github-starred/firejail

Fork 0

mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00

[GH-ISSUE #2983] SSH creates core dumps while using seccomp #1865

New issue

Closed

opened 2026-05-05 08:32:04 -06:00 by gitea-mirror · 3 comments

gitea-mirror commented

2026-05-05 08:32:04 -06:00

Owner

Originally created by @Panzerfather on GitHub (Sep 30, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2983

When running ssh (authenticated as a domain user) it creates coredumps. Virsh and other programs using ssh are also affected and create core dumps while seccomp is enabled like this one:

systemd-coredump[4643]: Process 4641 (ssh) of user 853401112 dumped core.

                       Stack trace of thread 3:
                       #0  0x00007f22d44bf1fd syscall (libc.so.6)
                       #1  0x00007f22d41ea575 keyctl (libkeyutils.so.1)
                       #2  0x00007f22d4263094 n/a (libkrb5.so.3)
                       #3  0x00007f22d4264dae n/a (libkrb5.so.3)
                       #4  0x00007f22d4259788 krb5_cccol_cursor_next (libkrb5.so.3)
                       #5  0x00007f22d4259c88 krb5_cccol_have_content (libkrb5.so.3)
                       #6  0x00007f22d45b33b9 n/a (libgssapi_krb5.so.2)
                       #7  0x00007f22d45b3727 n/a (libgssapi_krb5.so.2)
                       #8  0x00007f22d45b3870 n/a (libgssapi_krb5.so.2)
                       #9  0x00007f22d45b6b37 n/a (libgssapi_krb5.so.2)
                       #10 0x00007f22d45bcb65 n/a (libgssapi_krb5.so.2)
                       #11 0x00007f22d45bccf6 n/a (libgssapi_krb5.so.2)
                       #12 0x00007f22d45a61ac gss_init_sec_context (libgssapi_krb5.so.2)
                       #13 0x0000564bebee294e n/a (ssh)
                       #14 0x0000564bebee2c5a n/a (ssh)
                       #15 0x0000564bebeaf053 n/a (ssh)
                       #16 0x0000564bebeb2745 n/a (ssh)
                       #17 0x0000564bebeb2d94 n/a (ssh)
                       #18 0x0000564bebedae2a n/a (ssh)
                       #19 0x0000564bebedaecd n/a (ssh)
                       #20 0x0000564bebeb2057 n/a (ssh)
                       #21 0x0000564bebeadb47 n/a (ssh)
                       #22 0x0000564bebe9e0a4 n/a (ssh)
                       #23 0x00007f22d43ebf43 __libc_start_main (libc.so.6)
                       #24 0x0000564bebe9fcee n/a (ssh)

All other programs which had seccomp enabled but doesn't use ssh at all had no problem.
To make a more detailed analysis worse, some USER/IP combinations work for ssh with seccomp enabled, while others always create a core dump. It doesn't depend if the remote host is inside or outside the local network, it doesn't depend which user is given. Either the combination work or it don't.

Originally created by @Panzerfather on GitHub (Sep 30, 2019). Original GitHub issue: https://github.com/netblue30/firejail/issues/2983 When running ssh (authenticated as a domain user) it creates coredumps. Virsh and other programs using ssh are also affected and create core dumps while seccomp is enabled like this one: > systemd-coredump[4643]: Process 4641 (ssh) of user 853401112 dumped core. > > Stack trace of thread 3: > #0 0x00007f22d44bf1fd syscall (libc.so.6) > #1 0x00007f22d41ea575 keyctl (libkeyutils.so.1) > #2 0x00007f22d4263094 n/a (libkrb5.so.3) > #3 0x00007f22d4264dae n/a (libkrb5.so.3) > #4 0x00007f22d4259788 krb5_cccol_cursor_next (libkrb5.so.3) > #5 0x00007f22d4259c88 krb5_cccol_have_content (libkrb5.so.3) > #6 0x00007f22d45b33b9 n/a (libgssapi_krb5.so.2) > #7 0x00007f22d45b3727 n/a (libgssapi_krb5.so.2) > #8 0x00007f22d45b3870 n/a (libgssapi_krb5.so.2) > #9 0x00007f22d45b6b37 n/a (libgssapi_krb5.so.2) > #10 0x00007f22d45bcb65 n/a (libgssapi_krb5.so.2) > #11 0x00007f22d45bccf6 n/a (libgssapi_krb5.so.2) > #12 0x00007f22d45a61ac gss_init_sec_context (libgssapi_krb5.so.2) > #13 0x0000564bebee294e n/a (ssh) > #14 0x0000564bebee2c5a n/a (ssh) > #15 0x0000564bebeaf053 n/a (ssh) > #16 0x0000564bebeb2745 n/a (ssh) > #17 0x0000564bebeb2d94 n/a (ssh) > #18 0x0000564bebedae2a n/a (ssh) > #19 0x0000564bebedaecd n/a (ssh) > #20 0x0000564bebeb2057 n/a (ssh) > #21 0x0000564bebeadb47 n/a (ssh) > #22 0x0000564bebe9e0a4 n/a (ssh) > #23 0x00007f22d43ebf43 __libc_start_main (libc.so.6) > #24 0x0000564bebe9fcee n/a (ssh) All other programs which had seccomp enabled but doesn't use ssh at all had no problem. To make a more detailed analysis worse, some USER/IP combinations work for ssh with seccomp enabled, while others always create a core dump. It doesn't depend if the remote host is inside or outside the local network, it doesn't depend which user is given. Either the combination work or it don't.

gitea-mirror closed this issue

2026-05-05 08:32:06 -06:00

gitea-mirror commented

2026-05-05 08:32:07 -06:00

Author

Owner

@rusty-snake commented on GitHub (Sep 30, 2019):

Can you try to figure out which syscall is blocked.

Use https://github.com/netblue30/firejail/issues/2936#issuecomment-526850967 or
ee5ab63cfb/etc/templates/syscalls.txt (L90-L107)

Maybe it is keyctl (see backtrace). Try: firejail --seccomp="\!keyctl" ssh ….

@rusty-snake commented on GitHub (Sep 30, 2019): Can you try to figure out which syscall is blocked. Use https://github.com/netblue30/firejail/issues/2936#issuecomment-526850967 or https://github.com/netblue30/firejail/blob/ee5ab63cfb1b4e38db4bc83bd51678fa0f25284c/etc/templates/syscalls.txt#L90-L107 *** Maybe it is `keyctl` (see backtrace). Try: `firejail --seccomp="\!keyctl" ssh …`.

gitea-mirror commented

2026-05-05 08:32:07 -06:00

Author

Owner

@rusty-snake commented on GitHub (Sep 30, 2019):

Found this: #1299

Or maybe more:
firejail --seccomp="!add_key,!keyctl,!request_key " ssh …

3b32edbe2f/etc/templates/syscalls.txt (L42)

For firejail before 0.9.61:

firejail --ignore=seccomp --seccomp.drop="@clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice" ssh …

@rusty-snake commented on GitHub (Sep 30, 2019): Found this: #1299 *** Or maybe more: `firejail --seccomp="!add_key,!keyctl,!request_key " ssh …` https://github.com/netblue30/firejail/blob/3b32edbe2f282c4d4e5a56960085b725a8931b3c/etc/templates/syscalls.txt#L42 For firejail before 0.9.61: ``` firejail --ignore=seccomp --seccomp.drop="@clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice" ssh … ```

gitea-mirror commented

2026-05-05 08:32:07 -06:00

Author

Owner

@rusty-snake commented on GitHub (Nov 10, 2019):

@Panzerfather
I'm closing here due to inactivity, please fell free to request reopen if you still have this issue.

@rusty-snake commented on GitHub (Nov 10, 2019): @Panzerfather I'm closing here due to inactivity, please fell free to request reopen if you still have this issue.

gitea-mirror referenced this issue

2026-05-05 10:13:46 -06:00

[PR #1865] [CLOSED] Potential fixes for Firefox 60 #4100

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#1865

No description provided.

Rows
Columns