github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #2936] Firefox and Thunderbird profiles broken #1833

New issue
Closed
opened 2026-05-05 08:29:53 -06:00 by gitea-mirror · 23 comments
gitea-mirror commented 2026-05-05 08:29:53 -06:00
Owner
Copy link

Originally created by @curiosity-seeker on GitHub (Aug 30, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2936

Sorry - I haven't had the time to investigate the details.

But commenting seccomp.drop in firefox-common.profile fixed the problem. So it seems that it is caused by the recent seccomp commits.

Originally created by @curiosity-seeker on GitHub (Aug 30, 2019). Original GitHub issue: https://github.com/netblue30/firejail/issues/2936 Sorry - I haven't had the time to investigate the details. But commenting `seccomp.drop` in `firefox-common.profile` fixed the problem. So it seems that it is caused by the recent seccomp commits.
gitea-mirror 2026-05-05 08:29:53 -06:00
  • closed this issue
  • added the
    bug
         label
gitea-mirror commented 2026-05-05 08:29:56 -06:00
Author
Owner
Copy link

@veloute commented on GitHub (Aug 30, 2019):

can confirm the recent sccomp commits are causing issues with a lot of other profiles than just firefox and thunderbird.

<!-- gh-comment-id:526577589 --> @veloute commented on GitHub (Aug 30, 2019): can confirm the recent sccomp commits are causing issues with a lot of other profiles than just firefox and thunderbird.
gitea-mirror commented 2026-05-05 08:29:56 -06:00
Author
Owner
Copy link

@curiosity-seeker commented on GitHub (Aug 30, 2019):

Yes, indeed: kate, quiterss, ...

<!-- gh-comment-id:526625691 --> @curiosity-seeker commented on GitHub (Aug 30, 2019): Yes, indeed: kate, quiterss, ...
gitea-mirror commented 2026-05-05 08:29:58 -06:00
Author
Owner
Copy link

@corecontingency commented on GitHub (Aug 30, 2019):

It is weird, because at least for me it is intermittent. When I first boot up, it doesn't work, however, tor-browser profile works just fine, and then once that is opened, the firefox profile works fine too, even if tor-browser is closed first!

Teamspeak is broken anytime you try to change the options though...

Both problems are fixed by commenting out the seccomp lines.

<!-- gh-comment-id:526638795 --> @corecontingency commented on GitHub (Aug 30, 2019): It is weird, because at least for me it is intermittent. When I first boot up, it doesn't work, however, tor-browser profile works just fine, and then once that is opened, the firefox profile works fine too, even if tor-browser is closed first! Teamspeak is broken anytime you try to change the options though... Both problems are fixed by commenting out the seccomp lines.
gitea-mirror commented 2026-05-05 08:29:59 -06:00
Author
Owner
Copy link

@corecontingency commented on GitHub (Aug 30, 2019):

Looks like the problem is @resources, if I replace @resources with what is supposed to be equal to (mbind,migrate_pages,move_pages,set_mempolicy), then both firefox and teamspeak work.

<!-- gh-comment-id:526653708 --> @corecontingency commented on GitHub (Aug 30, 2019): Looks like the problem is @resources, if I replace @resources with what is [supposed to be equal to](https://github.com/netblue30/firejail/blob/master/etc/templates/syscalls.txt) (mbind,migrate_pages,move_pages,set_mempolicy), then both firefox and teamspeak work.
gitea-mirror commented 2026-05-05 08:30:00 -06:00
Author
Owner
Copy link

@curiosity-seeker commented on GitHub (Aug 30, 2019):

Looks like the problem is @resources, if I replace @resources with what is supposed to be equal to (mbind,migrate_pages,move_pages,set_mempolicy), then both firefox and teamspeak work.

I don't think that this explains the problem completely. The 2 other examples mentioned earlier (quiterss and kate) only contain the seccomp line in their profiles.

<!-- gh-comment-id:526679139 --> @curiosity-seeker commented on GitHub (Aug 30, 2019): > Looks like the problem is @resources, if I replace @resources with what is [supposed to be equal to](https://github.com/netblue30/firejail/blob/master/etc/templates/syscalls.txt) (mbind,migrate_pages,move_pages,set_mempolicy), then both firefox and teamspeak work. I don't think that this explains the problem completely. The 2 other examples mentioned earlier (quiterss and kate) only contain the `seccomp` line in their profiles.
gitea-mirror commented 2026-05-05 08:30:01 -06:00
Author
Owner
Copy link

@corecontingency commented on GitHub (Aug 30, 2019):

Sorry, don't think I was being clear. Writing seccomp in a profile is exactly the same as writing

seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice

in a profile. So I found that @resources is the problem. Writing mbind,migrate_pages,move_pages,set_mempolicy is supposed to be the same as writing @resources, but it seems that something in the most recent commits messed this up, and replacing @resources with the constituent parts fixes the problem.

So replace seccomp with

seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,mbind,migrate_pages,move_pages,set_mempolicy,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice

in your profiles and everything works fine. Just tested it with kate and quiterss and they work too.

EDIT: the guide for writing seccomp is here.

<!-- gh-comment-id:526705952 --> @corecontingency commented on GitHub (Aug 30, 2019): Sorry, don't think I was being clear. Writing `seccomp` in a profile is exactly the same as writing seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice in a profile. So I found that `@resources` is the problem. Writing `mbind,migrate_pages,move_pages,set_mempolicy` is supposed to be the same as writing `@resources`, but it seems that something in the most recent commits messed this up, and replacing `@resources` with the constituent parts fixes the problem. So replace `seccomp` with seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,mbind,migrate_pages,move_pages,set_mempolicy,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice in your profiles and everything works fine. Just tested it with kate and quiterss and they work too. EDIT: the guide for writing `seccomp` is [here.](https://github.com/netblue30/firejail/blob/master/etc/templates/syscalls.txt)
gitea-mirror commented 2026-05-05 08:30:02 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Aug 30, 2019):

Diff of @resources in Add further seccomp groups: ce4a323147 (diff-d36eaba912802a78468359b7b05c8c2dL358-R1053)

New syscalls in @resources:
ioprio_set, nice, sched_setaffinity, sched_setattr, sched_setparam, sched_setscheduler

@curiosity-seeker @corecontingency can you look in your joural with syscall is the issue.

BTW: syscalls.txt is now outdated, I will update it this weekend.

<!-- gh-comment-id:526706742 --> @rusty-snake commented on GitHub (Aug 30, 2019): Diff of `@resources` in `Add further seccomp groups`: https://github.com/netblue30/firejail/commit/ce4a3231479a29aa3dff44722b15bc315f68141d#diff-d36eaba912802a78468359b7b05c8c2dL358-R1053 New syscalls in `@resources`: `ioprio_set`, `nice`, `sched_setaffinity`, `sched_setattr`, `sched_setparam`, `sched_setscheduler` @curiosity-seeker @corecontingency can you look in your `joural` with syscall is the issue. BTW: syscalls.txt is now outdated, I will update it this weekend.
gitea-mirror commented 2026-05-05 08:30:03 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Aug 30, 2019):

I just start firefox and close it (nothing tested, nothing broken). From my journal, the following should work. Can you guys confirm.
seccomp !chroot,!sched_setaffinity,!sched_setscheduler

<!-- gh-comment-id:526722374 --> @rusty-snake commented on GitHub (Aug 30, 2019): I just start firefox and close it (nothing tested, nothing broken). From my journal, the following should work. Can you guys confirm. `seccomp !chroot,!sched_setaffinity,!sched_setscheduler`
gitea-mirror commented 2026-05-05 08:30:04 -06:00
Author
Owner
Copy link

@corecontingency commented on GitHub (Aug 30, 2019):

Yup, although I don't think you need to remove sched_setaffinity. Firefox (and the other three programs) can work with it, at least on my system. Tried kate, teamspeak, and quiterss with their normal seccomp values but replaced @resources with

mbind,migrate_pages,move_pages,set_mempolicy,ioprio_set,nice,sched_setaffinity,sched_setattr,sched_setparam

and they worked fine. So, seems like sched_setscheduler is the culprit, at least for those three programs.

Also, will syntax like

seccomp !chroot,!sched_setaffinity,!sched_setscheduler

be implemented in the future? Seems like a much better way of doing things.

<!-- gh-comment-id:526727024 --> @corecontingency commented on GitHub (Aug 30, 2019): Yup, although I don't think you need to remove sched_setaffinity. Firefox (and the other three programs) can work with it, at least on my system. Tried kate, teamspeak, and quiterss with their normal `seccomp` values but replaced `@resources` with mbind,migrate_pages,move_pages,set_mempolicy,ioprio_set,nice,sched_setaffinity,sched_setattr,sched_setparam and they worked fine. So, seems like `sched_setscheduler` is the culprit, at least for those three programs. Also, will syntax like seccomp !chroot,!sched_setaffinity,!sched_setscheduler be implemented in the future? Seems like a much better way of doing things.
gitea-mirror commented 2026-05-05 08:30:06 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Aug 30, 2019):

I don't think you need to remove sched_setaffinity

It was logged in the journal.

Also, will syntax like be implemented in the future?

It is implemented. Implementation in firejail: #2926, use in profiles: #2927.

<!-- gh-comment-id:526729177 --> @rusty-snake commented on GitHub (Aug 30, 2019): > I don't think you need to remove sched_setaffinity It was logged in the journal. > Also, will syntax like be implemented in the future? It is implemented. Implementation in firejail: #2926, use in profiles: #2927.
gitea-mirror commented 2026-05-05 08:30:07 -06:00
Author
Owner
Copy link

@corecontingency commented on GitHub (Aug 30, 2019):

It is implemented. Implementation in firejail: #2926, use in profiles: #2927.

Oh. Looks like I need to recompile firejail. I'll try it out!

<!-- gh-comment-id:526729959 --> @corecontingency commented on GitHub (Aug 30, 2019): > It is implemented. Implementation in firejail: #2926, use in profiles: #2927. Oh. Looks like I need to recompile firejail. I'll try it out!
gitea-mirror commented 2026-05-05 08:30:08 -06:00
Author
Owner
Copy link

@corecontingency commented on GitHub (Aug 30, 2019):

So getting a weird error here. seccomp !chroot,!sched_setaffinity,!sched_setscheduler doesn't seem to work after recompiling firejail with firefox, the process just hangs after reporting monitoring pid 12, and nothing show up in sudo journalctl -f except for

Aug 30 13:43:34 ccarch firejail[1884]: firejail --debug firefox
Aug 30 13:43:34 ccarch firejail[1885]: monitoring pid 12

Tried running seccomp !sched_setscheduler with Kate, and seccomp !chroot,!sched_setscheduler with teamspeak and it works fine, no errors or messages in journalctl, so it seems to be just a problem with firefox.

Weirdly, I ran the exact same thing for firefox, except using seccomp.drop with defaults excluding chroot,sched_setaffinity,sched_setscheduler before recompiling and firefox worked fine. Now, whether I write it using the new syntax or the old, firefox doesn't work.

<!-- gh-comment-id:526748736 --> @corecontingency commented on GitHub (Aug 30, 2019): So getting a weird error here. `seccomp !chroot,!sched_setaffinity,!sched_setscheduler` doesn't seem to work after recompiling firejail with firefox, the process just hangs after reporting `monitoring pid 12`, and nothing show up in `sudo journalctl -f` except for Aug 30 13:43:34 ccarch firejail[1884]: firejail --debug firefox Aug 30 13:43:34 ccarch firejail[1885]: monitoring pid 12 Tried running `seccomp !sched_setscheduler` with Kate, and `seccomp !chroot,!sched_setscheduler` with teamspeak and it works fine, no errors or messages in journalctl, so it seems to be just a problem with firefox. Weirdly, I ran the exact same thing for firefox, except using `seccomp.drop` with defaults excluding `chroot,sched_setaffinity,sched_setscheduler` before recompiling and firefox worked fine. Now, whether I write it using the new syntax or the old, firefox doesn't work.
gitea-mirror commented 2026-05-05 08:30:09 -06:00
Author
Owner
Copy link

@corecontingency commented on GitHub (Aug 30, 2019):

Okay, so I think something new added to @privileged is causing me trouble. Tried running firefox with

@cpu-emulation,@debug,@clock,@module,@raw-io,@reboot,@swap,acct,bpf,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup,@obsolete,mbind,migrate_pages,move_pages,set_mempolicy,ioprio_set,nice,sched_setaffinity,sched_setattr,sched_setparam,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice

which is @default (including new version of @resources) with chroot, and sched_setscheduler removed, and @privileged replaced with

@clock,@module,@raw-io,@reboot,@swap,acct,bpf,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup

which is what it used to be equal to (except chroot). This seemed to run firefox fine, and no errors were logged in sudo journalctl -f.

Going to take a look at what was added to @privileged to try and narrow this down. For reference, am running Arch/KDE with wayland.

<!-- gh-comment-id:526765527 --> @corecontingency commented on GitHub (Aug 30, 2019): Okay, so I think something new added to `@privileged` is causing me trouble. Tried running firefox with @cpu-emulation,@debug,@clock,@module,@raw-io,@reboot,@swap,acct,bpf,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup,@obsolete,mbind,migrate_pages,move_pages,set_mempolicy,ioprio_set,nice,sched_setaffinity,sched_setattr,sched_setparam,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice which is `@default` (including new version of `@resources`) with `chroot`, and `sched_setscheduler` removed, and `@privileged` replaced with @clock,@module,@raw-io,@reboot,@swap,acct,bpf,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup which is what it used to be equal to (except `chroot`). This seemed to run firefox fine, and no errors were logged in `sudo journalctl -f`. Going to take a look at what was added to `@privileged` to try and narrow this down. For reference, am running Arch/KDE with wayland.
gitea-mirror commented 2026-05-05 08:30:10 -06:00
Author
Owner
Copy link

@corecontingency commented on GitHub (Aug 30, 2019):

Got firefox to work with no errors in sudo journalctl -f, and played around with the settings and went to some websites, so I think it is working. Used

seccomp !chroot,!sched_setscheduler,!capset,!quotactl,!setuid,!setuid32

With capset enabled, it would start, but always thought it needed to reboot because of an update. With quotactl, setuid, and setuid32 enabled, it would just hang, and fail to start.

EDIT: Maybe we also want to disable sched_setaffinity if you were having trouble with it. What distro are you running?

<!-- gh-comment-id:526777584 --> @corecontingency commented on GitHub (Aug 30, 2019): Got firefox to work with no errors in `sudo journalctl -f`, and played around with the settings and went to some websites, so I think it is working. Used seccomp !chroot,!sched_setscheduler,!capset,!quotactl,!setuid,!setuid32 With capset enabled, it would start, but always thought it needed to reboot because of an update. With quotactl, setuid, and setuid32 enabled, it would just hang, and fail to start. EDIT: Maybe we also want to disable sched_setaffinity if you were having trouble with it. What distro are you running?
gitea-mirror commented 2026-05-05 08:30:11 -06:00
Author
Owner
Copy link

@smitsohu commented on GitHub (Aug 31, 2019):

There is the more generic issue that firejail firejail does not work because it wants to drop privileges (should be setresuid on most systems).

<!-- gh-comment-id:526847232 --> @smitsohu commented on GitHub (Aug 31, 2019): There is the more generic issue that `firejail firejail` does not work because it wants to drop privileges (should be `setresuid` on most systems).
gitea-mirror commented 2026-05-05 08:30:12 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Aug 31, 2019):

@corecontingency sched_setscheduler,sched_setaffinity are the only blocked syscalls on my system (fedora + firefox esr 60), but I see no breakage when they are blocked.

For better debuging I modify my script from #433

#!/usr/bin/env bash

# Copyright © 2019 rusty-snake
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

usage() {
    echo "Usage:"
        echo "        NOTIFY_TOOL=\"<ZENITY|KDIALOG|NOTIFY-SEND>\" bash $0"
}

if [ "$1" == "--help" ] || [ "$1" == "-h" ] || [ "$1" == "-?" ]; then
    usage "$@"
        exit 0
fi

if [ ! -v "NOTIFY_TOOL" ]; then
    printf "Error: \"NOTIFY_TOOL\" not set.\n"
    usage "$@"
    exit 1
fi

if [ "$NOTIFY_TOOL" == "ZENITY" ]; then
    notify_cmd="zenity"
    notify_args=(--title "Syscall violation" --warning --text)
elif [ "$NOTIFY_TOOL" == "KDIALOG" ]; then
    notify_cmd="kdialog"
    notify_args=(--title "Syscall violation" --sorry)
elif [ "$NOTIFY_TOOL" == "NOTIFY-SEND" ]; then
    notify_cmd="notify-send"
    notify_args=(--icon "dialog-warning" "Syscall violation")
else
    printf "Error: Invalid value for NOTIFY_TOOL.\n"
    usage "$@"
    exit 1
fi

tmpdir=$(mktemp -d)
cleanup() {
    kill %journalctl
    rm -rf "$tmpdir"
}
trap cleanup EXIT

FIREJAIL_DEBUG_SYSCALLS=$tmpdir/firejail_debug-syscalls
firejail --debug-syscalls > "$FIREJAIL_DEBUG_SYSCALLS"

SHOW_SYSCALL_PIPE=$tmpdir/pipe
mkfifo "$SHOW_SYSCALL_PIPE"

show_syscall() {
    grep --line-buffered -oE "syscall=[[:digit:]]{1,3}" | sed --unbuffered "s/syscall=//g" | xargs -L1 -I{} grep -E "^{}[[:space:]]" "$FIREJAIL_DEBUG_SYSCALLS" | sed --unbuffered -E "s/^[[:digit:]]{1,3}[[:space:]]+-[[:space:]]/syscall: /g"
}

journalctl --grep="SECCOMP" --output=json --follow | jq --unbuffered ".MESSAGE" | tee "$SHOW_SYSCALL_PIPE" | xargs -L1 -P0 --delimiter="\n" "$notify_cmd" "${notify_args[@]}" & show_syscall < "$SHOW_SYSCALL_PIPE"
<!-- gh-comment-id:526850967 --> @rusty-snake commented on GitHub (Aug 31, 2019): @corecontingency `sched_setscheduler,sched_setaffinity` are the only blocked syscalls on my system (fedora + firefox esr 60), but I see no breakage when they are blocked. *** For better debuging I modify my script from #433 ```bash #!/usr/bin/env bash # Copyright © 2019 rusty-snake # # Permission to use, copy, modify, and distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. usage() { echo "Usage:" echo " NOTIFY_TOOL=\"<ZENITY|KDIALOG|NOTIFY-SEND>\" bash $0" } if [ "$1" == "--help" ] || [ "$1" == "-h" ] || [ "$1" == "-?" ]; then usage "$@" exit 0 fi if [ ! -v "NOTIFY_TOOL" ]; then printf "Error: \"NOTIFY_TOOL\" not set.\n" usage "$@" exit 1 fi if [ "$NOTIFY_TOOL" == "ZENITY" ]; then notify_cmd="zenity" notify_args=(--title "Syscall violation" --warning --text) elif [ "$NOTIFY_TOOL" == "KDIALOG" ]; then notify_cmd="kdialog" notify_args=(--title "Syscall violation" --sorry) elif [ "$NOTIFY_TOOL" == "NOTIFY-SEND" ]; then notify_cmd="notify-send" notify_args=(--icon "dialog-warning" "Syscall violation") else printf "Error: Invalid value for NOTIFY_TOOL.\n" usage "$@" exit 1 fi tmpdir=$(mktemp -d) cleanup() { kill %journalctl rm -rf "$tmpdir" } trap cleanup EXIT FIREJAIL_DEBUG_SYSCALLS=$tmpdir/firejail_debug-syscalls firejail --debug-syscalls > "$FIREJAIL_DEBUG_SYSCALLS" SHOW_SYSCALL_PIPE=$tmpdir/pipe mkfifo "$SHOW_SYSCALL_PIPE" show_syscall() { grep --line-buffered -oE "syscall=[[:digit:]]{1,3}" | sed --unbuffered "s/syscall=//g" | xargs -L1 -I{} grep -E "^{}[[:space:]]" "$FIREJAIL_DEBUG_SYSCALLS" | sed --unbuffered -E "s/^[[:digit:]]{1,3}[[:space:]]+-[[:space:]]/syscall: /g" } journalctl --grep="SECCOMP" --output=json --follow | jq --unbuffered ".MESSAGE" | tee "$SHOW_SYSCALL_PIPE" | xargs -L1 -P0 --delimiter="\n" "$notify_cmd" "${notify_args[@]}" & show_syscall < "$SHOW_SYSCALL_PIPE" ```
gitea-mirror commented 2026-05-05 08:30:13 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Sep 1, 2019):

mpv: seccomp !sched_setscheduler,!sched_setaffinity

<!-- gh-comment-id:526891213 --> @rusty-snake commented on GitHub (Sep 1, 2019): mpv: `seccomp !sched_setscheduler,!sched_setaffinity`
gitea-mirror commented 2026-05-05 08:30:13 -06:00
Author
Owner
Copy link

@corecontingency commented on GitHub (Sep 1, 2019):

mpv: seccomp !sched_setscheduler,!sched_setaffinity

Just tried it out and it is broken by default, but works fine with just seccomp !sched_setscheduler.

For some reason nothing was printed to sudo journalctl at all about firejail, or mpv when it failed to open using just seccomp. Now I am worried that my kernel isn't logging for some reason. I know it is logging some stuff, b/c sudo journalctl is constantly printing these messages every 5 or so seconds:

Sep 01 00:00:03 ccarch plasmashell[1159]: qt.qpa.wayland.backingstore: Delivering update request through fallback timer, may not be in sync with display
Sep 01 00:00:09 ccarch plasmashell[1159]: qt.qpa.wayland.backingstore: Delivering update request through fallback timer, may not be in sync with display
Sep 01 00:00:10 ccarch plasmashell[1159]: qt.qpa.wayland: Wayland does not support QWindow::requestActivate()

This might explain why I can run seccomp !sched_setscheduler and not include !sched_setaffinity for some stuff and not see any errors to sudo journalctl, b/c my journal isn't working. Alternatively, it could be some distro difference, and I actually don't need !sched_setaffinity.

I need to figure out what is going on with my kernel log levels.

Do you want me to add mpv to my pull request, or are you going to add it directly to the repository?

<!-- gh-comment-id:526893481 --> @corecontingency commented on GitHub (Sep 1, 2019): > mpv: seccomp !sched_setscheduler,!sched_setaffinity Just tried it out and it is broken by default, but works fine with just `seccomp !sched_setscheduler`. For some reason nothing was printed to `sudo journalctl` at all about firejail, or mpv when it failed to open using just `seccomp`. Now I am worried that my kernel isn't logging for some reason. I know it is logging some stuff, b/c `sudo journalctl` is constantly printing these messages every 5 or so seconds: Sep 01 00:00:03 ccarch plasmashell[1159]: qt.qpa.wayland.backingstore: Delivering update request through fallback timer, may not be in sync with display Sep 01 00:00:09 ccarch plasmashell[1159]: qt.qpa.wayland.backingstore: Delivering update request through fallback timer, may not be in sync with display Sep 01 00:00:10 ccarch plasmashell[1159]: qt.qpa.wayland: Wayland does not support QWindow::requestActivate() This might explain why I can run `seccomp !sched_setscheduler` and not include `!sched_setaffinity` for some stuff and not see any errors to `sudo journalctl`, b/c my journal isn't working. Alternatively, it could be some distro difference, and I actually don't need `!sched_setaffinity`. I need to figure out what is going on with my kernel log levels. Do you want me to add mpv to my pull request, or are you going to add it directly to the repository?
gitea-mirror commented 2026-05-05 08:30:13 -06:00
Author
Owner
Copy link

@Vincent43 commented on GitHub (Sep 1, 2019):

I think amount of breaks is too big and it's just tip of the iceberg as nobody tested most of the apps yet. If the new default seccomp filter needs so much exceptions then it's not suitable default and should be reverted.

<!-- gh-comment-id:526911286 --> @Vincent43 commented on GitHub (Sep 1, 2019): I think amount of breaks is too big and it's just tip of the iceberg as nobody tested most of the apps yet. If the new default seccomp filter needs so much exceptions then it's not suitable default and should be reverted.
gitea-mirror commented 2026-05-05 08:30:14 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Sep 1, 2019):

@corecontingency,
Same for feedreader [EDIT] !sched_setaffinity,!sched_setscheduler,!fchown [/EDIT]

Do you want me to add mpv to my pull request, or are you going to add it directly to the repository?

Go ahead, but as @Vincent43 say: probably it is the best to revert some of the changes in seccomp.

I need to figure out what is going on with my kernel log levels.

Firejail will print seccomp violations to the audit log if the kernel was compiled with audit support (CONFIG_AUDIT flag).

Draft for syscalls.txt update: https://gist.github.com/rusty-snake/3dd58fb2f0087c8b64dc306beadd612f
I will commit it until the double include (see #2928) and the potential partial-revert are clarified.

<!-- gh-comment-id:526918778 --> @rusty-snake commented on GitHub (Sep 1, 2019): @corecontingency, Same for feedreader **[EDIT]** `!sched_setaffinity,!sched_setscheduler,!fchown` **[/EDIT]** > Do you want me to add mpv to my pull request, or are you going to add it directly to the repository? Go ahead, but as @Vincent43 say: probably it is the best to revert some of the changes in seccomp. > I need to figure out what is going on with my kernel log levels. > Firejail will print seccomp violations to the audit log if the kernel was compiled with audit support (CONFIG_AUDIT flag). *** Draft for syscalls.txt update: https://gist.github.com/rusty-snake/3dd58fb2f0087c8b64dc306beadd612f I will commit it until the double include (see #2928) and the potential partial-revert are clarified.
gitea-mirror commented 2026-05-05 08:30:14 -06:00
Author
Owner
Copy link

@corecontingency commented on GitHub (Sep 1, 2019):

At minimum !sched_setscheduler,!sched_setaffinity should be removed from @resources, as that seems to be necessary for most programs to both actually work, and run with no errors to journalctl, respectively.

I am going to be leaving my pull request up until seccomp is fixed, for reference, in case someone is using a version compiled from github and wants to get some programs working again.

<!-- gh-comment-id:526951203 --> @corecontingency commented on GitHub (Sep 1, 2019): At minimum `!sched_setscheduler,!sched_setaffinity` should be removed from `@resources`, as that seems to be necessary for most programs to both actually work, and run with no errors to `journalctl`, respectively. I am going to be leaving my pull request up until `seccomp` is fixed, for reference, in case someone is using a version compiled from github and wants to get some programs working again.
gitea-mirror commented 2026-05-05 08:30:15 -06:00
Author
Owner
Copy link

@corecontingency commented on GitHub (Sep 6, 2019):

I think we are good to close this one, unless anyone else has problems. Firefox and thunderbird are fixed for me!

<!-- gh-comment-id:529049895 --> @corecontingency commented on GitHub (Sep 6, 2019): I think we are good to close this one, unless anyone else has problems. Firefox and thunderbird are fixed for me!
gitea-mirror commented 2026-05-05 08:30:15 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Sep 7, 2019):

@corecontingency yes, should be fixed with #2939.

<!-- gh-comment-id:529090085 --> @rusty-snake commented on GitHub (Sep 7, 2019): @corecontingency yes, should be fixed with #2939.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#1833
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?