[GH-ISSUE #2324] Firefox using 100% CPU with firejail when downloading files #1550

Closed
opened 2026-05-05 08:12:40 -06:00 by gitea-mirror · 20 comments

Originally created by @mkkot on GitHub (Jan 1, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2324

Firefox 64.0 is using 100% CPU when downloading files via built-in mechanism. To reproduce:
firejail /usr/bin/firefox

Then go to https://www.kernel.org/ or to some other source of big files and simultaneously download as many files as you have CPU cores. Open top or htop and see that Firefox is eating all your cores.

For me, downloading on 4 cores without firejail takes about 30% of CPU, but with firejail it takes 370%.

Of course it doesn't happen when not paired with firejail. It also works correctly with the --noprofile option.

[mk@linux ~]$ firejail --version
firejail version 0.9.56

Compile time support:
	- AppArmor support is disabled
	- AppImage support is enabled
	- chroot support is enabled
	- file and directory whitelisting support is enabled
	- file transfer support is enabled
	- networking support is enabled
	- overlayfs support is enabled
	- private-home support is enabled
	- seccomp-bpf support is enabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled

I also tested with /etc/firejail/firefox.local removed, but there was no difference.

[mk@linux ~]$ firejail --debug /usr/bin/firefox 
Autoselecting /bin/bash as shell
Building quoted command line: '/usr/bin/firefox' 
Command name #firefox#
Found firefox profile in /etc/firejail directory
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/firefox.local
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
DISPLAY=:0.0 parsed as 0
Using the local network stack
Parent pid 11262, child pid 11263
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp.postexec file
Build protocol filter: unix,inet,inet6,netlink
sbox run: /usr/lib/firejail/fseccomp protocol build unix,inet,inet6,netlink /run/firejail/mnt/seccomp.protocol (null) 
Dropping all capabilities
Drop privileges: pid 2, uid 1000, gid 100, nogroups 1
No supplementary groups
Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr, /etc, /var
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /var/lib/sudo
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /home/mk/.config/firejail
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/x11
Mounting tmpfs on /dev
mounting /run/firejail/mnt/dev/snd directory
mounting /run/firejail/mnt/dev/dri directory
mounting /run/firejail/mnt/dev/hidraw0 file
mounting /run/firejail/mnt/dev/hidraw1 file
mounting /run/firejail/mnt/dev/usb directory
Process /dev/shm directory
Remounting /proc and /proc/sys filesystems
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/config.gz
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /usr/lib/modules (requested /lib/modules)
Disable /boot
Disable /run/user/1000/gnupg
Disable /run/user/1000/systemd
Disable /proc/kmsg
Disable /mnt
Disable /media
Disable /run/mount
Directory ${DOWNLOADS} resolved as Pobrane
Debug 405: new_name #/home/mk/Pobrane#, whitelist
Debug 505: fname #/home/mk/Pobrane#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/Pobrane
Debug 405: new_name #/home/mk/Downloads#, whitelist
Debug 505: fname #/home/mk/Downloads#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/Downloads
Debug 405: new_name #/home/mk/.cache/mozilla/firefox#, whitelist
Debug 505: fname #/home/mk/.cache/mozilla/firefox#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.cache/mozilla/firefox
Debug 405: new_name #/home/mk/.mozilla#, whitelist
Debug 505: fname #/home/mk/.mozilla#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.mozilla
Directory ${DOWNLOADS} resolved as Pobrane
Debug 405: new_name #/home/mk/Pobrane#, whitelist
Debug 505: fname #/home/mk/Pobrane#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/Pobrane
Debug 405: new_name #/home/mk/.pki#, whitelist
Debug 505: fname #/home/mk/.pki#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.pki
Debug 405: new_name #/home/mk/.XCompose#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.XCompose
	expanded: /home/mk/.XCompose
	real path: (null)
	realpath: No such file or directory
Debug 405: new_name #/home/mk/.asoundrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.asoundrc
	expanded: /home/mk/.asoundrc
	real path: (null)
	realpath: No such file or directory
Debug 405: new_name #/home/mk/.config/ibus#, whitelist
Debug 505: fname #/home/mk/.config/ibus#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.config/ibus
Debug 405: new_name #/home/mk/.config/mimeapps.list#, whitelist
Debug 505: fname #/home/mk/.config/mimeapps.list#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.config/mimeapps.list
Debug 405: new_name #/home/mk/.config/pkcs11#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/pkcs11
	expanded: /home/mk/.config/pkcs11
	real path: (null)
	realpath: No such file or directory
Debug 405: new_name #/home/mk/.config/user-dirs.dirs#, whitelist
Debug 505: fname #/home/mk/.config/user-dirs.dirs#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.config/user-dirs.dirs
Debug 405: new_name #/home/mk/.drirc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.drirc
	expanded: /home/mk/.drirc
	real path: (null)
	realpath: No such file or directory
Debug 405: new_name #/home/mk/.icons#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.icons
	expanded: /home/mk/.icons
	real path: (null)
	realpath: No such file or directory
Debug 405: new_name #/home/mk/.local/share/applications#, whitelist
Debug 505: fname #/home/mk/.local/share/applications#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.local/share/applications
Debug 405: new_name #/home/mk/.local/share/icons#, whitelist
Debug 505: fname #/home/mk/.local/share/icons#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.local/share/icons
Debug 405: new_name #/home/mk/.local/share/mime#, whitelist
Debug 505: fname #/home/mk/.local/share/mime#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.local/share/mime
Debug 405: new_name #/home/mk/.mime.types#, whitelist
Debug 505: fname #/home/mk/.mime.types#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.mime.types
Debug 405: new_name #/home/mk/.cache/fontconfig#, whitelist
Debug 505: fname #/home/mk/.cache/fontconfig#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.cache/fontconfig
Debug 405: new_name #/home/mk/.config/fontconfig#, whitelist
Debug 505: fname #/home/mk/.config/fontconfig#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.config/fontconfig
Debug 405: new_name #/home/mk/.fontconfig#, whitelist
Debug 505: fname #/home/mk/.fontconfig#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.fontconfig
Debug 405: new_name #/home/mk/.fonts#, whitelist
Debug 505: fname #/home/mk/.fonts#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.fonts
Debug 405: new_name #/home/mk/.fonts.conf#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.fonts.conf
	expanded: /home/mk/.fonts.conf
	real path: (null)
	realpath: No such file or directory
Debug 405: new_name #/home/mk/.fonts.conf.d#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.fonts.conf.d
	expanded: /home/mk/.fonts.conf.d
	real path: (null)
	realpath: No such file or directory
Debug 405: new_name #/home/mk/.fonts.d#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.fonts.d
	expanded: /home/mk/.fonts.d
	real path: (null)
	realpath: No such file or directory
Debug 405: new_name #/home/mk/.local/share/fonts#, whitelist
Debug 505: fname #/home/mk/.local/share/fonts#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.local/share/fonts
Debug 405: new_name #/home/mk/.pangorc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.pangorc
	expanded: /home/mk/.pangorc
	real path: (null)
	realpath: No such file or directory
Debug 405: new_name #/home/mk/.config/gtk-2.0#, whitelist
Debug 505: fname #/home/mk/.config/gtk-2.0#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.config/gtk-2.0
Debug 405: new_name #/home/mk/.config/gtk-3.0#, whitelist
Debug 505: fname #/home/mk/.config/gtk-3.0#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.config/gtk-3.0
Debug 405: new_name #/home/mk/.config/gtkrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/gtkrc
	expanded: /home/mk/.config/gtkrc
	real path: (null)
	realpath: No such file or directory
Debug 405: new_name #/home/mk/.config/gtkrc-2.0#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/gtkrc-2.0
	expanded: /home/mk/.config/gtkrc-2.0
	real path: (null)
	realpath: No such file or directory
Debug 405: new_name #/home/mk/.gnome2#, whitelist
Debug 505: fname #/home/mk/.gnome2#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.gnome2
Debug 405: new_name #/home/mk/.gnome2-private#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.gnome2-private
	expanded: /home/mk/.gnome2-private
	real path: (null)
	realpath: No such file or directory
Debug 405: new_name #/home/mk/.gtk-2.0#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.gtk-2.0
	expanded: /home/mk/.gtk-2.0
	real path: (null)
	realpath: No such file or directory
Debug 405: new_name #/home/mk/.gtkrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.gtkrc
	expanded: /home/mk/.gtkrc
	real path: (null)
	realpath: No such file or directory
Debug 405: new_name #/home/mk/.gtkrc-2.0#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.gtkrc-2.0
	expanded: /home/mk/.gtkrc-2.0
	real path: (null)
	realpath: No such file or directory
Debug 405: new_name #/home/mk/.kde/share/config/gtkrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/gtkrc
	expanded: /home/mk/.kde/share/config/gtkrc
	real path: (null)
	realpath: No such file or directory
Debug 405: new_name #/home/mk/.kde/share/config/gtkrc-2.0#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/gtkrc-2.0
	expanded: /home/mk/.kde/share/config/gtkrc-2.0
	real path: (null)
	realpath: No such file or directory
Debug 405: new_name #/home/mk/.kde4/share/config/gtkrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/gtkrc
	expanded: /home/mk/.kde4/share/config/gtkrc
	real path: (null)
	realpath: No such file or directory
Debug 405: new_name #/home/mk/.kde4/share/config/gtkrc-2.0#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/gtkrc-2.0
	expanded: /home/mk/.kde4/share/config/gtkrc-2.0
	real path: (null)
	realpath: No such file or directory
Debug 405: new_name #/home/mk/.local/share/themes#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.local/share/themes
	expanded: /home/mk/.local/share/themes
	real path: (null)
	realpath: No such file or directory
Debug 405: new_name #/home/mk/.themes#, whitelist
Debug 505: fname #/home/mk/.themes#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.themes
Debug 405: new_name #/home/mk/.config/dconf#, whitelist
Debug 505: fname #/home/mk/.config/dconf#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.config/dconf
Debug 405: new_name #/home/mk/.config/Kvantum#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/Kvantum
	expanded: /home/mk/.config/Kvantum
	real path: (null)
	realpath: No such file or directory
Debug 405: new_name #/home/mk/.config/Trolltech.conf#, whitelist
Debug 505: fname #/home/mk/.config/Trolltech.conf#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.config/Trolltech.conf
Debug 405: new_name #/home/mk/.config/kdeglobals#, whitelist
Debug 505: fname #/home/mk/.config/kdeglobals#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.config/kdeglobals
Debug 405: new_name #/home/mk/.config/kio_httprc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/kio_httprc
	expanded: /home/mk/.config/kio_httprc
	real path: (null)
	realpath: No such file or directory
Debug 405: new_name #/home/mk/.config/kioslaverc#, whitelist
Debug 505: fname #/home/mk/.config/kioslaverc#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.config/kioslaverc
Debug 405: new_name #/home/mk/.config/ksslcablacklist#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/ksslcablacklist
	expanded: /home/mk/.config/ksslcablacklist
	real path: (null)
	realpath: No such file or directory
Debug 405: new_name #/home/mk/.config/qt5ct#, whitelist
Debug 505: fname #/home/mk/.config/qt5ct#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.config/qt5ct
Debug 405: new_name #/home/mk/.kde/share/config/kdeglobals#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/kdeglobals
	expanded: /home/mk/.kde/share/config/kdeglobals
	real path: (null)
	realpath: No such file or directory
Debug 405: new_name #/home/mk/.kde/share/config/kio_httprc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/kio_httprc
	expanded: /home/mk/.kde/share/config/kio_httprc
	real path: (null)
	realpath: No such file or directory
Debug 405: new_name #/home/mk/.kde/share/config/kioslaverc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/kioslaverc
	expanded: /home/mk/.kde/share/config/kioslaverc
	real path: (null)
	realpath: No such file or directory
Debug 405: new_name #/home/mk/.kde/share/config/ksslcablacklist#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/ksslcablacklist
	expanded: /home/mk/.kde/share/config/ksslcablacklist
	real path: (null)
	realpath: No such file or directory
Debug 405: new_name #/home/mk/.kde/share/config/oxygenrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/oxygenrc
	expanded: /home/mk/.kde/share/config/oxygenrc
	real path: (null)
	realpath: No such file or directory
Debug 405: new_name #/home/mk/.kde/share/icons#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/icons
	expanded: /home/mk/.kde/share/icons
	real path: (null)
	realpath: No such file or directory
Debug 405: new_name #/home/mk/.kde4/share/config/kdeglobals#, whitelist
Debug 505: fname #/home/mk/.kde4/share/config/kdeglobals#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.kde4/share/config/kdeglobals
Debug 405: new_name #/home/mk/.kde4/share/config/kio_httprc#, whitelist
Debug 505: fname #/home/mk/.kde4/share/config/kio_httprc#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.kde4/share/config/kio_httprc
Debug 405: new_name #/home/mk/.kde4/share/config/kioslaverc#, whitelist
Debug 505: fname #/home/mk/.kde4/share/config/kioslaverc#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.kde4/share/config/kioslaverc
Debug 405: new_name #/home/mk/.kde4/share/config/ksslcablacklist#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/ksslcablacklist
	expanded: /home/mk/.kde4/share/config/ksslcablacklist
	real path: (null)
	realpath: No such file or directory
Debug 405: new_name #/home/mk/.kde4/share/config/oxygenrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/oxygenrc
	expanded: /home/mk/.kde4/share/config/oxygenrc
	real path: (null)
	realpath: No such file or directory
Debug 405: new_name #/home/mk/.kde4/share/icons#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/icons
	expanded: /home/mk/.kde4/share/icons
	real path: (null)
	realpath: No such file or directory
Debug 405: new_name #/home/mk/.local/share/qt5ct#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.local/share/qt5ct
	expanded: /home/mk/.local/share/qt5ct
	real path: (null)
	realpath: No such file or directory
Debug 405: new_name #/home/mk/.cache/kioexec/krun#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.cache/kioexec/krun
	expanded: /home/mk/.cache/kioexec/krun
	real path: (null)
	realpath: No such file or directory
Debug 405: new_name #/var/lib/dbus#, whitelist
Debug 405: new_name #/var/lib/menu-xdg#, whitelist
Removed whitelist/nowhitelist path: whitelist /var/lib/menu-xdg
	expanded: /var/lib/menu-xdg
	real path: (null)
	realpath: No such file or directory
Debug 405: new_name #/var/cache/fontconfig#, whitelist
Debug 405: new_name #/var/tmp#, whitelist
Debug 405: new_name #/var/run#, whitelist
Replaced whitelist path: whitelist /run
Debug 405: new_name #/var/lock#, whitelist
Replaced whitelist path: whitelist /run/lock
Drop privileges: pid 3, uid 1000, gid 100, nogroups 0
Supplementary groups: 50 
Mounting a new /home directory
Mounting a new /root directory
Create a new user directory
Drop privileges: pid 4, uid 1000, gid 100, nogroups 0
Supplementary groups: 50 
Drop privileges: pid 5, uid 1000, gid 100, nogroups 0
Supplementary groups: 50 
Mounting tmpfs on /var directory
Whitelisting /home/mk/Pobrane
634 627 8:3 /mk/Pobrane /home/mk/Pobrane rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/Pobrane dir=/home/mk/Pobrane fstype=ext4
Whitelisting /home/mk/Downloads
635 627 8:3 /mk/Downloads /home/mk/Downloads rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/Downloads dir=/home/mk/Downloads fstype=ext4
Whitelisting /home/mk/.cache/mozilla/firefox
636 627 0:46 /mozilla/firefox /home/mk/.cache/mozilla/firefox rw,nosuid,nodev,relatime master:69 - tmpfs tmpfs rw,size=102400k
fsname=/mozilla/firefox dir=/home/mk/.cache/mozilla/firefox fstype=tmpfs
Whitelisting /home/mk/.mozilla
637 627 8:3 /mk/.mozilla /home/mk/.mozilla rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.mozilla dir=/home/mk/.mozilla fstype=ext4
Whitelisting /home/mk/Pobrane
638 634 8:3 /mk/Pobrane /home/mk/Pobrane rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/Pobrane dir=/home/mk/Pobrane fstype=ext4
Whitelisting /home/mk/.pki
639 627 8:3 /mk/.pki /home/mk/.pki rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.pki dir=/home/mk/.pki fstype=ext4
Whitelisting /home/mk/.config/ibus
640 627 8:3 /mk/.config/ibus /home/mk/.config/ibus rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.config/ibus dir=/home/mk/.config/ibus fstype=ext4
Whitelisting /home/mk/.config/mimeapps.list
641 627 8:3 /mk/.config/mimeapps.list /home/mk/.config/mimeapps.list rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.config/mimeapps.list dir=/home/mk/.config/mimeapps.list fstype=ext4
Whitelisting /home/mk/.config/user-dirs.dirs
642 627 8:3 /mk/.config/user-dirs.dirs /home/mk/.config/user-dirs.dirs rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.config/user-dirs.dirs dir=/home/mk/.config/user-dirs.dirs fstype=ext4
Whitelisting /home/mk/.local/share/applications
643 627 8:3 /mk/.local/share/applications /home/mk/.local/share/applications rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.local/share/applications dir=/home/mk/.local/share/applications fstype=ext4
Whitelisting /home/mk/.local/share/icons
644 627 8:3 /mk/.local/share/icons /home/mk/.local/share/icons rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.local/share/icons dir=/home/mk/.local/share/icons fstype=ext4
Whitelisting /home/mk/.local/share/mime
645 627 8:3 /mk/.local/share/mime /home/mk/.local/share/mime rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.local/share/mime dir=/home/mk/.local/share/mime fstype=ext4
Whitelisting /home/mk/.mime.types
646 627 8:3 /mk/.mime.types /home/mk/.mime.types rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.mime.types dir=/home/mk/.mime.types fstype=ext4
Whitelisting /home/mk/.cache/fontconfig
647 627 0:46 /fontconfig /home/mk/.cache/fontconfig rw,nosuid,nodev,relatime master:69 - tmpfs tmpfs rw,size=102400k
fsname=/fontconfig dir=/home/mk/.cache/fontconfig fstype=tmpfs
Whitelisting /home/mk/.config/fontconfig
648 627 8:3 /mk/.config/fontconfig /home/mk/.config/fontconfig rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.config/fontconfig dir=/home/mk/.config/fontconfig fstype=ext4
Whitelisting /home/mk/.fontconfig
649 627 8:3 /mk/.fontconfig /home/mk/.fontconfig rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.fontconfig dir=/home/mk/.fontconfig fstype=ext4
Whitelisting /home/mk/.fonts
650 627 8:3 /mk/.fonts /home/mk/.fonts rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.fonts dir=/home/mk/.fonts fstype=ext4
Whitelisting /home/mk/.local/share/fonts
651 627 8:3 /mk/.local/share/fonts /home/mk/.local/share/fonts rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.local/share/fonts dir=/home/mk/.local/share/fonts fstype=ext4
Whitelisting /home/mk/.config/gtk-2.0
652 627 8:3 /mk/.config/gtk-2.0 /home/mk/.config/gtk-2.0 rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.config/gtk-2.0 dir=/home/mk/.config/gtk-2.0 fstype=ext4
Whitelisting /home/mk/.config/gtk-3.0
653 627 8:3 /mk/.config/gtk-3.0 /home/mk/.config/gtk-3.0 rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.config/gtk-3.0 dir=/home/mk/.config/gtk-3.0 fstype=ext4
Whitelisting /home/mk/.gnome2
654 627 8:3 /mk/.gnome2 /home/mk/.gnome2 rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.gnome2 dir=/home/mk/.gnome2 fstype=ext4
Whitelisting /home/mk/.themes
655 627 8:3 /mk/.themes /home/mk/.themes rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.themes dir=/home/mk/.themes fstype=ext4
Whitelisting /home/mk/.config/dconf
656 627 8:3 /mk/.config/dconf /home/mk/.config/dconf rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.config/dconf dir=/home/mk/.config/dconf fstype=ext4
Whitelisting /home/mk/.config/Trolltech.conf
657 627 8:3 /mk/.config/Trolltech.conf /home/mk/.config/Trolltech.conf rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.config/Trolltech.conf dir=/home/mk/.config/Trolltech.conf fstype=ext4
Whitelisting /home/mk/.config/kdeglobals
658 627 8:3 /mk/.config/kdeglobals /home/mk/.config/kdeglobals rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.config/kdeglobals dir=/home/mk/.config/kdeglobals fstype=ext4
Whitelisting /home/mk/.config/kioslaverc
659 627 8:3 /mk/.config/kioslaverc /home/mk/.config/kioslaverc rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.config/kioslaverc dir=/home/mk/.config/kioslaverc fstype=ext4
Whitelisting /home/mk/.config/qt5ct
660 627 8:3 /mk/.config/qt5ct /home/mk/.config/qt5ct rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.config/qt5ct dir=/home/mk/.config/qt5ct fstype=ext4
Whitelisting /home/mk/.kde4/share/config/kdeglobals
661 627 8:3 /mk/.kde4/share/config/kdeglobals /home/mk/.kde4/share/config/kdeglobals rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.kde4/share/config/kdeglobals dir=/home/mk/.kde4/share/config/kdeglobals fstype=ext4
Whitelisting /home/mk/.kde4/share/config/kio_httprc
662 627 8:3 /mk/.kde4/share/config/kio_httprc /home/mk/.kde4/share/config/kio_httprc rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.kde4/share/config/kio_httprc dir=/home/mk/.kde4/share/config/kio_httprc fstype=ext4
Whitelisting /home/mk/.kde4/share/config/kioslaverc
663 627 8:3 /mk/.kde4/share/config/kioslaverc /home/mk/.kde4/share/config/kioslaverc rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.kde4/share/config/kioslaverc dir=/home/mk/.kde4/share/config/kioslaverc fstype=ext4
Whitelisting /var/lib/dbus
664 633 8:2 /lib/dbus /var/lib/dbus ro,nosuid,nodev,noexec,noatime master:63 - ext4 /dev/sda2 rw
fsname=/lib/dbus dir=/var/lib/dbus fstype=ext4
Whitelisting /var/cache/fontconfig
665 633 8:2 /cache/fontconfig /var/cache/fontconfig ro,nosuid,nodev,noexec,noatime master:63 - ext4 /dev/sda2 rw
fsname=/cache/fontconfig dir=/var/cache/fontconfig fstype=ext4
Whitelisting /var/tmp
666 633 0:70 / /var/tmp rw,nosuid,nodev,noexec - tmpfs tmpfs rw
fsname=/ dir=/var/tmp fstype=tmpfs
Created symbolic link /var/run -> /run
Created symbolic link /var/lock -> /run/lock
Directory ${DOWNLOADS} resolved as Pobrane
Mounting noexec /home/mk/Pobrane
Mounting noexec /home/mk/Downloads
Disable /etc/X11/Xsession.d
Disable /etc/xdg/autostart
Mounting read-only /home/mk/.Xauthority
Mounting read-only /home/mk/.config/kdeglobals
Mounting read-only /home/mk/.config/kioslaverc
Mounting read-only /home/mk/.kde4/share/config/kdeglobals
Mounting read-only /home/mk/.kde4/share/config/kio_httprc
Mounting read-only /home/mk/.kde4/share/config/kioslaverc
Disable /etc/anacrontab
Disable /etc/cron.daily
Disable /etc/cron.hourly
Disable /etc/cron.weekly
Disable /etc/cron.monthly
Disable /etc/cron.d
Disable /etc/cron.deny
Disable /etc/profile.d
Disable /etc/kernel
Disable /etc/grub.d
Disable /etc/modules-load.d
Disable /etc/logrotate.conf
Disable /etc/logrotate.d
Mounting read-only /home/mk/.bashrc
Mounting read-only /home/mk/.local/share/applications
Not blacklist /home/mk/.pki
Disable /etc/group-
Disable /etc/gshadow
Disable /etc/gshadow-
Disable /etc/passwd-
Disable /etc/shadow
Disable /etc/shadow-
Disable /etc/ssh
Warning: /sbin directory link was not blacklisted
Disable /usr/local/sbin
Warning: /usr/sbin directory link was not blacklisted
Disable /usr/bin/chage
Disable /usr/bin/chfn
Disable /usr/bin/chsh
Disable /usr/bin/crontab
Disable /usr/bin/expiry
Disable /usr/bin/fusermount
Disable /usr/bin/gpasswd
Disable /usr/bin/ksu
Disable /usr/bin/mount
Disable /usr/bin/ncat
Disable /usr/bin/newgidmap
Disable /usr/bin/newgrp
Disable /usr/bin/newuidmap
Disable /usr/bin/ntfs-3g
Disable /usr/bin/pkexec
Disable /usr/bin/procmail
Disable /usr/bin/sg
Disable /usr/bin/strace
Disable /usr/bin/su
Disable /usr/bin/sudo
Disable /usr/bin/umount
Disable /usr/bin/unix_chkpwd
Disable /usr/bin/xev
Disable /usr/bin/xinput
Disable /usr/bin/xfce4-terminal
Mounting noexec /tmp/.X11-unix
Disable /usr/bin/bwrap
Disable /usr/bin/as
Disable /usr/bin/gcc (requested /usr/bin/cc)
Disable /usr/bin/c++filt
Disable /usr/bin/c++
Disable /usr/bin/c89
Disable /usr/bin/c99
Disable /usr/bin/cpp
Disable /usr/bin/cpp2html
Disable /usr/bin/g++
Disable /usr/bin/gcc
Disable /usr/bin/gcc-ranlib
Disable /usr/bin/gcc-nm
Disable /usr/bin/gcc-ar
Disable /usr/bin/gccmakedep
Disable /usr/bin/ld
Disable /usr/bin/x86_64-pc-linux-gnu-gcc-ranlib
Disable /usr/bin/x86_64-pc-linux-gnu-gcc
Disable /usr/bin/x86_64-pc-linux-gnu-gcc-8.2.1
Disable /usr/bin/x86_64-pc-linux-gnu-gcc-nm
Disable /usr/bin/x86_64-pc-linux-gnu-gcc-ar
Disable /usr/bin/x86_64-pc-linux-gnu-g++
Disable /usr/bin/x86_64-pc-linux-gnu-gcc-ranlib
Disable /usr/bin/x86_64-pc-linux-gnu-gcc
Disable /usr/bin/x86_64-pc-linux-gnu-gcc-8.2.1
Disable /usr/bin/x86_64-pc-linux-gnu-gcc-nm
Disable /usr/bin/x86_64-pc-linux-gnu-gcc-ar
Disable /usr/bin/x86_64-pc-linux-gnu-g++
Disable /usr/include
Disable /usr/bin/clang-format
Disable /usr/bin/clang-include-fixer
Disable /usr/bin/clang-apply-replacements
Disable /usr/bin/clang-offload-bundler
Disable /usr/bin/clangd
Disable /usr/bin/clang-refactor
Disable /usr/bin/clang-reorder-fields
Disable /usr/bin/clang-7 (requested /usr/bin/clang)
Disable /usr/bin/clang-import-test
Disable /usr/bin/clang-func-mapping
Disable /usr/bin/clang-query
Disable /usr/bin/clang-7
Disable /usr/bin/clang-check
Disable /usr/bin/clang-tidy
Disable /usr/bin/clang-7 (requested /usr/bin/clang-cpp)
Disable /usr/bin/clang-7 (requested /usr/bin/clang++)
Disable /usr/bin/clang-rename
Disable /usr/bin/clang-change-namespace
Disable /usr/bin/clang-7 (requested /usr/bin/clang-cl)
Disable /usr/bin/llvm-tblgen
Disable /usr/bin/llvm-undname
Disable /usr/bin/llvm-cxxdump
Disable /usr/bin/llvm-c-test
Disable /usr/bin/llvm-nm
Disable /usr/bin/llvm-pdbutil
Disable /usr/bin/llvm-rtdyld
Disable /usr/bin/llvm-mca
Disable /usr/bin/llvm-ar (requested /usr/bin/llvm-dlltool)
Disable /usr/bin/llvm-cat
Disable /usr/bin/llvm-strings
Disable /usr/bin/llvm-stress
Disable /usr/bin/llvm-objcopy (requested /usr/bin/llvm-strip)
Disable /usr/bin/llvm-objcopy
Disable /usr/bin/llvm-dwarfdump
Disable /usr/bin/llvm-PerfectShuffle
Disable /usr/bin/llvm-exegesis
Disable /usr/bin/llvm-extract
Disable /usr/bin/llvm-size
Disable /usr/bin/llvm-ar
Disable /usr/bin/llvm-bcanalyzer
Disable /usr/bin/llvm-config
Disable /usr/bin/llvm-split
Disable /usr/bin/llvm-mc
Disable /usr/bin/llvm-diff
Disable /usr/bin/llvm-profdata
Disable /usr/bin/llvm-objdump
Disable /usr/bin/llvm-opt-report
Disable /usr/bin/llvm-rc
Disable /usr/bin/llvm-cfi-verify
Disable /usr/bin/llvm-ar (requested /usr/bin/llvm-lib)
Disable /usr/bin/llvm-mt
Disable /usr/bin/llvm-readobj (requested /usr/bin/llvm-readelf)
Disable /usr/bin/llvm-lto
Disable /usr/bin/llvm-symbolizer
Disable /usr/bin/llvm-link
Disable /usr/bin/llvm-cvtres
Disable /usr/bin/llvm-dwp
Disable /usr/bin/llvm-lto2
Disable /usr/bin/llvm-as
Disable /usr/bin/llvm-xray
Disable /usr/bin/llvm-readobj
Disable /usr/bin/llvm-ar (requested /usr/bin/llvm-ranlib)
Disable /usr/bin/llvm-dis
Disable /usr/bin/llvm-cov
Disable /usr/bin/llvm-cxxfilt
Disable /usr/bin/llvm-modextract
Disable /usr/lib/jvm/java-8-openjdk/jre/bin/java (requested /usr/bin/java)
Disable /usr/lib/jvm/java-8-openjdk/jre/bin/java (requested /usr/lib/jvm/default/bin/java)
Disable /usr/share/java
Disable /usr/bin/rust-gdb
Disable /usr/bin/rust-lldb
Disable /usr/bin/rustc
Disable /usr/bin/openssl
Disable /usr/bin/openssl-1.0
Disable /usr/bin/luac5.2
Disable /usr/bin/lua
Disable /usr/bin/lua (requested /usr/bin/lua5.3)
Disable /usr/bin/luac5.1
Disable /usr/bin/luac (requested /usr/bin/luac5.3)
Disable /usr/bin/lua5.2
Disable /usr/bin/luac
Disable /usr/bin/lua5.1
Disable /usr/lib/lua
Disable /usr/bin/core_perl/cpan
Disable /usr/bin/core_perl
Disable /usr/bin/perl
Disable /usr/lib/perl5
Disable /usr/share/perl-image-exiftool
Disable /usr/share/perl5
Disable /usr/bin/ruby
Disable /usr/lib/ruby
Disable /usr/bin/python2.7 (requested /usr/bin/python2)
Disable /usr/bin/python2.7-config (requested /usr/bin/python2-config)
Disable /usr/bin/python2-pylupdate5
Disable /usr/bin/python2-pyrcc5
Disable /usr/bin/python2.7-config
Disable /usr/bin/python2-pyuic5
Disable /usr/bin/python2.7
Disable /usr/lib/python2.6
Disable /usr/lib/python2.7
Disable /usr/bin/python3.7m-config (requested /usr/bin/python3.7-config)
Disable /usr/bin/python3.7 (requested /usr/bin/python3)
Disable /usr/bin/python3.7m-config (requested /usr/bin/python3-config)
Disable /usr/bin/python3.7m
Disable /usr/bin/python3.7m-config
Disable /usr/bin/python3.7
Disable /usr/lib/python3.6
Disable /usr/lib/python3.7
Not blacklist /home/mk/.mozilla
Disable /tmp/ssh-ZaxvlS8w0ta9
Not blacklist /home/mk/.cache/mozilla
Mounting read-only /home/mk/.config/user-dirs.dirs
Mounting read-only /home/mk/.local/share/applications
Mounting noexec /home/mk
Mounting noexec /tmp
Disable /sys/fs
Disable /sys/module
Drop privileges: pid 6, uid 1000, gid 100, nogroups 0
Supplementary groups: 50 
873 627 0:68 /pulse /home/mk/.config/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755
fsname=/pulse dir=/home/mk/.config/pulse fstype=tmpfs
blacklist /dev/dvb
blacklist /dev/sr0
Create the new ld.so.preload file
Post-exec seccomp protector enabled
Mount the new ld.so.preload file
Current directory: /home/mk
DISPLAY=:0.0 parsed as 0
Dropping all capabilities
Install protocol filter: unix,inet,inet6,netlink
configuring 16 seccomp entries in /run/firejail/mnt/seccomp.protocol
sbox run: /usr/lib/firejail/fsec-print /run/firejail/mnt/seccomp.protocol (null) 
Dropping all capabilities
Drop privileges: pid 7, uid 1000, gid 100, nogroups 1
No supplementary groups
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 15 01 00 00000029   jeq socket 0006 (false 0005)
 0005: 06 00 00 7fff0000   ret ALLOW
 0006: 20 00 00 00000010   ld  data.args[0]
 0007: 15 00 01 00000001   jeq 1 0008 (false 0009)
 0008: 06 00 00 7fff0000   ret ALLOW
 0009: 15 00 01 00000002   jeq 2 000a (false 000b)
 000a: 06 00 00 7fff0000   ret ALLOW
 000b: 15 00 01 0000000a   jeq a 000c (false 000d)
 000c: 06 00 00 7fff0000   ret ALLOW
 000d: 15 00 01 00000010   jeq 10 000e (false 000f)
 000e: 06 00 00 7fff0000   ret ALLOW
 000f: 06 00 00 0005005f   ret ERRNO(95)
Build drop seccomp filter
sbox run: /usr/lib/firejail/fseccomp drop /run/firejail/mnt/seccomp /run/firejail/mnt/seccomp.postexec @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice (null) 
Dropping all capabilities
Drop privileges: pid 8, uid 1000, gid 100, nogroups 1
No supplementary groups
Seccomp list in: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice, check list: @default-keep, prelist: adjtimex,clock_adjtime,clock_settime,settimeofday,modify_ldt,lookup_dcookie,perf_event_open,process_vm_writev,delete_module,finit_module,init_module,_sysctl,afs_syscall,create_module,get_kernel_syms,getpmsg,putpmsg,query_module,security,sysfs,tuxcall,uselib,ustat,vserver,ioperm,iopl,kexec_load,kexec_file_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount2,userfaultfd,vhangup,vmsplice,
sbox run: /usr/lib/firejail/fsec-optimize /run/firejail/mnt/seccomp (null) 
Dropping all capabilities
Drop privileges: pid 9, uid 1000, gid 100, nogroups 1
No supplementary groups
configuring 73 seccomp entries in /run/firejail/mnt/seccomp
sbox run: /usr/lib/firejail/fsec-print /run/firejail/mnt/seccomp (null) 
Dropping all capabilities
Drop privileges: pid 10, uid 1000, gid 100, nogroups 1
No supplementary groups
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 35 01 00 40000000   jge X32_ABI 0006 (false 0005)
 0005: 35 01 00 00000000   jge read 0007 (false 0006)
 0006: 06 00 00 00050001   ret ERRNO(1)
 0007: 15 40 00 0000009f   jeq adjtimex 0048 (false 0008)
 0008: 15 3f 00 00000131   jeq clock_adjtime 0048 (false 0009)
 0009: 15 3e 00 000000e3   jeq clock_settime 0048 (false 000a)
 000a: 15 3d 00 000000a4   jeq settimeofday 0048 (false 000b)
 000b: 15 3c 00 0000009a   jeq modify_ldt 0048 (false 000c)
 000c: 15 3b 00 000000d4   jeq lookup_dcookie 0048 (false 000d)
 000d: 15 3a 00 0000012a   jeq perf_event_open 0048 (false 000e)
 000e: 15 39 00 00000137   jeq process_vm_writev 0048 (false 000f)
 000f: 15 38 00 000000b0   jeq delete_module 0048 (false 0010)
 0010: 15 37 00 00000139   jeq finit_module 0048 (false 0011)
 0011: 15 36 00 000000af   jeq init_module 0048 (false 0012)
 0012: 15 35 00 0000009c   jeq _sysctl 0048 (false 0013)
 0013: 15 34 00 000000b7   jeq afs_syscall 0048 (false 0014)
 0014: 15 33 00 000000ae   jeq create_module 0048 (false 0015)
 0015: 15 32 00 000000b1   jeq get_kernel_syms 0048 (false 0016)
 0016: 15 31 00 000000b5   jeq getpmsg 0048 (false 0017)
 0017: 15 30 00 000000b6   jeq putpmsg 0048 (false 0018)
 0018: 15 2f 00 000000b2   jeq query_module 0048 (false 0019)
 0019: 15 2e 00 000000b9   jeq security 0048 (false 001a)
 001a: 15 2d 00 0000008b   jeq sysfs 0048 (false 001b)
 001b: 15 2c 00 000000b8   jeq tuxcall 0048 (false 001c)
 001c: 15 2b 00 00000086   jeq uselib 0048 (false 001d)
 001d: 15 2a 00 00000088   jeq ustat 0048 (false 001e)
 001e: 15 29 00 000000ec   jeq vserver 0048 (false 001f)
 001f: 15 28 00 000000ad   jeq ioperm 0048 (false 0020)
 0020: 15 27 00 000000ac   jeq iopl 0048 (false 0021)
 0021: 15 26 00 000000f6   jeq kexec_load 0048 (false 0022)
 0022: 15 25 00 00000140   jeq kexec_file_load 0048 (false 0023)
 0023: 15 24 00 000000a9   jeq reboot 0048 (false 0024)
 0024: 15 23 00 000000ee   jeq set_mempolicy 0048 (false 0025)
 0025: 15 22 00 00000100   jeq migrate_pages 0048 (false 0026)
 0026: 15 21 00 00000117   jeq move_pages 0048 (false 0027)
 0027: 15 20 00 000000ed   jeq mbind 0048 (false 0028)
 0028: 15 1f 00 000000a7   jeq swapon 0048 (false 0029)
 0029: 15 1e 00 000000a8   jeq swapoff 0048 (false 002a)
 002a: 15 1d 00 000000a3   jeq acct 0048 (false 002b)
 002b: 15 1c 00 000000f8   jeq add_key 0048 (false 002c)
 002c: 15 1b 00 00000141   jeq bpf 0048 (false 002d)
 002d: 15 1a 00 0000012c   jeq fanotify_init 0048 (false 002e)
 002e: 15 19 00 000000d2   jeq io_cancel 0048 (false 002f)
 002f: 15 18 00 000000cf   jeq io_destroy 0048 (false 0030)
 0030: 15 17 00 000000d0   jeq io_getevents 0048 (false 0031)
 0031: 15 16 00 000000ce   jeq io_setup 0048 (false 0032)
 0032: 15 15 00 000000d1   jeq io_submit 0048 (false 0033)
 0033: 15 14 00 000000fb   jeq ioprio_set 0048 (false 0034)
 0034: 15 13 00 00000138   jeq kcmp 0048 (false 0035)
 0035: 15 12 00 000000fa   jeq keyctl 0048 (false 0036)
 0036: 15 11 00 000000a5   jeq mount 0048 (false 0037)
 0037: 15 10 00 0000012f   jeq name_to_handle_at 0048 (false 0038)
 0038: 15 0f 00 000000b4   jeq nfsservctl 0048 (false 0039)
 0039: 15 0e 00 00000130   jeq open_by_handle_at 0048 (false 003a)
 003a: 15 0d 00 00000087   jeq personality 0048 (false 003b)
 003b: 15 0c 00 0000009b   jeq pivot_root 0048 (false 003c)
 003c: 15 0b 00 00000136   jeq process_vm_readv 0048 (false 003d)
 003d: 15 0a 00 00000065   jeq ptrace 0048 (false 003e)
 003e: 15 09 00 000000d8   jeq remap_file_pages 0048 (false 003f)
 003f: 15 08 00 000000f9   jeq request_key 0048 (false 0040)
 0040: 15 07 00 000000ab   jeq setdomainname 0048 (false 0041)
 0041: 15 06 00 000000aa   jeq sethostname 0048 (false 0042)
 0042: 15 05 00 00000067   jeq syslog 0048 (false 0043)
 0043: 15 04 00 000000a6   jeq umount2 0048 (false 0044)
 0044: 15 03 00 00000143   jeq userfaultfd 0048 (false 0045)
 0045: 15 02 00 00000099   jeq vhangup 0048 (false 0046)
 0046: 15 01 00 00000116   jeq vmsplice 0048 (false 0047)
 0047: 06 00 00 7fff0000   ret ALLOW
 0048: 06 00 00 00000000   ret KILL
seccomp filter configured
noroot user namespace installed
Dropping all capabilities
NO_NEW_PRIVS set
Drop privileges: pid 1, uid 1000, gid 100, nogroups 1
No supplementary groups
starting application
LD_PRELOAD=(null)
execvp argument 0: /usr/bin/firefox
Child process initialized in 152.33 ms
Installing /run/firejail/mnt/seccomp seccomp filter
Installing /run/firejail/mnt/seccomp.protocol seccomp filter
monitoring pid 11
Disable /usr/bin/llvm-bcanalyzer Disable /usr/bin/llvm-config Disable /usr/bin/llvm-split Disable /usr/bin/llvm-mc Disable /usr/bin/llvm-diff Disable /usr/bin/llvm-profdata Disable /usr/bin/llvm-objdump Disable /usr/bin/llvm-opt-report Disable /usr/bin/llvm-rc Disable /usr/bin/llvm-cfi-verify Disable /usr/bin/llvm-ar (requested /usr/bin/llvm-lib) Disable /usr/bin/llvm-mt Disable /usr/bin/llvm-readobj (requested /usr/bin/llvm-readelf) Disable /usr/bin/llvm-lto Disable /usr/bin/llvm-symbolizer Disable /usr/bin/llvm-link Disable /usr/bin/llvm-cvtres Disable /usr/bin/llvm-dwp Disable /usr/bin/llvm-lto2 Disable /usr/bin/llvm-as Disable /usr/bin/llvm-xray Disable /usr/bin/llvm-readobj Disable /usr/bin/llvm-ar (requested /usr/bin/llvm-ranlib) Disable /usr/bin/llvm-dis Disable /usr/bin/llvm-cov Disable /usr/bin/llvm-cxxfilt Disable /usr/bin/llvm-modextract Disable /usr/lib/jvm/java-8-openjdk/jre/bin/java (requested /usr/bin/java) Disable /usr/lib/jvm/java-8-openjdk/jre/bin/java (requested /usr/lib/jvm/default/bin/java) Disable /usr/share/java Disable /usr/bin/rust-gdb Disable /usr/bin/rust-lldb Disable /usr/bin/rustc Disable /usr/bin/openssl Disable /usr/bin/openssl-1.0 Disable /usr/bin/luac5.2 Disable /usr/bin/lua Disable /usr/bin/lua (requested /usr/bin/lua5.3) Disable /usr/bin/luac5.1 Disable /usr/bin/luac (requested /usr/bin/luac5.3) Disable /usr/bin/lua5.2 Disable /usr/bin/luac Disable /usr/bin/lua5.1 Disable /usr/lib/lua Disable /usr/bin/core_perl/cpan Disable /usr/bin/core_perl Disable /usr/bin/perl Disable /usr/lib/perl5 Disable /usr/share/perl-image-exiftool Disable /usr/share/perl5 Disable /usr/bin/ruby Disable /usr/lib/ruby Disable /usr/bin/python2.7 (requested /usr/bin/python2) Disable /usr/bin/python2.7-config (requested /usr/bin/python2-config) Disable /usr/bin/python2-pylupdate5 Disable /usr/bin/python2-pyrcc5 Disable /usr/bin/python2.7-config Disable /usr/bin/python2-pyuic5 Disable /usr/bin/python2.7 Disable /usr/lib/python2.6 Disable /usr/lib/python2.7 
Disable /usr/bin/python3.7m-config (requested /usr/bin/python3.7-config) Disable /usr/bin/python3.7 (requested /usr/bin/python3) Disable /usr/bin/python3.7m-config (requested /usr/bin/python3-config) Disable /usr/bin/python3.7m Disable /usr/bin/python3.7m-config Disable /usr/bin/python3.7 Disable /usr/lib/python3.6 Disable /usr/lib/python3.7 Not blacklist /home/mk/.mozilla Disable /tmp/ssh-ZaxvlS8w0ta9 Not blacklist /home/mk/.cache/mozilla Mounting read-only /home/mk/.config/user-dirs.dirs Mounting read-only /home/mk/.local/share/applications Mounting noexec /home/mk Mounting noexec /tmp Disable /sys/fs Disable /sys/module Drop privileges: pid 6, uid 1000, gid 100, nogroups 0 Supplementary groups: 50 873 627 0:68 /pulse /home/mk/.config/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755 fsname=/pulse dir=/home/mk/.config/pulse fstype=tmpfs blacklist /dev/dvb blacklist /dev/sr0 Create the new ld.so.preload file Post-exec seccomp protector enabled Mount the new ld.so.preload file Current directory: /home/mk DISPLAY=:0.0 parsed as 0 Dropping all capabilities Install protocol filter: unix,inet,inet6,netlink configuring 16 seccomp entries in /run/firejail/mnt/seccomp.protocol sbox run: /usr/lib/firejail/fsec-print /run/firejail/mnt/seccomp.protocol (null) Dropping all capabilities Drop privileges: pid 7, uid 1000, gid 100, nogroups 1 No supplementary groups line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 01 00 c000003e jeq ARCH_64 0003 (false 0002) 0002: 06 00 00 7fff0000 ret ALLOW 0003: 20 00 00 00000000 ld data.syscall-number 0004: 15 01 00 00000029 jeq socket 0006 (false 0005) 0005: 06 00 00 7fff0000 ret ALLOW 0006: 20 00 00 00000010 ld data.args[0] 0007: 15 00 01 00000001 jeq 1 0008 (false 0009) 0008: 06 00 00 7fff0000 ret ALLOW 0009: 15 00 01 00000002 jeq 2 000a (false 000b) 000a: 06 00 00 7fff0000 ret ALLOW 000b: 15 00 01 0000000a jeq a 000c (false 000d) 000c: 06 00 00 7fff0000 ret ALLOW 000d: 15 00 01 
00000010 jeq 10 000e (false 000f) 000e: 06 00 00 7fff0000 ret ALLOW 000f: 06 00 00 0005005f ret ERRNO(95) Build drop seccomp filter sbox run: /usr/lib/firejail/fseccomp drop /run/firejail/mnt/seccomp /run/firejail/mnt/seccomp.postexec @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice (null) Dropping all capabilities Drop privileges: pid 8, uid 1000, gid 100, nogroups 1 No supplementary groups Seccomp list in: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice, check list: @default-keep, prelist: adjtimex,clock_adjtime,clock_settime,settimeofday,modify_ldt,lookup_dcookie,perf_event_open,process_vm_writev,delete_module,finit_module,init_module,_sysctl,afs_syscall,create_module,get_kernel_syms,getpmsg,putpmsg,query_module,security,sysfs,tuxcall,uselib,ustat,vserver,ioperm,iopl,kexec_load,kexec_file_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount2,userfaultfd,vhangup,vmsplice, sbox run: /usr/lib/firejail/fsec-optimize /run/firejail/mnt/seccomp (null) Dropping all capabilities Drop 
privileges: pid 9, uid 1000, gid 100, nogroups 1 No supplementary groups configuring 73 seccomp entries in /run/firejail/mnt/seccomp sbox run: /usr/lib/firejail/fsec-print /run/firejail/mnt/seccomp (null) Dropping all capabilities Drop privileges: pid 10, uid 1000, gid 100, nogroups 1 No supplementary groups line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 01 00 c000003e jeq ARCH_64 0003 (false 0002) 0002: 06 00 00 7fff0000 ret ALLOW 0003: 20 00 00 00000000 ld data.syscall-number 0004: 35 01 00 40000000 jge X32_ABI 0006 (false 0005) 0005: 35 01 00 00000000 jge read 0007 (false 0006) 0006: 06 00 00 00050001 ret ERRNO(1) 0007: 15 40 00 0000009f jeq adjtimex 0048 (false 0008) 0008: 15 3f 00 00000131 jeq clock_adjtime 0048 (false 0009) 0009: 15 3e 00 000000e3 jeq clock_settime 0048 (false 000a) 000a: 15 3d 00 000000a4 jeq settimeofday 0048 (false 000b) 000b: 15 3c 00 0000009a jeq modify_ldt 0048 (false 000c) 000c: 15 3b 00 000000d4 jeq lookup_dcookie 0048 (false 000d) 000d: 15 3a 00 0000012a jeq perf_event_open 0048 (false 000e) 000e: 15 39 00 00000137 jeq process_vm_writev 0048 (false 000f) 000f: 15 38 00 000000b0 jeq delete_module 0048 (false 0010) 0010: 15 37 00 00000139 jeq finit_module 0048 (false 0011) 0011: 15 36 00 000000af jeq init_module 0048 (false 0012) 0012: 15 35 00 0000009c jeq _sysctl 0048 (false 0013) 0013: 15 34 00 000000b7 jeq afs_syscall 0048 (false 0014) 0014: 15 33 00 000000ae jeq create_module 0048 (false 0015) 0015: 15 32 00 000000b1 jeq get_kernel_syms 0048 (false 0016) 0016: 15 31 00 000000b5 jeq getpmsg 0048 (false 0017) 0017: 15 30 00 000000b6 jeq putpmsg 0048 (false 0018) 0018: 15 2f 00 000000b2 jeq query_module 0048 (false 0019) 0019: 15 2e 00 000000b9 jeq security 0048 (false 001a) 001a: 15 2d 00 0000008b jeq sysfs 0048 (false 001b) 001b: 15 2c 00 000000b8 jeq tuxcall 0048 (false 001c) 001c: 15 2b 00 00000086 jeq uselib 0048 (false 001d) 001d: 15 2a 00 00000088 jeq ustat 0048 (false 
001e) 001e: 15 29 00 000000ec jeq vserver 0048 (false 001f) 001f: 15 28 00 000000ad jeq ioperm 0048 (false 0020) 0020: 15 27 00 000000ac jeq iopl 0048 (false 0021) 0021: 15 26 00 000000f6 jeq kexec_load 0048 (false 0022) 0022: 15 25 00 00000140 jeq kexec_file_load 0048 (false 0023) 0023: 15 24 00 000000a9 jeq reboot 0048 (false 0024) 0024: 15 23 00 000000ee jeq set_mempolicy 0048 (false 0025) 0025: 15 22 00 00000100 jeq migrate_pages 0048 (false 0026) 0026: 15 21 00 00000117 jeq move_pages 0048 (false 0027) 0027: 15 20 00 000000ed jeq mbind 0048 (false 0028) 0028: 15 1f 00 000000a7 jeq swapon 0048 (false 0029) 0029: 15 1e 00 000000a8 jeq swapoff 0048 (false 002a) 002a: 15 1d 00 000000a3 jeq acct 0048 (false 002b) 002b: 15 1c 00 000000f8 jeq add_key 0048 (false 002c) 002c: 15 1b 00 00000141 jeq bpf 0048 (false 002d) 002d: 15 1a 00 0000012c jeq fanotify_init 0048 (false 002e) 002e: 15 19 00 000000d2 jeq io_cancel 0048 (false 002f) 002f: 15 18 00 000000cf jeq io_destroy 0048 (false 0030) 0030: 15 17 00 000000d0 jeq io_getevents 0048 (false 0031) 0031: 15 16 00 000000ce jeq io_setup 0048 (false 0032) 0032: 15 15 00 000000d1 jeq io_submit 0048 (false 0033) 0033: 15 14 00 000000fb jeq ioprio_set 0048 (false 0034) 0034: 15 13 00 00000138 jeq kcmp 0048 (false 0035) 0035: 15 12 00 000000fa jeq keyctl 0048 (false 0036) 0036: 15 11 00 000000a5 jeq mount 0048 (false 0037) 0037: 15 10 00 0000012f jeq name_to_handle_at 0048 (false 0038) 0038: 15 0f 00 000000b4 jeq nfsservctl 0048 (false 0039) 0039: 15 0e 00 00000130 jeq open_by_handle_at 0048 (false 003a) 003a: 15 0d 00 00000087 jeq personality 0048 (false 003b) 003b: 15 0c 00 0000009b jeq pivot_root 0048 (false 003c) 003c: 15 0b 00 00000136 jeq process_vm_readv 0048 (false 003d) 003d: 15 0a 00 00000065 jeq ptrace 0048 (false 003e) 003e: 15 09 00 000000d8 jeq remap_file_pages 0048 (false 003f) 003f: 15 08 00 000000f9 jeq request_key 0048 (false 0040) 0040: 15 07 00 000000ab jeq setdomainname 0048 (false 0041) 0041: 15 06 00 
000000aa jeq sethostname 0048 (false 0042) 0042: 15 05 00 00000067 jeq syslog 0048 (false 0043) 0043: 15 04 00 000000a6 jeq umount2 0048 (false 0044) 0044: 15 03 00 00000143 jeq userfaultfd 0048 (false 0045) 0045: 15 02 00 00000099 jeq vhangup 0048 (false 0046) 0046: 15 01 00 00000116 jeq vmsplice 0048 (false 0047) 0047: 06 00 00 7fff0000 ret ALLOW 0048: 06 00 00 00000000 ret KILL seccomp filter configured noroot user namespace installed Dropping all capabilities NO_NEW_PRIVS set Drop privileges: pid 1, uid 1000, gid 100, nogroups 1 No supplementary groups starting application LD_PRELOAD=(null) execvp argument 0: /usr/bin/firefox Child process initialized in 152.33 ms Installing /run/firejail/mnt/seccomp seccomp filter Installing /run/firejail/mnt/seccomp.protocol seccomp filter monitoring pid 11 ```

@Vincent43 commented on GitHub (Jan 2, 2019):

I've seen similar behavior on that site. You may try with `firejail --ignore=seccomp`.


@Fred-Barclay commented on GitHub (Jan 2, 2019):

I haven't been able to duplicate (I'm on Arch). Even 7 simultaneous downloads don't take my CPU above ~26%.


@Vincent43 commented on GitHub (Jan 2, 2019):

@Fred-Barclay can you go to https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/ and try to open several commits, each on a new tab?


@SkewedZeppelin commented on GitHub (Jan 2, 2019):

I can't really reproduce either. Downloading a 10GB file at 150Mbps doesn't push any of my cores past 20%.

And I tried opening a bunch of large commits from there and all of them loaded near instantly.

I am sure there are a lot of variables that affect this result, which is why we don't all see the same, like: processor (and microcode), kernel version, kernel config, distro compiler flags, network speed, drive, disk encryption, browser (and extensions), etc.


@Vincent43 commented on GitHub (Jan 2, 2019):

It could also be issues related to that site itself in a specific time period.


@mkkot commented on GitHub (Jan 3, 2019):

Guys, this has nothing to do with kernel.org. I just used the site as it has easily available big files to download. The problem is with downloading files with firefox and firejail. I tried firejail --ignore=seccomp but it doesn't change anything. I will try to dig more and see if I can narrow down the problem.

//Edit: this doesn't happen on fresh firefox profile. However, please try to change this setting:

[Screenshot: https://user-images.githubusercontent.com/10531790/50629964-0a334800-0f3f-11e9-8eff-9694c4884e07.png]

Now you should be able to reproduce the issue.


@Fred-Barclay commented on GitHub (Jan 3, 2019):

Yep, it's "Always ask you where to save files" that does it! This is the progress from 0 to 5 simultaneous downloads:
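[Screenshot "increasing": https://user-images.githubusercontent.com/11165995/50641618-1ebb1480-0f2e-11e9-8797-d24d029dc2d9.png]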


@ghost commented on GitHub (Jan 9, 2019):

Hello, I have tried to reproduce and I don't have this problem while using firejailed Firefox, Manjaro KDE edition, firejail 0.9.57 r4574 from 18 December.


@rusty-snake commented on GitHub (Jan 9, 2019):

I tried to reproduce:

  • Firefox esr
  • Fedora 29 + GNOME + Wayland
  • "Always ask you where to save files"
  • 8 simultaneous downloads
  • firejail 0.9.56

Result:

  • CPU 100%
  • Firefox 25-50% CPU
  • Tracker (https://wiki.gnome.org/Projects/Tracker) 100% CPU

@chiraag-nataraj commented on GitHub (Feb 7, 2019):

Unfortunately, I cannot reproduce this either 😕


@Boruch-Baum commented on GitHub (Mar 19, 2019):

I'm pretty sure that I have a solution for this. What I've done is to create a file `~/.local/bin/firefox-esr` which is all of:

```sh
#!/bin/sh
2> /dev/null 1> /dev/null cpulimit -l 50 firejail firefox-esr "$@" &
```

The directory `~/.local/bin` is the first item in my `$PATH`.


@ghost commented on GitHub (Mar 19, 2019):

@Boruch-Baum Does that actually work? IMHO it would eternally loop, executing firefox-esr in ~/.local/bin on each iteration (causing even higher CPU usage and confusing your system into a fit). It would only work if you called firefox-esr in that shell script by its full path.


@Boruch-Baum commented on GitHub (Mar 19, 2019):

@glitsj16 : Yup, it's how I'm writing this comment now - a firefox instance in a firejail under cpulimit, as launched by that wrapper script. Pretty cool, eh? I had started launching firefox under cpulimit years ago, without firejail, so it was just natural for me to try this. My guess is that firejail internally canonicalizes the path of \foo which would avoid the loop.
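
The full-path approach raised in the wrapper discussion above, as an added example that is not part of the original thread: the wrapper finds the real `firefox-esr` by walking `$PATH` while skipping its own directory, so it cannot re-invoke itself whatever way `firejail` resolves the name. `resolve_real`, `launch`, `WRAPPER_DEPTH` and `DRY_RUN` are hypothetical names, and the directories used in `demo` are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. All helper names are hypothetical.

# resolve_real NAME SELF_DIR [PATH_STRING]
# Print the first executable NAME on PATH_STRING (default: $PATH) that does
# not live in SELF_DIR. Directories are compared after canonicalisation so a
# symlinked ~/.local/bin is still recognised as the wrapper's own directory.
resolve_real() (
    CDPATH=
    name=$1
    self=$(cd "$2" 2>/dev/null && pwd -P) || self=$2
    IFS=:
    set -f
    for dir in ${3:-$PATH}; do
        [ -n "$dir" ] || dir=.          # empty PATH entry means current dir
        real=$(cd "$dir" 2>/dev/null && pwd -P) || continue
        [ "$real" = "$self" ] && continue
        if [ -f "$real/$name" ] && [ -x "$real/$name" ]; then
            printf '%s\n' "$real/$name"
            return 0
        fi
    done
    return 1
)

# launch NAME SELF_DIR [ARGS...]
# Run NAME under cpulimit and firejail by absolute path. WRAPPER_DEPTH is a
# hypothetical guard: if the wrapper is ever re-entered it refuses to start
# instead of spawning itself again. DRY_RUN=1 prints the command instead.
launch() {
    name=$1
    self_dir=$2
    shift 2
    if [ "${WRAPPER_DEPTH:-0}" -ge 1 ]; then
        echo "refusing to re-enter wrapper for $name" >&2
        return 2
    fi
    target=$(resolve_real "$name" "$self_dir") || {
        echo "no $name found outside $self_dir" >&2
        return 127
    }
    WRAPPER_DEPTH=1 ${DRY_RUN:+echo} cpulimit -l 50 firejail "$target" "$@"
}

# Constructed demo: a fake wrapper directory placed first on PATH and a fake
# install directory, each holding an executable stub called firefox-esr.
demo() (
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/wrapper" "$tmp/usr-bin"
    for d in wrapper usr-bin; do
        printf '#!/bin/sh\n' > "$tmp/$d/firefox-esr"
        chmod +x "$tmp/$d/firefox-esr"
    done
    PATH="$tmp/wrapper:$tmp/usr-bin:$PATH"
    DRY_RUN=1
    rc=0
    launch firefox-esr "$tmp/wrapper" --private-window || rc=$?
    rm -rf "$tmp"
    return "$rc"
)

demo
# In a real wrapper file the last line would instead be:
#   launch firefox-esr "$(dirname "$0")" "$@"
```
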


@Fred-Barclay commented on GitHub (Mar 20, 2019):

Duplicate of #2608


@Fred-Barclay commented on GitHub (Mar 20, 2019):

Also sorry for the noise! Was trying to use Github's "mark as duplicate" tool. Anyhow, this looks like it's similar to #2608 #2330 #1730

https://help.github.com/en/articles/about-duplicate-issues-and-pull-requests


@ghost commented on GitHub (Mar 20, 2019):

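Upstream released Firefox 66, which carries a Linux-specific fix for Firefox freezing when downloading files (see [releasenotes](https://www.mozilla.org/en-US/firefox/66.0/releasenotes/) and [bug report](https://bugzilla.mozilla.org/show_bug.cgi?id=1517101)).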


@chiraag-nataraj commented on GitHub (May 21, 2019):

@mkkot Is your issue resolved?


@mkkot commented on GitHub (May 21, 2019):

I will answer to that when I get home next week. Can't check now.

On Tue, 21 May 2019 at 11:28, ಚಿರಾಗ್ ನಟರಾಜ್ notifications@github.com wrote:

> @mkkot https://github.com/mkkot Is your issue resolved?



--
Pozdrawiam / Greetings
Marcin Kocur █
Brak odpowiedzi? / No answer?
http://koci.net.pl/email/


@mkkot commented on GitHub (May 23, 2019):

Firefox 66.0.2:
[Screenshot: https://user-images.githubusercontent.com/10531790/58285004-3cd5c400-7dac-11e9-994c-616d1294e7ad.png]

I think I will have to read about some performance visualizers to debug this issue.


@ghost commented on GitHub (Jan 20, 2020):

Closing this due to inactivity.
