[GH-ISSUE #3302] Tor Browser exits during startup #2072

Closed
opened 2026-05-05 08:44:27 -06:00 by gitea-mirror · 2 comments

Originally created by @kmotoko on GitHub (Mar 27, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3302

Summary
On Debian 10, the recommended way to install Tor Browser Bundle (TBB) is via torbrowser-launcher in backports (see https://wiki.debian.org/TorBrowser). Upon first run, it downloads the Tor Browser with no problem (when running under firejail). However, when I try to start TBB, it says "Tor unexpectedly exited". Running TBB with firejail --noprofile torbrowser-launcher works.

Firejail version

xxx@xxx:~$ firejail --version
firejail version 0.9.58.2

Compile time support:
	- AppArmor support is enabled
	- AppImage support is enabled
	- chroot support is enabled
	- file and directory whitelisting support is enabled
	- file transfer support is enabled
	- networking support is enabled
	- overlayfs support is enabled
	- private-home support is enabled
	- seccomp-bpf support is enabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled

Firejail Profile
The default profile (plus, torbrowser-launcher.local does not exist). I have a globals.local, but the 2 entries there just blacklist private folders, which are completely irrelevant to the issue.

OS Version

xxx@xxx:~$ uname --all
Linux xxx 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64 GNU/Linux

Tor Browser Launcher Version

xxx@xxx:~$ dpkg --list | grep torbrowser
ii  torbrowser-launcher                     0.3.2-7~bpo10+1                              amd64        helps download and run the Tor Browser Bundle

Firejail Debug Output

xxx@xxx:~$ firejail --debug torbrowser-launcher
Autoselecting /bin/bash as shell
Building quoted command line: 'torbrowser-launcher' 
Command name #torbrowser-launcher#
Found torbrowser-launcher.profile profile in /etc/firejail directory
Reading profile /etc/firejail/torbrowser-launcher.profile
Found globals.local profile in /etc/firejail directory
Reading profile /etc/firejail/globals.local
Found disable-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-common.inc
Found disable-devel.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-devel.inc
Found disable-interpreters.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-interpreters.inc
Found disable-passwdmgr.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-passwdmgr.inc
Found disable-programs.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-programs.inc
Found disable-xdg.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-xdg.inc
Found whitelist-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/whitelist-common.inc
Found whitelist-var-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
DISPLAY=:0 parsed as 0
Using the local network stack
Parent pid 23532, child pid 23533
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Build protocol filter: unix,inet,inet6
sbox run: /run/firejail/lib/fseccomp protocol build unix,inet,inet6 /run/firejail/mnt/seccomp/seccomp.protocol (null) 
Dropping all capabilities
Drop privileges: pid 2, uid 1000, gid 1000, nogroups 1
No supplementary groups
Basic read-only filesystem:
Mounting read-only /etc
Mounting noexec /etc
Mounting read-only /var
Mounting noexec /var
Mounting read-only /bin
Mounting read-only /sbin
Mounting read-only /lib
Mounting read-only /lib64
Mounting read-only /lib32
Mounting read-only /libx32
Mounting read-only /usr
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /var/lib/dhcp
Mounting tmpfs on /var/lib/snmp
Mounting tmpfs on /var/lib/sudo
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Cleaning /run/user directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/x11
Mounting tmpfs on /dev
mounting /run/firejail/mnt/dev/snd directory
mounting /run/firejail/mnt/dev/dri directory
Process /dev/shm directory
Copying files in the new /etc directory:
copying /etc/fonts to private /etc
Creating empty /run/firejail/mnt/etc/fonts directory
sbox run: /run/firejail/lib/fcopy /etc/fonts /run/firejail/mnt/etc/fonts (null) 
copying /etc/hostname to private /etc
sbox run: /run/firejail/lib/fcopy /etc/hostname /run/firejail/mnt/etc (null) 
copying /etc/hosts to private /etc
sbox run: /run/firejail/lib/fcopy /etc/hosts /run/firejail/mnt/etc (null) 
copying /etc/resolv.conf to private /etc
sbox run: /run/firejail/lib/fcopy /etc/resolv.conf /run/firejail/mnt/etc (null) 
copying /etc/pki to private /etc
Creating empty /run/firejail/mnt/etc/pki directory
sbox run: /run/firejail/lib/fcopy /etc/pki /run/firejail/mnt/etc/pki (null) 
copying /etc/ssl to private /etc
Creating empty /run/firejail/mnt/etc/ssl directory
sbox run: /run/firejail/lib/fcopy /etc/ssl /run/firejail/mnt/etc/ssl (null) 
copying /etc/ca-certificates to private /etc
Creating empty /run/firejail/mnt/etc/ca-certificates directory
sbox run: /run/firejail/lib/fcopy /etc/ca-certificates /run/firejail/mnt/etc/ca-certificates (null) 
Warning: file /etc/crypto-policies not found.
Warning: skipping crypto-policies for private /etc
copying /etc/alsa to private /etc
Creating empty /run/firejail/mnt/etc/alsa directory
sbox run: /run/firejail/lib/fcopy /etc/alsa /run/firejail/mnt/etc/alsa (null) 
Warning: file /etc/asound.conf not found.
Warning: skipping asound.conf for private /etc
copying /etc/pulse to private /etc
Creating empty /run/firejail/mnt/etc/pulse directory
sbox run: /run/firejail/lib/fcopy /etc/pulse /run/firejail/mnt/etc/pulse (null) 
copying /etc/machine-id to private /etc
sbox run: /run/firejail/lib/fcopy /etc/machine-id /run/firejail/mnt/etc (null) 
copying /etc/ld.so.cache to private /etc
sbox run: /run/firejail/lib/fcopy /etc/ld.so.cache /run/firejail/mnt/etc (null) 
Mount-bind /run/firejail/mnt/etc on top of /etc
Private /etc installed in 21.13 ms
Creating an empty /etc/ld.so.preload file
Copying files in the new bin directory
Checking /usr/local/bin/bash
Checking /usr/bin/bash
sbox run: /run/firejail/lib/fcopy /usr/bin/bash /run/firejail/mnt/bin (null) 
Checking /usr/local/bin/cp
Checking /usr/bin/cp
sbox run: /run/firejail/lib/fcopy /usr/bin/cp /run/firejail/mnt/bin (null) 
Checking /usr/local/bin/dirname
Checking /usr/bin/dirname
sbox run: /run/firejail/lib/fcopy /usr/bin/dirname /run/firejail/mnt/bin (null) 
Checking /usr/local/bin/env
Checking /usr/bin/env
sbox run: /run/firejail/lib/fcopy /usr/bin/env /run/firejail/mnt/bin (null) 
Checking /usr/local/bin/expr
Checking /usr/bin/expr
sbox run: /run/firejail/lib/fcopy /usr/bin/expr /run/firejail/mnt/bin (null) 
Checking /usr/local/bin/file
Checking /usr/bin/file
sbox run: /run/firejail/lib/fcopy /usr/bin/file /run/firejail/mnt/bin (null) 
Checking /usr/local/bin/getconf
Checking /usr/bin/getconf
sbox run: /run/firejail/lib/fcopy /usr/bin/getconf /run/firejail/mnt/bin (null) 
Checking /usr/local/bin/gpg
Checking /usr/bin/gpg
sbox run: /run/firejail/lib/fcopy /usr/bin/gpg /run/firejail/mnt/bin (null) 
Checking /usr/local/bin/grep
Checking /usr/bin/grep
sbox run: /run/firejail/lib/fcopy /usr/bin/grep /run/firejail/mnt/bin (null) 
Checking /usr/local/bin/id
Checking /usr/bin/id
sbox run: /run/firejail/lib/fcopy /usr/bin/id /run/firejail/mnt/bin (null) 
Checking /usr/local/bin/ln
Checking /usr/bin/ln
sbox run: /run/firejail/lib/fcopy /usr/bin/ln /run/firejail/mnt/bin (null) 
Checking /usr/local/bin/mkdir
Checking /usr/bin/mkdir
sbox run: /run/firejail/lib/fcopy /usr/bin/mkdir /run/firejail/mnt/bin (null) 
sbox run: /run/firejail/lib/fcopy /usr/bin/python3.7m /run/firejail/mnt/bin (null) 
sbox run: /run/firejail/lib/fcopy /usr/bin/x86_64-linux-gnu-python3.7m-config /run/firejail/mnt/bin (null) 
sbox run: /run/firejail/lib/fcopy /usr/bin/python3-config /run/firejail/mnt/bin (null) 
sbox run: /run/firejail/lib/fcopy /usr/bin/x86_64-linux-gnu-python3.7m-config /run/firejail/mnt/bin (null) 
sbox run: /run/firejail/lib/fcopy /usr/bin/python3m-config /run/firejail/mnt/bin (null) 
sbox run: /run/firejail/lib/fcopy /usr/bin/python2.7 /run/firejail/mnt/bin (null) 
sbox run: /run/firejail/lib/fcopy /usr/bin/python /run/firejail/mnt/bin (null) 
sbox run: /run/firejail/lib/fcopy /usr/bin/python3.7 /run/firejail/mnt/bin (null) 
sbox run: /run/firejail/lib/fcopy /usr/bin/python3 /run/firejail/mnt/bin (null) 
sbox run: /run/firejail/lib/fcopy /usr/bin/python2.7 /run/firejail/mnt/bin (null) 
sbox run: /run/firejail/lib/fcopy /usr/bin/python2 /run/firejail/mnt/bin (null) 
sbox run: /run/firejail/lib/fcopy /usr/bin/python3.7m /run/firejail/mnt/bin (null) 
sbox run: /run/firejail/lib/fcopy /usr/bin/python3m /run/firejail/mnt/bin (null) 
sbox run: /run/firejail/lib/fcopy /usr/bin/python2.7 /run/firejail/mnt/bin (null) 
sbox run: /run/firejail/lib/fcopy /usr/bin/x86_64-linux-gnu-python3.7m-config /run/firejail/mnt/bin (null) 
sbox run: /run/firejail/lib/fcopy /usr/bin/python3.7-config /run/firejail/mnt/bin (null) 
sbox run: /run/firejail/lib/fcopy /usr/bin/x86_64-linux-gnu-python3.7m-config /run/firejail/mnt/bin (null) 
sbox run: /run/firejail/lib/fcopy /usr/bin/python3.7m-config /run/firejail/mnt/bin (null) 
sbox run: /run/firejail/lib/fcopy /usr/bin/python3.7 /run/firejail/mnt/bin (null) 
sbox run: /run/firejail/lib/fcopy /bin/python3.7m /run/firejail/mnt/bin (null) 
sbox run: /run/firejail/lib/fcopy /usr/bin/x86_64-linux-gnu-python3.7m-config /run/firejail/mnt/bin (null) 
sbox run: /run/firejail/lib/fcopy /bin/python3-config /run/firejail/mnt/bin (null) 
sbox run: /run/firejail/lib/fcopy /usr/bin/x86_64-linux-gnu-python3.7m-config /run/firejail/mnt/bin (null) 
sbox run: /run/firejail/lib/fcopy /bin/python3m-config /run/firejail/mnt/bin (null) 
sbox run: /run/firejail/lib/fcopy /usr/bin/python2.7 /run/firejail/mnt/bin (null) 
sbox run: /run/firejail/lib/fcopy /bin/python /run/firejail/mnt/bin (null) 
sbox run: /run/firejail/lib/fcopy /usr/bin/python3.7 /run/firejail/mnt/bin (null) 
sbox run: /run/firejail/lib/fcopy /bin/python3 /run/firejail/mnt/bin (null) 
sbox run: /run/firejail/lib/fcopy /usr/bin/python2.7 /run/firejail/mnt/bin (null) 
sbox run: /run/firejail/lib/fcopy /bin/python2 /run/firejail/mnt/bin (null) 
sbox run: /run/firejail/lib/fcopy /usr/bin/python3.7m /run/firejail/mnt/bin (null) 
sbox run: /run/firejail/lib/fcopy /bin/python3m /run/firejail/mnt/bin (null) 
sbox run: /run/firejail/lib/fcopy /bin/python2.7 /run/firejail/mnt/bin (null) 
sbox run: /run/firejail/lib/fcopy /usr/bin/x86_64-linux-gnu-python3.7m-config /run/firejail/mnt/bin (null) 
sbox run: /run/firejail/lib/fcopy /bin/python3.7-config /run/firejail/mnt/bin (null) 
sbox run: /run/firejail/lib/fcopy /usr/bin/x86_64-linux-gnu-python3.7m-config /run/firejail/mnt/bin (null) 
sbox run: /run/firejail/lib/fcopy /bin/python3.7m-config /run/firejail/mnt/bin (null) 
sbox run: /run/firejail/lib/fcopy /bin/python3.7 /run/firejail/mnt/bin (null) 
Checking /usr/local/bin/readlink
Checking /usr/bin/readlink
sbox run: /run/firejail/lib/fcopy /usr/bin/readlink /run/firejail/mnt/bin (null) 
Checking /usr/local/bin/rm
Checking /usr/bin/rm
sbox run: /run/firejail/lib/fcopy /usr/bin/rm /run/firejail/mnt/bin (null) 
Checking /usr/local/bin/sed
Checking /usr/bin/sed
sbox run: /run/firejail/lib/fcopy /usr/bin/sed /run/firejail/mnt/bin (null) 
Checking /usr/local/bin/sh
Checking /usr/bin/sh
sbox run: /run/firejail/lib/fcopy /usr/bin/dash /run/firejail/mnt/bin (null) 
sbox run: /run/firejail/lib/fcopy /usr/bin/sh /run/firejail/mnt/bin (null) 
Checking /usr/local/bin/tail
Checking /usr/bin/tail
sbox run: /run/firejail/lib/fcopy /usr/bin/tail /run/firejail/mnt/bin (null) 
Checking /usr/local/bin/tar
Checking /usr/bin/tar
sbox run: /run/firejail/lib/fcopy /usr/bin/tar /run/firejail/mnt/bin (null) 
Checking /usr/local/bin/tclsh
Checking /usr/bin/tclsh
sbox run: /run/firejail/lib/fcopy /usr/bin/tclsh8.6 /run/firejail/mnt/bin (null) 
sbox run: /run/firejail/lib/fcopy /usr/bin/tclsh /run/firejail/mnt/bin (null) 
Checking /usr/local/bin/test
Checking /usr/bin/test
sbox run: /run/firejail/lib/fcopy /usr/bin/test /run/firejail/mnt/bin (null) 
Checking /usr/local/bin/tor-browser-en
Checking /usr/bin/tor-browser-en
Checking /bin/tor-browser-en
Checking /usr/games/tor-browser-en
Checking /usr/local/games/tor-browser-en
Checking /usr/local/sbin/tor-browser-en
Checking /usr/sbin/tor-browser-en
Checking /sbin/tor-browser-en
Warning: file tor-browser-en not found
Checking /usr/local/bin/torbrowser-launcher
firejail exec symlink detected
Checking /usr/bin/torbrowser-launcher
sbox run: /run/firejail/lib/fcopy /usr/bin/torbrowser-launcher /run/firejail/mnt/bin (null) 
Checking /usr/local/bin/xz
Checking /usr/bin/xz
sbox run: /run/firejail/lib/fcopy /usr/bin/xz /run/firejail/mnt/bin (null) 
Mount-bind /run/firejail/mnt/bin on top of /usr/local/bin
Mount-bind /run/firejail/mnt/bin on top of /usr/bin
Mount-bind /run/firejail/mnt/bin on top of /bin
Mount-bind /run/firejail/mnt/bin on top of /usr/games
Mount-bind /run/firejail/mnt/bin on top of /usr/local/games
Mount-bind /run/firejail/mnt/bin on top of /usr/local/sbin
Mount-bind /run/firejail/mnt/bin on top of /usr/sbin
Mount-bind /run/firejail/mnt/bin on top of /sbin
62 programs installed in 89.91 ms
blacklist /run/user/1000/bus
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Remounting /proc and /proc/sys filesystems
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /usr/lib/modules (requested /lib/modules)
Disable /boot
Disable /run/user/1000/gnupg
Disable /run/user/1000/systemd
Disable /proc/kmsg
Debug 398: new_name #/home/xxx/Documents/private#, nowhitelist
Storing nowhitelist /home/xxx/Documents/private
Directory ${DOWNLOADS} resolved as Downloads
Debug 398: new_name #/home/xxx/Downloads#, whitelist
Debug 504: fname #/home/xxx/Downloads#, cfg.homedir #/home/xxx#
Replaced whitelist path: whitelist /home/xxx/Downloads
Debug 398: new_name #/home/xxx/.config/torbrowser#, whitelist
Debug 504: fname #/home/xxx/.config/torbrowser#, cfg.homedir #/home/xxx#
Replaced whitelist path: whitelist /home/xxx/.config/torbrowser
Debug 398: new_name #/home/xxx/.local/share/torbrowser#, whitelist
Debug 504: fname #/home/xxx/.local/share/torbrowser#, cfg.homedir #/home/xxx#
Replaced whitelist path: whitelist /home/xxx/.local/share/torbrowser
Debug 398: new_name #/home/xxx/.XCompose#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.XCompose
	expanded: /home/xxx/.XCompose
	real path: (null)
	realpath: No such file or directory
Debug 398: new_name #/home/xxx/.asoundrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.asoundrc
	expanded: /home/xxx/.asoundrc
	real path: (null)
	realpath: No such file or directory
Debug 398: new_name #/home/xxx/.config/ibus#, whitelist
Debug 504: fname #/home/xxx/.config/ibus#, cfg.homedir #/home/xxx#
Replaced whitelist path: whitelist /home/xxx/.config/ibus
Debug 398: new_name #/home/xxx/.config/mimeapps.list#, whitelist
Debug 504: fname #/home/xxx/.config/mimeapps.list#, cfg.homedir #/home/xxx#
Replaced whitelist path: whitelist /home/xxx/.config/mimeapps.list
Debug 398: new_name #/home/xxx/.config/pkcs11#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/pkcs11
	expanded: /home/xxx/.config/pkcs11
	real path: (null)
	realpath: No such file or directory
Debug 398: new_name #/home/xxx/.config/user-dirs.dirs#, whitelist
Debug 504: fname #/home/xxx/.config/user-dirs.dirs#, cfg.homedir #/home/xxx#
Replaced whitelist path: whitelist /home/xxx/.config/user-dirs.dirs
Debug 398: new_name #/home/xxx/.drirc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.drirc
	expanded: /home/xxx/.drirc
	real path: (null)
	realpath: No such file or directory
Debug 398: new_name #/home/xxx/.icons#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.icons
	expanded: /home/xxx/.icons
	real path: (null)
	realpath: No such file or directory
Debug 398: new_name #/home/xxx/.local/share/applications#, whitelist
Debug 504: fname #/home/xxx/.local/share/applications#, cfg.homedir #/home/xxx#
Replaced whitelist path: whitelist /home/xxx/.local/share/applications
Debug 398: new_name #/home/xxx/.local/share/icons#, whitelist
Debug 504: fname #/home/xxx/.local/share/icons#, cfg.homedir #/home/xxx#
Replaced whitelist path: whitelist /home/xxx/.local/share/icons
Debug 398: new_name #/home/xxx/.local/share/mime#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.local/share/mime
	expanded: /home/xxx/.local/share/mime
	real path: (null)
	realpath: No such file or directory
Debug 398: new_name #/home/xxx/.mime.types#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.mime.types
	expanded: /home/xxx/.mime.types
	real path: (null)
	realpath: No such file or directory
Debug 398: new_name #/home/xxx/.config/dconf#, whitelist
Debug 504: fname #/home/xxx/.config/dconf#, cfg.homedir #/home/xxx#
Replaced whitelist path: whitelist /home/xxx/.config/dconf
Debug 398: new_name #/home/xxx/.cache/fontconfig#, whitelist
Debug 504: fname #/home/xxx/.cache/fontconfig#, cfg.homedir #/home/xxx#
Replaced whitelist path: whitelist /home/xxx/.cache/fontconfig
Debug 398: new_name #/home/xxx/.config/fontconfig#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/fontconfig
	expanded: /home/xxx/.config/fontconfig
	real path: (null)
	realpath: No such file or directory
Debug 398: new_name #/home/xxx/.fontconfig#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.fontconfig
	expanded: /home/xxx/.fontconfig
	real path: (null)
	realpath: No such file or directory
Debug 398: new_name #/home/xxx/.fonts#, whitelist
Debug 504: fname #/home/xxx/.fonts#, cfg.homedir #/home/xxx#
Replaced whitelist path: whitelist /home/xxx/.fonts
Debug 398: new_name #/home/xxx/.fonts.conf#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.fonts.conf
	expanded: /home/xxx/.fonts.conf
	real path: (null)
	realpath: No such file or directory
Debug 398: new_name #/home/xxx/.fonts.conf.d#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.fonts.conf.d
	expanded: /home/xxx/.fonts.conf.d
	real path: (null)
	realpath: No such file or directory
Debug 398: new_name #/home/xxx/.fonts.d#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.fonts.d
	expanded: /home/xxx/.fonts.d
	real path: (null)
	realpath: No such file or directory
Debug 398: new_name #/home/xxx/.local/share/fonts#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.local/share/fonts
	expanded: /home/xxx/.local/share/fonts
	real path: (null)
	realpath: No such file or directory
Debug 398: new_name #/home/xxx/.pangorc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.pangorc
	expanded: /home/xxx/.pangorc
	real path: (null)
	realpath: No such file or directory
Debug 398: new_name #/home/xxx/.config/gtk-2.0#, whitelist
Debug 504: fname #/home/xxx/.config/gtk-2.0#, cfg.homedir #/home/xxx#
Replaced whitelist path: whitelist /home/xxx/.config/gtk-2.0
Debug 398: new_name #/home/xxx/.config/gtk-3.0#, whitelist
Debug 504: fname #/home/xxx/.config/gtk-3.0#, cfg.homedir #/home/xxx#
Replaced whitelist path: whitelist /home/xxx/.config/gtk-3.0
Debug 398: new_name #/home/xxx/.config/gtkrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/gtkrc
	expanded: /home/xxx/.config/gtkrc
	real path: (null)
	realpath: No such file or directory
Debug 398: new_name #/home/xxx/.config/gtkrc-2.0#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/gtkrc-2.0
	expanded: /home/xxx/.config/gtkrc-2.0
	real path: (null)
	realpath: No such file or directory
Debug 398: new_name #/home/xxx/.gnome2#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.gnome2
	expanded: /home/xxx/.gnome2
	real path: (null)
	realpath: No such file or directory
Debug 398: new_name #/home/xxx/.gnome2-private#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.gnome2-private
	expanded: /home/xxx/.gnome2-private
	real path: (null)
	realpath: No such file or directory
Debug 398: new_name #/home/xxx/.gtk-2.0#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.gtk-2.0
	expanded: /home/xxx/.gtk-2.0
	real path: (null)
	realpath: No such file or directory
Debug 398: new_name #/home/xxx/.gtkrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.gtkrc
	expanded: /home/xxx/.gtkrc
	real path: (null)
	realpath: No such file or directory
Debug 398: new_name #/home/xxx/.gtkrc-2.0#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.gtkrc-2.0
	expanded: /home/xxx/.gtkrc-2.0
	real path: (null)
	realpath: No such file or directory
Debug 398: new_name #/home/xxx/.kde/share/config/gtkrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/gtkrc
	expanded: /home/xxx/.kde/share/config/gtkrc
	real path: (null)
	realpath: No such file or directory
Debug 398: new_name #/home/xxx/.kde/share/config/gtkrc-2.0#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/gtkrc-2.0
	expanded: /home/xxx/.kde/share/config/gtkrc-2.0
	real path: (null)
	realpath: No such file or directory
Debug 398: new_name #/home/xxx/.kde4/share/config/gtkrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/gtkrc
	expanded: /home/xxx/.kde4/share/config/gtkrc
	real path: (null)
	realpath: No such file or directory
Debug 398: new_name #/home/xxx/.kde4/share/config/gtkrc-2.0#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/gtkrc-2.0
	expanded: /home/xxx/.kde4/share/config/gtkrc-2.0
	real path: (null)
	realpath: No such file or directory
Debug 398: new_name #/home/xxx/.local/share/themes#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.local/share/themes
	expanded: /home/xxx/.local/share/themes
	real path: (null)
	realpath: No such file or directory
Debug 398: new_name #/home/xxx/.themes#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.themes
	expanded: /home/xxx/.themes
	real path: (null)
	realpath: No such file or directory
Debug 398: new_name #/home/xxx/.cache/kioexec/krun#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.cache/kioexec/krun
	expanded: /home/xxx/.cache/kioexec/krun
	real path: (null)
	realpath: No such file or directory
Debug 398: new_name #/home/xxx/.config/Kvantum#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/Kvantum
	expanded: /home/xxx/.config/Kvantum
	real path: (null)
	realpath: No such file or directory
Debug 398: new_name #/home/xxx/.config/Trolltech.conf#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/Trolltech.conf
	expanded: /home/xxx/.config/Trolltech.conf
	real path: (null)
	realpath: No such file or directory
Debug 398: new_name #/home/xxx/.config/kdeglobals#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/kdeglobals
	expanded: /home/xxx/.config/kdeglobals
	real path: (null)
	realpath: No such file or directory
Debug 398: new_name #/home/xxx/.config/kio_httprc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/kio_httprc
	expanded: /home/xxx/.config/kio_httprc
	real path: (null)
	realpath: No such file or directory
Debug 398: new_name #/home/xxx/.config/kioslaverc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/kioslaverc
	expanded: /home/xxx/.config/kioslaverc
	real path: (null)
	realpath: No such file or directory
Debug 398: new_name #/home/xxx/.config/ksslcablacklist#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/ksslcablacklist
	expanded: /home/xxx/.config/ksslcablacklist
	real path: (null)
	realpath: No such file or directory
Debug 398: new_name #/home/xxx/.config/qt5ct#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/qt5ct
	expanded: /home/xxx/.config/qt5ct
	real path: (null)
	realpath: No such file or directory
Debug 398: new_name #/home/xxx/.kde/share/config/kdeglobals#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/kdeglobals
	expanded: /home/xxx/.kde/share/config/kdeglobals
	real path: (null)
	realpath: No such file or directory
Debug 398: new_name #/home/xxx/.kde/share/config/kio_httprc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/kio_httprc
	expanded: /home/xxx/.kde/share/config/kio_httprc
	real path: (null)
	realpath: No such file or directory
Debug 398: new_name #/home/xxx/.kde/share/config/kioslaverc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/kioslaverc
	expanded: /home/xxx/.kde/share/config/kioslaverc
	real path: (null)
	realpath: No such file or directory
Debug 398: new_name #/home/xxx/.kde/share/config/ksslcablacklist#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/ksslcablacklist
	expanded: /home/xxx/.kde/share/config/ksslcablacklist
	real path: (null)
	realpath: No such file or directory
Debug 398: new_name #/home/xxx/.kde/share/config/oxygenrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/oxygenrc
	expanded: /home/xxx/.kde/share/config/oxygenrc
	real path: (null)
	realpath: No such file or directory
Debug 398: new_name #/home/xxx/.kde/share/icons#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/icons
	expanded: /home/xxx/.kde/share/icons
	real path: (null)
	realpath: No such file or directory
Debug 398: new_name #/home/xxx/.kde4/share/config/kdeglobals#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/kdeglobals
	expanded: /home/xxx/.kde4/share/config/kdeglobals
	real path: (null)
	realpath: No such file or directory
Debug 398: new_name #/home/xxx/.kde4/share/config/kio_httprc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/kio_httprc
	expanded: /home/xxx/.kde4/share/config/kio_httprc
	real path: (null)
	realpath: No such file or directory
Debug 398: new_name #/home/xxx/.kde4/share/config/kioslaverc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/kioslaverc
	expanded: /home/xxx/.kde4/share/config/kioslaverc
	real path: (null)
	realpath: No such file or directory
Debug 398: new_name #/home/xxx/.kde4/share/config/ksslcablacklist#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/ksslcablacklist
	expanded: /home/xxx/.kde4/share/config/ksslcablacklist
	real path: (null)
	realpath: No such file or directory
Debug 398: new_name #/home/xxx/.kde4/share/config/oxygenrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/oxygenrc
	expanded: /home/xxx/.kde4/share/config/oxygenrc
	real path: (null)
	realpath: No such file or directory
Debug 398: new_name #/home/xxx/.kde4/share/icons#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/icons
	expanded: /home/xxx/.kde4/share/icons
	real path: (null)
	realpath: No such file or directory
Debug 398: new_name #/home/xxx/.local/share/qt5ct#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.local/share/qt5ct
	expanded: /home/xxx/.local/share/qt5ct
	real path: (null)
	realpath: No such file or directory
Debug 398: new_name #/var/lib/dbus#, whitelist
Debug 398: new_name #/var/lib/menu-xdg#, whitelist
Removed whitelist/nowhitelist path: whitelist /var/lib/menu-xdg
	expanded: /var/lib/menu-xdg
	real path: (null)
	realpath: No such file or directory
Debug 398: new_name #/var/cache/fontconfig#, whitelist
Debug 398: new_name #/var/tmp#, whitelist
Debug 398: new_name #/var/run#, whitelist
Replaced whitelist path: whitelist /run
Debug 398: new_name #/var/lock#, whitelist
Replaced whitelist path: whitelist /run/lock
Debug 398: new_name #/tmp/.X11-unix#, whitelist
Debug 398: new_name #/tmp/pulse-PKdhtXMmr18n#, whitelist
Mounting a new /home directory
Mounting a new /root directory
Create a new user directory
Mounting tmpfs on /tmp directory
Mounting tmpfs on /var directory
Whitelisting /home/xxx/Downloads
1744 1731 254:7 /xxx/Downloads /home/xxx/Downloads rw,nosuid,nodev,relatime master:63 - ext4 /dev/mapper/xxx-home rw
mountid=1744 fsname=/xxx/Downloads dir=/home/xxx/Downloads fstype=ext4
Whitelisting /home/xxx/.config/torbrowser
1745 1731 254:7 /xxx/.config/torbrowser /home/xxx/.config/torbrowser rw,nosuid,nodev,relatime master:63 - ext4 /dev/mapper/xxx-home rw
mountid=1745 fsname=/xxx/.config/torbrowser dir=/home/xxx/.config/torbrowser fstype=ext4
Whitelisting /home/xxx/.local/share/torbrowser
1746 1731 254:7 /xxx/.local/share/torbrowser /home/xxx/.local/share/torbrowser rw,nosuid,nodev,relatime master:63 - ext4 /dev/mapper/xxx-home rw
mountid=1746 fsname=/xxx/.local/share/torbrowser dir=/home/xxx/.local/share/torbrowser fstype=ext4
Whitelisting /home/xxx/.config/ibus
1747 1731 254:7 /xxx/.config/ibus /home/xxx/.config/ibus rw,nosuid,nodev,relatime master:63 - ext4 /dev/mapper/xxx-home rw
mountid=1747 fsname=/xxx/.config/ibus dir=/home/xxx/.config/ibus fstype=ext4
Whitelisting /home/xxx/.config/mimeapps.list
1748 1731 254:7 /xxx/.config/mimeapps.list /home/xxx/.config/mimeapps.list rw,nosuid,nodev,relatime master:63 - ext4 /dev/mapper/xxx-home rw
mountid=1748 fsname=/xxx/.config/mimeapps.list dir=/home/xxx/.config/mimeapps.list fstype=ext4
Whitelisting /home/xxx/.config/user-dirs.dirs
1749 1731 254:7 /xxx/.config/user-dirs.dirs /home/xxx/.config/user-dirs.dirs rw,nosuid,nodev,relatime master:63 - ext4 /dev/mapper/xxx-home rw
mountid=1749 fsname=/xxx/.config/user-dirs.dirs dir=/home/xxx/.config/user-dirs.dirs fstype=ext4
Whitelisting /home/xxx/.local/share/applications
1750 1731 254:7 /xxx/.local/share/applications /home/xxx/.local/share/applications rw,nosuid,nodev,relatime master:63 - ext4 /dev/mapper/xxx-home rw
mountid=1750 fsname=/xxx/.local/share/applications dir=/home/xxx/.local/share/applications fstype=ext4
Whitelisting /home/xxx/.local/share/icons
1751 1731 254:7 /xxx/.local/share/icons /home/xxx/.local/share/icons rw,nosuid,nodev,relatime master:63 - ext4 /dev/mapper/xxx-home rw
mountid=1751 fsname=/xxx/.local/share/icons dir=/home/xxx/.local/share/icons fstype=ext4
Whitelisting /home/xxx/.config/dconf
1752 1731 254:7 /xxx/.config/dconf /home/xxx/.config/dconf rw,nosuid,nodev,relatime master:63 - ext4 /dev/mapper/xxx-home rw
mountid=1752 fsname=/xxx/.config/dconf dir=/home/xxx/.config/dconf fstype=ext4
Whitelisting /home/xxx/.cache/fontconfig
1753 1731 254:7 /xxx/.cache/fontconfig /home/xxx/.cache/fontconfig rw,nosuid,nodev,relatime master:63 - ext4 /dev/mapper/xxx-home rw
mountid=1753 fsname=/xxx/.cache/fontconfig dir=/home/xxx/.cache/fontconfig fstype=ext4
Whitelisting /home/xxx/.fonts
1754 1731 254:7 /xxx/.fonts /home/xxx/.fonts rw,nosuid,nodev,relatime master:63 - ext4 /dev/mapper/xxx-home rw
mountid=1754 fsname=/xxx/.fonts dir=/home/xxx/.fonts fstype=ext4
Whitelisting /home/xxx/.config/gtk-2.0
1755 1731 254:7 /xxx/.config/gtk-2.0 /home/xxx/.config/gtk-2.0 rw,nosuid,nodev,relatime master:63 - ext4 /dev/mapper/xxx-home rw
mountid=1755 fsname=/xxx/.config/gtk-2.0 dir=/home/xxx/.config/gtk-2.0 fstype=ext4
Whitelisting /home/xxx/.config/gtk-3.0
1756 1731 254:7 /xxx/.config/gtk-3.0 /home/xxx/.config/gtk-3.0 rw,nosuid,nodev,relatime master:63 - ext4 /dev/mapper/xxx-home rw
mountid=1756 fsname=/xxx/.config/gtk-3.0 dir=/home/xxx/.config/gtk-3.0 fstype=ext4
Whitelisting /var/lib/dbus
1757 1743 254:3 /lib/dbus /var/lib/dbus ro,nosuid,nodev,noexec,relatime master:65 - ext4 /dev/mapper/xxx-var rw
mountid=1757 fsname=/lib/dbus dir=/var/lib/dbus fstype=ext4
Whitelisting /var/cache/fontconfig
1758 1743 254:3 /cache/fontconfig /var/cache/fontconfig ro,nosuid,nodev,noexec,relatime master:65 - ext4 /dev/mapper/xxx-var rw
mountid=1758 fsname=/cache/fontconfig dir=/var/cache/fontconfig fstype=ext4
Whitelisting /var/tmp
1759 1743 0:90 / /var/tmp rw,nosuid,nodev,noexec - tmpfs tmpfs rw
mountid=1759 fsname=/ dir=/var/tmp fstype=tmpfs
Created symbolic link /var/run -> /run
Created symbolic link /var/lock -> /run/lock
Whitelisting /tmp/.X11-unix
1760 1734 254:2 /.X11-unix /tmp/.X11-unix rw,nosuid,nodev,relatime master:59 - ext4 /dev/mapper/xxx-tmp rw
mountid=1760 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=ext4
Whitelisting /tmp/pulse-PKdhtXMmr18n
1761 1734 254:2 /pulse-PKdhtXMmr18n /tmp/pulse-PKdhtXMmr18n rw,nosuid,nodev,relatime master:59 - ext4 /dev/mapper/xxx-tmp rw
mountid=1761 fsname=/pulse-PKdhtXMmr18n dir=/tmp/pulse-PKdhtXMmr18n fstype=ext4
Mounting read-only /home/xxx/.local/share/applications
Disable /usr/sbin (requested /sbin)
Disable /usr/local/sbin
Disable /usr/sbin
Disable /usr/include
Disable /usr/share/java
Disable /usr/lib/valgrind
Disable /usr/share/lua
Disable /usr/share/perl-openssl-defaults
Disable /usr/share/perl
Disable /usr/share/perl5
Disable /usr/lib/ruby
Not blacklist /home/xxx/gems/bin/python2*
Not blacklist /home/xxx/bin/python2*
Not blacklist /usr/local/bin/python2
Not blacklist /usr/local/bin/python2.7
Not blacklist /usr/bin/python2
Not blacklist /usr/bin/python2.7
Not blacklist /bin/python2
Not blacklist /bin/python2.7
Not blacklist /usr/local/games/python2
Not blacklist /usr/local/games/python2.7
Not blacklist /usr/games/python2
Not blacklist /usr/games/python2.7
Not blacklist /usr/lib/python2.7
Disable /usr/local/lib/python2.7
Not blacklist /home/xxx/gems/bin/python3*
Not blacklist /home/xxx/bin/python3*
Not blacklist /usr/local/bin/python3.7m-config
Not blacklist /usr/local/bin/python3.7-config
Not blacklist /usr/local/bin/python3m
Not blacklist /usr/local/bin/python3
Not blacklist /usr/local/bin/python3.7
Not blacklist /usr/local/bin/python3m-config
Not blacklist /usr/local/bin/python3-config
Not blacklist /usr/local/bin/python3.7m
Not blacklist /usr/bin/python3.7m-config
Not blacklist /usr/bin/python3.7-config
Not blacklist /usr/bin/python3m
Not blacklist /usr/bin/python3
Not blacklist /usr/bin/python3.7
Not blacklist /usr/bin/python3m-config
Not blacklist /usr/bin/python3-config
Not blacklist /usr/bin/python3.7m
Not blacklist /bin/python3.7m-config
Not blacklist /bin/python3.7-config
Not blacklist /bin/python3m
Not blacklist /bin/python3
Not blacklist /bin/python3.7
Not blacklist /bin/python3m-config
Not blacklist /bin/python3-config
Not blacklist /bin/python3.7m
Not blacklist /usr/local/games/python3.7m-config
Not blacklist /usr/local/games/python3.7-config
Not blacklist /usr/local/games/python3m
Not blacklist /usr/local/games/python3
Not blacklist /usr/local/games/python3.7
Not blacklist /usr/local/games/python3m-config
Not blacklist /usr/local/games/python3-config
Not blacklist /usr/local/games/python3.7m
Not blacklist /usr/games/python3.7m-config
Not blacklist /usr/games/python3.7-config
Not blacklist /usr/games/python3m
Not blacklist /usr/games/python3
Not blacklist /usr/games/python3.7
Not blacklist /usr/games/python3m-config
Not blacklist /usr/games/python3-config
Not blacklist /usr/games/python3.7m
Not blacklist /usr/lib/python3
Not blacklist /usr/lib/python3.7
Disable /usr/local/lib/python3.7
Disable /usr/share/python3
Not blacklist /home/xxx/.config/torbrowser
Not blacklist /home/xxx/.local/share/torbrowser
Mounting read-only /home/xxx/.config/user-dirs.dirs
Mounting noexec /tmp
Mounting noexec /tmp/.X11-unix
Mounting noexec /tmp/pulse-PKdhtXMmr18n
Disable /sys/fs
Disable /sys/module
Disable /mnt
Disable /media
Disable /run/mount
Mounting noexec /run/firejail/mnt/pulse
Creating empty /home/xxx/.config/pulse directory
Drop privileges: pid 76, uid 1000, gid 1000, nogroups 0
Warning: cleaning all supplementary groups
1792 1731 0:88 /pulse /home/xxx/.config/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755
mountid=1792 fsname=/pulse dir=/home/xxx/.config/pulse fstype=tmpfs
blacklist /dev/dvb
blacklist /dev/sr0
blacklist /dev/hidraw0
blacklist /dev/hidraw1
blacklist /dev/hidraw2
blacklist /dev/hidraw3
blacklist /dev/hidraw4
blacklist /dev/hidraw5
blacklist /dev/hidraw6
blacklist /dev/hidraw7
blacklist /dev/hidraw8
blacklist /dev/hidraw9
blacklist /dev/usb
blacklist /dev/video0
blacklist /dev/video1
blacklist /dev/video2
blacklist /dev/video3
blacklist /dev/video4
blacklist /dev/video5
blacklist /dev/video6
blacklist /dev/video7
blacklist /dev/video8
blacklist /dev/video9
Create the new ld.so.preload file
Post-exec seccomp protector enabled
Mount the new ld.so.preload file
Current directory: /home/xxx
DISPLAY=:0 parsed as 0
Install protocol filter: unix,inet,inet6
configuring 14 seccomp entries in /run/firejail/mnt/seccomp/seccomp.protocol
sbox run: /usr/lib/x86_64-linux-gnu/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.protocol (null) 
Dropping all capabilities
Drop privileges: pid 77, uid 1000, gid 1000, nogroups 1
No supplementary groups
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 15 01 00 00000029   jeq socket 0006 (false 0005)
 0005: 06 00 00 7fff0000   ret ALLOW
 0006: 20 00 00 00000010   ld  data.args[0]
 0007: 15 00 01 00000001   jeq 1 0008 (false 0009)
 0008: 06 00 00 7fff0000   ret ALLOW
 0009: 15 00 01 00000002   jeq 2 000a (false 000b)
 000a: 06 00 00 7fff0000   ret ALLOW
 000b: 15 00 01 0000000a   jeq a 000c (false 000d)
 000c: 06 00 00 7fff0000   ret ALLOW
 000d: 06 00 00 0005005f   ret ERRNO(95)
Build drop seccomp filter
sbox run: /run/firejail/lib/fseccomp drop /run/firejail/mnt/seccomp/seccomp /run/firejail/mnt/seccomp/seccomp.postexec @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice (null) 
Dropping all capabilities
Drop privileges: pid 78, uid 1000, gid 1000, nogroups 1
No supplementary groups
Seccomp list in: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice, check list: @default-keep, prelist: adjtimex,clock_adjtime,clock_settime,settimeofday,modify_ldt,lookup_dcookie,perf_event_open,process_vm_writev,delete_module,finit_module,init_module,_sysctl,afs_syscall,create_module,get_kernel_syms,getpmsg,putpmsg,query_module,security,sysfs,tuxcall,uselib,ustat,vserver,ioperm,iopl,kexec_load,kexec_file_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount2,userfaultfd,vhangup,vmsplice,
sbox run: /run/firejail/lib/fsec-optimize /run/firejail/mnt/seccomp/seccomp (null) 
Dropping all capabilities
Drop privileges: pid 79, uid 1000, gid 1000, nogroups 1
No supplementary groups
configuring 73 seccomp entries in /run/firejail/mnt/seccomp/seccomp
sbox run: /usr/lib/x86_64-linux-gnu/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp (null) 
Dropping all capabilities
Drop privileges: pid 80, uid 1000, gid 1000, nogroups 1
No supplementary groups
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 35 01 00 40000000   jge X32_ABI 0006 (false 0005)
 0005: 35 01 00 00000000   jge read 0007 (false 0006)
 0006: 06 00 00 00050001   ret ERRNO(1)
 0007: 15 40 00 0000009f   jeq adjtimex 0048 (false 0008)
 0008: 15 3f 00 00000131   jeq clock_adjtime 0048 (false 0009)
 0009: 15 3e 00 000000e3   jeq clock_settime 0048 (false 000a)
 000a: 15 3d 00 000000a4   jeq settimeofday 0048 (false 000b)
 000b: 15 3c 00 0000009a   jeq modify_ldt 0048 (false 000c)
 000c: 15 3b 00 000000d4   jeq lookup_dcookie 0048 (false 000d)
 000d: 15 3a 00 0000012a   jeq perf_event_open 0048 (false 000e)
 000e: 15 39 00 00000137   jeq process_vm_writev 0048 (false 000f)
 000f: 15 38 00 000000b0   jeq delete_module 0048 (false 0010)
 0010: 15 37 00 00000139   jeq finit_module 0048 (false 0011)
 0011: 15 36 00 000000af   jeq init_module 0048 (false 0012)
 0012: 15 35 00 0000009c   jeq _sysctl 0048 (false 0013)
 0013: 15 34 00 000000b7   jeq afs_syscall 0048 (false 0014)
 0014: 15 33 00 000000ae   jeq create_module 0048 (false 0015)
 0015: 15 32 00 000000b1   jeq get_kernel_syms 0048 (false 0016)
 0016: 15 31 00 000000b5   jeq getpmsg 0048 (false 0017)
 0017: 15 30 00 000000b6   jeq putpmsg 0048 (false 0018)
 0018: 15 2f 00 000000b2   jeq query_module 0048 (false 0019)
 0019: 15 2e 00 000000b9   jeq security 0048 (false 001a)
 001a: 15 2d 00 0000008b   jeq sysfs 0048 (false 001b)
 001b: 15 2c 00 000000b8   jeq tuxcall 0048 (false 001c)
 001c: 15 2b 00 00000086   jeq uselib 0048 (false 001d)
 001d: 15 2a 00 00000088   jeq ustat 0048 (false 001e)
 001e: 15 29 00 000000ec   jeq vserver 0048 (false 001f)
 001f: 15 28 00 000000ad   jeq ioperm 0048 (false 0020)
 0020: 15 27 00 000000ac   jeq iopl 0048 (false 0021)
 0021: 15 26 00 000000f6   jeq kexec_load 0048 (false 0022)
 0022: 15 25 00 00000140   jeq kexec_file_load 0048 (false 0023)
 0023: 15 24 00 000000a9   jeq reboot 0048 (false 0024)
 0024: 15 23 00 000000ee   jeq set_mempolicy 0048 (false 0025)
 0025: 15 22 00 00000100   jeq migrate_pages 0048 (false 0026)
 0026: 15 21 00 00000117   jeq move_pages 0048 (false 0027)
 0027: 15 20 00 000000ed   jeq mbind 0048 (false 0028)
 0028: 15 1f 00 000000a7   jeq swapon 0048 (false 0029)
 0029: 15 1e 00 000000a8   jeq swapoff 0048 (false 002a)
 002a: 15 1d 00 000000a3   jeq acct 0048 (false 002b)
 002b: 15 1c 00 000000f8   jeq add_key 0048 (false 002c)
 002c: 15 1b 00 00000141   jeq bpf 0048 (false 002d)
 002d: 15 1a 00 0000012c   jeq fanotify_init 0048 (false 002e)
 002e: 15 19 00 000000d2   jeq io_cancel 0048 (false 002f)
 002f: 15 18 00 000000cf   jeq io_destroy 0048 (false 0030)
 0030: 15 17 00 000000d0   jeq io_getevents 0048 (false 0031)
 0031: 15 16 00 000000ce   jeq io_setup 0048 (false 0032)
 0032: 15 15 00 000000d1   jeq io_submit 0048 (false 0033)
 0033: 15 14 00 000000fb   jeq ioprio_set 0048 (false 0034)
 0034: 15 13 00 00000138   jeq kcmp 0048 (false 0035)
 0035: 15 12 00 000000fa   jeq keyctl 0048 (false 0036)
 0036: 15 11 00 000000a5   jeq mount 0048 (false 0037)
 0037: 15 10 00 0000012f   jeq name_to_handle_at 0048 (false 0038)
 0038: 15 0f 00 000000b4   jeq nfsservctl 0048 (false 0039)
 0039: 15 0e 00 00000130   jeq open_by_handle_at 0048 (false 003a)
 003a: 15 0d 00 00000087   jeq personality 0048 (false 003b)
 003b: 15 0c 00 0000009b   jeq pivot_root 0048 (false 003c)
 003c: 15 0b 00 00000136   jeq process_vm_readv 0048 (false 003d)
 003d: 15 0a 00 00000065   jeq ptrace 0048 (false 003e)
 003e: 15 09 00 000000d8   jeq remap_file_pages 0048 (false 003f)
 003f: 15 08 00 000000f9   jeq request_key 0048 (false 0040)
 0040: 15 07 00 000000ab   jeq setdomainname 0048 (false 0041)
 0041: 15 06 00 000000aa   jeq sethostname 0048 (false 0042)
 0042: 15 05 00 00000067   jeq syslog 0048 (false 0043)
 0043: 15 04 00 000000a6   jeq umount2 0048 (false 0044)
 0044: 15 03 00 00000143   jeq userfaultfd 0048 (false 0045)
 0045: 15 02 00 00000099   jeq vhangup 0048 (false 0046)
 0046: 15 01 00 00000116   jeq vmsplice 0048 (false 0047)
 0047: 06 00 00 7fff0000   ret ALLOW
 0048: 06 00 00 00000000   ret KILL
seccomp filter configured
Mounting read-only /run/firejail/mnt/seccomp
Dropping all capabilities
noroot user namespace installed
Dropping all capabilities
NO_NEW_PRIVS set
Drop privileges: pid 1, uid 1000, gid 1000, nogroups 1
No supplementary groups
starting application
LD_PRELOAD=(null)
execvp argument 0: torbrowser-launcher
Child process initialized in 206.03 ms
Searching $PATH for torbrowser-launcher
trying #/home/xxx/gems/bin/torbrowser-launcher#
trying #/home/xxx/bin/torbrowser-launcher#
trying #/usr/local/bin/torbrowser-launcher#
Installing /run/firejail/mnt/seccomp/seccomp seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter
monitoring pid 81

Tor Browser Launcher
By Micah Lee, licensed under MIT
version 0.3.2
https://github.com/micahflee/torbrowser-launcher
Warning: Ignoring XDG_SESSION_TYPE=wayland on Gnome. Use QT_QPA_PLATFORM=wayland to run on Wayland anyway.
Qt: Session management error: None of the authentication protocols specified are supported
Launching Tor Browser.
Running /home/xxx/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/start-tor-browser.desktop
Launching './Browser/start-tor-browser --detach'...
Sandbox monitor: waitpid 81 retval 81 status 0
Sandbox monitor: monitoring 113
monitoring pid 113
Debug 398: new_name #/home/xxx/.config/Kvantum#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/Kvantum expanded: /home/xxx/.config/Kvantum real path: (null) realpath: No such file or directory Debug 398: new_name #/home/xxx/.config/Trolltech.conf#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/Trolltech.conf expanded: /home/xxx/.config/Trolltech.conf real path: (null) realpath: No such file or directory Debug 398: new_name #/home/xxx/.config/kdeglobals#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/kdeglobals expanded: /home/xxx/.config/kdeglobals real path: (null) realpath: No such file or directory Debug 398: new_name #/home/xxx/.config/kio_httprc#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/kio_httprc expanded: /home/xxx/.config/kio_httprc real path: (null) realpath: No such file or directory Debug 398: new_name #/home/xxx/.config/kioslaverc#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/kioslaverc expanded: /home/xxx/.config/kioslaverc real path: (null) realpath: No such file or directory Debug 398: new_name #/home/xxx/.config/ksslcablacklist#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/ksslcablacklist expanded: /home/xxx/.config/ksslcablacklist real path: (null) realpath: No such file or directory Debug 398: new_name #/home/xxx/.config/qt5ct#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/qt5ct expanded: /home/xxx/.config/qt5ct real path: (null) realpath: No such file or directory Debug 398: new_name #/home/xxx/.kde/share/config/kdeglobals#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/kdeglobals expanded: /home/xxx/.kde/share/config/kdeglobals real path: (null) realpath: No such file or directory Debug 398: new_name #/home/xxx/.kde/share/config/kio_httprc#, whitelist Removed whitelist/nowhitelist path: whitelist 
${HOME}/.kde/share/config/kio_httprc expanded: /home/xxx/.kde/share/config/kio_httprc real path: (null) realpath: No such file or directory Debug 398: new_name #/home/xxx/.kde/share/config/kioslaverc#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/kioslaverc expanded: /home/xxx/.kde/share/config/kioslaverc real path: (null) realpath: No such file or directory Debug 398: new_name #/home/xxx/.kde/share/config/ksslcablacklist#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/ksslcablacklist expanded: /home/xxx/.kde/share/config/ksslcablacklist real path: (null) realpath: No such file or directory Debug 398: new_name #/home/xxx/.kde/share/config/oxygenrc#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/oxygenrc expanded: /home/xxx/.kde/share/config/oxygenrc real path: (null) realpath: No such file or directory Debug 398: new_name #/home/xxx/.kde/share/icons#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/icons expanded: /home/xxx/.kde/share/icons real path: (null) realpath: No such file or directory Debug 398: new_name #/home/xxx/.kde4/share/config/kdeglobals#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/kdeglobals expanded: /home/xxx/.kde4/share/config/kdeglobals real path: (null) realpath: No such file or directory Debug 398: new_name #/home/xxx/.kde4/share/config/kio_httprc#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/kio_httprc expanded: /home/xxx/.kde4/share/config/kio_httprc real path: (null) realpath: No such file or directory Debug 398: new_name #/home/xxx/.kde4/share/config/kioslaverc#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/kioslaverc expanded: /home/xxx/.kde4/share/config/kioslaverc real path: (null) realpath: No such file or directory Debug 398: new_name #/home/xxx/.kde4/share/config/ksslcablacklist#, 
whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/ksslcablacklist expanded: /home/xxx/.kde4/share/config/ksslcablacklist real path: (null) realpath: No such file or directory Debug 398: new_name #/home/xxx/.kde4/share/config/oxygenrc#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/oxygenrc expanded: /home/xxx/.kde4/share/config/oxygenrc real path: (null) realpath: No such file or directory Debug 398: new_name #/home/xxx/.kde4/share/icons#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/icons expanded: /home/xxx/.kde4/share/icons real path: (null) realpath: No such file or directory Debug 398: new_name #/home/xxx/.local/share/qt5ct#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.local/share/qt5ct expanded: /home/xxx/.local/share/qt5ct real path: (null) realpath: No such file or directory Debug 398: new_name #/var/lib/dbus#, whitelist Debug 398: new_name #/var/lib/menu-xdg#, whitelist Removed whitelist/nowhitelist path: whitelist /var/lib/menu-xdg expanded: /var/lib/menu-xdg real path: (null) realpath: No such file or directory Debug 398: new_name #/var/cache/fontconfig#, whitelist Debug 398: new_name #/var/tmp#, whitelist Debug 398: new_name #/var/run#, whitelist Replaced whitelist path: whitelist /run Debug 398: new_name #/var/lock#, whitelist Replaced whitelist path: whitelist /run/lock Debug 398: new_name #/tmp/.X11-unix#, whitelist Debug 398: new_name #/tmp/pulse-PKdhtXMmr18n#, whitelist Mounting a new /home directory Mounting a new /root directory Create a new user directory Mounting tmpfs on /tmp directory Mounting tmpfs on /var directory Whitelisting /home/xxx/Downloads 1744 1731 254:7 /xxx/Downloads /home/xxx/Downloads rw,nosuid,nodev,relatime master:63 - ext4 /dev/mapper/xxx-home rw mountid=1744 fsname=/xxx/Downloads dir=/home/xxx/Downloads fstype=ext4 Whitelisting /home/xxx/.config/torbrowser 1745 1731 254:7 /xxx/.config/torbrowser 
/home/xxx/.config/torbrowser rw,nosuid,nodev,relatime master:63 - ext4 /dev/mapper/xxx-home rw mountid=1745 fsname=/xxx/.config/torbrowser dir=/home/xxx/.config/torbrowser fstype=ext4 Whitelisting /home/xxx/.local/share/torbrowser 1746 1731 254:7 /xxx/.local/share/torbrowser /home/xxx/.local/share/torbrowser rw,nosuid,nodev,relatime master:63 - ext4 /dev/mapper/xxx-home rw mountid=1746 fsname=/xxx/.local/share/torbrowser dir=/home/xxx/.local/share/torbrowser fstype=ext4 Whitelisting /home/xxx/.config/ibus 1747 1731 254:7 /xxx/.config/ibus /home/xxx/.config/ibus rw,nosuid,nodev,relatime master:63 - ext4 /dev/mapper/xxx-home rw mountid=1747 fsname=/xxx/.config/ibus dir=/home/xxx/.config/ibus fstype=ext4 Whitelisting /home/xxx/.config/mimeapps.list 1748 1731 254:7 /xxx/.config/mimeapps.list /home/xxx/.config/mimeapps.list rw,nosuid,nodev,relatime master:63 - ext4 /dev/mapper/xxx-home rw mountid=1748 fsname=/xxx/.config/mimeapps.list dir=/home/xxx/.config/mimeapps.list fstype=ext4 Whitelisting /home/xxx/.config/user-dirs.dirs 1749 1731 254:7 /xxx/.config/user-dirs.dirs /home/xxx/.config/user-dirs.dirs rw,nosuid,nodev,relatime master:63 - ext4 /dev/mapper/xxx-home rw mountid=1749 fsname=/xxx/.config/user-dirs.dirs dir=/home/xxx/.config/user-dirs.dirs fstype=ext4 Whitelisting /home/xxx/.local/share/applications 1750 1731 254:7 /xxx/.local/share/applications /home/xxx/.local/share/applications rw,nosuid,nodev,relatime master:63 - ext4 /dev/mapper/xxx-home rw mountid=1750 fsname=/xxx/.local/share/applications dir=/home/xxx/.local/share/applications fstype=ext4 Whitelisting /home/xxx/.local/share/icons 1751 1731 254:7 /xxx/.local/share/icons /home/xxx/.local/share/icons rw,nosuid,nodev,relatime master:63 - ext4 /dev/mapper/xxx-home rw mountid=1751 fsname=/xxx/.local/share/icons dir=/home/xxx/.local/share/icons fstype=ext4 Whitelisting /home/xxx/.config/dconf 1752 1731 254:7 /xxx/.config/dconf /home/xxx/.config/dconf rw,nosuid,nodev,relatime master:63 - ext4 
/dev/mapper/xxx-home rw mountid=1752 fsname=/xxx/.config/dconf dir=/home/xxx/.config/dconf fstype=ext4 Whitelisting /home/xxx/.cache/fontconfig 1753 1731 254:7 /xxx/.cache/fontconfig /home/xxx/.cache/fontconfig rw,nosuid,nodev,relatime master:63 - ext4 /dev/mapper/xxx-home rw mountid=1753 fsname=/xxx/.cache/fontconfig dir=/home/xxx/.cache/fontconfig fstype=ext4 Whitelisting /home/xxx/.fonts 1754 1731 254:7 /xxx/.fonts /home/xxx/.fonts rw,nosuid,nodev,relatime master:63 - ext4 /dev/mapper/xxx-home rw mountid=1754 fsname=/xxx/.fonts dir=/home/xxx/.fonts fstype=ext4 Whitelisting /home/xxx/.config/gtk-2.0 1755 1731 254:7 /xxx/.config/gtk-2.0 /home/xxx/.config/gtk-2.0 rw,nosuid,nodev,relatime master:63 - ext4 /dev/mapper/xxx-home rw mountid=1755 fsname=/xxx/.config/gtk-2.0 dir=/home/xxx/.config/gtk-2.0 fstype=ext4 Whitelisting /home/xxx/.config/gtk-3.0 1756 1731 254:7 /xxx/.config/gtk-3.0 /home/xxx/.config/gtk-3.0 rw,nosuid,nodev,relatime master:63 - ext4 /dev/mapper/xxx-home rw mountid=1756 fsname=/xxx/.config/gtk-3.0 dir=/home/xxx/.config/gtk-3.0 fstype=ext4 Whitelisting /var/lib/dbus 1757 1743 254:3 /lib/dbus /var/lib/dbus ro,nosuid,nodev,noexec,relatime master:65 - ext4 /dev/mapper/xxx-var rw mountid=1757 fsname=/lib/dbus dir=/var/lib/dbus fstype=ext4 Whitelisting /var/cache/fontconfig 1758 1743 254:3 /cache/fontconfig /var/cache/fontconfig ro,nosuid,nodev,noexec,relatime master:65 - ext4 /dev/mapper/xxx-var rw mountid=1758 fsname=/cache/fontconfig dir=/var/cache/fontconfig fstype=ext4 Whitelisting /var/tmp 1759 1743 0:90 / /var/tmp rw,nosuid,nodev,noexec - tmpfs tmpfs rw mountid=1759 fsname=/ dir=/var/tmp fstype=tmpfs Created symbolic link /var/run -> /run Created symbolic link /var/lock -> /run/lock Whitelisting /tmp/.X11-unix 1760 1734 254:2 /.X11-unix /tmp/.X11-unix rw,nosuid,nodev,relatime master:59 - ext4 /dev/mapper/xxx-tmp rw mountid=1760 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=ext4 Whitelisting /tmp/pulse-PKdhtXMmr18n 1761 1734 254:2 /pulse-PKdhtXMmr18n 
/tmp/pulse-PKdhtXMmr18n rw,nosuid,nodev,relatime master:59 - ext4 /dev/mapper/xxx-tmp rw mountid=1761 fsname=/pulse-PKdhtXMmr18n dir=/tmp/pulse-PKdhtXMmr18n fstype=ext4 Mounting read-only /home/xxx/.local/share/applications Disable /usr/sbin (requested /sbin) Disable /usr/local/sbin Disable /usr/sbin Disable /usr/include Disable /usr/share/java Disable /usr/lib/valgrind Disable /usr/share/lua Disable /usr/share/perl-openssl-defaults Disable /usr/share/perl Disable /usr/share/perl5 Disable /usr/lib/ruby Not blacklist /home/xxx/gems/bin/python2* Not blacklist /home/xxx/bin/python2* Not blacklist /usr/local/bin/python2 Not blacklist /usr/local/bin/python2.7 Not blacklist /usr/bin/python2 Not blacklist /usr/bin/python2.7 Not blacklist /bin/python2 Not blacklist /bin/python2.7 Not blacklist /usr/local/games/python2 Not blacklist /usr/local/games/python2.7 Not blacklist /usr/games/python2 Not blacklist /usr/games/python2.7 Not blacklist /usr/lib/python2.7 Disable /usr/local/lib/python2.7 Not blacklist /home/xxx/gems/bin/python3* Not blacklist /home/xxx/bin/python3* Not blacklist /usr/local/bin/python3.7m-config Not blacklist /usr/local/bin/python3.7-config Not blacklist /usr/local/bin/python3m Not blacklist /usr/local/bin/python3 Not blacklist /usr/local/bin/python3.7 Not blacklist /usr/local/bin/python3m-config Not blacklist /usr/local/bin/python3-config Not blacklist /usr/local/bin/python3.7m Not blacklist /usr/bin/python3.7m-config Not blacklist /usr/bin/python3.7-config Not blacklist /usr/bin/python3m Not blacklist /usr/bin/python3 Not blacklist /usr/bin/python3.7 Not blacklist /usr/bin/python3m-config Not blacklist /usr/bin/python3-config Not blacklist /usr/bin/python3.7m Not blacklist /bin/python3.7m-config Not blacklist /bin/python3.7-config Not blacklist /bin/python3m Not blacklist /bin/python3 Not blacklist /bin/python3.7 Not blacklist /bin/python3m-config Not blacklist /bin/python3-config Not blacklist /bin/python3.7m Not blacklist 
/usr/local/games/python3.7m-config Not blacklist /usr/local/games/python3.7-config Not blacklist /usr/local/games/python3m Not blacklist /usr/local/games/python3 Not blacklist /usr/local/games/python3.7 Not blacklist /usr/local/games/python3m-config Not blacklist /usr/local/games/python3-config Not blacklist /usr/local/games/python3.7m Not blacklist /usr/games/python3.7m-config Not blacklist /usr/games/python3.7-config Not blacklist /usr/games/python3m Not blacklist /usr/games/python3 Not blacklist /usr/games/python3.7 Not blacklist /usr/games/python3m-config Not blacklist /usr/games/python3-config Not blacklist /usr/games/python3.7m Not blacklist /usr/lib/python3 Not blacklist /usr/lib/python3.7 Disable /usr/local/lib/python3.7 Disable /usr/share/python3 Not blacklist /home/xxx/.config/torbrowser Not blacklist /home/xxx/.local/share/torbrowser Mounting read-only /home/xxx/.config/user-dirs.dirs Mounting noexec /tmp Mounting noexec /tmp/.X11-unix Mounting noexec /tmp/pulse-PKdhtXMmr18n Disable /sys/fs Disable /sys/module Disable /mnt Disable /media Disable /run/mount Mounting noexec /run/firejail/mnt/pulse Creating empty /home/xxx/.config/pulse directory Drop privileges: pid 76, uid 1000, gid 1000, nogroups 0 Warning: cleaning all supplementary groups 1792 1731 0:88 /pulse /home/xxx/.config/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755 mountid=1792 fsname=/pulse dir=/home/xxx/.config/pulse fstype=tmpfs blacklist /dev/dvb blacklist /dev/sr0 blacklist /dev/hidraw0 blacklist /dev/hidraw1 blacklist /dev/hidraw2 blacklist /dev/hidraw3 blacklist /dev/hidraw4 blacklist /dev/hidraw5 blacklist /dev/hidraw6 blacklist /dev/hidraw7 blacklist /dev/hidraw8 blacklist /dev/hidraw9 blacklist /dev/usb blacklist /dev/video0 blacklist /dev/video1 blacklist /dev/video2 blacklist /dev/video3 blacklist /dev/video4 blacklist /dev/video5 blacklist /dev/video6 blacklist /dev/video7 blacklist /dev/video8 blacklist /dev/video9 Create the new ld.so.preload file Post-exec seccomp 
protector enabled Mount the new ld.so.preload file Current directory: /home/xxx DISPLAY=:0 parsed as 0 Install protocol filter: unix,inet,inet6 configuring 14 seccomp entries in /run/firejail/mnt/seccomp/seccomp.protocol sbox run: /usr/lib/x86_64-linux-gnu/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.protocol (null) Dropping all capabilities Drop privileges: pid 77, uid 1000, gid 1000, nogroups 1 No supplementary groups line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 01 00 c000003e jeq ARCH_64 0003 (false 0002) 0002: 06 00 00 7fff0000 ret ALLOW 0003: 20 00 00 00000000 ld data.syscall-number 0004: 15 01 00 00000029 jeq socket 0006 (false 0005) 0005: 06 00 00 7fff0000 ret ALLOW 0006: 20 00 00 00000010 ld data.args[0] 0007: 15 00 01 00000001 jeq 1 0008 (false 0009) 0008: 06 00 00 7fff0000 ret ALLOW 0009: 15 00 01 00000002 jeq 2 000a (false 000b) 000a: 06 00 00 7fff0000 ret ALLOW 000b: 15 00 01 0000000a jeq a 000c (false 000d) 000c: 06 00 00 7fff0000 ret ALLOW 000d: 06 00 00 0005005f ret ERRNO(95) Build drop seccomp filter sbox run: /run/firejail/lib/fseccomp drop /run/firejail/mnt/seccomp/seccomp /run/firejail/mnt/seccomp/seccomp.postexec @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice (null) Dropping all capabilities Drop privileges: pid 78, uid 1000, gid 1000, nogroups 1 No supplementary groups Seccomp list in: 
@clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice, check list: @default-keep, prelist: adjtimex,clock_adjtime,clock_settime,settimeofday,modify_ldt,lookup_dcookie,perf_event_open,process_vm_writev,delete_module,finit_module,init_module,_sysctl,afs_syscall,create_module,get_kernel_syms,getpmsg,putpmsg,query_module,security,sysfs,tuxcall,uselib,ustat,vserver,ioperm,iopl,kexec_load,kexec_file_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount2,userfaultfd,vhangup,vmsplice, sbox run: /run/firejail/lib/fsec-optimize /run/firejail/mnt/seccomp/seccomp (null) Dropping all capabilities Drop privileges: pid 79, uid 1000, gid 1000, nogroups 1 No supplementary groups configuring 73 seccomp entries in /run/firejail/mnt/seccomp/seccomp sbox run: /usr/lib/x86_64-linux-gnu/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp (null) Dropping all capabilities Drop privileges: pid 80, uid 1000, gid 1000, nogroups 1 No supplementary groups line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 01 00 c000003e jeq ARCH_64 0003 (false 0002) 0002: 06 00 00 7fff0000 ret ALLOW 0003: 20 00 00 00000000 ld data.syscall-number 0004: 35 01 00 40000000 jge X32_ABI 0006 (false 0005) 0005: 35 01 00 00000000 jge read 0007 (false 0006) 0006: 06 00 00 00050001 ret ERRNO(1) 0007: 15 40 00 0000009f jeq adjtimex 0048 
(false 0008) 0008: 15 3f 00 00000131 jeq clock_adjtime 0048 (false 0009) 0009: 15 3e 00 000000e3 jeq clock_settime 0048 (false 000a) 000a: 15 3d 00 000000a4 jeq settimeofday 0048 (false 000b) 000b: 15 3c 00 0000009a jeq modify_ldt 0048 (false 000c) 000c: 15 3b 00 000000d4 jeq lookup_dcookie 0048 (false 000d) 000d: 15 3a 00 0000012a jeq perf_event_open 0048 (false 000e) 000e: 15 39 00 00000137 jeq process_vm_writev 0048 (false 000f) 000f: 15 38 00 000000b0 jeq delete_module 0048 (false 0010) 0010: 15 37 00 00000139 jeq finit_module 0048 (false 0011) 0011: 15 36 00 000000af jeq init_module 0048 (false 0012) 0012: 15 35 00 0000009c jeq _sysctl 0048 (false 0013) 0013: 15 34 00 000000b7 jeq afs_syscall 0048 (false 0014) 0014: 15 33 00 000000ae jeq create_module 0048 (false 0015) 0015: 15 32 00 000000b1 jeq get_kernel_syms 0048 (false 0016) 0016: 15 31 00 000000b5 jeq getpmsg 0048 (false 0017) 0017: 15 30 00 000000b6 jeq putpmsg 0048 (false 0018) 0018: 15 2f 00 000000b2 jeq query_module 0048 (false 0019) 0019: 15 2e 00 000000b9 jeq security 0048 (false 001a) 001a: 15 2d 00 0000008b jeq sysfs 0048 (false 001b) 001b: 15 2c 00 000000b8 jeq tuxcall 0048 (false 001c) 001c: 15 2b 00 00000086 jeq uselib 0048 (false 001d) 001d: 15 2a 00 00000088 jeq ustat 0048 (false 001e) 001e: 15 29 00 000000ec jeq vserver 0048 (false 001f) 001f: 15 28 00 000000ad jeq ioperm 0048 (false 0020) 0020: 15 27 00 000000ac jeq iopl 0048 (false 0021) 0021: 15 26 00 000000f6 jeq kexec_load 0048 (false 0022) 0022: 15 25 00 00000140 jeq kexec_file_load 0048 (false 0023) 0023: 15 24 00 000000a9 jeq reboot 0048 (false 0024) 0024: 15 23 00 000000ee jeq set_mempolicy 0048 (false 0025) 0025: 15 22 00 00000100 jeq migrate_pages 0048 (false 0026) 0026: 15 21 00 00000117 jeq move_pages 0048 (false 0027) 0027: 15 20 00 000000ed jeq mbind 0048 (false 0028) 0028: 15 1f 00 000000a7 jeq swapon 0048 (false 0029) 0029: 15 1e 00 000000a8 jeq swapoff 0048 (false 002a) 002a: 15 1d 00 000000a3 jeq acct 0048 (false 002b) 
002b: 15 1c 00 000000f8 jeq add_key 0048 (false 002c) 002c: 15 1b 00 00000141 jeq bpf 0048 (false 002d) 002d: 15 1a 00 0000012c jeq fanotify_init 0048 (false 002e) 002e: 15 19 00 000000d2 jeq io_cancel 0048 (false 002f) 002f: 15 18 00 000000cf jeq io_destroy 0048 (false 0030) 0030: 15 17 00 000000d0 jeq io_getevents 0048 (false 0031) 0031: 15 16 00 000000ce jeq io_setup 0048 (false 0032) 0032: 15 15 00 000000d1 jeq io_submit 0048 (false 0033) 0033: 15 14 00 000000fb jeq ioprio_set 0048 (false 0034) 0034: 15 13 00 00000138 jeq kcmp 0048 (false 0035) 0035: 15 12 00 000000fa jeq keyctl 0048 (false 0036) 0036: 15 11 00 000000a5 jeq mount 0048 (false 0037) 0037: 15 10 00 0000012f jeq name_to_handle_at 0048 (false 0038) 0038: 15 0f 00 000000b4 jeq nfsservctl 0048 (false 0039) 0039: 15 0e 00 00000130 jeq open_by_handle_at 0048 (false 003a) 003a: 15 0d 00 00000087 jeq personality 0048 (false 003b) 003b: 15 0c 00 0000009b jeq pivot_root 0048 (false 003c) 003c: 15 0b 00 00000136 jeq process_vm_readv 0048 (false 003d) 003d: 15 0a 00 00000065 jeq ptrace 0048 (false 003e) 003e: 15 09 00 000000d8 jeq remap_file_pages 0048 (false 003f) 003f: 15 08 00 000000f9 jeq request_key 0048 (false 0040) 0040: 15 07 00 000000ab jeq setdomainname 0048 (false 0041) 0041: 15 06 00 000000aa jeq sethostname 0048 (false 0042) 0042: 15 05 00 00000067 jeq syslog 0048 (false 0043) 0043: 15 04 00 000000a6 jeq umount2 0048 (false 0044) 0044: 15 03 00 00000143 jeq userfaultfd 0048 (false 0045) 0045: 15 02 00 00000099 jeq vhangup 0048 (false 0046) 0046: 15 01 00 00000116 jeq vmsplice 0048 (false 0047) 0047: 06 00 00 7fff0000 ret ALLOW 0048: 06 00 00 00000000 ret KILL seccomp filter configured Mounting read-only /run/firejail/mnt/seccomp Dropping all capabilities noroot user namespace installed Dropping all capabilities NO_NEW_PRIVS set Drop privileges: pid 1, uid 1000, gid 1000, nogroups 1 No supplementary groups starting application LD_PRELOAD=(null) execvp argument 0: torbrowser-launcher Child process 
initialized in 206.03 ms
Searching $PATH for torbrowser-launcher
trying #/home/xxx/gems/bin/torbrowser-launcher#
trying #/home/xxx/bin/torbrowser-launcher#
trying #/usr/local/bin/torbrowser-launcher#
Installing /run/firejail/mnt/seccomp/seccomp seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter
monitoring pid 81
Tor Browser Launcher
By Micah Lee, licensed under MIT
version 0.3.2
https://github.com/micahflee/torbrowser-launcher
Warning: Ignoring XDG_SESSION_TYPE=wayland on Gnome. Use QT_QPA_PLATFORM=wayland to run on Wayland anyway.
Qt: Session management error: None of the authentication protocols specified are supported
Launching Tor Browser.
Running /home/xxx/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/start-tor-browser.desktop
Launching './Browser/start-tor-browser --detach'...
Sandbox monitor: waitpid 81 retval 81 status 0
Sandbox monitor: monitoring 113
monitoring pid 113
```

@rusty-snake commented on GitHub (Mar 29, 2020):

Is anything in the journal? What happens if you skip torbrowser-launcher and start the TBB directly (~`firejail --profile=torbrowser-launcher --private-cwd=~/.local/share/torbrowser/tbb/x86-64/tor-browser_en-US ./start-tor-browser.desktop`~ `cd ~/.local/share/torbrowser/tbb/x86-64/tor-browser_en-US && firejail --profile=torbrowser-launcher ./start-tor-browser.desktop`)?


@rusty-snake commented on GitHub (May 6, 2020):

I'm closing here due to inactivity, please feel free to reopen if you still have this issue.
