[GH-ISSUE #2809] firejail hanging when using strace, but ptrace is not allowed #1759

Open
opened 2026-05-05 08:25:55 -06:00 by gitea-mirror · 2 comments

Originally created by @reinerh on GitHub (Jun 29, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2809

A Debian user reported the issue (https://bugs.debian.org/931051) that firejail is just hanging when using strace ls with a profile that had the ptrace syscall dropped, even though --allow-debuggers has been specified.

/usr/bin/firejail --allow-debuggers --profile=firefox strace /bin/ls

So there seem to be two issues:

  • why does firejail just hang, instead of terminating when the program tries to ptrace something
  • should --allow-debuggers specified on the command line not override the dropped syscalls from the profile? According to the manpage this should be the case.
gitea-mirror added the bug label 2026-05-05 08:25:55 -06:00

@smitsohu commented on GitHub (Jul 2, 2019):

firejail --allow-debuggers --seccomp -> works
firejail --allow-debuggers --seccomp.drop=ptrace -> is broken

It seems that strace pauses soon after starting up, before any ptrace syscalls are issued:

set_robust_list(0x762e4e55aa20, 24) = 0
pause(

(obtained with something like sudo strace -ff -o trace firejail --noprofile --allow-debuggers --seccomp.drop=ptrace strace ls)


@rusty-snake commented on GitHub (Aug 22, 2019):

allow-debuggers: Allow tools such as strace and gdb inside the sandbox by whitelisting system calls ptrace and process_vm_readv.

seccomp: Enable seccomp filter and blacklist the syscalls in the default list (@default).

What's wrong?

  • seccomp doesn't use the default list
  • allow-debuggers doesn't whitelist syscalls

What's really happening?

seccomp blacklists the syscalls in @default-nodebuggers unless allow-debuggers is given; then it uses @default.

=> allow-debuggers switches the list used by seccomp

https://github.com/netblue30/firejail/blob/8dfe3eb5656e17af51d700038cb2bc29a9a53a0c/src/fseccomp/seccomp.c#L29-L32

(TODO: update manpage) [EDIT] #2940 [/EDIT]

What's the issue with seccomp.drop?

seccomp.drop: Enable seccomp filter, and blacklist the syscalls or the syscall groups specified by the command.

seccomp.drop always uses the given list of syscalls/groups and no group by default, so allow-debuggers can't switch this. Here allow-debuggers would have to work like noblacklist in profiles, but this is not implemented.

https://github.com/netblue30/firejail/blob/8dfe3eb5656e17af51d700038cb2bc29a9a53a0c/src/fseccomp/seccomp.c#L72

Reference: github-starred/firejail#1759