[GH-ISSUE #2176] sshd works within chroot, but not firejail chroot #1466

Closed
opened 2026-05-05 08:07:47 -06:00 by gitea-mirror · 30 comments

Originally created by @publicsite on GitHub (Oct 13, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2176

Hello,

sshd within a firejail chroot doesn't work, whereas using sshd within a coreutils chroot does. Any help with this would be very much appreciated!

#OpenSSH version (jail)

OpenSSH_7.7p1, LibreSSL 2.7.4

#OpenSSH version (host)

OpenSSH_7.2p2 Trisquel_GNU/Linux_8.0-1, OpenSSL 1.0.2g 1 Mar 2016

#firejail version

firejail version 0.9.38.10

#firejail command

sudo firejail --chroot="$PWD"/jails/rootfs --shell=/bin/sh

#sshd command (within jail)

/usr/sbin/sshd -E logfile.txt

#logfile.txt

Server listening on 0.0.0.0 port 22.
Server listening on :: port 22.

#ssh command (host)

ssh -vvv -T root@localhost

#ssh command (output)

OpenSSH_7.2p2 Trisquel_GNU/Linux_8.0-1, OpenSSL 1.0.2g 1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolving "localhost" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Trisquel_GNU/Linux_8.0-1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.7
debug1: match: OpenSSH_7.7 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to localhost:22 as 'root'
debug3: hostkeys_foreach: reading file "/home/user/.ssh/known_hosts"
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
Connection reset by 127.0.0.1 port 22

@reinerh commented on GitHub (Oct 13, 2018):

When you run:

sudo firejail --chroot="$PWD"/jails/rootfs --shell=/bin/sh
/usr/sbin/sshd -E logfile.txt

you are starting a jail with the default profile, which will probably block access to some required files.
I don't know if it would solve your problem, but you can try starting with the ssh.profile (there is currently no profile for sshd, but maybe the ssh profile already helps). Otherwise you need to start sshd also in verbose mode and check what's going wrong.

@publicsite commented on GitHub (Oct 13, 2018):

Hi, I tried with the ssh.profile. I am using an older version of firejail, so I did not have the ssh.profile and had to remove some lines to get it to go at all; note that despite this no new lines were added to the ssh.profile to get the following output. I have also put the sshd -d verbose output for the command in my previous comment here for you.

#firejail command (with ssh.profile)

sudo firejail --chroot="$PWD"/jails/rootfs --shell=/bin/sh --profile=ssh.profile /bin/sh

#sshd -d output (with firejail & ssh.profile)

Reading profile ssh.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile disable-passwdmgr.inc
Reading profile disable-programs.inc
Parent pid 2224, child pid 2225
The new log directory is /proc/2225/root/var/log
Warning: cannot find /var/run/utmp
Blacklist violations are logged to syslog
Warning: failed to unmount /sys

Child process initialized
~ # /usr/sbin/sshd -d
debug1: sshd version OpenSSH_7.7, LibreSSL 2.7.4
debug1: private host key #0: ssh-rsa SHA256:redacted
debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:redacted
debug1: private host key #2: ssh-ed25519 SHA256:redacted
debug1: setgroups() failed: Operation not permitted
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: Set /proc/self/oom_score_adj from 0 to -1000
debug1: Bind to port 22 on 0.0.0.0.
Bind to port 22 on 0.0.0.0 failed: Permission denied.
debug1: Bind to port 22 on ::.
Bind to port 22 on :: failed: Permission denied.
Cannot bind any address.
~ # exit

#firejail command

sudo firejail --chroot="$PWD"/jails/rootfs --shell=/bin/sh /bin/sh

#sshd -d output

debug1: sshd version OpenSSH_7.7, LibreSSL 2.7.4
debug1: private host key #0: ssh-rsa SHA256:redacted
debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:redacted
debug1: private host key #2: ssh-ed25519 SHA256:redacted
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: Set /proc/self/oom_score_adj from 0 to -1000
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from 127.0.0.1 port 37402 on 127.0.0.1 port 22
debug1: Client protocol version 2.0; client software version OpenSSH_7.2p2 Trisquel_GNU/Linux_8.0-1
debug1: match: OpenSSH_7.2p2 Trisquel_GNU/Linux_8.0-1 pat OpenSSH* compat 0x04000000
debug1: Local version string SSH-2.0-OpenSSH_7.7
debug1: monitor_read_log: child log fd closed
debug1: do_cleanup
debug1: Killing privsep child 5

@publicsite commented on GitHub (Oct 13, 2018):

I just tried to add

--seccomp.keep=lstat,lstat64,fstat,fstat64,open,openat,fstatat64,stat,stat64,brk,clock_gettime,close,exit,exit_group,futex,geteuid,geteuid32,getpgid,getpid,getrandom,gettimeofday,getuid,getuid32,madvise,mmap,mmap2,mremap,munmap,nanosleep,newselect,poll,pselect6,read,rt_sigprocmask,select,sigprocmask,time,write,socketcall,ioctl

but it produced the same result.

https://github.com/openssh/openssh-portable/blob/master/sandbox-seccomp-filter.c

@smitsohu commented on GitHub (Oct 13, 2018):

I think you'll also need to keep a bunch of capabilities. Fortunately someone else already did the work; just take a look at the apparmor profile:

https://gitlab.com/apparmor/apparmor/blob/master/profiles/apparmor/profiles/extras/usr.sbin.sshd

@publicsite commented on GitHub (Oct 13, 2018):

Running firejail with the following command didn't help.

sudo firejail --chroot="$PWD"/jails/rootfs --shell=/bin/sh /bin/sh --caps.keep=sys_chroot,sys_resource,sys_tty_config,net_bind_service,chown,fowner,kill,audit_control,audit_write,dac_override,dac_read_search,sys_ptrace,fsetid,setuid,setgid,ipc_lock --seccomp.keep=lstat,lstat64,fstat,fstat64,open,openat,fstatat64,stat,stat64,brk,clock_gettime,close,exit,exit_group,futex,geteuid,geteuid32,getpgid,getpid,getrandom,gettimeofday,getuid,getuid32,madvise,mmap,mmap2,mremap,munmap,nanosleep,newselect,poll,pselect6,read,rt_sigprocmask,select,sigprocmask,time,write,socketcall,ioctl

Also running:

sudo firejail --chroot="$PWD"/jails/rootfs --shell=/bin/sh --name="wibble" --noprofile /bin/sh

did not work.

@publicsite commented on GitHub (Oct 13, 2018):

Boom.

Have progress.

sudo firejail --noprofile chroot jails/rootfs /bin/sh

Works, so I can now start adding a profile. Unfortunately the --chroot option doesn't fly though.

@smitsohu commented on GitHub (Oct 13, 2018):

Just an observation: The seccomp list from openssh-portable and the apparmor capability list don't match. This means that syscalls are missing or the list of capabilities is actually too long, or a combination of both.

> firejail version 0.9.38.10

I strongly recommend upgrading to a more recent firejail version. 0.9.38 has effectively reached EOL.

@publicsite commented on GitHub (Oct 14, 2018):

That might be an issue, but the more troubling issue is that the --chroot option in firejail doesn't work with sshd.

The command I have at the moment is:

sudo firejail \
  --ignore=noroot \
  --noprofile \
  --caps.keep=sys_chroot,sys_resource,sys_tty_config,net_bind_service,chown,fowner,kill,audit_control,audit_write,dac_override,dac_read_search,sys_ptrace,fsetid,setuid,setgid,ipc_lock \
  chroot jails/rootfs /bin/sh \
  --seccomp.keep=exit_group,chroot,mprotect,set_thread_area,access,lstat,lstat64,fstat,fstat64,open,openat,fstatat64,stat,stat64,brk,clock_gettime,close,exit,exit_group,futex,geteuid,geteuid32,getpgid,getpid,getrandom,gettimeofday,getuid,getuid32,madvise,mmap,mmap2,mremap,munmap,nanosleep,poll,pselect6,read,rt_sigprocmask,select,sigprocmask,time,write,socketcall,ioctl

But the following syscalls were added to the seccomp list purely because of the chroot hack, rather than being able to use the firejail option:

exit_group,chroot,mprotect,set_thread_area,access
Note that a way to escape a chroot is by using chroot, so it's not secure as it stands.

@publicsite commented on GitHub (Oct 14, 2018):

> Hi, I compiled from source, and it looks as if the latest version works with the chroot option.
>
> You can now close this ticket.

Ignore me, it's still an issue.

#command

sudo /usr/local/bin/firejail --noprofile --chroot="$PWD/jails/rootfs" /bin/sh

#output

Parent pid 11771, child pid 11772
The new log directory is /proc/11772/root/var/log
Warning: cannot find /var/run/utmp
Child process initialized in 19.45 ms
execvp: No such file or directory

Parent is shutting down, bye...

@publicsite commented on GitHub (Oct 14, 2018):

#command

sudo /usr/local/bin/firejail --chroot="$PWD/jails/rootfs" --noprofile --shell=/bin/sh \
--caps.keep=sys_chroot,sys_resource,sys_tty_config,net_bind_service,chown,fowner,kill,audit_control,audit_write,dac_override,dac_read_search,sys_ptrace,fsetid,setuid,setgid,ipc_lock \
--seccomp.keep=setgroups,setgroups32,lstat,lstat64,fstat,fstat64,open,openat,fstatat64,stat,stat64,brk,clock_gettime,close,exit,exit_group,futex,geteuid,geteuid32,getpgid,getpid,getrandom,gettimeofday,getuid,getuid32,madvise,mmap,mmap2,mremap,munmap,nanosleep,poll,pselect6,read,rt_sigprocmask,select,sigprocmask,time,write,socketcall,ioctl

#output

Parent pid 13070, child pid 13071
The new log directory is /proc/13071/root/var/log
Warning: cannot find /var/run/utmp
Post-exec seccomp protector enabled
execvp: No such file or directory
Error: failed to run /run/firejail/lib/fseccomp
Error: proc 13070 cannot sync with peer: unexpected EOF
Peer 13071 unexpectedly exited with status 1

@crass commented on GitHub (Oct 14, 2018):

@publicsite try this branch (https://github.com/crass/firejail/tree/fix-chroot-not-mount-firejail-libdir) and the Error: failed to run /run/firejail/lib/fseccomp. I'm pretty sure this is because I didn't account for chroots in #2186. Hopefully everything else will work too.

@publicsite commented on GitHub (Oct 14, 2018):

@crass

Hi, I checked out using

git clone https://github.com/crass/firejail -b fix-chroot-not-mount-firejail-libdir

But it still gave:

Error: failed to run /run/firejail/lib/fseccomp

After compilation and installation.

<!-- gh-comment-id:429649106 --> @publicsite commented on GitHub (Oct 14, 2018): @crass Hi, I checked out using `git clone https://github.com/crass/firejail -b fix-chroot-not-mount-firejail-libdir` But it still gave: `Error: failed to run /run/firejail/lib/fseccomp` After compilation and installation.
Author
Owner

@crass commented on GitHub (Oct 15, 2018):

Hmm, actually, I'm not getting that error, with or without the changes in my branch. So I'm thinking that the chroot doesn't need the /run/firejail/lib dir. I guess to debug this further, we'll need to know exactly how you're setting up your chroot. If you run sudo chroot "$PWD/jails/rootfs", do you get a shell?

@publicsite commented on GitHub (Oct 15, 2018):

That's weird.

All I did was clone the repo, run

./configure
make
sudo make install

then

sudo /usr/local/bin/firejail --chroot="$PWD/jails/rootfs" --noprofile --shell=/bin/sh \
--caps.keep=sys_chroot,sys_resource,sys_tty_config,net_bind_service,chown,fowner,kill,audit_control,audit_write,dac_override,dac_read_search,sys_ptrace,fsetid,setuid,setgid,ipc_lock \
--seccomp.keep=setgroups,setgroups32,lstat,lstat64,fstat,fstat64,open,openat,fstatat64,stat,stat64,brk,clock_gettime,close,exit,exit_group,futex,geteuid,geteuid32,getpgid,getpid,getrandom,gettimeofday,getuid,getuid32,madvise,mmap,mmap2,mremap,munmap,nanosleep,poll,pselect6,read,rt_sigprocmask,select,sigprocmask,time,write,socketcall,ioctl

execvp: No such file or directory
Error: failed to run /run/firejail/lib/fseccomp
Error: proc 8481 cannot sync with peer: unexpected EOF
Peer 8482 unexpectedly exited with status 1

When I use coreutils chroot as you said, it works OK.

@smitsohu commented on GitHub (Oct 15, 2018):

It should work if you bind-mount /usr{,local/}lib/firejail on $PWD/jails/rootfs/run/firejail/lib.

At the moment firejail doesn't take care of this itself. I think we need to change this.

Don't be surprised if /bin/sh still doesn't run with your command. The seccomp filter is too restrictive for /bin/sh and kills it immediately, as you can see in the syslog.

@smitsohu commented on GitHub (Oct 15, 2018):

I've pushed a fix, could you please build from latest git and let us know if this works?
Thanks!

@smitsohu commented on GitHub (Oct 15, 2018):

My impression is that the seccomp filter you found is indeed not suitable for the sshd parent process. If I understand it right, you can enable it with UsePrivilegeSeparation sandbox in /etc/ssh/sshd_config, and it will then restrict an sshd child process.
See here for an example configuration making use of this: https://infosec.mozilla.org/guidelines/openssh.html

A seccomp filter for the sshd parent process probably has to be much more permissive. For building seccomp filters from scratch you may want to take a look at the seccomp guide (https://firejail.wordpress.com/documentation-2/seccomp-guide/) and #404.
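
As an added example (not code from this thread or from the firejail project) of the approach the comment above points at, building a filter for the sshd parent from what it actually does rather than borrowing the privsep child's list from sandbox-seccomp-filter.c: this POSIX sh snippet turns an `strace -f -o` log into a `--seccomp.keep` list. The strace invocation in the comments is assumed, and the log it runs on here is a constructed sample, not a real capture.

```shell
#!/bin/sh
# Added example, not code from the thread or the firejail project.
# Derive a --seccomp.keep list for the sshd parent process from what it
# actually calls, instead of reusing openssh's sandbox-seccomp-filter.c
# list (which only covers the unprivileged privsep child).
#
# Capture on the host, outside the jail (assumed invocation; strace -o
# writes lines shaped "pid  name(args) = ret"):
#   strace -f -o sshd.strace /usr/sbin/sshd -d -e
# Connect once with ssh, log in, log out, then:
#   seccomp_keep_from_strace sshd.strace "$BASE_LIST"
# One traced session only shows the code paths that were exercised: a
# syscall that runs only on, say, a failed login is missing from the list
# and seccomp kills the process later (visible in syslog), so trace those
# paths as well before trusting the list.

# Print the unique syscall names in an strace -f -o log, one per line.
# Handles "<... name resumed>" continuation lines and skips the
# "--- SIGCHLD ..." and "+++ exited ..." markers, which name no syscall.
syscalls_from_strace() {
    sed -n \
        -e 's/^[0-9]* *<\.\.\. \([a-z0-9_]*\) resumed>.*/\1/p' \
        -e 's/^[0-9]* *\([a-z0-9_]*\)(.*/\1/p' \
        "$1" | sort -u
}

# Comma-separated form for --seccomp.keep, merged with an optional
# comma-separated base list (e.g. the one carried through this thread).
seccomp_keep_from_strace() {
    log=$1
    base=${2:-}
    {
        syscalls_from_strace "$log"
        if [ -n "$base" ]; then
            printf '%s\n' "$base" | tr ',' '\n'
        fi
    } | grep -v '^$' | sort -u | paste -sd, -
}

# Constructed sample log (not a real capture), shaped like strace -f -o
# output for an sshd parent that binds port 22, accepts a client and forks.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
720  execve("/usr/sbin/sshd", ["/usr/sbin/sshd", "-d"], 0x7ffd0000) = 0
720  socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
720  setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
720  bind(3, {sa_family=AF_INET, sin_port=htons(22), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
720  listen(3, 128)                     = 0
720  select(4, [3], NULL, NULL, NULL <unfinished ...>
721  setgroups(0, NULL)                 = -1 EPERM (Operation not permitted)
720  <... select resumed> )             = 1 (in [3])
720  accept(3, {sa_family=AF_INET, sin_port=htons(37402), sin_addr=inet_addr("127.0.0.1")}, [16]) = 4
720  clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f00) = 722
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=722, si_uid=0, si_status=0} ---
722  +++ exited with 0 +++
EOF

# Stand-alone run: print the merged list for the sample.
seccomp_keep_from_strace "$SAMPLE_LOG" "close,exit_group,read,write"
```

The merged list is what goes after `--seccomp.keep=`; the `setgroups` line in the sample is the same EPERM the thread's `sshd -d` output showed, which is a capability (setgid) problem, not a seccomp one.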

@publicsite commented on GitHub (Oct 15, 2018):

@smitsohu

Hi, I git cloned again with your changes, but unfortunately I get the same

Error: failed to run /run/firejail/lib/fseccomp

Just to add: when firejail is used like so:

sudo firejail --noprofile chroot jails/rootfs /bin/sh

Or like so:

sudo /usr/local/bin/firejail --noprofile --chroot=jails/rootfs /bin/sh

Both sshd and /bin/sh work, it's just the capabilities whitelist (--seccomp.keep) that doesn't work with the chroot option, which is almost certainly due to the /run/firejail/lib/fseccomp error.

I'm not sure if this makes a difference, but when I ls /run/firejail/lib/ on the host, the directory is empty.

@publicsite commented on GitHub (Oct 15, 2018):

Hi,

fseccomp has been placed in /usr/local/lib/firejail not /run/firejail/lib

Is there any way of changing where firejail looks for fseccomp?

@crass commented on GitHub (Oct 16, 2018):

@publicsite can you try this repo (https://github.com/crass/firejail/tree/fix-2148-always-have-helpers-in-sandbox) and see if you get the same issue? Also some changes around /run/firejail/lib have happened recently, are you sure you've run git pull in the master branch to get the latest commits?

@publicsite commented on GitHub (Oct 16, 2018):

@crass

$  git clone https://github.com/crass/firejail -b fix-2148-always-have-helpers-in-sandbox
[...]
$   cd firejail
$   git pull
Already up-to-date.
$   ./configure
[...]
$   make
[...]
$  sudo make install
[...]
$  cd ..
$  sudo /usr/local/bin/firejail --chroot="$PWD/jails/rootfs" --noprofile --shell=/bin/sh \
--caps.keep=sys_chroot,sys_resource,sys_tty_config,net_bind_service,chown,fowner,kill,audit_control,audit_write,dac_override,dac_read_search,sys_ptrace,fsetid,setuid,setgid,ipc_lock \
--seccomp.keep=setgroups,setgroups32,lstat,lstat64,fstat,fstat64,open,openat,fstatat64,stat,stat64,brk,clock_gettime,close,exit,exit_group,futex,geteuid,geteuid32,getpgid,getpid,getrandom,gettimeofday,getuid,getuid32,madvise,mmap,mmap2,mremap,munmap,nanosleep,poll,pselect6,read,rt_sigprocmask,select,sigprocmask,time,write,socketcall,ioctl /usr/sbin/sshd
Parent pid 720, child pid 721
The new log directory is /proc/721/root/var/log
Warning: cannot find /var/run/utmp
Post-exec seccomp protector enabled
execvp: No such file or directory
Error: failed to run /run/firejail/lib/firejail/fseccomp
Error: proc 720 cannot sync with peer: unexpected EOF
Peer 721 unexpectedly exited with status 1

It's not finding fseccomp in /usr/local/lib/firejail


@crass commented on GitHub (Oct 16, 2018):

@publicsite I get this error when running that command:

$ ~/development.forked/firejail.git/installed/bin/firejail --chroot=`pwd`/chroot --noprofile --shell=/bin/sh \
--caps.keep=sys_chroot,sys_resource,sys_tty_config,net_bind_service,chown,fowner,kill,audit_control,audit_write,dac_override,dac_read_search,sys_ptrace,fsetid,setuid,setgid,ipc_lock \
--seccomp.keep=setgroups,setgroups32,lstat,lstat64,fstat,fstat64,open,openat,fstatat64,stat,stat64,brk,clock_gettime,close,exit,exit_group,futex,geteuid,geteuid32,getpgid,getpid,getrandom,gettimeofday,getuid,getuid32,madvise,mmap,mmap2,mremap,munmap,nanosleep,poll,pselect6,read,rt_sigprocmask,select,sigprocmask,time,write,socketcall,ioctl /usr/sbin/sshd
Error: for chroot sandboxes, default seccomp and capabilities filters are
enabled by default. Please remove all --seccomp and --caps options from the
command line.

I'm not understanding how you're getting around the check that makes sure you're not passing caps and seccomp args... --chroot enforces default caps and seccomp. What are you doing that you're not telling us? 😉

EDIT: Hmm, you're running as root that's why....


@publicsite commented on GitHub (Oct 16, 2018):

@crass

That's weird, and certainly not the error I get.

Either way, it's redonculous that I can't pass seccomp args with chroot.

Would be nice to tell firejail how to find fseccomp in /usr/local/lib/firejail


@crass commented on GitHub (Oct 16, 2018):

Yeah, I realized you are bypassing that check because you're running as root. And yes, I agree it's ridiculous even for a regular user. I hope to change that. Try this branch (https://github.com/crass/firejail/tree/fix-2148-always-have-helpers-in-sandbox-chroot) with the command in the output below (changing paths as needed) and see if you get the same output. There are some added seccomp.keep syscalls from yours, and almost certainly there will need to be more to get it fully functioning. But the seccomp filter is working for me.

Command:

sudo strace -D -f -v -y -yy -s4096 -o /tmp/firejail.strace \
    /usr/local/bin/firejail --debug --trace --chroot=`pwd`/chroot --noprofile --shell=none \
    --caps.keep=sys_chroot,sys_resource,sys_tty_config,net_bind_service,chown,fowner,kill,audit_control,audit_write,dac_override,dac_read_search,sys_ptrace,fsetid,setuid,setgid,ipc_lock \
    --seccomp.keep=setgroups,setgroups32,lstat,lstat64,fstat,fstat64,open,openat,fstatat64,stat,stat64,brk,clock_gettime,close,exit,exit_group,futex,geteuid,geteuid32,getpgid,getpid,getrandom,gettimeofday,getuid,getuid32,madvise,mmap,mmap2,mremap,munmap,nanosleep,poll,pselect6,read,rt_sigprocmask,select,sigprocmask,time,write,socketcall,ioctl,setresuid,setresgid,unlink,access,mprotect,arch_prctl,set_tid_address,set_robust_list,rt_sigaction,getrlimit,statfs \
    /usr/sbin/sshd

Output:

Building quoted command line: '/usr/sbin/sshd'
Command name #sshd#
DISPLAY=:0 parsed as 0
Enabling IPC namespace
Using the local network stack
Parent pid 12210, child pid 12214
Initializing child process
The new log directory is /proc/12214/root/var/log
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp.postexec file
Mounting /dev on /tmp/chroot/dev
Updating /etc/resolv.conf in /tmp/chroot/etc/resolv.conf
Chrooting into /tmp/chroot
Warning: /var/lock not mounted
Mounting tmpfs on /var/tmp
Warning: cannot hide /var/log directory
Warning: cannot find /var/run/utmp
Remounting /proc and /proc/sys filesystems
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /sys/kernel/uevent_helper
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/kernel/hotplug
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /lib/modules
Disable /usr/lib/debug
Disable /dev/port
Disable /sys/fs
Disable /sys/module
/etc/pulse/client.conf not found
Create the new ld.so.preload file
Post-exec seccomp protector enabled
Mount the new ld.so.preload file
Current directory: /tmp
DISPLAY=:0 parsed as 0
Set caps filter 650c44ff
Build keep seccomp filter
sbox run: /run/firejail/lib/firejail/fseccomp keep /run/firejail/mnt/seccomp /run/firejail/mnt/seccomp.postexec setgroups,setgroups32,lstat,lstat64,fstat,fstat64,open,openat,fstatat64,stat,stat64,brk,clock_gettime,close,exit,exit_group,futex,geteuid,geteuid32,getpgid,getpid,getrandom,gettimeofday,getuid,getuid32,madvise,mmap,mmap2,mremap,munmap,nanosleep,poll,pselect6,read,rt_sigprocmask,select,sigprocmask,time,write,socketcall,ioctl,setresuid,setresgid,unlink,access,mprotect,arch_prctl,set_tid_address,set_robust_list,rt_sigaction,getrlimit,statfs (null)
Dropping all capabilities
Drop privileges: pid 2, uid 0, gid 0, nogroups 1
No supplementary groups
2:fseccomp:open /run/firejail/mnt/seccomp.postexec:3
2:fseccomp:exec /run/firejail/lib/firejail/fseccomp:0
2:fseccomp:open /run/firejail/mnt/seccomp:3
seccomp filter configured
configuring 96 seccomp entries in /run/firejail/mnt/seccomp
sbox run: /run/firejail/lib/firejail/fsec-print /run/firejail/mnt/seccomp (null)
Dropping all capabilities
Drop privileges: pid 3, uid 0, gid 0, nogroups 1
No supplementary groups
3:fsec-print:open /run/firejail/mnt/seccomp.postexec:3
3:fsec-print:exec /run/firejail/lib/firejail/fsec-print:0
3:fsec-print:open /run/firejail/mnt/seccomp:3
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 35 01 00 40000000   jge X32_ABI 0006 (false 0005)
 0005: 35 01 00 00000000   jge read 0007 (false 0006)
 0006: 06 00 00 00050001   ret ERRNO(1)
 0007: 15 00 01 0000003b   jeq execve 0008 (false 0009)
 0008: 06 00 00 7fff0000   ret ALLOW
 0009: 15 00 01 0000009d   jeq prctl 000a (false 000b)
 000a: 06 00 00 7fff0000   ret ALLOW
 000b: 15 00 01 00000074   jeq setgroups 000c (false 000d)
 000c: 06 00 00 7fff0000   ret ALLOW
 000d: 15 00 01 00000006   jeq lstat 000e (false 000f)
 000e: 06 00 00 7fff0000   ret ALLOW
 000f: 15 00 01 00000005   jeq fstat 0010 (false 0011)
 0010: 06 00 00 7fff0000   ret ALLOW
 0011: 15 00 01 00000002   jeq open 0012 (false 0013)
 0012: 06 00 00 7fff0000   ret ALLOW
 0013: 15 00 01 00000101   jeq openat 0014 (false 0015)
 0014: 06 00 00 7fff0000   ret ALLOW
 0015: 15 00 01 00000004   jeq stat 0016 (false 0017)
 0016: 06 00 00 7fff0000   ret ALLOW
 0017: 15 00 01 0000000c   jeq brk 0018 (false 0019)
 0018: 06 00 00 7fff0000   ret ALLOW
 0019: 15 00 01 000000e4   jeq clock_gettime 001a (false 001b)
 001a: 06 00 00 7fff0000   ret ALLOW
 001b: 15 00 01 00000003   jeq close 001c (false 001d)
 001c: 06 00 00 7fff0000   ret ALLOW
 001d: 15 00 01 0000003c   jeq exit 001e (false 001f)
 001e: 06 00 00 7fff0000   ret ALLOW
 001f: 15 00 01 000000e7   jeq exit_group 0020 (false 0021)
 0020: 06 00 00 7fff0000   ret ALLOW
 0021: 15 00 01 000000ca   jeq futex 0022 (false 0023)
 0022: 06 00 00 7fff0000   ret ALLOW
 0023: 15 00 01 0000006b   jeq geteuid 0024 (false 0025)
 0024: 06 00 00 7fff0000   ret ALLOW
 0025: 15 00 01 00000079   jeq getpgid 0026 (false 0027)
 0026: 06 00 00 7fff0000   ret ALLOW
 0027: 15 00 01 00000027   jeq getpid 0028 (false 0029)
 0028: 06 00 00 7fff0000   ret ALLOW
 0029: 15 00 01 0000013e   jeq getrandom 002a (false 002b)
 002a: 06 00 00 7fff0000   ret ALLOW
 002b: 15 00 01 00000060   jeq gettimeofday 002c (false 002d)
 002c: 06 00 00 7fff0000   ret ALLOW
 002d: 15 00 01 00000066   jeq getuid 002e (false 002f)
 002e: 06 00 00 7fff0000   ret ALLOW
 002f: 15 00 01 0000001c   jeq madvise 0030 (false 0031)
 0030: 06 00 00 7fff0000   ret ALLOW
 0031: 15 00 01 00000009   jeq mmap 0032 (false 0033)
 0032: 06 00 00 7fff0000   ret ALLOW
 0033: 15 00 01 00000019   jeq mremap 0034 (false 0035)
 0034: 06 00 00 7fff0000   ret ALLOW
 0035: 15 00 01 0000000b   jeq munmap 0036 (false 0037)
 0036: 06 00 00 7fff0000   ret ALLOW
 0037: 15 00 01 00000023   jeq nanosleep 0038 (false 0039)
 0038: 06 00 00 7fff0000   ret ALLOW
 0039: 15 00 01 00000007   jeq poll 003a (false 003b)
 003a: 06 00 00 7fff0000   ret ALLOW
 003b: 15 00 01 0000010e   jeq pselect6 003c (false 003d)
 003c: 06 00 00 7fff0000   ret ALLOW
 003d: 15 00 01 00000000   jeq read 003e (false 003f)
 003e: 06 00 00 7fff0000   ret ALLOW
 003f: 15 00 01 0000000e   jeq rt_sigprocmask 0040 (false 0041)
 0040: 06 00 00 7fff0000   ret ALLOW
 0041: 15 00 01 00000017   jeq select 0042 (false 0043)
 0042: 06 00 00 7fff0000   ret ALLOW
 0043: 15 00 01 000000c9   jeq time 0044 (false 0045)
 0044: 06 00 00 7fff0000   ret ALLOW
 0045: 15 00 01 00000001   jeq write 0046 (false 0047)
 0046: 06 00 00 7fff0000   ret ALLOW
 0047: 15 00 01 00000010   jeq ioctl 0048 (false 0049)
 0048: 06 00 00 7fff0000   ret ALLOW
 0049: 15 00 01 00000075   jeq setresuid 004a (false 004b)
 004a: 06 00 00 7fff0000   ret ALLOW
 004b: 15 00 01 00000077   jeq setresgid 004c (false 004d)
 004c: 06 00 00 7fff0000   ret ALLOW
 004d: 15 00 01 00000057   jeq unlink 004e (false 004f)
 004e: 06 00 00 7fff0000   ret ALLOW
 004f: 15 00 01 00000015   jeq access 0050 (false 0051)
 0050: 06 00 00 7fff0000   ret ALLOW
 0051: 15 00 01 0000000a   jeq mprotect 0052 (false 0053)
 0052: 06 00 00 7fff0000   ret ALLOW
 0053: 15 00 01 0000009e   jeq arch_prctl 0054 (false 0055)
 0054: 06 00 00 7fff0000   ret ALLOW
 0055: 15 00 01 000000da   jeq set_tid_address 0056 (false 0057)
 0056: 06 00 00 7fff0000   ret ALLOW
 0057: 15 00 01 00000111   jeq set_robust_list 0058 (false 0059)
 0058: 06 00 00 7fff0000   ret ALLOW
 0059: 15 00 01 0000000d   jeq rt_sigaction 005a (false 005b)
 005a: 06 00 00 7fff0000   ret ALLOW
 005b: 15 00 01 00000061   jeq getrlimit 005c (false 005d)
 005c: 06 00 00 7fff0000   ret ALLOW
 005d: 15 00 01 00000089   jeq statfs 005e (false 005f)
 005e: 06 00 00 7fff0000   ret ALLOW
 005f: 06 00 00 00000000   ret KILL
seccomp filter configured
Drop privileges: pid 1, uid 0, gid 0, nogroups 0
No supplementary groups
starting application
LD_PRELOAD=(null)
execvp argument 0: /usr/sbin/sshd
Child process initialized in 36.39 ms
Installing /run/firejail/mnt/seccomp seccomp filter
4:sshd:fopen /proc/filesystems:0x560c8d5d9070
4:sshd:access /etc/selinux/config:-1
4:sshd:open /run/firejail/mnt/seccomp.postexec:3
monitoring pid 4

Sandbox monitor: waitpid 4 retval 4 status 159

Parent is shutting down, bye...
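
The fsec-print dump in the comment above is worth reading closely, and what follows is an added example written for this thread, not firejail's own code. The 96 entries the log reports are 7 prologue instructions (load arch, jeq ARCH_64, ret ALLOW, load syscall number, jge X32_ABI, jge read, ret ERRNO(1)), one jeq/ret ALLOW pair for each of the 44 syscalls that survived, and a final ret KILL. The 32-bit-only names in the --seccomp.keep list (setgroups32, lstat64, fstat64, fstatat64, stat64, geteuid32, getuid32, mmap2, sigprocmask, socketcall) have no x86_64 syscall number and simply do not appear, while execve and prctl appear even though the list did not name them. Two details a practitioner should notice: instruction 0002 returns ALLOW whenever the audit architecture is not x86_64, and the final "waitpid 4 retval 4 status 159" is WTERMSIG 31, i.e. SIGSYS, so sshd was killed by the filter on its first syscall outside the list rather than failing in some other way. The C below builds a filter with the same layout (but kills on a foreign ABI instead of allowing), includes a small interpreter for the cBPF subset seccomp uses so a candidate keep list can be checked offline against syscall numbers before anything is sandboxed, and installs the filter on itself. It assumes Linux on x86_64 or aarch64; every function name in it is hypothetical, not a firejail interface.

```c
/* Added example for this thread, not firejail's code: build a seccomp-bpf allow-list
 * laid out like the fsec-print dump, evaluate it offline, install it. Linux x86_64/aarch64. */
#include <errno.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define FILTER_ARCH AUDIT_ARCH_AARCH64
#else
#error "set FILTER_ARCH to this machine's AUDIT_ARCH_* value"
#endif

#define X32_SYSCALL_BIT 0x40000000u   /* the "jge X32_ABI" constant in the dump */

static struct sock_filter stmt(uint16_t code, uint32_t k) { struct sock_filter f = BPF_STMT(code, k); return f; }
static struct sock_filter jump(uint16_t code, uint32_t k, uint8_t jt, uint8_t jf) { struct sock_filter f = BPF_JUMP(code, k, jt, jf); return f; }

/* Same shape as the dump: 7 prologue instructions, a jeq/ret ALLOW pair per syscall, ret KILL
 * last (7 + 2*n + 1 entries; 44 syscalls give the 96 in the log). Returns the count, 0 if it does not fit. */
size_t build_allowlist(const int *nrs, size_t n, struct sock_filter *out, size_t cap)
{
    if (7 + 2 * n + 1 > cap)
        return 0;
    size_t i = 0;
    out[i++] = stmt(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[i++] = jump(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0);
    out[i++] = stmt(BPF_RET | BPF_K, SECCOMP_RET_KILL);          /* dump's 0002 says ALLOW; kill instead */
    out[i++] = stmt(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    out[i++] = jump(BPF_JMP | BPF_JGE | BPF_K, X32_SYSCALL_BIT, 1, 0);
    out[i++] = jump(BPF_JMP | BPF_JGE | BPF_K, 0, 1, 0);          /* "jge read": always taken */
    out[i++] = stmt(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM); /* x32 ABI -> ERRNO(1) */
    for (size_t k = 0; k < n; k++) {
        out[i++] = jump(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)nrs[k], 0, 1);
        out[i++] = stmt(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    out[i++] = stmt(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    return i;
}

/* Interpreter for the cBPF subset seccomp filters use (ld abs, jeq/jge k, ret k). Returns the
 * SECCOMP_RET_* action the kernel would take for (arch, nr); unknown opcodes fail closed. */
uint32_t eval_filter(const struct sock_filter *f, size_t n, uint32_t arch, uint32_t nr)
{
    struct seccomp_data d = { .nr = (int)nr, .arch = arch };
    uint32_t acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct sock_filter *in = &f[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (in->k + sizeof acc > sizeof d) return SECCOMP_RET_KILL;   /* out-of-range load */
            memcpy(&acc, (const char *)&d + in->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K: pc += (acc == in->k) ? in->jt : in->jf; break;
        case BPF_JMP | BPF_JGE | BPF_K: pc += (acc >= in->k) ? in->jt : in->jf; break;
        case BPF_RET | BPF_K: return in->k;
        default: return SECCOMP_RET_KILL;
        }
    }
    return SECCOMP_RET_KILL;   /* fell off the end; the kernel rejects such programs anyway */
}

/* NO_NEW_PRIVS first, as the kernel requires from an unprivileged caller. */
int install_filter(struct sock_filter *f, size_t n)
{
    struct sock_fprog prog = { .len = (unsigned short)n, .filter = f };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* "waitpid ... status 159" in the log: 159 & 0x7f == 31 == SIGSYS, a seccomp kill. */
int seccomp_killed(int status) { return WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS; }

int main(void)
{
    int keep[] = { SYS_write, SYS_exit_group, SYS_exit };   /* constructed, minimal keep list */
    struct sock_filter prog[256];
    size_t n = build_allowlist(keep, sizeof keep / sizeof keep[0], prog, 256);
    if (n == 0 || eval_filter(prog, n, FILTER_ARCH, SYS_write) != SECCOMP_RET_ALLOW) return 1;
    if (install_filter(prog, n) != 0) return 1;
    static const char msg[] = "filter live; the next syscall is not in the list\n";
    write(1, msg, sizeof msg - 1);
    getppid();   /* not allow-listed: this process dies with SIGSYS, as sshd did above */
    return 0;
}
```

Compile with `cc -Wall -o allowlist allowlist.c` and run it: it writes one line after the filter is live and is then killed by SIGSYS at getppid, which is exactly the condition the waitpid status in the log records for sshd. To pre-check a real keep list, pass its syscall numbers to build_allowlist and call eval_filter for every syscall the target is seen to make (the strace file crass asks for below is the obvious source); any KILL result is a syscall that still needs to be added.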

@publicsite commented on GitHub (Oct 16, 2018):

@smitsohu

Hi,

I changed RUN_FIREJAIL_LIB_DIR before compiling, and got a different error.

#!/bin/sh
git clone https://github.com/netblue30/firejail
#git clone https://github.com/crass/firejail -b fix-2148-always-have-helpers-in-sandbox-chroot
sed -i 's!#define RUN_FIREJAIL_LIB_DIR		"/run/firejail/lib"!#define RUN_FIREJAIL_LIB_DIR		"/usr/local/lib"!g' firejail/src/firejail/firejail.h
cd firejail
./configure
make
sudo make install

I have left a comment at:

https://github.com/netblue30/firejail/commit/be1e3b02bfca3fdb836c91b71dce26fce3eaa094

@publicsite commented on GitHub (Oct 16, 2018):

Hi,

/run/firejail/lib/firejail/fseccomp now exists, both in the chroot (as mount bind) and also on the host, but it's giving the same error:

Parent pid 6747, child pid 6748
The new log directory is /proc/6748/root/var/log
Warning: cannot find /var/run/utmp
Post-exec seccomp protector enabled
execvp: No such file or directory
Error: failed to run /run/firejail/lib/fseccomp
Error: proc 6747 cannot sync with peer: unexpected EOF
Peer 6748 unexpectedly exited with status 1

I'm guessing it's not actually possible at this point in time to use a seccomp whitelist with the chroot option.


@crass commented on GitHub (Oct 16, 2018):

@publicsite I believe I've done so successfully. When you ran the command above, the strace should have written a file /tmp/firejail.strace. Can you attach that file to a comment here? That should give me a better idea of what is actually happening. Using xz to compress it might be nice as well.


@chiraag-nataraj commented on GitHub (May 21, 2019):

@publicsite Is this still an issue?


@publicsite commented on GitHub (May 21, 2019):

@chiraag-nataraj

I'm not sure; I ended up with a different solution, and that's what I'm using at present ... though I could try giving it another test to see if anything has differed since. I built myself a nice chroot when the issue came up last October, so something might have changed 6 months on ...


@chiraag-nataraj commented on GitHub (May 21, 2019):

Okay! If that's the case, I guess I'll go ahead and close this issue for now. If you decide to revisit and run into this, please feel free to re-open!

Reference: github-starred/firejail#1466