[GH-ISSUE #3277] Pull request #3268 broke firejail #2057

Closed
opened 2026-05-05 08:43:38 -06:00 by gitea-mirror · 20 comments

Originally created by @corecontingency on GitHub (Mar 14, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3277

Originally assigned to: @smitsohu on GitHub.

Running any program with firejail gives this error and exits:

[user@mycomputer ~]$ chromium
Reading profile /etc/firejail/chromium.profile
Reading profile /etc/firejail/chromium-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 3388, child pid 3389
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Error fstat: fs.c:486 fs_remount_simple: Permission denied
Error: proc 3388 cannot sync with peer: unexpected EOF
Peer 3389 unexpectedly exited with status 1

Nothing is in the journal. Tested it with firejail built from commit b1d54b042f, the commit directly before pull request #3268 was merged, and everything works fine.

Running on Arch with GNOME on Xorg. Running on a btrfs filesystem on the built-in RAID1 support. Maybe it is getting confused about my btrfs subvolumes?

My fstab is here:
https://paste.ubuntu.com/p/XVpR38cHZy/

My root btrfs subvolume (subvolid=5):
https://paste.ubuntu.com/p/8nmpWw3NDK/

gitea-mirror closed this issue and added the bug label (2026-05-05 08:43:38 -06:00)

@rusty-snake commented on GitHub (Mar 14, 2020):

Confirming with a much more simple setup (ext4 root + xfs home).


@rusty-snake commented on GitHub (Mar 14, 2020):

Could break it down to noexec ${RUNUSER} in disable-exec.inc.
firejail '--ignore=noexec ${RUNUSER}' true works.


@rusty-snake commented on GitHub (Mar 14, 2020):

read-only ${RUNUSER} is also affected.


@smitsohu commented on GitHub (Mar 14, 2020):

Hm, that's an interesting error. Could you do me a favor and run

firejail --noprofile --noexec='${RUNUSER}' --debug
findmnt -R /run

and paste the output here? Thanks!


@ghost commented on GitHub (Mar 14, 2020):

I don't seem to be affected (not sure whether that's a good thing). Running Arch on ext4 shows this (https://gist.github.com/glitsj16/6bb4b8b6537f056232890f78e1a22c82) for the commands @smitsohu suggested, perhaps it can help throw some light onto this.


@rusty-snake commented on GitHub (Mar 14, 2020):

STR:

  • Download Fedora Workstation 31 https://download.fedoraproject.org/pub/fedora/linux/releases/31/Workstation/x86_64/iso/Fedora-Workstation-Live-x86_64-31-1.9.iso
  • Start it in e.g. gnome-boxes
  • sudo dnf install make
  • git clone --depth=1 https://github.com/netblue30/firejail.git
  • cd firejail
  • ./configure --prefix=/usr
  • make
  • sudo make install
  • firejail --profile=/etc/firejail/disable-exec.inc true

@rusty-snake commented on GitHub (Mar 14, 2020):

firejail --noprofile --noexec='${RUNUSER}' --debug
Autoselecting /bin/bash as shell
Command name #/bin/bash#
DISPLAY=:0 parsed as 0
Using the local network stack
Parent pid 40918, child pid 40919
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
IBUS_ADDRESS=unix:abstract=/tmp/ibus/dbus-CcwCj4dw,guid=85cfdff6cbcb0cd610b20f635e6cc5b7
IBUS_DAEMON_PID=1677
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
572 405 253:0 /etc /etc ro,relatime master:1 - ext4 /dev/mapper/live-rw rw,seclabel
mountid=572 fsname=/etc dir=/etc fstype=ext4
Mounting noexec /etc
573 572 253:0 /etc /etc ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/live-rw rw,seclabel
mountid=573 fsname=/etc dir=/etc fstype=ext4
Mounting read-only /var
576 574 0:37 / /var/tmp rw,relatime master:45 - tmpfs vartmp rw,seclabel
mountid=576 fsname=/ dir=/var/tmp fstype=tmpfs
Mounting read-only /var/lib/nfs/rpc_pipefs
577 575 0:29 / /var/lib/nfs/rpc_pipefs ro,relatime master:2 - rpc_pipefs rpc_pipefs rw
mountid=577 fsname=/ dir=/var/lib/nfs/rpc_pipefs fstype=rpc_pipefs
Mounting read-only /var/tmp
578 576 0:37 / /var/tmp ro,relatime master:45 - tmpfs vartmp rw,seclabel
mountid=578 fsname=/ dir=/var/tmp fstype=tmpfs
Mounting noexec /var
583 582 0:37 / /var/tmp ro,relatime master:45 - tmpfs vartmp rw,seclabel
mountid=583 fsname=/ dir=/var/tmp fstype=tmpfs
Mounting noexec /var/lib/nfs/rpc_pipefs
584 581 0:29 / /var/lib/nfs/rpc_pipefs ro,nosuid,nodev,noexec,relatime master:2 - rpc_pipefs rpc_pipefs rw
mountid=584 fsname=/ dir=/var/lib/nfs/rpc_pipefs fstype=rpc_pipefs
Mounting noexec /var/tmp
585 583 0:37 / /var/tmp ro,nosuid,nodev,noexec,relatime master:45 - tmpfs vartmp rw,seclabel
mountid=585 fsname=/ dir=/var/tmp fstype=tmpfs
Mounting read-only /usr
586 405 253:0 /usr /usr ro,relatime master:1 - ext4 /dev/mapper/live-rw rw,seclabel
mountid=586 fsname=/usr dir=/usr fstype=ext4
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Cleaning /run/user directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /usr/lib/modules (requested /lib/modules)
Disable /usr/lib/debug
Disable /boot
Disable /dev/port
Disable /run/user/1000/gnupg
Disable /run/user/1000/systemd
Disable /dev/kmsg
Disable /proc/kmsg
Mounting noexec /run/user/1000
679 676 0:25 /firejail/firejail.ro.dir /run/user/1000/systemd rw,nosuid,nodev master:13 - tmpfs tmpfs rw,seclabel,mode=755
mountid=679 fsname=/firejail/firejail.ro.dir dir=/run/user/1000/systemd fstype=tmpfs
Error fstat: fs.c:486 fs_remount_simple: Permission denied
Error: proc 40918 cannot sync with peer: unexpected EOF
Peer 40919 unexpectedly exited with status 1

findmnt -R /run
TARGET                  SOURCE     FSTYPE          OPTIONS
/run                    tmpfs      tmpfs           rw,nosuid,nodev,seclabel,mode=755
├─/run/initramfs/live   /dev/sr0   iso9660         ro,relatime,nojoliet,check=s,map=n,blocksize=2048
└─/run/user/1000        tmpfs      tmpfs           rw,nosuid,nodev,relatime,seclabel,size=203348k,mode=700,uid=1000,gid=1000
  └─/run/user/1000/gvfs gvfsd-fuse fuse.gvfsd-fuse rw,nosuid,nodev,relatime,user_id=1000,group_id=1000

@smitsohu commented on GitHub (Mar 14, 2020):

@glitsj16 Thanks for the confirmation, I've used this patch for a couple of weeks, it's been fine for me as well so far.

@rusty-snake Does this work?
firejail --noprofile --blacklist='${RUNUSER}/gvfs' --noexec='${RUNUSER}'


@smitsohu commented on GitHub (Mar 14, 2020):

Suspecting either FUSE or SELinux to be the culprit here. The problem is I'm temporarily in a situation where my machine is too weak to set up a VM 😢

I guess I need to revert the merge.


@rusty-snake commented on GitHub (Mar 14, 2020):

> @rusty-snake Does this work?
> firejail --noprofile --blacklist='${RUNUSER}/gvfs' --noexec='${RUNUSER}'

Yes.

> Suspecting either FUSE or SELinux to be the culprit here.

SELinux would create some logs.

> The problem is I'm temporarily in a situation where my machine is too weak to set up a VM

IDK if it is helpful, but the live-system (e.g. over USB) is enough.


@smitsohu commented on GitHub (Mar 14, 2020):

> > Does this work?
> > firejail --noprofile --blacklist='${RUNUSER}/gvfs' --noexec='${RUNUSER}'
>
> Yes.

Thanks. This is FUSE. I'll try to add a workaround.


@corecontingency commented on GitHub (Mar 14, 2020):

Late to the party, but here you go:

firejail --noprofile --noexec='${RUNUSER}' --debug: https://paste.ubuntu.com/p/2NV6sksXBb/

findmnt -R /run: https://paste.ubuntu.com/p/nwdSTTckNS/

> @rusty-snake Does this work?
> firejail --noprofile --blacklist='${RUNUSER}/gvfs' --noexec='${RUNUSER}'

This does not work for me.

[user@mycomputer ~]$ firejail --noprofile --blacklist='${RUNUSER}/gvfs' --noexec='${RUNUSER}'
Parent pid 3125, child pid 3126
Error fstat: fs.c:486 fs_remount_simple: Permission denied
Error: proc 3125 cannot sync with peer: unexpected EOF
Peer 3126 unexpectedly exited with status 1

> Suspecting either FUSE or SELinux to be the culprit here.

I do not have SELinux installed/enabled on my system, although AppArmor is.


@rusty-snake commented on GitHub (Mar 14, 2020):

Can you try this.
firejail --noprofile --blacklist='${RUNUSER}/gvfs' --blacklist='${RUNUSER}/doc' --noexec='${RUNUSER}'


@corecontingency commented on GitHub (Mar 14, 2020):

> Can you try this.
> firejail --noprofile --blacklist='${RUNUSER}/gvfs' --blacklist='${RUNUSER}/doc' --noexec='${RUNUSER}'

That worked.

[user@mycomputer ~]$ firejail --noprofile --blacklist='${RUNUSER}/gvfs' --blacklist='${RUNUSER}/doc' --noexec='${RUNUSER}'
Parent pid 3911, child pid 3912
Child process initialized in 10.54 ms

@rusty-snake commented on GitHub (Mar 14, 2020):

temporary workarounds ATM:

  • git checkout b1d54b042fba798fd54037c403bc188c6ffd9240
  • disable-exec.local: ignore noexec ${RUNUSER}
  • disable-exec.local: blacklist ${RUNUSER}/gvfs and other fuse mounts in ${RUNUSER}
  • disable all fuse mounts in ${RUNUSER}
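
The blacklist workarounds above depend on knowing which mounts below ${RUNUSER} are FUSE. The following is an added example, not firejail's code and not posted by anyone in this thread: it parses text in /proc/self/mountinfo format (the format of the mount lines in the --debug output) and lists FUSE mounts under a directory. The sample data, the fuse.portal type for the doc mount, and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in /proc/self/mountinfo format, modelled on the findmnt
 * output in this thread. Mount IDs, device numbers and the fuse.portal type
 * are assumptions made for the example. */
static const char SAMPLE_MOUNTINFO[] =
    "24 1 0:23 / /run rw,nosuid,nodev shared:11 - tmpfs tmpfs rw,mode=755\n"
    "96 24 0:45 / /run/user/1000 rw,nosuid,nodev shared:60 - tmpfs tmpfs rw,mode=700\n"
    "97 96 0:46 / /run/user/1000/gvfs rw,nosuid,nodev shared:61 - fuse.gvfsd-fuse gvfsd-fuse rw,user_id=1000\n"
    "98 96 0:47 / /run/user/1000/doc rw,nosuid,nodev shared:62 - fuse.portal portal rw,user_id=1000\n"
    "99 1 0:48 / /run/user/1000x/gvfs rw - fuse.gvfsd-fuse gvfsd-fuse rw\n";

/* FUSE file systems report "fuse", "fuseblk" or "fuse.<subtype>".
 * "fusectl" is the kernel control file system, not a FUSE mount. */
static int is_fuse(const char *fstype)
{
    return strcmp(fstype, "fuse") == 0 || strcmp(fstype, "fuseblk") == 0 ||
           strncmp(fstype, "fuse.", 5) == 0;
}

/* True if mnt lies strictly below dir ("/run/user/1000x" is not below
 * "/run/user/1000"). */
static int is_below(const char *mnt, const char *dir)
{
    size_t n = strlen(dir);
    return strncmp(mnt, dir, n) == 0 && mnt[n] == '/';
}

/* Copy the mount points of all FUSE mounts below dir into out and return
 * how many were stored (at most max_out). */
int find_fuse_mounts(const char *mountinfo, const char *dir,
                     char out[][256], int max_out)
{
    int found = 0;
    for (const char *p = mountinfo; *p; ) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[1024], mnt[256], fstype[64];
        if (len < sizeof line) {
            memcpy(line, p, len);
            line[len] = '\0';
            /* Field 5 is the mount point; the fstype follows the " - "
             * separator that ends the optional fields. */
            const char *sep = strstr(line, " - ");
            if (sep && sscanf(line, "%*d %*d %*s %*s %255s", mnt) == 1 &&
                sscanf(sep + 3, "%63s", fstype) == 1 &&
                is_fuse(fstype) && is_below(mnt, dir) && found < max_out)
                strcpy(out[found++], mnt);
        }
        p += len + (eol ? 1 : 0);
    }
    return found;
}

int main(void)
{
    char hits[8][256];
    int n = find_fuse_mounts(SAMPLE_MOUNTINFO, "/run/user/1000", hits, 8);
    for (int i = 0; i < n; i++)
        printf("FUSE mount: %s\n", hits[i]);
    return 0;
}
```

On a live system, pass it the contents of /proc/self/mountinfo; each path it reports is a candidate for the blacklist workaround listed above.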

@Fred-Barclay commented on GitHub (Mar 14, 2020):

Can confirm this is an issue in Debian 10 (kernel 5.4 series from backports).

For my case, firejail --blacklist='${RUNUSER}/gvfs' <program_name> is good enough...


@smitsohu commented on GitHub (Mar 14, 2020):

Could someone confirm it is fixed in 3d35c039074cc11fbacf8de5bc8cb1a0952ceae4 ?


@smitsohu commented on GitHub (Mar 14, 2020):

For the record: We can always open FUSE mounts with O_PATH, but we are not always allowed to call fstat on the obtained file descriptor.


@corecontingency commented on GitHub (Mar 14, 2020):

Seems to work, at least so far! I opened up several programs, and even a steam game.

Thanks!


@smitsohu commented on GitHub (Mar 14, 2020):

Thanks for the patience everyone, I'm going to improve the fix at a later timepoint (if not someone else does)

Reference: github-starred/firejail#2057