[GH-ISSUE #3090] popcorn-time won't start with firejail (help needed) #1937

Closed
opened 2026-05-05 08:36:16 -06:00 by gitea-mirror · 4 comments

Originally created by @flux242 on GitHub (Dec 21, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3090

Hello,

I'm executing the following command:

```
APP_NAME=popcorntime
appbin=~/Applications/PopcornTime-1.4.0-x86_64.AppImage
profilename='pathtotheprofile'
firejail --private=~/Applications/privatehome/"$APP_NAME" --profile="$profilename" --appimage "$appbin" $APP_ARGS
```

Profile content is here: https://pastebin.com/TPRyG889

Result is:

```
audit: type=1326 audit(1576939707.276:125): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=16316 comm="Chrome_IOThread" exe="/run/firejail/appimage/.appimage-16260/popcorntime" sig=31 arch=c000003e syscall=101 compat=0 ip=0x4f41796 code=0x0
traps: Chrome_IOThread[16310] trap invalid opcode ip:30982f6 sp:7ff84f5ea5b0 error:0 in popcorntime[1806000+374d000]
```

syscall 101 is ioperm. Is it something that I'm missing in my profile or the app or even the electron framework does something fishy?

oh, and

```
firejail version 0.9.52

Compile time support:
	- AppArmor support is enabled
	- AppImage support is enabled
	- bind support is enabled
	- chroot support is enabled
	- file and directory whitelisting support is enabled
	- file transfer support is enabled
	- git install support is disabled
	- networking support is enabled
	- overlayfs support is enabled
	- private-home support is enabled
	- seccomp-bpf support is enabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled
```

Thanks


@rusty-snake commented on GitHub (Dec 21, 2019):

What happens if you allow `ioperm` by replacing `seccomp` with

```
seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,pivot_root,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
```

?


@flux242 commented on GitHub (Dec 21, 2019):

same error happens


@rusty-snake commented on GitHub (Dec 21, 2019):

  1. `firejail --debug-syscalls | grep 101` says ioperm, right? (For me: `ptrace`, but this is allowed in the `seccomp.drop` line. 32bit system?)
  2. > same error happens

     wait, why is `ioperm` still blocked?


@flux242 commented on GitHub (Dec 21, 2019):

oh, I looked here https://syscalls.kernelgrok.com/ for the syscall number
and it seems like I was simply providing a wrong profile. It works now. Just having seccomp is enough.

I'm sorry to bother you. Thank you for help anyway as I learned something new along the way!

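The thread turns on which syscall number 101 is, and that depends on the `arch=` field of the seccomp audit record. The following is an added example, not part of the original issue or of firejail: it parses the audit line quoted above and resolves the syscall against the architecture the record names. The syscall tables are a deliberately small subset of the kernel's tables, and the function names are hypothetical.

```python
import re

# Audit arch tokens as defined in <linux/audit.h>.
ARCHES = {0xC000003E: "x86_64", 0x40000003: "i386"}
# Assumption: a small subset of the per-architecture syscall tables,
# just enough to decode the record from this issue.
SYSCALLS = {
    "x86_64": {101: "ptrace", 173: "ioperm"},
    "i386": {26: "ptrace", 101: "ioperm"},
}
SECCOMP_RECORD = "1326"  # AUDIT_SECCOMP record type
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_seccomp_record(line):
    """Return the key=value fields of a type=1326 line, or None otherwise."""
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    if fields.get("type") != SECCOMP_RECORD:
        return None
    return fields

def resolve(line):
    """Resolve the blocked syscall using the architecture in the record."""
    fields = parse_seccomp_record(line)
    if fields is None:
        return None
    arch = ARCHES.get(int(fields["arch"], 16), "unknown")
    nr = int(fields["syscall"])
    name = SYSCALLS.get(arch, {}).get(nr, "unknown")
    # What the same number means elsewhere: the source of the mix-up.
    others = {a: t[nr] for a, t in SYSCALLS.items() if a != arch and nr in t}
    return {"comm": fields.get("comm"), "arch": arch, "nr": nr,
            "name": name, "other_arch_names": others}

# The two kernel log lines quoted in the issue.
SAMPLE = ('audit: type=1326 audit(1576939707.276:125): auid=4294967295 '
          'uid=1000 gid=1000 ses=4294967295 pid=16316 comm="Chrome_IOThread" '
          'exe="/run/firejail/appimage/.appimage-16260/popcorntime" sig=31 '
          'arch=c000003e syscall=101 compat=0 ip=0x4f41796 code=0x0')
TRAP = ('traps: Chrome_IOThread[16310] trap invalid opcode ip:30982f6 '
        'sp:7ff84f5ea5b0 error:0 in popcorntime[1806000+374d000]')

if __name__ == "__main__":
    print(resolve(SAMPLE))
    print(resolve(TRAP))
```
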