[GH-ISSUE #2963] Apparmor integration, most applications crash. #1854

Closed
opened 2026-05-05 08:31:21 -06:00 by gitea-mirror · 6 comments
Owner

Originally created by @Netanel-M on GitHub (Sep 15, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2963

Running Ubuntu 18.04, I've installed firejail along with apparmor from the official repositories. I used `aa-enforce firejail-default` to enable the apparmor profile, then proceeded to run a few programs with `firejail --apparmor <program name>`. Almost all of them crash, except for chromium-browser, which seems to work. Here is the output of `firejail --debug --apparmor kate`:

Reading profile /etc/firejail/kate.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-var-common.inc
DISPLAY=:0 parsed as 0
total 0
lrwx------ 1 user user 64 Sep 15 19:46 0 -> /dev/null
l-wx------ 1 user user 64 Sep 15 19:46 1 -> /home/user/apparmor_firejail_error
l-wx------ 1 user user 64 Sep 15 19:46 2 -> /home/user/apparmor_firejail_error
lr-x------ 1 user user 64 Sep 15 19:46 3 -> /proc/14353/fd
Debug 393: new_name #/var/lib/dbus#, whitelist
Debug 393: new_name #/var/lib/menu-xdg#, whitelist
Autoselecting /bin/bash as shell
Building quoted command line: 'kate' 
Command name #kate#
Found kate profile in /etc/firejail directory
Using the local network stack
Initializing child process
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp.postexec file
Build protocol filter: unix
sbox run: /usr/lib/x86_64-linux-gnu/firejail/fseccomp protocol build unix /run/firejail/mnt/seccomp.protocol (null) 
Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr, /etc, /var
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /var/lib/dhcp
Mounting tmpfs on /var/lib/snmp
Mounting tmpfs on /var/lib/sudo
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/x11
Mounting tmpfs on /dev
mounting /run/firejail/mnt/dev/dri directory
Create /dev/shm directory
Remounting /proc and /proc/sys filesystems
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/module
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /sys/kernel/uevent_helper
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/kernel/hotplug
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /lib/modules
Disable /usr/lib/debug
Disable /boot
Disable /run/user/1000/gnupg
Disable /run/user/1000/systemd
Disable /proc/kmsg
Removed whitelist/nowhitelist path: whitelist /var/lib/menu-xdg
	expanded: /var/lib/menu-xdg
	real path: (null)
	realpath: No such file or directory
Debug 393: new_name #/var/cache/fontconfig#, whitelist
Debug 393: new_name #/var/tmp#, whitelist
Debug 393: new_name #/var/run#, whitelist
Debug 393: new_name #/var/lock#, whitelist
Debug 393: new_name #/tmp/xauth-1000-_0#, whitelist
Debug 393: new_name #/tmp/.X11-unix#, whitelist
Replaced whitelist path: whitelist /run
Replaced whitelist path: whitelist /run/lock
Mounting tmpfs on /tmp directory
Mounting tmpfs on /var directory
Whitelisting /var/lib/dbus
Whitelisting /var/cache/fontconfig
Whitelisting /var/tmp
Created symbolic link /var/run -> /run
Whitelisting /run/lock
Created symbolic link /var/lock -> /run/lock
Whitelisting /tmp/xauth-1000-_0
Whitelisting /tmp/.X11-unix
Disable /home/user/.bash_history
Disable /home/user/.node_repl_history
Disable /home/user/.config/autostart
Disable /home/user/.config/autostart-scripts
Disable /home/user/.config/plasma-workspace
Disable /home/user/.config/startupconfig
Disable /etc/X11/Xsession.d
Disable /etc/xdg/autostart
Disable /home/user/.config/khotkeysrc
Disable /home/user/.config/krunnerrc
Disable /home/user/.config/kwinrc
Disable /home/user/.config/kwinrulesrc
Disable /home/user/.config/plasma-org.kde.plasma.desktop-appletsrc
Disable /home/user/.config/plasmavaultrc
Disable /home/user/.local/share/konsole
Disable /home/user/.local/share/plasma
Mounting read-only /home/user/.config/kdeglobals
Mounting read-only /home/user/.kde/share/config/kdeglobals
Mounting read-only /home/user/.kde/share/config/kioslaverc
Mounting read-only /home/user/.kde/share/kde4/services
Disable /run/user/1000/kdeinit5__0
Disable /home/user/.config/VirtualBox
Disable /home/user/VirtualBox VMs
Disable /run/acpid.socket (requested /var/run/acpid.socket)
Disable /etc/anacrontab
Disable /etc/cron.hourly
Disable /etc/cron.daily
Disable /etc/cron.monthly
Disable /etc/crontab
Disable /etc/cron.weekly
Disable /etc/cron.d
Disable /etc/profile.d
Disable /etc/rc5.d
Disable /etc/rc1.d
Disable /etc/rc4.d
Disable /etc/rc3.d
Disable /etc/rc6.d
Disable /etc/rc2.d
Disable /etc/rcS.d
Disable /etc/rc0.d
Disable /etc/kernel-img.conf
Disable /etc/kerneloops.conf
Disable /etc/kernel
Disable /etc/grub.d
Disable /etc/dkms
Disable /etc/apparmor
Disable /etc/apparmor.d
Disable /etc/selinux
Disable /etc/modules
Disable /etc/modules-load.d
Disable /etc/logrotate.conf
Disable /etc/logrotate.d
Disable /etc/adduser.conf
Mounting read-only /home/user/.bash_logout
Mounting read-only /home/user/.bashrc
Mounting read-only /home/user/.profile
Mounting read-only /home/user/.viminfo
Mounting read-only /home/user/.gem
Disable /home/user/.local/share/Trash
Mounting read-only /home/user/.local/share/applications
Disable /home/user/.gnupg
Disable /home/user/.kde/share/apps/kwallet
Disable /home/user/.local/share/keyrings
Disable /home/user/.local/share/kwalletd
Disable /home/user/.pki
Disable /etc/group-
Disable /etc/gshadow
Disable /etc/gshadow-
Disable /etc/passwd-
Disable /etc/shadow
Disable /etc/shadow-
Disable /etc/ssh
Disable /sbin
Disable /usr/local/sbin
Disable /usr/sbin
Disable /usr/bin/chage
Disable /usr/bin/chfn
Disable /usr/bin/chsh
Disable /usr/bin/crontab
Disable /usr/bin/expiry
Disable /bin/fusermount
Disable /usr/bin/gpasswd
Disable /bin/mount
Disable /bin/nc.openbsd (requested /bin/nc)
Disable /usr/bin/ncat
Disable /usr/bin/newgrp
Disable /bin/ntfs-3g
Disable /usr/bin/pkexec
Disable /usr/bin/newgrp (requested /usr/bin/sg)
Disable /usr/bin/strace
Disable /bin/su
Disable /usr/bin/sudo
Disable /bin/umount
Disable /usr/bin/xev
Disable /usr/bin/xinput
Disable /usr/lib/virtualbox
Mounting noexec /tmp/.X11-unix
Disable /home/user/.atom
Disable /home/user/.config/Atom
Disable /home/user/.config/Signal
Disable /home/user/.config/Thunar
Disable /home/user/.config/VirtualBox
Disable /home/user/.config/akregatorrc
Disable /home/user/.config/arkrc
Disable /home/user/.config/baloofilerc
Disable /home/user/.config/chromium
Disable /home/user/.config/dolphinrc
Disable /home/user/.config/enchant
Disable /home/user/.config/evolution
Disable /home/user/.config/gajim
Disable /home/user/.config/gwenviewrc
Not blacklist /home/user/.config/katepartrc
Not blacklist /home/user/.config/katerc
Not blacklist /home/user/.config/kateschemarc
Not blacklist /home/user/.config/katesyntaxhighlightingrc
Not blacklist /home/user/.config/katevirc
Disable /home/user/.config/kdeconnect
Disable /home/user/.config/ktorrentrc
Disable /home/naDISPLAY=:0 parsed as 0
total 0
lrwx------ 1 user user 64 Sep 15 19:46 0 -> /dev/null
l-wx------ 1 user user 64 Sep 15 19:46 1 -> /home/user/apparmor_firejail_error
l-wx------ 1 user user 64 Sep 15 19:46 2 -> /home/user/apparmor_firejail_error
lr-x------ 1 user user 64 Sep 15 19:46 3 -> /proc/7/fd
SECCOMP Filter
  VALIDATE_ARCHITECTURE_64
  EXAMINE_SYSCALL
  WHITELIST 41 socket
  UNKNOWN ENTRY 20!
  WHITELIST 1 write
  RETURN_ERRNO 95 EOPNOTSUPP
total 0
lrwx------ 1 user user 64 Sep 15 19:46 0 -> /dev/null
l-wx------ 1 user user 64 Sep 15 19:46 1 -> /home/user/apparmor_firejail_error
l-wx------ 1 user user 64 Sep 15 19:46 2 -> /home/user/apparmor_firejail_error
lr-x------ 1 user user 64 Sep 15 19:46 3 -> /proc/10/fd
SECCOMP Filter
  VALIDATE_ARCHITECTURE_32
  EXAMINE_SYSCALL
  BLACKLIST 21 access
  BLACKLIST 52 getpeername
  BLACKLIST 26 msync
  BLACKLIST 283 timerfd_create
  BLACKLIST 341 unknown
  BLACKLIST 342 unknown
  BLACKLIST 127 rt_sigpending
  BLACKLIST 128 rt_sigtimedwait
  BLACKLIST 350 unknown
  BLACKLIST 129 rt_sigqueueinfo
  BLACKLIST 110 getppid
  BLACKLIST 101 ptrace
  BLACKLIST 289 signalfd4
  BLACKLIST 87 unlink
  BLACKLIST 115 getgroups
  BLACKLIST 103 syslog
  BLACKLIST 347 unknown
  BLACKLIST 348 unknown
  BLACKLIST 135 personality
  BLACKLIST 149 mlock
  BLACKLIST 124 getsid
  BLACKLIST 343 unknown
  BLACKLIST 253 inotify_init
  BLACKLIST 336 unknown
  BLACKLIST 338 unknown
  BLACKLIST 349 unknown
  BLACKLIST 286 timerfd_settime
  BLACKLIST 287 timerfd_gettime
  BLACKLIST 288 accept4
  BLACKLIST 86 link
  BLACKLIST 51 getsockname
  BLACKLIST 123 setfsgid
  BLACKLIST 217 getdents64
  BLACKLIST 245 mq_getsetattr
  BLACKLIST 246 kexec_load
  BLACKLIST 247 waitid
  BLACKLIST 248 add_key
  BLACKLIST 249 request_key
  BLACKLIST 257 openat
  BLACKLIST 274 get_robust_list
  BLACKLIST 276 tee
  BLACKLIST 294 inotify_init1
  BLACKLIST 317 seccomp
  BLACKLIST 316 renameat2
  BLACKLIST 61 wait4
  BLACKLIST 88 symlink
  BLACKLIST 169 reboot
  BLACKLIST 130 rt_sigsuspend
  RETURN_ALLOW
total 0
lrwx------ 1 user user 64 Sep 15 19:46 0 -> /dev/null
l-wx------ 1 user user 64 Sep 15 19:46 1 -> /home/user/apparmor_firejail_error
l-wx------ 1 user user 64 Sep 15 19:46 2 -> /home/user/apparmor_firejail_error
lr-x------ 1 user user 64 Sep 15 19:46 3 -> /proc/13/fd
SECCOMP Filter
  VALIDATE_ARCHITECTURE
  EXAMINE_SYSCALL
  HANDLE_X32
  BLACKLIST 154 modify_ldt
  BLACKLIST 212 lookup_dcookie
  BLACKLIST 298 perf_event_open
  BLACKLIST 311 process_vm_writev
  BLACKLIST 156 _sysctl
  BLACKLIST 183 afs_syscall
  BLACKLIST 174 create_module
  BLACKLIST 177 get_kernel_syms
  BLACKLIST 181 getpmsg
  BLACKLIST 182 putpmsg
  BLACKLIST 178 query_module
  BLACKLIST 185 security
  BLACKLIST 139 sysfs
  BLACKLIST 184 tuxcall
  BLACKLIST 134 uselib
  BLACKLIST 136 ustat
  BLACKLIST 236 vserver
  BLACKLIST 159 adjtimex
  BLACKLIST 305 clock_adjtime
  BLACKLIST 227 clock_settime
  BLACKLIST 164 settimeofday
  BLACKLIST 176 delete_module
  BLACKLIST 313 finit_module
  BLACKLIST 175 init_module
  BLACKLIST 173 ioperm
  BLACKLIST 172 iopl
  BLACKLIST 246 kexec_load
  BLACKLIST 320 kexec_file_load
  BLACKLIST 169 reboot
  BLACKLIST 167 swapon
  BLACKLIST 168 swapoff
  BLACKLIST 163 acct
  BLACKLIST 321 bpf
  BLACKLIST 161 chroot
  BLACKLIST 165 mount
  BLACKLIST 180 nfsservctl
  BLACKLIST 155 pivot_root
  BLACKLIST 171 setdomainname
  BLACKLIST 170 sethostname
  BLACKLIST 166 umount2
  BLACKLIST 153 vhangup
  BLACKLIST 238 set_mempolicy
  BLACKLIST 256 migrate_pages
  BLACKLIST 279 move_pages
  BLACKLIST 237 mbind
  BLACKLIST 304 open_by_handle_at
  BLACKLIST 303 name_to_handle_at
  BLACKLIST 251 ioprio_set
  BLACKLIST 103 syslog
  BLACKLIST 300 fanotify_init
  BLACKLIST 312 kcmp
  BLACKLIST 248 add_key
  BLACKLIST 249 request_key
  BLACKLIST 250 keyctl
  BLACKLIST 206 io_setup
  BLACKLIST 207 io_destroy
  BLACKLIST 208 io_getevents
  BLACKLIST 209 io_submit
  BLACKLIST 210 io_cancel
  BLACKLIST 216 remap_file_pages
  BLACKLIST 278 vmsplice
  BLACKLIST 135 personality
  BLACKLIST 323 userfaultfd
  BLACKLIST 101 ptrace
  BLACKLIST 310 process_vm_readv
  RETURN_ALLOW
-rw-r--r-- 1 user user 1104 Sep 15 19:46 /run/firejail/mnt/seccomp
-rw-r--r-- 1 user user  808 Sep 15 19:46 /run/firejail/mnt/seccomp.32
-rw-r--r-- 1 user user  824 Sep 15 19:46 /run/firejail/mnt/seccomp.64
-rw-r--r-- 1 user user    0 Sep 15 19:46 /run/firejail/mnt/seccomp.postexec
-rw-r--r-- 1 user user   80 Sep 15 19:46 /run/firejail/mnt/seccomp.protocol
nd/.config/libreoffice
Disable /home/user/.config/nautilus
Disable /home/user/.config/nemo
Disable /home/user/.config/okularrc
Disable /home/user/.config/psi+
Disable /home/user/.config/qBittorrent
Disable /home/user/.config/transmission
Disable /home/user/.config/vlc
Disable /home/user/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml
Disable /home/user/.gimp-2.8
Disable /home/user/.gitconfig
Disable /home/user/.kde/share/config/kcookiejarrc
Disable /home/user/.local/lib/python2.7/site-packages
Disable /home/user/.local/share/baloo
Disable /home/user/.local/share/dolphin
Disable /home/user/.local/share/evolution
Disable /home/user/.local/share/gajim
Disable /home/user/.local/share/gwenview
Not blacklist /home/user/.local/share/kate
Disable /home/user/.local/share/ktorrent
Disable /home/user/.local/share/nautilus
Disable /home/user/.local/share/nemo
Disable /home/user/.local/share/okular
Disable /home/user/.local/share/psi+
Disable /home/user/.local/share/vlc
Disable /home/user/.local/share/vulkan
Disable /home/user/.mozilla
Disable /home/user/.steam
Disable /home/user/.cache/chromium
Disable /home/user/.cache/evolution
Disable /home/user/.cache/gajim
Disable /home/user/.cache/mozilla
Disable /home/user/.cache/qBittorrent
Disable /home/user/.cache/transmission
Disable /sys/fs
disable pulseaudio
Disable/home/user/.config/pulse
Disable/run/user/1000/pulse/native
Disable/run/user/1000/pulse/native
disable /dev/snd
disable /dev/dvb
disable /dev/sr0
disable /dev/video0
disable /dev/video1
disable /dev/video2
disable /dev/video3
disable /dev/video4
disable /dev/video5
disable /dev/video6
disable /dev/video7
disable /dev/video8
disable /dev/video9
Create the new ld.so.preload file
Blacklist violations are logged to syslog
Mount the new ld.so.preload file
Current directory: /home/user
Dropping all capabilities
Install protocol filter: unix
configuring 10 seccomp entries in /run/firejail/mnt/seccomp.protocol
sbox run: /usr/lib/x86_64-linux-gnu/firejail/fseccomp print /run/firejail/mnt/seccomp.protocol (null) 
configuring 101 seccomp entries in /run/firejail/mnt/seccomp.32
sbox run: /usr/lib/x86_64-linux-gnu/firejail/fseccomp print /run/firejail/mnt/seccomp.32 (null) 
Dual 32/64 bit seccomp filter configured
configuring 138 seccomp entries in /run/firejail/mnt/seccomp
sbox run: /usr/lib/x86_64-linux-gnu/firejail/fseccomp print /run/firejail/mnt/seccomp (null) 
seccomp filter configured

Seccomp files:

noroot user namespace installed
Dropping all capabilities
NO_NEW_PRIVS set
AppArmor enabled
]0;firejail kate dbus[16]: The last reference on a connection was dropped without closing the connection. This is a bug in an application. See dbus_connection_unref() documentation for details.
Most likely, the application was supposed to call dbus_connection_close(), since this is a private connection.
  D-Bus not built with -rdynamic so unable to print a backtrace
KCrash: crashing... crashRecursionCounter = 2
KCrash: Application Name = kate path = /usr/bin pid = 16
KCrash: Arguments: /usr/bin/kate 
KCrash: Attempting to start /usr/lib/x86_64-linux-gnu/libexec/drkonqi from kdeinit
Warning: connect() failed: : Permission denied
KCrash: Attempting to start /usr/lib/x86_64-linux-gnu/libexec/drkonqi directly
found lsb_release
Executable is: "/usr/bin/kate"
Executable exists: true
Enabling drkonqi crash catching
dbus[19]: The last reference on a connection was dropped without closing the connection. This is a bug in an application. See dbus_connection_unref() documentation for details.
Most likely, the application was supposed to call dbus_connection_close(), since this is a private connection.
  D-Bus not built with -rdynamic so unable to print a backtrace
KCrash: crashing... crashRecursionCounter = 2
KCrash: Application Name = drkonqi path = /usr/lib/x86_64-linux-gnu/libexec pid = 19
KCrash: Arguments: /usr/lib/x86_64-linux-gnu/libexec/drkonqi --appname kate --apppath /usr/bin --signal 6 --pid 16 --appversion 17.12.3 --programname Kate --bugaddress submit@bugs.kde.org --startupid 0 
KCrash: Attempting to start /usr/lib/x86_64-linux-gnu/libexec/drkonqi from kdeinit
Warning: connect() failed: : Permission denied
KCrash: Attempting to start /usr/lib/x86_64-linux-gnu/libexec/drkonqi directly
Exception ignored in: <_io.TextIOWrapper name='<stdout>' mode='w' encoding='ANSI_X3.4-1968'>
BrokenPipeError: [Errno 32] Broken pipe
found lsb_release
Executable is: "/usr/lib/x86_64-linux-gnu/libexec/drkonqi"
Executable exists: true
dbus[23]: The last reference on a connection was dropped without closing the connection. This is a bug in an application. See dbus_connection_unref() documentation for details.
Most likely, the application was supposed to call dbus_connection_close(), since this is a private connection.
  D-Bus not built with -rdynamic so unable to print a backtrace
KCrash: crashing... crashRecursionCounter = 2
KCrash: Application Name = drkonqi path = /usr/lib/x86_64-linux-gnu/libexec pid = 23
KCrash: Arguments: /usr/lib/x86_64-linux-gnu/libexec/drkonqi --appname drkonqi --apppath /usr/lib/x86_64-linux-gnu/libexec --signal 6 --pid 19 --startupid 0 
Exception ignored in: <_io.TextIOWrapper name='<stdout>' mode='w' encoding='ANSI_X3.4-1968'>
BrokenPipeError: [Errno 32] Broken pipe
Autoselecting /bin/bash as shell
Building quoted command line: 'kate' 
Command name #kate#
Found kate profile in /etc/firejail directory
Using the local network stack
Parent pid 14348, child pid 14349

Parent is shutting down, bye...

I assume firefox fails for similar reasons, but I opted for kate because it's a much simpler piece of software.

@chiraag-nataraj commented on GitHub (Sep 15, 2019):

Hmm, I've been running with apparmor enabled on Debian for a while now with no issues whatsoever (Firefox included). Does disabling the apparmor integration prevent the program from crashing?

@Netanel-M commented on GitHub (Sep 16, 2019):

Hi, yes, when moving the `firejail-default` profile to `complain` mode, Firefox and Kate do work.

Also, a correction: Firefox doesn't actually crash, but it doesn't work. It keeps asking to restart, and won't go to any URL.
I installed a fresh Ubuntu 18.04 image in a virtual machine and confirmed this all happens there too, so it's not just my machine.

@Vincent43 commented on GitHub (Sep 16, 2019):

The proper way to enable the firejail AppArmor profile after install is `apparmor_parser -r /etc/apparmor.d/firejail-default`, as documented in the manpage.

You may check the output of `journalctl -b | grep DENIED`. I'm unable to reproduce the crashes on Ubuntu 18.04. You may try installing the latest version from the [PPA](https://launchpad.net/~deki/+archive/ubuntu/firejail).

@Netanel-M commented on GitHub (Sep 16, 2019):

Thank you for the response. Here is the output of `journalctl -b | grep DENIED`:

```
Sep 16 14:57:47 laptop audit[3475]: AVC apparmor="DENIED" operation="sendmsg" profile="firejail-default" name="/run/systemd/journal/dev-log" pid=3475 comm="kate" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
Sep 16 14:57:47 laptop kernel: audit: type=1400 audit(1568635067.667:131): apparmor="DENIED" operation="sendmsg" profile="firejail-default" name="/run/systemd/journal/dev-log" pid=3475 comm="kate" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
Sep 16 14:57:47 laptop kernel: audit: type=1400 audit(1568635067.667:132): apparmor="DENIED" operation="sendmsg" profile="firejail-default" name="/run/systemd/journal/dev-log" pid=3475 comm="kate" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
Sep 16 14:57:47 laptop audit[3475]: AVC apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/user/1000/bus" pid=3475 comm="QDBusConnection" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Sep 16 14:57:47 laptop kernel: audit: type=1400 audit(1568635067.671:133): apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/user/1000/bus" pid=3475 comm="QDBusConnection" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Sep 16 14:57:47 laptop dbus-daemon[1615]: apparmor="DENIED" operation="dbus_method_call"  bus="accessibility" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="Hello" mask="send" name="org.freedesktop.DBus" pid=3475 label="firejail-default" peer_label="unconfined"
Sep 16 14:57:47 laptop audit[3478]: AVC apparmor="DENIED" operation="sendmsg" profile="firejail-default" name="/run/systemd/journal/dev-log" pid=3478 comm="drkonqi" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
Sep 16 14:57:47 laptop audit[3478]: AVC apparmor="DENIED" operation="sendmsg" profile="firejail-default" name="/run/systemd/journal/dev-log" pid=3478 comm="drkonqi" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
Sep 16 14:57:47 laptop kernel: audit: type=1400 audit(1568635067.803:134): apparmor="DENIED" operation="sendmsg" profile="firejail-default" name="/run/systemd/journal/dev-log" pid=3478 comm="drkonqi" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
Sep 16 14:57:47 laptop kernel: audit: type=1400 audit(1568635067.803:135): apparmor="DENIED" operation="sendmsg" profile="firejail-default" name="/run/systemd/journal/dev-log" pid=3478 comm="drkonqi" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
Sep 16 14:57:47 laptop audit[3478]: AVC apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/user/1000/bus" pid=3478 comm="QDBusConnection" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Sep 16 14:57:47 laptop kernel: audit: type=1400 audit(1568635067.807:136): apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/user/1000/bus" pid=3478 comm="QDBusConnection" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Sep 16 14:57:47 laptop dbus-daemon[1615]: apparmor="DENIED" operation="dbus_method_call"  bus="accessibility" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="Hello" mask="send" name="org.freedesktop.DBus" pid=3478 label="firejail-default" peer_label="unconfined"
Sep 16 14:57:47 laptop audit[3482]: AVC apparmor="DENIED" operation="sendmsg" profile="firejail-default" name="/run/systemd/journal/dev-log" pid=3482 comm="drkonqi" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
Sep 16 14:57:47 laptop audit[3482]: AVC apparmor="DENIED" operation="sendmsg" profile="firejail-default" name="/run/systemd/journal/dev-log" pid=3482 comm="drkonqi" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
Sep 16 14:57:47 laptop kernel: audit: type=1400 audit(1568635067.859:137): apparmor="DENIED" operation="sendmsg" profile="firejail-default" name="/run/systemd/journal/dev-log" pid=3482 comm="drkonqi" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
Sep 16 14:57:47 laptop kernel: audit: type=1400 audit(1568635067.859:138): apparmor="DENIED" operation="sendmsg" profile="firejail-default" name="/run/systemd/journal/dev-log" pid=3482 comm="drkonqi" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
Sep 16 14:57:47 laptop audit[3482]: AVC apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/user/1000/bus" pid=3482 comm="QDBusConnection" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Sep 16 14:57:47 laptop kernel: audit: type=1400 audit(1568635067.863:139): apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/user/1000/bus" pid=3482 comm="QDBusConnection" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Sep 16 14:57:47 laptop audit[3482]: AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=3482 comm="drkonqi" requested_mask="read" denied_mask="read" peer="firejail-default"
Sep 16 14:57:47 laptop audit[3482]: AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=3482 comm="drkonqi" requested_mask="readby" denied_mask="readby" peer="firejail-default"
Sep 16 14:57:47 laptop kernel: audit: type=1400 audit(1568635067.871:140): apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=3482 comm="drkonqi" requested_mask="read" denied_mask="read" peer="firejail-default"
Sep 16 14:57:47 laptop dbus-daemon[1615]: apparmor="DENIED" operation="dbus_method_call"  bus="accessibility" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="Hello" mask="send" name="org.freedesktop.DBus" pid=3482 label="firejail-default" peer_label="unconfined"
```

I'm not sure why you weren't able to replicate the issue. To replicate it in a VM, all I had to do was install Ubuntu, boot with the `security=apparmor` and `apparmor=1` kernel parameters, update the sources and upgrade the system, install firejail and enable the AppArmor profile.

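The journal excerpt above is the thing to read before touching the profile: the kernel logs each denial twice (once as an auditd `AVC` line, once as a `type=1400` copy), and dbus-daemon adds its own mediation line for the bus `Hello` call. As an added example (not code from this thread or from the firejail project), the script below parses all three shapes, skips the `ALLOWED` lines that appear once a profile is switched to complain mode, collapses the duplicate copies of one event into a hit count, and prints a candidate AppArmor rule per denial. The sample journal lines embedded in it are constructed from the excerpt above; the rule text is a reading aid, not advice to patch `firejail-default`, since the thread's resolution was a newer firejail whose profile no longer blocks D-Bus. `profile_mode()` additionally reads the format of `/sys/kernel/security/apparmor/profiles` so the profile can be confirmed to really be in enforce mode before a crash is attributed to it.

```python
"""Triage helper for AppArmor denials from `journalctl -b | grep DENIED`.
Added example; not part of firejail. The sample journal below is constructed."""
import re

# Constructed sample: auditd AVC lines, the kernel's type=1400 copies of the
# same events, one dbus-daemon mediation line, one complain-mode ALLOWED line
# that must be ignored, and one unrelated journal line.
SAMPLE_JOURNAL = """\
Sep 16 14:57:47 laptop audit[3475]: AVC apparmor="DENIED" operation="sendmsg" profile="firejail-default" name="/run/systemd/journal/dev-log" pid=3475 comm="kate" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
Sep 16 14:57:47 laptop kernel: audit: type=1400 audit(1568635067.667:131): apparmor="DENIED" operation="sendmsg" profile="firejail-default" name="/run/systemd/journal/dev-log" pid=3475 comm="kate" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
Sep 16 14:57:47 laptop kernel: audit: type=1400 audit(1568635067.667:132): apparmor="DENIED" operation="sendmsg" profile="firejail-default" name="/run/systemd/journal/dev-log" pid=3475 comm="kate" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
Sep 16 14:57:47 laptop audit[3475]: AVC apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/user/1000/bus" pid=3475 comm="QDBusConnection" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Sep 16 14:57:47 laptop dbus-daemon[1615]: apparmor="DENIED" operation="dbus_method_call"  bus="accessibility" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="Hello" mask="send" name="org.freedesktop.DBus" pid=3475 label="firejail-default" peer_label="unconfined"
Sep 16 14:57:47 laptop audit[3482]: AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=3482 comm="drkonqi" requested_mask="read" denied_mask="read" peer="firejail-default"
Sep 16 14:57:47 laptop kernel: audit: type=1400 audit(1568635067.871:140): apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=3482 comm="drkonqi" requested_mask="read" denied_mask="read" peer="firejail-default"
Sep 16 14:58:03 laptop audit[3501]: AVC apparmor="ALLOWED" operation="connect" profile="firejail-default" name="/run/user/1000/bus" pid=3501 comm="QDBusConnection" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Sep 16 14:58:03 laptop systemd[1]: Started Session 3 of user user.
"""

# key="quoted value" or key=bare_token, as AppArmor and dbus-daemon emit them.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Fields of one AppArmor audit line as a dict, or None for other lines."""
    if 'apparmor="' not in line:
        return None
    ev = {k: (bare or quoted) for k, quoted, bare in FIELD_RE.findall(line)}
    # dbus-daemon mediates bus traffic itself; everything else is the kernel LSM
    # (seen either via auditd's AVC line or the kernel's own type=1400 copy).
    ev['_source'] = 'dbus-daemon' if ' dbus-daemon[' in line else 'kernel'
    return ev


def suggest_rule(ev):
    """Candidate rule that would permit this event. A reading aid only."""
    op = ev.get('operation')
    if op == 'dbus_method_call':
        return ('dbus (%s) bus=%s path=%s interface=%s member=%s peer=(name=%s),'
                % (ev['mask'], ev['bus'], ev['path'], ev['interface'],
                   ev['member'], ev['name']))
    if op == 'ptrace':
        return 'ptrace (%s) peer=%s,' % (ev['requested_mask'], ev['peer'])
    if 'name' in ev and 'requested_mask' in ev:
        # File denials, and unix-socket sendmsg/connect on a socket path, are
        # both expressed as an ordinary path rule with the requested mask.
        return '%s %s,' % (ev['name'], ev['requested_mask'])
    return None


def summarize(journal_text):
    """Distinct DENIED events with hit counts, auditd/kernel duplicates merged."""
    seen = {}
    for line in journal_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev.get('apparmor') != 'DENIED':
            continue  # unrelated lines, or complain-mode ALLOWED lines
        key = (ev.get('comm') or 'pid %s' % ev.get('pid', '?'),
               ev.get('operation'),
               ev.get('name') or ev.get('peer'),
               ev.get('requested_mask') or ev.get('mask'))
        entry = seen.get(key)
        if entry is None:
            entry = seen[key] = {'comm': key[0], 'operation': key[1],
                                 'target': key[2], 'mask': key[3],
                                 'source': ev['_source'], 'hits': 0,
                                 'rule': suggest_rule(ev)}
        entry['hits'] += 1
    return sorted(seen.values(),
                  key=lambda e: (e['operation'], e['target'], e['comm']))


def profile_mode(profile, profiles_text):
    """Mode ('enforce', 'complain', ...) of `profile` in the contents of
    /sys/kernel/security/apparmor/profiles (lines of 'name (mode)', readable
    by root), or None if the profile is not loaded at all."""
    for line in profiles_text.splitlines():
        m = re.match(r'(.+?) \((\w+)\)$', line.strip())
        if m and m.group(1) == profile:
            return m.group(2)
    return None


if __name__ == '__main__':
    for d in summarize(SAMPLE_JOURNAL):
        print('%-16s %-17s %-32s x%d  [%s]  %s' % (
            d['comm'], d['operation'], d['target'], d['hits'], d['source'], d['rule']))
```

Feed it real data with `journalctl -b -o short | grep 'apparmor="' | python3 triage.py`-style plumbing (the constructed sample is only there so it runs offline). A profile that reports `complain` from `profile_mode()` will produce `ALLOWED` lines, not denials, which is exactly the behaviour the reporter saw when the application started working.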

@Vincent43 commented on GitHub (Sep 17, 2019):

Did you try the latest version from the PPA? The firejail AppArmor profile hasn't blocked dbus access for some time.

@Netanel-M commented on GitHub (Sep 18, 2019):

Hi, thank you very much for the suggestion. Installing firejail from the PPA indeed solved the problem, so I'm closing the issue. Thank you again for the support.

Reference: github-starred/firejail#1854