[GH-ISSUE #201] protocol.c:168:3 error: 'EM_ARM' undeclared (first use in this function) #139

Closed
opened 2026-05-05 05:09:13 -06:00 by gitea-mirror · 7 comments

Originally created by @S0AndS0 on GitHub (Dec 26, 2015).
Original GitHub issue: https://github.com/netblue30/firejail/issues/201

Errors occur when [make] command is run.

Error dump start:
cc -ggdb -O2 -DVERSION='"0.9.36"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DHAVE_SECCOMP -DHAVE_CHROOT -DHAVE_BIND -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -c network_main.c -o network_main.o
cc -ggdb -O2 -DVERSION='"0.9.36"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DHAVE_SECCOMP -DHAVE_CHROOT -DHAVE_BIND -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -c no_sandbox.c -o no_sandbox.o
cc -ggdb -O2 -DVERSION='"0.9.36"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DHAVE_SECCOMP -DHAVE_CHROOT -DHAVE_BIND -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -c output.c -o output.o
cc -ggdb -O2 -DVERSION='"0.9.36"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DHAVE_SECCOMP -DHAVE_CHROOT -DHAVE_BIND -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -c profile.c -o profile.o
cc -ggdb -O2 -DVERSION='"0.9.36"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DHAVE_SECCOMP -DHAVE_CHROOT -DHAVE_BIND -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -c protocol.c -o protocol.o
protocol.c: In function 'protocol_filter':
protocol.c:168:3: error: 'EM_ARM' undeclared (first use in this function)
protocol.c:168:3: note: each undeclared identifier is reported only once for each function it appears in
make[1]: *** [protocol.o] Error 1
make[1]: Leaving directory `/home/${USER?}/firejail_source/firejail/src/firejail'
make: *** [src/firejail] Error 2
-~-~Error dump end

-~-~Notes start
Hardware: Android tablet with Linux inside via Debian Kit application; with modified source code for ARMhf support. Think of it as a permissive-chroot of Debian Wheezy.

Command : $(cat /etc/*-release | grep -i "version")
Output : VERSION_ID="7" \n VERSION="7 (wheezy)"

Command : $(cat /etc/*-release | grep -i "version")
Output: VERSION_ID="7" \n ID=debian

Command: $(cat /proc/cpuinfo | grep -i "model|architecture")
Output: model name : ARMv7 Processor rev 5 (v71) /n CPU architecture : 7
-~-~Notes end

Installation commands used

sudo apt-get install automake make git-core bridge-utils
mkdir ~/firejail_source && cd ~/firejail_source
sudo git clone https://github.com/netblue30/firejail/
sudo chown -R ${USER}:${USER} ~/firejail_source/firejail
cd ~/firejail_source/firejail
./configure
-~-~- Output of configure start
gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for a BSD-compatible install... /usr/bin/install -c
checking for ranlib... ranlib
checking for main in -lpthread... yes
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking pthread.h usability... yes
checking pthread.h presence... yes
checking for pthread.h... yes
checking linux/seccomp.h usability... no
checking linux/seccomp.h presence... no
checking for linux/seccomp.h... no
configure: creating ./config.status
config.status: creating Makefile
config.status: creating src/lib/Makefile
config.status: creating src/firejail/Makefile
config.status: creating src/firemon/Makefile
config.status: creating src/libtrace/Makefile
config.status: creating src/libtracelog/Makefile
config.status: creating src/ftee/Makefile

Configuration options:
prefix: /usr/local
sysconfdir: ${prefix}/etc
seccomp: -DHAVE_SECCOMP
<linux/seccomp.h>:
chroot: -DHAVE_CHROOT
bind: -DHAVE_BIND
fatal warnings:
-~-~-~ Output of configure end

______ test 1 end ____ test 2 start ____

Ran similar on another Android device, this time on a normal chroot via Linux Deploy app with Kali 2.0 distro installed. Errors pop upon [./configure] and not on [make]
-~-~- configure start
localhost:~/firejail_source/firejail$ ./configure
checking for gcc... gcc
checking whether the C compiler works... no
configure: error: in `/home/epic/firejail_source/firejail':
configure: error: C compiler cannot create executables
See `config.log' for more details
-~-~- configure end

Any further information needed to aid in solving errors? I'll be trying Raspbian on a RPi and Ubuntu 14.04 on an old 32bit PC but was aiming for Android+Linux+Firejailed processes.

gitea-mirror 2026-05-05 05:09:13 -06:00
  • closed this issue
  • added the bug label

@S0AndS0 commented on GitHub (Dec 26, 2015):

An update and what seems to be a working answer.
Above tested Android devices did have gcc installed, not sure why the second one failed to detect, and RPi from github source firejail errored out at the same place as first above tests on Android.

Now the solution, running the following three commands resulted in installing firejail without errors

echo 'deb http://ftp.de.debian.org/debian stretch main' | sudo tee -a /etc/apt/sources.list.d/sid_stretch.list

sudo apt-get update

sudo apt-get install firejail

Note1 for readers; use [sudo nano /etc/apt/sources.list.d/sid_stretch.list] to comment out list when done to avoid pollution of current install from accidental [sudo apt-get upgrade] commands at a later time, run [sudo apt-get update] to add and remove sources list from active apt-get lists. Utilize [sudo apt-get install firejail] a second time to later update if needed.

Note2: answer was found via [Ctrl^f] "rasp" at the following link
https://l3net.wordpress.com/projects/firejail/comment-page-3/#comment-7806
perhaps instructions should be added to main installation docs as a "fool-proof" way of installing.

Note3: would have edited original issue to include solution but either github or browser doesn't much care to do anything when those buttons are pushed. Self closing issue now if allowed.


@netblue30 commented on GitHub (Dec 27, 2015):

Thank you for letting me know. I'll keep an eye on ARM.


@S0AndS0 commented on GitHub (Dec 28, 2015):

Quick update;
One of my devices had no problems with apt-get sources list mangling, the other however seems to have missed dependencies as I receive errors even trying the help option on firejail

firejail --help

Error mkdir:shm_create_firejail_dir(122): No such file or directory

The error is on a fresh install of Kali Sana on ARMhf CPU via bogged Debian Kit app. Searching through the logs of the Android device that this did install well on didn't reveal any log of packages that were installed in addition to firejail (think I saw six lib...s) so I ran the following on the device that firejail didn't error out on

ldd $(which firejail)

    libpthread.so.0 => /lib/arm-linux-gnueabihf/libpthread.so.0 (0x40282000)
    libc.so.6 => /lib/arm-linux-gnueabihf/libc.so.6 (0x402a5000)
    /lib/ld-linux-armhf.so.3 (0x40037000)

After checking through both working and non-working device's apt logs I found the working one had had automake make and gcc packages installed and remembering that the m4 package was installed by one of those I issued install requests on the non-working device like so

apt-get install -t sana automake make gcc

but still no dice, even tried removing the preferences files under /etc/apt/preferences.d/ directory that were set up to prevent accidental dist upgrade too and a purge/remove/reinstall of firejail

Here's the contents of files used to tell apt-get what priorities to install from

cat /etc/apt/preferences.d/kali

Package: *
Pin: release o=sana
Pin-Proirity: 100

cat /etc/apt/preferences.d/prevent_kernel_upgrade

Package: /(linux|nividia)/
Pin: release *
Pin-Proirity: -5

cat /etc/apt/preferences.d/stretch

Package: *
Pin: release a=stretch
Pin-Proirity: 1000

The above files are in case any new reader wishes to try using apt-get method of firejail installation, however, the install commands must be changed a bit to reflect the targeted releases now available to install packages from.
For example to install firejail specifically from stretch repos

apt-get install --target-release stretch firejail

And to install packages from kali repos, such as metasploit and beef

apt-get install -t sana metasploit-framework framework2 teamsploit beef

The working device had similar files setup so I'll be working on testing nginx and other jails on the one that works and hope that source installation works on the next version release of firejail.
Is there a full list of firejail's dependencies? bridge-utils and m4 are the ones I know about from reading comments on the old home page.


@S0AndS0 commented on GitHub (Dec 29, 2015):

Additional depends found

apt-get install libc6-dev

Above command revealed new errors on non-working device; found listed depends at following link
https://github.com/netblue30/firejail/blob/master/platform/debian/control

Looks like the libs have bad kernel version requirements or requests because it wishes me to perform an upgrade to 3.2 or greater. Kinda odd because the device that didn't have issues is running kernel version 3.0.83 and the non working device is running a slightly higher kernel version 3.1.10.

And thank you @netblue30 for keeping an eye on these CPUs the low power requirements make them easy to find within insecure consumer products so it'd be sweet to see firejail make its way into standard development practices.


@netblue30 commented on GitHub (Dec 29, 2015):

We will have to find what exactly are the dependencies. Thanks!


@S0AndS0 commented on GitHub (Jan 2, 2016):

Most welcome, once we've figured out all dependencies I'll set about learning the extra bits below~
https://busybox.net/FAQ.html#adding
http://forums.androidcentral.com/software-development-hacking/4446-how-installing-busybox-hand.html
~ for adding Firejail into Android's BusyBox options. Then I can finally start mucking with how applications see the file system and network :-D

I'll be testing on some other CPU builds shortly and post back if I find some patterns in listed depends.

Edit/Update

Just ran start to finish on the following guide's links, bug report in comments for amd64 builds
https://www.digitalocean.com/community/tutorials/how-to-use-firejail-to-set-up-a-wordpress-installation-in-a-jailed-environment
Either I'm missing something or there's unknown depends that are not being listed anywhere for this kind of setup.
Additional bugs reported for ARM not wanting to debootstrap mount proc to proc and failing to build a chroot for firejail to mount.


@S0AndS0 commented on GitHub (Jan 15, 2016):

Results so far seem to show that the guide on Digital Ocean needs to be looked at closely as trying to follow them step by step on Ubuntu and using `dpkg` does not result in working firejail chroot. Even when using my methods of installation it seems new errors are appearing, such as the `Warning: failed to unmount /sys` and `Warning: default profile disabled by chroot --chroot option` errors that have now shown up.

While this may have resulted in a working firejail install and chroot jail the errors are likely going to be an issue for keeping these various jails truly separated.

Here are the logs of full operation on a VPS hosted by D.O. $5 per/month plan ($0.007 per/hour) running Debian Jessie on x86_64 CPU

```
# Altered ssh then altered the following, note I've only included changes to defaults below
root@debian:~# grep -vE '#' /etc/ssh/sshd_config
Port <Port above 1024>
ListenAddress <static IP of server>
LoginGraceTime 90
PermitRootLogin without-password
PasswordAuthentication no
MaxStartups 10:30:60
Banner /etc/issue.net
# Check for errors
root@debian:~# sshd -T
# Tested alterations with second terminal window, if all good continue, if not fix errors
# Make sure system is up to date and `screen` and `rsync` is installed
root@debian:~# apt-get update && apt-get upgrade && apt-get install screen
# Start the rest of configurations and upgrades within `screen` session such that buggy ssh connections don't interfere
root@debian:~# screen -RD ssh
root@debian:~# apt-get dist-upgrade && apt-get install debootstrap bridge-utils
# Configure `apt-get` sources lists and preferences for *controlled* mangling
root@debian:~# echo 'deb http://ftp.de.debian.org/debian stretch main' | tee -a /etc/apt/sources.list.d/stretch.list
root@debian:~# echo 'Package: /(linux|nividia)/' | tee -a /etc/apt/preferences.d/prevent_kernel_upgrade
root@debian:~# echo 'Pin: release *' | tee -a /etc/apt/preferences.d/prevent_kernel_upgrade
root@debian:~# echo 'Pin-Priority: -5' | tee -a /etc/apt/preferences.d/prevent_kernel_upgrade
root@debian:~# echo 'Package: *' | tee -a /etc/apt/preferences.d/jessie
root@debian:~# echo 'Pin: release o=jessie' | tee -a /etc/apt/preferences.d/jessie
root@debian:~# echo 'Pin-Priority: 100' | tee -a /etc/apt/preferences.d/jessie
root@debian:~# echo 'Package: *' | tee -a /etc/apt/preferences.d/stretch
root@debian:~# echo 'Pin: release a=stretch' | tee -a /etc/apt/preferences.d/stretch
root@debian:~# echo 'Pin-Priority: 1000' | tee -a /etc/apt/preferences.d/stretch
root@debian:~# apt-get update
root@debian:~# apt-get install --target-release stretch firejail
## Start: Logs of install through apt-get
root@debain:~# apt-get install --target-release stretch firejail
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following package was automatically installed and is no longer required:
  liblockfile1
Use 'apt-get autoremove' to remove it.
The following NEW packages will be installed:
  firejail
0 upgraded, 1 newly installed, 0 to remove and 372 not upgraded.
Need to get 136 kB of archives.
After this operation, 456 kB of additional disk space will be used.
Get:1 http://ftp.de.debian.org/debian/ stretch/main firejail amd64 0.9.36-1 [136 kB]
Fetched 136 kB in 0s (159 kB/s)
Selecting previously unselected package firejail.
(Reading database ... 33520 files and directories currently installed.)
Preparing to unpack .../firejail_0.9.36-1_amd64.deb ...
Unpacking firejail (0.9.36-1) ...
Processing triggers for man-db (2.7.0.2-5) ...
Setting up firejail (0.9.36-1) ...
## End: Logs of install through apt-get
# Setup bridge and forwarding to and from server's interface on standard http port
root@debian:~# brctl addbr br0
root@debian:~# ifconfig br0 10.10.20.1/24
root@debian:~# echo "1" > /proc/sys/net/ipv4/ip_forward
root@debian:~# iptables -t nat -A PREROUTING -p TCP --dport 80 -j DNAT --to 10.10.20.10:80
root@debian:~# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
root@debian:~# iptables -A FORWARD -i eth0 -o br0 -p TCP -m tcp --dport 80 -j ACCEPT
root@debian:~# iptables -A FORWARD -i eth0 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
root@debian:~# iptables -A FORWARD -i br0 -j ACCEPT
root@debian:~# iptables -P FORWARD DROP
# Setup base directory for chroot jails and change working directory
root@debian:~# mkdir /jails
root@debian:~# cd /jails/
# Note the Debian image on D.O. is not an AMD 64bit but instead Intel 64bit (AKA x86_64), tests and documentation of debootstrap
#  seem to show that leaving off `--arch=` is OK if not cross-compiling.
root@debian:/jails# debootstrap stable db
root@debian:/jails# rsync -azvh db/ www
root@debian:/jails# firejail --chroot=/jails/db --name=db
Warning: default profile disabled by chroot --chroot option
Perent pid 2213, child pid 2214
The new log directory is /proc/2214/root/var/log
Warning: failed to unmount /sys
Child process initialized
[root@debian:~#] apt-get update && apt-get upgrade
# This results in Debian stable repo's servers to be queried
```

While this does work, I'll be employing additional measures to limit potential damages to the rest of the file system or to VPS host. I've previously read that Firejail is compatible with AppArmor, is it also compatible with SELinux? I ask because though AppArmor doesn't seem overly difficult to brush up on, I'm already "down the rabbit hole" with learning SELinux and how it relates to some of the custom ROMs available for Android.

Conclusion that I can draw based off tests;

  • Firejail operates best on x86_64 CPUs on Debian with a minimum amount of mucking with apt-get
  • Debootstrap does not much like Ubuntu 14 or chrooting inside of an existing chroot on Kali 2 so far
  • Neither my methods nor do the other documented methods on D.O. result in un-erroring installation

Lastly as this was one of the more successful tests I ran `ldd $(which firejail)` to see if there were any apparent differences.

```
ldd $(which firejail)
 linux-vdso.so.1 (0x00007ffcd0df6000)
 libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f9922dfc000)
 libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f9922a53000)
 /lib64/ld-linux-x86-64.so.2 (0x00007f9923356000)
```
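
Added example, not part of the thread or of firejail: a small linter for the apt preferences stanzas quoted in the Dec 28 and Jan 15 comments. It flags field names that apt_preferences(5) does not define (the Dec 28 stanzas write `Pin-Proirity`) and `Package: *` pins at priority 1000 or above; the function names and the finding format are this example's own assumptions.

```python
"""Lint apt preferences stanzas (added example, not code from the thread)."""
import difflib
import re

# Field names defined by apt_preferences(5).
KNOWN_FIELDS = ("Explanation", "Package", "Pin", "Pin-Priority")
REQUIRED_FIELDS = ("Package", "Pin", "Pin-Priority")

# Constructed sample input: stanza copied from the Dec 28 comment.
DEC28_KALI = """\
Package: *
Pin: release o=sana
Pin-Proirity: 100
"""

# Constructed sample input: the three files written in the Jan 15 comment,
# concatenated here as blank-line separated stanzas.
JAN15_FILES = """\
Package: /(linux|nividia)/
Pin: release *
Pin-Priority: -5

Package: *
Pin: release o=jessie
Pin-Priority: 100

Package: *
Pin: release a=stretch
Pin-Priority: 1000
"""


def parse_stanzas(text):
    """Return a list of stanzas, each a list of (field, value) pairs."""
    stanzas, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:  # a blank line ends the current stanza
            if current:
                stanzas.append(current)
                current = []
        elif not line.startswith("#"):  # skip comment lines
            field, sep, value = line.partition(":")
            current.append((field.strip(), value.strip() if sep else None))
    if current:
        stanzas.append(current)
    return stanzas


def effect_of(priority):
    """Summarise what apt_preferences(5) says a priority value does."""
    if priority >= 1000:
        return "installed even if this is a downgrade"
    if priority >= 990:
        return "installed even if not from the target release"
    if priority >= 500:
        return "installed unless a target-release version exists"
    if priority >= 100:
        return "installed unless another distribution offers a version"
    if priority > 0:
        return "installed only if no version of the package is installed"
    if priority == 0:
        return "undefined"
    return "never installed"


def lint(text):
    """Return (stanza_number, severity, message) findings for the text."""
    findings = []
    for number, stanza in enumerate(parse_stanzas(text), start=1):
        fields = {}
        for field, value in stanza:
            if value is None:
                findings.append((number, "error", f"not a 'Field: value' line: {field!r}"))
            elif field not in KNOWN_FIELDS:
                # Suggest the closest defined field name for likely typos.
                guess = difflib.get_close_matches(field, KNOWN_FIELDS, n=1, cutoff=0.7)
                hint = f", did you mean {guess[0]!r}?" if guess else ""
                findings.append((number, "error", f"unknown field {field!r}{hint}"))
            else:
                fields[field] = value
        for name in REQUIRED_FIELDS:
            if name not in fields:
                findings.append((number, "error", f"missing required field {name!r}"))
        priority = fields.get("Pin-Priority")
        if priority is None:
            continue
        if not re.fullmatch(r"[+-]?\d+", priority) or int(priority) == 0:
            findings.append((number, "error", f"Pin-Priority must be a non-zero integer, got {priority!r}"))
        elif int(priority) >= 1000 and fields.get("Package") == "*":
            findings.append((number, "warning", f"priority {priority} on every package: {effect_of(int(priority))}"))
    return findings


if __name__ == "__main__":
    for label, text in (("Dec 28", DEC28_KALI), ("Jan 15", JAN15_FILES)):
        for number, severity, message in lint(text):
            print(f"{label} stanza {number}: {severity}: {message}")
```

`apt-cache policy firejail` on the target host shows the priorities apt actually applied, which is the check to run after any change to these files.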