Open MrFrank17 opened 4 years ago
If you can find out where KDE saves this information there might be a way to ensure the apps are properly firejailed at re-login. I'm hoping KDE saves this info in separate XDG desktop files somewhere under your ${HOME}, and those we know how to deal with (like firecfg does).
@glitsj16 My guess is that they are started over D-Bus; if that's true, firecfg.py can already help. I'll take a closer look tomorrow.
@rusty-snake That would be great. We really need a proper/secure way for users to handle this kind of basic functionality, whether it's via D-Bus or otherwise. I have to look at your firecfg.py again soonish in this context. Thanks for the info!
Also in Xfce, and by extension on any that offer such, happens when you save the session state and log-out. Sessions are stored in ~/.cache/sessions for Xfce but the path varies by DE. https://bugs.kde.org/show_bug.cgi?id=155341#c10
Doesn't seem to work in Xfce, the session files are overwritten on every logout:
Client6_Priority=50
Client6_RestartStyleHint=0
Client7_ClientId=26ba77eb3-50e2-4e9c-a7fe-cf8cb07475c7
Client7_Hostname=local/korte
Client7_CloneCommand=/usr/bin/firefox
Client7_RestartCommand=/usr/bin/firefox,--sm-client-id,26ba77eb3-50e2-4e9c-a7fe-cf8cb07475c7
Though I don't save state and there's an option to do so in Xfce, I've added a logout job to clear any session cache.
Edit. Probably duplicate of https://github.com/netblue30/firejail/issues/359
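An added example, not part of the thread or of firejail: a Python check over the Xfce session format quoted above that lists RestartCommand entries which would relaunch a program directly instead of through firejail, plus a rewrite that prefixes them. Assumptions: the comma-separated value is the argv list, firejail is installed at /usr/bin/firejail, and jailed_names is a hypothetical set of program names the user expects sandboxed; since the session files are overwritten at logout, a rewrite would have to run after that point.

```python
import os
import re

# Matches Xfce session keys of the form ClientN_RestartCommand=prog,arg,...
RESTART_RE = re.compile(r"^(Client\d+_RestartCommand)=(.*)$")

FIREJAIL = "/usr/bin/firejail"  # assumed install path


def audit_session(text, jailed_names):
    """Return [(key, program)] for restart commands that bypass firejail.

    jailed_names: basenames the user expects sandboxed (hypothetical input,
    e.g. the programs firecfg has created symlinks for).
    """
    findings = []
    for line in text.splitlines():
        m = RESTART_RE.match(line.strip())
        if not m:
            continue
        key, value = m.groups()
        prog = value.split(",")[0]  # assumption: first field is argv[0]
        if os.path.basename(prog) == "firejail":
            continue  # already wrapped
        if os.path.basename(prog) in jailed_names:
            findings.append((key, prog))
    return findings


def wrap_restarts(text, jailed_names):
    """Return session text with flagged restart commands prefixed by firejail."""
    flagged = {key for key, _ in audit_session(text, jailed_names)}
    out = []
    for line in text.splitlines():
        m = RESTART_RE.match(line.strip())
        if m and m.group(1) in flagged:
            line = f"{m.group(1)}={FIREJAIL},{m.group(2)}"
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample in the format quoted in the thread.
SAMPLE = """\
Client6_RestartCommand=/usr/bin/firejail,/usr/bin/vlc
Client7_CloneCommand=/usr/bin/firefox
Client7_RestartCommand=/usr/bin/firefox,--sm-client-id,EXAMPLE-ID
Client8_RestartCommand=xfce4-panel
"""

if __name__ == "__main__":
    for key, prog in audit_session(SAMPLE, {"firefox", "vlc"}):
        print(f"{key}: {prog} would restart outside firejail")
```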
Related: #1599. In my test they were started as children of kdeinit5. IDK anything about the internals of KDE, but the only workaround I see ATM is to disable session restore or editing the ~/.config/sessions/* + ~/.config/ksmserverrc after-logout/before-login. This could be done by a systemd-user-service.
You might also want to take a look at the excludeApps= key in ~/.config/ksmserverrc. Note that these things are also exposed in System Settings -> Startup and Shutdown.
If it is not considered too intrusive, maybe firecfg could patch ~/.config/ksmserverrc ? Not sure though if ksmserver is prepared to handle hundreds of application names.
Regarding Firefox specifically, you can set env MOZ_APP_LAUNCHER=/usr/bin/firejail; this environment variable was introduced for exactly this reason if I understand correctly.
If your distribution comes with a /usr/bin/firefox shell script, there is the side effect that this script will be bypassed in the future, so it's not really a universal/great solution.
Do we want to do anything here?
that would be great. just ran into the issue today and couldn't figure out an alternative solution. i expect it's not unique to firefox but that's where i encountered it.
ideally-speaking @kde / ksmserverrc would respect the Exec line from the source .desktop file but getting them to address it for circumstances unique to firejail may be futile.
On logout of KDE, open applications will be automatically started on the next login. However, these applications are not firejailed (they are not shown with firejail --list). After closing and reopening the programs, they are firejailed as expected. Using Kubuntu 20.04. Noticed when using firefox.
Relates to:
4092