[GH-ISSUE #3196] Running "firejail --join=" does not work #1998

Closed
opened 2026-05-05 08:40:11 -06:00 by gitea-mirror · 3 comments

Originally created by @diepfote on GitHub (Jan 29, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3196

I mentioned it in https://github.com/netblue30/firejail/pull/3159#discussion_r372366986 after it was merged.

  • firejail version: 0.9.63
  • Distro: Arch Linux

Running `$ firejail --join=gummi ls -aR` after
`$ firejail --name=gummi --ignore=private-bin --profile=/etc/firejail/gummi.profile --private /usr/bin/gummi` does not work for me.

I just see the contents of the current directory.
Could you give me a hint?


@rusty-snake commented on GitHub (Jan 29, 2020):

So `firejail --noprofile --private --name=test sleep 1m & sleep 5s ; firejail --join=test ls` has the same output as `ls`?


@diepfote commented on GitHub (Jan 29, 2020):

No. That works. Funny.
I did not quit gummi when I was trying that earlier. Looks like it might be related to gummi or my custom profile.


@diepfote commented on GitHub (Jan 29, 2020):

gummi.local had this:

```
# gummi.local
private-bin gummi
private-lib linux-vdso.so.1,libglib-2.0.so.0,libgthread-2.0.so.0,libgtk-x11-2.0.so.0,libgdk-x11-2.0.so.0,libcairo.so.2,libgdk_pixbuf-2.0.so.0,libgio-2.0.so.0,libpango-1.0.so.0,libgobject-2.0.so.0,libgtksourceview-2.0.so.0,libpoppler-glib.so.8,libgtkspell.so.0,libz.so.1,libpthread.so.0,libc.so.6,libpcre.so.1,libgmodule-2.0.so.0,libpangocairo-1.0.so.0,libX11.so.6,libXfixes.so.3,libatk-1.0.so.0,libpangoft2-1.0.so.0,libfontconfig.so.1,libm.so.6,libXrender.so.1,libXinerama.so.1,libXi.so.6,libXrandr.so.2,libXcursor.so.1,libXcomposite.so.1,libXdamage.so.1,libXext.so.6,libpixman-1.so.0,libfreetype.so.6,libpng16.so.16,libxcb-shm.so.0,libxcb.so.1,libxcb-render.so.0,librt.so.1,libmount.so.1,libresolv.so.2,libfribidi.so.0,libthai.so.0,libharfbuzz.so.0,libffi.so.6,libxml2.so.2,libpoppler.so.94,libstdc++.so.6,libenchant-2.so.2,/lib64/ld-linux-x86-64.so.2,libdl.so.2,libexpat.so.1,libbz2.so.1.0,libXau.so.6,libXdmcp.so.6,libblkid.so.1,libdatrie.so.1,libgraphite2.so.3,libicuuc.so.65,liblzma.so.5,libjpeg.so.8,libcurl.so.4,libopenjp2.so.7,liblcms2.so.2,libtiff.so.5,libsmime3.so,libnss3.so,libnspr4.so,libgcc_s.so.1,libicudata.so.65,libnghttp2.so.14,libidn2.so.0,libssh2.so.1,libpsl.so.5,libssl.so.1.1,libcrypto.so.1.1,libgssapi_krb5.so.2,libkrb5.so.3,libk5crypto.so.3,libcom_err.so.2,libzstd.so.1,libnssutil3.so,libplds4.so,libplc4.so,libunistring.so.2,libkrb5support.so.0,libkeyutils.so.1

# seccomp --> blacklist
# seccomp.keep --> whitelist
seccomp.keep access,arch_prctl,brk,chmod,clock_gettime,clone,close,connect,dup2,eventfd2,execve,exit,exit_group,fadvise64,fallocate,fcntl,flock,fstat,fstatfs,fsync,futex,getcwd,getdents64,getegid,geteuid,getgid,getgroups,getpeername,getpid,getppid,getrandom,getresgid,getresuid,getsockname,getsockopt,getuid,ioctl,inotify_init1,inotify_add_watch,inotify_rm_watch,kill,lseek,lstat,madvise,mkdir,mmap,mprotect,munmap,openat,pipe2,poll,prctl,prlimit64,read,readlink,recvfrom,recvmsg,rename,restart_syscall,rt_sigaction,rt_sigprocmask,sendmsg,sendto,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmdt,shmget,socket,stat,statfs,times,umask,uname,unlink,wait4,write,writev
```

This prevents debugging:

```
$ firejail --join=test bash
Switching to pid 305453, the first child process inside the sandbox
Child process initialized in 19.15 ms
/usr/bin/fish: error while loading shared libraries: libncursesw.so.6: cannot open shared object file: No such file or directory
```

Disabling local configs fixed it though.
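
The failure in the last comment (fish cannot load `libncursesw.so.6`, which the `private-lib` line does not name) can be checked before joining a sandbox. The script below is an added example, not part of the issue thread or of firejail; the function names are hypothetical, the sample inputs are constructed, and it compares only against the names written in the profile.

```shell
#!/bin/sh
# Added example (not from the issue): names the shared libraries a binary
# needs that a profile's private-lib line does not list.

# private-lib entries of profile $1, one basename per line.
private_lib_entries() {
    grep -E '^[[:space:]]*private-lib[[:space:]]' "$1" |
        sed -E 's/^[[:space:]]*private-lib[[:space:]]+//' | tr ',' '\n' |
        sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//; s|.*/||' |
        grep -v '^$' | LC_ALL=C sort -u
}

# sonames in saved `ldd` output $1 (first field, directory part stripped).
ldd_sonames() {
    awk '{ n = split($1, p, "/"); if (p[n] != "") print p[n] }' "$1" |
        LC_ALL=C sort -u
}

# Libraries required per $2 (ldd output) but missing from $1 (profile).
missing_private_libs() {
    have=$(mktemp); need=$(mktemp)
    private_lib_entries "$1" > "$have"
    ldd_sonames "$2" > "$need"
    LC_ALL=C comm -13 "$have" "$need"
    rm -f "$have" "$need"
}

# Constructed sample input: private-lib abbreviated from the gummi.local in
# the issue, and made-up `ldd /usr/bin/fish` output.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/gummi.local" <<'EOF'
# gummi.local
private-bin gummi
private-lib linux-vdso.so.1,libglib-2.0.so.0,libc.so.6,libm.so.6,libstdc++.so.6,libgcc_s.so.1,/lib64/ld-linux-x86-64.so.2
EOF
    printf '\t%s\n' \
        'linux-vdso.so.1 (0x00007ffc00000000)' \
        'libncursesw.so.6 => /usr/lib/libncursesw.so.6 (0x00007f0000000000)' \
        'libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00007f0000100000)' \
        'libc.so.6 => /usr/lib/libc.so.6 (0x00007f0000200000)' \
        '/lib64/ld-linux-x86-64.so.2 (0x00007f0000300000)' > "$dir/fish.ldd"
    missing_private_libs "$dir/gummi.local" "$dir/fish.ldd"
    rm -rf "$dir"
}

demo
```

On a real system, save `ldd "$SHELL"` to a file and pass it as the second argument together with the profile or `.local` file in use.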
