github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #3113] fseccomp not found with private-bin+private-lib+seccomp #1953

New issue
Open
opened 2026-05-05 08:37:05 -06:00 by gitea-mirror · 4 comments
gitea-mirror commented 2026-05-05 08:37:05 -06:00
Owner
Copy link

Originally created by @reinerh on GitHub (Jan 3, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3113

While looking through errors of the test suite I noticed that test/profiles/profiles.sh was failing while testing the ffmpegthumbnailer profile.

+ ./test-profile.exp /etc/firejail/ffmpegthumbnailer.profile
spawn /bin/bash
stty -echo
user@host:/tmp/autopkgtest.oKW0CW/autopkgtest_tmp/test/profiles$ stty -echo
user@host:/tmp/autopkgtest.oKW0CW/autopkgtest_tmp/test/profiles$ execvp: No such file or directory
Error: failed to run /run/firejail/lib/fseccomp
Error: proc 7936 cannot sync with peer: unexpected EOF
Peer 7937 unexpectedly exited with status 1
user@host:/tmp/autopkgtest.oKW0CW/autopkgtest_tmp/test/profiles$ TESTING ERROR 0

For some reason it is not able to execute /run/firejail/lib/fseccomp (No such file or directory) for generating the seccomp filter.
I am able to reproduce it inside a container/qemu (but not on the host). Just running firejail --profile=/etc/firejail/ffmpegthumbnailer.profile $ANYCOMMAND is failing, as it can't complete the seccomp setup.

I then reduced the profile to the following lines:

private-bin ffmpegthumbnailer
private-lib libffmpegthumbnailer.so.*
seccomp !set_mempolicy

All three of them are needed to trigger the issue (seccomp alone is not sufficient, it needs an argument so that a new filter actually has to be generated).

Does anyone have an idea what could go wrong? Or why it fails inside a container/VM, but not on my main system?

CC @netblue30

Here is the output without quiet and with --debug (where it fails because of fsec-print):

Autoselecting /bin/bash as shell
Building quoted command line: 'find' '/run/firejail' 
Command name #find#
Enabling IPC namespace
Using the local network stack
Autoselecting /bin/bash as shell
Building quoted command line: 'find' '/run/firejail' 
Command name #find#
Enabling IPC namespace
Using the local network stack
Initializing child process
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating an empty /etc/ld.so.preload file
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
Mounting read-only /var
Mounting read-only /bin
Mounting read-only /sbin
Mounting read-only /lib
Mounting read-only /lib64
Mounting read-only /lib32
Mounting read-only /libx32
Mounting read-only /usr
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /var/lib/dhcp
Mounting tmpfs on /var/lib/sudo
Create the new utmp file
Mount the new utmp file
Copying files in the new bin directory
Checking /usr/local/bin/ffmpegthumbnailer
Checking /usr/bin/ffmpegthumbnailer
Checking /bin/ffmpegthumbnailer
Checking /usr/games/ffmpegthumbnailer
Checking /usr/local/games/ffmpegthumbnailer
Checking /usr/local/sbin/ffmpegthumbnailer
Checking /usr/sbin/ffmpegthumbnailer
Checking /sbin/ffmpegthumbnailer
Mount-bind /run/firejail/mnt/bin on top of /usr/local/bin
Mount-bind /run/firejail/mnt/bin on top of /usr/bin
Mount-bind /run/firejail/mnt/bin on top of /bin
Mount-bind /run/firejail/mnt/bin on top of /usr/games
Mount-bind /run/firejail/mnt/bin on top of /usr/local/games
Mount-bind /run/firejail/mnt/bin on top of /usr/local/sbin
Mount-bind /run/firejail/mnt/bin on top of /usr/sbin
Mount-bind /run/firejail/mnt/bin on top of /sbin
Reading profile /etc/firejail/ffmpegthumbnailer.profile
DISPLAY is not set
Parent pid 1801, child pid 1802
Warning: file ffmpegthumbnailer not found
0 programs installed in 0.57 ms
Starting private-lib processing: program find, shell /bin/bash
Installing standard C library
    copying /lib/x86_64-linux-gnu/libnss_dns.so.2 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libnss_dns.so.2 /run/firejail/mnt/lib/x86_64-linux-gnu (null) 
    copying /lib/x86_64-linux-gnu/libapparmor.so.1.6.1 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libapparmor.so.1.6.1 /run/firejail/mnt/lib/x86_64-linux-gnu (null) 
    copying /lib/x86_64-linux-gnu/libmvec.so.1 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libmvec.so.1 /run/firejail/mnt/lib/x86_64-linux-gnu (null) 
    copying /lib/x86_64-linux-gnu/libnss_nis.so.2 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libnss_nis.so.2 /run/firejail/mnt/lib/x86_64-linux-gnu (null) 
    copying /lib/x86_64-linux-gnu/libthread_db.so.1 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libthread_db.so.1 /run/firejail/mnt/lib/x86_64-linux-gnu (null) 
    copying /lib/x86_64-linux-gnu/libcrypt.so.1.1.0 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libcrypt.so.1.1.0 /run/firejail/mnt/lib/x86_64-linux-gnu (null) 
    copying /lib/x86_64-linux-gnu/libanl.so.1 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libanl.so.1 /run/firejail/mnt/lib/x86_64-linux-gnu (null) 
    copying /lib/x86_64-linux-gnu/libnss_compat.so.2 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libnss_compat.so.2 /run/firejail/mnt/lib/x86_64-linux-gnu (null) 
    copying /lib/x86_64-linux-gnu/libcrypt.so.1 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libcrypt.so.1 /run/firejail/mnt/lib/x86_64-linux-gnu (null) 
    copying /lib/x86_64-linux-gnu/libdl.so.2 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libdl.so.2 /run/firejail/mnt/lib/x86_64-linux-gnu (null) 
    copying /lib/x86_64-linux-gnu/libresolv.so.2 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libresolv.so.2 /run/firejail/mnt/lib/x86_64-linux-gnu (null) 
    copying /lib/x86_64-linux-gnu/libnss_hesiod.so.2 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libnss_hesiod.so.2 /run/firejail/mnt/lib/x86_64-linux-gnu (null) 
    copying /lib/x86_64-linux-gnu/libutil.so.1 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libutil.so.1 /run/firejail/mnt/lib/x86_64-linux-gnu (null) 
    copying /lib/x86_64-linux-gnu/libpthread.so.0 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libpthread.so.0 /run/firejail/mnt/lib/x86_64-linux-gnu (null) 
    copying /lib/x86_64-linux-gnu/libc.so.6 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libc.so.6 /run/firejail/mnt/lib/x86_64-linux-gnu (null) 
    copying /lib/x86_64-linux-gnu/libapparmor.so.1 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libapparmor.so.1 /run/firejail/mnt/lib/x86_64-linux-gnu (null) 
    copying /lib/x86_64-linux-gnu/libmemusage.so to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libmemusage.so /run/firejail/mnt/lib/x86_64-linux-gnu (null) 
    copying /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 /run/firejail/mnt/lib/x86_64-linux-gnu (null) 
    copying /lib/x86_64-linux-gnu/librt.so.1 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/librt.so.1 /run/firejail/mnt/lib/x86_64-linux-gnu (null) 
    copying /lib/x86_64-linux-gnu/libnss_files.so.2 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libnss_files.so.2 /run/firejail/mnt/lib/x86_64-linux-gnu (null) 
    copying /lib/x86_64-linux-gnu/libnsl.so.1 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libnsl.so.1 /run/firejail/mnt/lib/x86_64-linux-gnu (null) 
    copying /lib/x86_64-linux-gnu/libnss_nisplus.so.2 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libnss_nisplus.so.2 /run/firejail/mnt/lib/x86_64-linux-gnu (null) 
    copying /lib/x86_64-linux-gnu/libselinux.so.1 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libselinux.so.1 /run/firejail/mnt/lib/x86_64-linux-gnu (null) 
    copying /lib/x86_64-linux-gnu/libm.so.6 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libm.so.6 /run/firejail/mnt/lib/x86_64-linux-gnu (null) 
    fslib_copy_dir /usr/lib/locale
Installing sandboxed program libraries
    fslib_install_list  find
Installing shell libraries
    fslib_install_list  /bin/bash
    fslib_install_list  /bin/ls,/bin/cat,/bin/mv,/bin/rm
Processing private-lib files
    fslib_install_list  libffmpegthumbnailer.so.*
Installing system libraries
    fslib_install_list  /usr/bin/firejail,firejail
    fslib_copy_dir /usr/lib/x86_64-linux-gnu/firejail
    fslib_copy_dir /lib/x86_64-linux-gnu/firejail
    fslib_copy_dir /usr/lib/x86_64-linux-gnu/firejail
Mount-bind /run/firejail/mnt/lib on top of /lib /lib64 /usr/lib
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /boot
Disable /dev/port
Disable /run/user/0/gnupg
Disable /run/user/0/systemd
Disable /sys/fs
Disable /sys/module
/etc/pulse/client.conf not found
Create the new ld.so.preload file
Mount the new ld.so.preload file
Current directory: /tmp/autopkgtest.2Jyr1K/autopkgtest_tmp/test/profiles
configuring 54 seccomp entries in /run/firejail/mnt/seccomp/seccomp.32
sbox run: /usr/lib/x86_64-linux-gnu/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.32 (null) 
The new log directory is /proc/1802/root/var/log
as root:
Standard C library installed in 44.15 ms
Program libraries installed in 0.52 ms
Installed 24 libraries and 2 directories
Post-exec seccomp protector enabled
DISPLAY is not set
execvp: No such file or directory
Error: failed to run /usr/lib/x86_64-linux-gnu/firejail/fsec-print
Error: proc 1801 cannot sync with peer: unexpected EOF
Peer 1802 unexpectedly exited with status 1
Originally created by @reinerh on GitHub (Jan 3, 2020). Original GitHub issue: https://github.com/netblue30/firejail/issues/3113 While looking through errors of the [test suite](https://ci.debian.net/packages/f/firejail/unstable/amd64/) I noticed that `test/profiles/profiles.sh` was failing while testing the ffmpegthumbnailer profile. ``` + ./test-profile.exp /etc/firejail/ffmpegthumbnailer.profile spawn /bin/bash stty -echo user@host:/tmp/autopkgtest.oKW0CW/autopkgtest_tmp/test/profiles$ stty -echo user@host:/tmp/autopkgtest.oKW0CW/autopkgtest_tmp/test/profiles$ execvp: No such file or directory Error: failed to run /run/firejail/lib/fseccomp Error: proc 7936 cannot sync with peer: unexpected EOF Peer 7937 unexpectedly exited with status 1 user@host:/tmp/autopkgtest.oKW0CW/autopkgtest_tmp/test/profiles$ TESTING ERROR 0 ``` For some reason it is not able to execute `/run/firejail/lib/fseccomp` (`No such file or directory`) for generating the seccomp filter. I am able to reproduce it inside a container/qemu (but not on the host). Just running `firejail --profile=/etc/firejail/ffmpegthumbnailer.profile $ANYCOMMAND` is failing, as it can't complete the seccomp setup. I then reduced the profile to the following lines: ``` private-bin ffmpegthumbnailer private-lib libffmpegthumbnailer.so.* seccomp !set_mempolicy ``` All three of them are needed to trigger the issue (`seccomp` alone is not sufficient, it needs an argument so that a new filter actually has to be generated). Does anyone have an idea what could go wrong? Or why it fails inside a container/VM, but not on my main system? CC @netblue30 Here is the output without `quiet` and with `--debug` (where it fails because of `fsec-print`): ``` Autoselecting /bin/bash as shell Building quoted command line: 'find' '/run/firejail' Command name #find# Enabling IPC namespace Using the local network stack Autoselecting /bin/bash as shell Building quoted command line: 'find' '/run/firejail' Command name #find# Enabling IPC namespace Using the local network stack Initializing child process PID namespace installed Mounting tmpfs on /run/firejail/mnt directory Creating empty /run/firejail/mnt/seccomp directory Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file Creating an empty /etc/ld.so.preload file Mounting /proc filesystem representing the PID namespace Basic read-only filesystem: Mounting read-only /etc Mounting read-only /var Mounting read-only /bin Mounting read-only /sbin Mounting read-only /lib Mounting read-only /lib64 Mounting read-only /lib32 Mounting read-only /libx32 Mounting read-only /usr Mounting tmpfs on /var/lock Mounting tmpfs on /var/tmp Mounting tmpfs on /var/log Mounting tmpfs on /var/lib/dhcp Mounting tmpfs on /var/lib/sudo Create the new utmp file Mount the new utmp file Copying files in the new bin directory Checking /usr/local/bin/ffmpegthumbnailer Checking /usr/bin/ffmpegthumbnailer Checking /bin/ffmpegthumbnailer Checking /usr/games/ffmpegthumbnailer Checking /usr/local/games/ffmpegthumbnailer Checking /usr/local/sbin/ffmpegthumbnailer Checking /usr/sbin/ffmpegthumbnailer Checking /sbin/ffmpegthumbnailer Mount-bind /run/firejail/mnt/bin on top of /usr/local/bin Mount-bind /run/firejail/mnt/bin on top of /usr/bin Mount-bind /run/firejail/mnt/bin on top of /bin Mount-bind /run/firejail/mnt/bin on top of /usr/games Mount-bind /run/firejail/mnt/bin on top of /usr/local/games Mount-bind /run/firejail/mnt/bin on top of /usr/local/sbin Mount-bind /run/firejail/mnt/bin on top of /usr/sbin Mount-bind /run/firejail/mnt/bin on top of /sbin Reading profile /etc/firejail/ffmpegthumbnailer.profile DISPLAY is not set Parent pid 1801, child pid 1802 Warning: file ffmpegthumbnailer not found 0 programs installed in 0.57 ms Starting private-lib processing: program find, shell /bin/bash Installing standard C library copying /lib/x86_64-linux-gnu/libnss_dns.so.2 to private /run/firejail/mnt/lib/x86_64-linux-gnu sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libnss_dns.so.2 /run/firejail/mnt/lib/x86_64-linux-gnu (null) copying /lib/x86_64-linux-gnu/libapparmor.so.1.6.1 to private /run/firejail/mnt/lib/x86_64-linux-gnu sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libapparmor.so.1.6.1 /run/firejail/mnt/lib/x86_64-linux-gnu (null) copying /lib/x86_64-linux-gnu/libmvec.so.1 to private /run/firejail/mnt/lib/x86_64-linux-gnu sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libmvec.so.1 /run/firejail/mnt/lib/x86_64-linux-gnu (null) copying /lib/x86_64-linux-gnu/libnss_nis.so.2 to private /run/firejail/mnt/lib/x86_64-linux-gnu sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libnss_nis.so.2 /run/firejail/mnt/lib/x86_64-linux-gnu (null) copying /lib/x86_64-linux-gnu/libthread_db.so.1 to private /run/firejail/mnt/lib/x86_64-linux-gnu sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libthread_db.so.1 /run/firejail/mnt/lib/x86_64-linux-gnu (null) copying /lib/x86_64-linux-gnu/libcrypt.so.1.1.0 to private /run/firejail/mnt/lib/x86_64-linux-gnu sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libcrypt.so.1.1.0 /run/firejail/mnt/lib/x86_64-linux-gnu (null) copying /lib/x86_64-linux-gnu/libanl.so.1 to private /run/firejail/mnt/lib/x86_64-linux-gnu sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libanl.so.1 /run/firejail/mnt/lib/x86_64-linux-gnu (null) copying /lib/x86_64-linux-gnu/libnss_compat.so.2 to private /run/firejail/mnt/lib/x86_64-linux-gnu sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libnss_compat.so.2 /run/firejail/mnt/lib/x86_64-linux-gnu (null) copying /lib/x86_64-linux-gnu/libcrypt.so.1 to private /run/firejail/mnt/lib/x86_64-linux-gnu sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libcrypt.so.1 /run/firejail/mnt/lib/x86_64-linux-gnu (null) copying /lib/x86_64-linux-gnu/libdl.so.2 to private /run/firejail/mnt/lib/x86_64-linux-gnu sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libdl.so.2 /run/firejail/mnt/lib/x86_64-linux-gnu (null) copying /lib/x86_64-linux-gnu/libresolv.so.2 to private /run/firejail/mnt/lib/x86_64-linux-gnu sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libresolv.so.2 /run/firejail/mnt/lib/x86_64-linux-gnu (null) copying /lib/x86_64-linux-gnu/libnss_hesiod.so.2 to private /run/firejail/mnt/lib/x86_64-linux-gnu sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libnss_hesiod.so.2 /run/firejail/mnt/lib/x86_64-linux-gnu (null) copying /lib/x86_64-linux-gnu/libutil.so.1 to private /run/firejail/mnt/lib/x86_64-linux-gnu sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libutil.so.1 /run/firejail/mnt/lib/x86_64-linux-gnu (null) copying /lib/x86_64-linux-gnu/libpthread.so.0 to private /run/firejail/mnt/lib/x86_64-linux-gnu sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libpthread.so.0 /run/firejail/mnt/lib/x86_64-linux-gnu (null) copying /lib/x86_64-linux-gnu/libc.so.6 to private /run/firejail/mnt/lib/x86_64-linux-gnu sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libc.so.6 /run/firejail/mnt/lib/x86_64-linux-gnu (null) copying /lib/x86_64-linux-gnu/libapparmor.so.1 to private /run/firejail/mnt/lib/x86_64-linux-gnu sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libapparmor.so.1 /run/firejail/mnt/lib/x86_64-linux-gnu (null) copying /lib/x86_64-linux-gnu/libmemusage.so to private /run/firejail/mnt/lib/x86_64-linux-gnu sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libmemusage.so /run/firejail/mnt/lib/x86_64-linux-gnu (null) copying /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 to private /run/firejail/mnt/lib/x86_64-linux-gnu sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 /run/firejail/mnt/lib/x86_64-linux-gnu (null) copying /lib/x86_64-linux-gnu/librt.so.1 to private /run/firejail/mnt/lib/x86_64-linux-gnu sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/librt.so.1 /run/firejail/mnt/lib/x86_64-linux-gnu (null) copying /lib/x86_64-linux-gnu/libnss_files.so.2 to private /run/firejail/mnt/lib/x86_64-linux-gnu sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libnss_files.so.2 /run/firejail/mnt/lib/x86_64-linux-gnu (null) copying /lib/x86_64-linux-gnu/libnsl.so.1 to private /run/firejail/mnt/lib/x86_64-linux-gnu sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libnsl.so.1 /run/firejail/mnt/lib/x86_64-linux-gnu (null) copying /lib/x86_64-linux-gnu/libnss_nisplus.so.2 to private /run/firejail/mnt/lib/x86_64-linux-gnu sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libnss_nisplus.so.2 /run/firejail/mnt/lib/x86_64-linux-gnu (null) copying /lib/x86_64-linux-gnu/libselinux.so.1 to private /run/firejail/mnt/lib/x86_64-linux-gnu sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libselinux.so.1 /run/firejail/mnt/lib/x86_64-linux-gnu (null) copying /lib/x86_64-linux-gnu/libm.so.6 to private /run/firejail/mnt/lib/x86_64-linux-gnu sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libm.so.6 /run/firejail/mnt/lib/x86_64-linux-gnu (null) fslib_copy_dir /usr/lib/locale Installing sandboxed program libraries fslib_install_list find Installing shell libraries fslib_install_list /bin/bash fslib_install_list /bin/ls,/bin/cat,/bin/mv,/bin/rm Processing private-lib files fslib_install_list libffmpegthumbnailer.so.* Installing system libraries fslib_install_list /usr/bin/firejail,firejail fslib_copy_dir /usr/lib/x86_64-linux-gnu/firejail fslib_copy_dir /lib/x86_64-linux-gnu/firejail fslib_copy_dir /usr/lib/x86_64-linux-gnu/firejail Mount-bind /run/firejail/mnt/lib on top of /lib /lib64 /usr/lib Mounting read-only /proc/sys Remounting /sys directory Disable /sys/firmware Disable /sys/hypervisor Disable /sys/power Disable /sys/kernel/debug Disable /sys/kernel/vmcoreinfo Disable /proc/sys/fs/binfmt_misc Disable /proc/sys/kernel/core_pattern Disable /proc/sys/kernel/modprobe Disable /proc/sysrq-trigger Disable /proc/sys/vm/panic_on_oom Disable /proc/irq Disable /proc/bus Disable /proc/sched_debug Disable /proc/timer_list Disable /proc/kcore Disable /proc/kallsyms Disable /boot Disable /dev/port Disable /run/user/0/gnupg Disable /run/user/0/systemd Disable /sys/fs Disable /sys/module /etc/pulse/client.conf not found Create the new ld.so.preload file Mount the new ld.so.preload file Current directory: /tmp/autopkgtest.2Jyr1K/autopkgtest_tmp/test/profiles configuring 54 seccomp entries in /run/firejail/mnt/seccomp/seccomp.32 sbox run: /usr/lib/x86_64-linux-gnu/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.32 (null) The new log directory is /proc/1802/root/var/log as root: Standard C library installed in 44.15 ms Program libraries installed in 0.52 ms Installed 24 libraries and 2 directories Post-exec seccomp protector enabled DISPLAY is not set execvp: No such file or directory Error: failed to run /usr/lib/x86_64-linux-gnu/firejail/fsec-print Error: proc 1801 cannot sync with peer: unexpected EOF Peer 1802 unexpectedly exited with status 1 ```
gitea-mirror commented 2026-05-05 08:37:07 -06:00
Author
Owner
Copy link

@matu3ba commented on GitHub (Apr 10, 2020):

Warning: file ffmpegthumbnailer not found
0 programs installed in 0.57 ms

Looks like the binary is not installed on the VM.
What do you think @rusty-snake ?

<!-- gh-comment-id:611817571 --> @matu3ba commented on GitHub (Apr 10, 2020): ``` Warning: file ffmpegthumbnailer not found 0 programs installed in 0.57 ms ``` Looks like the binary is not installed on the VM. What do you think @rusty-snake ?
gitea-mirror commented 2026-05-05 08:37:08 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Apr 10, 2020):

looks like the private-bin must have an invalid argument.

<!-- gh-comment-id:611941065 --> @rusty-snake commented on GitHub (Apr 10, 2020): looks like the private-bin must have an invalid argument.
gitea-mirror commented 2026-05-05 08:37:09 -06:00
Author
Owner
Copy link

@reinerh commented on GitHub (Apr 10, 2020):

ffmpegthumbnailer is not needed, as the test script is running the echo binary ("echo done").
It checks either for the output of "done", or for the error message that "echo" has not been found.

But the error I posted above is not one of the expected ones.

<!-- gh-comment-id:611945121 --> @reinerh commented on GitHub (Apr 10, 2020): ffmpegthumbnailer is not needed, as the [test script](https://github.com/netblue30/firejail/blob/master/test/profiles/test-profile.exp) is running the echo binary ("echo done"). It checks either for the output of "done", or for the error message that "echo" has not been found. But the error I posted above is not one of the expected ones.
gitea-mirror commented 2026-05-05 08:37:10 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Apr 10, 2020):

I get

/usr/lib64/firejail/fsec-print: error while loading shared libraries: libpcre2-8.so.0: cannot open shared object file: No such file or directory
Error: failed to run /usr/lib64/firejail/fsec-print
Error: proc 46275 cannot sync with peer: unexpected EOF

It works with --private-lib=libpcre2-8.so.0.

OS: Fedora 31

<!-- gh-comment-id:611950466 --> @rusty-snake commented on GitHub (Apr 10, 2020): I get ``` /usr/lib64/firejail/fsec-print: error while loading shared libraries: libpcre2-8.so.0: cannot open shared object file: No such file or directory Error: failed to run /usr/lib64/firejail/fsec-print Error: proc 46275 cannot sync with peer: unexpected EOF ``` It works with `--private-lib=libpcre2-8.so.0`. OS: Fedora 31
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#1953
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?