[GH-ISSUE #1644] strange nested loop in firejail 0.9.50 when trying to use it as login-shell #1105

Closed
opened 2026-05-05 07:27:41 -06:00 by gitea-mirror · 14 comments

Originally created by @lowshoe on GitHub (Nov 13, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1644

trying to use firejail as login-shell. that worked perfectly in 0.9.44.10 but now breaks with an error. possibly related to #1326.

root@myhostname:~$ cat /etc/os-release
NAME="Oracle Linux Server"
VERSION="7.4

root@myhostname:~$ uname -a
Linux myhostname 4.1.12-103.9.2.el7uek.x86_64 #2 SMP Tue Oct 31 16:43:46 PDT 2017 x86_64 x86_64 x86_64 GNU/Linux

root@myhostname:~$ grep firejail /etc/passwd
myuser:x:1002:1002::/home/myuser:/bin/firejail

root@myhostname:~$ su -l myuser
Letzte Anmeldung: Montag, den 13. November 2017, 14:30:19 CET auf pts/2
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc

** Note: you can use --noprofile to disable default.profile **

Parent pid 5181, child pid 5182
Child process initialized in 35.22 ms
Warning: an existing sandbox was detected. -l will run without any additional sandboxing features
Warning: an existing sandbox was detected. '-l'  will run without any additional sandboxing features
[..]
'"' '"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"' '"'"'"'"'"'"'"'"' '"'"' '  will run without any additional sandboxing features
Error cmdline_length: cmdline.c:145 build_cmdline: Argument list too long

Parent is shutting down, bye...

the same happens when i try to access the host through ssh with the same user. I also tried with firejail-0.9.48 but the error is the same.

gitea-mirror 2026-05-05 07:27:41 -06:00
  • closed this issue
  • added the bug label

@netblue30 commented on GitHub (Nov 18, 2017):

We've seen this one coming and going, definitely a bug!


@chiraag-nataraj commented on GitHub (Jul 15, 2018):

Is this still an issue on 0.9.54?


@lowshoe commented on GitHub (Aug 8, 2018):

just tested with ssh. unfortunately yes.

ssh user@host
user@host's password: 
Last login: Wed Aug  8 13:43:15 2018 from myworkstation
Warning: an existing sandbox was detected. -l will run without any additional sandboxing features
Warning: an existing sandbox was detected. '-l'  will run without any additional sandboxing features
Warning: an existing sandbox was detected. "'"'-l'"'"' '  will run without any additional sandboxing features
Warning: an existing sandbox was detected. '"'"'"'"'"'"'-l'"'"'"'"'"'"'"'"' '"'"' '  will run without any additional sandboxing features
Warning: an existing sandbox was detected. "'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'-l'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"' '"'"'"'"'"'"'"'"' '"'"' '  will run without any additional sandboxing features
Warning: an existing sandbox was detected. '"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'-l'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"' '"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"' '"'"'"'"'"'"'"'"' '"'"' '  will run without any additional sandboxing features
Warning: an existing sandbox was detected. 

[..]

"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'
'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"' '"'"'"'"'"'"'"'"' '"'"' '  will run without any additional sandboxing features
Error cmdline_length: cmdline.c:145 build_cmdline: Argument list too long

@chiraag-nataraj commented on GitHub (Aug 12, 2018):

So you've set up firejail as your shell. Did you also use firecfg by any chance? This looks like a case where some program you're trying to run upon login is also independently sandboxed through firecfg and it requires something that's denied with the default profile.


@lowshoe commented on GitHub (Aug 13, 2018):

No, firecfg is not used. I'm trying to use firejail as login-shell for users that connect through SSH to a server.


@chiraag-nataraj commented on GitHub (Aug 14, 2018):

> I'm trying to use firejail as login-shell for users that connect through SSH to a server.

Right, I understand that. Can you edit /etc/firejail/login.users and add the argument --debug to your username's line (there is an example of the format in the file itself)? Let's see if we can get some more output.


@chiraag-nataraj commented on GitHub (Aug 14, 2018):

Okay, so I found that if I just login as dummy (a username I made up in my VM), I can get it so that setting /usr/local/bin/firejail as the shell will lead to a warning that /bin/bash will be run without any additional sandboxing. This is strange because I never asked for said additional sandboxing. I'm going to investigate.


@lowshoe commented on GitHub (Aug 15, 2018):

ok, so i added myusername:--debug in /etc/firejail/login.users. Now connecting through SSH fails with

Error: invalid --debug command line option

But i can su to that user as root on the host itself:

su -l myusername
Autoselecting /bin/firejail as shell
Command name #/bin/firejail#
Attempting to find default.profile...
Found default profile in /etc/firejail directory
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc

** Note: you can use --noprofile to disable default.profile **

DISPLAY is not set
Using the local network stack
Parent pid 10717, child pid 10718
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp.postexec file
Build protocol filter: unix,inet,inet6
sbox run: /usr/lib64/firejail/fseccomp protocol build unix,inet,inet6 /run/firejail/mnt/seccomp.protocol (null) 
Dropping all capabilities
Drop privileges: pid 2, uid 2454, gid 2455, nogroups 1
No supplementary groups
Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr, /etc, /var
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/x11
Remounting /proc and /proc/sys filesystems
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /sys/kernel/uevent_helper
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/kernel/hotplug
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/timer_stats
Disable /proc/kcore
Disable /proc/kallsyms
Disable /usr/lib/modules (requested /lib/modules)
Disable /usr/lib/debug
Disable /boot
Disable /dev/port
Disable /dev/kmsg
Disable /proc/kmsg
Disable /etc/xdg/autostart
Disable /var/lib/systemd
Disable /var/lib/clamav
Disable /var/spool/mail (requested /var/mail)
Disable /var/opt
Disable /run/rpcbind.sock (requested /var/run/rpcbind.sock)
Disable /var/spool/anacron
Disable /var/spool/cron
Disable /var/spool/mail
Disable /etc/anacrontab
Disable /etc/cron.deny
Disable /etc/cron.hourly
Disable /etc/cron.monthly
Disable /etc/cron.weekly
Disable /etc/crontab
Disable /etc/cron.d
Disable /etc/cron.daily
Disable /etc/profile.d
Disable /etc/rc.d/rc.local (requested /etc/rc.local)
Disable /etc/rc.d/rc0.d (requested /etc/rc0.d)
Disable /etc/rc.d/rc1.d (requested /etc/rc1.d)
Disable /etc/rc.d/rc2.d (requested /etc/rc2.d)
Disable /etc/rc.d/rc3.d (requested /etc/rc3.d)
Disable /etc/rc.d/rc4.d (requested /etc/rc4.d)
Disable /etc/rc.d/rc5.d (requested /etc/rc5.d)
Disable /etc/rc.d/rc6.d (requested /etc/rc6.d)
Disable /etc/kernel
Disable /etc/grub.d
Disable /etc/selinux
Disable /etc/modules-load.d
Disable /etc/logrotate.conf
Disable /etc/logrotate.d
Disable /etc/group-
Disable /etc/gshadow
Disable /etc/gshadow-
Disable /etc/passwd-
Disable /etc/shadow
Disable /etc/shadow-
Disable /etc/ssh
Disable /usr/sbin (requested /sbin)
Disable /usr/local/sbin
Disable /usr/sbin
Disable /usr/bin/chage (requested /bin/chage)
Disable /usr/bin/chage
Disable /usr/bin/chfn (requested /bin/chfn)
Disable /usr/bin/chfn
Disable /usr/bin/chsh (requested /bin/chsh)
Disable /usr/bin/chsh
Disable /usr/bin/crontab (requested /bin/crontab)
Disable /usr/bin/crontab
Disable /usr/bin/fusermount (requested /bin/fusermount)
Disable /usr/bin/fusermount
Mounting noexec /tmp/.X11-unix
Disable /sys/fs
Disable /sys/module
Current directory: /home/myusername
DISPLAY is not set
Dropping all capabilities
Install protocol filter: unix,inet,inet6
configuring 14 seccomp entries in /run/firejail/mnt/seccomp.protocol
sbox run: /usr/lib64/firejail/fsec-print /run/firejail/mnt/seccomp.protocol (null) 
Dropping all capabilities
Drop privileges: pid 3, uid 2454, gid 2455, nogroups 1
No supplementary groups
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 15 01 00 00000029   jeq socket 0006 (false 0005)
 0005: 06 00 00 7fff0000   ret ALLOW
 0006: 20 00 00 00000010   ld  data.args[0]
 0007: 15 00 01 00000001   jeq 1 0008 (false 0009)
 0008: 06 00 00 7fff0000   ret ALLOW
 0009: 15 00 01 00000002   jeq 2 000a (false 000b)
 000a: 06 00 00 7fff0000   ret ALLOW
 000b: 15 00 01 0000000a   jeq a 000c (false 000d)
 000c: 06 00 00 7fff0000   ret ALLOW
 000d: 06 00 00 0005005f   ret ERRNO(95)
configuring 54 seccomp entries in /run/firejail/mnt/seccomp.32
sbox run: /usr/lib64/firejail/fsec-print /run/firejail/mnt/seccomp.32 (null) 
Dropping all capabilities
Drop privileges: pid 4, uid 2454, gid 2455, nogroups 1
No supplementary groups
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 40000003   jeq ARCH_32 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 15 30 00 00000015   jeq 15 0035 (false 0005)
 0005: 15 2f 00 00000034   jeq 34 0035 (false 0006)
 0006: 15 2e 00 0000001a   jeq 1a 0035 (false 0007)
 0007: 15 2d 00 0000011b   jeq 11b 0035 (false 0008)
 0008: 15 2c 00 00000155   jeq 155 0035 (false 0009)
 0009: 15 2b 00 00000156   jeq 156 0035 (false 000a)
 000a: 15 2a 00 0000007f   jeq 7f 0035 (false 000b)
 000b: 15 29 00 00000080   jeq 80 0035 (false 000c)
 000c: 15 28 00 0000015e   jeq 15e 0035 (false 000d)
 000d: 15 27 00 00000081   jeq 81 0035 (false 000e)
 000e: 15 26 00 0000006e   jeq 6e 0035 (false 000f)
 000f: 15 25 00 00000065   jeq 65 0035 (false 0010)
 0010: 15 24 00 00000121   jeq 121 0035 (false 0011)
 0011: 15 23 00 00000057   jeq 57 0035 (false 0012)
 0012: 15 22 00 00000073   jeq 73 0035 (false 0013)
 0013: 15 21 00 00000067   jeq 67 0035 (false 0014)
 0014: 15 20 00 0000015b   jeq 15b 0035 (false 0015)
 0015: 15 1f 00 0000015c   jeq 15c 0035 (false 0016)
 0016: 15 1e 00 00000087   jeq 87 0035 (false 0017)
 0017: 15 1d 00 00000095   jeq 95 0035 (false 0018)
 0018: 15 1c 00 0000007c   jeq 7c 0035 (false 0019)
 0019: 15 1b 00 00000157   jeq 157 0035 (false 001a)
 001a: 15 1a 00 000000fd   jeq fd 0035 (false 001b)
 001b: 15 19 00 00000150   jeq 150 0035 (false 001c)
 001c: 15 18 00 00000152   jeq 152 0035 (false 001d)
 001d: 15 17 00 0000015d   jeq 15d 0035 (false 001e)
 001e: 15 16 00 0000011e   jeq 11e 0035 (false 001f)
 001f: 15 15 00 0000011f   jeq 11f 0035 (false 0020)
 0020: 15 14 00 00000120   jeq 120 0035 (false 0021)
 0021: 15 13 00 00000056   jeq 56 0035 (false 0022)
 0022: 15 12 00 00000033   jeq 33 0035 (false 0023)
 0023: 15 11 00 0000007b   jeq 7b 0035 (false 0024)
 0024: 15 10 00 000000d9   jeq d9 0035 (false 0025)
 0025: 15 0f 00 000000f5   jeq f5 0035 (false 0026)
 0026: 15 0e 00 000000f6   jeq f6 0035 (false 0027)
 0027: 15 0d 00 000000f7   jeq f7 0035 (false 0028)
 0028: 15 0c 00 000000f8   jeq f8 0035 (false 0029)
 0029: 15 0b 00 000000f9   jeq f9 0035 (false 002a)
 002a: 15 0a 00 00000101   jeq 101 0035 (false 002b)
 002b: 15 09 00 00000112   jeq 112 0035 (false 002c)
 002c: 15 08 00 00000114   jeq 114 0035 (false 002d)
 002d: 15 07 00 00000126   jeq 126 0035 (false 002e)
 002e: 15 06 00 0000013d   jeq 13d 0035 (false 002f)
 002f: 15 05 00 0000013c   jeq 13c 0035 (false 0030)
 0030: 15 04 00 0000003d   jeq 3d 0035 (false 0031)
 0031: 15 03 00 00000058   jeq 58 0035 (false 0032)
 0032: 15 02 00 000000a9   jeq a9 0035 (false 0033)
 0033: 15 01 00 00000082   jeq 82 0035 (false 0034)
 0034: 06 00 00 7fff0000   ret ALLOW
 0035: 06 00 00 00000000   ret KILL
Dual 32/64 bit seccomp filter configured
configuring 73 seccomp entries in /run/firejail/mnt/seccomp
sbox run: /usr/lib64/firejail/fsec-print /run/firejail/mnt/seccomp (null) 
Dropping all capabilities
Drop privileges: pid 5, uid 2454, gid 2455, nogroups 1
No supplementary groups
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 35 01 00 40000000   jge X32_ABI 0006 (false 0005)
 0005: 35 01 00 00000000   jge read 0007 (false 0006)
 0006: 06 00 00 00050001   ret ERRNO(1)
 0007: 15 40 00 0000009a   jeq modify_ldt 0048 (false 0008)
 0008: 15 3f 00 000000d4   jeq lookup_dcookie 0048 (false 0009)
 0009: 15 3e 00 0000012a   jeq perf_event_open 0048 (false 000a)
 000a: 15 3d 00 00000137   jeq process_vm_writev 0048 (false 000b)
 000b: 15 3c 00 0000009c   jeq _sysctl 0048 (false 000c)
 000c: 15 3b 00 000000b7   jeq afs_syscall 0048 (false 000d)
 000d: 15 3a 00 000000ae   jeq create_module 0048 (false 000e)
 000e: 15 39 00 000000b1   jeq get_kernel_syms 0048 (false 000f)
 000f: 15 38 00 000000b5   jeq getpmsg 0048 (false 0010)
 0010: 15 37 00 000000b6   jeq putpmsg 0048 (false 0011)
 0011: 15 36 00 000000b2   jeq query_module 0048 (false 0012)
 0012: 15 35 00 000000b9   jeq security 0048 (false 0013)
 0013: 15 34 00 0000008b   jeq sysfs 0048 (false 0014)
 0014: 15 33 00 000000b8   jeq tuxcall 0048 (false 0015)
 0015: 15 32 00 00000086   jeq uselib 0048 (false 0016)
 0016: 15 31 00 00000088   jeq ustat 0048 (false 0017)
 0017: 15 30 00 000000ec   jeq vserver 0048 (false 0018)
 0018: 15 2f 00 0000009f   jeq adjtimex 0048 (false 0019)
 0019: 15 2e 00 00000131   jeq clock_adjtime 0048 (false 001a)
 001a: 15 2d 00 000000e3   jeq clock_settime 0048 (false 001b)
 001b: 15 2c 00 000000a4   jeq settimeofday 0048 (false 001c)
 001c: 15 2b 00 000000b0   jeq delete_module 0048 (false 001d)
 001d: 15 2a 00 00000139   jeq finit_module 0048 (false 001e)
 001e: 15 29 00 000000af   jeq init_module 0048 (false 001f)
 001f: 15 28 00 000000ad   jeq ioperm 0048 (false 0020)
 0020: 15 27 00 000000ac   jeq iopl 0048 (false 0021)
 0021: 15 26 00 000000f6   jeq kexec_load 0048 (false 0022)
 0022: 15 25 00 00000140   jeq kexec_file_load 0048 (false 0023)
 0023: 15 24 00 000000a9   jeq reboot 0048 (false 0024)
 0024: 15 23 00 000000a7   jeq swapon 0048 (false 0025)
 0025: 15 22 00 000000a8   jeq swapoff 0048 (false 0026)
 0026: 15 21 00 000000a3   jeq acct 0048 (false 0027)
 0027: 15 20 00 000000a1   jeq chroot 0048 (false 0028)
 0028: 15 1f 00 000000a5   jeq mount 0048 (false 0029)
 0029: 15 1e 00 000000b4   jeq nfsservctl 0048 (false 002a)
 002a: 15 1d 00 0000009b   jeq pivot_root 0048 (false 002b)
 002b: 15 1c 00 000000ab   jeq setdomainname 0048 (false 002c)
 002c: 15 1b 00 000000aa   jeq sethostname 0048 (false 002d)
 002d: 15 1a 00 000000a6   jeq umount2 0048 (false 002e)
 002e: 15 19 00 00000099   jeq vhangup 0048 (false 002f)
 002f: 15 18 00 000000ee   jeq set_mempolicy 0048 (false 0030)
 0030: 15 17 00 00000100   jeq migrate_pages 0048 (false 0031)
 0031: 15 16 00 00000117   jeq move_pages 0048 (false 0032)
 0032: 15 15 00 000000ed   jeq mbind 0048 (false 0033)
 0033: 15 14 00 00000130   jeq open_by_handle_at 0048 (false 0034)
 0034: 15 13 00 0000012f   jeq name_to_handle_at 0048 (false 0035)
 0035: 15 12 00 000000fb   jeq ioprio_set 0048 (false 0036)
 0036: 15 11 00 00000067   jeq syslog 0048 (false 0037)
 0037: 15 10 00 0000012c   jeq fanotify_init 0048 (false 0038)
 0038: 15 0f 00 00000138   jeq kcmp 0048 (false 0039)
 0039: 15 0e 00 000000f8   jeq add_key 0048 (false 003a)
 003a: 15 0d 00 000000f9   jeq request_key 0048 (false 003b)
 003b: 15 0c 00 000000fa   jeq keyctl 0048 (false 003c)
003c: 15 0b 00 000000ce   jeq io_setup 0048 (false 003d)
 003d: 15 0a 00 000000cf   jeq io_destroy 0048 (false 003e)
 003e: 15 09 00 000000d0   jeq io_getevents 0048 (false 003f)
 003f: 15 08 00 000000d1   jeq io_submit 0048 (false 0040)
 0040: 15 07 00 000000d2   jeq io_cancel 0048 (false 0041)
 0041: 15 06 00 000000d8   jeq remap_file_pages 0048 (false 0042)
 0042: 15 05 00 00000116   jeq vmsplice 0048 (false 0043)
 0043: 15 04 00 00000087   jeq personality 0048 (false 0044)
 0044: 15 03 00 00000143   jeq userfaultfd 0048 (false 0045)
 0045: 15 02 00 00000065   jeq ptrace 0048 (false 0046)
 0046: 15 01 00 00000136   jeq process_vm_readv 0048 (false 0047)
 0047: 06 00 00 7fff0000   ret ALLOW
 0048: 06 00 00 00000000   ret KILL
seccomp filter configured
NO_NEW_PRIVS set
Drop privileges: pid 1, uid 2454, gid 2455, nogroups 0
starting application
LD_PRELOAD=(null)
Starting /bin/firejail login shell
execvp argument 0: /bin/firejail
execvp argument 1: -l
Child process initialized in 40.80 ms
Installing /run/firejail/mnt/seccomp seccomp filter
Installing /run/firejail/mnt/seccomp.32 seccomp filter
Installing /run/firejail/mnt/seccomp.protocol seccomp filter
Warning: an existing sandbox was detected. -l will run without any additional sandboxing features
Warning: an existing sandbox was detected. '-l'  will run without any additional sandboxing features
Warning: an existing sandbox was detected. "'"'-l'"'"' '  will run without any additional sandboxing features
Warning: an existing sandbox was detected. '"'"'"'"'"'"'-l'"'"'"'"'"'"'"'"' '"'"' '  will run without any additional sandboxing features
Warning: an existing sandbox was detected. "'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'-l'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"' '"'"'"'"'"'"'"'"' '"'"' '  will run without any additional sandboxing features
Warning: an existing sandbox was detected. '"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'-l'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'
"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"' '"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"' '"'"'"'"'"'"'"'"' '"'"' '  will run without any additional sandboxing features
Warning: an existing sandbox was detected. "'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'
"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'-l'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'
"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'

[..]

"'"' '  will run without any additional sandboxing features
monitoring pid 6

Warning: an existing sandbox was detected. '"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"
'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"

[..]

'"'"' '  will run without any additional sandboxing features
Error cmdline_length: cmdline.c:145 build_cmdline: Argument list too long
Sandbox monitor: waitpid 6 retval 6 status 256

Parent is shutting down, bye...
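
A triage helper for output of the shape quoted in the comment above, as an added example that is not part of the original issue or of firejail's own code: it checks whether the program executed inside the sandbox is the sandbox binary itself and whether the argument echoed in the repeated "existing sandbox" warning keeps growing until the argument-list error. The function and field names are hypothetical, and the embedded logs are constructed, shortened samples that reuse the line formats shown above.

```python
import os
import re

# Line formats taken from the firejail output quoted in this issue.
CMDNAME_RE = re.compile(r"^Command name #(.*)#$")
EXEC0_RE = re.compile(r"^execvp argument 0: (\S+)$")
NESTED_RE = re.compile(
    r"^Warning: an existing sandbox was detected\. (.*?)\s+"
    r"will run without any additional sandboxing features$"
)
OVERFLOW_RE = re.compile(r"^Error cmdline_length: .*Argument list too long$")

# Constructed sample: shortened copy of the --debug output quoted above.
LOOPING_LOG = """\
Autoselecting /bin/firejail as shell
Command name #/bin/firejail#
Parent pid 10717, child pid 10718
Starting /bin/firejail login shell
execvp argument 0: /bin/firejail
execvp argument 1: -l
Child process initialized in 40.80 ms
Warning: an existing sandbox was detected. -l will run without any additional sandboxing features
Warning: an existing sandbox was detected. '-l'  will run without any additional sandboxing features
Warning: an existing sandbox was detected. "'"'-l'"'"' '  will run without any additional sandboxing features
Error cmdline_length: cmdline.c:145 build_cmdline: Argument list too long
"""

# Constructed counter-example: same line formats, but a real shell is executed.
HEALTHY_LOG = """\
Command name #/bin/firejail#
Parent pid 4100, child pid 4101
execvp argument 0: /bin/bash
execvp argument 1: -l
Child process initialized in 38.10 ms
"""


def triage(log_text):
    """Summarise the login-shell symptoms visible in firejail output."""
    report = {
        "invoked_as": None,        # from "Command name #...#"
        "exec_target": None,       # first "execvp argument 0:" line
        "nested_arg_lengths": [],  # length of the argument echoed per warning
        "arg_list_overflow": False,
    }
    for raw in log_text.splitlines():
        line = raw.rstrip()
        m = CMDNAME_RE.match(line)
        if m:
            report["invoked_as"] = m.group(1)
            continue
        m = EXEC0_RE.match(line)
        if m:
            if report["exec_target"] is None:
                report["exec_target"] = m.group(1)
            continue
        m = NESTED_RE.match(line)
        if m:
            report["nested_arg_lengths"].append(len(m.group(1)))
            continue
        if OVERFLOW_RE.match(line):
            report["arg_list_overflow"] = True

    # Basenames are compared because /bin and /usr/bin may be the same
    # directory on the host; on a live system compare resolved paths instead.
    invoked, target = report["invoked_as"], report["exec_target"]
    report["self_reexec"] = (
        invoked is not None
        and target is not None
        and os.path.basename(invoked) == os.path.basename(target)
    )

    lengths = report["nested_arg_lengths"]
    report["args_growing"] = len(lengths) >= 2 and all(
        a < b for a, b in zip(lengths, lengths[1:])
    )

    # Growing re-quoted arguments plus either corroborating signal.
    report["loop_detected"] = report["args_growing"] and (
        report["self_reexec"] or report["arg_list_overflow"]
    )
    return report


if __name__ == "__main__":
    for name, log in (("looping", LOOPING_LOG), ("healthy", HEALTHY_LOG)):
        print(name, triage(log))
```

Without --debug the "Command name" and "execvp" lines are absent, so the helper falls back to the growing warnings together with the final error.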
15 06 00 000000d8 jeq remap_file_pages 0048 (false 0042) 0042: 15 05 00 00000116 jeq vmsplice 0048 (false 0043) 0043: 15 04 00 00000087 jeq personality 0048 (false 0044) 0044: 15 03 00 00000143 jeq userfaultfd 0048 (false 0045) 0045: 15 02 00 00000065 jeq ptrace 0048 (false 0046) 0046: 15 01 00 00000136 jeq process_vm_readv 0048 (false 0047) 0047: 06 00 00 7fff0000 ret ALLOW 0048: 06 00 00 00000000 ret KILL seccomp filter configured NO_NEW_PRIVS set Drop privileges: pid 1, uid 2454, gid 2455, nogroups 0 starting application LD_PRELOAD=(null) Starting /bin/firejail login shell execvp argument 0: /bin/firejail execvp argument 1: -l Child process initialized in 40.80 ms Installing /run/firejail/mnt/seccomp seccomp filter Installing /run/firejail/mnt/seccomp.32 seccomp filter Installing /run/firejail/mnt/seccomp.protocol seccomp filter Warning: an existing sandbox was detected. -l will run without any additional sandboxing features Warning: an existing sandbox was detected. '-l' will run without any additional sandboxing features Warning: an existing sandbox was detected. "'"'-l'"'"' ' will run without any additional sandboxing features Warning: an existing sandbox was detected. '"'"'"'"'"'"'-l'"'"'"'"'"'"'"'"' '"'"' ' will run without any additional sandboxing features Warning: an existing sandbox was detected. "'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'-l'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"' '"'"'"'"'"'"'"'"' '"'"' ' will run without any additional sandboxing features Warning: an existing sandbox was detected. 
'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'-l'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"' "'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"' '"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"' '"'"'"'"'"'"'"'"' '"'"' ' will run without any additional sandboxing features Warning: an existing sandbox was detected. "'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"' "'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'-l'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"' "'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"' ``` [..] ``` "'"' ' will run without any additional sandboxing features monitoring pid 6 Warning: an existing sandbox was detected. '"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'" '"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'" ``` [..] ``` '"'"' ' will run without any additional sandboxing features Error cmdline_length: cmdline.c:145 build_cmdline: Argument list too long Sandbox monitor: waitpid 6 retval 6 status 256 Parent is shutting down, bye... ```

@smitsohu commented on GitHub (Dec 23, 2020):

I'm getting something quite similar by setting SHELL to the path of a firejail executable.

Just use a non-canonical path for SHELL, like for example `/usr/bin///firejail`.


@smitsohu commented on GitHub (Dec 26, 2020):

@lowshoe you didn't by chance copy the firejail binary to `/bin/firejail` or create a link with that name?

I know the issue is quite old ....
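The two comments above turn on one binary being reachable under several names: a non-canonical spelling, a link, or a copy. The following C sketch is an added illustration, not firejail's code or its eventual fix; it assumes the self-detection involved is a path comparison, which the thread suggests but does not show, and compares the same paths by string, by canonical path and by device/inode identity. All names and the temporary fixture (`fakejail`, `usr_bin`, `bin`) are constructed for the example; the `bin -> usr_bin` link mirrors the `/bin` to `/usr/bin` resolution visible in the debug logs in this thread.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Naive check: two paths name the same program only if the strings match. */
static int same_by_string(const char *a, const char *b) {
    return strcmp(a, b) == 0;
}

/* Canonical-path check: resolve both sides with realpath(), then compare.
 * Returns 1 if equal, 0 if different, -1 if either path cannot be resolved. */
static int same_by_realpath(const char *a, const char *b) {
    char ra[PATH_MAX], rb[PATH_MAX];
    if (!realpath(a, ra) || !realpath(b, rb))
        return -1;
    return strcmp(ra, rb) == 0;
}

/* Identity check: stat() follows symlinks; same device and inode means
 * same file. Returns 1, 0, or -1 if either path cannot be stat'ed. */
static int same_by_inode(const char *a, const char *b) {
    struct stat sa, sb;
    if (stat(a, &sa) != 0 || stat(b, &sb) != 0)
        return -1;
    return sa.st_dev == sb.st_dev && sa.st_ino == sb.st_ino;
}

/* Constructed fixture: one stub "binary" reachable under several names. */
struct fixture {
    char root[64];
    char real[512];      /* <root>/usr_bin/fakejail                    */
    char slashes[512];   /* <root>/usr_bin///fakejail (non-canonical)  */
    char via_link[512];  /* <root>/bin/fakejail, bin -> usr_bin        */
    char copy[512];      /* <root>/fakejail.copy (separate inode)      */
};

static int write_file(const char *path, const char *content) {
    FILE *fp = fopen(path, "w");
    if (!fp)
        return -1;
    fputs(content, fp);
    return fclose(fp);
}

static int make_fixture(struct fixture *f) {
    char dir[256];
    strcpy(f->root, "/tmp/shellcmp.XXXXXX");
    if (!mkdtemp(f->root))
        return -1;
    snprintf(dir, sizeof dir, "%s/usr_bin", f->root);
    if (mkdir(dir, 0700) != 0)
        return -1;
    snprintf(dir, sizeof dir, "%s/bin", f->root);
    if (symlink("usr_bin", dir) != 0)   /* relative link inside the fixture */
        return -1;
    snprintf(f->real, sizeof f->real, "%s/usr_bin/fakejail", f->root);
    snprintf(f->slashes, sizeof f->slashes, "%s/usr_bin///fakejail", f->root);
    snprintf(f->via_link, sizeof f->via_link, "%s/bin/fakejail", f->root);
    snprintf(f->copy, sizeof f->copy, "%s/fakejail.copy", f->root);
    if (write_file(f->real, "stub\n") != 0 || write_file(f->copy, "stub\n") != 0)
        return -1;
    return 0;
}

static void remove_fixture(const struct fixture *f) {
    char dir[256];
    unlink(f->real);
    unlink(f->copy);
    snprintf(dir, sizeof dir, "%s/bin", f->root);
    unlink(dir);                        /* removes the symlink itself */
    snprintf(dir, sizeof dir, "%s/usr_bin", f->root);
    rmdir(dir);
    rmdir(f->root);
}

int main(void) {
    struct fixture f;
    if (make_fixture(&f) != 0) {
        perror("fixture");
        return 1;
    }
    const char *label[] = {"same spelling", "extra slashes",
                           "via linked dir", "separate copy"};
    const char *path[] = {f.real, f.slashes, f.via_link, f.copy};
    for (int i = 0; i < 4; i++)
        printf("%-15s string=%d realpath=%d inode=%d\n", label[i],
               same_by_string(f.real, path[i]),
               same_by_realpath(f.real, path[i]),
               same_by_inode(f.real, path[i]));
    remove_fixture(&f);
    return 0;
}
```

A copied binary is a different file under every one of these checks, so that case cannot be recognised by comparing paths or inodes.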


@smitsohu commented on GitHub (Jan 29, 2021):

I'll send a pull request to close this issue.

If someone finds the issue to persist, please complain here or open a new bug report.


@Drakano commented on GitHub (May 28, 2021):

It's still present. Just the error text has slightly changed.

environment

[root@localhost ~]# cat /etc/*release
CentOS Linux release 7.8.2003 (Core)
NAME="CentOS Linux"

[root@localhost ~]# uname -a         
Linux localhost.localdomain 3.10.0-1127.19.1.el7.x86_64 #1 SMP Tue Aug 25 17:23:54 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

[root@localhost ~]# yum list installed | grep firejail
firejail.x86_64                      0.9.64.4-1                      installed

[root@localhost ~]# grep firejail /etc/passwd
testuser:x:1004:1004::/home/testuser:/bin/firejail

[root@localhost ~]# grep testuser /etc/firejail/login.users 
testuser:--debug

ssh (w/o firejail debug)

drak@x1:~$ ssh testuser@cent
testuser@192.168.56.113's password: 
Last login: Fri May 28 14:26:26 2021 from x1
Error: too long arguments
Connection to 192.168.56.113 closed.

su -l (w/ debug)

[root@localhost ~]# su -l testuser   
Last login: Fr Mai 28 14:03:09 CEST 2021 on pts/0
Autoselecting /bin/firejail as shell
Command name #/bin/firejail#
Attempting to find default.profile...
Found default.profile profile in /etc/firejail directory
Reading profile /etc/firejail/default.profile
Found disable-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-common.inc
Found disable-passwdmgr.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-passwdmgr.inc
Found disable-programs.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-programs.inc

** Note: you can use --noprofile to disable default.profile **

DISPLAY is not set
Using the local network stack
Parent pid 1671, child pid 1672
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
Build protocol filter: unix,inet,inet6
sbox run: /run/firejail/lib/fseccomp protocol build unix,inet,inet6 /run/firejail/mnt/seccomp/seccomp.protocol 
Dropping all capabilities
Drop privileges: pid 2, uid 1004, gid 1004, nogroups 1
No supplementary groups
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
112 79 253:0 /etc /etc ro,relatime master:1 - xfs /dev/mapper/centos-root rw,attr2,inode64,noquota
mountid=112 fsname=/etc dir=/etc fstype=xfs
Mounting noexec /etc
113 112 253:0 /etc /etc ro,nosuid,nodev,noexec,relatime master:1 - xfs /dev/mapper/centos-root rw,attr2,inode64,noquota
mountid=113 fsname=/etc dir=/etc fstype=xfs
Mounting read-only /var
114 79 253:0 /var /var ro,relatime master:1 - xfs /dev/mapper/centos-root rw,attr2,inode64,noquota
mountid=114 fsname=/var dir=/var fstype=xfs
Mounting noexec /var
147 114 253:0 /var /var ro,nosuid,nodev,noexec,relatime master:1 - xfs /dev/mapper/centos-root rw,attr2,inode64,noquota
mountid=147 fsname=/var dir=/var fstype=xfs
Mounting read-only /usr
150 79 253:0 /usr /usr ro,relatime master:1 - xfs /dev/mapper/centos-root rw,attr2,inode64,noquota
mountid=150 fsname=/usr dir=/usr fstype=xfs
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Cleaning /run/user directory
Cannot find /run/user/1004 directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
Disable /run/firejail/appimage
blacklist /run/firejail/dbus
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /sys/kernel/uevent_helper
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/kernel/hotplug
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/timer_stats
Disable /proc/kcore
Disable /proc/kallsyms
Disable /usr/lib/modules (requested /lib/modules)
Disable /usr/lib/debug
Disable /boot
Disable /dev/port
Disable /dev/kmsg
Disable /proc/kmsg
Disable /etc/xdg/autostart
Disable /var/lib/systemd
Disable /usr/bin/systemd-run (requested /bin/systemd-run)
Disable /usr/bin/systemd-run
Disable /etc/rc.d/init.d (requested /etc/init.d/)
Disable /var/lib/mysql/mysql.sock
Disable /var/spool/mail (requested /var/mail)
Disable /var/opt
Disable /var/spool/anacron
Disable /var/spool/cron
Disable /var/spool/mail
Disable /etc/anacrontab
Disable /etc/cron.hourly
Disable /etc/cron.weekly
Disable /etc/cron.d
Disable /etc/cron.daily
Disable /etc/cron.deny
Disable /etc/cron.monthly
Disable /etc/crontab
Disable /etc/profile.d
Disable /etc/rc.d/rc.local (requested /etc/rc.local)
Disable /etc/rc.d/rc0.d (requested /etc/rc0.d)
Disable /etc/rc.d/rc1.d (requested /etc/rc1.d)
Disable /etc/rc.d/rc2.d (requested /etc/rc2.d)
Disable /etc/rc.d/rc3.d (requested /etc/rc3.d)
Disable /etc/rc.d/rc4.d (requested /etc/rc4.d)
Disable /etc/rc.d/rc5.d (requested /etc/rc5.d)
Disable /etc/rc.d/rc6.d (requested /etc/rc6.d)
Disable /etc/kernel
Disable /etc/grub.d
Disable /etc/selinux
Disable /etc/modules-load.d
Disable /etc/logrotate.conf
Disable /etc/logrotate.d
Mounting read-only /home/testuser/.bash_logout
212 157 253:0 /home/testuser/.bash_logout /home/testuser/.bash_logout ro,relatime master:1 - xfs /dev/mapper/centos-root rw,attr2,inode64,noquota
mountid=212 fsname=/home/testuser/.bash_logout dir=/home/testuser/.bash_logout fstype=xfs
Mounting read-only /home/testuser/.bash_profile
213 157 253:0 /home/testuser/.bash_profile /home/testuser/.bash_profile ro,relatime master:1 - xfs /dev/mapper/centos-root rw,attr2,inode64,noquota
mountid=213 fsname=/home/testuser/.bash_profile dir=/home/testuser/.bash_profile fstype=xfs
Mounting read-only /home/testuser/.bashrc
214 157 253:0 /home/testuser/.bashrc /home/testuser/.bashrc ro,relatime master:1 - xfs /dev/mapper/centos-root rw,attr2,inode64,noquota
mountid=214 fsname=/home/testuser/.bashrc dir=/home/testuser/.bashrc fstype=xfs
Disable /etc/group-
Disable /etc/gshadow
Disable /etc/gshadow-
Disable /etc/passwd-
Disable /etc/shadow
Disable /etc/shadow-
Disable /etc/ssh
Disable /usr/sbin (requested /sbin)
Disable /usr/local/sbin
Disable /usr/sbin
Disable /usr/bin/chage (requested /bin/chage)
Disable /usr/bin/chage
Disable /usr/bin/chfn (requested /bin/chfn)
Disable /usr/bin/chfn
Disable /usr/bin/chsh (requested /bin/chsh)
Disable /usr/bin/chsh
Disable /usr/bin/crontab (requested /bin/crontab)
Disable /usr/bin/crontab
Disable /usr/bin/gpasswd (requested /bin/gpasswd)
Disable /usr/bin/gpasswd
Disable /usr/bin/mount (requested /bin/mount)
Disable /usr/bin/mount
Disable /usr/bin/newgidmap (requested /bin/newgidmap)
Disable /usr/bin/newgidmap
Disable /usr/bin/newgrp (requested /bin/newgrp)
Disable /usr/bin/newgrp
Disable /usr/bin/newuidmap (requested /bin/newuidmap)
Disable /usr/bin/newuidmap
Disable /usr/bin/pkexec (requested /bin/pkexec)
Disable /usr/bin/pkexec
Disable /usr/bin/newgrp (requested /bin/sg)
Disable /usr/bin/newgrp (requested /usr/bin/sg)
Disable /usr/bin/su (requested /bin/su)
Disable /usr/bin/su
Disable /usr/bin/sudo (requested /bin/sudo)
Disable /usr/bin/sudo
Disable /usr/bin/umount (requested /bin/umount)
Disable /usr/bin/umount
Disable /sys/fs
Disable /sys/module
/etc/pulse/client.conf not found
Current directory: /home/testuser
DISPLAY is not set
Install protocol filter: unix,inet,inet6
configuring 20 seccomp entries in /run/firejail/mnt/seccomp/seccomp.protocol
sbox run: /usr/lib64/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.protocol 
Dropping all capabilities
Drop privileges: pid 3, uid 1004, gid 1004, nogroups 1
No supplementary groups
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 04 00 c000003e   jeq ARCH_64 0006 (false 0002)
 0002: 20 00 00 00000000   ld  data.syscall-number
 0003: 15 01 00 00000167   jeq unknown 0005 (false 0004)
 0004: 06 00 00 7fff0000   ret ALLOW
 0005: 05 00 00 00000006   jmp 000c
 0006: 20 00 00 00000004   ld  data.architecture
 0007: 15 01 00 c000003e   jeq ARCH_64 0009 (false 0008)
 0008: 06 00 00 7fff0000   ret ALLOW
 0009: 20 00 00 00000000   ld  data.syscall-number
 000a: 15 01 00 00000029   jeq socket 000c (false 000b)
 000b: 06 00 00 7fff0000   ret ALLOW
 000c: 20 00 00 00000010   ld  data.args[0]
 000d: 15 00 01 00000001   jeq 1 000e (false 000f)
 000e: 06 00 00 7fff0000   ret ALLOW
 000f: 15 00 01 00000002   jeq 2 0010 (false 0011)
 0010: 06 00 00 7fff0000   ret ALLOW
 0011: 15 00 01 0000000a   jeq a 0012 (false 0013)
 0012: 06 00 00 7fff0000   ret ALLOW
 0013: 06 00 00 0005005f   ret ERRNO(95)
configuring 101 seccomp entries in /run/firejail/mnt/seccomp/seccomp.32
sbox run: /usr/lib64/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.32 
Dropping all capabilities
Drop privileges: pid 4, uid 1004, gid 1004, nogroups 1
No supplementary groups
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 40000003   jeq ARCH_32 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 15 00 01 00000015   jeq 15 0005 (false 0006)
 0005: 06 00 00 00000001   ret KILL
 0006: 15 00 01 00000034   jeq 34 0007 (false 0008)
 0007: 06 00 00 00000001   ret KILL
 0008: 15 00 01 0000001a   jeq 1a 0009 (false 000a)
 0009: 06 00 00 00000001   ret KILL
 000a: 15 00 01 0000011b   jeq 11b 000b (false 000c)
 000b: 06 00 00 00000001   ret KILL
 000c: 15 00 01 00000155   jeq 155 000d (false 000e)
 000d: 06 00 00 00000001   ret KILL
 000e: 15 00 01 00000156   jeq 156 000f (false 0010)
 000f: 06 00 00 00000001   ret KILL
 0010: 15 00 01 0000007f   jeq 7f 0011 (false 0012)
 0011: 06 00 00 00000001   ret KILL
 0012: 15 00 01 00000080   jeq 80 0013 (false 0014)
 0013: 06 00 00 00000001   ret KILL
 0014: 15 00 01 0000015e   jeq 15e 0015 (false 0016)
 0015: 06 00 00 00000001   ret KILL
 0016: 15 00 01 00000081   jeq 81 0017 (false 0018)
 0017: 06 00 00 00000001   ret KILL
 0018: 15 00 01 0000006e   jeq 6e 0019 (false 001a)
 0019: 06 00 00 00000001   ret KILL
 001a: 15 00 01 00000065   jeq 65 001b (false 001c)
 001b: 06 00 00 00000001   ret KILL
 001c: 15 00 01 00000121   jeq 121 001d (false 001e)
 001d: 06 00 00 00000001   ret KILL
 001e: 15 00 01 00000057   jeq 57 001f (false 0020)
 001f: 06 00 00 00000001   ret KILL
 0020: 15 00 01 00000073   jeq 73 0021 (false 0022)
 0021: 06 00 00 00000001   ret KILL
 0022: 15 00 01 00000067   jeq 67 0023 (false 0024)
 0023: 06 00 00 00000001   ret KILL
 0024: 15 00 01 0000015b   jeq 15b 0025 (false 0026)
 0025: 06 00 00 00000001   ret KILL
 0026: 15 00 01 0000015c   jeq 15c 0027 (false 0028)
 0027: 06 00 00 00000001   ret KILL
 0028: 15 00 01 00000087   jeq 87 0029 (false 002a)
 0029: 06 00 00 00000001   ret KILL
 002a: 15 00 01 00000095   jeq 95 002b (false 002c)
 002b: 06 00 00 00000001   ret KILL
 002c: 15 00 01 0000007c   jeq 7c 002d (false 002e)
 002d: 06 00 00 00000001   ret KILL
 002e: 15 00 01 00000157   jeq 157 002f (false 0030)
 002f: 06 00 00 00000001   ret KILL
 0030: 15 00 01 000000fd   jeq fd 0031 (false 0032)
 0031: 06 00 00 00000001   ret KILL
 0032: 15 00 01 00000150   jeq 150 0033 (false 0034)
 0033: 06 00 00 00000001   ret KILL
 0034: 15 00 01 00000152   jeq 152 0035 (false 0036)
 0035: 06 00 00 00000001   ret KILL
 0036: 15 00 01 0000015d   jeq 15d 0037 (false 0038)
 0037: 06 00 00 00000001   ret KILL
 0038: 15 00 01 0000011e   jeq 11e 0039 (false 003a)
 0039: 06 00 00 00000001   ret KILL
 003a: 15 00 01 0000011f   jeq 11f 003b (false 003c)
 003b: 06 00 00 00000001   ret KILL
 003c: 15 00 01 00000120   jeq 120 003d (false 003e)
 003d: 06 00 00 00000001   ret KILL
 003e: 15 00 01 00000056   jeq 56 003f (false 0040)
 003f: 06 00 00 00000001   ret KILL
 0040: 15 00 01 00000033   jeq 33 0041 (false 0042)
 0041: 06 00 00 00000001   ret KILL
 0042: 15 00 01 0000007b   jeq 7b 0043 (false 0044)
 0043: 06 00 00 00000001   ret KILL
 0044: 15 00 01 000000d9   jeq d9 0045 (false 0046)
 0045: 06 00 00 00000001   ret KILL
 0046: 15 00 01 000000f5   jeq f5 0047 (false 0048)
 0047: 06 00 00 00000001   ret KILL
 0048: 15 00 01 000000f6   jeq f6 0049 (false 004a)
 0049: 06 00 00 00000001   ret KILL
 004a: 15 00 01 000000f7   jeq f7 004b (false 004c)
 004b: 06 00 00 00000001   ret KILL
 004c: 15 00 01 000000f8   jeq f8 004d (false 004e)
 004d: 06 00 00 00000001   ret KILL
 004e: 15 00 01 000000f9   jeq f9 004f (false 0050)
 004f: 06 00 00 00000001   ret KILL
 0050: 15 00 01 00000101   jeq 101 0051 (false 0052)
 0051: 06 00 00 00000001   ret KILL
 0052: 15 00 01 00000112   jeq 112 0053 (false 0054)
 0053: 06 00 00 00000001   ret KILL
 0054: 15 00 01 00000114   jeq 114 0055 (false 0056)
 0055: 06 00 00 00000001   ret KILL
 0056: 15 00 01 00000126   jeq 126 0057 (false 0058)
 0057: 06 00 00 00000001   ret KILL
 0058: 15 00 01 0000013d   jeq 13d 0059 (false 005a)
 0059: 06 00 00 00000001   ret KILL
 005a: 15 00 01 0000013c   jeq 13c 005b (false 005c)
 005b: 06 00 00 00000001   ret KILL
 005c: 15 00 01 0000003d   jeq 3d 005d (false 005e)
 005d: 06 00 00 00000001   ret KILL
 005e: 15 00 01 00000058   jeq 58 005f (false 0060)
 005f: 06 00 00 00000001   ret KILL
 0060: 15 00 01 000000a9   jeq a9 0061 (false 0062)
 0061: 06 00 00 00000001   ret KILL
 0062: 15 00 01 00000082   jeq 82 0063 (false 0064)
 0063: 06 00 00 00000001   ret KILL
 0064: 06 00 00 7fff0000   ret ALLOW
Dual 32/64 bit seccomp filter configured
configuring 134 seccomp entries in /run/firejail/mnt/seccomp/seccomp
sbox run: /usr/lib64/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp 
Dropping all capabilities
Drop privileges: pid 5, uid 1004, gid 1004, nogroups 1
No supplementary groups
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 35 01 00 40000000   jge X32_ABI 0006 (false 0005)
 0005: 35 01 00 00000000   jge read 0007 (false 0006)
 0006: 06 00 00 00050001   ret ERRNO(1)
 0007: 15 00 01 0000009f   jeq adjtimex 0008 (false 0009)
 0008: 06 00 00 00000001   ret KILL
 0009: 15 00 01 00000131   jeq clock_adjtime 000a (false 000b)
 000a: 06 00 00 00000001   ret KILL
 000b: 15 00 01 000000e3   jeq clock_settime 000c (false 000d)
 000c: 06 00 00 00000001   ret KILL
 000d: 15 00 01 000000a4   jeq settimeofday 000e (false 000f)
 000e: 06 00 00 00000001   ret KILL
 000f: 15 00 01 0000009a   jeq modify_ldt 0010 (false 0011)
 0010: 06 00 00 00000001   ret KILL
 0011: 15 00 01 000000d4   jeq lookup_dcookie 0012 (false 0013)
 0012: 06 00 00 00000001   ret KILL
 0013: 15 00 01 0000012a   jeq perf_event_open 0014 (false 0015)
 0014: 06 00 00 00000001   ret KILL
 0015: 15 00 01 00000137   jeq process_vm_writev 0016 (false 0017)
 0016: 06 00 00 00000001   ret KILL
 0017: 15 00 01 000000b0   jeq delete_module 0018 (false 0019)
 0018: 06 00 00 00000001   ret KILL
 0019: 15 00 01 00000139   jeq finit_module 001a (false 001b)
 001a: 06 00 00 00000001   ret KILL
 001b: 15 00 01 000000af   jeq init_module 001c (false 001d)
 001c: 06 00 00 00000001   ret KILL
 001d: 15 00 01 000000a1   jeq chroot 001e (false 001f)
 001e: 06 00 00 00000001   ret KILL
 001f: 15 00 01 000000a5   jeq mount 0020 (false 0021)
 0020: 06 00 00 00000001   ret KILL
 0021: 15 00 01 0000009b   jeq pivot_root 0022 (false 0023)
 0022: 06 00 00 00000001   ret KILL
 0023: 15 00 01 000000a6   jeq umount2 0024 (false 0025)
 0024: 06 00 00 00000001   ret KILL
 0025: 15 00 01 0000009c   jeq _sysctl 0026 (false 0027)
 0026: 06 00 00 00000001   ret KILL
 0027: 15 00 01 000000b7   jeq afs_syscall 0028 (false 0029)
 0028: 06 00 00 00000001   ret KILL
 0029: 15 00 01 000000ae   jeq create_module 002a (false 002b)
 002a: 06 00 00 00000001   ret KILL
 002b: 15 00 01 000000b1   jeq get_kernel_syms 002c (false 002d)
 002c: 06 00 00 00000001   ret KILL
 002d: 15 00 01 000000b5   jeq getpmsg 002e (false 002f)
 002e: 06 00 00 00000001   ret KILL
 002f: 15 00 01 000000b6   jeq putpmsg 0030 (false 0031)
 0030: 06 00 00 00000001   ret KILL
 0031: 15 00 01 000000b2   jeq query_module 0032 (false 0033)
 0032: 06 00 00 00000001   ret KILL
 0033: 15 00 01 000000b9   jeq security 0034 (false 0035)
 0034: 06 00 00 00000001   ret KILL
 0035: 15 00 01 0000008b   jeq sysfs 0036 (false 0037)
 0036: 06 00 00 00000001   ret KILL
 0037: 15 00 01 000000b8   jeq tuxcall 0038 (false 0039)
 0038: 06 00 00 00000001   ret KILL
 0039: 15 00 01 00000086   jeq uselib 003a (false 003b)
 003a: 06 00 00 00000001   ret KILL
 003b: 15 00 01 00000088   jeq ustat 003c (false 003d)
 003c: 06 00 00 00000001   ret KILL
 003d: 15 00 01 000000ec   jeq vserver 003e (false 003f)
 003e: 06 00 00 00000001   ret KILL
 003f: 15 00 01 000000ad   jeq ioperm 0040 (false 0041)
 0040: 06 00 00 00000001   ret KILL
 0041: 15 00 01 000000ac   jeq iopl 0042 (false 0043)
 0042: 06 00 00 00000001   ret KILL
 0043: 15 00 01 000000f6   jeq kexec_load 0044 (false 0045)
 0044: 06 00 00 00000001   ret KILL
 0045: 15 00 01 00000140   jeq kexec_file_load 0046 (false 0047)
 0046: 06 00 00 00000001   ret KILL
 0047: 15 00 01 000000a9   jeq reboot 0048 (false 0049)
 0048: 06 00 00 00000001   ret KILL
 0049: 15 00 01 000000a7   jeq swapon 004a (false 004b)
 004a: 06 00 00 00000001   ret KILL
 004b: 15 00 01 000000a8   jeq swapoff 004c (false 004d)
 004c: 06 00 00 00000001   ret KILL
 004d: 15 00 01 00000130   jeq open_by_handle_at 004e (false 004f)
 004e: 06 00 00 00000001   ret KILL
 004f: 15 00 01 0000012f   jeq name_to_handle_at 0050 (false 0051)
 0050: 06 00 00 00000001   ret KILL
 0051: 15 00 01 000000fb   jeq ioprio_set 0052 (false 0053)
 0052: 06 00 00 00000001   ret KILL
 0053: 15 00 01 00000067   jeq syslog 0054 (false 0055)
 0054: 06 00 00 00000001   ret KILL
 0055: 15 00 01 0000012c   jeq fanotify_init 0056 (false 0057)
 0056: 06 00 00 00000001   ret KILL
 0057: 15 00 01 00000138   jeq kcmp 0058 (false 0059)
 0058: 06 00 00 00000001   ret KILL
 0059: 15 00 01 000000f8   jeq add_key 005a (false 005b)
 005a: 06 00 00 00000001   ret KILL
 005b: 15 00 01 000000f9   jeq request_key 005c (false 005d)
 005c: 06 00 00 00000001   ret KILL
 005d: 15 00 01 000000ed   jeq mbind 005e (false 005f)
 005e: 06 00 00 00000001   ret KILL
 005f: 15 00 01 00000100   jeq migrate_pages 0060 (false 0061)
 0060: 06 00 00 00000001   ret KILL
 0061: 15 00 01 00000117   jeq move_pages 0062 (false 0063)
 0062: 06 00 00 00000001   ret KILL
 0063: 15 00 01 000000fa   jeq keyctl 0064 (false 0065)
 0064: 06 00 00 00000001   ret KILL
 0065: 15 00 01 000000ce   jeq io_setup 0066 (false 0067)
 0066: 06 00 00 00000001   ret KILL
 0067: 15 00 01 000000cf   jeq io_destroy 0068 (false 0069)
 0068: 06 00 00 00000001   ret KILL
 0069: 15 00 01 000000d0   jeq io_getevents 006a (false 006b)
 006a: 06 00 00 00000001   ret KILL
 006b: 15 00 01 000000d1   jeq io_submit 006c (false 006d)
 006c: 06 00 00 00000001   ret KILL
 006d: 15 00 01 000000d2   jeq io_cancel 006e (false 006f)
 006e: 06 00 00 00000001   ret KILL
 006f: 15 00 01 000000d8   jeq remap_file_pages 0070 (false 0071)
 0070: 06 00 00 00000001   ret KILL
 0071: 15 00 01 00000143   jeq userfaultfd 0072 (false 0073)
 0072: 06 00 00 00000001   ret KILL
 0073: 15 00 01 000000a3   jeq acct 0074 (false 0075)
 0074: 06 00 00 00000001   ret KILL
 0075: 15 00 01 00000141   jeq bpf 0076 (false 0077)
 0076: 06 00 00 00000001   ret KILL
 0077: 15 00 01 000000b4   jeq nfsservctl 0078 (false 0079)
 0078: 06 00 00 00000001   ret KILL
 0079: 15 00 01 000000ab   jeq setdomainname 007a (false 007b)
 007a: 06 00 00 00000001   ret KILL
 007b: 15 00 01 000000aa   jeq sethostname 007c (false 007d)
 007c: 06 00 00 00000001   ret KILL
 007d: 15 00 01 00000099   jeq vhangup 007e (false 007f)
 007e: 06 00 00 00000001   ret KILL
 007f: 15 00 01 00000065   jeq ptrace 0080 (false 0081)
 0080: 06 00 00 00000001   ret KILL
 0081: 15 00 01 00000087   jeq personality 0082 (false 0083)
 0082: 06 00 00 00000001   ret KILL
 0083: 15 00 01 00000136   jeq process_vm_readv 0084 (false 0085)
 0084: 06 00 00 00000001   ret KILL
 0085: 06 00 00 7fff0000   ret ALLOW
seccomp filter configured
Mounting read-only /run/firejail/mnt/seccomp
255 109 0:37 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755
mountid=255 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs
Seccomp directory:
ls /run/firejail/mnt/seccomp
drwxr-xr-x root     root             160 .
drwxr-xr-x root     root             220 ..
-rw-r--r-- testuser testuser        1072 seccomp
-rw-r--r-- testuser testuser         808 seccomp.32
-rw-r--r-- testuser testuser         114 seccomp.list
-rw-r--r-- testuser testuser           0 seccomp.postexec
-rw-r--r-- testuser testuser           0 seccomp.postexec32
-rw-r--r-- testuser testuser         160 seccomp.protocol
Active seccomp files:
cat /run/firejail/mnt/seccomp/seccomp.list
/run/firejail/mnt/seccomp/seccomp.protocol
/run/firejail/mnt/seccomp/seccomp.32
/run/firejail/mnt/seccomp/seccomp
Dropping all capabilities
NO_NEW_PRIVS set
Drop privileges: pid 1, uid 1004, gid 1004, nogroups 0
Starting application
LD_PRELOAD=(null)
Starting /bin/firejail login shell
execvp argument 0: /bin/firejail
execvp argument 1: -l
Child process initialized in 47.51 ms
Installing /run/firejail/mnt/seccomp/seccomp seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter
Warning: an existing sandbox was detected. -l will run without any additional sandboxing features
Warning: an existing sandbox was detected. '-l'  will run without any additional sandboxing features
Warning: an existing sandbox was detected. "'"'-l'"'"' '  will run without any additional sandboxing features
Warning: an existing sandbox was detected. '"'"'"'"'"'"'-l'"'"'"'"'"'"'"'"' '"'"' '  will run without any additional sandboxing features
Warning: an existing sandbox was detected. "'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'-l'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"' '"'"'"'"'"'"'"'"' '"'"' '  will run without any additional sandboxing features
Warning: an existing sandbox was detected. '"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'-l'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"' '"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"' '"'"'"'"'"'"'"'"' '"'"' '  will run without any additional sandboxing features
Warning: an existing sandbox was detected. "'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'-l'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"' '"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"' '"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"' '"'"'"'"'"'"'"'"' '"'"' '  will run without any additional sandboxing features
Warning: an existing sandbox was detected. '"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'-l'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"
'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"' '"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"' '"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"' '"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"' '"'"'"'"'"'"'"'"' '"'"' '  will run without any additional sandboxing features
Error: too long arguments
monitoring pid 6

Sandbox monitor: waitpid 6 retval 6 status 256

Parent is shutting down, bye...


@jsquyres commented on GitHub (Jun 2, 2021):

See #4326 for a possible solution.


@rusty-snake commented on GitHub (Jun 10, 2021):

This issue is fixed by #4326 as I understand.

Reference: github-starred/firejail#1105