[GH-ISSUE #1980] firejail prevents id.fedoraproject.org redirection in firefox #1330

Closed
opened 2026-05-05 07:52:58 -06:00 by gitea-mirror · 14 comments
Originally created by @covex on GitHub (Jun 5, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1980

I have been using firejail for a long time, and the whole time it has happened that when I want to log in to some site using id.fedoraproject.org, the redirection freezes, and on Firefox (59) quit, it crashes.

For example, using http://pagure.io/, clicking on Login should redirect you to id.fedoraproject.org, but it does not. Without firejail it works as expected. I did not find anything using firejail debug mode. Not sure what could be causing this.

@chiraag-nataraj commented on GitHub (Jun 5, 2018):

Huh. So I just tried this and it seems to be working with the profile I use. I'll give it a try with the default profile and report back.

@chiraag-nataraj commented on GitHub (Jun 5, 2018):

Okay, so it worked with the default profile as well. I'm also using Firefox 61b8 though, so idk if that is relevant.

Does anything appear in the syslog? It could be that some weird syscall is required (it sounds like the seccomp filter is kicking in and blocking something firefox needs, which forces it to crash).

@covex commented on GitHub (Jun 5, 2018):

OK, here is what I found in the syslog when I clicked on Login:

```
Jun  5 16:14:34 me audit[8401]: SECCOMP auid=500 uid=500 gid=500 ses=6 pid=8401 comm=4C617A792049646C65 exe="/usr/lib64/firefox/firefox" sig=31 arch=c000003e syscall=250 compat=0 ip=0x7f442d2ffb99 code=0x0
Jun  5 16:14:34 me kernel: audit: type=1326 audit(1528208074.196:3753): auid=500 uid=500 gid=500 ses=6 pid=8401 comm=4C617A792049646C65 exe="/usr/lib64/firefox/firefox" sig=31 arch=c000003e syscall=250 compat=0 ip=0x7f442d2ffb99 code=0x0
```
@covex commented on GitHub (Jun 5, 2018):

Then when I try to quit Firefox it crashes with a core dump:

```
Jun  5 16:18:53 me audit[8953]: SECCOMP auid=500 uid=500 gid=500 ses=6 pid=8953 comm="Shutdow~minator" exe="/usr/lib64/firefox/firefox" sig=31 arch=c000003e syscall=101 compat=0 ip=0x7f442110f34f code=0x0
Jun  5 16:18:53 me kernel: audit: type=1326 audit(1528208333.342:3756): auid=500 uid=500 gid=500 ses=6 pid=8953 comm="Shutdow~minator" exe="/usr/lib64/firefox/firefox" sig=31 arch=c000003e syscall=101 compat=0 ip=0x7f442110f34f code=0x0
Jun  5 16:18:53 me kernel: audit: type=1701 audit(1528208333.342:3757): auid=500 uid=500 gid=500 ses=6 pid=8953 comm="Shutdow~minator" exe="/usr/lib64/firefox/firefox" sig=31 res=1
Jun  5 16:18:53 me audit[8953]: ANOM_ABEND auid=500 uid=500 gid=500 ses=6 pid=8953 comm="Shutdow~minator" exe="/usr/lib64/firefox/firefox" sig=31 res=1
Jun  5 16:18:53 me systemd[1]: Started Process Core Dump (PID 8954/UID 0).
Jun  5 16:18:53 me kernel: audit: type=1130 audit(1528208333.362:3758): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-coredump@5-8954-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jun  5 16:18:53 me audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-coredump@5-8954-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jun  5 16:18:55 me firejail[1]: monitoring pid 309#012
Jun  5 16:18:56 me systemd-coredump[8955]: Process 8953 (Shutdow~minator) of user 500 dumped core.#012#012Stack trace of thread 308:#012#0  0x00007f442110f34f _ZN15google_breakpad17LinuxPtraceDumper14ThreadsSuspendEv (libxul.so)#012#1  0x00007f4421117b72 _ZN12_GLOBAL__N_117WriteMinidumpImplEPKciliPKvmRKNSt7__cxx114listIN15google_breakpad12MappingEntryESaIS7_EEERKNS5_INS6_9AppMemoryESaISC_EEE (libxul.so)#012#2  0x00007f442111a0a4 _ZN15google_breakpad16ExceptionHandler6DoDumpEiPKvm (libxul.so)#012#3  0x00007f442111a100 _ZN15google_breakpad16ExceptionHandler11ThreadEntryEPv (libxul.so)#012#4  0x00007f4421110e7b _ZN15google_breakpad16ExceptionHandler12GenerateDumpEPNS0_12CrashContextE (libxul.so)
Jun  5 16:18:57 me audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-coredump@5-8954-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jun  5 16:18:57 me kernel: audit: type=1131 audit(1528208337.019:3759): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-coredump@5-8954-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jun  5 16:18:57 me firejail[8397]: exiting...
```
@chiraag-nataraj commented on GitHub (Jun 5, 2018):

If you do a `firejail --debug-syscalls | grep 250`, does it give you `keyctl`? Does `firejail --ignore=seccomp firefox` work properly?

@covex commented on GitHub (Jun 5, 2018):

```
$ firejail --debug-syscalls | grep 250
250     - keyctl
```

With `--ignore=seccomp` the redirection works, no crash.

@chiraag-nataraj commented on GitHub (Jun 5, 2018):

Okay, so my suspicion was correct. This is really weird, though, since it means firefox is performing manipulations of the kernel's keyring... @netblue30, any idea why this could be happening?

@covex commented on GitHub (Jun 5, 2018):

id.fedoraproject.org is a Fedora OpenID site serving as a centralized authorization facility for Fedora infrastructure. I could imagine it may be trying to search some keys via keyctl. I may ask on the Fedora lists.
So to solve this, should I add a `seccomp.keep keyctl` to my firefox profile?

@chiraag-nataraj commented on GitHub (Jun 5, 2018):

> id.fedoraproject.org is a fedora OpenID site serving as a centralized authorization facility for fedora infrastructure. I could imagine it may be trying to search some keys via keyctl.

That doesn't make any sense, since it worked perfectly fine here on Debian (unless you're saying you weren't able to log in? I didn't try that, since I don't have Fedora credentials).

> So to solve this, should I add a seccomp.keep keyctl to my firefox profile?

No, that would _only_ allow `keyctl` 😜 The easiest is probably to edit `/etc/firejail/firefox-common.profile` to not include `keyctl`.

@chiraag-nataraj commented on GitHub (Jun 7, 2018):

@covex, did removing `keyctl` from the list of syscalls in `/etc/firejail/firefox.profile` work?

@covex commented on GitHub (Jun 8, 2018):

I am using an older version of firejail, 0.9.48; there is nothing like this in any firefox config. I was trying to update to the latest version, 0.9.54; however, there is a new feature to specify users that may use firejail in firejail.users, but even though I configured it with firecfg and added my username there, the user was not able to start firejail. So I gave up and downgraded to 0.9.48, but there is no keyctl in the config. I do not have a solution ATM.

@chiraag-nataraj commented on GitHub (Jun 12, 2018):

Try this instead of the `seccomp` line:

```
seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,name_to_handle_at,open_by_handle_at,create_module,init_module,finit_module,delete_module,iopl,ioperm,ioprio_set,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,perf_event_open,fanotify_init,kcmp,add_key,request_key,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,chroot,tuxcall,reboot,mfsservctl,get_kernel_syms,bpf,clock_settime,personality,process_vm_writev,query_module,settimeofday,stime,umount,userfaultfd,ustat,vm86,vm86old
```
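
As an added triage example (not code from this thread or from the firejail project), the Python below parses the two SECCOMP audit records quoted earlier, decodes the hex-encoded `comm` field that auditd emits when a thread name contains a space, resolves the syscall numbers, and then checks the proposed `seccomp.drop` line for duplicate entries and for whether it would still block the syscalls the old filter killed. The syscall table is a partial, hand-written x86_64 mapping: 250 = keyctl is confirmed by the `--debug-syscalls` output above, while 101 = ptrace and 248/249 = add_key/request_key are the standard x86_64 numbers. The program's second finding, that ptrace stays dropped, is worth reading against the core-dump trace above, where the `Shutdow~minator` thread dies at the same instruction pointer inside Breakpad's `LinuxPtraceDumper::ThreadsSuspend`; that is my reading of the thread's own logs, not something the code discovers.

```python
import re

# Constructed input: the two SECCOMP audit records quoted earlier in this
# thread (one per crash), copied verbatim.
AUDIT_LINES = [
    'Jun  5 16:14:34 me audit[8401]: SECCOMP auid=500 uid=500 gid=500 ses=6 '
    'pid=8401 comm=4C617A792049646C65 exe="/usr/lib64/firefox/firefox" sig=31 '
    'arch=c000003e syscall=250 compat=0 ip=0x7f442d2ffb99 code=0x0',
    'Jun  5 16:18:53 me audit[8953]: SECCOMP auid=500 uid=500 gid=500 ses=6 '
    'pid=8953 comm="Shutdow~minator" exe="/usr/lib64/firefox/firefox" sig=31 '
    'arch=c000003e syscall=101 compat=0 ip=0x7f442110f34f code=0x0',
]

# The seccomp.drop line proposed in the thread, verbatim.
PROPOSED_DROP = "seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,name_to_handle_at,open_by_handle_at,create_module,init_module,finit_module,delete_module,iopl,ioperm,ioprio_set,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,perf_event_open,fanotify_init,kcmp,add_key,request_key,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,chroot,tuxcall,reboot,mfsservctl,get_kernel_syms,bpf,clock_settime,personality,process_vm_writev,query_module,settimeofday,stime,umount,userfaultfd,ustat,vm86,vm86old"

# Partial syscall table for arch=c000003e (x86_64), hand-written for this
# example. 250 -> keyctl is what `firejail --debug-syscalls | grep 250`
# printed in the thread; the others are the standard x86_64 numbers.
# Extend from /usr/include/asm/unistd_64.h when triaging other records.
ARCHES = {"c000003e": "x86_64"}
X86_64_SYSCALLS = {101: "ptrace", 248: "add_key", 249: "request_key", 250: "keyctl"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_comm(raw):
    """auditd quotes comm when it is plain ASCII; otherwise it hex-encodes
    the bytes (here because the thread name "Lazy Idle" contains a space)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    return bytes.fromhex(raw).decode("ascii", errors="replace")


def parse_seccomp_record(line):
    """Parse one audit line; return None unless it is a SECCOMP record."""
    if " SECCOMP " not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    nr = int(fields["syscall"])
    arch = ARCHES.get(fields["arch"], fields["arch"])
    name = X86_64_SYSCALLS.get(nr, f"syscall_{nr}") if arch == "x86_64" else f"syscall_{nr}"
    return {
        "pid": int(fields["pid"]),
        "comm": decode_comm(fields["comm"]),
        "exe": fields["exe"].strip('"'),
        "arch": arch,
        "syscall_nr": nr,
        "syscall_name": name,
        "signal": int(fields["sig"]),  # 31 is SIGSYS on x86_64
    }


def parse_all(lines):
    return [r for r in (parse_seccomp_record(line) for line in lines) if r]


def drop_list(profile_line):
    """Split a firejail `seccomp.drop a,b,c` line into its syscall names."""
    keyword, _, names = profile_line.partition(" ")
    if keyword != "seccomp.drop":
        raise ValueError(f"not a seccomp.drop line: {keyword!r}")
    return [n.strip() for n in names.split(",") if n.strip()]


def duplicates(names):
    """Names listed more than once (harmless to seccomp, but worth tidying)."""
    seen, dups = set(), []
    for n in names:
        if n in seen and n not in dups:
            dups.append(n)
        seen.add(n)
    return dups


def still_blocked(records, drop_names):
    """Map each syscall the old filter killed to whether the proposed
    drop list would still block it."""
    dropped = set(drop_names)
    return {r["syscall_name"]: r["syscall_name"] in dropped for r in records}


if __name__ == "__main__":
    recs = parse_all(AUDIT_LINES)
    for r in recs:
        print(f"pid {r['pid']} thread {r['comm']!r}: {r['syscall_name']} "
              f"(nr {r['syscall_nr']}, {r['arch']}) killed with signal {r['signal']}")
    names = drop_list(PROPOSED_DROP)
    print("duplicate entries in proposed list:", duplicates(names))
    for name, blocked in still_blocked(recs, names).items():
        state = "still blocked" if blocked else "allowed"
        print(f"{name}: {state} under the proposed seccomp.drop line")
```

Running it prints that the `Lazy Idle` thread was killed on keyctl and the `Shutdow~minator` thread on ptrace, that `process_vm_writev` appears twice in the proposed list, and that keyctl becomes allowed while ptrace remains dropped. Keeping `add_key` and `request_key` dropped while permitting `keyctl` is the narrowest change that matches the diagnosis in this thread; if the shutdown crash persists, the ptrace entry is the one to look at next.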
@chiraag-nataraj commented on GitHub (Jul 15, 2018):

@covex Did you try that `seccomp` line? Did it work?

@chiraag-nataraj commented on GitHub (Jul 21, 2018):

Closing because of no response. @covex, feel free to re-open if you were able to try that `seccomp` line.
