Automatically started application in KDE not firejailed

[MrFrank17]

On logout of KDE, open applications will be automatically started on the next login. However, these applications are not firejailed (they are not shown with firejail --list). After closing and reopening the programs, they are firejailed as expected.

Using Kubuntu 20.04. Noticed when using firefox.

Relates to:

• 4092

[glitsj16]

If you can find out where KDE saves this information there might be a way to ensure the apps are properly firejailed at re-login. I'm hoping KDE saves this info in seperate XDG desktop files somewhere under your ${HOME}, and those we know how to deal with (like firecfg does).

[rusty-snake]

@glitsj16 My guess is that they are started over D-Bus, if that's true firecfg.py can already help. I take a closer look tomorrow.

[glitsj16]

@rusty-snake That would be great. We really need a proper/secure way for users to handle this kind of basic functionality, whether it's via D-Bus or otherwise. I have to look at your firecfg.py again soonish in this context. Thanks for the info!

[bbhtt]

Also in Xfce, and by extension on any that offer such, happens when you save the session state and log-out. Sessions are stored in ~/.cache/sessions for Xfce but the path varies by DE. https://bugs.kde.org/show_bug.cgi?id=155341#c10

[rusty-snake]

FYI: https://forum.kde.org/viewtopic.php?t=131789

[bbhtt]

Doesn't seem to work in Xfce, the session files are overwritten on every logout:

Client6_Priority=50
Client6_RestartStyleHint=0
Client7_ClientId=26ba77eb3-50e2-4e9c-a7fe-cf8cb07475c7
Client7_Hostname=local/korte
Client7_CloneCommand=/usr/bin/firefox
Client7_RestartCommand=/usr/bin/firefox,--sm-client-id,26ba77eb3-50e2-4e9c-a7fe-cf8cb07475c7

Though I don't save state and there's an option to do so in Xfce, I've added a logout job to clear any session cache.

Edit. Probably duplicate of https://github.com/netblue30/firejail/issues/359

[rusty-snake]

Related: #1599. In my test they where started as children of kdeinit5. IDK anything about the internals of KDE, but the only workaround I see ATM is to disable session restore or editing the ~/.config/sessions/* + ~/.config/ksmserverrc after-logout/before-login. This could be done by a systemd-user-servcie.

[smitsohu]

You might also want to take a look at the excludeApps= key in ~/.config/ksmserverrc. Note that these things are also exposed in System Settings -> Startup and Shutdown.

If it is not considered too intrusive, maybe firecfg could patch ~/.config/ksmserverrc ? Not sure though if ksmserver is prepared to handle hundreds of application names.

[smitsohu]

Regarding Firefox specifically, you can set env MOZ_APP_LAUNCHER=/usr/bin/firejail; this environment variable was introduced for exactly this reason if I understand correctly. If your distribution comes with a /usr/bin/firefox shell script, there is the side effect that this script will be bypassed in the future, so it's not really a universal/great solution.

[rusty-snake]

Do we want to do anything here?

[h-town]

Do we want to do anything here?

that would be great. just ran into the issue today and couldn't figure out an alternative solution. i expect it's not unique to firefox but that's where i encountered it.

ideally-speaking @kde / ksmserverrc would respect the Exec line from the source .desktop file but getting them to address it for circumstances unique to firejail may be futile.