qBittorrent tray icon missing from notification panel when running it with firejail

[mYnDstrEAm]

The system tray icon of qBittorrent missing when minimizing it to the notification area

Bug and expected behavior

• When minimizing qBittorent to the tray it does not display an entry in KDE's notification panel (in qBittorrent the setting "Minimize qBittorent to notification area" is enabled)
• In the bottom right when clicking the arrow of the tray to display KDE's notification panel ("Status & Notifications") a entry for qBittorent should display

I get this in the console when starting qBittorrent with firejail:

• Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set
• org.kde.knotifications: env says KDE is running but SNI unavailable -- check KDE_FULL_SESSION and XDG_CURRENT_DESKTOP

No profile and disabling firejail

• What changed calling firejail --noprofile /path/to/program in a terminal?

I don't get these 2 outputs in the console and it minimizes to the notification area

Reproduce
Steps to reproduce the behavior:

1. Run in bash firejail qbittorrent
2. Enable "Minimize qBittorent to notification area" setting
3. Try to minimize to tray

Environment
Debian 10 stable with KDE
Firejail 0.9.62

Additional context
The notification icon shows when running it without firejail

Checklist

• The upstream profile (and redirect profile if exists) have no changes fixing it.
• The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
• Programs needed for interaction are listed in the profile.
• A short search for duplicates was performed.
• If it is a AppImage, --profile=PROFILENAME is used to set the right profile.

[Neo00001]

run with ignore nodbus

[rusty-snake]

For the record: ignore nodbus only works for 0.9.62. In 0.9.64 either add ignore dbus-user none or set it to filter and add talk rules.

Tray-icon and native-notifications (there are multiple standards in the linux world, IDK how all of them work and which software implements which):

dbus-user filter
dbus-user.talk org.kde.knotifications
dbus-user.talk org.kde.StatusNotifierWatcher
dbus-user.talk org.freedesktop.Notifications
dbus-user.talk org.freedesktop.StatusNotifierItem
ignore dbus-user none

qBittorent may fail with that becaue it has no own rules and error-handling differs between "permission denied" on socket and "permission denied" inside dbus.

---

A hardened solution for 0.9.62:

ignore nodbus
blacklist /run/dbus

[mYnDstrEAm]

I ran kate ~/.config/firejail/qbittorrent.local and added these two lines and it works now. Thank you!

This should probably be added to the qbittorrent.profile.
However, I think that ignore nodbus should probably be replaced with allowing the notification tray icons in specific. You already listed relevant notification permissions. Before it's standardized better it should probably be done by firejail with something like "allow-tray".

[rusty-snake]

This should probably be added to the qbittorrent.profile.

Hmm, qbittorent is a program which mainly deals with (untrusted) data from the internet. This means it has a high attack-surface (e.g. buffer-overflows while processing a bad packet can result in RCE). D-Bus is a good technology for sandbox-escapes. So just allowing all D-Bus is risky. Fortunately we have fine grained D-Bus access policies since 0.9.64. However a lot of D-Bus interfaces are still unsafe and call rules are not maintainable without aliases. IMHO we should add a note for now.

[mYnDstrEAm]

That's why I'm wary of adding it (and I'm not sure what's being allowed when also blacklisting /run/dbus). But somehow qBittorrent and other apps with tray icons should work (completely) with firejail. Looks like Debian recently upgraded its used firejail version in backports to 0.9.64: is it now possible to allow tray-icons in specific? Does this mean that allowing notification area icons would still be unsafe with dbus (if so and if you know related dbus code issues please link them here; haven't looked into zeromq which is probably unlikely to be viable)?

[rusty-snake]

I'm not sure what's being allowed when also blacklisting /run/dbus

/run/dbus/system_bus_socket is the socket of the system-bus which is mainly used for privileged things (NetworkManager, systemd, PackageKit, Bluetooth, ...).

Looks like Debian recently upgraded its used firejail version in backports to 0.9.64: is it now possible to allow tray-icons in specific?

Yes, you can install it and try the rules I posted above. xdg-dbus-proxy must be installed.

OT: I suggest to always use the backports version because it has newer features and the much more recent profiles.

Does this mean that allowing notification area icons would still be unsafe with dbus (if so and if you know related dbus code issues please link them here;

It's not a bug in the D-Bus code. If you want it is a bug in the spec. The issue is that the most DEs populate all there objects/methods/interfaces on all names. Example on GNOME (<= 3.36.1) as I use GNOME and am more familiar but KDE should do the same IIRC. dbus-user.talk org.freedesktop.Notifications (native notifications; notify-send) allows to take screenshots, install extensions (which are commonly used for spyware under linux), execute and shell command outside of the sandbox.

IDK which of the names above are really needed and IDK if they safe under KDE, but based on my previous experience I classify all names as unsafe until I know better.

Using dbus-{user,system}.call rules can be used to allow access only to specific functions/properties/signals. However, these rules are terrible to maintain until we have aliases.

EDIT: and there are some reviews: https://github.com/netblue30/firejail/wiki/Restrict-D-Bus

[aminvakil]

firejail 0.9.72-1 on Arch Linux on KDE Plasma 5.115.0-1 and qbittorrent 4.6.3-1
This works and no new permissions are necessary to add as mentioned in #3707 (comment) :

dbus-user filter
ignore dbus-user none

Also for future readers like me, link has been moved to https://github.com/netblue30/firejail/wiki/Restrict-DBus .