[GH-ISSUE #1803] memory-deny-write-execute causing hangs and crashes on Arch and derivatives #1224

Closed
opened 2026-05-05 07:40:56 -06:00 by gitea-mirror · 16 comments

Originally created by @carloabelli on GitHub (Mar 7, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1803

$ firejail --version
firejail version 0.9.52

Compile time support:
        - AppArmor support is disabled
        - AppImage support is enabled
        - bind support is enabled
        - chroot support is enabled
        - file and directory whitelisting support is enabled
        - file transfer support is enabled
        - git install support is disabled
        - networking support is enabled
        - overlayfs support is enabled
        - private-home support is enabled
        - seccomp-bpf support is enabled
        - user namespace support is enabled
        - X11 sandboxing support is enabled

Linux Distribution: Arch Linux

Launching evince hangs:

$ firejail evince
Reading profile /etc/firejail/evince.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 10320, child pid 10322
Private /etc installed in 3.99 ms
Standard C library installed in 28.80 ms
Program libraries installed in 270.54 ms
GdkPixbuf installed in 9.10 ms
GTK3 installed in 21.09 ms
Pango installed in 0.00 ms
GIO installed in 6.41 ms
Installed 164 libraries and 5 directories
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Blacklist violations are logged to syslog
Child process initialized in 371.60 ms
(process never gets beyond this point)

This does not happen with --noprofile:

Parent pid 10766, child pid 10768
Child process initialized in 21.98 ms
Warning: an existing sandbox was detected. /usr/bin/evince will run without any additional sandboxing features
(evince loads fine)

This is also a recent issue and used to work in a previous version of firejail.

@Vincent43 commented on GitHub (Mar 7, 2018):

Can you try disabling options in the evince profile (https://github.com/netblue30/firejail/blob/master/etc/evince.profile) until you find which one causes breakage?

@carloabelli commented on GitHub (Mar 7, 2018):

Seems that the memory-deny-write-execute option is causing the breakage.

@Vincent43 commented on GitHub (Mar 7, 2018):

Fixed with https://github.com/netblue30/firejail/commit/7272c524f700ca0b6b4e0552d2d10b73f29b3d11. Thx for reporting!

@SkewedZeppelin commented on GitHub (Mar 10, 2018):

I'm going to reopen this.
mdwe seems to be causing many graphical programs to hang.
@Fred-Barclay has mentioned that dda8b2dbaf is causing crashes, but I've checked out 45e044c275 and am still seeing this hanging issue. I also tested with and without Wayland; that doesn't change anything. I can reproduce on both Arch and Fedora.

Aside from evince (now fixed), many programs are affected, such as the following: eog, gnome-calculator, file-roller, baobab, and any other graphical ones with mdwe.

There also seems to be a second issue on Fedora with private-lib causing gedit to hang (related to spell check plugin).

I'd rather not disable mdwe, as it is a powerful feature, but I'm also not sure which package updates or commit is causing this.

#1804 is also a dupe of this, and they confirm https://github.com/netblue30/firejail/issues/1804#issuecomment-372038784 that it is happening on other programs as well. Assuming that they are also actually running 0.9.52 and not 0.9.53, then this is probably caused by a recent package update. Hopefully it is something that can be worked around in firejail.

@Vincent43 commented on GitHub (Mar 10, 2018):

Honestly I would favor disabling mdwe for most graphical apps. It's not feasible on the Linux desktop unless someone is building his own packages in Gentoo.

I wonder if firejail could print relevant violation to journal so it would be more obvious what's causing crash.

@Fred-Barclay commented on GitHub (Mar 10, 2018):

@SkewedZeppelin Just to satisfy my curiosity 😆 can you do firejail --ignore=private-dev eog and see if it works or not?
It breaks with private-dev, but works fine without, for me on Fedora 27 Cinnamon (so no Wayland here), even though mdwe is enabled in the profile.

@SkewedZeppelin commented on GitHub (Mar 10, 2018):

@Vincent43 I would really rather not disable mdwe.

@Fred-Barclay on Arch with GNOME Wayland:

$ /usr/bin/gnome-calculator #works
$ firejail /usr/bin/gnome-calculator #hangs
$ firejail --ignore=private-dev /usr/bin/gnome-calculator #hangs
$ firejail --ignore=memory-deny-write-execute /usr/bin/gnome-calculator #works
$ /usr/bin/eog #works
$ firejail /usr/bin/eog #exits
$ firejail --ignore=private-dev /usr/bin/eog #exits
$ firejail --ignore=memory-deny-write-execute /usr/bin/eog #works

On Fedora 27 with GNOME Wayland, I am no longer able to reproduce either issue.

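The procedure in the two comments above (disable profile options one at a time, then relaunch with --ignore=<option> and watch what happens) can be looped. The following bash helper is an added example and is not part of the firejail project or of this thread. It assumes firejail is on PATH (override with the FIREJAIL variable), uses coreutils timeout, and writes a constructed sample profile for trying it out; profile_options, bisect_profile and write_sample_profile are names chosen here. It does not expand options pulled in by include lines, and it cannot tell a window that came up from a hang, since both are still alive when the timeout fires: it reports which runs exited on their own and with what status, and you judge the rest by looking at the screen.

```bash
#!/usr/bin/env bash
# Added example, not part of the firejail project: relaunch a program once per
# profile option with that option ignored, to find which line breaks it.
set -u

# Binary to run; override to test another build (assumption: firejail on PATH).
FIREJAIL=${FIREJAIL:-firejail}

# List the option names a profile enables, in file order and without duplicates.
# Comment, blank and "include" lines are skipped (options pulled in by includes
# are not expanded) and only the first word is kept, because --ignore matches
# the option name: "private-bin evince" is ignored with --ignore=private-bin.
profile_options() {
    grep -Ev '^[[:space:]]*(#|$|include[[:space:]])' "$1" |
        awk '{ print $1 }' | awk '!seen[$0]++'
}

# bisect_profile PROFILE SECONDS PROGRAM [ARGS...]
# Prints one line per option, "<status> <option>":
#   timeout   still alive after SECONDS (started fine or hung: watch the screen)
#   exit=N    terminated on its own with status N (a crash, like eog "exits")
bisect_profile() {
    local profile=$1 secs=$2; shift 2
    local opt rc
    profile_options "$profile" | while IFS= read -r opt; do
        # "&& rc=0 || rc=$?" keeps a non-zero status from aborting under set -e.
        timeout "$secs" "$FIREJAIL" --ignore="$opt" "$@" >/dev/null 2>&1 && rc=0 || rc=$?
        if [ "$rc" -eq 124 ]; then
            printf 'timeout  %s\n' "$opt"
        else
            printf 'exit=%-3d %s\n' "$rc" "$opt"
        fi
    done
}

# Constructed sample profile (not a real firejail profile) for trying the helper.
write_sample_profile() {
    cat > "$1" <<'EOF'
# constructed sample
include disable-common.inc
noblacklist ${HOME}/.config/evince
private-bin evince
memory-deny-write-execute
private-dev
seccomp
private-bin evince-thumbnailer
EOF
}

# Usage against a real profile, e.g.:
#   bisect_profile /etc/firejail/gnome-calculator.profile 5 /usr/bin/gnome-calculator
```

Each run takes SECONDS wall time, so keep the timeout short and run it from a terminal where you can see the windows open; a line reading exit=N for exactly one option is the crash case, a window that only appears for one option is the hang case.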

@Fred-Barclay commented on GitHub (Mar 10, 2018):

Okay, private-dev issue is fixed in b21763636a 🎉

As I recall Wayland and mdwe don't get along well. Maybe we should add a condition in the code to only use mdwe on X11?

@SkewedZeppelin commented on GitHub (Mar 10, 2018):

@Fred-Barclay It happens under Xorg as well. I don't recall it ever being an issue, no3d and wayland are sometimes (see gnome-2048).

@chiraag-nataraj commented on GitHub (Sep 28, 2018):

I don't think there's any point in leaving this bug open. We'll address mdwe issues as they come up.

@setpill commented on GitHub (Jul 8, 2019):

mumble, galculator, pavucontrol also affected, see #2840

@setpill commented on GitHub (Jul 11, 2019):

If the problem is specific to Arch (and mdwe works fine on other distros), it would be preferable to figure out how to make it work on Arch rather than disable it everywhere because it doesn't.

@rusty-snake commented on GitHub (Aug 24, 2019):

Since @glitsj16 has streamlined the comments (#2769, thanks) it's easy to re-enable mdwe if you are not on Arch.

#!/usr/bin/env bash

# Copyright © rusty-snake
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# 1. Redistributions of source code must retain the above copyright notice, this
#    list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright notice,
#    this list of conditions and the following disclaimer in the documentation
#    and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

[ -v SYSTEM_PROFILE_LOCATION ] || SYSTEM_PROFILE_LOCATION="/etc/firejail"
[ -v USER_PROFILE_LOCATION ] || USER_PROFILE_LOCATION="$HOME/.config/firejail"

mkdir -p "$USER_PROFILE_LOCATION"
for file in "$SYSTEM_PROFILE_LOCATION"/*.profile; do
        [ -e "$file" ] || continue   # no profiles installed: skip the unexpanded glob
        # Profiles where mdwe was commented out for Arch carry this exact marker line.
        if grep -qF "#memory-deny-write-execute - breaks on Arch" "$file"; then
                profile_name="$(basename "${file%.profile}")"
                local_file="$USER_PROFILE_LOCATION/$profile_name.local"
                # <name>.local is included by the system profile; append the option once only.
                if ! grep -qxF "memory-deny-write-execute" "$local_file" 2>/dev/null; then
                        echo "memory-deny-write-execute" >> "$local_file"
                        echo "Fixed: $profile_name"
                fi
        fi
done

BTW: A better solution is to implement ?ARCH: (or similar).

?ARCH: ignore mdwe
mdwe

@ghost commented on GitHub (Aug 24, 2019):

@rusty-snake Great job. Would indeed be handy to have ?ARCH:, ?DEBIAN: and ?FEDORA: (to name just 3) so we can deliver the best profile for users, instead of having to cripple something because it doesn't work on one/some.

@rusty-snake commented on GitHub (Aug 24, 2019):

/etc/os-release should be present on most systems (https://www.freedesktop.org/software/systemd/man/os-release.html). Something like ?OS(NAME=Fedora): or ?OS(NAME="Debian GNU/Linux",VERSION="9 (stretch)"): should be possible, but that's a new issue.

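The ?ARCH: idea a few comments up and the ?OS(KEY=VALUE,...): form proposed here are hypothetical syntax; firejail does not implement them. As an added example that is not part of firejail or of this thread, here is a bash prototype of how such a prefix could be evaluated against /etc/os-release, which is specified to be shell-sourceable, to emit a plain profile that firejail could then read. The function names os_release_value, os_conditions_hold and apply_os_conditionals, the OS_RELEASE override, and the fake os-release and three-line profile in demo are all constructed for the example.

```bash
#!/usr/bin/env bash
# Added example, not part of firejail: prototype of a "?OS(KEY=VALUE,...):" line
# prefix evaluated against /etc/os-release, printing the resulting plain profile.
set -uf

# Path to os-release; override for testing or for a chroot (assumption).
OS_RELEASE=${OS_RELEASE:-/etc/os-release}

# Print the value of one os-release key (NAME, ID, VERSION_ID, ...).
# The file is defined to be sourceable by a POSIX shell, so read it in a
# subshell instead of re-parsing quotes by hand; keys are checked to be plain
# identifiers before anything is sourced or expanded.
os_release_value() {
    local key=$1
    case $key in ''|*[!A-Z0-9_]*) return 1 ;; esac
    ( set +u; . "$OS_RELEASE" 2>/dev/null && printf '%s' "${!key:-}" )
}

# Succeed when every comma-separated KEY=VALUE pair holds; VALUE may be "quoted".
os_conditions_hold() {
    local conds=$1 pair key want
    local IFS=,
    for pair in $conds; do
        key=${pair%%=*}
        want=${pair#*=}
        want=${want#\"}; want=${want%\"}
        [ "$(os_release_value "$key")" = "$want" ] || return 1
    done
    return 0
}

# Filter a profile on stdin: a "?OS(...):" line is printed without its prefix
# when the conditions hold and dropped otherwise; other lines pass through.
apply_os_conditionals() {
    local line rest conds body
    while IFS= read -r line; do
        case $line in
            '?OS('*'):'*)
                rest=${line#'?OS('}
                conds=${rest%%'):'*}
                body=${rest#*'):'}
                body=${body#"${body%%[![:space:]]*}"}   # trim leading blanks
                if os_conditions_hold "$conds"; then printf '%s\n' "$body"; fi
                ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
}

# Demo on constructed input: a fake os-release for Arch and a three-line profile.
# Expected output: the "ignore" line without its prefix, then the mdwe line.
demo() {
    local dir
    dir=$(mktemp -d)
    printf '%s\n' 'NAME="Arch Linux"' 'ID=arch' > "$dir/os-release"
    OS_RELEASE=$dir/os-release
    printf '%s\n' \
        '?OS(ID=arch): ignore memory-deny-write-execute' \
        '?OS(NAME=Fedora): private-lib' \
        'memory-deny-write-execute' | apply_os_conditionals
    rm -rf "$dir"
}

demo
```

Matching on ID (arch, fedora, debian) is more robust than on NAME, since NAME is free-form and distributions have changed it; VERSION_ID is the stable field for release pinning. Because firejail reads .local files first, the same effect is available today without new syntax by generating a per-profile .local from this filter on each distribution.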

@Vincent43 commented on GitHub (Aug 25, 2019):

We still don't know the cause of those failures; it's possible that the newer libs Arch ships are the culprit, and that means it's just a matter of time before it happens on older distros. I would leave mdwe disabled.
