github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #2616] Firefox 66 is using chroot. Ubuntu 16.04 with seccomp enabled will break firefox. #1659

New issue
Closed
opened 2026-05-05 08:18:29 -06:00 by gitea-mirror · 2 comments
gitea-mirror commented 2026-05-05 08:18:29 -06:00
Owner
Copy link

Originally created by @Shifting5164 on GitHub (Mar 23, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2616

Running system:
Mozilla Firefox 66.0
Ubuntu 16.04.6 LTS
firejail version 0.9.38.10

Excluding:
Excluding current GTK_IM_MODULE problems with ibus.
Fix: xim firejail firefox

Problem description:
Firefox does not appear to load any webpage. Screen remains blank.

Reproducing error:
firejail firefox -no-remote

Error tracing:
Syslog will show the flowing message

kernel: [12365.382693] audit: type=1326 audit(1553379383.810:159): auid=1000 uid=1000 gid=1000 ses=1 pid=6602 comm="Gecko_IOThread" exe="/usr/lib/firefox/firefox" sig=31 arch=c000003e syscall=161 compat=0 ip=0x7f0c793af737 code=0x0

syscall=161 = chroot

Running firefox strace native it turns out firefox is using the chroot syscal

% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 81.29   84.804057        1638     51759      5754 futex
  9.31    9.711918         301     32286           poll
  6.73    7.019205         157     44725     32607 recvmsg
  2.53    2.637227         275      9576           epoll_wait
  0.04    0.040942        3149        13           wait4
  0.02    0.016210           2      8027         3 sendmsg
  0.01    0.015347           1     23226        41 read
  0.01    0.010978           1     16357      2436 stat
  0.01    0.009521         115        83           fsync
  0.01    0.008643          12       706        14 ioctl
  0.01    0.008028           2      3775         6 lseek
  0.01    0.007322           1      6507      2483 recvfrom
  0.01    0.007252           0     15278           write
  0.01    0.006250           0     22504           mprotect
  0.00    0.003787           1      3780      1910 access
  0.00    0.003466           1      6547           sched_yield
  0.00    0.002631           3       865           munmap
  0.00    0.001827           0      5841      1322 open
  0.00    0.001151           0      8955           close
  0.00    0.001089           0     11598         6 madvise
  0.00    0.001002           1       918           getdents
  0.00    0.000989           1      1062       123 lstat
  0.00    0.000849           2       560           getuid
  0.00    0.000474           0      3336         7 fcntl
  0.00    0.000316           0      2765           gettid
  0.00    0.000164           0       825       707 getpeername
  0.00    0.000135           0      3544           mmap
  0.00    0.000132           1       194           epoll_ctl
  0.00    0.000127           0      3729           writev
  0.00    0.000083           0      4037           fstat
  0.00    0.000035           0       572       229 rt_sigreturn
  0.00    0.000017           0       268       268 quotactl
  0.00    0.000012           0      3742           getpid
  0.00    0.000010           0       697           setsockopt
  0.00    0.000000           0        33           brk
  0.00    0.000000           0       544         8 rt_sigaction
  0.00    0.000000           0        27           rt_sigprocmask
  0.00    0.000000           0        28           pwrite64
  0.00    0.000000           0         2           readv
  0.00    0.000000           0        35           pipe
  0.00    0.000000           0         1           select
  0.00    0.000000           0        10           shmget
  0.00    0.000000           0        10           shmat
  0.00    0.000000           0        10           shmctl
  0.00    0.000000           0       967           dup
  0.00    0.000000           0        35           dup2
  0.00    0.000000           0       196           socket
  0.00    0.000000           0       530       145 connect
  0.00    0.000000           0       418           sendto
  0.00    0.000000           0         3           shutdown
  0.00    0.000000           0         3           bind
  0.00    0.000000           0       261           getsockname
  0.00    0.000000           0       625           socketpair
  0.00    0.000000           0        71           getsockopt
  0.00    0.000000           0       312           clone
  0.00    0.000000           0         9           execve
  0.00    0.000000           0        52           uname
  0.00    0.000000           0        10           shmdt
  0.00    0.000000           0       341           ftruncate
  0.00    0.000000           0         1           getcwd
  0.00    0.000000           0         4           chdir
  0.00    0.000000           0        48         1 rename
  0.00    0.000000           0        73        63 mkdir
  0.00    0.000000           0         9           rmdir
  0.00    0.000000           0       289         4 unlink
  0.00    0.000000           0         2           symlink
  0.00    0.000000           0        68         2 readlink
  0.00    0.000000           0        69           chmod
  0.00    0.000000           0        12           umask
  0.00    0.000000           0        36           getrlimit
  0.00    0.000000           0        62           getrusage
  0.00    0.000000           0        28           sysinfo
  0.00    0.000000           0       258           getgid
  0.00    0.000000           0       301           geteuid
  0.00    0.000000           0       258           getegid
  0.00    0.000000           0         2           getppid
  0.00    0.000000           0        14           getresuid
  0.00    0.000000           0        14           getresgid
  0.00    0.000000           0        12           capset
  0.00    0.000000           0        61           sigaltstack
  0.00    0.000000           0       294        16 statfs
  0.00    0.000000           0       632           fstatfs
  0.00    0.000000           0       215           getpriority
  0.00    0.000000           0       215           setpriority
  0.00    0.000000           0       586         6 prctl
  0.00    0.000000           0         9           arch_prctl
  0.00    0.000000           0         1           setrlimit
  0.00    0.000000           0         4           chroot
  0.00    0.000000           0        79           readahead
  0.00    0.000000           0       357           sched_getaffinity
  0.00    0.000000           0        66           getdents64
  0.00    0.000000           0         7           set_tid_address
  0.00    0.000000           0       367           fadvise64
  0.00    0.000000           0        50           clock_gettime
  0.00    0.000000           0         2           clock_getres
  0.00    0.000000           0         8           inotify_add_watch
  0.00    0.000000           0        16           newfstatat
  0.00    0.000000           0         2           faccessat
  0.00    0.000000           0       309           set_robust_list
  0.00    0.000000           0         8         8 fallocate
  0.00    0.000000           0        17           eventfd2
  0.00    0.000000           0        10           epoll_create1
  0.00    0.000000           0        10           pipe2
  0.00    0.000000           0         1           inotify_init1
  0.00    0.000000           0        10         6 seccomp
  0.00    0.000000           0       252           getrandom
------ ----------- ----------- --------- --------- ----------------

Circumvention:
/etc/firejail/firefox.profile

noblacklist ${HOME}/.mozilla
include /etc/firejail/disable-mgmt.inc
include /etc/firejail/disable-secret.inc
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
caps.drop all
#seccomp
protocol unix,inet,inet6,netlink
netfilter
tracelog
noroot
whitelist ${DOWNLOADS}
whitelist ~/.mozilla
whitelist ~/.cache/mozilla/firefox
whitelist ~/dwhelper
whitelist ~/.zotero
whitelist ~/.lastpass
whitelist ~/.vimperatorrc
whitelist ~/.vimperator
whitelist ~/.pentadactylrc
whitelist ~/.pentadactyl
whitelist ~/.keysnail.js
whitelist ~/.config/gnome-mplayer
whitelist ~/.cache/gnome-mplayer/plugin
include /etc/firejail/whitelist-common.inc

NOTE: This will completely disable seccomp protection. This is NOT a fix

Originally created by @Shifting5164 on GitHub (Mar 23, 2019). Original GitHub issue: https://github.com/netblue30/firejail/issues/2616 Running system: Mozilla Firefox 66.0 Ubuntu 16.04.6 LTS firejail version 0.9.38.10 Excluding: Excluding current GTK_IM_MODULE problems with ibus. Fix: `xim firejail firefox` Problem description: Firefox does not appear to load any webpage. Screen remains blank. Reproducing error: firejail firefox -no-remote Error tracing: Syslog will show the flowing message ``` kernel: [12365.382693] audit: type=1326 audit(1553379383.810:159): auid=1000 uid=1000 gid=1000 ses=1 pid=6602 comm="Gecko_IOThread" exe="/usr/lib/firefox/firefox" sig=31 arch=c000003e syscall=161 compat=0 ip=0x7f0c793af737 code=0x0 ``` syscall=161 = chroot Running firefox strace native it turns out firefox is using the chroot syscal ``` % time seconds usecs/call calls errors syscall ------ ----------- ----------- --------- --------- ---------------- 81.29 84.804057 1638 51759 5754 futex 9.31 9.711918 301 32286 poll 6.73 7.019205 157 44725 32607 recvmsg 2.53 2.637227 275 9576 epoll_wait 0.04 0.040942 3149 13 wait4 0.02 0.016210 2 8027 3 sendmsg 0.01 0.015347 1 23226 41 read 0.01 0.010978 1 16357 2436 stat 0.01 0.009521 115 83 fsync 0.01 0.008643 12 706 14 ioctl 0.01 0.008028 2 3775 6 lseek 0.01 0.007322 1 6507 2483 recvfrom 0.01 0.007252 0 15278 write 0.01 0.006250 0 22504 mprotect 0.00 0.003787 1 3780 1910 access 0.00 0.003466 1 6547 sched_yield 0.00 0.002631 3 865 munmap 0.00 0.001827 0 5841 1322 open 0.00 0.001151 0 8955 close 0.00 0.001089 0 11598 6 madvise 0.00 0.001002 1 918 getdents 0.00 0.000989 1 1062 123 lstat 0.00 0.000849 2 560 getuid 0.00 0.000474 0 3336 7 fcntl 0.00 0.000316 0 2765 gettid 0.00 0.000164 0 825 707 getpeername 0.00 0.000135 0 3544 mmap 0.00 0.000132 1 194 epoll_ctl 0.00 0.000127 0 3729 writev 0.00 0.000083 0 4037 fstat 0.00 0.000035 0 572 229 rt_sigreturn 0.00 0.000017 0 268 268 quotactl 0.00 0.000012 0 3742 getpid 0.00 0.000010 0 697 setsockopt 0.00 0.000000 0 33 brk 0.00 0.000000 0 544 8 rt_sigaction 0.00 0.000000 0 27 rt_sigprocmask 0.00 0.000000 0 28 pwrite64 0.00 0.000000 0 2 readv 0.00 0.000000 0 35 pipe 0.00 0.000000 0 1 select 0.00 0.000000 0 10 shmget 0.00 0.000000 0 10 shmat 0.00 0.000000 0 10 shmctl 0.00 0.000000 0 967 dup 0.00 0.000000 0 35 dup2 0.00 0.000000 0 196 socket 0.00 0.000000 0 530 145 connect 0.00 0.000000 0 418 sendto 0.00 0.000000 0 3 shutdown 0.00 0.000000 0 3 bind 0.00 0.000000 0 261 getsockname 0.00 0.000000 0 625 socketpair 0.00 0.000000 0 71 getsockopt 0.00 0.000000 0 312 clone 0.00 0.000000 0 9 execve 0.00 0.000000 0 52 uname 0.00 0.000000 0 10 shmdt 0.00 0.000000 0 341 ftruncate 0.00 0.000000 0 1 getcwd 0.00 0.000000 0 4 chdir 0.00 0.000000 0 48 1 rename 0.00 0.000000 0 73 63 mkdir 0.00 0.000000 0 9 rmdir 0.00 0.000000 0 289 4 unlink 0.00 0.000000 0 2 symlink 0.00 0.000000 0 68 2 readlink 0.00 0.000000 0 69 chmod 0.00 0.000000 0 12 umask 0.00 0.000000 0 36 getrlimit 0.00 0.000000 0 62 getrusage 0.00 0.000000 0 28 sysinfo 0.00 0.000000 0 258 getgid 0.00 0.000000 0 301 geteuid 0.00 0.000000 0 258 getegid 0.00 0.000000 0 2 getppid 0.00 0.000000 0 14 getresuid 0.00 0.000000 0 14 getresgid 0.00 0.000000 0 12 capset 0.00 0.000000 0 61 sigaltstack 0.00 0.000000 0 294 16 statfs 0.00 0.000000 0 632 fstatfs 0.00 0.000000 0 215 getpriority 0.00 0.000000 0 215 setpriority 0.00 0.000000 0 586 6 prctl 0.00 0.000000 0 9 arch_prctl 0.00 0.000000 0 1 setrlimit 0.00 0.000000 0 4 chroot 0.00 0.000000 0 79 readahead 0.00 0.000000 0 357 sched_getaffinity 0.00 0.000000 0 66 getdents64 0.00 0.000000 0 7 set_tid_address 0.00 0.000000 0 367 fadvise64 0.00 0.000000 0 50 clock_gettime 0.00 0.000000 0 2 clock_getres 0.00 0.000000 0 8 inotify_add_watch 0.00 0.000000 0 16 newfstatat 0.00 0.000000 0 2 faccessat 0.00 0.000000 0 309 set_robust_list 0.00 0.000000 0 8 8 fallocate 0.00 0.000000 0 17 eventfd2 0.00 0.000000 0 10 epoll_create1 0.00 0.000000 0 10 pipe2 0.00 0.000000 0 1 inotify_init1 0.00 0.000000 0 10 6 seccomp 0.00 0.000000 0 252 getrandom ------ ----------- ----------- --------- --------- ---------------- ``` Circumvention: /etc/firejail/firefox.profile ``` noblacklist ${HOME}/.mozilla include /etc/firejail/disable-mgmt.inc include /etc/firejail/disable-secret.inc include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc caps.drop all #seccomp protocol unix,inet,inet6,netlink netfilter tracelog noroot whitelist ${DOWNLOADS} whitelist ~/.mozilla whitelist ~/.cache/mozilla/firefox whitelist ~/dwhelper whitelist ~/.zotero whitelist ~/.lastpass whitelist ~/.vimperatorrc whitelist ~/.vimperator whitelist ~/.pentadactylrc whitelist ~/.pentadactyl whitelist ~/.keysnail.js whitelist ~/.config/gnome-mplayer whitelist ~/.cache/gnome-mplayer/plugin include /etc/firejail/whitelist-common.inc ``` NOTE: This will completely disable seccomp protection. This is ***NOT*** a fix
gitea-mirror commented 2026-05-05 08:18:32 -06:00
Author
Owner
Copy link

@SkewedZeppelin commented on GitHub (Mar 23, 2019):

iirc this has been fixed since 0.9.54

you can use this profile instead https://github.com/netblue30/firejail/blob/master/etc-fixes/0.9.38/firefox.profile

<!-- gh-comment-id:475910200 --> @SkewedZeppelin commented on GitHub (Mar 23, 2019): iirc this has been fixed since 0.9.54 you can use this profile instead https://github.com/netblue30/firejail/blob/master/etc-fixes/0.9.38/firefox.profile
gitea-mirror commented 2026-05-05 08:18:32 -06:00
Author
Owner
Copy link

@Shifting5164 commented on GitHub (Mar 23, 2019):

Yes, it is fixed in this version.

Thanks

<!-- gh-comment-id:475910885 --> @Shifting5164 commented on GitHub (Mar 23, 2019): Yes, it is fixed in this version. Thanks
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#1659
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?