[GH-ISSUE #1564] Firetools GUI incorrectly reporting Seccomp & Protocols as disabled #1039

Closed
opened 2026-05-05 07:20:46 -06:00 by gitea-mirror · 7 comments

Originally created by @Irvinehimself on GitHub (Sep 19, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1564

With reference to this post (https://bbs.archlinux.org/viewtopic.php?id=230023) on the Arch Linux forums, the Firetools GUI appears to be incorrectly reporting Seccomp & Protocols as disabled.

OS: Arch Linux
Kernels: linux-hardened 4.13.2, linux-hardened-apparmor 4.13.2
Desktops: xfdesktop 4.12.4-1 (also tested with a standalone openbox 3.6.1-3)
Firejail: firejail-apparmor 0.9.50-1
Firectl: firectl 1.0-1
Firetools: firetools 0.9.46-1

Running:

firejail --debug vlc | grep -Ev '(^Disable /|^Mounting read-only /home)'

I get:

[stupidme@mine ~]$ firejail --debug vlc | grep -Ev '(^Disable /|^Mounting read-only /home)'
Reading profile /etc/firejail/vlc.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
DISPLAY=:0.0 parsed as 0
Autoselecting /bin/bash as shell
Building quoted command line: 'vlc'
Command name #vlc#
Found vlc profile in /etc/firejail directory
Using the local network stack
Initializing child process
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
total 0
lrwx------ 1 stupidme stupidme 64 Sep 18 05:49 0 -> /dev/null
l-wx------ 1 stupidme stupidme 64 Sep 18 05:49 1 -> pipe:[38209]
lrwx------ 1 stupidme stupidme 64 Sep 18 05:49 2 -> /dev/pts/0
lr-x------ 1 stupidme stupidme 64 Sep 18 05:49 3 -> /proc/2276/fd
total 0
lrwx------ 1 stupidme stupidme 64 Sep 18 05:49 0 -> /dev/null
l-wx------ 1 stupidme stupidme 64 Sep 18 05:49 1 -> pipe:[38209]
lrwx------ 1 stupidme stupidme 64 Sep 18 05:49 2 -> /dev/pts/0
lr-x------ 1 stupidme stupidme 64 Sep 18 05:49 3 -> /proc/2278/fd
total 0
lrwx------ 1 stupidme stupidme 64 Sep 18 05:49 0 -> /dev/null
l-wx------ 1 stupidme stupidme 64 Sep 18 05:49 1 -> pipe:[38209]
lrwx------ 1 stupidme stupidme 64 Sep 18 05:49 2 -> /dev/pts/0
lr-x------ 1 stupidme stupidme 64 Sep 18 05:49 3 -> /proc/2280/fd
total 0
lrwx------ 1 stupidme stupidme 64 Sep 18 05:49 0 -> /dev/null
l-wx------ 1 stupidme stupidme 64 Sep 18 05:49 1 -> pipe:[38209]
lrwx------ 1 stupidme stupidme 64 Sep 18 05:49 2 -> /dev/pts/0
lr-x------ 1 stupidme stupidme 64 Sep 18 05:49 3 -> /proc/2282/fd
total 0
lrwx------ 1 stupidme stupidme 64 Sep 18 05:49 0 -> /dev/null
l-wx------ 1 stupidme stupidme 64 Sep 18 05:49 1 -> pipe:[38209]
lrwx------ 1 stupidme stupidme 64 Sep 18 05:49 2 -> /dev/pts/0
lr-x------ 1 stupidme stupidme 64 Sep 18 05:49 3 -> /proc/2284/fd
total 0
lrwx------ 1 stupidme stupidme 64 Sep 18 05:49 0 -> /dev/null
l-wx------ 1 stupidme stupidme 64 Sep 18 05:49 1 -> pipe:[38209]
lrwx------ 1 stupidme stupidme 64 Sep 18 05:49 2 -> /dev/pts/0
lr-x------ 1 stupidme stupidme 64 Sep 18 05:49 3 -> /proc/2286/fd
total 0
lrwx------ 1 stupidme stupidme 64 Sep 18 05:49 0 -> /dev/null
l-wx------ 1 stupidme stupidme 64 Sep 18 05:49 1 -> pipe:[38209]
lrwx------ 1 stupidme stupidme 64 Sep 18 05:49 2 -> /dev/pts/0
lr-x------ 1 stupidme stupidme 64 Sep 18 05:49 3 -> /proc/2288/fd
Debug 374: new_name #/tmp/.X11-unix#, whitelist
Creating empty /run/firejail/mnt/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp.postexec file
Build protocol filter: unix,inet,inet6,netlink
sbox run: /usr/lib/firejail/fseccomp protocol build unix,inet,inet6,netlink /run/firejail/mnt/seccomp.protocol (null)
Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr, /etc, /var
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Mounting tmpfs on /dev
mounting /run/firejail/mnt/dev/snd directory
mounting /run/firejail/mnt/dev/dri directory
mounting /run/firejail/mnt/dev/video0 file
mounting /run/firejail/mnt/dev/sr0 file
Create /dev/shm directory
Copying files in the new bin directory
Checking /usr/local/bin/vlc
firejail exec symlink detected
Checking /usr/bin/vlc
sbox run: /usr/lib/firejail/fcopy /usr/bin/vlc /run/firejail/mnt/bin (null)
Checking /usr/local/bin/cvlc
firejail exec symlink detected
Checking /usr/bin/cvlc
sbox run: /usr/lib/firejail/fcopy /usr/bin/cvlc /run/firejail/mnt/bin (null)
Checking /usr/local/bin/nvlc
Checking /usr/bin/nvlc
sbox run: /usr/lib/firejail/fcopy /usr/bin/nvlc /run/firejail/mnt/bin (null)
Checking /usr/local/bin/rvlc
Checking /usr/bin/rvlc
sbox run: /usr/lib/firejail/fcopy /usr/bin/rvlc /run/firejail/mnt/bin (null)
Checking /usr/local/bin/qvlc
Checking /usr/bin/qvlc
sbox run: /usr/lib/firejail/fcopy /usr/bin/qvlc /run/firejail/mnt/bin (null)
Checking /usr/local/bin/svlc
Checking /usr/bin/svlc
sbox run: /usr/lib/firejail/fcopy /usr/bin/svlc /run/firejail/mnt/bin (null)
Mount-bind /run/firejail/mnt/bin on top of /usr/local/bin
Mount-bind /run/firejail/mnt/bin on top of /usr/bin
Mount-bind /run/firejail/mnt/bin on top of /bin
Mount-bind /run/firejail/mnt/bin on top of /usr/local/games
Mount-bind /run/firejail/mnt/bin on top of /usr/local/sbin
Mount-bind /run/firejail/mnt/bin on top of /usr/sbin
Mount-bind /run/firejail/mnt/bin on top of /sbin
Remounting /proc and /proc/sys filesystems
Remounting /sys directory
Mounting tmpfs on /tmp directory
Whitelisting /tmp/.X11-unix
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Mounting noexec /tmp/.X11-unix
Not blacklist /home/stupidme/.config/vlc
Mounting noexec /home/stupidme
Mounting noexec /tmp
DISPLAY=:0.0 parsed as 0
SECCOMP Filter
  VALIDATE_ARCHITECTURE_64
  EXAMINE_SYSCALL
  WHITELIST 41 socket
  UNKNOWN ENTRY 20!
  WHITELIST 1 write
  WHITELIST 2 open
  WHITELIST 10 mprotect
  WHITELIST 16 ioctl
  RETURN_ERRNO 95 EOPNOTSUPP
SECCOMP Filter
  VALIDATE_ARCHITECTURE_32
  EXAMINE_SYSCALL
  BLACKLIST 21 access
  BLACKLIST 52 getpeername
  BLACKLIST 26 msync
  BLACKLIST 283 timerfd_create
  BLACKLIST 341 unknown
  BLACKLIST 342 unknown
  BLACKLIST 127 rt_sigpending
  BLACKLIST 128 rt_sigtimedwait
  BLACKLIST 350 unknown
  BLACKLIST 129 rt_sigqueueinfo
  BLACKLIST 110 getppid
  BLACKLIST 101 ptrace
  BLACKLIST 289 signalfd4
  BLACKLIST 87 unlink
  BLACKLIST 115 getgroups
  BLACKLIST 103 syslog
  BLACKLIST 347 unknown
  BLACKLIST 348 unknown
  BLACKLIST 135 personality
  BLACKLIST 149 mlock
  BLACKLIST 124 getsid
  BLACKLIST 343 unknown
  BLACKLIST 253 inotify_init
  BLACKLIST 336 unknown
  BLACKLIST 338 unknown
  BLACKLIST 349 unknown
  BLACKLIST 286 timerfd_settime
  BLACKLIST 287 timerfd_gettime
  BLACKLIST 288 accept4
  BLACKLIST 86 link
  BLACKLIST 51 getsockname
  BLACKLIST 123 setfsgid
  BLACKLIST 217 getdents64
  BLACKLIST 245 mq_getsetattr
  BLACKLIST 246 kexec_load
  BLACKLIST 247 waitid
  BLACKLIST 248 add_key
  BLACKLIST 249 request_key
  BLACKLIST 257 openat
  BLACKLIST 274 get_robust_list
  BLACKLIST 276 tee
  BLACKLIST 294 inotify_init1
  BLACKLIST 317 seccomp
  BLACKLIST 316 renameat2
  BLACKLIST 61 wait4
  BLACKLIST 88 symlink
  BLACKLIST 169 reboot
  BLACKLIST 130 rt_sigsuspend
  RETURN_ALLOW
SECCOMP Filter
  VALIDATE_ARCHITECTURE
  EXAMINE_SYSCALL
  HANDLE_X32
  BLACKLIST 154 modify_ldt
  BLACKLIST 212 lookup_dcookie
  BLACKLIST 298 perf_event_open
  BLACKLIST 311 process_vm_writev
  BLACKLIST 156 _sysctl
  BLACKLIST 183 afs_syscall
  BLACKLIST 174 create_module
  BLACKLIST 177 get_kernel_syms
  BLACKLIST 181 getpmsg
  BLACKLIST 182 putpmsg
  BLACKLIST 178 query_module
  BLACKLIST 185 security
  BLACKLIST 139 sysfs
  BLACKLIST 184 tuxcall
  BLACKLIST 134 uselib
  BLACKLIST 136 ustat
  BLACKLIST 236 vserver
  BLACKLIST 159 adjtimex
  BLACKLIST 305 clock_adjtime
  BLACKLIST 227 clock_settime
  BLACKLIST 164 settimeofday
  BLACKLIST 176 delete_module
  BLACKLIST 313 finit_module
  BLACKLIST 175 init_module
  BLACKLIST 173 ioperm
  BLACKLIST 172 iopl
  BLACKLIST 246 kexec_load
  BLACKLIST 320 kexec_file_load
  BLACKLIST 169 reboot
  BLACKLIST 167 swapon
  BLACKLIST 168 swapoff
  BLACKLIST 163 acct
  BLACKLIST 321 bpf
  BLACKLIST 161 chroot
  BLACKLIST 165 mount
  BLACKLIST 180 nfsservctl
  BLACKLIST 155 pivot_root
  BLACKLIST 171 setdomainname
  BLACKLIST 170 sethostname
  BLACKLIST 166 umount2
  BLACKLIST 153 vhangup
  BLACKLIST 238 set_mempolicy
  BLACKLIST 256 migrate_pages
  BLACKLIST 279 move_pages
  BLACKLIST 237 mbind
  BLACKLIST 304 open_by_handle_at
  BLACKLIST 303 name_to_handle_at
  BLACKLIST 251 ioprio_set
  BLACKLIST 103 syslog
  BLACKLIST 300 fanotify_init
  BLACKLIST 312 kcmp
  BLACKLIST 248 add_key
  BLACKLIST 249 request_key
  BLACKLIST 250 keyctl
  BLACKLIST 206 io_setup
  BLACKLIST 207 io_destroy
  BLACKLIST 208 io_getevents
  BLACKLIST 209 io_submit
  BLACKLIST 210 io_cancel
  BLACKLIST 216 remap_file_pages
  BLACKLIST 278 vmsplice
  BLACKLIST 135 personality
  BLACKLIST 323 userfaultfd
  BLACKLIST 101 ptrace
  BLACKLIST 310 process_vm_readv
  RETURN_ALLOW
Current directory: /home/stupidme
Dropping all capabilities
Install protocol filter: unix,inet,inet6,netlink
configuring 16 seccomp entries in /run/firejail/mnt/seccomp.protocol
sbox run: /usr/lib/firejail/fseccomp print /run/firejail/mnt/seccomp.protocol (null)
configuring 101 seccomp entries in /run/firejail/mnt/seccomp.32
sbox run: /usr/lib/firejail/fseccomp print /run/firejail/mnt/seccomp.32 (null)
Dual 32/64 bit seccomp filter configured
configuring 138 seccomp entries in /run/firejail/mnt/seccomp
sbox run: /usr/lib/firejail/fseccomp print /run/firejail/mnt/seccomp (null)
seccomp filter configured

Seccomp files:

noroot user namespace installed
Dropping all capabilities
NO_NEW_PRIVS set
VLC media player 2.2.6 Umbrella (revision 2.2.6-0-g1aae78981c)
[00000a67f98b4028] core libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface.

Which, I am reliably informed, shows that “Firejail is clearly using Seccomp filters”, yet the Firetools GUI reports both Seccomp and Protocols as being disabled.

A simple test using the VLC profile shows that Protocols is in fact enabled and working: With protocol unix,inet,inet6,netlink I am able to search/download subtitles; on the other hand, with protocol unix, the search/download plug-in fails.

Similarly, enabling/disabling the seccomp filter in the Wireshark profile produces the following:

Seccomp commented out:

[stupidme@mine ~]$ firejail wireshark
Reading profile /etc/firejail/wireshark.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Parent pid 26999, child pid 27000
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Blacklist violations are logged to syslog
Child process initialized in 88.18 ms
......
......
Parent is shutting down, bye...
[stupidme@mine ~]$

Seccomp un-commented:

[stupidme@mine ~]$ firejail wireshark
Reading profile /home/stupidme/.config/firejail/wireshark.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Error: invalid syscall list
[stupidme@mine ~]$

If you need any more information or would like me to run further tests, I would be glad to help.

Best regards and thanks for the good work
Irvine


@Fred-Barclay commented on GitHub (Sep 19, 2017):

G'day @Irvinehimself
Just to make sure I've understood the situation properly:
Seccomp is in fact enabled.
Firejail reports that seccomp is enabled.
Firetools reports that seccomp is disabled.
Is that right?


@Irvinehimself commented on GitHub (Sep 19, 2017):

Yes, that appears to be the case. Looking at the debug output, the seccomp filters appear to be enabled. Additionally, the quick and dirty test with the VLC and Wireshark profiles also indicates that both Protocols and Seccomp are enabled, yet the Firetools GUI says they are disabled.

For example, copy/pasting from the Firetools GUI

Home      Shutdown      Join      File Manager      Process Tree      DNS

Command: /usr/bin/firejail /usr/bin/conky -q -c /home/stupidme/.config/conky/conky-cpu-mem-disks.conf 

PID: 1187                       RX: unknown
User: stupidme                  TX: unknown
CPU: 0%                         Seccomp: disabled
Memory: 50876 KiB               Capabilities: 
RSS 28208, shared 22668         User Namespace: enabled
CPU Cores:                      Protocols: disabled

Irvine


@Irvinehimself commented on GitHub (Sep 19, 2017):

I just realised that the above Firetools GUI example uses a conky profile which you do not have. So, in case you need to examine it, I am attaching it here.

PS
If you wish to add it to the official collection, feel free. (Note it is fairly restrictive, but could do with some tightening up.)
conky.zip (https://github.com/netblue30/firejail/files/1313208/conky.zip)


@SkewedZeppelin commented on GitHub (Sep 19, 2017):

Can you pacman -S checksec and sudo checksec --proc-all? Take a look and see if there is any process with seccomp; if there is, seccomp is working. Now if you then run firemon --seccomp and the output is all zeroes, can you try running again as root? Any difference? If not, then something is indeed broken.

Also I've added your Conky profile 807ec197d3, thanks!


@Irvinehimself commented on GitHub (Sep 19, 2017):

Okay, I have run the tests you asked and attached the zipped output. I don't know if it helps, but I also include the output from firejail --list.

In summary, the firejailed items appear to be using seccomp-bpf. There was a slight hitch comparing sudo firemon --seccomp with firemon --seccomp. Basically, I use hidepid so firemon can only be run as root. If it matters I will uninstall hidepid. Anyway, firemon shows Seccomp: 2 for everything except Opera, which, I believe, uses its own Seccomp sandbox.

Edit
In particular, for comparison with the above copy/paste of the Firetools GUI, I would draw your attention to

951:stupidme:/usr/bin/firejail /usr/bin/conky -q -c /home/stupidme/.config/conky/conky-os-weather-news.conf 
  Seccomp:	2
1137:stupidme:/usr/bin/firejail /usr/bin/conky -q -c /home/stupidme/.config/conky/conky-networks-news.conf 
  Seccomp:	2
1223:stupidme:/usr/bin/firejail /usr/bin/conky -q -c /home/stupidme/.config/conky/conky-cpu-mem-disks.conf 
  Seccomp:	2

Hope this helps
Irvine

FirejailCheckSeccomp.zip (https://github.com/netblue30/firejail/files/1314897/FirejailCheckSeccomp.zip)


@SkewedZeppelin commented on GitHub (Sep 19, 2017):

@Irvinehimself afaik hidepid isn't recommended anymore, and has always broken many things.
But if you had hidepid enabled and you were running firetools without root, could that have been the problem?


@Irvinehimself commented on GitHub (Sep 19, 2017):

I just un-installed hidepid (and rebooted), and yes, it was the cause of the problem. There should be a warning about hidepid in the Arch Wiki; it's caused me other problems in the past, and I will not be re-installing it.

I apologise for any problems and wish you all the best
Irvine

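The resolution above is a reporting failure rather than a sandbox failure: with hidepid set on /proc, a non-root monitor cannot read other users' /proc/<pid>/status at all, and that absence of data was displayed as "disabled". The following is an added example, not Firetools or firemon code: it reads the Seccomp: field that firemon's "Seccomp: 2" output reflects (0 disabled, 1 strict, 2 filter), reports "unknown" when the status file is unreadable, and checks /proc/mounts for a hidepid= option to explain why. Function names and the sample status/mounts text are constructed for the example.

```python
"""Classify a process's seccomp mode from /proc/<pid>/status without
mistaking "cannot read" for "disabled" (example for the hidepid thread)."""
import os
import re

# Values of the "Seccomp:" field in /proc/<pid>/status (see proc(5)).
SECCOMP_MODES = {0: "disabled", 1: "strict", 2: "filter"}


def parse_seccomp_field(status_text):
    """Return the integer Seccomp mode from a /proc/<pid>/status dump.

    Raises ValueError when the field is absent (kernel without seccomp
    support, or a truncated read)."""
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Seccomp":
            return int(value.strip())
    raise ValueError("no Seccomp: field in status text")


def describe_seccomp(status_text):
    """Map a status dump to the word a monitor should display."""
    mode = parse_seccomp_field(status_text)
    return SECCOMP_MODES.get(mode, "unknown mode %d" % mode)


def seccomp_state(pid, proc_root="/proc"):
    """Read /proc/<pid>/status and classify it.

    An unreadable status file (hidepid, a vanished process, a permission
    error) is reported as "unknown", never as "disabled": only a Seccomp
    value of 0 means the process really has no seccomp filter."""
    path = os.path.join(proc_root, str(pid), "status")
    try:
        with open(path, encoding="ascii", errors="replace") as fh:
            text = fh.read()
    except (PermissionError, FileNotFoundError, ProcessLookupError):
        return "unknown"
    try:
        return describe_seccomp(text)
    except ValueError:
        return "unknown"


HIDEPID_RE = re.compile(r"(?:^|,)hidepid=([^,\s]+)")


def proc_hidepid(mounts_text):
    """Return the hidepid= option of the /proc mount, or None if unset.

    Parses /proc/mounts lines: "device mountpoint fstype options dump pass"."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "/proc" and fields[2] == "proc":
            match = HIDEPID_RE.search(fields[3])
            return match.group(1) if match else None
    return None


def explain(pid, proc_root="/proc", mounts_text=None):
    """Combine both checks into the one-line diagnosis a monitor should show."""
    state = seccomp_state(pid, proc_root)
    if state != "unknown":
        return "pid %d seccomp: %s" % (pid, state)
    if mounts_text is None:
        try:
            with open(os.path.join(proc_root, "mounts")) as fh:
                mounts_text = fh.read()
        except OSError:
            mounts_text = ""
    hidepid = proc_hidepid(mounts_text)
    if hidepid not in (None, "0", "off"):
        return ("pid %d seccomp: unknown (/proc mounted with hidepid=%s; "
                "run the monitor as root or drop hidepid)" % (pid, hidepid))
    return "pid %d seccomp: unknown (status not readable)" % pid


# Constructed sample input, modelled on /proc/<pid>/status and /proc/mounts.
SAMPLE_STATUS_FILTERED = "Name:\tconky\nUmask:\t0022\nState:\tS (sleeping)\nSeccomp:\t2\n"
SAMPLE_STATUS_PLAIN = "Name:\tbash\nState:\tS (sleeping)\nSeccomp:\t0\n"
SAMPLE_MOUNTS_HIDEPID = (
    "sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0\n"
    "proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 0 0\n"
)

if __name__ == "__main__":
    print(describe_seccomp(SAMPLE_STATUS_FILTERED))
    print(explain(os.getpid()))
    # Simulate the thread's situation: status unreadable, /proc has hidepid=2.
    print(explain(1, proc_root="/nonexistent", mounts_text=SAMPLE_MOUNTS_HIDEPID))
```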