[GH-ISSUE #2212] firefox: cannot create crash dump and send crash report after crash #1484

Closed
opened 2026-05-05 08:09:05 -06:00 by gitea-mirror · 23 comments

Originally created by @juxi500 on GitHub (Oct 23, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2212

Hello, I noticed that when I am running Firefox inside firejail, when Firefox crashes, it is not able to create crash dump and send crash report to Mozilla. Is it intended behaviour or do I have something misconfigured? If you need any more information just let me know.

Thank you very much and have a nice day! :)

@Vincent43 commented on GitHub (Oct 23, 2018):

Generally speaking, it's intended. It may be caused by `apparmor` (if your distro has apparmor support, like Ubuntu) or maybe `nodbus`. If you need a crash report you may try to add an `ignore` rule for those options in `firefox.local` or on the command line.

@SkewedZeppelin commented on GitHub (Oct 23, 2018):

@Vincent43 I think it is either caps or seccomp, I've seen it happen many times.

@juxi500 commented on GitHub (Oct 23, 2018):

> Generally speaking, it's intended.. It may be caused by `apparmor` (if your distro has apparmor support like ubuntu) or maybe `nodbus`. If you need crash report you may try to add `ignore` rule for that options in `firefox.local` or in command line.

I use EL7 so I have SELinux instead of AppArmor... OK, so if I want to disable nodbus I will try the ignore nodbus option...? :) Is it a big security risk?

@juxi500 commented on GitHub (Oct 23, 2018):

> @Vincent43 I think it is either caps or seccomp, I've seen it happen many times.

Is it possible to somehow tell caps or seccomp to let Firefox send crash reports or should I disable them?

@crass commented on GitHub (Oct 25, 2018):

@juxi500 It would be nice if you can find a situation where you can reliably create a crash report in Firefox **without** using firejail (perhaps using one of [these suggestions](https://superuser.com/questions/678054/force-firefox-to-crash-or-trick-firefox-into-thinking-it-has-crashed-on-windows)). Then follow these steps:

  1. Cause a crash while running under firejail and see if there is an audit message. An example looks like `audit: type=1326 audit(1539671071.136:146): auid=666 uid=0 gid=0 ses=2 subj==unconfined pid=18184 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=c000003e syscall=8 compat=0 ip=0x7fd821118cd7 code=0x0`.
  2. If there is no audit line, then `seccomp` is not currently preventing the crash reporter.
  3. If you see an audit line, find the name of the corresponding syscall by searching `firejail --debug-syscalls` for the syscall number identified in the audit line (`lseek` in the above example).
  4. Run Firefox again with the option `--seccomp.keep=<syscall name>[,<syscall name>]`, where a comma-separated list of all syscall names that you've found in the audit messages is given, and cause the crash again.
  5. If the crash reporter does not pop up, go back to step 3.
  6. If the crash reporter pops up, you're finished; post the list of syscalls that need to be enabled here.

We should add a `firefox-common-crashreporter.profile` to be included with the other Firefox profiles like we do with the `firefox-common-addons.profile`.


@juxi500 commented on GitHub (Oct 30, 2018):

Well, I will try, but the "problem" is I can't reliably crash Firefox... :) In my experience it is pretty stable these days (I was already looking for a reliable way)... But when I encounter a crash and see something like this on the command line I will let you know :)


@juxi500 commented on GitHub (Nov 3, 2018):

Today I managed to crash Firefox with caps, seccomp and nodbus ignored, but it still cannot send crash reports. (When run without firejail, it is possible to send crash reports.)

```
$ firejail --ignore=seccomp --ignore=caps --ignore=nodbus /home/user/firefox-beta/firefox
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/firefox.local
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 10261, child pid 10262
Post-exec seccomp protector enabled
Seccomp list in: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice, check list: @default-keep, prelist: adjtimex,clock_adjtime,clock_settime,settimeofday,modify_ldt,lookup_dcookie,perf_event_open,process_vm_writev,delete_module,finit_module,init_module,_sysctl,afs_syscall,create_module,get_kernel_syms,getpmsg,putpmsg,query_module,security,sysfs,tuxcall,uselib,ustat,vserver,ioperm,iopl,kexec_load,kexec_file_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount2,userfaultfd,vhangup,vmsplice,
Child process initialized in 77.80 ms
[Parent 7, Gecko_IOThread] WARNING: pipe error: Broken pipe: file /builds/worker/workspace/build/src/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 736
ExceptionHandler::GenerateDump cloned child ExceptionHandler::WaitForContinueSignal waiting for continue signal...
427
ExceptionHandler::SendContinueSignalToChild sent continue signal to child [Child 117, Chrome_ChildThread] WARNING: pipe error: Broken pipe: file /builds/worker/workspace/build/src/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 736
2018-11-03 13:40:07: minidump.cc:5094: ERROR: Minidump could not open minidump /home/user/.mozilla/firefox/12345678.default/minidumps/07bb2bc7-0418-a12a-3706-2a51fa5f2b47.dmp, error 2: No such file or directory
2018-11-03 13:40:07: minidump.cc:5191: ERROR: Minidump cannot open minidump Gtk-Message: GtkDialog mapped without a transient parent. This is discouraged.

Parent is shutting down, bye...
```

Do you have any ideas what the problem could be?
If you need any more information just let me know.
Have a nice day :)


@chiraag-nataraj commented on GitHub (May 20, 2019):

It's most likely the seccomp filter, but I don't know. Is this still an issue?

@matu3ba commented on GitHub (Jun 21, 2019):

@juxi500 Please provide feedback.
Otherwise this should be closed.

@rusty-snake commented on GitHub (Aug 22, 2019):

@juxi500 I'm closing this due to inactivity; please feel free to reopen if you still have this issue.

@byteit101 commented on GitHub (Feb 1, 2020):

I was able to reproduce this. I seem to be stuck hitting https://crash-stats.mozilla.org/signature/?product=Firefox&signature=mozilla%3A%3Aa11y%3A%3ADOMtoATK%3A%3AATKStringConverterHelper%3A%3AFinishUTF16toUTF8 every few days, so I'll try adding those flags and report back in a few days when I invariably hit that again.

@rusty-snake commented on GitHub (Feb 1, 2020):

@byteit101 if @chiraag-nataraj is right, you can find the blocked syscall with `journalctl --grep=SECCOMP`.

@byteit101 commented on GitHub (Feb 12, 2020):

Hmm, my journalctl said:

```
Compiled without pattern matching support
```

but this is what appeared:

```
Feb 11 20:03:45 debian-box audit[29889]: AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=29889 comm="firefox-bin" requested_mask="trace" denied_mask="trace" peer="firejail-default"
Feb 11 20:03:45 debian-box audit[29889]: AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=29889 comm="firefox-bin" requested_mask="tracedby" denied_mask="tracedby" peer="firejail-default"
Feb 11 20:03:45 debian-box audit[29889]: AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=29889 comm="firefox-bin" requested_mask="trace" denied_mask="trace" peer="firejail-default"
Feb 11 20:03:45 debian-box kernel: kauditd_printk_skb: 138 callbacks suppressed
Feb 11 20:03:45 debian-box kernel: audit: type=1400 audit(1581469425.641:335): apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=29889 comm="firefox-bin" requested_mask="trace" denied_mask="trace" peer="firejail-default"
Feb 11 20:03:45 debian-box kernel: audit: type=1400 audit(1581469425.641:336): apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=29889 comm="firefox-bin" requested_mask="tracedby" denied_mask="tracedby" peer="firejail-default"
Feb 11 20:03:45 debian-box kernel: audit: type=1400 audit(1581469425.641:337): apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=29889 comm="firefox-bin" requested_mask="trace" denied_mask="trace" peer="firejail-default"
Feb 11 20:03:45 debian-box kernel: audit: type=1400 audit(1581469425.641:338): apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=29889 comm="firefox-bin" requested_mask="tracedby" denied_mask="tracedby" peer="firejail-default"
Feb 11 20:03:45 debian-box kernel: audit: type=1400 audit(1581469425.641:339): apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=29889 comm="firefox-bin" requested_mask="trace" denied_mask="trace" peer="firejail-default"
Feb 11 20:03:45 debian-box kernel: audit: type=1400 audit(1581469425.641:340): apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=29889 comm="firefox-bin" requested_mask="tracedby" denied_mask="tracedby" peer="firejail-default"
Feb 11 20:03:45 debian-box kernel: audit: type=1400 audit(1581469425.641:341): apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=29889 comm="firefox-bin" requested_mask="trace" denied_mask="trace" peer="firejail-default"
Feb 11 20:03:45 debian-box kernel: audit: type=1400 audit(1581469425.641:342): apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=29889 comm="firefox-bin" requested_mask="tracedby" denied_mask="tracedby" peer="firejail-default"
Feb 11 20:03:45 debian-box kernel: audit: type=1400 audit(1581469425.641:343): apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=29889 comm="firefox-bin" requested_mask="trace" denied_mask="trace" peer="firejail-default"
Feb 11 20:03:45 debian-box kernel: audit: type=1400 audit(1581469425.641:344): apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=29889 comm="firefox-bin" requested_mask="tracedby" denied_mask="tracedby" peer="firejail-default"
Feb 11 20:03:45 debian-box audit[29889]: AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=29889 comm="firefox-bin" requested_mask="tracedby" denied_mask="tracedby" peer="firejail-default"
Feb 11 20:03:45 debian-box audit[29889]: AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=29889 comm="firefox-bin" requested_mask="trace" denied_mask="trace" peer="firejail-default"
Feb 11 20:03:45 debian-box audit[29889]: AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=29889 comm="firefox-bin" requested_mask="tracedby" denied_mask="tracedby" peer="firejail-default"
Feb 11 20:03:45 debian-box audit[29889]: AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=29889 comm="firefox-bin" requested_mask="trace" denied_mask="trace" peer="firejail-default"
...
```

(about 150 lines in total of this repeating)


@rusty-snake commented on GitHub (Feb 12, 2020):

You can also try it with `journalctl | grep SECCOMP`; however, this error is about AppArmor. Have you enabled the Debian AA profile for Firefox, or is it just the firejail one?

@Vincent43 commented on GitHub (Feb 12, 2020):

@byteit101 could you show `firejail --version` output?

@byteit101 commented on GitHub (Feb 14, 2020):

I think the AA profile was enabled automatically when I upgraded to Debian 10.

```
~ firejail --version
firejail version 0.9.62

Compile time support:
	- AppArmor support is enabled
	- AppImage support is enabled
	- chroot support is enabled
	- file and directory whitelisting support is enabled
	- file transfer support is enabled
	- firetunnel support is enabled
	- networking support is enabled
	- overlayfs support is enabled
	- private-home support is enabled
	- seccomp-bpf support is enabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled
```
@Vincent43 commented on GitHub (Feb 14, 2020):

@byteit101 try adding the line `ptrace (trace,tracedby) peer=@{profile_name},` in `/etc/apparmor.d/local/firejail-default`, then run `systemctl restart apparmor` or reboot.

@rusty-snake commented on GitHub (Feb 14, 2020):

`ptrace` is also blocked by firejail's seccomp filter; you should also add `allow-debuggers`.

@byteit101 commented on GitHub (Feb 17, 2020):

I added @Vincent43's ptrace line to apparmor, and running with `firejail --ignore=seccomp --ignore=caps --ignore=nodbus firefox` I got the Mozilla crash dialog and was able to send a report!

@rusty-snake commented on GitHub (Feb 19, 2020):

Are all ignores needed? Can you try with `firejail --allow-debuggers --ignore=caps --ignore=nodbus firefox`?

@byteit101 commented on GitHub (Feb 23, 2020):

- `firejail --ignore=seccomp --ignore=caps --ignore=nodbus firefox` **shows** the dialog
- `firejail --allow-debuggers --ignore=caps --ignore=nodbus firefox` **shows** the dialog
- `firejail --allow-debuggers firefox` **shows** the dialog
- `firejail firefox` **doesn't** show the dialog

@rusty-snake commented on GitHub (Feb 23, 2020):

To summarize:

- `firejail --allow-debuggers firefox`
- or `firejail --seccomp.drop=@default --ignore=seccomp firefox`
- or `firejail '--seccomp=!ptrace' firefox`

and @Vincent43's AA rule for AppArmor users.

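An added example (not from this thread or from the firejail project) of the triage the thread walks through: crass's procedure of reading `type=1326` seccomp audit records, mapping the syscall number to a name and building a `--seccomp.keep=` argument, plus byteit101's AppArmor `ptrace` denials, which it turns into the rule from the summary. The x86_64 syscall table is a partial hand-copied subset (the full mapping comes from `firejail --debug-syscalls`), so anything it cannot map, such as a `compat=1` record, is reported for manual lookup; the sample lines are constructed from the ones quoted above, with `plugin-container` and the syscall=101 record being invented.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Partial x86_64 syscall table (audit arch=c000003e), hand-copied for this
# example. The full number->name mapping for your kernel comes from
# `firejail --debug-syscalls`, which is what step 3 of the procedure uses.
X86_64_SYSCALLS: Dict[int, str] = {
    0: "read", 1: "write", 2: "open", 3: "close", 8: "lseek", 9: "mmap",
    56: "clone", 57: "fork", 59: "execve", 62: "kill", 101: "ptrace",
    231: "exit_group",
}
SYSCALL_TABLES: Dict[str, Dict[int, str]] = {"c000003e": X86_64_SYSCALLS}

# key=value pairs; values are either "quoted strings" or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_fields(line: str) -> Dict[str, str]:
    """Split an audit/journal line into its key=value fields, dropping quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def syscall_name(arch: str, nr: int) -> Optional[str]:
    """Map an audit arch id and syscall number to a name, or None if unknown."""
    return SYSCALL_TABLES.get(arch, {}).get(nr)


def seccomp_denials(lines: List[str]) -> List[Tuple[str, int]]:
    """(arch, syscall number) for every type=1326 (AUDIT_SECCOMP) record."""
    found = []
    for line in lines:
        f = parse_audit_fields(line)
        if f.get("type") == "1326" and "syscall" in f:
            found.append((f.get("arch", "?"), int(f["syscall"])))
    return found


def apparmor_ptrace_masks(lines: List[str]) -> Dict[str, Set[str]]:
    """Denied ptrace masks per AppArmor profile, from AVC / type=1400 records."""
    masks: Dict[str, Set[str]] = {}
    for line in lines:
        f = parse_audit_fields(line)
        if f.get("apparmor") == "DENIED" and f.get("operation") == "ptrace":
            masks.setdefault(f["profile"], set()).add(f["denied_mask"])
    return masks


def triage(lines: List[str]) -> Dict[str, object]:
    """Turn raw audit lines into the firejail / AppArmor changes to try."""
    names: Set[str] = set()
    unmapped: List[Tuple[str, int]] = []
    for arch, nr in seccomp_denials(lines):
        name = syscall_name(arch, nr)
        if name is None:
            unmapped.append((arch, nr))  # unknown arch (e.g. compat=1) or number
        else:
            names.add(name)
    # Vincent43's rule from the thread, with the masks that were actually denied
    rules = {profile: "ptrace (%s) peer=@{profile_name}," % ",".join(sorted(m))
             for profile, m in apparmor_ptrace_masks(lines).items()}
    return {
        "seccomp_keep": ("--seccomp.keep=" + ",".join(sorted(names))) if names else None,
        # ptrace in the denied set is the case the summary solves with --allow-debuggers
        "needs_allow_debuggers": "ptrace" in names,
        "unmapped": unmapped,
        "apparmor_rules": rules,
    }


# Constructed sample: the audit line quoted in crass's comment, an invented
# firefox-bin ptrace (syscall 101) denial, an invented i386 (arch=40000003,
# compat=1) record the partial table cannot map, two of byteit101's AppArmor
# lines and one noise line.
SAMPLE_LOG = [
    'audit: type=1326 audit(1539671071.136:146): auid=666 uid=0 gid=0 ses=2 subj==unconfined pid=18184 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=c000003e syscall=8 compat=0 ip=0x7fd821118cd7 code=0x0',
    'audit: type=1326 audit(1581469425.100:330): auid=1000 uid=1000 gid=1000 ses=3 pid=29889 comm="firefox-bin" exe="/usr/lib/firefox/firefox-bin" sig=31 arch=c000003e syscall=101 compat=0 ip=0x7f0000001234 code=0x0',
    'audit: type=1326 audit(1581469425.101:331): auid=1000 uid=1000 gid=1000 ses=3 pid=29890 comm="plugin-container" sig=31 arch=40000003 syscall=8 compat=1 ip=0xf7f00000 code=0x0',
    'Feb 11 20:03:45 debian-box audit[29889]: AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=29889 comm="firefox-bin" requested_mask="trace" denied_mask="trace" peer="firejail-default"',
    'Feb 11 20:03:45 debian-box audit[29889]: AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=29889 comm="firefox-bin" requested_mask="tracedby" denied_mask="tracedby" peer="firejail-default"',
    'Feb 11 20:03:45 debian-box kernel: kauditd_printk_skb: 138 callbacks suppressed',
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Anything listed under `unmapped` still has to be looked up by hand against `firejail --debug-syscalls` before it goes into `--seccomp.keep=`.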
@byteit101 commented on GitHub (Feb 23, 2020):

Correct
