DISPLAY problem with zsh + fvwm + firejail

[Dominik Vogt <dominik.vogt@gmx.de>]

Running commands in firejail (an enhanced sandbox similar to
chroot), there is a problem with a certain way of starting
programs.

Working setup:
--------------

 # Running zsh inside an Rxvt managed by fvwm.
 $ firejail --debug set

Shows (with some added debug output), that zsh was used to run
"set", and that the display variable ist set:

  # args passed to execvp by firejail
  DISPLAY=':0'
  arg0: '/usr/bin/zsh'
  arg1: '-c'
  arg2: ''set' '
  # output of set shell builtin
  DISPLAY=':0'

Failing setup:
--------------

Run the command by the window manager.  Make a menu entry or open
FvwmConsole and type

  exec firejail --debug set

(exec is fvwm's command to run an external command).  Now, the
DISPLAY is set to an empty string:

  # args passed to execvp by firejail
  DISPLAY=':0'
  arg0: '/usr/bin/zsh'
  arg1: '-c'
  arg2: ''set' '
  # output of set shell builtin
  DISPLAY=''     <-------- empty string

--

I can't firgure out what's going on.  For some reason, DISPLAY is
set to an empty string between the final execvp() call in firejail
and the place that uses the value, and the shell may or may not be
involved in this problem.  Note that the same occurs if any shell
is set explicitly:

  exec firejail --debug bash -c xterm -> fails

But it works fine if firejail is told to omit the shell:

  exec firejail --debug xterm -> works

--

One more detail about the way fvwm calls external programs:

  rxvt
  -> zsh
  -> firejail
  -> execvp zsh -c 'firejail command'
  -> zsh
  -> firejail
  -> execvp
  -> zsh -c 'command'
  -> exec?
  -> command
  GOOD

 fvwm
  -> execvp
  -> sh -c 'firejail ...'
  -> sh
  -> firejail
  -> execvp zsh -c 'command'
  -> zsh
  -> exec?
  -> command
  BAD

(Note that you can tell fvwm to use zsh nstead of sh with
"execuseshell /bin/zsh".  This doesn't change anything.)

So, what is the cause of the different bevaviour and/or how can I
debug it?

Ciao

Dominik ^_^  ^_^

--

Dominik Vogt