4.20.13-arch1-1-ARCH with KDE.
Running pidgin in firejail makes the interface stutter a lot and then freeze entirely for ~5-10 seconds most of the time.
Possibly related to #2395 - it mentions as a workaround ignoring "nosound", but running firejail --ignore=nosound pidgin does not fix the issue.
Reading profile /etc/firejail/pidgin.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Parent pid 27285, child pid 27286
1 program installed in 4.28 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Blacklist violations are logged to syslog
Child process initialized in 62.67 ms
(Pidgin:4): Gtk-WARNING **: 11:38:46.084: Unable to locate theme engine in module_path: "adwaita",
(Pidgin:4): Gtk-WARNING **: 11:38:46.091: Unable to locate theme engine in module_path: "adwaita",
(gst-plugin-scanner:5): GStreamer-WARNING **: 11:38:46.337: Failed to load plugin '/usr/lib/gstreamer-1.0/libgstzbar.so': libzbar.so.0: cannot open shared object file: No such file or directory
(gst-plugin-scanner:5): GStreamer-WARNING **: 11:38:46.398: Failed to load plugin '/usr/lib/gstreamer-1.0/libgstkate.so': libkate.so.1: cannot open shared object file: No such file or directory
(gst-plugin-scanner:5): GStreamer-WARNING **: 11:38:46.430: Failed to load plugin '/usr/lib/gstreamer-1.0/libgstlv2.so': liblilv-0.so.0: cannot open shared object file: No such file or directory
(gst-plugin-scanner:5): GStreamer-WARNING **: 11:38:46.447: Failed to load plugin '/usr/lib/gstreamer-1.0/libgstfluidsynthmidi.so': libfluidsynth.so.2: cannot open shared object file: No such file or directory
(Pidgin:4): Json-CRITICAL **: 11:38:55.854: json_object_get_string_member: assertion 'node != NULL' failed
(Pidgin:4): Json-CRITICAL **: 11:38:55.860: json_object_get_string_member: assertion 'node != NULL' failed
(Pidgin:4): Json-CRITICAL **: 11:38:55.866: json_object_get_string_member: assertion 'node != NULL' failed
(Pidgin:4): Json-CRITICAL **: 11:38:55.869: json_object_get_string_member: assertion 'node != NULL' failed
(Pidgin:4): Json-CRITICAL **: 11:38:55.881: json_object_get_string_member: assertion 'node != NULL' failed
(Pidgin:4): Json-CRITICAL **: 11:38:55.887: json_object_get_string_member: assertion 'node != NULL' failed
(Pidgin:4): Json-CRITICAL **: 11:38:55.891: json_object_get_string_member: assertion 'node != NULL' failed
(Pidgin:4): Json-CRITICAL **: 11:38:55.894: json_object_get_string_member: assertion 'node != NULL' failed
(Pidgin:4): Json-CRITICAL **: 11:38:55.903: json_object_get_string_member: assertion 'node != NULL' failed
(Pidgin:4): Json-CRITICAL **: 11:38:55.914: json_object_get_string_member: assertion 'node != NULL' failed
(Pidgin:4): Json-CRITICAL **: 11:38:55.927: json_object_get_string_member: assertion 'node != NULL' failed
(Pidgin:4): Json-CRITICAL **: 11:38:55.930: json_object_get_string_member: assertion 'node != NULL' failed
(Pidgin:4): Json-CRITICAL **: 11:38:55.937: json_object_get_string_member: assertion 'node != NULL' failed
(Pidgin:4): Json-CRITICAL **: 11:39:08.376: json_object_get_int_member: assertion 'node != NULL' failed
(Pidgin:4): Json-CRITICAL **: 11:39:31.588: json_object_get_int_member: assertion 'node != NULL' failed
7twin
All 7 comments
@7twin The gst-plugin-scanner GStreamer warnings usually mean you haven't installed the packages that provide those plugins. Quite harmless IMHO. As for the others and the perceived stutter, I'm looking into that more closely (although I'm not used to KDE) and have put together an alternative pidgin profile. If you download that and put it into ~/.config/firejail it should be ready for testing. I'd appreciate any feedback.
glitsj16
on 17 Mar 2019
@glitsj16 I'm sort of afraid to test it currently as I rely heavily on pidgin working and post uninstall of firejail it continued to be wonky for some time until some hard reboots. (pidgin worked perfectly fine before firejail though, so it was definitely the issue)
Dropbox also started to re-sync all files for some reason, which I can't take right now. (slow internet and thousands of files are not the best combination) I'll be happy to try it once #2547 with betterdiscord has a way to get it working though, as by that time I should probably be able to experiment again.
A sort of related question too (especially with the above described dropbox issue) - is there a way to exclude processes from being firejailed locally, so even on updates it won't get back - as with deleting the .profile would do?
7twin
on 18 Mar 2019
@7twin No worries, I do understand your arguments. I might go ahead and merge my changes for the pidgin profile in a few days. It should improve functionality on KDE. Running some more extensive testing myself in the days ahead. Pidgin has a rather wide array of plugins and I'm looking for ways to make those work without loosening its sandbox.
As for your question on excluding applications from being firejailed, that's possible yes. Many ways to do that. You could go for a pacman post-install hook for firejail that removes the apps you want to exclude from /usr/lib/firejail/firecfg.conf (that is the file that controls firecfg functionality). If you only have a few applications to exclude that would be overkill and I'd suggest putting a simple wrapper script in your ${HOME}/bin. Ensure it has the exact same name, calling the exact same command with a full path and it will bypass firejail's wrappers in /usr/local/bin. At least it will if ${HOME}/bin has precendence in your $PATH env var (which it should). Here's an example script to always run your pidgin non-sandboxed. Saved as ${HOME}/bin/pidgin and made executable it will bypass firejail:
#!/bin/sh
# wrapper for pidgin :: non-sandboxed
/usr/bin/pidgin "$@"
Do note that .desktop files control whatever is launched via GUI, so make sure the relevant pidgin.desktop file in ~/.local/share/applications points to your ${HOME}/bin/pidgin script.
glitsj16
on 18 Mar 2019
@glitsj16 Regarding the plugins, here's all plugins I use and the pidgin version, to possibly be able to re-create my setup easier:
- extra/pidgin 2.13.0-5
- aur/purple-skypeweb-git 1.5.r10.90007bf-1 (there's an update currently)
- aur/pidgin-opensteamworks-git 1.6.1.r52.gbf7dd28-1 (also an update queued)
- The rest is built-in (not plugins).
Thanks for the excluding explanation too! will definitely give it a shot for the dropbox issue once I reinstall. Though I wonder, wouldn't each update also force the .desktop files to be reset? maybe there should be a non-update overwritten file (in .config or ~?) where you can just exclude certain programs from all profiles or modifications.
7twin
on 18 Mar 2019
@7twin Indeed, you would have to take extra steps to protect that .desktop file from being overwritten. Which is exactly what the chattr command can do, by setting the immutable bit on it, I forgot to mention that important part... See https://en.wikipedia.org/wiki/Chattr for more detailed info.
glitsj16
on 19 Mar 2019
@glitsj16 Thanks will look into it, though the blacklist idea would be more universal too.
7twin
on 20 Mar 2019
@7twin Merged the new whitelist pidgin.profile in https://github.com/netblue30/firejail/pull/2620. Please feel free to reopen this if you still suffer stutter or anything else.
glitsj16
on 27 Mar 2019
Related issues
Vincent43
路
3Comments
francoism90
路
4Comments
Fincer
路
4Comments
HulaHoopWhonix
路
4Comments
thiswillbeyourgithub
路
3Comments
Most helpful comment
@7twin The gst-plugin-scanner GStreamer warnings usually mean you haven't installed the packages that provide those plugins. Quite harmless IMHO. As for the others and the perceived stutter, I'm looking into that more closely (although I'm not used to KDE) and have put together an alternative pidgin profile. If you download that and put it into ~/.config/firejail it should be ready for testing. I'd appreciate any feedback.