[GH-ISSUE #7081] fbwrap sleeps instead of waiting for child to exit, does not preserve return code #3478

New issue

Open

opened 2026-05-05 10:01:32 -06:00 by gitea-mirror · 1 comment

gitea-mirror commented

2026-05-05 10:01:32 -06:00

Owner

Originally created by @spikethehobbitmage on GitHub (Feb 26, 2026).
Original GitHub issue: https://github.com/netblue30/firejail/issues/7081

Description

fbwrap sleeps instead of waiting for the child to exit. This breaks programs that expect to wait for the sandboxed child. All xfce4 applications appear to be affected as is geeqie.

Steps to Reproduce

Launch any xfce4 application using firejail. There will be an extra two second delay before the program starts.

time firejail --noprofile /usr/bin/xfce4-terminal --disable-server -e /bin/true
time firejail --noprofile --allow-bwrap /usr/bin/xfce4-terminal --disable-server -e /bin/true

Expected behavior

Both commands should take close to the same amount of time to complete.

Actual behavior

The version using firejail's fbwrap takes 4 seconds longer than the one using native bwrap.

Behavior without a profile

With or without a profile makes no difference for any affected application that has one.

Additional context

Some programs wait for the wrapped program to exit and may check the exit code. xfce4 applications do this on startup causing a delay before their window opens.

From the bwrap man page:

EXIT STATUS
       The bwrap command returns the exit status of the initial application
       process (pid 2 in the sandbox).

The problem is in the following code in src/fbwrap/main.c:

	// wait child to finish
	//int status;
	//waitpid(child, &status, 0);

	// don't bother waiting
	sleep(2);

	return 0;

It should be changed to:

	// wait for child to finish
	int status;
	waitpid(child, &status, 0);

	return status;

Environment

Linux 6.18.12+deb14-amd64 x86_64
Debian forky/sid
xfce4-terminal 1.1.5 (Xfce 4.20) (For demonstration. All Xfce 4.20 programs are affected.)
firejail version 0.9.78

Checklist

I am using firejail 0.9.78 or later
I am using the full program path (e.g. firejail /usr/bin/vlc instead of firejail vlc; see https://github.com/netblue30/firejail/issues/2877)
The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
I can reproduce the issue without custom modifications (e.g. globals.local).
The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
The profile (and redirect profile if exists) hasn't already been fixed upstream.
I have performed a short search for similar issues (to avoid opening a duplicate).
- I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of time firejail --noprofile /usr/bin/xfce4-terminal --disable-server -e /bin/true

firejail version 0.9.78

Parent pid 183678, child pid 183679
Base filesystem installed in 0.04 ms
Child process initialized in 6.62 ms

Parent is shutting down, bye...

real	0m4.117s
user	0m0.074s
sys	0m0.044s

Output of time firejail --noprofile --allow-bwrap /usr/bin/xfce4-terminal --disable-server -e /bin/true

firejail version 0.9.78

Parent pid 183707, child pid 183708
Base filesystem installed in 0.05 ms
Child process initialized in 6.59 ms

Parent is shutting down, bye...

real	0m0.140s
user	0m0.080s
sys	0m0.041s

Originally created by @spikethehobbitmage on GitHub (Feb 26, 2026). Original GitHub issue: https://github.com/netblue30/firejail/issues/7081 ### Description fbwrap sleeps instead of waiting for the child to exit. This breaks programs that expect to wait for the sandboxed child. All xfce4 applications appear to be affected as is geeqie. ### Steps to Reproduce Launch any xfce4 application using firejail. There will be an extra two second delay before the program starts. ``` time firejail --noprofile /usr/bin/xfce4-terminal --disable-server -e /bin/true time firejail --noprofile --allow-bwrap /usr/bin/xfce4-terminal --disable-server -e /bin/true ``` ### Expected behavior Both commands should take close to the same amount of time to complete. ### Actual behavior The version using firejail's fbwrap takes 4 seconds longer than the one using native bwrap. ### Behavior without a profile With or without a profile makes no difference for any affected application that has one. ### Additional context Some programs wait for the wrapped program to exit and may check the exit code. xfce4 applications do this on startup causing a delay before their window opens. From the `bwrap` man page: ``` EXIT STATUS The bwrap command returns the exit status of the initial application process (pid 2 in the sandbox). ``` The problem is in the following code in `src/fbwrap/main.c`: ``` // wait child to finish //int status; //waitpid(child, &status, 0); // don't bother waiting sleep(2); return 0; ``` It should be changed to: ``` // wait for child to finish int status; waitpid(child, &status, 0); return status; ``` ### Environment Linux 6.18.12+deb14-amd64 x86_64 Debian forky/sid xfce4-terminal 1.1.5 (Xfce 4.20) (For demonstration. All Xfce 4.20 programs are affected.) firejail version 0.9.78 ### Checklist - [x] I am using firejail [0.9.78 or later](https://github.com/netblue30/firejail/tree/master/SECURITY.md) - [x] I am using the full program path (e.g. `firejail /usr/bin/vlc` instead of `firejail vlc`; see `https://github.com/netblue30/firejail/issues/2877`) - [x] The issues is caused by firejail (i.e. running the program by path (e.g. `/usr/bin/vlc`) "fixes" it). - [x] I can reproduce the issue without custom modifications (e.g. globals.local). - [ ] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`) - [ ] The profile (and redirect profile if exists) hasn't already been fixed [upstream](https://github.com/netblue30/firejail/tree/master/etc). - [x] I have performed a short search for similar issues (to avoid opening a duplicate). - [ ] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers. - [ ] I used `--profile=PROFILENAME` to set the right profile. (Only relevant for AppImages) ### Log <details> <summary>Output of <code>time firejail --noprofile /usr/bin/xfce4-terminal --disable-server -e /bin/true</code></summary> <p> ``` firejail version 0.9.78 Parent pid 183678, child pid 183679 Base filesystem installed in 0.04 ms Child process initialized in 6.62 ms Parent is shutting down, bye... real 0m4.117s user 0m0.074s sys 0m0.044s ``` </p> </details> <details> <summary>Output of <code>time firejail --noprofile --allow-bwrap /usr/bin/xfce4-terminal --disable-server -e /bin/true</code></summary> <p> ``` firejail version 0.9.78 Parent pid 183707, child pid 183708 Base filesystem installed in 0.05 ms Child process initialized in 6.59 ms Parent is shutting down, bye... real 0m0.140s user 0m0.080s sys 0m0.041s ``` </p> </details>