[GH-ISSUE #1137] Chrome applications (including electron) that use system tray sets empty tray icon when private-tmp is active #786

Open
opened 2026-05-05 06:39:25 -06:00 by gitea-mirror · 18 comments

Originally created by @msva on GitHub (Mar 9, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1137

I've found that `slack` (which has `private-tmp` active in the default system-wide profile) started to render an empty icon in the tray.
Debugging showed that on every start it creates two directories under `/tmp`, named like `.org.chromium.Chromium.[6 random alphanumeric]`. One of them contains an `icons/hicolor/24x24/apps` path, and in the `apps` directory it places files (maybe more than one) named like `chrome_app_indicator2_[32 random hex digits].png`.

I guess it tells the system tray to load the icon from that path, but since the path exists only in the private bin, the system tray fails to do that.

I'd try to work around it with `whitelist /tmp/.org.chromium.Chromium.*`, but... `whitelist` (and friends) does not support regex 😺

// Although, I'm anyway not sure if `whitelist` works in the reverse way and allows ***creating*** whitelisted files on the host system...

And it also happens when running `chrome`/`chromium` under firejail and using chrome apps, as well as with other electron-based apps.

gitea-mirror added the
enhancement
label 2026-05-05 06:39:25 -06:00

@netblue30 commented on GitHub (Mar 9, 2017):

I would try to comment out (add a #) private-tmp in /etc/firejail/slack.profile.


@msva commented on GitHub (Mar 9, 2017):

> I would try to comment out (add a #) private-tmp in
> /etc/firejail/slack.profile.

Yes, it helps (that is how I debugged that it is private-tmp's fault).

But it has side-effects:

  1. it will (obviously) expose the entire /tmp to slack
  2. that change will be rewritten after the next firejail upgrade.

@netblue30 commented on GitHub (Mar 10, 2017):

For 2) it's easy, I'll remove it from the profile.

For 1), can you figure out what files or directories it uses in /tmp? We can whitelist /tmp. At minimum, we need just a "whitelist /tmp/.X11-unix" and the directories/files created by slack.


@msva commented on GitHub (Mar 10, 2017):

As far as I looked in the private /tmp inside the jail, it only creates the directory "Slack Crashes" and the two directories I described above (".org.chromium.Chromium.[a-zA-Z0-9]{6}"), and uses nothing from the system's /tmp.


@netblue30 commented on GitHub (Mar 10, 2017):

OK, so I only need to add some basic globbing/regex support in whitelists, something like

```
--whitelist=.org.chromium.Chromium.*
```

@msva commented on GitHub (Apr 9, 2017):

Hi there!

Is there any progress on this? 😎


@msva commented on GitHub (Aug 1, 2017):

I'm not sure if `whitelist` now supports wildcards (at least, it doesn't complain on `*`), but this is still the issue.
And I'm not sure if it will work as intended out of the box, since it **creates** those directories (containing the tray icon png file) at runtime (i.e. after start), and they have unique names every time.
So I'm not sure if it will be enough to just whitelist those directories (with a wildcard), or will firejail need to "proxy" those directories into the "outer" /tmp?..
What do you think, @netblue30?


@msva commented on GitHub (Aug 1, 2017):

By the way, the same thing is relevant for chrome forks. For example, Yandex Browser just created the `/tmp/.ru.yandex.desktop.browser.MJGCGo` directory. I bet the new Opera does it in a similar way.
So we definitely need a way to somehow whitelist not-yet-created directories by mask (not just manually blacklisting files from /tmp to prevent proprietary things from accessing them, but sandboxing them in their own /tmp while still having some directories they create in the outer /tmp).

Or, maybe, do an LD_PRELOAD hack to hijack the creation of / writing to those files and do the same in an "external" copy in the "outer" /tmp.


@chiraag-nataraj commented on GitHub (Mar 29, 2018):

Hey all,

I'm actually currently using `private-tmp` with `slack` and it's actually the _only_ way it works (apparently Electron apps need `/tmp` to be executable, and my `/tmp` is mounted `noexec`). I've attached the profile I'm using currently - can someone else test and report back if it works for them?
[slack.txt](https://github.com/netblue30/firejail/files/1860620/slack.txt)


@alien2003 commented on GitHub (Mar 22, 2019):

The same with wire-desktop and slack for me

```
(slack:18): Gtk-WARNING **: 11:39:28.818: Theme parsing error: gtk.css:1:107: Failed to import: Error opening file /home/alien/.local/share/gnome-shell/extensions/unite@hardpixel.eu/styles/buttons-right.css: No such file or directory

(slack:18): Gtk-WARNING **: 11:39:28.819: Theme parsing error: gtk.css:2:113: Failed to import: Error opening file /home/alien/.local/share/gnome-shell/extensions/unite@hardpixel.eu/styles/buttons-right-tiled.css: No such file or directory
```

@SkewedZeppelin commented on GitHub (Mar 22, 2019):

@alien2003
try adding the following to `~/.config/firejail/[broken program].local` or globals.local

```
noblacklist ${HOME}/.local/share/gnome-shell
whitelist ${HOME}/.local/share/gnome-shell
read-only ${HOME}/.local/share/gnome-shell
```

@alien2003 commented on GitHub (Mar 22, 2019):

@SkewedZeppelin No errors in the terminal now but the icon is still missing. I use Gnome 3.30.2 on Manjaro with this extension for tray icons: https://extensions.gnome.org/extension/615/appindicator-support/


@alien2003 commented on GitHub (Mar 22, 2019):

Seems to be ok with this extension: https://extensions.gnome.org/extension/1503/tray-icons/


@intika commented on GitHub (May 19, 2019):

Same issue with skype... as it's chromium based...

*Awaiting wildcard support for whitelist, here are some possible solutions....*

  1. (Edit: not good) run the application with another user dedicated to that application... (with dbus-launch)

  2. (Edit: not good) Ohhh I found a quick easy solution ! just prefix the binary with dbus-launch...
    `firejail --profile=/etc/firejail/skypeforlinux.profile dbus-launch skypeforlinux`
    dbus-launch will proxify the necessary stuff and keep the tmp jailed...

Note that with dbus-launcher it's buggy and slow to use it with... so left with no solution... have to dig a little deeper... Wildcard whitelist is not implemented yet as of 05/2019

**Edit:**
I think I found the problem and it's not related at all...
here is **the solution**: `export TMPDIR=${HOME}/whatever`

After some debugging... here is my little report

First of all the problem seems to be caused by an empty $TMPDIR environment variable when --private-tmp is used (firejail bug ?)

So basically the solution is to create a directory accessible by the user, let's say /tmpjail, then set $TMPDIR to that directory in the profile file like so:
`env TMPDIR=/tmpjail`

@netblue30 for firejail a reliable solution could be a new feature (let's say --accessible-tmp) that would mount a tmpfs in the main namespace under /tmp/tmpjail (and whitelist it), then set $TMPDIR and $TMP to /tmp/tmpjail (this solution would solve the problem and keep /tmp jailed)
A quick easy solution would be editing the problematic profiles like skype to use "mkdir" to create /tmp/tmpjail, whitelist it, then set the tmp variable to that file...


@smitsohu commented on GitHub (Jul 25, 2020):

Whitelist globbing was added recently by @netblue30, so `whitelist /tmp/.org.chromium.Chromium.*` should work now in Firejail master.
Could someone confirm?


@rusty-snake commented on GitHub (Jul 25, 2020):

@smitsohu if I got this right, `/tmp/foobar.XXXX` is created by foobar. This still did not help.


@smitsohu commented on GitHub (Jul 25, 2020):

@rusty-snake I see. Then the only solutions are indeed

  • `ignore private-tmp`
  • @intika 's proposal

@rusty-snake commented on GitHub (Aug 5, 2020):

result from #3540:

```
ignore private-tmp

mkdir /tmp/FOO-tmp
whitelist /tmp/FOO-tmp
env TMPDIR=/tmp/FOO-tmp
env TMP=/tmp/FOO-tmp

# IF dbus-user filter
dbus-user.talk org.kde.StatusNotifierWatcher
# ELIF dbus-user none
ignore dbus-user none
dbus-user filter
dbus-user.talk org.kde.StatusNotifierWatcher
# FI
```

edit: removed useless `dbus-user.talk org.freedesktop.StatusNotifierItem` lines, see #3774.

---

Would it make sense to add a `private-tmp-exposed` which does the `/tmp/FOO-tmp` stuff?

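As an added model, not firejail code and not from anyone in this thread, the Python below shows why the glob whitelist discussed above cannot catch a directory that only appears after the app starts, and why the profile's `mkdir /tmp/FOO-tmp` + `whitelist` + `env TMPDIR` trick works; the `.org.chromium.Chromium.*` and `FOO-tmp` names come from the thread, while the random suffix and the hex icon name are constructed samples.

```python
"""Constructed model of the timing problem in this thread (not firejail code):
whitelist globs are expanded when the sandbox is set up, while Chromium's tray
icon directory is created later, at app start, under a fresh random name.
The hex part of the icon name below is a constructed sample."""
import glob
import os
import random
import string
import tempfile

ICON_NAME = "chrome_app_indicator2_" + "0123456789abcdef" * 2 + ".png"

def expand_whitelist(patterns):
    """Expand the profile's whitelist globs once, at sandbox start; a pattern that
    matches nothing yet contributes nothing, so a later-created dir is never exposed."""
    return sorted(p for pat in patterns for p in glob.glob(pat))

def host_can_read(whitelisted, path):
    """The host-side tray can open the icon only if it lies under a whitelisted path."""
    return any(path == w or path.startswith(w + os.sep) for w in whitelisted)

def run_app(tmp_root, tmpdir_override=None):
    """Simulate one launch. tmp_root stands for /tmp; tmpdir_override stands for
    the pre-created /tmp/FOO-tmp that the profile whitelists and exports as
    TMPDIR. Returns True when the host tray could load the icon."""
    patterns = [os.path.join(tmp_root, ".org.chromium.Chromium.*")]
    if tmpdir_override:
        os.makedirs(tmpdir_override, exist_ok=True)  # profile: mkdir /tmp/FOO-tmp
        patterns.append(tmpdir_override)             # profile: whitelist /tmp/FOO-tmp
    whitelisted = expand_whitelist(patterns)         # done before the app starts
    # The app starts and creates its icon dir under $TMPDIR (default: /tmp),
    # with a random 6-character suffix as observed in the thread.
    suffix = "".join(random.choices(string.ascii_letters + string.digits, k=6))
    base = tmpdir_override or tmp_root
    icon_dir = os.path.join(base, ".org.chromium.Chromium." + suffix,
                            "icons", "hicolor", "24x24", "apps")
    os.makedirs(icon_dir)
    icon = os.path.join(icon_dir, ICON_NAME)
    open(icon, "wb").close()
    return host_can_read(whitelisted, icon)

def demo():
    """Returns (broken, fixed): glob-only whitelist vs. TMPDIR pointed into a whitelisted dir."""
    with tempfile.TemporaryDirectory() as tmp:
        broken = run_app(tmp)
        fixed = run_app(tmp, os.path.join(tmp, "FOO-tmp"))
    return broken, fixed
```

Running `demo()` yields `(False, True)`: the glob alone never sees the runtime-created directory, while redirecting TMPDIR into the whitelisted directory makes the icon reachable from the host.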