[GH-ISSUE #1590] error with private-tmp & /tmp as tmpfs #1061

Closed
opened 2026-05-05 07:22:53 -06:00 by gitea-mirror · 42 comments

Originally created by @step- on GitHub (Oct 5, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1590

My distro, Fatdog64, mounts /tmp on a tmpfs in RAM. It's the default setup OOTB. Firejail seems to not like it. Is there some way around it? Note that

```
# firejail --noprofile --private-tmp echo OK
Parent pid 25719, child pid 25720
The new log directory is /proc/25720/root/var/log
Error mount tmpfs: fs_whitelist.c:774 fs_whitelist: No such file or directory
Error: proc 25719 cannot sync with peer: unexpected EOF
Peer 25720 unexpectedly exited with status 1

# firejail --noprofile echo OK
Parent pid 25730, child pid 25731
The new log directory is /proc/25731/root/var/log
Child process initialized in 34.86 ms
OK

Parent is shutting down, bye...

# mount | grep /tmp
tmpfs on /tmp type tmpfs (rw,relatime)
tmpfs on /tmp type tmpfs (rw,relatime)
#
```

System info

```
# uname -r
4.12.13

# firejail --version  # compiled github commit 2017.10.05 3884057 x86_64
firejail version 0.9.51

Compile time support:
	- AppArmor support is disabled
	- AppImage support is enabled
	- bind support is enabled
	- chroot support is enabled
	- file and directory whitelisting support is enabled
	- file transfer support is enabled
	- git install support is disabled
	- networking support is enabled
	- overlayfs support is enabled
	- private-home support is enabled
	- seccomp-bpf support is enabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled

# cat /proc/filesystems
nodev	sysfs
nodev	rootfs
nodev	tmpfs
nodev	bdev
nodev	proc
nodev	cpuset
nodev	cgroup
nodev	cgroup2
nodev	devtmpfs
nodev	binfmt_misc
nodev	debugfs
nodev	securityfs
nodev	sockfs
nodev	dax
nodev	bpf
nodev	pipefs
nodev	ramfs
nodev	rpc_pipefs
nodev	devpts
	ext3
	ext2
	ext4
	squashfs
	minix
	vfat
	msdos
	iso9660
nodev	nfs
nodev	nfs4
nodev	nfsd
nodev	cifs
	ntfs
	fuseblk
nodev	fuse
nodev	fusectl
	udf
	xfs
	f2fs
nodev	pstore
nodev	aufs
nodev	mqueue
	btrfs
#
```

@netblue30 commented on GitHub (Oct 6, 2017):

Until we figure out what's going on, as root user open /etc/firejail/globals.local in a text editor and add "ignore private-tmp" to that file. This will disable private-tmp globally.


@step- commented on GitHub (Oct 6, 2017):

OK, thank you. This is a better temporary fix than patching all the *.profile files in /etc/firejail.


@netblue30 commented on GitHub (Oct 6, 2017):

The file is included in all profiles, so it should do the job.


@jplien commented on GitHub (Oct 12, 2017):

Not sure if it's the same bug, but my /tmp is a symlink, and firejail recently started failing with:
```
Error: invalid whitelist path /tmp/.X11-unix
```

The workaround above resolved the problem for me. Maybe also related to #744 about blacklisting a symlink?


@chiraag-nataraj commented on GitHub (Jan 8, 2018):

Hmm, is this bug still valid? I actually do the same thing the OP does (mount /tmp as a tmpfs), but my firejail works fine with private-tmp. @step- and @jplien, is this still an issue?


@jplien commented on GitHub (Jan 9, 2018):

I just updated to 0.9.52 (Debian testing) and when I comment out "ignore private-tmp" in globals.local, it fails to start firefox.

If I run with --debug I get:
```
Error: invalid whitelist path /tmp/.X11-unix
```

In my case / is my SSD, and /tmp is a symlink to my HDD (ext4) which is mounted under /mnt/.


@chiraag-nataraj commented on GitHub (Jan 9, 2018):

Does /tmp/.X11-unix exist?


@jplien commented on GitHub (Jan 9, 2018):

Yes

```
jplien@argos:~$ ls -ld /tmp/.X11-unix/
drwxrwxrwt 2 root root 4096 Jan 8 21:11 /tmp/.X11-unix/
```


@Fred-Barclay commented on GitHub (Jan 9, 2018):

@jplien Does the line disable-mnt exist in globals.local or your firefox profile?


@jplien commented on GitHub (Jan 9, 2018):

I did a grep and it is in some profiles but not in firefox or firefox-esr. I checked all of the files in this list:

```
Found firefox-esr profile in /etc/firejail directory
Reading profile /etc/firejail/firefox-esr.profile
Reading profile /etc/firejail/globals.local
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/globals.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
```


@step- commented on GitHub (Jan 9, 2018):

@chiraag-nataraj , it seems @jplien is on to something. This is my debug log for commit f66ea88:

```
# firejail --noprofile --private-tmp --debug echo OK
Autoselecting /bin/sh as shell
Building quoted command line: 'echo' 'OK' 
Command name #echo#
DISPLAY=:0 parsed as 0
Enabling IPC namespace
Using the local network stack
Parent pid 20675, child pid 20676
The new log directory is /proc/20676/root/var/log
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp.postexec file
Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr, /etc, /var
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Create the new utmp file
Mount the new utmp file
Remounting /proc and /proc/sys filesystems
Remounting /sys directory
Disable /sys/firmware
Disable /sys/module
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/uevent_helper
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/kernel/hotplug
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/config.gz
Disable /proc/timer_list
Disable /proc/kallsyms
Disable /lib/modules
Disable /dev/port
Debug 393: new_name #/tmp/.X11-unix#, whitelist
Mounting tmpfs on /tmp directory
Error mount tmpfs: fs_whitelist.c:859 fs_whitelist: No such file or directory
Error: proc 20675 cannot sync with peer: unexpected EOF
Peer 20676 unexpectedly exited with status 1
```

and in /tmp

```
# find /tmp/.X11-unix -ls
  1022    0 drwxrwxrwt   2 root     root           60 Jan  9 18:33 /tmp/.X11-unix
  1023    0 srwxrwxrwx   1 root     root            0 Jan  9 18:33 /tmp/.X11-unix/X0
# file /tmp/.X11-unix/X0
/tmp/.X11-unix/X0: socket
```

I guess the socket file triggers the error in fs_whitelist.c:859.


@chiraag-nataraj commented on GitHub (Jul 15, 2018):

@step- Nah, the socket shouldn't trigger that error. I have the same socket and everything works fine. Is your /tmp also symlinked to somewhere in /mnt?

@jplien Do you happen to have disable-mnt enabled in /etc/firejail/firejail.config?


@step- commented on GitHub (Jul 16, 2018):

@chiraag-nataraj
Yes, my /tmp is mounted on /mnt.
My distro, Fatdog64, mounts /tmp as a tmpfs in RAM. It's the default setup OOTB.


@chiraag-nataraj commented on GitHub (Jul 16, 2018):

@step- Mine's also a tmpfs (Debian), but that doesn't really imply it's mounted in /mnt... Anyway, can you do the same checks we asked @jplien to do? So either disable-mnt in the profile file(s) or disable-mnt in firejail.config? Meanwhile, I'll download Fatdog64 and give it a whirl.


@step- commented on GitHub (Jul 16, 2018):

@chiraag-nataraj oops, you're right, it's tmpfs but it isn't mounted on /tmp. It's tmpfs on /tmp type tmpfs (rw,relatime). So I'm not going to do the same checks you asked jplien. Waiting for further instructions.


@smitsohu commented on GitHub (Jul 16, 2018):

Can someone please run firejail --private-tmp --debug-whitelists?

EDIT: Just realized it's already there:

```
Debug 393: new_name #/tmp/.X11-unix#, whitelist
Mounting tmpfs on /tmp directory
Error mount tmpfs: fs_whitelist.c:859 fs_whitelist: No such file or directory
```

@step- commented on GitHub (Jul 16, 2018):

@smitsohu

```
# firejail --noprofile --private-tmp --debug-whitelists
Parent pid 22130, child pid 22131
The new log directory is /proc/22131/root/var/log
Debug 449: new_name #/tmp/.X11-unix#, whitelist
real path /tmp/.X11-unix
Mounting tmpfs on /tmp directory
Error mount tmpfs: fs_whitelist.c:966 fs_whitelist: No such file or directory
Error: proc 22130 cannot sync with peer: unexpected EOF
Peer 22131 unexpectedly exited with status 1
```

@chiraag-nataraj commented on GitHub (Jul 22, 2018):

Hmmm, my X11 socket is owned by my user, not root:

```
$ find /tmp/.X11-unix/ -ls
     9961      0 drwxrwxrwt   2 root     root           60 Jul 22 10:57 /tmp/.X11-unix/
    19735      0 srwxrwxrwx   1 chiraag  chiraag         0 Jul 22 10:57 /tmp/.X11-unix/X0
```

@step- commented on GitHub (Jul 22, 2018):

```
# find /tmp/.X11-unix/ -ls
  1105    0 drwxrwxrwt   2 root     root           60 Jul 22 21:03 /tmp/.X11-unix/
  1106    0 srwxrwxrwx   1 root     root            0 Jul 22 21:03 /tmp/.X11-unix/X0
```

Mine is owned by root because root is my $USER and real identity. Fatdog64 is a sudo-less GNU/Linux multi-user system, but the default user is root and everyone is encouraged to run as root.
There exists a regular user named 'spot', which I use to run browsers and other network programs. I tried running firejail as user spot without success. The terminal transcript follows.

```
# run-as-spot firejail --noprofile --private-tmp echo OK
Error: the user is not allowed to use Firejail. Please add the user in /etc/firejail/firejail.users file, either by running "sudo firecfg", or by editing the file directly.
See "man firejail-users" for more details.
# firecfg
Removing all firejail symlinks:

Configuring symlinks in /usr/local/bin based on firecfg.config
   Xephyr created
   cherrytree created
   cvlc created
   dnsmasq created
8< --- snip snip --- 8<
   vlc created
   wget created
   xpra created
Error: cannot detect login user in order to set desktop files in ~/.local/share/applications
# man firejail-users
# cat /etc/firejail/firejail.users
cat: /etc/firejail/firejail.users: No such file or directory
# echo spot > /etc/firejail/firejail.users
# su spot
spot$  firejail --noprofile --private-tmp echo OK
Error: the user is not allowed to use Firejail. Please add the user in /etc/firejail/firejail.users file, either by running "sudo firecfg", or by editing the file directly.
See "man firejail-users" for more details.
spot$ cat /etc/firejail/firejail.users
spot
spot$
```

So, several issues involving user detection on my system...


@chiraag-nataraj commented on GitHub (Jul 22, 2018):

Hmm, interesting. How did you install firejail? Compile from source?


@step- commented on GitHub (Jul 22, 2018):

Yes, I built 2bea8f6 from git source. The build recipe essentially does

```sh
./configure --prefix=/usr --libdir=/usr/lib64 &&
	make &&
	make install-strip
```

and adds /etc/firejail/globals.local, which reads:

```
# private-tmp directive doesn't work for Fatdog64
# https://github.com/netblue30/firejail/issues/1590
ignore private-tmp
```

@jplien commented on GitHub (Jul 24, 2018):

Yes disable-mnt is set in firefox-common.profile for me.


@chiraag-nataraj commented on GitHub (Jul 24, 2018):

@jplien Try commenting out disable-mnt and your issue should be resolved (hopefully).


@chiraag-nataraj commented on GitHub (Aug 19, 2018):

@jplien Were you able to try commenting out disable-mnt?


@chiraag-nataraj commented on GitHub (May 20, 2019):

Is this still an issue for @step- and/or @jplien?


@step- commented on GitHub (May 22, 2019):

@chiraag-nataraj, yes, it is still an issue, and now there's an error message even if I add ignore private-tmp to /etc/firejail/globals.local.

I compiled the latest commit 43cbc6d.

```sh
# mv /etc/firejail/globals.local{,-SUSPENDED}

# firejail --noprofile --private-tmp echo OK
Parent pid 10622, child pid 10623
The new log directory is /proc/10623/root/var/log
Error mount tmpfs: fs_whitelist.c:994 fs_whitelist: No such file or directory
Error: proc 10622 cannot sync with peer: unexpected EOF
Peer 10623 unexpectedly exited with status 1

# firejail --noprofile echo OK
Parent pid 10698, child pid 10699
The new log directory is /proc/10699/root/var/log
Child process initialized in 32.89 ms
OK

Parent is shutting down, bye...

# uname -r
4.19.44

# firejail --version
firejail version 0.9.60~rc2

Compile time support:
        - AppArmor support is disabled
        - AppImage support is enabled
        - chroot support is enabled
        - file and directory whitelisting support is enabled
        - file transfer support is enabled
        - networking support is enabled
        - overlayfs support is enabled
        - private-home support is enabled
        - seccomp-bpf support is enabled
        - user namespace support is enabled
        - X11 sandboxing support is enabled

# firejail --noprofile --private-tmp --debug echo OK
Autoselecting /bin/sh as shell
Building quoted command line: 'echo' 'OK' 
Command name #echo#
DISPLAY=:0 parsed as 0
Enabling IPC namespace
Using the local network stack
Parent pid 10909, child pid 10910
The new log directory is /proc/10910/root/var/log
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Basic read-only filesystem:
Mounting read-only /etc
Mounting read-only /var
Mounting read-only /bin
Mounting read-only /sbin
Mounting read-only /lib
Mounting read-only /lib64
Mounting read-only /usr
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Create the new utmp file
Mount the new utmp file
Remounting /proc and /proc/sys filesystems
Remounting /sys directory
Disable /sys/firmware
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/uevent_helper
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/kernel/hotplug
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/config.gz
Disable /proc/timer_list
Disable /proc/kallsyms
Disable /lib/modules
Disable /dev/port
Debug 409: new_name #/tmp/.X11-unix#, whitelist
Mounting tmpfs on /tmp directory
Whitelisting /tmp/.X11-unix
Debug 226: skip whitelisting of /tmp/.X11-unix
Error mount tmpfs: fs_whitelist.c:994 fs_whitelist: No such file or directory
Error: proc 10909 cannot sync with peer: unexpected EOF
Peer 10910 unexpectedly exited with status 1

# ls -ld /tmp/.X11-unix/
drwxrwxrwt 2 root root 60 May 22 12:19 /tmp/.X11-unix/

# cat /etc/firejail/globals.local-SUSPENDED
ignore private-tmp

# mv /etc/firejail/globals.local{-SUSPENDED,} 

# firejail --noprofile --private-tmp --debug echo OK
Autoselecting /bin/sh as shell
Building quoted command line: 'echo' 'OK' 
Command name #echo#
DISPLAY=:0 parsed as 0
Enabling IPC namespace
Using the local network stack
Parent pid 11087, child pid 11091
The new log directory is /proc/11091/root/var/log
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Basic read-only filesystem:
Mounting read-only /etc
Mounting read-only /var
Mounting read-only /bin
Mounting read-only /sbin
Mounting read-only /lib
Mounting read-only /lib64
Mounting read-only /usr
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Create the new utmp file
Mount the new utmp file
Remounting /proc and /proc/sys filesystems
Remounting /sys directory
Disable /sys/firmware
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/uevent_helper
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/kernel/hotplug
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/config.gz
Disable /proc/timer_list
Disable /proc/kallsyms
Disable /lib/modules
Disable /dev/port
Debug 409: new_name #/tmp/.X11-unix#, whitelist
Mounting tmpfs on /tmp directory
Whitelisting /tmp/.X11-unix
Debug 226: skip whitelisting of /tmp/.X11-unix
Error mount tmpfs: fs_whitelist.c:994 fs_whitelist: No such file or directory
Error: proc 11087 cannot sync with peer: unexpected EOF
Peer 11091 unexpectedly exited with status 1
```

<!-- gh-comment-id:494761072 --> @step- commented on GitHub (May 22, 2019): @chiraag-nataraj, yes, it is still an issue, and now there's an error message even if I add `ignore private-tmp` to /etc/firejail/globals.local. I compiled the latest commit 43cbc6d. ```sh # mv /etc/firejail/globals.local{,-SUSPENDED} # firejail --noprofile --private-tmp echo OK Parent pid 10622, child pid 10623 The new log directory is /proc/10623/root/var/log Error mount tmpfs: fs_whitelist.c:994 fs_whitelist: No such file or directory Error: proc 10622 cannot sync with peer: unexpected EOF Peer 10623 unexpectedly exited with status 1 # firejail --noprofile echo OK Parent pid 10698, child pid 10699 The new log directory is /proc/10699/root/var/log Child process initialized in 32.89 ms OK Parent is shutting down, bye... # uname -r 4.19.44 # firejail --version firejail version 0.9.60~rc2 Compile time support: - AppArmor support is disabled - AppImage support is enabled - chroot support is enabled - file and directory whitelisting support is enabled - file transfer support is enabled - networking support is enabled - overlayfs support is enabled - private-home support is enabled - seccomp-bpf support is enabled - user namespace support is enabled - X11 sandboxing support is enabled # firejail --noprofile --private-tmp --debug echo OK Autoselecting /bin/sh as shell Building quoted command line: 'echo' 'OK' Command name #echo# DISPLAY=:0 parsed as 0 Enabling IPC namespace Using the local network stack Parent pid 10909, child pid 10910 The new log directory is /proc/10910/root/var/log Initializing child process Host network configured PID namespace installed Mounting tmpfs on /run/firejail/mnt directory Creating empty /run/firejail/mnt/seccomp directory Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file Basic read-only filesystem: Mounting read-only /etc Mounting read-only /var Mounting read-only /bin Mounting read-only 
/sbin
Mounting read-only /lib
Mounting read-only /lib64
Mounting read-only /usr
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Create the new utmp file
Mount the new utmp file
Remounting /proc and /proc/sys filesystems
Remounting /sys directory
Disable /sys/firmware
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/uevent_helper
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/kernel/hotplug
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/config.gz
Disable /proc/timer_list
Disable /proc/kallsyms
Disable /lib/modules
Disable /dev/port
Debug 409: new_name #/tmp/.X11-unix#, whitelist
Mounting tmpfs on /tmp directory
Whitelisting /tmp/.X11-unix
Debug 226: skip whitelisting of /tmp/.X11-unix
Error mount tmpfs: fs_whitelist.c:994 fs_whitelist: No such file or directory
Error: proc 10909 cannot sync with peer: unexpected EOF
Peer 10910 unexpectedly exited with status 1
# ls -ld /tmp/.X11-unix/
drwxrwxrwt 2 root root 60 May 22 12:19 /tmp/.X11-unix/
# cat /etc/firejail/globals.local-SUSPENDED
ignore private-tmp
# mv /etc/firejail/globals.local{-SUSPENDED,}
# firejail --noprofile --private-tmp --debug echo OK
Autoselecting /bin/sh as shell
Building quoted command line: 'echo' 'OK'
Command name #echo#
DISPLAY=:0 parsed as 0
Enabling IPC namespace
Using the local network stack
Parent pid 11087, child pid 11091
The new log directory is /proc/11091/root/var/log
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Basic read-only filesystem:
Mounting read-only /etc
Mounting read-only /var
Mounting read-only /bin
Mounting read-only /sbin
Mounting read-only /lib
Mounting read-only /lib64
Mounting read-only /usr
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Create the new utmp file
Mount the new utmp file
Remounting /proc and /proc/sys filesystems
Remounting /sys directory
Disable /sys/firmware
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/uevent_helper
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/kernel/hotplug
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/config.gz
Disable /proc/timer_list
Disable /proc/kallsyms
Disable /lib/modules
Disable /dev/port
Debug 409: new_name #/tmp/.X11-unix#, whitelist
Mounting tmpfs on /tmp directory
Whitelisting /tmp/.X11-unix
Debug 226: skip whitelisting of /tmp/.X11-unix
Error mount tmpfs: fs_whitelist.c:994 fs_whitelist: No such file or directory
Error: proc 11087 cannot sync with peer: unexpected EOF
Peer 11091 unexpectedly exited with status 1
```
@chiraag-nataraj commented on GitHub (May 22, 2019):

Can I see the output of `findmnt`?

@smitsohu commented on GitHub (May 22, 2019):

@jplien @step- Whitelisting in symlinked top level directories (like /tmp in your case) is not allowed in most cases. #2041 should address this in the future, but we are not there yet.

@step-

> Debug 226: skip whitelisting of /tmp/.X11-unix

This makes me think there is a symbolic link somewhere.

> and now there's an error message even if I add ignore private-tmp to /etc/firejail/globals.local.

That's because of `--noprofile`

@chiraag-nataraj Confusingly the mounting on `/run/firejail/mnt/orig-tmp` apparently first succeeds here
https://github.com/netblue30/firejail/blob/43cbc6d5f59ddabef7e83d3dd78a5c9db06c4525/src/firejail/fs_whitelist.c#L725-L730

only to fail a little later with `No such file or directory`
https://github.com/netblue30/firejail/blob/43cbc6d5f59ddabef7e83d3dd78a5c9db06c4525/src/firejail/fs_whitelist.c#L993-L994

@step- commented on GitHub (May 22, 2019):

@chiraag-nataraj

> Can I see the output of `findmnt`?

```
# findmnt 
TARGET                       SOURCE                  FSTYPE   OPTIONS
/                            aufs                    aufs     rw,relatime,si=f17293007f47e3d0
├─/proc                      proc                    proc     rw,relatime
├─/sys                       sysfs                   sysfs    rw,relatime
│ ├─/sys/fs/cgroup           cgroup                  cgroup   rw,relatime,cpuset,cpu,cpuacct,blkio,memory,devices,freezer,net_cls,perf_event,net_prio,pids
│ └─/sys/fs/fuse/connections fusectl                 fusectl  rw,relatime
├─/dev                       devtmpfs                devtmpfs rw,relatime,size=8202780k,nr_inodes=2050695,mode=755
│ ├─/dev/pts                 devpts                  devpts   rw,relatime,gid=3,mode=620,ptmxmode=000
│ └─/dev/shm                 tmpfs                   tmpfs    rw,relatime,mode=777
├─/aufs/pup_init             tmpfs                   tmpfs    ro,relatime,mode=755
├─/aufs/kernel-modules       /dev/loop0              squashfs ro,relatime
├─/aufs/devbase              /dev/sdb2               ext4     rw,relatime,block_validity,delalloc,barrier,user_xattr
├─/aufs/pup_ro               /dev/loop1              squashfs ro,relatime
├─/aufs/devsave              /dev/sdb2               ext4     rw,relatime,block_validity,delalloc,barrier,user_xattr
├─/aufs/pup_save             /dev/sdb2[/os-fd64-803/fd64save]
│                                                    ext4     rw,relatime,block_validity,delalloc,barrier,user_xattr
├─/aufs/pup_rw               tmpfs                   tmpfs    rw,relatime,mode=755,gid=500
├─/tmp                       tmpfs                   tmpfs    rw,relatime
├─/mnt/sdb2                  /dev/sdb2               ext4     rw,relatime,block_validity,delalloc,barrier,user_xattr
│ └─/mnt/sdb2                /dev/sdb2               ext4     rw,relatime,block_validity,delalloc,barrier,user_xattr
├─/aufs/pup_ro10             /dev/loop10             squashfs ro,relatime
├─/aufs/pup_ro11             /dev/loop11             squashfs ro,relatime
├─/aufs/pup_ro12             /dev/loop12             squashfs ro,relatime
├─/aufs/pup_ro13             /dev/loop13             squashfs ro,relatime
├─/mnt/FDOG                  /dev/sdg1               ext4     rw,relatime
├─/mnt/LxData                /dev/sdg1[/lxdata]      ext4     rw,relatime
├─/mnt/S                     /dev/sdg1[/s]           ext4     rw,relatime
├─/aufs/pup_ro14             /dev/loop14             squashfs ro,relatime
├─/aufs/pup_ro15             /dev/loop15             squashfs ro,relatime
├─/aufs/pup_ro16             /dev/loop16             squashfs ro,relatime
├─/aufs/pup_ro17             /dev/loop17             squashfs ro,relatime
└─/aufs/pup_ro18             /dev/loop18             squashfs ro,relatime
```
@step- commented on GitHub (May 22, 2019):

@smitsohu

> @step-
>
> > and now there's an error message even if I add ignore private-tmp to /etc/firejail/globals.local.
>
> That's because of `--noprofile`

Even without `--noprofile`

```sh
# cat /etc/firejail/globals.local 
ignore private-tmp

# firejail --private-tmp echo OK
Reading profile /etc/firejail/server.profile
Reading profile /etc/firejail/globals.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc

** Note: you can use --noprofile to disable server.profile **

Parent pid 19620, child pid 19621
The new log directory is /proc/19621/root/var/log
Error mount tmpfs: fs_whitelist.c:994 fs_whitelist: No such file or directory
Error: proc 19620 cannot sync with peer: unexpected EOF
Peer 19621 unexpectedly exited with status 1
```
@smitsohu commented on GitHub (May 22, 2019):

> Even without --noprofile

Ah right, there is a second reason. Profiles are parsed after the command line options. This means if you want to skip a command line option, the corresponding `--ignore=` must be present on the command line.

@chiraag-nataraj commented on GitHub (May 23, 2019):

> @chiraag-nataraj
>
> > Can I see the output of `findmnt`?
>
> ```
> # findmnt 
> TARGET                       SOURCE                  FSTYPE   OPTIONS
> /                            aufs                    aufs     rw,relatime,si=f17293007f47e3d0
> ├─/proc                      proc                    proc     rw,relatime
> ├─/sys                       sysfs                   sysfs    rw,relatime
> │ ├─/sys/fs/cgroup           cgroup                  cgroup   rw,relatime,cpuset,cpu,cpuacct,blkio,memory,devices,freezer,net_cls,perf_event,net_prio,pids
> │ └─/sys/fs/fuse/connections fusectl                 fusectl  rw,relatime
> ├─/dev                       devtmpfs                devtmpfs rw,relatime,size=8202780k,nr_inodes=2050695,mode=755
> │ ├─/dev/pts                 devpts                  devpts   rw,relatime,gid=3,mode=620,ptmxmode=000
> │ └─/dev/shm                 tmpfs                   tmpfs    rw,relatime,mode=777
> ├─/aufs/pup_init             tmpfs                   tmpfs    ro,relatime,mode=755
> ├─/aufs/kernel-modules       /dev/loop0              squashfs ro,relatime
> ├─/aufs/devbase              /dev/sdb2               ext4     rw,relatime,block_validity,delalloc,barrier,user_xattr
> ├─/aufs/pup_ro               /dev/loop1              squashfs ro,relatime
> ├─/aufs/devsave              /dev/sdb2               ext4     rw,relatime,block_validity,delalloc,barrier,user_xattr
> ├─/aufs/pup_save             /dev/sdb2[/os-fd64-803/fd64save]
> │                                                    ext4     rw,relatime,block_validity,delalloc,barrier,user_xattr
> ├─/aufs/pup_rw               tmpfs                   tmpfs    rw,relatime,mode=755,gid=500
> ├─/tmp                       tmpfs                   tmpfs    rw,relatime
> ├─/mnt/sdb2                  /dev/sdb2               ext4     rw,relatime,block_validity,delalloc,barrier,user_xattr
> │ └─/mnt/sdb2                /dev/sdb2               ext4     rw,relatime,block_validity,delalloc,barrier,user_xattr
> ├─/aufs/pup_ro10             /dev/loop10             squashfs ro,relatime
> ├─/aufs/pup_ro11             /dev/loop11             squashfs ro,relatime
> ├─/aufs/pup_ro12             /dev/loop12             squashfs ro,relatime
> ├─/aufs/pup_ro13             /dev/loop13             squashfs ro,relatime
> ├─/mnt/FDOG                  /dev/sdg1               ext4     rw,relatime
> ├─/mnt/LxData                /dev/sdg1[/lxdata]      ext4     rw,relatime
> ├─/mnt/S                     /dev/sdg1[/s]           ext4     rw,relatime
> ├─/aufs/pup_ro14             /dev/loop14             squashfs ro,relatime
> ├─/aufs/pup_ro15             /dev/loop15             squashfs ro,relatime
> ├─/aufs/pup_ro16             /dev/loop16             squashfs ro,relatime
> ├─/aufs/pup_ro17             /dev/loop17             squashfs ro,relatime
> └─/aufs/pup_ro18             /dev/loop18             squashfs ro,relatime
> ```

Okay, so `/tmp` isn't a symlink. If `/tmp/.X11-unix` isn't a symbolic link either, I'm very confused. Just to confirm, can you do an `ls -lh /tmp/.X11-unix` and report back with the output?

@jplien commented on GitHub (May 23, 2019):

I was still having problems with /tmp in firejail as of today. This thread spurred me to do something I'd been meaning to do for a long time: switch /tmp from a symlink to a bind mount. This seems to have resolved the issues I was having. I was able to remove ignore private-tmp from globals.local and it starts just fine now.

@step- commented on GitHub (May 23, 2019):

@smitsohu

> @jplien @step- Whitelisting in symlinked top level directories (like /tmp in your case) is not allowed in most cases. #2041 should address this in the future, but we are not there yet.

I'm not sure why you think that my /tmp is symlinked. This is what I have:

```sh
# ls -ld /tmp
drwxrwxrwt 16 root root 900 May 23 08:10 /tmp
# readlink -f /tmp
/tmp
```
@chiraag-nataraj commented on GitHub (May 23, 2019):

@step- How about `readlink -f /tmp/.X11-unix`?

@step- commented on GitHub (May 23, 2019):

> @step- How about `readlink -f /tmp/.X11-unix`?

```sh
# readlink -f /tmp/.X11-unix
/tmp/.X11-unix
```
@chiraag-nataraj commented on GitHub (May 23, 2019):

> I'm not sure why you think that my /tmp is symlinked. This is what I have:

Looking at the code in `fs_whitelist.c`, the "skip whitelisting of " lines come about when either:

  1. The mount point doesn't exist.
  2. The mount point is a symbolic link.

Question: Is your `/run/` directory a symlink to anywhere?

@step- commented on GitHub (May 23, 2019):

Yes, it is

```sh
# ls -ld /run
lrwxrwxrwx 1 root root 3 May 21 22:26 /run -> tmp
```
@chiraag-nataraj commented on GitHub (May 23, 2019):

I think that's what's causing the issue...`firejail` stores the original stuff in `/run/firejail/<blah>`, and...well...it can't really do that in your case. You should mount it as a separate `tmpfs` (not symlink it) and you should be fine.

@smitsohu commented on GitHub (May 24, 2019):

Also quoting the [FHS](https://refspecs.linuxfoundation.org/FHS_3.0/fhs-3.0.pdf)

> /run should not be writable for unprivileged users; it is a major security problem if any user can write in this directory.

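A small layout check for the condition diagnosed in the two comments above (a `/run` that is a symlink into `/tmp`, and the FHS point that `/run` must not be world-writable). This is an added example, not firejail's own code: it classifies `/run` and `/tmp` by the properties the whitelist code cares about (missing, symlink, separate mount, plain directory) and returns non-zero when `/run` is a symlink or writable by everyone. The function names and the optional ROOT argument are this example's own; ROOT only exists so the check can be exercised on a constructed directory tree instead of the live root.

```shell
#!/bin/sh
# Layout check for the failure discussed in this thread. Added example, not
# firejail's own code: firejail keeps its private copies under /run/firejail,
# so a /run that is a symlink (here /run -> tmp) makes --private-tmp fail, and
# a world-writable /run is the FHS problem quoted above. ROOT defaults to "/";
# another ROOT is only used to exercise the check on a constructed tree.

# classify PATH: prints "symlink -> TARGET", "missing", "other", "mountpoint"
# or "directory" (first match wins, so a symlink is reported as a symlink
# even when its target is a separate mount).
classify() {
    p=$1
    if [ -L "$p" ]; then
        printf 'symlink -> %s\n' "$(readlink "$p")"
    elif [ ! -e "$p" ]; then
        echo missing
    elif [ ! -d "$p" ]; then
        echo other
    elif [ "$(stat -c %d "$p")" != "$(stat -c %d "$p/..")" ]; then
        # a different device number than the parent means a separate
        # filesystem is mounted here (a tmpfs /tmp shows up this way);
        # a bind mount from the same device is reported as "directory"
        echo mountpoint
    else
        echo directory
    fi
}

# world_writable PATH: true when the "other" write bit is set. Symlinks are
# followed, so /run -> tmp inherits the 1777 mode of /tmp.
world_writable() {
    [ -e "$1" ] || return 1
    case $(stat -L -c %A "$1") in
        ????????w*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_layout [ROOT]: prints one line per directory and returns 1 when /run
# under ROOT is a symlink, missing, not a directory, or world-writable.
# /tmp is only reported for context; it is expected to be mode 1777.
check_layout() {
    root=${1:-/}
    root=${root%/}          # "/" becomes "", so "$root/run" is "/run"
    rc=0
    for d in run tmp; do
        kind=$(classify "$root/$d")
        printf '%-4s %s' "/$d" "$kind"
        if world_writable "$root/$d"; then
            printf ' (world-writable)'
        fi
        echo
        if [ "$d" = run ]; then
            case $kind in
                symlink*|missing|other) rc=1 ;;
            esac
            if world_writable "$root/$d"; then
                rc=1
            fi
        fi
    done
    return "$rc"
}

# Run against the live system only when executed as check_layout.sh;
# sourcing the file just defines the functions.
case ${0##*/} in
    check_layout.sh) check_layout "${1:-/}" ;;
esac
```

Saved as `check_layout.sh` and run with `sh check_layout.sh`, on the Fatdog64 layout shown in this thread it prints `/run symlink -> tmp (world-writable)` and exits 1, which is exactly the layout the maintainers say firejail cannot work with; once `/run` is a separate tmpfs mount with mode 755 the check exits 0.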
@step- commented on GitHub (May 24, 2019):

@chiraag-nataraj @smitsohu Thank you for providing an explanation of this issue, and for the FHS quote. Fatdog64 is designed as a non-sudo GNU Linux, so its view of security is different from the mainstream view, see [Fatdog64 FAQ](http://distro.ibiblio.org/fatdog/web/faqs/login.html). I will ponder your recommendations and extend them to the Fatdog64 dev team for comments. Thank you again.

@chiraag-nataraj commented on GitHub (May 24, 2019):

No problem! I'll go ahead and close this issue since it seems we (finally!) figured out what was going on. If you're still running into the problem after un-symlinking `/run`, please feel free to re-open and we'll do some further debugging :)
