[GH-ISSUE #2009] Maximum profile include level was reached #1353

Closed
opened 2026-05-05 07:55:07 -06:00 by gitea-mirror · 5 comments

Originally created by @ferreum on GitHub (Jun 23, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2009

I seem to have a quite customized setup, and since version 0.9.54 firejail complains (and fails starting) with the above message if I try to start thunderbird (edit: I should say that I linked `/usr/local/bin/thunderbird` to firejail):

```
$ thunderbird
Reading profile /home/fe/.config/firejail/thunderbird.profile
Reading profile /home/fe/.local/share/firejail/thunderbird.local
Reading profile /etc/firejail/thunderbird.profile
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-common.local
Reading profile /home/fe/.config/firejail/disable-common.inc.local
Error: maximum profile include level was reached
```

The file `/home/fe/.local/share/firejail/thunderbird.local` doesn't include anything, so `/home/fe/.config/firejail/disable-common.inc.local` is on the 7th include level. This file contains one further include of `~/.local/share/firejail/disable-common.local` but the chain ends there.

My guess is that this happens because the thunderbird profile now includes the firefox profile.

Why is the limit so low? I couldn't find any option to increase the maximum include level.

gitea-mirror 2026-05-05 07:55:07 -06:00: closed this issue; added the bug label

@SkewedZeppelin commented on GitHub (Jun 23, 2018):

The limit is 6, defined as `MAX_INCLUDE_LEVEL`
https://github.com/netblue30/firejail/blob/dc96a6c6fa677dcad87119bf828f6cea16c8d56d/src/firejail/firejail.h#L107

and it is enforced here
https://github.com/netblue30/firejail/blob/dc96a6c6fa677dcad87119bf828f6cea16c8d56d/src/firejail/profile.c#L1224-L1228

According to git blame it was added back in the early days before we had .local and .global files.
We should probably consider increasing it maybe to 8 or 10.

@Fred-Barclay commented on GitHub (Jun 24, 2018):

@netblue30 why do we have an include limit?


@reinerh commented on GitHub (Jun 26, 2018):

Maybe to prevent recursion?


@ferreum commented on GitHub (Jun 26, 2018):

To prevent (infinite) recursion, the limit doesn't need to be this low - may as well increase it to 32 or higher. What I'm concerned about is that each recursion may need a hard-to-determine amount of stack, so this could lead to security issues from stack overflows. This is also why I refrained from patching the limit myself.


@netblue30 commented on GitHub (Jun 30, 2018):

Yes, it was to prevent infinite recursion - increased the level to 16 - https://github.com/netblue30/firejail/commit/bc2a81b29961243bdec88dcbb3cd7e7f88ea50e4
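A minimal model of the include-depth check discussed in this thread, added here as an example and not firejail's own code. The profile table is constructed from the file names in the reporter's log (paths shortened, include relationships assumed from the log order), `read_profile` and `find_profile` are hypothetical names, and the level is assumed to count from 0 and be compared with `>` against the limit.

```c
#include <stdio.h>
#include <string.h>
/* Constructed stand-ins for the profile files named in the log above:
 * each entry lists the files it includes (names shortened, contents assumed). */
struct profile { const char *name; const char *inc[2]; };
static const struct profile profiles[] = {
    {"user/thunderbird.profile", {"user/thunderbird.local", "etc/thunderbird.profile"}},
    {"user/thunderbird.local", {NULL, NULL}},
    {"etc/thunderbird.profile", {"etc/firefox.profile", NULL}},
    {"etc/firefox.profile", {"etc/firefox-common.profile", NULL}},
    {"etc/firefox-common.profile", {"etc/disable-common.inc", NULL}},
    {"etc/disable-common.inc", {"etc/disable-common.local", NULL}},
    {"etc/disable-common.local", {"user/disable-common.inc.local", NULL}},
    {"user/disable-common.inc.local", {"user/disable-common.local", NULL}},
    {"user/disable-common.local", {NULL, NULL}},
    {"loop.profile", {"loop.profile", NULL}}, /* hypothetical self-include */
};

static const struct profile *find_profile(const char *name) {
    for (size_t i = 0; i < sizeof profiles / sizeof profiles[0]; i++)
        if (strcmp(profiles[i].name, name) == 0)
            return &profiles[i];
    return NULL;
}

/* Read one profile and, recursively, its includes. Returns the number of
 * files read, or -1 once an include would exceed max_level. The cap bounds
 * both runaway include loops and the number of stack frames in use. */
static int read_profile(const char *name, int level, int max_level) {
    if (level > max_level) return -1;
    const struct profile *p = find_profile(name);
    if (p == NULL) return 0; /* missing file: nothing read */
    int count = 1;
    for (int i = 0; i < 2 && p->inc[i] != NULL; i++) {
        int n = read_profile(p->inc[i], level + 1, max_level);
        if (n < 0) return -1;
        count += n;
    }
    return count;
}

int main(void) {
    printf("limit 6:  %d\n", read_profile("user/thunderbird.profile", 0, 6));
    printf("limit 16: %d\n", read_profile("user/thunderbird.profile", 0, 16));
    printf("loop, 16: %d\n", read_profile("loop.profile", 0, 16));
    return 0;
}
```

With a limit of 6 the reporter's chain is rejected at its last include, with 16 all nine files load, and the self-including profile is still stopped at either limit.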
Reference: github-starred/firejail#1353