icon_theme"
dbus-launch gsettings set "$gnome_schema" cursor-theme "$cursor_theme"
dbus-launch gsettings set "$gnome_schema" font-name "$font_name"

firejail --appimage --apparmor --profile="$HOME/.local/share/applications/LibreWolf_Firejailed/librewolf_firejailed.profile" "$HOME/.bin/LibreWolf.x86_64.AppImage"

Thus, librewolf_firejailed.sh executes dbus-launch gsettings to import relevant custom theming, and relies upon a custom librewolf_firejailed.profile, the latter being here described:

# Firejail profile for Librewolf
# Description: Firefox fork based on privacy
# This file is overwritten after every install/update
# Persistent local customizations
include librewolf.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/.cache/librewolf
noblacklist ${HOME}/.librewolf
noblacklist ${HOME}/.local/share/applications/LibreWolf_Firejailed
#noblacklist ${HOME}/.themes
#noblacklist ${HOME}/.icons
noblacklist ${HOME}/.config/glib-2.0

mkdir ${HOME}/.cache/librewolf
mkdir ${HOME}/.librewolf
whitelist ${HOME}/.cache/librewolf
whitelist ${HOME}/.librewolf
whitelist ${HOME}/.local/share/applications/LibreWolf_Firejailed
#whitelist ${HOME}/.themes
#whitelist ${HOME}/.icons
whitelist ${HOME}/.config/glib-2.0

# Add the next lines to your librewolf.local if you want to use the migration wizard.
#noblacklist ${HOME}/.mozilla
#whitelist ${HOME}/.mozilla

# To enable KeePassXC Plugin add one of the following lines to your librewolf.local.
# NOTE: start KeePassXC before Librewolf and keep it open to allow communication between them.
#whitelist ${RUNUSER}/kpxc_server
#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer

whitelist /usr/share/doc
whitelist /usr/share/gtk-doc/html
whitelist /usr/share/librewolf
whitelist /usr/share/mozilla
whitelist /usr/share/webext
include whitelist-usr-share-common.inc

# Add the next line to your librewolf.local to enable private-bin (Arch Linux).
#private-bin dbus-launch,dbus-send,librewolf,sh
# Add the next line to your librewolf.local to enable private-etc.
# NOTE: private-etc must first be enabled in firefox-common.local.
#private-etc librewolf

dbus-user filter
dbus-user.own io.gitlab.librewolf.*
dbus-user.own org.mozilla.librewolf.*
# Add the next line to your librewolf.local to enable native notifications.
#dbus-user.talk org.freedesktop.Notifications
# Add the next line to your librewolf.local to allow inhibiting screensavers.
#dbus-user.talk org.freedesktop.ScreenSaver
# Add the next lines to your librewolf.local for plasma browser integration.
#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
#dbus-user.talk org.kde.JobViewServer
#dbus-user.talk org.kde.kuiserver
# Add the next line to your librewolf.local to allow screensharing under Wayland.
#dbus-user.talk org.freedesktop.portal.Desktop
# Also add the next line to your librewolf.local if screensharing does not work with
# the above lines (depends on the portal implementation).
#ignore noroot
ignore apparmor
ignore dbus-user none

# Redirect
include firefox-common.profile

Expected behavior

This fairly involved custom setup was necessary on my side to properly sandbox an AppImage-based browser, and correctly import $gnome_schema variables. Indeed, the AppImage-based browser runs perfectly, and correctly imports system themes with this setup (While, without utilizing the dbus-launch gsettings-based schemes, it would absolutely not import custom theming), while otherwise appearing to be properly firejailed. However...

Actual behavior

...It appears that, although the AppImage-based browser runs fine, and is properly terminated by the sway WM (Default keys Super + Shift + Q, depending on sway config, thus I remark that the AppImage-based browser is closed-down by the WM), child processes presumably spawned by the dbus-launch gsettings commands to remain lingering after the sandbox has been closed.

In fact:

syslog reports the following:

2023-07-11T11:34:26.64089 daemon.info: Jul 11 13:34:26 dbus-daemon[2576]: [session uid=1000 pid=2574] Activating service name='ca.desrt.dconf' requested by ':1.0' (uid=1000 pid=2572 comm="gsettings set org.gnome.desktop.interface gtk-them")

2023-07-11T11:34:26.64297 daemon.info: Jul 11 13:34:26 dbus-daemon[2576]: [session uid=1000 pid=2574] Successfully activated service 'ca.desrt.dconf'

2023-07-11T11:34:26.64899 daemon.info: Jul 11 13:34:26 dbus-daemon[2590]: [session uid=1000 pid=2588] Activating service name='ca.desrt.dconf' requested by ':1.0' (uid=1000 pid=2586 comm="gsettings set org.gnome.desktop.interface icon-the")

2023-07-11T11:34:26.65153 daemon.info: Jul 11 13:34:26 dbus-daemon[2590]: [session uid=1000 pid=2588] Successfully activated service 'ca.desrt.dconf'

2023-07-11T11:34:26.65867 daemon.info: Jul 11 13:34:26 dbus-daemon[2604]: [session uid=1000 pid=2602] Activating service name='ca.desrt.dconf' requested by ':1.0' (uid=1000 pid=2600 comm="gsettings set org.gnome.desktop.interface cursor-t")

2023-07-11T11:34:26.66170 daemon.info: Jul 11 13:34:26 dbus-daemon[2604]: [session uid=1000 pid=2602] Successfully activated service 'ca.desrt.dconf'

2023-07-11T11:34:26.67066 daemon.info: Jul 11 13:34:26 dbus-daemon[2618]: [session uid=1000 pid=2616] Activating service name='ca.desrt.dconf' requested by ':1.0' (uid=1000 pid=2614 comm="gsettings set org.gnome.desktop.interface font-nam")

2023-07-11T11:34:26.67510 daemon.info: Jul 11 13:34:26 dbus-daemon[2618]: [session uid=1000 pid=2616] Successfully activated service 'ca.desrt.dconf'

2023-07-11T11:34:26.73120 kern.info: [  237.206014] loop0: detected capacity change from 0 to 210994
2023-07-11T11:34:26.73910 kern.info: [  237.213648] loop0: detected capacity change from 210994 to 210616
2023-07-11T11:34:26.74713 kern.info: [  237.222142] squashfs: version 4.0 (2009/01/31) Phillip Lougher

2023-07-11T11:35:03.74315 daemon.info: Jul 11 13:35:03 dbus-daemon[3116]: [session uid=1000 pid=3114] Activating service name='ca.desrt.dconf' requested by ':1.0' (uid=1000 pid=3112 comm="gsettings set org.gnome.desktop.interface gtk-them")

2023-07-11T11:35:03.74552 daemon.info: Jul 11 13:35:03 dbus-daemon[3116]: [session uid=1000 pid=3114] Successfully activated service 'ca.desrt.dconf'

It never however reports on those dbus-daemon being terminated. Also:

pstree:

      ├─sh───librewolf_firej───firejail─┬─0───2*[{0}]
      │                                 └─firejail───librewolf─┬─Isolated Web Co───23*[{Isolated Web Co}]
      │                                                        ├─Isolated Web Co───22*[{Isolated Web Co}]
      │                                                        ├─Isolated Web Co───24*[{Isolated Web Co}]
      │                                                        ├─Privileged Cont───23*[{Privileged Cont}]
      │                                                        ├─Socket Process───4*[{Socket Process}]
      │                                                        ├─Web Content───17*[{Web Content}]
      │                                                        ├─2*[Web Content───18*[{Web Content}]]
      │                                                        ├─WebExtensions───22*[{WebExtensions}]
      │                                                        ├─librewolf
      │                                                        └─117*[{librewolf}]

Those dbus-daemon are not visible on pstree. And also:

firejail --list:

4486:username::firejail --appimage --apparmor --profile=/home/username/.local/share/applications/LibreWolf_Firejailed/librewolf_firejailed.profile /home/username/.bin/LibreWolf.x86_64.AppImage

Indeed, firejail --list does not list such dbus-daemon.

ps auxf, however:

username       2576  0.0  0.0   3240  1840 ?        Ss   13:34   0:00 /usr/bin/dbus-daemon --syslog --fork --print-pid 5 --print-address 7 --session

username       2582  0.0  0.0 229032  4252 ?        Sl   13:34   0:00 /usr/libexec/dconf-service

username       2590  0.0  0.0   3240  1780 ?        Ss   13:34   0:00 /usr/bin/dbus-daemon --syslog --fork --print-pid 5 --print-address 7 --session

username       2596  0.0  0.0 229032  4160 ?        Sl   13:34   0:00 /usr/libexec/dconf-service

username       2604  0.0  0.0   3240  1932 ?        Ss   13:34   0:00 /usr/bin/dbus-daemon --syslog --fork --print-pid 5 --print-address 7 --session

username       2610  0.0  0.0 229032  4308 ?        Sl   13:34   0:00 /usr/libexec/dconf-service

username       2618  0.0  0.0   3240  1800 ?        Ss   13:34   0:00 /usr/bin/dbus-daemon --syslog --fork --print-pid 5 --print-address 7 --session

username       2624  0.0  0.0 229032  4204 ?        Sl   13:34   0:00 /usr/libexec/dconf-service

username       3116  0.0  0.0   3240  1776 ?        Ss   13:35   0:00 /usr/bin/dbus-daemon --syslog --fork --print-pid 5 --print-address 7 --session

username       3122  0.0  0.0 229032  4208 ?        Sl   13:35   0:00 /usr/libexec/dconf-service

username       3130  0.0  0.0   3240  1848 ?        Ss   13:35   0:00 /usr/bin/dbus-daemon --syslog --fork --print-pid 5 --print-address 7 --session

username       3136  0.0  0.0 229032  4320 ?        Sl   13:35   0:00 /usr/libexec/dconf-service

username       3144  0.0  0.0   3240  1856 ?        Ss   13:35   0:00 /usr/bin/dbus-daemon --syslog --fork --print-pid 5 --print-address 7 --session

username       3150  0.0  0.0 229032  4296 ?        Sl   13:35   0:00 /usr/libexec/dconf-service

username       3158  0.0  0.0   3240  1764 ?        Ss   13:35   0:00 /usr/bin/dbus-daemon --syslog --fork --print-pid 5 --print-address 7 --session

username       3164  0.0  0.0 229032  4324 ?        Sl   13:35   0:00 /usr/libexec/dconf-service

username       4416  0.0  0.0   2612   924 ?        S    13:37   0:00 sh -c $HOME/.local/share/applications/LibreWolf_Firejailed/librewolf_firejailed.sh

username       4417  0.0  0.0   2612   952 ?        S    13:37   0:00  \_ /bin/sh /home/username/.local/share/applications/LibreWolf_Firejailed/librewolf_firejailed.sh

username       4486  0.0  0.0   4348  2572 ?        S    13:37   0:00      \_ firejail --appimage --apparmor --profile=/home/username/.local/share/applications/LibreWolf_Firejailed/librewolf_firejailed.profile /home/username/.bi

username       4487  0.0  0.0 229012  4340 ?        Sl   13:37   0:00          \_ /usr/bin/xdg-dbus-proxy --fd=4 --args=5

username       4490  0.0  0.0   4360  2256 ?        S    13:37   0:00          \_ firejail --appimage --apparmor --profile=/home/username/.local/share/applications/LibreWolf_Firejailed/librewolf_firejailed.profile /home/username

username       4496  9.7  3.9 11977704 648244 ?     Sl   13:37   6:03              \_ librewolf

username       4605  0.0  0.2 209736 36180 ?        Sl   13:37   0:00                  \_ /run/firejail/appimage/librewolf -contentproc -parentBuildID 20230419103845 -prefsLen 23634 -prefMapSize 232816 -appDir /run/fir

username       4649  0.0  0.6 2527800 98696 ?       Sl   13:37   0:00                  \_ /run/firejail/appimage/librewolf -contentproc -childID 1 -isForBrowser -prefsLen 23775 -prefMapSize 232816 -jsInitLen 240056 -pa

username       4681  0.0  0.0      0     0 ?        Z    13:37   0:00                  \_ [librewolf] <defunct>

username       4734  0.3  1.0 19663788 166824 ?     Sl   13:37   0:11                  \_ /run/firejail/appimage/librewolf -contentproc -childID 2 -isForBrowser -prefsLen 27554 -prefMapSize 232816 -jsInitLen 240056 -pa

username       4817  5.1  1.3 2714952 226272 ?      Sl   13:37   3:11                  \_ /run/firejail/appimage/librewolf -contentproc -childID 3 -isForBrowser -prefsLen 24390 -prefMapSize 232816 -jsInitLen 240056 -pa

username       5639  0.0  1.0 2632096 173636 ?      Sl   13:44   0:02                  \_ /run/firejail/appimage/librewolf -contentproc -childID 8 -isForBrowser -prefsLen 24423 -prefMapSize 232816 -jsInitLen 240056 -pa

username       6412  0.0  0.9 2601332 159220 ?      Sl   13:49   0:01                  \_ /run/firejail/appimage/librewolf -contentproc -childID 9 -isForBrowser -prefsLen 24423 -prefMapSize 232816 -jsInitLen 240056 -pa

username       7649  0.0  0.7 2544700 121196 ?      Sl   14:02   0:00                  \_ /run/firejail/appimage/librewolf -contentproc -childID 11 -isForBrowser -prefsLen 24423 -prefMapSize 232816 -jsInitLen 240056 -p

username       7652  0.2  0.9 2589096 162544 ?      Sl   14:02   0:04                  \_ /run/firejail/appimage/librewolf -contentproc -childID 12 -isForBrowser -prefsLen 24423 -prefMapSize 232816 -jsInitLen 240056 -p

username      10325  0.0  0.4 2498420 74072 ?       Sl   14:36   0:00                  \_ /run/firejail/appimage/librewolf -contentproc -childID 15 -isForBrowser -prefsLen 24504 -prefMapSize 232816 -jsInitLen 240056 -p

username      10786  0.0  0.4 2498420 73532 ?       Sl   14:37   0:00                  \_ /run/firejail/appimage/librewolf -contentproc -childID 16 -isForBrowser -prefsLen 24504 -prefMapSize 232816 -jsInitLen 240056 -p

username      10831  0.0  0.4 2498420 74176 ?       Sl   14:37   0:00                  \_ /run/firejail/appimage/librewolf -contentproc -childID 17 -isForBrowser -prefsLen 24504 -prefMapSize 232816 -jsInitLen 240056 -p

username      10865  1.3  0.7 2572676 120712 ?      Sl   14:37   0:01                  \_ /run/firejail/appimage/librewolf -contentproc -childID 18 -isForBrowser -prefsLen 28325 -prefMapSize 232816 -jsInitLen 240056 -p

username       4434  0.0  0.0   3240  1824 ?        Ss   13:37   0:00 /usr/bin/dbus-daemon --syslog --fork --print-pid 5 --print-address 7 --session

username       4440  0.0  0.0 229032  4192 ?        Sl   13:37   0:00 /usr/libexec/dconf-service

username       4448  0.0  0.0   3240  1852 ?        Ss   13:37   0:00 /usr/bin/dbus-daemon --syslog --fork --print-pid 5 --print-address 7 --session

username       4454  0.0  0.0 229032  4204 ?        Sl   13:37   0:00 /usr/libexec/dconf-service

username       4462  0.0  0.0   3240  1840 ?        Ss   13:37   0:00 /usr/bin/dbus-daemon --syslog --fork --print-pid 5 --print-address 7 --session

username       4468  0.0  0.0 229032  4172 ?        Sl   13:37   0:00 /usr/libexec/dconf-service

username       4476  0.0  0.0   3240  1816 ?        Ss   13:37   0:00 /usr/bin/dbus-daemon --syslog --fork --print-pid 5 --print-address 7 --session

username       4482  0.0  0.0 229032  4300 ?        Sl   13:37   0:00 /usr/libexec/dconf-service

username       6006  0.0  0.0   3240  1744 ?        Ss   13:47   0:00 /usr/bin/dbus-daemon --syslog --fork --print-pid 5 --print-address 7 --session

username       6012  0.0  0.0 229032  4108 ?        Sl   13:47   0:00 /usr/libexec/dconf-service

username       6020  0.0  0.0   3240  1836 ?        Ss   13:47   0:00 /usr/bin/dbus-daemon --syslog --fork --print-pid 5 --print-address 7 --session

username       6026  0.0  0.0 229032  4228 ?        Sl   13:47   0:00 /usr/libexec/dconf-service

username       6034  0.0  0.0   3240  1880 ?        Ss   13:47   0:00 /usr/bin/dbus-daemon --syslog --fork --print-pid 5 --print-address 7 --session

username       6040  0.0  0.0 229032  4308 ?        Sl   13:47   0:00 /usr/libexec/dconf-service

username       6048  0.0  0.0   3240  1804 ?        Ss   13:47   0:00 /usr/bin/dbus-daemon --syslog --fork --print-pid 5 --print-address 7 --session

username       6054  0.0  0.0 229032  4224 ?        Sl   13:47   0:00 /usr/libexec/dconf-service

Those blocks of

username       2576  0.0  0.0   3240  1840 ?        Ss   13:34   0:00 /usr/bin/dbus-daemon --syslog --fork --print-pid 5 --print-address 7 --session

username       2582  0.0  0.0 229032  4252 ?        Sl   13:34   0:00 /usr/libexec/dconf-service

remain lingering after EACH sandbox is terminated. Thus, each time the AppImage-browser is closed, a new block of those

username       2576  0.0  0.0   3240  1840 ?        Ss   13:34   0:00 /usr/bin/dbus-daemon --syslog --fork --print-pid 5 --print-address 7 --session

username       2582  0.0  0.0 229032  4252 ?        Sl   13:34   0:00 /usr/libexec/dconf-service

is spawned, and remains lingering until system shut-off, or manual termination.

It is even easier to locate such blocks with htop, but unfortunately pasting htop output is fairly difficult.

Behavior without a profile

Not applicable here.

Additional context

Not sure. The above wall of text should be fairly self-evident. This is an edge case, after all, and largely depends upon usage of dbus-launch gsettings, which is however necessary on nonsystemd distros to ensure that GTK custom theming "sticks".

It should also be noted that sway DM also launches its own scheme of

set $gnome-schema org.gnome.desktop.interface

set $gtk_theme "$(grep 'gtk-theme-name' "$config" | sed 's/.*\s*=\s*//')"
set $icon_theme "$(grep 'gtk-icon-theme-name' "$config" | sed 's/.*\s*=\s*//')"
set $cursor_theme "$(grep 'gtk-cursor-theme-name' "$config" | sed 's/.*\s*=\s*//')"
set $font_name "$(grep 'gtk-font-name' "$config" | sed 's/.*\s*=\s*//')"

exec_always {
        dbus-launch gsettings set "$gnome_schema" gtk-theme "$gtk_theme"
        dbus-launch gsettings set "$gnome_schema" icon-theme "$icon_theme"
        dbus-launch gsettings set "$gnome_schema" cursor-theme "$cursor_theme"
        dbus-launch gsettings set "$gnome_schema" font-name "$font_name"
        dbus-launch gsettings set "$gnome-schema" document-font-name "$document-font-name"
        dbus-launch gsettings set "$gnome-schema" monospace-font-name "$monospace-font-name"
}

exec_always import-gsettings \
    gtk-theme:gtk-theme-name \
    icon-theme:gtk-icon-theme-name \
    cursor-theme:gtk-cursor-theme-name \
    font-name:gtk-font-name \
    document-font-name:gtk-document-font-name \
    monospace-font-name:gtk-monospace-font-name \

Yet that is not sufficient to force sandboxed applications to import $gnome_schema variables.

Environment

Void Linux with runit as init.

firejail version 0.9.72

Compile time support:
- always force nonewprivs support is disabled
- AppArmor support is enabled
- AppImage support is enabled
- chroot support is enabled
- D-BUS proxy support is enabled
- file transfer support is enabled
- firetunnel support is disabled
- IDS support is disabled
- networking support is enabled
- output logging is enabled
- overlayfs support is disabled
- private-home support is enabled
- private-cache and tmpfs as user enabled
- SELinux support is disabled
- user namespace support is enabled
- X11 sandboxing support is enabled

Checklist

[ X] The issues is caused by firejail (Indeed, none of this happens without firejail, since there would never be any use of the dbus-launch gsettings workaround).
[ X] I have performed a short search for similar issues (to avoid opening a duplicate). I however presume this case to be more involved.
[ X] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages). Indeed I have, and you can read for yourself the contents of such a custom profile above.

Log

Logs are provided above, this is an edge case. I can perform more tests if necessary.

Originally created by @TeusLollo on GitHub (Jul 11, 2023). Original GitHub issue: https://github.com/netblue30/firejail/issues/5897 ### Description It seems that, at least on non-`systemd` distros (Utilizing `runit` as init, in my case) varying zombie processes are leftover upon sandbox termination given interaction with `dbus-launch gsettings` command (Which, on non-`systemd` distros, is largely necessary to properly set-up custom GTK themes, icons, cursors, and similar) in a custom script. May be at least partially related to https://github.com/netblue30/firejail/issues/3949 and https://github.com/netblue30/firejail/issues/3224 ### Steps to Reproduce It is given the following: A non-`systemd` distro (Void Linux, in my case, which runs on `runit` as init system) `sway` as window manager. No login manager (`sway` is run on a custom config through a custom script) A `LibreWolf` AppImage (From https://gitlab.com/librewolf-community/browser/appimage/-/packages) A custom `.local/share/applications/LibreWolf_Firejailed/` freedesktop-based app setup, which operates as follows: `LibreWolf_Firejailed.desktop ` ``` [Desktop Entry] Version=1.0 Type=Application Name=LibreWolf (Firejailed) Comment=LibreWolf Web Browser In A Firejail Exec=$HOME/.local/share/applications/LibreWolf_Firejailed/librewolf_firejailed.sh Icon=$HOME/.local/share/applications/LibreWolf_Firejailed/LibreWolf_Firejailed.png Terminal=false StartupNotify=false Categories=Application;Network; ``` Hence, `LibreWolf_Firejailed.desktop ` loads `librewolf_firejailed.sh`, the latter being thus compiled: ``` #!/bin/sh # usage: import-gsettings config="${XDG_CONFIG_HOME:-$HOME/.config}/gtk-3.0/settings.ini" if [ ! -f "$config" ]; then exit 1; fi gnome_schema="org.gnome.desktop.interface" gtk_theme="$(grep 'gtk-theme-name' "$config" | sed 's/.*\s*=\s*//')" icon_theme="$(grep 'gtk-icon-theme-name' "$config" | sed 's/.*\s*=\s*//')" cursor_theme="$(grep 'gtk-cursor-theme-name' "$config" | sed 's/.*\s*=\s*//')" font_name="$(grep 'gtk-font-name' "$config" | sed 's/.*\s*=\s*//')" dbus-launch gsettings set "$gnome_schema" gtk-theme "$gtk_theme" dbus-launch gsettings set "$gnome_schema" icon-theme "$icon_theme" dbus-launch gsettings set "$gnome_schema" cursor-theme "$cursor_theme" dbus-launch gsettings set "$gnome_schema" font-name "$font_name" firejail --appimage --apparmor --profile="$HOME/.local/share/applications/LibreWolf_Firejailed/librewolf_firejailed.profile" "$HOME/.bin/LibreWolf.x86_64.AppImage" ``` Thus, `librewolf_firejailed.sh` executes `dbus-launch gsettings` to import relevant custom theming, and relies upon a custom `librewolf_firejailed.profile`, the latter being here described: ``` # Firejail profile for Librewolf # Description: Firefox fork based on privacy # This file is overwritten after every install/update # Persistent local customizations include librewolf.local # Persistent global definitions include globals.local noblacklist ${HOME}/.cache/librewolf noblacklist ${HOME}/.librewolf noblacklist ${HOME}/.local/share/applications/LibreWolf_Firejailed #noblacklist ${HOME}/.themes #noblacklist ${HOME}/.icons noblacklist ${HOME}/.config/glib-2.0 mkdir ${HOME}/.cache/librewolf mkdir ${HOME}/.librewolf whitelist ${HOME}/.cache/librewolf whitelist ${HOME}/.librewolf whitelist ${HOME}/.local/share/applications/LibreWolf_Firejailed #whitelist ${HOME}/.themes #whitelist ${HOME}/.icons whitelist ${HOME}/.config/glib-2.0 # Add the next lines to your librewolf.local if you want to use the migration wizard. #noblacklist ${HOME}/.mozilla #whitelist ${HOME}/.mozilla # To enable KeePassXC Plugin add one of the following lines to your librewolf.local. # NOTE: start KeePassXC before Librewolf and keep it open to allow communication between them. #whitelist ${RUNUSER}/kpxc_server #whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer whitelist /usr/share/doc whitelist /usr/share/gtk-doc/html whitelist /usr/share/librewolf whitelist /usr/share/mozilla whitelist /usr/share/webext include whitelist-usr-share-common.inc # Add the next line to your librewolf.local to enable private-bin (Arch Linux). #private-bin dbus-launch,dbus-send,librewolf,sh # Add the next line to your librewolf.local to enable private-etc. # NOTE: private-etc must first be enabled in firefox-common.local. #private-etc librewolf dbus-user filter dbus-user.own io.gitlab.librewolf.* dbus-user.own org.mozilla.librewolf.* # Add the next line to your librewolf.local to enable native notifications. #dbus-user.talk org.freedesktop.Notifications # Add the next line to your librewolf.local to allow inhibiting screensavers. #dbus-user.talk org.freedesktop.ScreenSaver # Add the next lines to your librewolf.local for plasma browser integration. #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration #dbus-user.talk org.kde.JobViewServer #dbus-user.talk org.kde.kuiserver # Add the next line to your librewolf.local to allow screensharing under Wayland. #dbus-user.talk org.freedesktop.portal.Desktop # Also add the next line to your librewolf.local if screensharing does not work with # the above lines (depends on the portal implementation). #ignore noroot ignore apparmor ignore dbus-user none # Redirect include firefox-common.profile ``` ### Expected behavior This fairly involved custom setup was necessary on my side to properly sandbox an AppImage-based browser, and correctly import `$gnome_schema` variables. Indeed, the AppImage-based browser runs perfectly, and correctly imports system themes with this setup (While, without utilizing the `dbus-launch gsettings`-based schemes, it would absolutely not import custom theming), while otherwise appearing to be properly firejailed. However... ### Actual behavior ...It appears that, although the AppImage-based browser runs fine, and is properly terminated by the `sway` WM (Default keys Super + Shift + Q, depending on `sway` config, thus I remark that the AppImage-based browser is closed-down by the WM), child processes presumably spawned by the `dbus-launch gsettings` commands to remain lingering after the sandbox has been closed. In fact: `syslog` reports the following: ``` 2023-07-11T11:34:26.64089 daemon.info: Jul 11 13:34:26 dbus-daemon[2576]: [session uid=1000 pid=2574] Activating service name='ca.desrt.dconf' requested by ':1.0' (uid=1000 pid=2572 comm="gsettings set org.gnome.desktop.interface gtk-them") 2023-07-11T11:34:26.64297 daemon.info: Jul 11 13:34:26 dbus-daemon[2576]: [session uid=1000 pid=2574] Successfully activated service 'ca.desrt.dconf' 2023-07-11T11:34:26.64899 daemon.info: Jul 11 13:34:26 dbus-daemon[2590]: [session uid=1000 pid=2588] Activating service name='ca.desrt.dconf' requested by ':1.0' (uid=1000 pid=2586 comm="gsettings set org.gnome.desktop.interface icon-the") 2023-07-11T11:34:26.65153 daemon.info: Jul 11 13:34:26 dbus-daemon[2590]: [session uid=1000 pid=2588] Successfully activated service 'ca.desrt.dconf' 2023-07-11T11:34:26.65867 daemon.info: Jul 11 13:34:26 dbus-daemon[2604]: [session uid=1000 pid=2602] Activating service name='ca.desrt.dconf' requested by ':1.0' (uid=1000 pid=2600 comm="gsettings set org.gnome.desktop.interface cursor-t") 2023-07-11T11:34:26.66170 daemon.info: Jul 11 13:34:26 dbus-daemon[2604]: [session uid=1000 pid=2602] Successfully activated service 'ca.desrt.dconf' 2023-07-11T11:34:26.67066 daemon.info: Jul 11 13:34:26 dbus-daemon[2618]: [session uid=1000 pid=2616] Activating service name='ca.desrt.dconf' requested by ':1.0' (uid=1000 pid=2614 comm="gsettings set org.gnome.desktop.interface font-nam") 2023-07-11T11:34:26.67510 daemon.info: Jul 11 13:34:26 dbus-daemon[2618]: [session uid=1000 pid=2616] Successfully activated service 'ca.desrt.dconf' 2023-07-11T11:34:26.73120 kern.info: [ 237.206014] loop0: detected capacity change from 0 to 210994 2023-07-11T11:34:26.73910 kern.info: [ 237.213648] loop0: detected capacity change from 210994 to 210616 2023-07-11T11:34:26.74713 kern.info: [ 237.222142] squashfs: version 4.0 (2009/01/31) Phillip Lougher 2023-07-11T11:35:03.74315 daemon.info: Jul 11 13:35:03 dbus-daemon[3116]: [session uid=1000 pid=3114] Activating service name='ca.desrt.dconf' requested by ':1.0' (uid=1000 pid=3112 comm="gsettings set org.gnome.desktop.interface gtk-them") 2023-07-11T11:35:03.74552 daemon.info: Jul 11 13:35:03 dbus-daemon[3116]: [session uid=1000 pid=3114] Successfully activated service 'ca.desrt.dconf' ``` It never however reports on those `dbus-daemon` being terminated. Also: `pstree`: ``` ├─sh───librewolf_firej───firejail─┬─0───2*[{0}] │ └─firejail───librewolf─┬─Isolated Web Co───23*[{Isolated Web Co}] │ ├─Isolated Web Co───22*[{Isolated Web Co}] │ ├─Isolated Web Co───24*[{Isolated Web Co}] │ ├─Privileged Cont───23*[{Privileged Cont}] │ ├─Socket Process───4*[{Socket Process}] │ ├─Web Content───17*[{Web Content}] │ ├─2*[Web Content───18*[{Web Content}]] │ ├─WebExtensions───22*[{WebExtensions}] │ ├─librewolf │ └─117*[{librewolf}] ``` Those `dbus-daemon` are not visible on `pstree`. And also: `firejail --list`: `4486:username::firejail --appimage --apparmor --profile=/home/username/.local/share/applications/LibreWolf_Firejailed/librewolf_firejailed.profile /home/username/.bin/LibreWolf.x86_64.AppImage` Indeed, `firejail --list` does not list such `dbus-daemon`. `ps auxf`, however: ``` username 2576 0.0 0.0 3240 1840 ? Ss 13:34 0:00 /usr/bin/dbus-daemon --syslog --fork --print-pid 5 --print-address 7 --session username 2582 0.0 0.0 229032 4252 ? Sl 13:34 0:00 /usr/libexec/dconf-service username 2590 0.0 0.0 3240 1780 ? Ss 13:34 0:00 /usr/bin/dbus-daemon --syslog --fork --print-pid 5 --print-address 7 --session username 2596 0.0 0.0 229032 4160 ? Sl 13:34 0:00 /usr/libexec/dconf-service username 2604 0.0 0.0 3240 1932 ? Ss 13:34 0:00 /usr/bin/dbus-daemon --syslog --fork --print-pid 5 --print-address 7 --session username 2610 0.0 0.0 229032 4308 ? Sl 13:34 0:00 /usr/libexec/dconf-service username 2618 0.0 0.0 3240 1800 ? Ss 13:34 0:00 /usr/bin/dbus-daemon --syslog --fork --print-pid 5 --print-address 7 --session username 2624 0.0 0.0 229032 4204 ? Sl 13:34 0:00 /usr/libexec/dconf-service username 3116 0.0 0.0 3240 1776 ? Ss 13:35 0:00 /usr/bin/dbus-daemon --syslog --fork --print-pid 5 --print-address 7 --session username 3122 0.0 0.0 229032 4208 ? Sl 13:35 0:00 /usr/libexec/dconf-service username 3130 0.0 0.0 3240 1848 ? Ss 13:35 0:00 /usr/bin/dbus-daemon --syslog --fork --print-pid 5 --print-address 7 --session username 3136 0.0 0.0 229032 4320 ? Sl 13:35 0:00 /usr/libexec/dconf-service username 3144 0.0 0.0 3240 1856 ? Ss 13:35 0:00 /usr/bin/dbus-daemon --syslog --fork --print-pid 5 --print-address 7 --session username 3150 0.0 0.0 229032 4296 ? Sl 13:35 0:00 /usr/libexec/dconf-service username 3158 0.0 0.0 3240 1764 ? Ss 13:35 0:00 /usr/bin/dbus-daemon --syslog --fork --print-pid 5 --print-address 7 --session username 3164 0.0 0.0 229032 4324 ? Sl 13:35 0:00 /usr/libexec/dconf-service username 4416 0.0 0.0 2612 924 ? S 13:37 0:00 sh -c $HOME/.local/share/applications/LibreWolf_Firejailed/librewolf_firejailed.sh username 4417 0.0 0.0 2612 952 ? S 13:37 0:00 \_ /bin/sh /home/username/.local/share/applications/LibreWolf_Firejailed/librewolf_firejailed.sh username 4486 0.0 0.0 4348 2572 ? S 13:37 0:00 \_ firejail --appimage --apparmor --profile=/home/username/.local/share/applications/LibreWolf_Firejailed/librewolf_firejailed.profile /home/username/.bi username 4487 0.0 0.0 229012 4340 ? Sl 13:37 0:00 \_ /usr/bin/xdg-dbus-proxy --fd=4 --args=5 username 4490 0.0 0.0 4360 2256 ? S 13:37 0:00 \_ firejail --appimage --apparmor --profile=/home/username/.local/share/applications/LibreWolf_Firejailed/librewolf_firejailed.profile /home/username username 4496 9.7 3.9 11977704 648244 ? Sl 13:37 6:03 \_ librewolf username 4605 0.0 0.2 209736 36180 ? Sl 13:37 0:00 \_ /run/firejail/appimage/librewolf -contentproc -parentBuildID 20230419103845 -prefsLen 23634 -prefMapSize 232816 -appDir /run/fir username 4649 0.0 0.6 2527800 98696 ? Sl 13:37 0:00 \_ /run/firejail/appimage/librewolf -contentproc -childID 1 -isForBrowser -prefsLen 23775 -prefMapSize 232816 -jsInitLen 240056 -pa username 4681 0.0 0.0 0 0 ? Z 13:37 0:00 \_ [librewolf] <defunct> username 4734 0.3 1.0 19663788 166824 ? Sl 13:37 0:11 \_ /run/firejail/appimage/librewolf -contentproc -childID 2 -isForBrowser -prefsLen 27554 -prefMapSize 232816 -jsInitLen 240056 -pa username 4817 5.1 1.3 2714952 226272 ? Sl 13:37 3:11 \_ /run/firejail/appimage/librewolf -contentproc -childID 3 -isForBrowser -prefsLen 24390 -prefMapSize 232816 -jsInitLen 240056 -pa username 5639 0.0 1.0 2632096 173636 ? Sl 13:44 0:02 \_ /run/firejail/appimage/librewolf -contentproc -childID 8 -isForBrowser -prefsLen 24423 -prefMapSize 232816 -jsInitLen 240056 -pa username 6412 0.0 0.9 2601332 159220 ? Sl 13:49 0:01 \_ /run/firejail/appimage/librewolf -contentproc -childID 9 -isForBrowser -prefsLen 24423 -prefMapSize 232816 -jsInitLen 240056 -pa username 7649 0.0 0.7 2544700 121196 ? Sl 14:02 0:00 \_ /run/firejail/appimage/librewolf -contentproc -childID 11 -isForBrowser -prefsLen 24423 -prefMapSize 232816 -jsInitLen 240056 -p username 7652 0.2 0.9 2589096 162544 ? Sl 14:02 0:04 \_ /run/firejail/appimage/librewolf -contentproc -childID 12 -isForBrowser -prefsLen 24423 -prefMapSize 232816 -jsInitLen 240056 -p username 10325 0.0 0.4 2498420 74072 ? Sl 14:36 0:00 \_ /run/firejail/appimage/librewolf -contentproc -childID 15 -isForBrowser -prefsLen 24504 -prefMapSize 232816 -jsInitLen 240056 -p username 10786 0.0 0.4 2498420 73532 ? Sl 14:37 0:00 \_ /run/firejail/appimage/librewolf -contentproc -childID 16 -isForBrowser -prefsLen 24504 -prefMapSize 232816 -jsInitLen 240056 -p username 10831 0.0 0.4 2498420 74176 ? Sl 14:37 0:00 \_ /run/firejail/appimage/librewolf -contentproc -childID 17 -isForBrowser -prefsLen 24504 -prefMapSize 232816 -jsInitLen 240056 -p username 10865 1.3 0.7 2572676 120712 ? Sl 14:37 0:01 \_ /run/firejail/appimage/librewolf -contentproc -childID 18 -isForBrowser -prefsLen 28325 -prefMapSize 232816 -jsInitLen 240056 -p username 4434 0.0 0.0 3240 1824 ? Ss 13:37 0:00 /usr/bin/dbus-daemon --syslog --fork --print-pid 5 --print-address 7 --session username 4440 0.0 0.0 229032 4192 ? Sl 13:37 0:00 /usr/libexec/dconf-service username 4448 0.0 0.0 3240 1852 ? Ss 13:37 0:00 /usr/bin/dbus-daemon --syslog --fork --print-pid 5 --print-address 7 --session username 4454 0.0 0.0 229032 4204 ? Sl 13:37 0:00 /usr/libexec/dconf-service username 4462 0.0 0.0 3240 1840 ? Ss 13:37 0:00 /usr/bin/dbus-daemon --syslog --fork --print-pid 5 --print-address 7 --session username 4468 0.0 0.0 229032 4172 ? Sl 13:37 0:00 /usr/libexec/dconf-service username 4476 0.0 0.0 3240 1816 ? Ss 13:37 0:00 /usr/bin/dbus-daemon --syslog --fork --print-pid 5 --print-address 7 --session username 4482 0.0 0.0 229032 4300 ? Sl 13:37 0:00 /usr/libexec/dconf-service username 6006 0.0 0.0 3240 1744 ? Ss 13:47 0:00 /usr/bin/dbus-daemon --syslog --fork --print-pid 5 --print-address 7 --session username 6012 0.0 0.0 229032 4108 ? Sl 13:47 0:00 /usr/libexec/dconf-service username 6020 0.0 0.0 3240 1836 ? Ss 13:47 0:00 /usr/bin/dbus-daemon --syslog --fork --print-pid 5 --print-address 7 --session username 6026 0.0 0.0 229032 4228 ? Sl 13:47 0:00 /usr/libexec/dconf-service username 6034 0.0 0.0 3240 1880 ? Ss 13:47 0:00 /usr/bin/dbus-daemon --syslog --fork --print-pid 5 --print-address 7 --session username 6040 0.0 0.0 229032 4308 ? Sl 13:47 0:00 /usr/libexec/dconf-service username 6048 0.0 0.0 3240 1804 ? Ss 13:47 0:00 /usr/bin/dbus-daemon --syslog --fork --print-pid 5 --print-address 7 --session username 6054 0.0 0.0 229032 4224 ? Sl 13:47 0:00 /usr/libexec/dconf-service ``` Those blocks of ``` username 2576 0.0 0.0 3240 1840 ? Ss 13:34 0:00 /usr/bin/dbus-daemon --syslog --fork --print-pid 5 --print-address 7 --session username 2582 0.0 0.0 229032 4252 ? Sl 13:34 0:00 /usr/libexec/dconf-service ``` remain lingering after EACH sandbox is terminated. Thus, each time the AppImage-browser is closed, a new block of those ``` username 2576 0.0 0.0 3240 1840 ? Ss 13:34 0:00 /usr/bin/dbus-daemon --syslog --fork --print-pid 5 --print-address 7 --session username 2582 0.0 0.0 229032 4252 ? Sl 13:34 0:00 /usr/libexec/dconf-service ``` is spawned, and remains lingering until system shut-off, or manual termination. It is even easier to locate such blocks with `htop`, but unfortunately pasting `htop` output is fairly difficult. ### Behavior without a profile Not applicable here. ### Additional context Not sure. The above wall of text should be fairly self-evident. This is an edge case, after all, and largely depends upon usage of `dbus-launch gsettings`, which is however necessary on non`systemd` distros to ensure that GTK custom theming "sticks". It should also be noted that `sway` DM also launches its own scheme of ``` set $gnome-schema org.gnome.desktop.interface set $gtk_theme "$(grep 'gtk-theme-name' "$config" | sed 's/.*\s*=\s*//')" set $icon_theme "$(grep 'gtk-icon-theme-name' "$config" | sed 's/.*\s*=\s*//')" set $cursor_theme "$(grep 'gtk-cursor-theme-name' "$config" | sed 's/.*\s*=\s*//')" set $font_name "$(grep 'gtk-font-name' "$config" | sed 's/.*\s*=\s*//')" exec_always { dbus-launch gsettings set "$gnome_schema" gtk-theme "$gtk_theme" dbus-launch gsettings set "$gnome_schema" icon-theme "$icon_theme" dbus-launch gsettings set "$gnome_schema" cursor-theme "$cursor_theme" dbus-launch gsettings set "$gnome_schema" font-name "$font_name" dbus-launch gsettings set "$gnome-schema" document-font-name "$document-font-name" dbus-launch gsettings set "$gnome-schema" monospace-font-name "$monospace-font-name" } exec_always import-gsettings \ gtk-theme:gtk-theme-name \ icon-theme:gtk-icon-theme-name \ cursor-theme:gtk-cursor-theme-name \ font-name:gtk-font-name \ document-font-name:gtk-document-font-name \ monospace-font-name:gtk-monospace-font-name \ ``` Yet that is not sufficient to force sandboxed applications to import `$gnome_schema` variables. ### Environment Void Linux with `runit` as init. firejail version 0.9.72 Compile time support: - always force nonewprivs support is disabled - AppArmor support is enabled - AppImage support is enabled - chroot support is enabled - D-BUS proxy support is enabled - file transfer support is enabled - firetunnel support is disabled - IDS support is disabled - networking support is enabled - output logging is enabled - overlayfs support is disabled - private-home support is enabled - private-cache and tmpfs as user enabled - SELinux support is disabled - user namespace support is enabled - X11 sandboxing support is enabled ### Checklist - [ X] The issues is caused by firejail (Indeed, none of this happens without `firejail`, since there would never be any use of the `dbus-launch gsettings` workaround). - [ X] I have performed a short search for similar issues (to avoid opening a duplicate). I however presume this case to be more involved. - [ X] I used `--profile=PROFILENAME` to set the right profile. (Only relevant for AppImages). Indeed I have, and you can read for yourself the contents of such a custom profile above. ### Log Logs are provided above, this is an edge case. I can perform more tests if necessary.

gitea-mirror

2026-05-05 09:45:42 -06:00

closed this issue
added the
notourbug
label

gitea-mirror commented

2026-05-05 09:45:45 -06:00

Author

Owner

@TeusLollo commented on GitHub (Jul 11, 2023):

These are possibly relevant:

https://github.com/netblue30/firejail/issues/3224#issuecomment-586122215
https://github.com/netblue30/firejail/issues/3224#issuecomment-586521087

Maybe I could try something like this https://github.com/netblue30/firejail/issues/3224#issuecomment-590019723, but to me it looks it may be better to find a native solution.

@TeusLollo commented on GitHub (Jul 11, 2023): These are possibly relevant: https://github.com/netblue30/firejail/issues/3224#issuecomment-586122215 https://github.com/netblue30/firejail/issues/3224#issuecomment-586521087 Maybe I could try something like this https://github.com/netblue30/firejail/issues/3224#issuecomment-590019723, but to me it looks it may be better to find a native solution.

gitea-mirror commented

2026-05-05 09:45:46 -06:00

Author

Owner

@rusty-snake commented on GitHub (Jul 11, 2023):

Enable deterministic-shitutdown and try again.

@rusty-snake commented on GitHub (Jul 11, 2023): Enable `deterministic-shitutdown` and try again.

gitea-mirror commented

2026-05-05 09:45:47 -06:00

Author

Owner

@rusty-snake commented on GitHub (Jul 11, 2023):

However, killing zombie processes does not help because killing them is a no-op.

Maybe runit can not collect zombie processes inside pid-namespaces or has some other bug with it?

@rusty-snake commented on GitHub (Jul 11, 2023): However, killing zombie processes does not help because killing them is a no-op. Maybe runit can not collect zombie processes inside pid-namespaces or has some other bug with it?

gitea-mirror commented

2026-05-05 09:45:48 -06:00

Author

Owner

@TeusLollo commented on GitHub (Jul 11, 2023):

I just modified the script with firejail --deterministic-shutdown --appimage --apparmor --profile="$HOME/.local/share/applications/LibreWolf_Firejailed/librewolf_firejailed.profile" "$HOME/.bin/LibreWolf.x86_64.AppImage"

And no, those zombie processes still linger.

Indeed, it may be a runit bug, or something else funky going on with dbus-launch.

@TeusLollo commented on GitHub (Jul 11, 2023): I just modified the script with `firejail --deterministic-shutdown --appimage --apparmor --profile="$HOME/.local/share/applications/LibreWolf_Firejailed/librewolf_firejailed.profile" "$HOME/.bin/LibreWolf.x86_64.AppImage"` And no, those zombie processes still linger. Indeed, it may be a `runit` bug, or something else funky going on with `dbus-launch`.

gitea-mirror commented

2026-05-05 09:45:49 -06:00

Author

Owner

@TeusLollo commented on GitHub (Jul 11, 2023):

Okay, I had a chat with Void Linux devs on IRC:

They say those blocks of

username       2576  0.0  0.0   3240  1840 ?        Ss   13:34   0:00 /usr/bin/dbus-daemon --syslog --fork --print-pid 5 --print-address 7 --session

username       2582  0.0  0.0 229032  4252 ?        Sl   13:34   0:00 /usr/libexec/dconf-service

Are not technically zombie processes. Indeed, since those were spawned with dbus-launch, they are expected to stay around, and would not be picked-up by the init system. Something else must be going on.

@TeusLollo commented on GitHub (Jul 11, 2023): Okay, I had a chat with Void Linux devs on IRC: They say those blocks of ``` username 2576 0.0 0.0 3240 1840 ? Ss 13:34 0:00 /usr/bin/dbus-daemon --syslog --fork --print-pid 5 --print-address 7 --session username 2582 0.0 0.0 229032 4252 ? Sl 13:34 0:00 /usr/libexec/dconf-service ``` Are not technically zombie processes. Indeed, since those were spawned with `dbus-launch`, they are expected to stay around, and would not be picked-up by the init system. Something else must be going on.

gitea-mirror commented

2026-05-05 09:45:49 -06:00

Author

Owner

@TeusLollo commented on GitHub (Jul 11, 2023):

OK, just to clarify, since the documentation isn't entirely helpful on this:

Here firejail is run from a shell script. Such a shell script launches both a custom firejail command, and other dbus-based processes.

Is this supported, or should I just close-down the issue?

@TeusLollo commented on GitHub (Jul 11, 2023): OK, just to clarify, since the documentation isn't entirely helpful on this: Here `firejail` is run from a shell script. Such a shell script launches both a custom `firejail` command, and other dbus-based processes. Is this supported, or should I just close-down the issue?

gitea-mirror commented

2026-05-05 09:45:50 -06:00

Author

Owner

@TeusLollo commented on GitHub (Jul 11, 2023):

OK, some more chats have confirmed that this probably is not a firejail issue, but some degree of funkiness with either gsettings or dbus .

Closing this.

@TeusLollo commented on GitHub (Jul 11, 2023): OK, some more chats have confirmed that this probably is not a `firejail` issue, but some degree of funkiness with either `gsettings` or `dbus` . Closing this.

gitea-mirror commented

2026-05-05 09:45:51 -06:00

Author

Owner

@kmk3 commented on GitHub (Jul 11, 2023):

It seems that, at least on non-systemd distros (Utilizing runit as init,
in my case) varying zombie processes are leftover upon sandbox termination
given interaction with dbus-launch gsettings command (Which, on
non-systemd distros, is largely necessary to properly set-up custom GTK
themes, icons, cursors, and similar) in a custom script.

Yes, systemd apparently does some dbus-related things by itself as it depends
on dbus IIRC. dbus is optional when not using systemd, so the dbus commands
have to be executed manually or by something else.

dbus-launch gsettings set "$gnome_schema" gtk-theme "$gtk_theme"
dbus-launch gsettings set "$gnome_schema" icon-theme "$icon_theme"
dbus-launch gsettings set "$gnome_schema" cursor-theme "$cursor_theme"
dbus-launch gsettings set "$gnome_schema" font-name "$font_name"

The user dbus process is indeed intended to stay around, but it's usually only
one process and it is usually started with the user session.

What happens if dbus-launch is executed in the sway config and then (after a
reboot) you just call gsettings by itself?

See for example:

https://wiki.archlinux.org/title/Init#Dbus

And the following file, which is provided by dbus-runit on Artix:

/etc/X11/xinit/xinitrc.d/80-dbus.sh

#!/bin/sh

# launches a session dbus instance

dbuslaunch="$(command -v dbus-launch)"
if [ -n "$dbuslaunch" ] && [ -x "$dbuslaunch" ] && [ -z "$DBUS_SESSION_BUS_ADDRESS" ]; then
    if [ -n "$command" ]; then
        command="$dbuslaunch --exit-with-session $command"
    else
        eval " $($dbuslaunch --sh-syntax --exit-with-session)"
    fi
fi

Maybe Void has something similar.

@kmk3 commented on GitHub (Jul 11, 2023): > It seems that, at least on non-`systemd` distros (Utilizing `runit` as init, > in my case) varying zombie processes are leftover upon sandbox termination > given interaction with `dbus-launch gsettings` command (Which, on > non-`systemd` distros, is largely necessary to properly set-up custom GTK > themes, icons, cursors, and similar) in a custom script. Yes, systemd apparently does some dbus-related things by itself as it depends on dbus IIRC. dbus is optional when not using systemd, so the dbus commands have to be executed manually or by something else. > ```sh > dbus-launch gsettings set "$gnome_schema" gtk-theme "$gtk_theme" > dbus-launch gsettings set "$gnome_schema" icon-theme "$icon_theme" > dbus-launch gsettings set "$gnome_schema" cursor-theme "$cursor_theme" > dbus-launch gsettings set "$gnome_schema" font-name "$font_name" > ``` The user dbus process is indeed intended to stay around, but it's usually only one process and it is usually started with the user session. What happens if dbus-launch is executed in the sway config and then (after a reboot) you just call `gsettings` by itself? See for example: * <https://wiki.archlinux.org/title/Init#Dbus> And the following file, which is provided by [`dbus-runit`][1] on Artix: * [/etc/X11/xinit/xinitrc.d/80-dbus.sh](https://gitea.artixlinux.org/packages/dbus-runit/src/commit/f63df4c0625648c28e72df728018d735195da549/x86_64/extra/80-dbus.sh) ```sh #!/bin/sh # launches a session dbus instance dbuslaunch="$(command -v dbus-launch)" if [ -n "$dbuslaunch" ] && [ -x "$dbuslaunch" ] && [ -z "$DBUS_SESSION_BUS_ADDRESS" ]; then if [ -n "$command" ]; then command="$dbuslaunch --exit-with-session $command" else eval " $($dbuslaunch --sh-syntax --exit-with-session)" fi fi ``` Maybe Void has something similar. [1]: https://packages.artixlinux.org/details/dbus-runit

gitea-mirror commented

2026-05-05 09:45:51 -06:00

Author

Owner

@TeusLollo commented on GitHub (Jul 11, 2023):

dbus-launch gsettings set "$gnome_schema" gtk-theme "$gtk_theme"
dbus-launch gsettings set "$gnome_schema" icon-theme "$icon_theme"
dbus-launch gsettings set "$gnome_schema" cursor-theme "$cursor_theme"
dbus-launch gsettings set "$gnome_schema" font-name "$font_name"

Upon more testing, I have confirmed that, in fact I have no need (Anymore, at least) to use dbus-launch gsettings, yet, back when I first set-up my config file, it actually was necessary (For some reason, maybe it was because GTK3 was still so unstable? It was back when each version was breaking something...)

In every case, it is better to dismiss such an heavy usage of dbus-launch, given how it can cause system instabilities, and considered also that old sourcing rules still apply to shell scripts, even when involving dbus, which can cause myriads of troublesome scenarios.

Indeed, I have discovered that sway does not even need to be run with dbus-run-session, although it's in some cases preferable.

In every case, Void devs have promised to eventually clarify this matter, and their preferred method of setting-up window managers, on their own handbook, thus the matter should eventually be cleared.

Thanks for your help.

@TeusLollo commented on GitHub (Jul 11, 2023): > > ```shell > > dbus-launch gsettings set "$gnome_schema" gtk-theme "$gtk_theme" > > dbus-launch gsettings set "$gnome_schema" icon-theme "$icon_theme" > > dbus-launch gsettings set "$gnome_schema" cursor-theme "$cursor_theme" > > dbus-launch gsettings set "$gnome_schema" font-name "$font_name" > > ``` Upon more testing, I have confirmed that, in fact I have no need (Anymore, at least) to use `dbus-launch gsettings`, yet, back when I first set-up my config file, it actually was necessary (For some reason, maybe it was because GTK3 was still so unstable? It was back when each version was breaking something...) In every case, it is better to dismiss such an heavy usage of `dbus-launch`, given how it can cause system instabilities, and considered also that old sourcing rules still apply to shell scripts, even when involving `dbus`, which can cause myriads of troublesome scenarios. Indeed, I have discovered that `sway` does not even need to be run with `dbus-run-session`, although it's in some cases preferable. In every case, Void devs have promised to eventually clarify this matter, and their preferred method of setting-up window managers, on their own handbook, thus the matter should eventually be cleared. Thanks for your help.

Rows
Columns

[GH-ISSUE #5897] Shell script fails to kill-off child processes upon app closure and sandbox termination #3125

Description

Steps to Reproduce

Expected behavior

Actual behavior

Behavior without a profile

Additional context

Environment

Checklist

Log