[GH-ISSUE #2695] reboot works with --seccomp #1696

Closed
opened 2026-05-05 08:21:13 -06:00 by gitea-mirror · 8 comments

Originally created by @berezhinskiy on GitHub (May 14, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2695

Firejail version 0.9.52

# firejail --noprofile --nogroups --seccomp --caps.drop=all --debug reboot

I expect that reboot will be denied due to the --seccomp option.
Nevertheless, reboot works. Here is the output:

Autoselecting /bin/bash as shell
Building quoted command line: 'reboot'
Command name #reboot#
DISPLAY is not set
Enabling IPC namespace
Using the local network stack
Parent pid 1478, child pid 1479
The new log directory is /proc/1479/root/var/log
Host network configured
Initializing child process
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp.postexec file
Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr, /etc, /var
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /var/lib/dhcp
Mounting tmpfs on /var/lib/sudo
Mounting tmpfs on /var/cache/apache2
Create the new utmp file
Mount the new utmp file
Remounting /proc and /proc/sys filesystems
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/module
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /sys/kernel/uevent_helper
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/kernel/hotplug
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /lib/modules
Disable /usr/lib/debug
Disable /boot
Disable /dev/port
Disable /sys/fs
Current directory: /home/ubuntu
DISPLAY is not set
Dropping all capabilities
configuring 101 seccomp entries in /run/firejail/mnt/seccomp.32
sbox run: /usr/lib/x86_64-linux-gnu/firejail/fseccomp print /run/firejail/mnt/seccomp.32 (null)
sbox file descriptors:
total 0
lrwx------ 1 root root 64 May 14 14:25 0 -> /dev/null
lrwx------ 1 root root 64 May 14 14:25 1 -> /dev/pts/0
lrwx------ 1 root root 64 May 14 14:25 2 -> /dev/pts/0
lr-x------ 1 root root 64 May 14 14:25 3 -> /proc/4/fd
Dropping all capabilities
Username root, no supplementary groups
SECCOMP Filter
  VALIDATE_ARCHITECTURE_32
  EXAMINE_SYSCALL
  BLACKLIST 21 access
  BLACKLIST 52 getpeername
  BLACKLIST 26 msync
  BLACKLIST 283 timerfd_create
  BLACKLIST 341 unknown
  BLACKLIST 342 unknown
  BLACKLIST 127 rt_sigpending
  BLACKLIST 128 rt_sigtimedwait
  BLACKLIST 350 unknown
  BLACKLIST 129 rt_sigqueueinfo
  BLACKLIST 110 getppid
  BLACKLIST 101 ptrace
  BLACKLIST 289 signalfd4
  BLACKLIST 87 unlink
  BLACKLIST 115 getgroups
  BLACKLIST 103 syslog
  BLACKLIST 347 unknown
  BLACKLIST 348 unknown
  BLACKLIST 135 personality
  BLACKLIST 149 mlock
  BLACKLIST 124 getsid
  BLACKLIST 343 unknown
  BLACKLIST 253 inotify_init
  BLACKLIST 336 unknown
  BLACKLIST 338 unknown
  BLACKLIST 349 unknown
  BLACKLIST 286 timerfd_settime
  BLACKLIST 287 timerfd_gettime
  BLACKLIST 288 accept4
  BLACKLIST 86 link
  BLACKLIST 51 getsockname
  BLACKLIST 123 setfsgid
  BLACKLIST 217 getdents64
  BLACKLIST 245 mq_getsetattr
  BLACKLIST 246 kexec_load
  BLACKLIST 247 waitid
  BLACKLIST 248 add_key
  BLACKLIST 249 request_key
  BLACKLIST 257 openat
  BLACKLIST 274 get_robust_list
  BLACKLIST 276 tee
  BLACKLIST 294 inotify_init1
  BLACKLIST 317 seccomp
  BLACKLIST 316 renameat2
  BLACKLIST 61 wait4
  BLACKLIST 88 symlink
  BLACKLIST 169 reboot
  BLACKLIST 130 rt_sigsuspend
  RETURN_ALLOW
Dual 32/64 bit seccomp filter configured
configuring 138 seccomp entries in /run/firejail/mnt/seccomp
sbox run: /usr/lib/x86_64-linux-gnu/firejail/fseccomp print /run/firejail/mnt/seccomp (null)
sbox file descriptors:
total 0
lrwx------ 1 root root 64 May 14 14:25 0 -> /dev/null
lrwx------ 1 root root 64 May 14 14:25 1 -> /dev/pts/0
lrwx------ 1 root root 64 May 14 14:25 2 -> /dev/pts/0
lr-x------ 1 root root 64 May 14 14:25 3 -> /proc/7/fd
Dropping all capabilities
Username root, no supplementary groups
SECCOMP Filter
  VALIDATE_ARCHITECTURE
  EXAMINE_SYSCALL
  HANDLE_X32
  BLACKLIST 154 modify_ldt
  BLACKLIST 212 lookup_dcookie
  BLACKLIST 298 perf_event_open
  BLACKLIST 311 process_vm_writev
  BLACKLIST 156 _sysctl
  BLACKLIST 183 afs_syscall
  BLACKLIST 174 create_module
  BLACKLIST 177 get_kernel_syms
  BLACKLIST 181 getpmsg
  BLACKLIST 182 putpmsg
  BLACKLIST 178 query_module
  BLACKLIST 185 security
  BLACKLIST 139 sysfs
  BLACKLIST 184 tuxcall
  BLACKLIST 134 uselib
  BLACKLIST 136 ustat
  BLACKLIST 236 vserver
  BLACKLIST 159 adjtimex
  BLACKLIST 305 clock_adjtime
  BLACKLIST 227 clock_settime
  BLACKLIST 164 settimeofday
  BLACKLIST 176 delete_module
  BLACKLIST 313 finit_module
  BLACKLIST 175 init_module
  BLACKLIST 173 ioperm
  BLACKLIST 172 iopl
  BLACKLIST 246 kexec_load
  BLACKLIST 320 kexec_file_load
  BLACKLIST 169 reboot
  BLACKLIST 167 swapon
  BLACKLIST 168 swapoff
  BLACKLIST 163 acct
  BLACKLIST 321 bpf
  BLACKLIST 161 chroot
  BLACKLIST 165 mount
  BLACKLIST 180 nfsservctl
  BLACKLIST 155 pivot_root
  BLACKLIST 171 setdomainname
  BLACKLIST 170 sethostname
  BLACKLIST 166 umount2
  BLACKLIST 153 vhangup
  BLACKLIST 238 set_mempolicy
  BLACKLIST 256 migrate_pages
  BLACKLIST 279 move_pages
  BLACKLIST 237 mbind
  BLACKLIST 304 open_by_handle_at
  BLACKLIST 303 name_to_handle_at
  BLACKLIST 251 ioprio_set
  BLACKLIST 103 syslog
  BLACKLIST 300 fanotify_init
  BLACKLIST 312 kcmp
  BLACKLIST 248 add_key
  BLACKLIST 249 request_key
  BLACKLIST 250 keyctl
  BLACKLIST 206 io_setup
  BLACKLIST 207 io_destroy
  BLACKLIST 208 io_getevents
  BLACKLIST 209 io_submit
  BLACKLIST 210 io_cancel
  BLACKLIST 216 remap_file_pages
  BLACKLIST 278 vmsplice
  BLACKLIST 135 personality
  BLACKLIST 323 userfaultfd
  BLACKLIST 101 ptrace
  BLACKLIST 310 process_vm_readv
  RETURN_ALLOW
seccomp filter configured

Seccomp files:
-rw-r--r-- 1 root root 1104 May 14 14:25 /run/firejail/mnt/seccomp
-rw-r--r-- 1 root root  808 May 14 14:25 /run/firejail/mnt/seccomp.32
-rw-r--r-- 1 root root  824 May 14 14:25 /run/firejail/mnt/seccomp.64
-rw-r--r-- 1 root root    0 May 14 14:25 /run/firejail/mnt/seccomp.postexec
-rw-r--r-- 1 root root    0 May 14 14:25 /run/firejail/mnt/seccomp.protocol

Username root, no supplementary groups
starting application
LD_PRELOAD=(null)
Running 'reboot'  command through /bin/bash
execvp argument 0: /bin/bash
execvp argument 1: -c
execvp argument 2: 'reboot'
Child process initialized in 39.09 ms
Installing /run/firejail/mnt/seccomp seccomp filter
Installing /run/firejail/mnt/seccomp.32 seccomp filter
Failed to connect to bus: No data available
Connection to XXXXXX closed by remote host.
Connection to XXXXXX closed.
gitea-mirror closed this issue and added the bug label (2026-05-05 08:21:13 -06:00)

@SkewedZeppelin commented on GitHub (May 14, 2019):

Are you running systemd? Those are probably invoked through dbus or the like.
Try with --nodbus --net=none


@berezhinskiy commented on GitHub (May 14, 2019):

0.9.52 has no --nodbus option. I compiled the latest (0.9.60~rc1); the result is the same:

# firejail --noprofile --nogroups --seccomp --caps.drop=all --nodbus --net=none --debug reboot
Autoselecting /bin/bash as shell
Building quoted command line: 'reboot'
Command name #reboot#
DISPLAY is not set
Enabling IPC namespace
Parent pid 1542, child pid 1544
The new log directory is /proc/1544/root/var/log
Initializing child process
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
sbox run: /run/firejail/lib/fnet ifup lo (null)
Set caps filter 3000
Network namespace enabled, only loopback interface available
Basic read-only filesystem:
Mounting read-only /etc
Mounting read-only /var
Mounting read-only /bin
Mounting read-only /sbin
Mounting read-only /lib
Mounting read-only /lib64
Mounting read-only /usr
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /var/lib/dhcp
Mounting tmpfs on /var/lib/sudo
Mounting tmpfs on /var/cache/apache2
Create the new utmp file
Mount the new utmp file
blacklist /run/user/0/bus
Remounting /proc and /proc/sys filesystems
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /sys/kernel/uevent_helper
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/kernel/hotplug
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /lib/modules
Disable /usr/lib/debug
Disable /boot
Disable /dev/port
Disable /sys/fs
Disable /sys/module
Mounting noexec /run/firejail/mnt/pulse
446 373 0:51 /pulse /root/.config/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755
mountid=446 fsname=/pulse dir=/root/.config/pulse fstype=tmpfs
Current directory: /home/ubuntu
DISPLAY is not set
configuring 54 seccomp entries in /run/firejail/mnt/seccomp/seccomp.32
sbox run: /usr/local/lib/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.32 (null)
Dropping all capabilities
Drop privileges: pid 3, uid 0, gid 0, nogroups 1
No supplementary groups
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 40000003   jeq ARCH_32 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 15 30 00 00000015   jeq 15 0035 (false 0005)
 0005: 15 2f 00 00000034   jeq 34 0035 (false 0006)
 0006: 15 2e 00 0000001a   jeq 1a 0035 (false 0007)
 0007: 15 2d 00 0000011b   jeq 11b 0035 (false 0008)
 0008: 15 2c 00 00000155   jeq 155 0035 (false 0009)
 0009: 15 2b 00 00000156   jeq 156 0035 (false 000a)
 000a: 15 2a 00 0000007f   jeq 7f 0035 (false 000b)
 000b: 15 29 00 00000080   jeq 80 0035 (false 000c)
 000c: 15 28 00 0000015e   jeq 15e 0035 (false 000d)
 000d: 15 27 00 00000081   jeq 81 0035 (false 000e)
 000e: 15 26 00 0000006e   jeq 6e 0035 (false 000f)
 000f: 15 25 00 00000065   jeq 65 0035 (false 0010)
 0010: 15 24 00 00000121   jeq 121 0035 (false 0011)
 0011: 15 23 00 00000057   jeq 57 0035 (false 0012)
 0012: 15 22 00 00000073   jeq 73 0035 (false 0013)
 0013: 15 21 00 00000067   jeq 67 0035 (false 0014)
 0014: 15 20 00 0000015b   jeq 15b 0035 (false 0015)
 0015: 15 1f 00 0000015c   jeq 15c 0035 (false 0016)
 0016: 15 1e 00 00000087   jeq 87 0035 (false 0017)
 0017: 15 1d 00 00000095   jeq 95 0035 (false 0018)
 0018: 15 1c 00 0000007c   jeq 7c 0035 (false 0019)
 0019: 15 1b 00 00000157   jeq 157 0035 (false 001a)
 001a: 15 1a 00 000000fd   jeq fd 0035 (false 001b)
 001b: 15 19 00 00000150   jeq 150 0035 (false 001c)
 001c: 15 18 00 00000152   jeq 152 0035 (false 001d)
 001d: 15 17 00 0000015d   jeq 15d 0035 (false 001e)
 001e: 15 16 00 0000011e   jeq 11e 0035 (false 001f)
 001f: 15 15 00 0000011f   jeq 11f 0035 (false 0020)
 0020: 15 14 00 00000120   jeq 120 0035 (false 0021)
 0021: 15 13 00 00000056   jeq 56 0035 (false 0022)
 0022: 15 12 00 00000033   jeq 33 0035 (false 0023)
 0023: 15 11 00 0000007b   jeq 7b 0035 (false 0024)
 0024: 15 10 00 000000d9   jeq d9 0035 (false 0025)
 0025: 15 0f 00 000000f5   jeq f5 0035 (false 0026)
 0026: 15 0e 00 000000f6   jeq f6 0035 (false 0027)
 0027: 15 0d 00 000000f7   jeq f7 0035 (false 0028)
 0028: 15 0c 00 000000f8   jeq f8 0035 (false 0029)
 0029: 15 0b 00 000000f9   jeq f9 0035 (false 002a)
 002a: 15 0a 00 00000101   jeq 101 0035 (false 002b)
 002b: 15 09 00 00000112   jeq 112 0035 (false 002c)
 002c: 15 08 00 00000114   jeq 114 0035 (false 002d)
 002d: 15 07 00 00000126   jeq 126 0035 (false 002e)
 002e: 15 06 00 0000013d   jeq 13d 0035 (false 002f)
 002f: 15 05 00 0000013c   jeq 13c 0035 (false 0030)
 0030: 15 04 00 0000003d   jeq 3d 0035 (false 0031)
 0031: 15 03 00 00000058   jeq 58 0035 (false 0032)
 0032: 15 02 00 000000a9   jeq a9 0035 (false 0033)
 0033: 15 01 00 00000082   jeq 82 0035 (false 0034)
 0034: 06 00 00 7fff0000   ret ALLOW
 0035: 06 00 00 00000000   ret KILL
Dual 32/64 bit seccomp filter configured
configuring 74 seccomp entries in /run/firejail/mnt/seccomp/seccomp
sbox run: /usr/local/lib/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp (null)
Dropping all capabilities
Drop privileges: pid 4, uid 0, gid 0, nogroups 1
No supplementary groups
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 35 01 00 40000000   jge X32_ABI 0006 (false 0005)
 0005: 35 01 00 00000000   jge read 0007 (false 0006)
 0006: 06 00 00 00050001   ret ERRNO(1)
 0007: 15 41 00 0000009a   jeq modify_ldt 0049 (false 0008)
 0008: 15 40 00 000000d4   jeq lookup_dcookie 0049 (false 0009)
 0009: 15 3f 00 0000012a   jeq perf_event_open 0049 (false 000a)
 000a: 15 3e 00 00000137   jeq process_vm_writev 0049 (false 000b)
 000b: 15 3d 00 0000009c   jeq _sysctl 0049 (false 000c)
 000c: 15 3c 00 000000b7   jeq afs_syscall 0049 (false 000d)
 000d: 15 3b 00 000000ae   jeq create_module 0049 (false 000e)
 000e: 15 3a 00 000000b1   jeq get_kernel_syms 0049 (false 000f)
 000f: 15 39 00 000000b5   jeq getpmsg 0049 (false 0010)
 0010: 15 38 00 000000b6   jeq putpmsg 0049 (false 0011)
 0011: 15 37 00 000000b2   jeq query_module 0049 (false 0012)
 0012: 15 36 00 000000b9   jeq security 0049 (false 0013)
 0013: 15 35 00 0000008b   jeq sysfs 0049 (false 0014)
 0014: 15 34 00 000000b8   jeq tuxcall 0049 (false 0015)
 0015: 15 33 00 00000086   jeq uselib 0049 (false 0016)
 0016: 15 32 00 00000088   jeq ustat 0049 (false 0017)
 0017: 15 31 00 000000ec   jeq vserver 0049 (false 0018)
 0018: 15 30 00 0000009f   jeq adjtimex 0049 (false 0019)
 0019: 15 2f 00 00000131   jeq clock_adjtime 0049 (false 001a)
 001a: 15 2e 00 000000e3   jeq clock_settime 0049 (false 001b)
 001b: 15 2d 00 000000a4   jeq settimeofday 0049 (false 001c)
 001c: 15 2c 00 000000b0   jeq delete_module 0049 (false 001d)
 001d: 15 2b 00 00000139   jeq finit_module 0049 (false 001e)
 001e: 15 2a 00 000000af   jeq init_module 0049 (false 001f)
 001f: 15 29 00 000000ad   jeq ioperm 0049 (false 0020)
 0020: 15 28 00 000000ac   jeq iopl 0049 (false 0021)
 0021: 15 27 00 000000f6   jeq kexec_load 0049 (false 0022)
 0022: 15 26 00 00000140   jeq kexec_file_load 0049 (false 0023)
 0023: 15 25 00 000000a9   jeq reboot 0049 (false 0024)
 0024: 15 24 00 000000a7   jeq swapon 0049 (false 0025)
 0025: 15 23 00 000000a8   jeq swapoff 0049 (false 0026)
 0026: 15 22 00 000000a3   jeq acct 0049 (false 0027)
 0027: 15 21 00 00000141   jeq bpf 0049 (false 0028)
 0028: 15 20 00 000000a1   jeq chroot 0049 (false 0029)
 0029: 15 1f 00 000000a5   jeq mount 0049 (false 002a)
 002a: 15 1e 00 000000b4   jeq nfsservctl 0049 (false 002b)
 002b: 15 1d 00 0000009b   jeq pivot_root 0049 (false 002c)
 002c: 15 1c 00 000000ab   jeq setdomainname 0049 (false 002d)
 002d: 15 1b 00 000000aa   jeq sethostname 0049 (false 002e)
 002e: 15 1a 00 000000a6   jeq umount2 0049 (false 002f)
 002f: 15 19 00 00000099   jeq vhangup 0049 (false 0030)
 0030: 15 18 00 000000ee   jeq set_mempolicy 0049 (false 0031)
 0031: 15 17 00 00000100   jeq migrate_pages 0049 (false 0032)
 0032: 15 16 00 00000117   jeq move_pages 0049 (false 0033)
 0033: 15 15 00 000000ed   jeq mbind 0049 (false 0034)
 0034: 15 14 00 00000130   jeq open_by_handle_at 0049 (false 0035)
 0035: 15 13 00 0000012f   jeq name_to_handle_at 0049 (false 0036)
 0036: 15 12 00 000000fb   jeq ioprio_set 0049 (false 0037)
 0037: 15 11 00 00000067   jeq syslog 0049 (false 0038)
 0038: 15 10 00 0000012c   jeq fanotify_init 0049 (false 0039)
 0039: 15 0f 00 00000138   jeq kcmp 0049 (false 003a)
 003a: 15 0e 00 000000f8   jeq add_key 0049 (false 003b)
 003b: 15 0d 00 000000f9   jeq request_key 0049 (false 003c)
 003c: 15 0c 00 000000fa   jeq keyctl 0049 (false 003d)
 003d: 15 0b 00 000000ce   jeq io_setup 0049 (false 003e)
 003e: 15 0a 00 000000cf   jeq io_destroy 0049 (false 003f)
 003f: 15 09 00 000000d0   jeq io_getevents 0049 (false 0040)
 0040: 15 08 00 000000d1   jeq io_submit 0049 (false 0041)
 0041: 15 07 00 000000d2   jeq io_cancel 0049 (false 0042)
 0042: 15 06 00 000000d8   jeq remap_file_pages 0049 (false 0043)
 0043: 15 05 00 00000116   jeq vmsplice 0049 (false 0044)
 0044: 15 04 00 00000143   jeq userfaultfd 0049 (false 0045)
 0045: 15 03 00 00000065   jeq ptrace 0049 (false 0046)
 0046: 15 02 00 00000087   jeq personality 0049 (false 0047)
 0047: 15 01 00 00000136   jeq process_vm_readv 0049 (false 0048)
 0048: 06 00 00 7fff0000   ret ALLOW
 0049: 06 00 01 00000000   ret KILL
seccomp filter configured
Mounting read-only /run/firejail/mnt/seccomp
Dropping all capabilities
Drop privileges: pid 1, uid 0, gid 0, nogroups 1
No supplementary groups
starting application
LD_PRELOAD=(null)
Running 'reboot'  command through /bin/bash
execvp argument 0: /bin/bash
execvp argument 1: -c
execvp argument 2: 'reboot'
Child process initialized in 57.96 ms
Installing /run/firejail/mnt/seccomp/seccomp seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter
Failed to connect to bus: No data available
monitoring pid 5

Sandbox monitor: waitpid 5 retval 5 status 0

Parent is shutting down, bye...
root@ip-10-50-20-66:~# Connection to XXXXX closed by remote host.
Connection to XXXXX closed.

I'm using a clean Ubuntu 18.04.2.

# uname -a
Linux ip-10-50-20-66 4.15.0-1037-aws #39-Ubuntu SMP Tue Apr 16 08:09:09 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
# cat /etc/os-release
NAME="Ubuntu"
VERSION="18.04.2 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.2 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
root@ip-10-50-20-66:~# uname -a
Linux ip-10-50-20-66 4.15.0-1037-aws #39-Ubuntu SMP Tue Apr 16 08:09:09 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Thank you.


@topimiettinen commented on GitHub (May 15, 2019):

`--nodbus` actually blocks access only to the user session D-Bus (socket path `/run/user/UID/dbus`). The `reboot` command under systemd connects to the system D-Bus at a different path (`/run/dbus/system_bus_socket`), so it is not blocked. Seccomp filters would block it if the `reboot` command attempted to use the `reboot(2)` system call directly, which would happen with `reboot -f -f` but not in your case.

We could add a new option to block the system D-Bus, or make `--nodbus` block that also.

The SysV `reboot` command talked to PID 1 via the `/dev/initctl` pipe, and systemd also has compatibility for that. Perhaps that path (and `/run/initctl`) should be blocked too in your case, but it's not related to D-Bus anymore. IIRC rebooting was not possible for unprivileged users under SysV, so it may not be necessary.

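An added check, not from the issue or from firejail itself, that verifies from inside a sandbox which of the reboot paths named above are still open: the system bus socket, the session bus socket, the initctl FIFOs, and whether a seccomp filter is installed (read from the `Seccomp` field of `/proc/self/status`). It probes the session bus at `/run/user/UID/bus`, where systemd places it, as well as at the `/run/user/UID/dbus` path quoted above; the function and constant names are mine.

```python
import os
import socket
import stat

# Paths from the issue: the system bus socket systemd's `reboot` talks to, and
# the SysV-compatible initctl FIFOs. Constant and function names are mine.
SYSTEM_BUS = "/run/dbus/system_bus_socket"
INITCTL_FIFOS = ("/dev/initctl", "/run/initctl")

def session_bus_paths(uid=None):
    uid = os.getuid() if uid is None else uid
    return (f"/run/user/{uid}/bus", f"/run/user/{uid}/dbus")

def socket_reachable(path):
    """True if a Unix stream socket at `path` accepts a connection."""
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.settimeout(1.0)
            s.connect(path)
        return True
    except OSError:  # ENOENT, EACCES, ECONNREFUSED all count as blocked
        return False

def fifo_writable(path):
    """True if `path` is a FIFO this process may write to (initctl protocol)."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return stat.S_ISFIFO(st.st_mode) and os.access(path, os.W_OK)

def seccomp_mode(status_text):
    """Seccomp field of /proc/<pid>/status: 0 = none, 1 = strict, 2 = filter."""
    for line in status_text.splitlines():
        if line.startswith("Seccomp:"):
            return int(line.split()[1])
    return 0

def audit(status_text=None):
    """Report which reboot paths are still open from the calling process."""
    if status_text is None:
        with open("/proc/self/status") as f:
            status_text = f.read()
    return {"system_bus_reachable": socket_reachable(SYSTEM_BUS),
            "session_bus_reachable": any(map(socket_reachable, session_bus_paths())),
            "initctl_writable": any(map(fifo_writable, INITCTL_FIFOS)),
            "seccomp_filter_active": seccomp_mode(status_text) == 2}

if __name__ == "__main__":  # e.g. firejail --nodbus --seccomp python3 reboot_audit.py
    for name, state in audit().items():
        print(f"{name}: {state}")
```

Run it under the same firejail options as the reporter's command: with only `--nodbus` of the 0.9.52 kind, `system_bus_reachable` stays True even though `seccomp_filter_active` is True, which is exactly the gap described above.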

@rusty-snake commented on GitHub (May 15, 2019):

@topimiettinen you reminded me that if you use systemd, you can use polkit to define permissions for unprivileged users to use reboot (halt, suspend, ...).


@topimiettinen commented on GitHub (May 15, 2019):

I made PR #2697, which makes `--nodbus` also block the system bus.


@rusty-snake commented on GitHub (May 15, 2019):

Just as a basic idea:
`/etc/polkit-1/rules.d/50-deny-firejailed-reboots.rules`

```js
polkit.addRule(function(action, subject) {
        if (action.id == "org.freedesktop.login1.reboot") {
                // Spawn a helper which finds out if `subject.pid` is firejailed or not.
                // The helper path and its "yes"/"no" output are hypothetical;
                // polkit.spawn() returns the program's standard output.
                var out = polkit.spawn(["/usr/local/bin/is-firejailed", "" + subject.pid]);
                if (out.trim() == "yes") {
                        return polkit.Result.NO;
                }
                return polkit.Result.YES;
        }
});
```

@Vincent43 commented on GitHub (May 15, 2019):

I think `--nodbus` should block all D-Bus without additional polkit hacks.


@Vincent43 commented on GitHub (May 17, 2019):

I think we can count this as fixed by https://github.com/netblue30/firejail/pull/2697
