[GH-ISSUE #235] Make debugging easier #168

New issue

Closed

opened 2026-05-05 05:13:11 -06:00 by gitea-mirror · 1 comment

gitea-mirror commented

2026-05-05 05:13:11 -06:00

Owner

Originally created by @trou on GitHub (Jan 19, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/235

Hello,
currently it can be very difficult to debug problems due to policies. For example, enigmail in thunderbird doesn't work when GPG is using a smartcard, but I cannot find why.
Since firejail is suid, stracing is impossible, --trace doesn't give all syscalls and its output is only available to stdout (which breaks Enigmail for example).

It would be nice to have a --strace mode that could output to a file :)

Originally created by @trou on GitHub (Jan 19, 2016). Original GitHub issue: https://github.com/netblue30/firejail/issues/235 Hello, currently it can be very difficult to debug problems due to policies. For example, enigmail in thunderbird doesn't work when GPG is using a smartcard, but I cannot find why. Since firejail is suid, stracing is impossible, --trace doesn't give all syscalls and its output is only available to stdout (which breaks Enigmail for example). It would be nice to have a --strace mode that could output to a file :)

gitea-mirror

2026-05-05 05:13:11 -06:00

closed this issue
added the
information_old
label

gitea-mirror commented

2026-05-05 05:13:25 -06:00

Author

Owner

@netblue30 commented on GitHub (Jan 20, 2016):

strace depends on ptrace system call. ptrace is one of the first syscalls disabled by seccomp. Enabling it inside the sandbox is a huge security risk.

This is how I debug it. I start with /etc/firejail/thunderbird.profile where I comment out all the lines in the file. Then, I bring them in one by one to see where is breaking. If you suspect it is seccomp, comment out seccomp line. Also monitor your syslog for seccomp messages. They look like this:

Jan 19 19:47:21 debian kernel: [11199.682124] audit: type=1326 audit(1453250841.513:2): auid=1000 uid=1000 gid=1000 ses=9 pid=3990 comm="cve_2016_0728" exe="/home/netblue/work/cve/cve_2016_0728" sig=31 syscall=250 compat=0 ip=0x7fed999f9fd9 code=0x0

In this case the process is killed by syscall 250 - keyctl.

@netblue30 commented on GitHub (Jan 20, 2016): strace depends on ptrace system call. ptrace is one of the first syscalls disabled by seccomp. Enabling it inside the sandbox is a huge security risk. This is how I debug it. I start with /etc/firejail/thunderbird.profile where I comment out all the lines in the file. Then, I bring them in one by one to see where is breaking. If you suspect it is seccomp, comment out seccomp line. Also monitor your syslog for seccomp messages. They look like this: ``` Jan 19 19:47:21 debian kernel: [11199.682124] audit: type=1326 audit(1453250841.513:2): auid=1000 uid=1000 gid=1000 ses=9 pid=3990 comm="cve_2016_0728" exe="/home/netblue/work/cve/cve_2016_0728" sig=31 syscall=250 compat=0 ip=0x7fed999f9fd9 code=0x0 ``` In this case the process is killed by syscall 250 - keyctl.

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#168

No description provided.

Rows
Columns