github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #3078] Firejail and the reboot command #1930

New issue
Closed
opened 2026-05-05 08:35:50 -06:00 by gitea-mirror · 31 comments
gitea-mirror commented 2026-05-05 08:35:50 -06:00
Owner
Copy link

Originally created by @ShellCode33 on GitHub (Dec 12, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3078

Hey ! Thanks to you all for that amazing tool, became a huge fan immediately.
I'm trying to use firejail to retrieve execution traces of all the binaries available in my /usr/bin folder, my script works really well, multiprocessed and all, but this morning I checked out my computer and it had been shutdown...

So I tried the following :

firejail --x11=xvfb --allow-debuggers --overlay-tmpfs strace -qq -ff -xx -s 1000 /usr/bin/reboot

(This is the command I use to exec all my /usr/bin binaries... If you have some advice to give me about some parameters I could add/change/remove, please tell me)

And boom my computer reboots... Which was kind of expected. But now my question is how can I prevent that ? Is there a specific syscall I could block using seccomp to prevent that from happening ? Or maybe a magical parameter ?

Hope to hear from you soon :)

Linux laptop 4.19.81-1-MANJARO #1 SMP PREEMPT Tue Oct 29 12:49:04 UTC 2019 x86_64 GNU/Linux

firejail version 0.9.60

Compile time support:
	- AppArmor support is enabled
	- AppImage support is enabled
	- chroot support is enabled
	- file and directory whitelisting support is enabled
	- file transfer support is enabled
	- networking support is enabled
	- overlayfs support is enabled
	- private-home support is enabled
	- seccomp-bpf support is enabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled

strace -- version 5.3
Copyright (c) 1991-2019 The strace developers <https://strace.io>.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Optional features enabled: stack-trace=libunwind stack-demangle m32-mpers mx32-mpers
Originally created by @ShellCode33 on GitHub (Dec 12, 2019). Original GitHub issue: https://github.com/netblue30/firejail/issues/3078 Hey ! Thanks to you all for that amazing tool, became a huge fan immediately. I'm trying to use firejail to retrieve execution traces of all the binaries available in my `/usr/bin` folder, my script works really well, multiprocessed and all, but this morning I checked out my computer and it had been shutdown... So I tried the following : ``` firejail --x11=xvfb --allow-debuggers --overlay-tmpfs strace -qq -ff -xx -s 1000 /usr/bin/reboot ``` (This is the command I use to exec all my /usr/bin binaries... If you have some advice to give me about some parameters I could add/change/remove, please tell me) And boom my computer reboots... Which was kind of expected. But now my question is how can I prevent that ? Is there a specific syscall I could block using seccomp to prevent that from happening ? Or maybe a magical parameter ? Hope to hear from you soon :) ``` Linux laptop 4.19.81-1-MANJARO #1 SMP PREEMPT Tue Oct 29 12:49:04 UTC 2019 x86_64 GNU/Linux ``` ``` firejail version 0.9.60 Compile time support: - AppArmor support is enabled - AppImage support is enabled - chroot support is enabled - file and directory whitelisting support is enabled - file transfer support is enabled - networking support is enabled - overlayfs support is enabled - private-home support is enabled - seccomp-bpf support is enabled - user namespace support is enabled - X11 sandboxing support is enabled ``` ``` strace -- version 5.3 Copyright (c) 1991-2019 The strace developers <https://strace.io>. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Optional features enabled: stack-trace=libunwind stack-demangle m32-mpers mx32-mpers ```
gitea-mirror 2026-05-05 08:35:50 -06:00
gitea-mirror commented 2026-05-05 08:35:52 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Dec 12, 2019):

What happend if you add --seccomp or at least --seccomp.drop=@reboot?
1a1543f356/etc/templates/syscalls.txt (L51)

Maybe this doesn't work with systemd?

<!-- gh-comment-id:565013427 --> @rusty-snake commented on GitHub (Dec 12, 2019): What happend if you add `--seccomp` or at least `--seccomp.drop=@reboot`? https://github.com/netblue30/firejail/blob/1a1543f356440383d017a3f9ac975bcbc6e6459d/etc/templates/syscalls.txt#L51 Maybe this doesn't work with systemd?
gitea-mirror commented 2026-05-05 08:35:53 -06:00
Author
Owner
Copy link

@ShellCode33 commented on GitHub (Dec 12, 2019):

None of the two worked :(

I don't know if it's relevant at all but on my computer /usr/bin/reboot is a symlink to /usr/bin/systemctl. I might be wrong but I think systemctl communicates (through sockets/dbus stuff like that) with systemd therefore the seccomp filters are not applied and systemd is still able to reboot the system. As a workaround I will simply blacklist reboot, halt, poweroff and systemctl for now, but it would be great to find something better !

Also, I've read in firejail's manpage the following :

--allow-debuggers
    Allow tools such as strace and gdb inside the sandbox by whitelisting system calls ptrace and process_vm_readv. This option is only available when running on Linux kernels 4.8 or newer - a kernel bug in ptrace system call allows a full bypass of the seccomp filter.

ptrace system call allows a full bypass of the seccomp filter

I am using that option for strace, could it be that --seccomp doesn't prevent reboot because of that issue ?

Side question, I was reading about http://man7.org/linux/man-pages/man7/pid_namespaces.7.html does firejail implements such mecanism ? It sounds really great in order to provide more isolation between processes, it would probably prevent the whole system from rebooting ?

From man 2 reboot :

Behavior inside PID namespaces
       Since Linux 3.4, if reboot() is called from a PID namespace other
       than the initial PID namespace with one of the cmd values listed
       below, it performs a "reboot" of that namespace: the "init" process
       of the PID namespace is immediately terminated, with the effects
       described in pid_namespaces(7).
<!-- gh-comment-id:565048357 --> @ShellCode33 commented on GitHub (Dec 12, 2019): None of the two worked :( I don't know if it's relevant at all but on my computer `/usr/bin/reboot` is a symlink to `/usr/bin/systemctl`. I might be wrong but I think systemctl communicates (through sockets/dbus stuff like that) with systemd therefore the seccomp filters are not applied and systemd is still able to reboot the system. As a workaround I will simply blacklist `reboot`, `halt`, `poweroff` and `systemctl` for now, but it would be great to find something better ! Also, I've read in firejail's manpage the following : ``` --allow-debuggers Allow tools such as strace and gdb inside the sandbox by whitelisting system calls ptrace and process_vm_readv. This option is only available when running on Linux kernels 4.8 or newer - a kernel bug in ptrace system call allows a full bypass of the seccomp filter. ``` > **ptrace system call allows a full bypass of the seccomp filter** I am using that option for strace, could it be that `--seccomp` doesn't prevent reboot because of that issue ? Side question, I was reading about http://man7.org/linux/man-pages/man7/pid_namespaces.7.html does firejail implements such mecanism ? It sounds really great in order to provide more isolation between processes, it would probably prevent the whole system from rebooting ? From `man 2 reboot` : ``` Behavior inside PID namespaces Since Linux 3.4, if reboot() is called from a PID namespace other than the initial PID namespace with one of the cmd values listed below, it performs a "reboot" of that namespace: the "init" process of the PID namespace is immediately terminated, with the effects described in pid_namespaces(7). ```
gitea-mirror commented 2026-05-05 08:35:53 -06:00
Author
Owner
Copy link

@topimiettinen commented on GitHub (Dec 12, 2019):

DBus can be blocked with --nodbus.

<!-- gh-comment-id:565228666 --> @topimiettinen commented on GitHub (Dec 12, 2019): DBus can be blocked with `--nodbus`.
gitea-mirror commented 2026-05-05 08:35:54 -06:00
Author
Owner
Copy link

@ShellCode33 commented on GitHub (Dec 12, 2019):

Thank you very much ! It was indeed that simple...

<!-- gh-comment-id:565234926 --> @ShellCode33 commented on GitHub (Dec 12, 2019): Thank you very much ! It was indeed that simple...
gitea-mirror commented 2026-05-05 08:35:56 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Dec 13, 2019):

--allow-debuggers
Allow tools such as strace and gdb inside the sandbox by whitelisting system calls ptrace and process_vm_readv. This option is only available when running on Linux kernels 4.8 or newer - a kernel bug in ptrace system call allows a full bypass of the seccomp filter.

ptrace system call allows a full bypass of the seccomp filter

I am using that option for strace, could it be that --seccomp doesn't prevent reboot because of that issue?

No, because the bug is before the 4.8 Verison of the kernel. Therefore there is no allow-debuggers option.

However, nodbus is the solution.

<!-- gh-comment-id:565442291 --> @rusty-snake commented on GitHub (Dec 13, 2019): > > **--allow-debuggers** > Allow tools such as strace and gdb inside the sandbox by whitelisting system calls ptrace and process_vm_readv. _This option is only available when running on Linux kernels 4.8 or newer - a kernel bug in ptrace system call allows a full bypass of the seccomp filter._ > > > **ptrace system call allows a full bypass of the seccomp filter** > > I am using that option for strace, could it be that `--seccomp` doesn't prevent reboot because of that issue? No, because the bug is before the 4.8 Verison of the kernel. Therefore there is no `allow-debuggers` option. However, `nodbus` is the solution.
gitea-mirror commented 2026-05-05 08:35:57 -06:00
Author
Owner
Copy link

@jonleivent commented on GitHub (Jan 24, 2020):

I have run into a similar issue and nodbus does not work for me. Specifically, from what I believed to be an extremely restrictive firejail profile (below), I can still issue systemctl commands (the host is running systemd). This is in Debian 10 Buster with its standard firejail version 0.9.58.2. The profile in question is:

private /home/jil/jailedhomes/common-wm
caps.drop all
netfilter
nodvd
no3d
nogroups
nonewprivs
noroot
notv
seccomp
nodbus
nou2f
novideo
protocol unix
net none
x11 xephyr
private-dev
private-cache
read-only /
read-only /media
read-only /mnt
private-tmp
name common-wm
hostname prison

The profile has nodbus, caps.drop all and seccomp. But I can still issue various systemctl commands (including suspend, shutdown, reboot) from within the firejailed xephyr session with this profile. They emit warnings, but still cause the host to obey to various degrees. For instance, systemctl reboot causes a shutdown with no reboot. That probably indicates a very partial interference by the above profile with systemd's systemctl, but certainly not enough.

One question is whether this is because 0.9.58.2, even though current in Buster, is out of date. If so I will try to upgrade first. If not, what is the fix?

Also, if the issue is fixed after 0.9.58.2, should this be considered a major security bug, considering how restrictive the above profile is supposed to be, and how widely used Buster (Debian stable) is? In that case, even if the problem is due to the version being 0.9.58.2, should a newer version with a fix be pushed to Buster?

<!-- gh-comment-id:578343028 --> @jonleivent commented on GitHub (Jan 24, 2020): I have run into a similar issue and nodbus does not work for me. Specifically, from what I believed to be an extremely restrictive firejail profile (below), I can still issue systemctl commands (the host is running systemd). This is in Debian 10 Buster with its standard firejail version 0.9.58.2. The profile in question is: ``` private /home/jil/jailedhomes/common-wm caps.drop all netfilter nodvd no3d nogroups nonewprivs noroot notv seccomp nodbus nou2f novideo protocol unix net none x11 xephyr private-dev private-cache read-only / read-only /media read-only /mnt private-tmp name common-wm hostname prison ``` The profile has nodbus, caps.drop all and seccomp. But I can still issue various systemctl commands (including suspend, shutdown, reboot) from within the firejailed xephyr session with this profile. They emit warnings, but still cause the host to obey to various degrees. For instance, systemctl reboot causes a shutdown with no reboot. That probably indicates a very partial interference by the above profile with systemd's systemctl, but certainly not enough. One question is whether this is because 0.9.58.2, even though current in Buster, is out of date. If so I will try to upgrade first. If not, what is the fix? Also, if the issue is fixed after 0.9.58.2, should this be considered a major security bug, considering how restrictive the above profile is supposed to be, and how widely used Buster (Debian stable) is? In that case, even if the problem is due to the version being 0.9.58.2, should a newer version with a fix be pushed to Buster?
gitea-mirror commented 2026-05-05 08:35:57 -06:00
Author
Owner
Copy link

@jonleivent commented on GitHub (Jan 25, 2020):

blacklist /run/systemd seems to prevent all systemctl calls. I suggest adding that to disable-common.inc

<!-- gh-comment-id:578367961 --> @jonleivent commented on GitHub (Jan 25, 2020): `blacklist /run/systemd` seems to prevent all systemctl calls. I suggest adding that to disable-common.inc
gitea-mirror commented 2026-05-05 08:35:58 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Jan 25, 2020):

Also, if the issue is fixed after 0.9.58.2, should this be considered a major security bug, considering how restrictive the above profile is supposed to be, and how widely used Buster (Debian stable) is? In that case, even if the problem is due to the version being 0.9.58.2, should a newer version with a fix be pushed to Buster?

IMHO this is not a security bug. Although the profile you showed above is indeed more restrictive, that doesn't mean it is restricting usage of systemctl.

blacklist /run/systemd seems to prevent all systemctl calls. I suggest adding that to disable-common.inc

Apparently that breaks on Arch when systemd-resolved is used. See the comments in disable-common.inc on line 151-152. We could add another comment clarifying this behaviour, and advise users who DON'T use systemd-resolved to add it to their disable-common.local.

<!-- gh-comment-id:578370456 --> @ghost commented on GitHub (Jan 25, 2020): > Also, if the issue is fixed after 0.9.58.2, should this be considered a major security bug, considering how restrictive the above profile is supposed to be, and how widely used Buster (Debian stable) is? In that case, even if the problem is due to the version being 0.9.58.2, should a newer version with a fix be pushed to Buster? IMHO this is **not** a security bug. Although the profile you showed above is indeed more restrictive, that doesn't mean it is restricting usage of systemctl. > `blacklist /run/systemd` seems to prevent all systemctl calls. I suggest adding that to disable-common.inc Apparently that breaks on Arch when systemd-resolved is used. See the comments in [disable-common.inc](https://github.com/netblue30/firejail/blob/master/etc/disable-common.inc) on line 151-152. We could add another comment clarifying this behaviour, and advise users who DON'T use systemd-resolved to add it to their `disable-common.local`.
gitea-mirror commented 2026-05-05 08:35:59 -06:00
Author
Owner
Copy link

@jonleivent commented on GitHub (Jan 25, 2020):

Is there a difference between blacklisting /var/run/systemd and /run/systemd?
It would be nice to have a portable way to disable powerful systemd calls in all cases, though. I'm using suspend/shutdown/reboot to illustrate the hole, but I'm not at all confident those are the only cases that could cause security problems. Could malicious software use a systemd call from within a jail to schedule arbitrary code for later execution outside the jail, for instance?

<!-- gh-comment-id:578373060 --> @jonleivent commented on GitHub (Jan 25, 2020): Is there a difference between blacklisting /var/run/systemd and /run/systemd? It would be nice to have a portable way to disable powerful systemd calls in all cases, though. I'm using suspend/shutdown/reboot to illustrate the hole, but I'm not at all confident those are the only cases that could cause security problems. Could malicious software use a systemd call from within a jail to schedule arbitrary code for later execution outside the jail, for instance?
gitea-mirror commented 2026-05-05 08:36:00 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Jan 25, 2020):

@jonleivent

Is there a difference between blacklisting /var/run/systemd and /run/systemd?

No, /var/run is symlinked to /run. Is that not the case on Debian 10 Buster?

It would be nice to have a portable way to disable powerful systemd calls in all cases, though.

If you know upfront which commands/files you need inside the sandbox, you can use private-bin and/or create a whitelist profile. If you don't, you can always block systemd by adding:

blacklist ${PATH}/*ctl
blacklist ${PATH}/kernel-install
blacklist ${PATH}/systemd-*
blacklist ${PATH}/udevadm
blacklist /etc/systemd
blacklist /usr/lib/systemd
blacklist /usr/share/systemd
blacklist /var/lib/systemd
blacklist /var/run/systemd

I left out the systemd directories under ${HOME} because you use private /home/jil/jailedhomes/common-wm in your profile, so those would already be non-existing (unless you recreated them
in /home/jil/jailedhomes/common-wm).

I'm using suspend/shutdown/reboot to illustrate the hole, but I'm not at all confident those are the only cases that could cause security problems.

If by the hole you mean you can run any command that is not explicitly blacklisted inside a sandbox, sure, there's always potential risk. To minimize such potential risks firejail uses security profiles per application. Do you use your common-wm profile like a 'prison' to run all kinds of applications in?

<!-- gh-comment-id:578382566 --> @ghost commented on GitHub (Jan 25, 2020): @jonleivent > Is there a difference between blacklisting /var/run/systemd and /run/systemd? No, /var/run is symlinked to /run. Is that not the case on Debian 10 Buster? > It would be nice to have a portable way to disable powerful systemd calls in all cases, though. If you know upfront which commands/files you need inside the sandbox, you can use `private-bin` and/or create a _whitelist_ profile. If you don't, you can always block systemd by adding: ``` blacklist ${PATH}/*ctl blacklist ${PATH}/kernel-install blacklist ${PATH}/systemd-* blacklist ${PATH}/udevadm blacklist /etc/systemd blacklist /usr/lib/systemd blacklist /usr/share/systemd blacklist /var/lib/systemd blacklist /var/run/systemd ``` I left out the systemd directories under ${HOME} because you use private /home/jil/jailedhomes/common-wm in your profile, so those would already be non-existing (unless you recreated them in /home/jil/jailedhomes/common-wm). > I'm using suspend/shutdown/reboot to illustrate the hole, but I'm not at all confident those are the only cases that could cause security problems. If by `the hole` you mean you can run any command that is not explicitly blacklisted inside a sandbox, sure, there's always potential risk. To minimize such potential risks firejail uses security profiles per application. Do you use your common-wm profile like a 'prison' to run all kinds of applications in?
gitea-mirror commented 2026-05-05 08:36:00 -06:00
Author
Owner
Copy link

@jonleivent commented on GitHub (Jan 25, 2020):

It doesn't look like /run/systemd and /var/run/systemd are symlinked, but they are identical on Debian. Perhaps they are just two mountpoints for the same virtual fs.

That common-wm profile is my first attempt at running a small WM (note xephyr in the profile) session entirely within a very restrictive firejail that will run several apps together. I am much more familiar with customizing firejail profiles for particular apps, but need this one general case where many apps run together and can't get out (or observe the outside) using the X11 socket or anything else - something which I had previously been using a virtual machine to accomplish. That's the reason for calling it a "prison" - high walls, no way out, multiple occupants.

I admit a bit of surprise and panic because I thought it wouldn't need more restrictions than I initially gave this profile to prevent systemctl shutdown/suspend/reboot. And worried further when I read this issue had previously been resolved by nodbus. Obviously, systemctl is managing to get a signal out of this firejail somehow. What stops some other app which I may use in this particular jail from using the same hole to signal out, even if every systemd app is blacklisted?

I will be adding either private-bin or a whitelist profile. I know there's a way to prevent any particular app from executing. The issue is those things which I do need to execute within the "prison" and whether any could get a signal out using the same technique as systemctl.

<!-- gh-comment-id:578384364 --> @jonleivent commented on GitHub (Jan 25, 2020): It doesn't look like /run/systemd and /var/run/systemd are symlinked, but they are identical on Debian. Perhaps they are just two mountpoints for the same virtual fs. That common-wm profile is my first attempt at running a small WM (note xephyr in the profile) session entirely within a very restrictive firejail that will run several apps together. I am much more familiar with customizing firejail profiles for particular apps, but need this one general case where many apps run together and can't get out (or observe the outside) using the X11 socket or anything else - something which I had previously been using a virtual machine to accomplish. That's the reason for calling it a "prison" - high walls, no way out, multiple occupants. I admit a bit of surprise and panic because I thought it wouldn't need more restrictions than I initially gave this profile to prevent systemctl shutdown/suspend/reboot. And worried further when I read this issue had previously been resolved by nodbus. Obviously, systemctl is managing to get a signal out of this firejail somehow. What stops some other app which I may use in this particular jail from using the same hole to signal out, even if every systemd app is blacklisted? I will be adding either private-bin or a whitelist profile. I know there's a way to prevent any particular app from executing. The issue is those things which I do need to execute within the "prison" and whether any could get a signal out using the same technique as systemctl.
gitea-mirror commented 2026-05-05 08:36:01 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jan 25, 2020):

One question is whether this is because 0.9.58.2

@jonleivent yes, firejail 0.9.60 relnotes:
8b930734d2/RELNOTES (L42)
0.9.60/0.9.62 should be in the backports:
sudo apt -t buster-backports install firejail firejail-profiles

<!-- gh-comment-id:578387800 --> @rusty-snake commented on GitHub (Jan 25, 2020): > One question is whether this is because 0.9.58.2 @jonleivent yes, firejail 0.9.60 relnotes: https://github.com/netblue30/firejail/blob/8b930734d27d864193825e968d981444e9a18337/RELNOTES#L42 0.9.60/0.9.62 should be in the backports: `sudo apt -t buster-backports install firejail firejail-profiles`
gitea-mirror commented 2026-05-05 08:36:01 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jan 25, 2020):

what I believed to be an extremely restrictive firejail profile

restrictive against a lot of things, but not against the filesystem.

<!-- gh-comment-id:578387940 --> @rusty-snake commented on GitHub (Jan 25, 2020): > what I believed to be an extremely restrictive firejail profile restrictive against a lot of things, but not against the filesystem.
gitea-mirror commented 2026-05-05 08:36:02 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Jan 25, 2020):

@jonleivent Thanks for further clarifying what you want to achieve. I'd recommend opening a new issue, as this one has been closed and not many users actively follow those. You can always refer to this thread for problem clarification/potential attack vectors etc., but I think you will get more feedback doing so.

You're probably already familiar with a few basic tips, but let me repeat them here nonetheless. There's an (older) X11 Guide that might be of interest. Besides that, both /etc/firejail/default.profile and /etc/firejail/Xephyr.profile offer good starting points for building/hardening your WM profile. There are also a few xephyr-specific configuration options in /etc/firejail/firejail.config. One thing to keep in mind is that in a jail like this, all started applications will inherit the options of the original WM profile. So you will need to arrange access to config files, settings etcetera as you see fit.

Obviously, systemctl is managing to get a signal out of this firejail somehow.

Personally I tend to disagree. The fact that one can shutdown/suspend/reboot a machine from within a custom sandbox is not the same as a security hole. If you don't want applications to perform such actions, you will need to explicitly prohibit them to do so. If you did prohibit them and it still is possible to esacpe the sandbox and shutdown/suspend/reboot/... that would be a different story.

Please don't read my remarks as dismissive of your basic idea itself. It's more a matter of design and security is a matter of degree(s) IMHO. There are much more experienced and knowledgeable collaborators here that will be happy to share info on this - crucial - aspect of your setup. Again, by opening a new issue and being as clear as you can (including code examples) I do believe you will get more valuable information on a topic like yours.

HTH

<!-- gh-comment-id:578388525 --> @ghost commented on GitHub (Jan 25, 2020): @jonleivent Thanks for further clarifying what you want to achieve. I'd recommend opening a new issue, as this one has been closed and not many users actively follow those. You can always refer to this thread for problem clarification/potential attack vectors etc., but I think you will get more feedback doing so. You're probably already familiar with a few basic tips, but let me repeat them here nonetheless. There's an (older) [X11 Guide](https://firejail.wordpress.com/documentation-2/x11-guide/) that might be of interest. Besides that, both `/etc/firejail/default.profile` and `/etc/firejail/Xephyr.profile` offer good starting points for building/hardening your WM profile. There are also a few xephyr-specific configuration options in `/etc/firejail/firejail.config`. One thing to keep in mind is that in a jail like this, all started applications will inherit the options of the original WM profile. So you will need to arrange access to config files, settings etcetera as you see fit. > Obviously, systemctl is managing to get a signal out of this firejail somehow. Personally I tend to disagree. The fact that one can shutdown/suspend/reboot a machine from within a custom sandbox is not the same as a security hole. If you don't want applications to perform such actions, you will need to explicitly prohibit them to do so. If you did prohibit them and it still is possible to esacpe the sandbox and shutdown/suspend/reboot/... that would be a different story. Please don't read my remarks as dismissive of your basic idea itself. It's more a matter of design and security is a matter of degree(s) IMHO. There are much more experienced and knowledgeable collaborators here that will be happy to share info on this - crucial - aspect of your setup. Again, by opening a new issue and being as clear as you can (including code examples) I do believe you will get more valuable information on a topic like yours. HTH
gitea-mirror commented 2026-05-05 08:36:02 -06:00
Author
Owner
Copy link

@topimiettinen commented on GitHub (Jan 25, 2020):

systemctl reboot talks to DBus via /run/dbus/system_bus_socket, not something under /run/systemd. If in your system /var/run does not point to /run (as it should), Firejail probably isn't blocking the other path to the DBus socket.

<!-- gh-comment-id:578389451 --> @topimiettinen commented on GitHub (Jan 25, 2020): `systemctl reboot` talks to DBus via `/run/dbus/system_bus_socket`, not something under `/run/systemd`. If in your system `/var/run` does not point to `/run` (as it should), Firejail probably isn't blocking the other path to the DBus socket.
gitea-mirror commented 2026-05-05 08:36:02 -06:00
Author
Owner
Copy link

@jonleivent commented on GitHub (Jan 25, 2020):

I was mistaken about Debian - it does symlink /var/run -> /run. Sorry for the confusion about that.

@rusty-snake
I will try 0.9.62-2, which is in Debian backports, to see if I can use systemctl there even with nodbus set - but need to prepare for that upgrade as I have many existing firejails working in 0.9.58-2, so that will take some time.

I noticed that:

firejail --blacklist=/run/dbus --noprofile systemctl suspend

prevents the suspend even though --nodbus instead of blacklisting /run/dbus did not. I would have thought the two were equivalent before. It is too bad I can't blacklist all of /run (xephyr fails to connect to any clients when I try that), or create a private /run - that would be a better option.

@glitsj16
I know that all apps running in the same jail inherit the original profile - and that is precisely my intention here. Thanks for the pointers - yes I am familiar with them. I did alter /etc/firejail/firejail.config with respect to xephyr, but mostly to give xephyr some other command-line options, like '-s 0' to prevent screenblanking. It would be nice if there was a way to pass xephyr command line options through the firejail command line or user profile somehow instead of editing /etc/firejail/firejail.config.

Unfortunately, AFAICT the firejail documentation is not comprehensive. I posted elsewhere that the documentation does not explain how or even whether certain combinations of options work. Another is in what cases command line options override profile options. There are a few others that one must use trial-and-error to determine - but since they are not documented, one wonders about their stability across releases. Which is a reason it will take me a bit of time to upgrade to 0.9.62-2.

<!-- gh-comment-id:578427163 --> @jonleivent commented on GitHub (Jan 25, 2020): I was mistaken about Debian - it does symlink /var/run -> /run. Sorry for the confusion about that. @rusty-snake I will try 0.9.62-2, which is in Debian backports, to see if I can use systemctl there even with nodbus set - but need to prepare for that upgrade as I have many existing firejails working in 0.9.58-2, so that will take some time. I noticed that: ``` firejail --blacklist=/run/dbus --noprofile systemctl suspend ``` prevents the suspend even though --nodbus instead of blacklisting /run/dbus did not. I would have thought the two were equivalent before. It is too bad I can't blacklist all of /run (xephyr fails to connect to any clients when I try that), or create a private /run - that would be a better option. @glitsj16 I know that all apps running in the same jail inherit the original profile - and that is precisely my intention here. Thanks for the pointers - yes I am familiar with them. I did alter /etc/firejail/firejail.config with respect to xephyr, but mostly to give xephyr some other command-line options, like '-s 0' to prevent screenblanking. It would be nice if there was a way to pass xephyr command line options through the firejail command line or user profile somehow instead of editing /etc/firejail/firejail.config. Unfortunately, AFAICT the firejail documentation is not comprehensive. I posted elsewhere that the documentation does not explain how or even whether certain combinations of options work. Another is in what cases command line options override profile options. There are a few others that one must use trial-and-error to determine - but since they are not documented, one wonders about their stability across releases. Which is a reason it will take me a bit of time to upgrade to 0.9.62-2.
gitea-mirror commented 2026-05-05 08:36:03 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jan 25, 2020):

I noticed that:

firejail --blacklist=/run/dbus --noprofile systemctl suspend

prevents the suspend even though --nodbus instead of blacklisting /run/dbus did not.

This is the case since firejail 0.9.60, see 4814096e10.

To get the firejail 0.9.60 behaviour in 0.9.58, you can add ?HAS_NODBUS: blacklist /run/dbus/system_bus_socket to your globals.local.

<!-- gh-comment-id:578428257 --> @rusty-snake commented on GitHub (Jan 25, 2020): > I noticed that: > >``` >firejail --blacklist=/run/dbus --noprofile systemctl suspend >``` > >prevents the suspend even though --nodbus instead of blacklisting /run/dbus did not. This is the case since firejail 0.9.60, see https://github.com/netblue30/firejail/commit/4814096e104f70f4a899894e2aa3e68b33753002. To get the firejail 0.9.60 behaviour in 0.9.58, you can add `?HAS_NODBUS: blacklist /run/dbus/system_bus_socket` to your globals.local.
gitea-mirror commented 2026-05-05 08:36:03 -06:00
Author
Owner
Copy link

@jonleivent commented on GitHub (Jan 25, 2020):

Even with all of these mitigations against dbus usage, if I --join the jail, I can again do systemctl syspend from the joining app. In fact, many - perhaps all - blacklisted items are visible from the joining app. I thought that would only happen if I joined as root, which I am not doing.

<!-- gh-comment-id:578443795 --> @jonleivent commented on GitHub (Jan 25, 2020): Even with all of these mitigations against dbus usage, if I --join the jail, I can again do `systemctl syspend` from the joining app. In fact, many - perhaps all - blacklisted items are visible from the joining app. I thought that would only happen if I joined as root, which I am not doing.
gitea-mirror commented 2026-05-05 08:36:04 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jan 25, 2020):

🤦‍♂️ abstract unix sockets sudo ss -x.

To disable the abstract sockets you would need to request a new network namespace using --net command. Another option is to remove unix from --protocol set.

<!-- gh-comment-id:578444362 --> @rusty-snake commented on GitHub (Jan 25, 2020): ~~:man_facepalming: abstract unix sockets `sudo ss -x`.~~ > ~~To disable the abstract sockets you would need to request a new network namespace using --net command. Another option is to remove unix from --protocol set.~~
gitea-mirror commented 2026-05-05 08:36:04 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Jan 25, 2020):

Even with all of these mitigations against dbus usage, if I --join the jail, I can again do systemctl syspend from the joining app. In fact, many - perhaps all - blacklisted items are visible from the joining app. I thought that would only happen if I joined as root, which I am not doing.

Please share your complete profile and exact commands here so we can try to reproduce.

<!-- gh-comment-id:578444688 --> @ghost commented on GitHub (Jan 25, 2020): > Even with all of these mitigations against dbus usage, if I --join the jail, I can again do systemctl syspend from the joining app. In fact, many - perhaps all - blacklisted items are visible from the joining app. I thought that would only happen if I joined as root, which I am not doing. Please share your complete profile and exact commands here so we can try to reproduce.
gitea-mirror commented 2026-05-05 08:36:04 -06:00
Author
Owner
Copy link

@jonleivent commented on GitHub (Jan 25, 2020):

Profile:

private /home/jil/jailedhomes/common-wm
include disable-common.inc
caps.drop all
netfilter
nodvd
no3d
nogroups
nonewprivs
noroot
notv
seccomp
nodbus
nou2f
novideo
ipc-namespace
protocol unix
net none
x11 xephyr
private-dev
private-cache
read-only /
read-only /media
read-only /mnt
private-tmp
private-etc group,hostname,passwd,login.defs,fonts
name common-wm
blacklist /run/systemd
blacklist ${PATH}/*ctl
blacklist ${PATH}/kernel-install
blacklist ${PATH}/systemd-*
blacklist ${PATH}/udevadm
blacklist /etc/systemd
blacklist /usr/lib/systemd
blacklist /usr/share/systemd
blacklist /var/lib/systemd
blacklist /var/run/systemd
blacklist /run/dbus
blacklist /var/run/dbus

Obviously you will need to change the private directory location. And, yes, lots of blacklist redundancy.

Commands:

firejail --profile=<the above profile> icewm
firejail --join=common-wm urxvt

I first noticed the issue because I started a toolbar app (tint2) by doing a --join, then launched apps (such as urxvt) from the toolbar. I can work around this by using icewm-session instead and launching a toolbar from the session startup file, or having icewm use its own (not so great and somewhat buggy) toolbar.

firejail is 0.9.58.2, host OS is Debian 10.2 stable (Buster), MX 19 with systemd.

From within that urxvt (or any term you want), you can do systemctl commands and see into all blacklisted items. In that term, do an ls on /usr/share/systemd (blacklisted) for an example.

<!-- gh-comment-id:578447477 --> @jonleivent commented on GitHub (Jan 25, 2020): Profile: ``` private /home/jil/jailedhomes/common-wm include disable-common.inc caps.drop all netfilter nodvd no3d nogroups nonewprivs noroot notv seccomp nodbus nou2f novideo ipc-namespace protocol unix net none x11 xephyr private-dev private-cache read-only / read-only /media read-only /mnt private-tmp private-etc group,hostname,passwd,login.defs,fonts name common-wm blacklist /run/systemd blacklist ${PATH}/*ctl blacklist ${PATH}/kernel-install blacklist ${PATH}/systemd-* blacklist ${PATH}/udevadm blacklist /etc/systemd blacklist /usr/lib/systemd blacklist /usr/share/systemd blacklist /var/lib/systemd blacklist /var/run/systemd blacklist /run/dbus blacklist /var/run/dbus ``` Obviously you will need to change the private directory location. And, yes, lots of blacklist redundancy. Commands: ``` firejail --profile=<the above profile> icewm firejail --join=common-wm urxvt ``` I first noticed the issue because I started a toolbar app (tint2) by doing a --join, then launched apps (such as urxvt) from the toolbar. I can work around this by using icewm-session instead and launching a toolbar from the session startup file, or having icewm use its own (not so great and somewhat buggy) toolbar. firejail is 0.9.58.2, host OS is Debian 10.2 stable (Buster), MX 19 with systemd. From within that urxvt (or any term you want), you can do systemctl commands and see into all blacklisted items. In that term, do an ls on /usr/share/systemd (blacklisted) for an example.
gitea-mirror commented 2026-05-05 08:36:05 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jan 25, 2020):

Remove read-only /, more infos will follow.

<!-- gh-comment-id:578448667 --> @rusty-snake commented on GitHub (Jan 25, 2020): Remove `read-only /`, more infos will follow.
gitea-mirror commented 2026-05-05 08:36:05 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jan 25, 2020):

read-only / does not work any more (dba9dff, 0.9.62).

<!-- gh-comment-id:578449793 --> @rusty-snake commented on GitHub (Jan 25, 2020): `read-only /` does not work any more (dba9dff, 0.9.62).
gitea-mirror commented 2026-05-05 08:36:06 -06:00
Author
Owner
Copy link

@jonleivent commented on GitHub (Jan 25, 2020):

Can I read-only all real dirs under / ?

<!-- gh-comment-id:578450078 --> @jonleivent commented on GitHub (Jan 25, 2020): Can I `read-only` all real dirs under / ?
gitea-mirror commented 2026-05-05 08:36:06 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Jan 26, 2020):

@jonleivent I installed icewm and uxrvt and did some testing. I only changed the private item to something that exists on my system. And I left out the now broken read-only /. Here are my observations.

  • from OUTSIDE the sandbox
[glitsj16@lab ~]$ stat /usr/bin/systemctl
  File: /usr/bin/systemctl
  Size: 219192    	Blocks: 432        IO Block: 4096   regular file
Device: 804h/2052d	Inode: 3149910     Links: 1
Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2020-01-25 22:11:25.116470224 +0100
Modify: 2019-12-15 20:33:11.000000000 +0100
Change: 2019-12-17 09:53:42.458002993 +0100
 Birth: 2019-12-17 09:53:42.438003508 +0100
  • from INSIDE the sandbox
[glitsj16@lab ~]$ stat /usr/bin/systemctl
  File: /usr/bin/systemctl
  Size: 0         	Blocks: 0          IO Block: 4096   regular empty file
Device: 17h/23d	Inode: 26609       Links: 1
Access: (0400/-r--------)  Uid: (65534/ UNKNOWN)   Gid: (65534/ UNKNOWN)
Access: 2020-01-25 03:10:25.060021355 +0000
Modify: 2020-01-25 03:10:25.060021355 +0000
Change: 2020-01-25 03:10:25.060021355 +0000
 Birth: -

[glitsj16@lab ~]$ systemctl list-units
bash: /usr/bin/systemctl: Permission denied

[glitsj16@lab ~]$ sudo systemctl list-units
bash: /usr/bin/sudo: Permission denied

[glitsj16@lab ~]$ ls -lA /run/dbus/
ls: cannot open directory '/run/dbus/': Permission denied

[glitsj16@lab ~]$ sudo ls -lA /run/dbus/
bash: /usr/bin/sudo: Permission denied

[glitsj16@lab16 ~]$ ls -lA /var/run/dbus/
ls: cannot open directory '/var/run/dbus/': Permission denied

[glitsj16@lab16 ~]$ sudo ls -lA /var/run/dbus/
bash: /usr/bin/sudo: Permission denied

[glitsj16@lab16 ~]$ systemctl reboot
bash: /usr/bin/systemctl: Permission denied

[glitsj16@lab16 ~]$ sudo systemctl reboot
bash: /usr/bin/sudo: Permission denied

To me that looks just fine. The jail works OK. You can indeed see /usr/bin/systemctl inside the jail but it is an empty file with perms 0400.

<!-- gh-comment-id:578455357 --> @ghost commented on GitHub (Jan 26, 2020): @jonleivent I installed icewm and uxrvt and did some testing. I only changed the private item to something that exists on my system. And I left out the now broken read-only /. Here are my observations. - from OUTSIDE the sandbox ``` [glitsj16@lab ~]$ stat /usr/bin/systemctl File: /usr/bin/systemctl Size: 219192 Blocks: 432 IO Block: 4096 regular file Device: 804h/2052d Inode: 3149910 Links: 1 Access: (0755/-rwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root) Access: 2020-01-25 22:11:25.116470224 +0100 Modify: 2019-12-15 20:33:11.000000000 +0100 Change: 2019-12-17 09:53:42.458002993 +0100 Birth: 2019-12-17 09:53:42.438003508 +0100 ``` - from INSIDE the sandbox ``` [glitsj16@lab ~]$ stat /usr/bin/systemctl File: /usr/bin/systemctl Size: 0 Blocks: 0 IO Block: 4096 regular empty file Device: 17h/23d Inode: 26609 Links: 1 Access: (0400/-r--------) Uid: (65534/ UNKNOWN) Gid: (65534/ UNKNOWN) Access: 2020-01-25 03:10:25.060021355 +0000 Modify: 2020-01-25 03:10:25.060021355 +0000 Change: 2020-01-25 03:10:25.060021355 +0000 Birth: - [glitsj16@lab ~]$ systemctl list-units bash: /usr/bin/systemctl: Permission denied [glitsj16@lab ~]$ sudo systemctl list-units bash: /usr/bin/sudo: Permission denied [glitsj16@lab ~]$ ls -lA /run/dbus/ ls: cannot open directory '/run/dbus/': Permission denied [glitsj16@lab ~]$ sudo ls -lA /run/dbus/ bash: /usr/bin/sudo: Permission denied [glitsj16@lab16 ~]$ ls -lA /var/run/dbus/ ls: cannot open directory '/var/run/dbus/': Permission denied [glitsj16@lab16 ~]$ sudo ls -lA /var/run/dbus/ bash: /usr/bin/sudo: Permission denied [glitsj16@lab16 ~]$ systemctl reboot bash: /usr/bin/systemctl: Permission denied [glitsj16@lab16 ~]$ sudo systemctl reboot bash: /usr/bin/sudo: Permission denied ``` To me that looks just fine. The jail works OK. You can indeed see /usr/bin/systemctl inside the jail but it is an empty file with perms 0400.
gitea-mirror commented 2026-05-05 08:36:06 -06:00
Author
Owner
Copy link

@jonleivent commented on GitHub (Jan 26, 2020):

@glitsj16
I am finding similar with testing. And read-only on subdirs of / doesn't appear to interfere.

Perhaps read-only / should emit an error? Or maybe just read-only all real subdirs of /. I doubt I'm the only one dumb enough to think read-only / enhances security.

<!-- gh-comment-id:578456340 --> @jonleivent commented on GitHub (Jan 26, 2020): @glitsj16 I am finding similar with testing. And read-only on subdirs of / doesn't appear to interfere. Perhaps `read-only /` should emit an error? Or maybe just read-only all real subdirs of /. I doubt I'm the only one dumb enough to think `read-only /` enhances security.
gitea-mirror commented 2026-05-05 08:36:07 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jan 26, 2020):

@jonleivent it does it in 0.9.62

$ firejail --noprofile --read-only=/
Parent pid 113741, child pid 113742
Access error: uid 1000, last mount name:/firejail/firejail.ro.file dir:/sys/kernel/vmcoreinfo type:tmpfs - invalid read-only mount
Error: proc 113741 cannot sync with peer: unexpected EOF
Peer 113742 unexpectedly exited with status 1
zsh: exit 1     firejail --noprofile --read-only=/

@glitsj16 if you use firejail <=0.9.60 you will be able to reproduce.

<!-- gh-comment-id:578486033 --> @rusty-snake commented on GitHub (Jan 26, 2020): @jonleivent it does it in 0.9.62 ``` $ firejail --noprofile --read-only=/ Parent pid 113741, child pid 113742 Access error: uid 1000, last mount name:/firejail/firejail.ro.file dir:/sys/kernel/vmcoreinfo type:tmpfs - invalid read-only mount Error: proc 113741 cannot sync with peer: unexpected EOF Peer 113742 unexpectedly exited with status 1 zsh: exit 1 firejail --noprofile --read-only=/ ``` @glitsj16 if you use firejail <=0.9.60 you will be able to reproduce.
gitea-mirror commented 2026-05-05 08:36:07 -06:00
Author
Owner
Copy link

@smitsohu commented on GitHub (Jan 26, 2020):

read-only / does not work any more

It is a regression, I'll put a fix in.

<!-- gh-comment-id:578490009 --> @smitsohu commented on GitHub (Jan 26, 2020): > read-only / does not work any more It is a regression, I'll put a fix in.
gitea-mirror commented 2026-05-05 08:36:07 -06:00
Author
Owner
Copy link

@smitsohu commented on GitHub (Jan 26, 2020):

read-only / does not work any more

Fixed in afb7e0363b.

@jonleivent Note that the root directory is still a special case: Unlike all other remounts, read-only=/ is not fully recursive. If you try to create a new file /foo, it fails as expected in such a sandbox, but you can still write in some places, for example in /run/user/$UID. And actually we need some kind of special treatment, because Firejail expects some paths to be writable and cannot run otherwise.

If you want a fully recursive read-only remount, you need to do read-only=/etc, read-only=/usr, ... and so on on top of read-only=/. But also note that Firejail does most of this already out of the box. From the manual:

The default Firejail filesystem is based on the host filesys‐
tem with the main system directories mounted read-only. These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, /libx32
and /lib64. Only /home and /tmp are writable.

Probably we should document this exception though and drop a sentence in the man pages.

<!-- gh-comment-id:578500943 --> @smitsohu commented on GitHub (Jan 26, 2020): > read-only / does not work any more Fixed in afb7e0363bd630f12773876d486afed4ad485ad7. @jonleivent Note that the root directory is still a special case: Unlike all other remounts, `read-only=/` is not fully recursive. If you try to create a new file `/foo`, it fails as expected in such a sandbox, but you can still write in some places, for example in `/run/user/$UID`. And actually we need some kind of special treatment, because Firejail expects some paths to be writable and cannot run otherwise. If you want a fully recursive read-only remount, you need to do `read-only=/etc`, `read-only=/usr`, ... and so on _on top of_ `read-only=/`. But also note that Firejail does most of this already out of the box. From the manual: > The default Firejail filesystem is based on the host filesys‐ > tem with the main system directories mounted read-only. These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, /libx32 > and /lib64. Only /home and /tmp are writable. Probably we should document this exception though and drop a sentence in the man pages.
gitea-mirror commented 2026-05-05 08:36:08 -06:00
Author
Owner
Copy link

@jonleivent commented on GitHub (Jan 27, 2020):

@smitsohu
I was never clear what "default" meant in "The default Firejail filesystem". I had always though it meant what firejail did if run without a profile (so using the default profile), but that once a profile was used, the profile writer was in control. But, yeah, everything I've been trying to do above was based on that mistake. I've never bothered to look at default.profile before, and now that I am, I can see how mistaken I was about that.

Perhaps to clarify things for the semantically confused such as myself, it would be better if the man page said "Firejail always starts, prior to any additional command-line options or profile settings, with a filesystem that is based on the host filesystem with main system directories mounted read-only".

<!-- gh-comment-id:578574072 --> @jonleivent commented on GitHub (Jan 27, 2020): @smitsohu I was never clear what "default" meant in "The default Firejail filesystem". I had always though it meant what firejail did if run without a profile (so using the default profile), but that once a profile was used, the profile writer was in control. But, yeah, everything I've been trying to do above was based on that mistake. I've never bothered to look at default.profile before, and now that I am, I can see how mistaken I was about that. Perhaps to clarify things for the semantically confused such as myself, it would be better if the man page said "Firejail always starts, prior to any additional command-line options or profile settings, with a filesystem that is based on the host filesystem with main system directories mounted read-only".
gitea-mirror commented 2026-05-05 08:36:08 -06:00
Author
Owner
Copy link

@jonleivent commented on GitHub (Jan 27, 2020):

It might also be helpful if firejail, when it sees an option like read-only /etc that can't possibly add any new protections beyond what is always present, issues some warning to users, and then ignored the useless option.

<!-- gh-comment-id:578575188 --> @jonleivent commented on GitHub (Jan 27, 2020): It might also be helpful if firejail, when it sees an option like `read-only /etc` that can't possibly add any new protections beyond what is always present, issues some warning to users, and then ignored the useless option.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#1930
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?