[GH-ISSUE #1640] valgrind not working inside firejail #1104

Closed
opened 2026-05-05 07:27:31 -06:00 by gitea-mirror · 5 comments

Originally created by @sigttou on GitHub (Nov 10, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1640

Hi all,

tried to run a binary inside firejail with valgrind attached to it.

```
$ firejail valgrind binaries/17164
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-passwdmgr.inc

** Note: you can use --noprofile to disable default.profile **

Parent pid 18138, child pid 18139
Child process initialized
==2== Memcheck, a memory error detector
==2== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==2== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==2== Command: binaries/17164
==2==

valgrind:  Fatal error at startup: a function redirection
valgrind:  which is mandatory for this platform-tool combination
valgrind:  cannot be set up.  Details of the redirection are:
valgrind:
valgrind:  A must-be-redirected function
valgrind:  whose name matches the pattern:      strlen
valgrind:  in an object with soname matching:   ld-linux-x86-64.so.2
valgrind:  was not found whilst processing
valgrind:  symbols from the object with soname: ld-linux-x86-64.so.2
valgrind:
valgrind:  Possible fixes: (1, short term): install glibc's debuginfo
valgrind:  package on this machine.  (2, longer term): ask the packagers
valgrind:  for your Linux distribution to please in future ship a non-
valgrind:  stripped ld.so (or whatever the dynamic linker .so is called)
valgrind:  that exports the above-named function using the standard
valgrind:  calling conventions for this platform.  The package you need
valgrind:  to install for fix (1) is called
valgrind:
valgrind:    On Debian, Ubuntu:                 libc6-dbg
valgrind:    On SuSE, openSuSE, Fedora, RHEL:   glibc-debuginfo
valgrind:
valgrind:  Note that if you are debugging a 32 bit process on a
valgrind:  64 bit system, you will need a corresponding 32 bit debuginfo
valgrind:  package (e.g. libc6-dbg:i386).
valgrind:
valgrind:  Cannot continue -- exiting now.  Sorry.


Parent is shutting down, bye...
```

Does anyone have an idea how I could get this to work? Tried white-listing `ld-linux-x86-64.so.2` already.


@SkewedZeppelin commented on GitHub (Nov 10, 2017):

The default profile enables `seccomp`. Firejail's default seccomp blacklist prevents the use of many debugging-related syscalls. As valgrind is a debugger, without those syscalls it is useless.

What you can do is the following:

```
mkdir -p ~/.config/firejail
cp /etc/firejail/default.profile ~/.config/firejail/valgrind.profile
sed -i 's/seccomp/#seccomp/' ~/.config/firejail/valgrind.profile
```

Then run `firejail valgrind [binary]`.
Optionally run `sudo firecfg` to enable that profile by default so you don't need to prepend `firejail ` every time.

Optionally you can further refine that profile and create a pull request to upstream it for everyone else.


@smitsohu commented on GitHub (Nov 10, 2017):

Would it work with `seccomp @default`, excluding only the two syscalls `ptrace` and `process_vm_readv`?


@sigttou commented on GitHub (Nov 10, 2017):

@SpotComms tried that, but keeps giving me the same error.

Even when I use `--noprofile` it gives me the same error.

As soon as I figure it out I will create a pull request.


@netblue30 commented on GitHub (Nov 10, 2017):

On simple programs just a `--allow-debuggers` should work:

```
firejail --allow-debuggers valgrind ./a.out
```

@sigttou commented on GitHub (Nov 10, 2017):

Thanks, that resolved the issue for me.

Should have read the man page more carefully there.
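
The thread turns on whether seccomp is what stops valgrind, and the reporter saw the same error with `--noprofile`. As an added example (not from the thread or the firejail project), this script reports which of the directives discussed above a profile enables and reads the seccomp mode from a `/proc/<pid>/status` dump; the function names and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only checks, nothing here modifies a profile.

# profile_policy: read a firejail profile on stdin and report whether an
# uncommented seccomp directive (seccomp, seccomp.drop, seccomp.keep, ...)
# and an allow-debuggers directive are present. Includes are not followed.
profile_policy() {
    awk '
        BEGIN { sc = "off"; dbg = "off" }
        /^[[:space:]]*#/        { next }       # "#seccomp" left by the sed edit
        $1 ~ /^seccomp(\.|$)/   { sc = "on" }
        $1 == "allow-debuggers" { dbg = "on" }
        END { printf "seccomp=%s allow-debuggers=%s\n", sc, dbg }
    '
}

# seccomp_mode: read /proc/<pid>/status text on stdin and name the kernel's
# seccomp mode for that process. The trailing colon in the pattern keeps the
# separate "Seccomp_filters:" line of newer kernels from being picked up.
seccomp_mode() {
    awk '
        /^Seccomp:/ { m = $2 }
        END {
            if (m == "0")      print "disabled"
            else if (m == "1") print "strict"
            else if (m == "2") print "filter"
            else               print "unknown"
        }
    '
}

# Constructed sample: a profile after the sed edit from the thread.
SAMPLE_PROFILE='include /etc/firejail/disable-common.inc
#seccomp
caps.drop all'

# Constructed sample: status lines of a process running under a filter.
SAMPLE_STATUS='Name:   cat
Seccomp:        2
Seccomp_filters:        1'

printf '%s\n' "$SAMPLE_PROFILE" | profile_policy
printf '%s\n' "$SAMPLE_STATUS"  | seccomp_mode
```

To check a live sandbox, pipe the output of `cat /proc/self/status` run inside it into `seccomp_mode`.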
