[GH-ISSUE #6658] firecfg: seahorse is not sandboxed (.desktop file) #3330

Closed
opened 2026-05-05 09:55:00 -06:00 by gitea-mirror · 6 comments

Originally created by @ginto37 on GitHub (Feb 21, 2025).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6658

Description

seahorse AKA Passwords and Keys is not sandboxed with firejail.

Steps to Reproduce

  1. Open Activities/Overview mode from the top panel or using the keyboard shortcut
  2. Search for seahorse or Password and Keys and launch it
  3. In a Terminal, check the output of firejail --list
  4. Close Password and Keys

and

  1. Open a Terminal
  2. Enter seahorse and tap Enter/Return
  3. Check the output of firejail --list

Expected behavior

Output in either case should be similar to the following:

3233:USERNAME::/usr/bin/firejail /usr/bin/seahorse

Actual behavior

There is no output in either case.

Behavior without a profile

N/A

Additional context

I found #2591 but sandboxing mysteriously started working in that case so there was no answer there. I've confirmed that the issue exists over numerous reboots over several weeks and after performing all system updates.

Environment

  • Name/version/arch of the Linux kernel (uname -srm): Linux 6.8.0-52-generic x86_64
  • Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux"): Ubuntu 22.04.5 LTS
  • Name/version of the relevant program(s)/package(s) (e.g. "firefox 134.0-1,
    mesa 1:24.3.3-2"): seahorse 41.0
  • Version of Firejail (firejail --version): firejail version 0.9.72

Compile time support:
- always force nonewprivs support is disabled
- AppArmor support is enabled
- AppImage support is enabled
- chroot support is enabled
- D-BUS proxy support is enabled
- file transfer support is enabled
- firetunnel support is disabled
- IDS support is enabled
- networking support is enabled
- output logging is enabled
- overlayfs support is disabled
- private-home support is enabled
- private-cache and tmpfs as user enabled
- SELinux support is enabled
- user namespace support is enabled
- X11 sandboxing support is enabled

  • If you use a development version of firejail, also the commit from which it
    was compiled (git rev-parse HEAD):

Checklist

  • [ ] The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • [ ] I can reproduce the issue without custom modifications (e.g. globals.local).
  • [x] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [ ] The profile (and redirect profile if exists) hasn't already been fixed upstream (https://github.com/netblue30/firejail/tree/master/etc).
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).
  • [ ] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • [ ] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program

Reading profile /etc/firejail/seahorse.profile
Reading profile /etc/firejail/allow-ssh.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 4076, child pid 4079
Warning: cannot find /var/run/utmp
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping crypto-policies for private /etc
Warning: skipping gconf for private /etc
Warning: skipping pango for private /etc
Warning: skipping pkcs11 for private /etc
Warning: skipping ssh for private /etc
Private /etc installed in 64.60 ms
Private /usr/etc installed in 0.00 ms
Child process initialized in 219.41 ms

Parent is shutting down, bye...

Output of LC_ALL=C firejail --debug /path/to/program

Gist: https://gist.github.com/ginto37/1c64b20db986fd337d4a9483a9d38633.js

output goes here


@rusty-snake commented on GitHub (Feb 21, 2025):

~~I guess you have to remove pam_gnome_keyring.so from your PAM configuration.~~


@kmk3 commented on GitHub (Feb 22, 2025):

What is the full path to the program?

What is the output of the following:

sudo firecfg
grep seahorse /etc/firejail/firecfg.config
which -a seahorse
ls -al ~/.local/share/applications
grep '^Exec' ~/.local/share/applications/seahorse.desktop

@ginto37 commented on GitHub (Feb 25, 2025):

$ sudo firecfg
Removing all firejail symlinks:
   seahorse removed
   cvlc removed
   ftp removed
   transmission-gtk removed
   gnome-logs removed
   autokey-run removed
   gnome-font-viewer removed
   gcalccmd removed
   evince-previewer removed
   yubioath-desktop removed
   baobab removed
   man removed
   pdftotext removed
   evince removed
   autokey-shell removed
   wget removed
   gnome-characters removed
   rhythmbox removed
   autokey-gtk removed
   strings removed
   gnome-calculator removed
   nslookup removed
   eog removed
   bleachbit removed
   patch removed
   firefox-esr removed
   enchant-2 removed
   xcalc removed
   evince-thumbnailer removed
   file-roller removed
   gapplication removed
   dnsmasq removed
   gedit removed
   dig removed
   ping removed
   rhythmbox-client removed
   host removed
   Xephyr removed
   enchant-lsmod-2 removed
   yelp removed
   vlc removed

Configuring symlinks in /usr/local/bin based on firecfg.config
   Xephyr created
   autokey-gtk created
   autokey-run created
   autokey-shell created
   baobab created
   bleachbit created
   cvlc created
   dig created
   dnsmasq created
   enchant-2 created
   enchant-lsmod-2 created
   eog created
   evince created
   evince-previewer created
   evince-thumbnailer created
   file-roller created
   firefox-esr created
   ftp created
   gapplication created
   gcalccmd created
   gedit created
   gnome-calculator created
   gnome-characters created
   gnome-font-viewer created
   gnome-logs created
   host created
   man created
   nslookup created
   patch created
   pdftotext created
   ping created
   rhythmbox created
   rhythmbox-client created
   seahorse created
   strings created
   transmission-gtk created
   vlc created
   wget created
   xcalc created
   yelp created

Adding user USERNAME to Firejail access database in /etc/firejail/firejail.users
User USERNAME already in the database

Loading AppArmor profile

Fixing desktop files in /home/USERNAME/.local/share/applications
   org.gnome.Nautilus.desktop skipped: file exists
   org.gnome.Logs.desktop skipped: file exists
   org.gnome.baobab.desktop skipped: file exists
   vlc.desktop skipped: file exists
   org.gnome.gedit.desktop skipped: file exists
$ grep seahorse /etc/firejail/firecfg.config 
seahorse
seahorse-adventures
seahorse-daemon
seahorse-tool
$ which -a seahorse
/usr/local/bin/seahorse
/usr/bin/seahorse
/bin/seahorse
$ ls -al ~/.local/share/applications/
total 40
drwx------  2 USERNAME USERNAME  4096 Feb 23 21:56 .
drwx------ 21 USERNAME USERNAME  4096 Dec 27 06:09 ..
-rw-------  1 USERNAME USERNAME   647 Jan 24 01:11 org.gnome.baobab.desktop
-rw-------  1 USERNAME USERNAME   773 Jan 24 01:11 org.gnome.gedit.desktop
-rw-------  1 USERNAME USERNAME   589 Jan 24 01:11 org.gnome.Logs.desktop
-rw-------  1 USERNAME USERNAME  1264 Jan 24 01:11 org.gnome.Nautilus.desktop
-rw-------  1 USERNAME USERNAME 14918 Feb 23 21:56 vlc.desktop

I couldn't tell you why there's no seahorse.desktop file.


@kmk3 commented on GitHub (Feb 25, 2025):

> I couldn't tell you why there's no seahorse.desktop file.

The issue is probably because it uses org.foo.bar.desktop instead of just
bar.desktop, in which case org.foo.bar would also need to be in firecfg.

What is the output of the following:

grep -R 'Exec=.*seahorse' /usr/share/applications

Edit: Now I noticed some relevant details in the output (related to #6657):

> Fixing desktop files in /home/USERNAME/.local/share/applications
>    org.gnome.Nautilus.desktop skipped: file exists
>    org.gnome.Logs.desktop skipped: file exists
>    org.gnome.baobab.desktop skipped: file exists
>    vlc.desktop skipped: file exists
>    org.gnome.gedit.desktop skipped: file exists

What is the output of the following?

grep 'Exec' ~/.local/share/applications/*.desktop | LC_ALL=C sort -u

@rusty-snake commented on GitHub (Feb 25, 2025):

> The issue is probably because it uses org.foo.bar.desktop instead of just
> bar.desktop, in which case org.foo.bar would also need to be in firecfg.

https://github.com/netblue30/firejail/blob/76509024ef04e3fea95ecd79b4fe55c72ebace37/src/firecfg/desktop_files.c#L68-L71

> What is the output of the following?
> grep 'Exec' ~/.local/share/applications/*.desktop | LC_ALL=C sort -u

DBusActivatable is also important

Seahorse seems to be /usr/share/applications/org.gnome.seahorse.Application.desktop


@ginto37 commented on GitHub (Feb 27, 2025):

/usr/share/applications/org.gnome.seahorse.Application.desktop:Exec=seahorse
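As an added defender's check (not firejail's own code and not posted in the thread), the script below does in one pass what the grep commands above do by hand: for every .desktop file whose Exec= program is listed in firecfg.config, it reports whether the Exec= line actually goes through firejail and whether the file sets DBusActivatable=true, which rusty-snake flags because a D-Bus-activated launch does not run Exec= at all. It matches on the Exec= program rather than on the file name, so the org.gnome.seahorse.Application.desktop case kmk3 describes is still reported; the fixture files it creates under mktemp are constructed, and the function names audit_desktop_files and demo are mine.

```shell
#!/bin/sh
# Added example (not firejail's code): audit .desktop files for programs that
# firecfg.config lists but whose Exec= line does not go through firejail, and
# flag DBusActivatable=true, because a D-Bus-activated launch never runs Exec=.
# It matches on the Exec= program, not on the file name, so a file named
# org.gnome.seahorse.Application.desktop with Exec=seahorse is still reported.
# Usage: audit_desktop_files FIRECFG_CONFIG DIR...
audit_desktop_files() {
    cfg=$1; shift
    for dir in "$@"; do
        for f in "$dir"/*.desktop; do
            [ -f "$f" ] || continue
            exec_line=$(grep -m1 '^Exec=' "$f" | cut -d= -f2-)
            # Split Exec= into words. The outer loop list was expanded already,
            # so reusing the positional parameters here is safe.
            set -- $exec_line
            if [ "${1##*/}" = firejail ]; then
                status=sandboxed
                shift                      # skip the wrapper and its options
                while [ $# -gt 0 ]; do case $1 in -*) shift ;; *) break ;; esac; done
            else
                status=UNSANDBOXED
            fi
            prog=${1##*/}                  # program basename
            [ -n "$prog" ] || continue
            # Only report programs firecfg manages (exact line in firecfg.config).
            grep -qx -- "$prog" "$cfg" || continue
            if grep -qix 'DBusActivatable=true' "$f"; then
                status="$status,dbus-activatable"
            fi
            printf '%s %s %s\n' "$status" "$prog" "$f"
        done
    done
}

# Constructed fixtures (not taken from the reporter's machine): a firecfg.config
# listing seahorse and vlc, a system desktop file in the org.gnome.* naming the
# thread discusses, and a user desktop file that firecfg already rewrote.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/sys" "$tmp/user"
    printf 'seahorse\nseahorse-tool\nvlc\n' > "$tmp/firecfg.config"
    printf '[Desktop Entry]\nName=Passwords and Keys\nExec=seahorse\nDBusActivatable=true\n' \
        > "$tmp/sys/org.gnome.seahorse.Application.desktop"
    printf '[Desktop Entry]\nName=Files\nExec=nautilus --new-window %%U\n' \
        > "$tmp/sys/org.gnome.Nautilus.desktop"   # not in firecfg.config: ignored
    printf '[Desktop Entry]\nName=VLC\nExec=/usr/bin/firejail /usr/bin/vlc --started-from-file %%U\n' \
        > "$tmp/user/vlc.desktop"
    audit_desktop_files "$tmp/firecfg.config" "$tmp/sys" "$tmp/user"
    rm -rf "$tmp"
}

demo
```

Run against the real directories as `audit_desktop_files /etc/firejail/firecfg.config /usr/share/applications ~/.local/share/applications`; any UNSANDBOXED line is a launcher that firecfg did not rewrite.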
Reference: github-starred/firejail#3330