[GH-ISSUE #1786] Error clone: main.c:2517 main: Invalid argument #1209

Open
opened 2026-05-05 07:39:28 -06:00 by gitea-mirror · 8 comments

Originally created by @fl-chris on GitHub (Feb 25, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1786

Hardware Rock64 (arm64), 4GB ram.
OS: Ubuntu bionic.
Firejail version 0.9.52 and firejail-profiles.

I get the following error when I try to use Firefox and Chromium under Firejail:

```
Reading profile /etc/firejail/chromium.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Error clone: main.c:2517 main: Invalid argument
```

Anyone know what is wrong and how to fix it?

gitea-mirror added the bug label 2026-05-05 07:39:28 -06:00

@netblue30 commented on GitHub (Mar 5, 2018):

I think you are the first to try it on arm64. Do you have namespaces compiled in the kernel? Look under /boot in the config file, you should see:

```
CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
CONFIG_USER_NS=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y
```

Also look for seccomp:

```
CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
CONFIG_SECCOMP_FILTER=y
```

@fl-chris commented on GitHub (Mar 5, 2018):

Hi, and thanks for your reply.

Yes, all 8 lines are in the config file with "*=y".

Do you have other suggestions?


@johnblommers commented on GitHub (Jul 31, 2018):

I compiled the source code of Firejail version 0.9.54 and did the standard installation without error. I can confirm that this exact issue also manifests on the Pinebook64 which is an arm64 machine running Ubuntu 16.04 LTS MATE. Examining the /proc/config.gz file reveals just one kernel parameter from the above list not present. We do not see this line:

```
CONFIG_SECCOMP_FILTER=y
```

The effect is that we cannot use firejail on the Pinebook64.


@kevinclevenger commented on GitHub (May 21, 2019):

Using a NanoPC T4 with current Armbian 4.4.178-rk3399. The kernel has all the above options and I still get:

```
Error clone: main.c:2517 main: Invalid argument
```


@railgauge commented on GitHub (Oct 7, 2022):

I get the same error on an Arch Arm aarch64 chroot running on Android 9, kernel 4.4.153-perf+:

```
Error clone: main.c:3030 main: Invalid argument
```

I tried firejail version 0.9.70 and firejail-git (0.9.71).

/proc/config.gz has these options:

```
CONFIG_NAMESPACES=y
# CONFIG_UTS_NS is not set
CONFIG_IPC_NS (not present in /proc/config.gz)
# CONFIG_USER_NS is not set
# CONFIG_PID_NS is not set
CONFIG_NET_NS=y
CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
CONFIG_SECCOMP_FILTER=y
```

I also tested on a Pinephone Pro aarch64 with newer kernels, where all aforementioned kernel options are =y in /proc/config.gz:

  • Danctnix Arch kernel 5.17.0-rc8-1
  • Manjaro Arm kernel 5.19.1-1

It seems to work when I try "firejail --net=none firefox": the program opens and cannot connect to the internet, although some warnings are displayed in the terminal:

```
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Seccomp list in: !chroot, check list: @default-keep,
Warning: cleaning all supplementary groups
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Child process initialized in 602.73 ms
Crash Annotation GraphicsCriticalError: |[0][GFX1-]: glxtest: cannot access /sys/bus/pci (t=2.33134) [GFX1-]: glxtest: cannot access /sys/bus/pci
Crash Annotation GraphicsCriticalError: |[0][GFX1-]: glxtest: cannot access /sys/bus/pci (t=2.33134) |[1][GFX1-]: glxtest: DRM render node not clearly detectable. Falling back to using the only one that was found. (t=2.33151) [GFX1-]: glxtest: DRM render node not clearly detectable. Falling back to using the only one that was found.
Crash Annotation GraphicsCriticalError: |[0][GFX1-]: glxtest: cannot access /sys/bus/pci (t=2.33134) |[1][GFX1-]: glxtest: DRM render node not clearly detectable. Falling back to using the only one that was found. (t=2.33151) |[2][GFX1-]: glxtest: VA-API test failed: failed to initialise VAAPI connection. (t=2.33157) [GFX1-]: glxtest: VA-API test failed: failed to initialise VAAPI connection.
Missing chrome or resource URL: resource://gre/modules/UpdateListener.sys.mjs
Missing chrome or resource URL: resource://gre/modules/UpdateListener.sys.mjs
```

Seems to be related to older kernel versions? Is this fixable or are devices with old kernels out of luck?


@rusty-snake commented on GitHub (Oct 7, 2022):

You should try with --noprofile and --profile=noprofile. However as long as we don't have an option to opt-out of a private pid ns, CONFIG_PID_NS=y will be required I guess.


@railgauge commented on GitHub (Oct 7, 2022):

Thank you for your response. --noprofile and --profile=noprofile did not solve the issue; it seems like my particular case has multiple issues (clone function and PID namespaces). Pardon my ignorance, but could you elaborate at a higher level on the use of CONFIG_PID_NS in firejail? Should a new issue be opened if this is feasible to work around in the future, and what (if any) consequences/compromises might this have?


@rusty-snake commented on GitHub (Oct 7, 2022):

ATM firejail always creates a new pid namespace for the sandbox (see `man pid_namespaces` for what pid namespaces are). If the kernel does not support this (no `CONFIG_PID_NS=y`), firejail hardfails.

This forced pid namespace is also the cause of other issues, making some programs unable to run or unusable in firejail.

So there are two things that should be done someday:

  • Do not hardfail if kernel support is missing (but print a fat warning).
  • Add an option to share the pid namespace.

The consequences for sandboxing are rather drastic if the pid ns is shared:

  • All other processes are visible with all kinds of process information (the usual permission checks like uid are still done, of course).
  • All other processes are accessible (ptrace, kill, ...). The usual permission checks like uid are still done, of course, and additional restrictions caused by e.g. user namespaces, capabilities, ... are even more complex.
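The clone failure discussed in this thread comes from asking the kernel for a namespace type it was not built with, which the kernel reports as EINVAL ("Invalid argument"). The probe below is an added diagnostic, not firejail code: it forks a child and calls unshare(2) with each CLONE_NEW* flag behind the CONFIG_* options listed above, so a missing namespace type (EINVAL) can be told apart from a permission denial (EPERM), which unprivileged runs or container seccomp policies produce. Assumptions: Linux >= 3.8 (older kernels return EINVAL for unshare(CLONE_NEWPID) even with CONFIG_PID_NS=y) and root, or the EPERM rows are inconclusive.

```c
// Added example (not firejail code): probe which namespace types this kernel
// accepts, telling EINVAL ("Invalid argument") apart from a permission denial.
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* errno from unshare(2) -> 1 supported, 0 EINVAL (namespace type not compiled
 * into the kernel), -1 EPERM/other (blocked by policy or limits: inconclusive). */
int classify_unshare_errno(int err)
{
    if (err == 0)      return 1;
    if (err == EINVAL) return 0;
    return -1;
}

/* Probe one CLONE_NEW* flag in a forked child so the caller's own namespaces
 * never change; the child's exit status carries the errno back. */
int ns_supported(int clone_flag)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0)
        _exit(unshare(clone_flag) == 0 ? 0 : (unsigned char)errno);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return classify_unshare_errno(WEXITSTATUS(status));
}

int main(void)
{
    /* The CONFIG_* options listed earlier in this thread (CONFIG_NAMESPACES is
     * the umbrella for all five), paired with the clone flag that needs them.
     * Run as root; unshare(CLONE_NEWPID) also needs Linux >= 3.8. */
    const struct { int flag; const char *ns, *kconfig; } probes[] = {
        { CLONE_NEWUTS,  "uts",  "CONFIG_UTS_NS" },
        { CLONE_NEWIPC,  "ipc",  "CONFIG_IPC_NS" },
        { CLONE_NEWUSER, "user", "CONFIG_USER_NS" },
        { CLONE_NEWPID,  "pid",  "CONFIG_PID_NS" },
        { CLONE_NEWNET,  "net",  "CONFIG_NET_NS" },
    };
    static const char *const verdict[] = { "INCONCLUSIVE (EPERM or other)",
        "MISSING (EINVAL: not compiled in)", "ok" };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-5s %-15s %s\n", probes[i].ns, probes[i].kconfig,
               verdict[ns_supported(probes[i].flag) + 1]);
    return 0;
}
```

A "MISSING" row for pid matches the hardfail described above; "INCONCLUSIVE" means the probe itself was denied and says nothing about the kernel build.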