github-starred/firejail

Fork 0

mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00

[GH-ISSUE #6071] clamtk: program fails to start #3170

New issue

Closed

opened 2026-05-05 09:47:43 -06:00 by gitea-mirror · 9 comments

gitea-mirror commented

2026-05-05 09:47:43 -06:00

Owner

Originally created by @tetoNidan on GitHub (Oct 28, 2023).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6071

Description

clamtk fails to open. When run from the terminal you get:

Reading profile /home/tool/.config/firejail/clamtk.profile
Reading profile /etc/firejail/disable-exec.inc
Parent pid 142897, child pid 142898
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: not remounting /run/user/1000/doc
Warning: not remounting /run/user/1000/gvfs
Child process initialized in 14.64 ms
WARNING **: Unable to connect to dbus: Could not connect: Permission denied at /usr/share/perl5/vendor_perl/Gtk3.pm line 555.
failed remote tk check >500 Can't connect to raw.githubusercontent.com:443 (Temporary failure in name resolution)<
LibClamAV Warning: **************************************************
LibClamAV Warning: ***  The virus database is older than 7 days!  ***
LibClamAV Warning: ***   Please update it as soon as possible.    ***
LibClamAV Warning: **************************************************

(clamtk:5): Gdk-WARNING **: 20:09:23.592: The program 'clamtk' received an X Window System error.
This probably reflects a bug in the program.
The error was 'BadAccess (attempt to access private resource denied)'.
  (Details: serial 182 error_code 10 request_code 130 (MIT-SHM) minor_code 1)
  (Note to programmers: normally, X errors are reported asynchronously;
   that is, you will receive the error a while after causing it.
   To debug your program, run it with the GDK_SYNCHRONIZE environment
   variable to change this behavior. You can then get a meaningful
   backtrace from your debugger if you break on the gdk_x_error() function.)

Parent is shutting down, bye...

You can run firejail --noprofile clamtk and clamtk runs as expected.

Steps to Reproduce

open terminal and type clamtk or open from the .desktop file.

Expected behavior

Clamtk to open it's gui and be able to scan files and directories.

Actual behavior

Nothing but the error included above in the discription.

Behavior without a profile

clamtk open just fine

Additional context

see description for detailed error message from the terminal

Environment

Linux distribution and version: Arch
Firejail version: 0.9.72

Checklist

The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
I can reproduce the issue without custom modifications (e.g. globals.local).
The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
The profile (and redirect profile if exists) hasn't already been fixed upstream. --> I don't know, I did search clamtk in open and closed issues and didn't see a good fit for issue
I have performed a short search for similar issues (to avoid opening a duplicate).
- I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail clamtk

Reading profile /home/tool/.config/firejail/clamtk.profile
Reading profile /etc/firejail/disable-exec.inc
Parent pid 240065, child pid 240066
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: not remounting /run/user/1000/doc
Warning: not remounting /run/user/1000/gvfs
Child process initialized in 14.31 ms
Warning: an existing sandbox was detected. /usr/bin/clamtk will run without any additional sandboxing features
WARNING **: Unable to connect to dbus: Could not connect: Permission denied at /usr/share/perl5/vendor_perl/Gtk3.pm line 555.
failed remote tk check >500 Can't connect to raw.githubusercontent.com:443 (Temporary failure in name resolution)<
LibClamAV Warning: **************************************************
LibClamAV Warning: ***  The virus database is older than 7 days!  ***
LibClamAV Warning: ***   Please update it as soon as possible.    ***
LibClamAV Warning: **************************************************

(clamtk:5): Gdk-WARNING **: 20:28:01.812: The program 'clamtk' received an X Window System error.
This probably reflects a bug in the program.
The error was 'BadAccess (attempt to access private resource denied)'.
  (Details: serial 182 error_code 10 request_code 130 (MIT-SHM) minor_code 1)
  (Note to programmers: normally, X errors are reported asynchronously;
   that is, you will receive the error a while after causing it.
   To debug your program, run it with the GDK_SYNCHRONIZE environment
   variable to change this behavior. You can then get a meaningful
   backtrace from your debugger if you break on the gdk_x_error() function.)

Parent is shutting down, bye...

Output of LC_ALL=C firejail --debug clamtk

[output goes here](https://pastebin.com/7YPgkVxq)

https://pastebin.com/7YPgkVxq

Originally created by @tetoNidan on GitHub (Oct 28, 2023). Original GitHub issue: https://github.com/netblue30/firejail/issues/6071  ### Description clamtk fails to open. When run from the terminal you get: ``` Reading profile /home/tool/.config/firejail/clamtk.profile Reading profile /etc/firejail/disable-exec.inc Parent pid 142897, child pid 142898 Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set. Warning: not remounting /run/user/1000/doc Warning: not remounting /run/user/1000/gvfs Child process initialized in 14.64 ms WARNING **: Unable to connect to dbus: Could not connect: Permission denied at /usr/share/perl5/vendor_perl/Gtk3.pm line 555. failed remote tk check >500 Can't connect to raw.githubusercontent.com:443 (Temporary failure in name resolution)< LibClamAV Warning: ************************************************** LibClamAV Warning: *** The virus database is older than 7 days! *** LibClamAV Warning: *** Please update it as soon as possible. *** LibClamAV Warning: ************************************************** (clamtk:5): Gdk-WARNING **: 20:09:23.592: The program 'clamtk' received an X Window System error. This probably reflects a bug in the program. The error was 'BadAccess (attempt to access private resource denied)'. (Details: serial 182 error_code 10 request_code 130 (MIT-SHM) minor_code 1) (Note to programmers: normally, X errors are reported asynchronously; that is, you will receive the error a while after causing it. To debug your program, run it with the GDK_SYNCHRONIZE environment variable to change this behavior. You can then get a meaningful backtrace from your debugger if you break on the gdk_x_error() function.) Parent is shutting down, bye... ``` You can run `firejail --noprofile clamtk` and clamtk runs as expected. ### Steps to Reproduce open terminal and type `clamtk` or open from the `.desktop` file. ### Expected behavior Clamtk to open it's gui and be able to scan files and directories. ### Actual behavior Nothing but the error included above in the discription. ### Behavior without a profile clamtk open just fine ### Additional context see description for detailed error message from the terminal ### Environment - Linux distribution and version: Arch - Firejail version: 0.9.72 ### Checklist  - [x] The issues is caused by firejail (i.e. running the program by path (e.g. `/usr/bin/vlc`) "fixes" it). - [x] I can reproduce the issue without custom modifications (e.g. globals.local). - [x] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`) - [ ] The profile (and redirect profile if exists) hasn't already been fixed [upstream](https://github.com/netblue30/firejail/tree/master/etc). --> I don't know, I did search clamtk in open and closed issues and didn't see a good fit for issue - [x] I have performed a short search for similar issues (to avoid opening a duplicate). - [ ] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers. - [ ] I used `--profile=PROFILENAME` to set the right profile. (Only relevant for AppImages) ### Log <details> <summary>Output of <code>LC_ALL=C firejail clamtk</code></summary> <p> ``` Reading profile /home/tool/.config/firejail/clamtk.profile Reading profile /etc/firejail/disable-exec.inc Parent pid 240065, child pid 240066 Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set. Warning: not remounting /run/user/1000/doc Warning: not remounting /run/user/1000/gvfs Child process initialized in 14.31 ms Warning: an existing sandbox was detected. /usr/bin/clamtk will run without any additional sandboxing features WARNING **: Unable to connect to dbus: Could not connect: Permission denied at /usr/share/perl5/vendor_perl/Gtk3.pm line 555. failed remote tk check >500 Can't connect to raw.githubusercontent.com:443 (Temporary failure in name resolution)< LibClamAV Warning: ************************************************** LibClamAV Warning: *** The virus database is older than 7 days! *** LibClamAV Warning: *** Please update it as soon as possible. *** LibClamAV Warning: ************************************************** (clamtk:5): Gdk-WARNING **: 20:28:01.812: The program 'clamtk' received an X Window System error. This probably reflects a bug in the program. The error was 'BadAccess (attempt to access private resource denied)'. (Details: serial 182 error_code 10 request_code 130 (MIT-SHM) minor_code 1) (Note to programmers: normally, X errors are reported asynchronously; that is, you will receive the error a while after causing it. To debug your program, run it with the GDK_SYNCHRONIZE environment variable to change this behavior. You can then get a meaningful backtrace from your debugger if you break on the gdk_x_error() function.) Parent is shutting down, bye... ``` </p> </details> <details> <summary>Output of <code>LC_ALL=C firejail --debug clamtk</code></summary> <p> [](https://pastebin.com/7YPgkVxq) ``` [output goes here](https://pastebin.com/7YPgkVxq) ``` https://pastebin.com/7YPgkVxq </p> </details>

gitea-mirror closed this issue

2026-05-05 09:47:44 -06:00

gitea-mirror commented

2026-05-05 09:47:46 -06:00

Author

Owner

@rusty-snake commented on GitHub (Oct 28, 2023):

Try without ipc-namespace.

@rusty-snake commented on GitHub (Oct 28, 2023): Try without ipc-namespace.

gitea-mirror commented

2026-05-05 09:47:47 -06:00

Author

Owner

@ghost commented on GitHub (Oct 28, 2023):

Reading profile /home/tool/.config/firejail/clamtk.profile

Just curious. Why aren't you using /etc/firejail/clamtk.profile? Is /home/tool/.config/firejail/clamtk.profile an exact copy or did you change anything?

Warning: an existing sandbox was detected. /usr/bin/clamtk will run without any additional sandboxing features

Always use the full path to the clamtk executable (/usr/bin/clamtk) when running firejail from CLI. Otherwise it will run /usr/local/bin/clamtk, which is a symlink created by firecfg.

I cannot exactly reproduce on Arch, although there are some problems. Just installed clamtk, which pulls in clamav 1.2.1-1, updated in the extra repo only yesterday. Are you seeing this with that version? For me clamtk opens fine, but showing yellowish warning bar about unavailable databases.

failed remote tk check >500 Can't connect to raw.githubusercontent.com:443 (Temporary failure in name resolution)<
LibClamAV Warning: *** The virus database is older than 7 days! ***

The clamtk profile has net none and protocol unix, and as such doesn't seem to be designed for per-user control of signatures updating. According to the AL wiki you're supposed to use freshclam for updating the signatures. These are configured to reside under /var/lib/clamav, 0640 uid 64/clamav gid 64/clamav. Both nogroups and noroot effectively block clamtk's access to that path. You could change clamtk's settings to put the databases under ~/.clamtk/db (Update Assistant > I would like to update signatures myself). But I don't know if that's at all practical, never used clamtk/clamav before.

Our freshclam.profile does work from CLI, I've tested that just now. Obviously the clamav-freshclam.service would need changes when you want to sandbox that via Firejail. Alternatively, use systemd's sandboxing features. See: https://github.com/netblue30/firejail/wiki/Comparison-of-firejail-and-systemd's-hardening-options.

@ghost commented on GitHub (Oct 28, 2023): > Reading profile /home/tool/.config/firejail/clamtk.profile Just curious. Why aren't you using /etc/firejail/clamtk.profile? Is /home/tool/.config/firejail/clamtk.profile an exact copy or did you change anything? > Warning: an existing sandbox was detected. /usr/bin/clamtk will run without any additional sandboxing features Always use the full path to the clamtk executable (/usr/bin/clamtk) when running firejail from CLI. Otherwise it will run /usr/local/bin/clamtk, which is a symlink created by firecfg. I cannot exactly reproduce on Arch, although there are some problems. Just installed clamtk, which pulls in [clamav 1.2.1-1](https://archlinux.org/packages/extra/x86_64/clamav/), updated in the extra repo only yesterday. Are you seeing this with that version? For me clamtk opens fine, but showing yellowish warning bar about unavailable databases. > failed remote tk check >500 Can't connect to raw.githubusercontent.com:443 (Temporary failure in name resolution)< LibClamAV Warning: *** The virus database is older than 7 days! *** The clamtk profile has `net none` and `protocol unix`, and as such doesn't seem to be designed for per-user control of signatures updating. According to the [AL wiki](https://wiki.archlinux.org/title/ClamAV#Updating_database) you're supposed to use `freshclam` for updating the signatures. These are configured to reside under /var/lib/clamav, 0640 uid 64/clamav gid 64/clamav. Both `nogroups` and `noroot` effectively block clamtk's access to that path. You _could_ change clamtk's settings to put the databases under ~/.clamtk/db (Update Assistant > I would like to update signatures myself). But I don't know if that's at all practical, never used clamtk/clamav before. Our freshclam.profile does work from CLI, I've tested that just now. Obviously the clamav-freshclam.service would need changes when you want to sandbox that via Firejail. Alternatively, use systemd's sandboxing features. See: https://github.com/netblue30/firejail/wiki/Comparison-of-firejail-and-systemd's-hardening-options.

gitea-mirror commented

2026-05-05 09:47:48 -06:00

Author

Owner

@tetoNidan commented on GitHub (Oct 28, 2023):

Just curious. Why aren't you using /etc/firejail/clamtk.profile? Is /home/tool/.config/firejail/clamtk.profile an exact copy or did you change anything?

Yes but I changed it back for my reports. I find it easier to use a $USER/.config/firejail copy to test rather than passing multiple arguments in the terminal. That way when you find a fix you can keep that fix and only have to remember that fix when firejail update's profiles and you don't have to transfer arguments to the profile. Hope that makes sense.

Try without ipc-namespace.

That did the trick. but gives the errors and warning. Might me normal for not using ipc-namespace though, I dont know?

WARNING **: Unable to connect to dbus: Could not connect: Permission denied at /usr/share/perl5/vendor_perl/Gtk3.pm line 555. failed remote tk check >500 Can't connect to raw.githubusercontent.com:443 (Temporary failure in name resolution)

Failed to create secure directory (/run/user/1000/pulse): Permission denied

Reading profile /home/tool/.config/firejail/clamtk.profile
Reading profile /etc/firejail/disable-exec.inc
Parent pid 464070, child pid 464071
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: not remounting /run/user/1000/doc
Warning: not remounting /run/user/1000/gvfs
Child process initialized in 14.34 ms
WARNING **: Unable to connect to dbus: Could not connect: Permission denied at /usr/share/perl5/vendor_perl/Gtk3.pm line 555.
failed remote tk check >500 Can't connect to raw.githubusercontent.com:443 (Temporary failure in name resolution)<

(clamtk:5): GLib-GIO-CRITICAL **: 08:29:36.653: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(clamtk:5): GLib-GIO-CRITICAL **: 08:29:36.653: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(clamtk:5): GLib-GIO-CRITICAL **: 08:29:36.653: g_dbus_connection_get_unique_name: assertion 'G_IS_DBUS_CONNECTION (connection)' failed
Failed to create secure directory (/run/user/1000/pulse): Permission denied

Commenting out net none also seemed to let me manually download new definitions. Progress bar moves and turns green when finished which seems to be normal behavior. I know you can use freshclam but it's nice to have a fully working app. EDIT: Terminal output says update has failed. Guess you cant go by the GUI to tell if definitions are being updated! Is there potential security issue with allowing clamtk to have internet access?

I cannot exactly reproduce on Arch, although there are some problems. Just installed clamtk, which pulls in clamav 1.2.1-1, updated in the extra repo only yesterday. Are you seeing this with that version? For me clamtk opens fine, but showing yellowish warning bar about unavailable databases.

clamtk 6.14-1
clamav 1.2.1-1

And Thanks by the way!

@tetoNidan commented on GitHub (Oct 28, 2023): > Just curious. Why aren't you using /etc/firejail/clamtk.profile? Is /home/tool/.config/firejail/clamtk.profile an exact copy or did you change anything? Yes but I changed it back for my reports. I find it easier to use a `$USER/.config/firejail` copy to test rather than passing multiple arguments in the terminal. That way when you find a fix you can keep that fix and only have to remember that fix when firejail update's profiles and you don't have to transfer arguments to the profile. Hope that makes sense. > Try without ipc-namespace. That did the trick. but gives the errors and warning. Might me normal for not using `ipc-namespace` though, I dont know? `WARNING **: Unable to connect to dbus: Could not connect: Permission denied at /usr/share/perl5/vendor_perl/Gtk3.pm line 555. failed remote tk check >500 Can't connect to raw.githubusercontent.com:443 (Temporary failure in name resolution)` `Failed to create secure directory (/run/user/1000/pulse): Permission denied` ``` Reading profile /home/tool/.config/firejail/clamtk.profile Reading profile /etc/firejail/disable-exec.inc Parent pid 464070, child pid 464071 Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set. Warning: not remounting /run/user/1000/doc Warning: not remounting /run/user/1000/gvfs Child process initialized in 14.34 ms WARNING **: Unable to connect to dbus: Could not connect: Permission denied at /usr/share/perl5/vendor_perl/Gtk3.pm line 555. failed remote tk check >500 Can't connect to raw.githubusercontent.com:443 (Temporary failure in name resolution)< (clamtk:5): GLib-GIO-CRITICAL **: 08:29:36.653: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed (clamtk:5): GLib-GIO-CRITICAL **: 08:29:36.653: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed (clamtk:5): GLib-GIO-CRITICAL **: 08:29:36.653: g_dbus_connection_get_unique_name: assertion 'G_IS_DBUS_CONNECTION (connection)' failed Failed to create secure directory (/run/user/1000/pulse): Permission denied ``` Commenting out `net none` also seemed to let me manually download new definitions. Progress bar moves and turns green when finished which seems to be normal behavior. I know you can use `freshclam` but it's nice to have a fully working app. `EDIT: Terminal output says update has failed.` Guess you cant go by the GUI to tell if definitions are being updated! Is there potential security issue with allowing clamtk to have internet access? >I cannot exactly reproduce on Arch, although there are some problems. Just installed clamtk, which pulls in [clamav 1.2.1-1](https://archlinux.org/packages/extra/x86_64/clamav/), updated in the extra repo only yesterday. Are you seeing this with that version? For me clamtk opens fine, but showing yellowish warning bar about unavailable databases. clamtk 6.14-1 clamav 1.2.1-1 And Thanks by the way!

gitea-mirror commented

2026-05-05 09:47:49 -06:00

Author

Owner

@ghost commented on GitHub (Oct 28, 2023):

Yes but I changed it back for my reports. I find it easier to use a $USER/.config/firejail copy to test rather than passing multiple arguments in the terminal. [...] Hope that makes sense.

It does :) Just wanted to rule out potential additional firejail options that we were not aware of.

The dbus and pulse errors and warning can safely be ignored. It's quite common to see those and similar ones while sandboxing an application. It isn't aware of the imposed restrictions (which is a good thing) and uses its only other option left: complain :)

Commenting out net none also seemed to let me manually download new definitions. [...] EDIT: Terminal output says update has failed.

Can you post the exact output here? In my brief test I had to ignore net none AND expand the allowed protocols with protocol unix,inet,inet6 for sucessfully updating the signatures. When allowing networking it's advised to also add netfilter. Which relates to your other question...

Is there potential security issue with allowing clamtk to have internet access?

Potentially yes. ClamAV can use databases/signature from other repositories or security vendors. Apply common-sense, don't add just anything that's out there and you'll be fine.

@ghost commented on GitHub (Oct 28, 2023): > Yes but I changed it back for my reports. I find it easier to use a $USER/.config/firejail copy to test rather than passing multiple arguments in the terminal. [...] Hope that makes sense. It does :) Just wanted to rule out potential additional firejail options that we were not aware of. The dbus and pulse errors and warning can safely be ignored. It's quite common to see those and similar ones while sandboxing an application. It isn't aware of the imposed restrictions (which is a good thing) and uses its only other option left: complain :) > Commenting out net none also seemed to let me manually download new definitions. [...] EDIT: Terminal output says update has failed. Can you post the exact output here? In my brief test I had to `ignore net none` AND expand the allowed protocols with `protocol unix,inet,inet6` for sucessfully updating the signatures. When allowing networking it's advised to also add `netfilter`. Which relates to your other question... Is there potential security issue with allowing clamtk to have internet access? Potentially yes. ClamAV can use databases/signature [from other repositories or security vendors](https://wiki.archlinux.org/title/ClamAV#Adding_more_databases/signatures_repositories). Apply common-sense, don't add just anything that's out there and you'll be fine.

gitea-mirror commented

2026-05-05 09:47:50 -06:00

Author

Owner

@rusty-snake commented on GitHub (Oct 29, 2023):

Is there potential security issue with allowing clamtk to have internet access?
Potentially yes.

Keep in mind that removing net none grants it access to localhost and abstract sockets.

@rusty-snake commented on GitHub (Oct 29, 2023): > Is there potential security issue with allowing clamtk to have internet access? Potentially yes. Keep in mind that removing `net none` grants it access to localhost and abstract sockets.

gitea-mirror commented

2026-05-05 09:47:50 -06:00

Author

Owner

@tetoNidan commented on GitHub (Oct 30, 2023):

Can you post the exact output here? In my brief test I had to ignore net none AND expand the allowed protocols with protocol unix,inet,inet6 for sucessfully updating the signatures. When allowing networking it's advised to also add netfilter. Which relates to your other question...

i will do as soon as I get back to my computer late tonight or late tomorrow.

I will take note that there are security flaws allowing clamtk internet access. Is there a suggested way of updating virus definitions inside the sandbox or should I run /usr/bin/freshclam to update definitions? I have not added any third party definitions to clamxav so I'm assuming that's not a security issue, updating from official clamxav definitions that is.

@tetoNidan commented on GitHub (Oct 30, 2023): > Can you post the exact output here? In my brief test I had to ignore net none AND expand the allowed protocols with protocol unix,inet,inet6 for sucessfully updating the signatures. When allowing networking it's advised to also add netfilter. Which relates to your other question... i will do as soon as I get back to my computer late tonight or late tomorrow. I will take note that there are security flaws allowing clamtk internet access. Is there a suggested way of updating virus definitions inside the sandbox or should I run `/usr/bin/freshclam` to update definitions? I have not added any third party definitions to clamxav so I'm assuming that's not a security issue, updating from official clamxav definitions that is.

gitea-mirror commented

2026-05-05 09:47:51 -06:00

Author

Owner

@tetoNidan commented on GitHub (Oct 31, 2023):

Can you post the exact output here? In my brief test I had to ignore net none AND expand the allowed protocols with protocol unix,inet,inet6 for sucessfully updating the signatures. When allowing networking it's advised to also add netfilter. Which relates to your other question...

Reading profile /home/tool/.config/firejail/clamtk.profile
Reading profile /etc/firejail/disable-exec.inc
Parent pid 238902, child pid 238903
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: not remounting /run/user/1000/doc
Warning: not remounting /run/user/1000/gvfs
Child process initialized in 14.25 ms
Warning: an existing sandbox was detected. /usr/bin/clamtk will run without any additional sandboxing features
WARNING **: Unable to connect to dbus: Could not connect: Permission denied at /usr/share/perl5/vendor_perl/Gtk3.pm line 555.

(clamtk:5): GLib-GIO-CRITICAL **: 16:14:13.177: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(clamtk:5): GLib-GIO-CRITICAL **: 16:14:13.177: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed

(clamtk:5): GLib-GIO-CRITICAL **: 16:14:13.177: g_dbus_connection_get_unique_name: assertion 'G_IS_DBUS_CONNECTION (connection)' failed
Failed to create secure directory (/run/user/1000/pulse): Permission denied
Database test passed.

I think that worked. Before my outuput when updating was:

Failed to create secure directory (/run/user/1000/pulse): Permission denied
WARNING: Can't query current.cvd.clamav.net
WARNING: Invalid DNS reply. Falling back to HTTP mode.
WARNING: remote_cvdhead: Download failed (6) WARNING:  Message: Couldn't resolve host name
WARNING: Failed to get daily database version information from server: https://database.clamav.net
ERROR: check_for_new_database_version: Failed to find daily database using server https://database.clamav.net.
WARNING: remote_cvdhead: Download failed (6) WARNING:  Message: Couldn't resolve host name
WARNING: Failed to get daily database version information from server: https://database.clamav.net
ERROR: check_for_new_database_version: Failed to find daily database using server https://database.clamav.net.
ERROR: remote_cvdhead: Download failed (6) ERROR:  Message: Couldn't resolve host name
WARNING: Failed to get daily database version information from server: https://database.clamav.net
ERROR: check_for_new_database_version: Failed to find daily database using server https://database.clamav.net.
ERROR: Update failed for database: daily
ERROR: Database update process failed: HTTP GET failed
ERROR: Update failed.

My profile looks like this:

# Firejail profile for clamtk
# This file is overwritten after every install/update
# Persistent local customizations
include clamtk.local
# Persistent global definitions
include globals.local

include disable-exec.inc

caps.drop all
#ipc-namespace
ignore net none
no3d
nodvd
nogroups
noinput
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix,inet,inet6 
seccomp

netfilter

private-dev

dbus-user none
dbus-system none

restrict-namespaces

Is it best practice to use ignore rather than commenting out thins like #ipc-namespace. I believe this issue is solved. Thanks firejail team!

I was also wondering if I could pick your brains about steam and controllers best practices? Would you like me to create a new issue to discus that?

@tetoNidan commented on GitHub (Oct 31, 2023): > Can you post the exact output here? In my brief test I had to ignore net none AND expand the allowed protocols with protocol unix,inet,inet6 for sucessfully updating the signatures. When allowing networking it's advised to also add netfilter. Which relates to your other question... ``` Reading profile /home/tool/.config/firejail/clamtk.profile Reading profile /etc/firejail/disable-exec.inc Parent pid 238902, child pid 238903 Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set. Warning: not remounting /run/user/1000/doc Warning: not remounting /run/user/1000/gvfs Child process initialized in 14.25 ms Warning: an existing sandbox was detected. /usr/bin/clamtk will run without any additional sandboxing features WARNING **: Unable to connect to dbus: Could not connect: Permission denied at /usr/share/perl5/vendor_perl/Gtk3.pm line 555. (clamtk:5): GLib-GIO-CRITICAL **: 16:14:13.177: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed (clamtk:5): GLib-GIO-CRITICAL **: 16:14:13.177: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed (clamtk:5): GLib-GIO-CRITICAL **: 16:14:13.177: g_dbus_connection_get_unique_name: assertion 'G_IS_DBUS_CONNECTION (connection)' failed Failed to create secure directory (/run/user/1000/pulse): Permission denied Database test passed. ``` I think that worked. Before my outuput when updating was: ``` Failed to create secure directory (/run/user/1000/pulse): Permission denied WARNING: Can't query current.cvd.clamav.net WARNING: Invalid DNS reply. Falling back to HTTP mode. WARNING: remote_cvdhead: Download failed (6) WARNING: Message: Couldn't resolve host name WARNING: Failed to get daily database version information from server: https://database.clamav.net ERROR: check_for_new_database_version: Failed to find daily database using server https://database.clamav.net. WARNING: remote_cvdhead: Download failed (6) WARNING: Message: Couldn't resolve host name WARNING: Failed to get daily database version information from server: https://database.clamav.net ERROR: check_for_new_database_version: Failed to find daily database using server https://database.clamav.net. ERROR: remote_cvdhead: Download failed (6) ERROR: Message: Couldn't resolve host name WARNING: Failed to get daily database version information from server: https://database.clamav.net ERROR: check_for_new_database_version: Failed to find daily database using server https://database.clamav.net. ERROR: Update failed for database: daily ERROR: Database update process failed: HTTP GET failed ERROR: Update failed. ``` My profile looks like this: ``` # Firejail profile for clamtk # This file is overwritten after every install/update # Persistent local customizations include clamtk.local # Persistent global definitions include globals.local include disable-exec.inc caps.drop all #ipc-namespace ignore net none no3d nodvd nogroups noinput nonewprivs noroot nosound notv nou2f novideo protocol unix,inet,inet6 seccomp netfilter private-dev dbus-user none dbus-system none restrict-namespaces ``` Is it best practice to use `ignore` rather than commenting out thins like `#ipc-namespace`. I believe this issue is solved. Thanks firejail team! I was also wondering if I could pick your brains about `steam` and controllers best practices? Would you like me to create a new issue to discus that?

gitea-mirror commented

2026-05-05 09:47:52 -06:00

Author

Owner

@rusty-snake commented on GitHub (Oct 31, 2023):

Is it best practice to use ignore rather than commenting out thins like #ipc-namespace

Yes, because you can use .locals. See the Wiki for more.

Would you like me to create a new issue to discus that?

Yes.

@rusty-snake commented on GitHub (Oct 31, 2023): > Is it best practice to use ignore rather than commenting out thins like #ipc-namespace Yes, because you can use .locals. See the Wiki for more. > Would you like me to create a new issue to discus that? Yes.

gitea-mirror commented

2026-05-05 09:47:53 -06:00

Author

Owner

@tetoNidan commented on GitHub (Oct 31, 2023):

Thanks I will close this and start composing my controller question. I will close this and thanks again firejail team!

@tetoNidan commented on GitHub (Oct 31, 2023): Thanks I will close this and start composing my controller question. I will close this and thanks again firejail team!

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#3170

No description provided.

Rows
Columns