telegram.profile breaks download, open links and tray icon #4508

Closed
7 tasks done
Schweber opened this issue Sep 4, 2021 · 5 comments
Labels
notabug The behavior is as intended or the issue was caused by user error or by an old version

Comments

@Schweber
Schweber commented Sep 4, 2021

Using the default telegram.profile, I cannot download files, cannot open links and another tray icon is added every time I re-open the telegram window.

I expect all of this to work out of the box.

I created a telegram.local file whitelisting my download directory but this doesn't change anything. Running telegram-desktop without firejail works fine.

I am running Manjaro Cinnamon 21.1.1 with Kernel 5.10.60-1 and firejail 0.9.66 (no git-version).

Checklist

  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • I have performed a short search for similar issues (to avoid opening a duplicate).
  • If it is an AppImage, --profile=PROFILENAME is used to set the right profile.
  • Used LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 PROGRAM to get English error-messages.
  • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • This is not a question. Questions should be asked in https://github.com/netblue30/firejail/discussions.

Log

debug output.txt

@jose1711
Contributor

jose1711 commented Feb 9, 2022

Unable to reproduce the issue with tray icon on Arch Linux and firejail from git (a667275).

@davidebeatrici
Contributor

I cannot reproduce on KDE, with firejail 0.9.68 and Telegram Desktop 3.4.8.

However, I have to add the following to the local profile in order for the tray icon to work:

dbus-user filter
dbus-user.talk org.kde.StatusNotifierWatcher
ignore dbus-user none

The message that appears when the D-Bus message is not allowed:

kf.notifications: env says KDE is running but SNI unavailable -- check KDE_FULL_SESSION and XDG_CURRENT_DESKTOP

@kmk3
Collaborator

kmk3 commented Feb 14, 2022

@davidebeatrici commented on Feb 14:

I cannot reproduce on KDE, with firejail 0.9.68 and Telegram Desktop 3.4.8.

However, I have to add the following to the local profile in order for the
tray icon to work:

dbus-user filter
dbus-user.talk org.kde.StatusNotifierWatcher
ignore dbus-user none

From telegram.profile on 0.9.68:

dbus-user filter
dbus-user.own org.telegram.desktop.*
dbus-user.talk org.freedesktop.Notifications
?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher

Does it work with allow-tray = yes on /etc/firejail/firejail.config and
nothing on the local profile?


Relates to #4510.

@davidebeatrici
Contributor

Confirmed, thanks!

Shouldn't allow-tray be enabled by default?

@kmk3
Collaborator

kmk3 commented Feb 14, 2022

@davidebeatrici commented on Feb 14:

Confirmed, thanks!

No problem. Closing this as fixed as of 0.9.68.

Shouldn't allow-tray be enabled by default?

It appears that org.kde.StatusNotifierWatcher is unsafe / allows escaping the
sandbox (thus it's hidden behind allow-tray); see:

@kmk3 kmk3 closed this as completed Feb 14, 2022
@kmk3 kmk3 added the notabug The behavior is as intended or the issue was caused by user error or by an old version label Feb 14, 2022
kmk3 added a commit to kmk3/firejail that referenced this issue Feb 15, 2022
According to netblue30#4053, `dbus-user.talk org.kde.StatusNotifierWatcher` is
unsafe and allows escaping the sandbox, but it is required by multiple
programs for tray functionality.  Users may not be aware of this (for
example, see netblue30#4508), so add a warning about it.

Note: allow-tray was added on commit c86cae2 ("Add new condition
ALLOW_TRAY", 2021-09-04) / PR netblue30#4510.
kmk3 added a commit to kmk3/firejail that referenced this issue Feb 16, 2022
According to netblue30#4053, there is currently no safe (in the sense of not
allowing to escape the sandbox) implementation of
`org.kde.StatusNotifierWatcher`, but it is required by multiple programs
for tray functionality.  Users may not be aware of this (for example,
see netblue30#4508), so add a warning about it.

Note: allow-tray was added on commit c86cae2 ("Add new condition
ALLOW_TRAY", 2021-09-04) / PR netblue30#4510.
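
An added example, not part of the thread or of firejail's code: a Python audit that resolves the `?ALLOW_TRAY:` conditional discussed above and reports which file ends up granting talk access to `org.kde.StatusNotifierWatcher`. The function names, the `allow-tray yes` key/value form assumed for firejail.config, and the trailing `.*` wildcard handling are assumptions of this example; it inspects `dbus-user.talk` rules only.

```python
import re

# Bus name the thread describes as allowing sandbox escape.
RISKY = "org.kde.StatusNotifierWatcher"

# Constructed sample inputs; the profile lines are the ones quoted in the thread.
PROFILE = """dbus-user filter
dbus-user.own org.telegram.desktop.*
dbus-user.talk org.freedesktop.Notifications
?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
"""
LOCAL_OVERRIDE = """dbus-user filter
dbus-user.talk org.kde.StatusNotifierWatcher
ignore dbus-user none
"""

def allow_tray_enabled(config_text):
    """True if firejail.config has an uncommented 'allow-tray yes' (assumed syntax)."""
    enabled = False
    for line in config_text.splitlines():
        m = re.fullmatch(r"\s*allow-tray\s+(yes|no)\s*", line)
        if m:  # simplification: the last uncommented setting wins
            enabled = m.group(1) == "yes"
    return enabled

def active_lines(profile_text, allow_tray):
    """Yield profile commands, resolving '?ALLOW_TRAY:' conditionals."""
    for raw in profile_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("?ALLOW_TRAY:"):
            if not allow_tray:
                continue  # conditional line is skipped when allow-tray is off
            line = line[len("?ALLOW_TRAY:"):].strip()
        if line:
            yield line

def covers(rule_name, bus_name):
    """Exact match, or a trailing '.*' wildcard (assumed prefix semantics)."""
    if rule_name.endswith(".*"):
        return (bus_name + ".").startswith(rule_name[:-1])
    return rule_name == bus_name

def tray_exposure(config_text, local_text, profile_text):
    """Return 'local' or 'profile' for the file whose talk rule exposes RISKY, else None."""
    allow_tray = allow_tray_enabled(config_text)
    for source, text in (("local", local_text), ("profile", profile_text)):
        for line in active_lines(text, allow_tray):
            parts = line.split()
            if parts[0] == "dbus-user.talk" and any(covers(p, RISKY) for p in parts[1:]):
                return source
    return None
```

A result of `"local"` means the exposure comes from a per-user override rather than from the global allow-tray switch, so it persists even when firejail.config leaves allow-tray off.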