[GH-ISSUE #3321] Bitwarden appimage not working with Bitwarden profile #2087

New issue

Closed

opened 2026-05-05 08:45:37 -06:00 by gitea-mirror · 8 comments

gitea-mirror commented 2026-05-05 08:45:37 -06:00

Owner

Copy link

Originally created by @danielgul on GitHub (Apr 6, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3321

Hi,

I have an issue with starting Bitwarden appimage.
First I tried to use firejail --appimage as is and program not starting. Output:

$ firejail --appimage Bitwarden-1.17.2-x86_64.AppImage 

Mounting appimage type 2
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc

** Note: you can use --noprofile to disable default.profile **

Parent pid 1223873, child pid 1223876

**     Warning: dropping all Linux capabilities     **

Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Child process initialized in 62.33 ms

Parent is shutting down, bye...
AppImage unmounted

Seeing its trying to load default.profile, I tried with --profile=bitwarden. Didn't work either. Output:

$ firejail --appimage --profile=bitwarden Bitwarden-1.17.2-x86_64.AppImage

Reading profile /etc/firejail/bitwarden.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Mounting appimage type 2
Parent pid 1223280, child pid 1223433

**     Warning: dropping all Linux capabilities     **

Warning: skipping alternatives for private /etc
Warning: skipping crypto-policies for private /etc
Warning: skipping pki for private /etc
Private /etc installed in 26.39 ms
Warning: skipping Bitwarden for private /opt
Private /opt installed in 0.08 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Child process initialized in 152.61 ms

Parent is shutting down, bye...
AppImage unmounted

Lunching with firejail --appimage --noprofile works tho...

Any idea why it's not working with it's own profile?
Using Manjaro 19.0.2 .

Thanks in advance.

Originally created by @danielgul on GitHub (Apr 6, 2020). Original GitHub issue: https://github.com/netblue30/firejail/issues/3321 Hi, I have an issue with starting Bitwarden appimage. First I tried to use `firejail --appimage` as is and program not starting. Output: $ firejail --appimage Bitwarden-1.17.2-x86_64.AppImage Mounting appimage type 2 Reading profile /etc/firejail/default.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-passwdmgr.inc Reading profile /etc/firejail/disable-programs.inc ** Note: you can use --noprofile to disable default.profile ** Parent pid 1223873, child pid 1223876 ** Warning: dropping all Linux capabilities ** Warning: /sbin directory link was not blacklisted Warning: /usr/sbin directory link was not blacklisted Child process initialized in 62.33 ms Parent is shutting down, bye... AppImage unmounted Seeing its trying to load `default.profile`, I tried with `--profile=bitwarden`. Didn't work either. Output: $ firejail --appimage --profile=bitwarden Bitwarden-1.17.2-x86_64.AppImage Reading profile /etc/firejail/bitwarden.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-exec.inc Reading profile /etc/firejail/disable-interpreters.inc Reading profile /etc/firejail/disable-passwdmgr.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/disable-xdg.inc Reading profile /etc/firejail/whitelist-common.inc Reading profile /etc/firejail/whitelist-var-common.inc Mounting appimage type 2 Parent pid 1223280, child pid 1223433 ** Warning: dropping all Linux capabilities ** Warning: skipping alternatives for private /etc Warning: skipping crypto-policies for private /etc Warning: skipping pki for private /etc Private /etc installed in 26.39 ms Warning: skipping Bitwarden for private /opt Private /opt installed in 0.08 ms Warning: cleaning all supplementary groups Warning: cleaning all supplementary groups Warning: cleaning all supplementary groups Warning: /sbin directory link was not blacklisted Warning: /usr/sbin directory link was not blacklisted Child process initialized in 152.61 ms Parent is shutting down, bye... AppImage unmounted Lunching with `firejail --appimage --noprofile` works tho... Any idea why it's not working with it's own profile? Using Manjaro 19.0.2 . Thanks in advance.

gitea-mirror closed this issue 2026-05-05 08:45:38 -06:00

gitea-mirror commented 2026-05-05 08:45:40 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Apr 6, 2020):

Is anything in the journal/syslog?

<!-- gh-comment-id:609612723 --> @rusty-snake commented on GitHub (Apr 6, 2020): Is anything in the journal/syslog?

gitea-mirror commented 2026-05-05 08:45:41 -06:00

Author

Owner

Copy link

@danielgul commented on GitHub (Apr 6, 2020):

Totally forgot to check the logs, you are right!
These are the logs after I tried to run firejail --appimage --profile=bitwarden Bitwarden-1.17.2-x86_64.AppImage again:

### systemd[2845]: run-firejail-appimage-.appimage\x2d1383067.mount: Succeeded.
-- Subject: Unit succeeded
-- Defined-By: systemd
-- Support: https://forum.manjaro.org/c/technical-issues-and-assistance
-- 
-- The unit UNIT has successfully entered the 'dead' state.
### systemd[1]: run-firejail-appimage-.appimage\x2d1383067.mount: Succeeded.
-- Subject: Unit succeeded
-- Defined-By: systemd
-- Support: https://forum.manjaro.org/c/technical-issues-and-assistance
-- 
-- The unit run-firejail-appimage-.appimage\x2d1383067.mount has successfully entered the 'dead' state.
### systemd-coredump[1383096]: Process 1383083 (bitwarden) of user 1000 dumped core.
                                                        
                                                        Stack trace of thread 12:
                                                        #0  0x000055ddcd89bf46 n/a (/run/firejail/appimage/.appimage-1383067/bitwarden + 0x48e0f46)
                                                        #1  0x000055ddcb90b058 n/a (/run/firejail/appimage/.appimage-1383067/bitwarden + 0x2950058)
                                                        #2  0x000055ddcd89af4f n/a (/run/firejail/appimage/.appimage-1383067/bitwarden + 0x48dff4f)
                                                        #3  0x000055ddcd8a0d51 n/a (/run/firejail/appimage/.appimage-1383067/bitwarden + 0x48e5d51)
                                                        #4  0x000055ddcb90a88c n/a (/run/firejail/appimage/.appimage-1383067/bitwarden + 0x294f88c)
                                                        #5  0x000055ddcd8a1454 n/a (/run/firejail/appimage/.appimage-1383067/bitwarden + 0x48e6454)
                                                        #6  0x000055ddcacb6dd1 n/a (/run/firejail/appimage/.appimage-1383067/bitwarden + 0x1cfbdd1)
                                                        #7  0x000055ddca41e27b n/a (/run/firejail/appimage/.appimage-1383067/bitwarden + 0x146327b)
                                                        #8  0x00007ff096ef7023 __libc_start_main (libc.so.6 + 0x27023)
                                                        #9  0x000055ddca41e02a n/a (/run/firejail/appimage/.appimage-1383067/bitwarden + 0x146302a)
-- Subject: Process 1383083 (bitwarden) dumped core
-- Defined-By: systemd
-- Support: https://forum.manjaro.org/c/technical-issues-and-assistance
-- Documentation: man:core(5)
-- 
-- Process 1383083 (bitwarden) crashed and dumped core.
-- 
-- This usually indicates a programming error in the crashing program and
-- should be reported to its vendor as a bug.

<!-- gh-comment-id:609630993 --> @danielgul commented on GitHub (Apr 6, 2020): Totally forgot to check the logs, you are right! These are the logs after I tried to run `firejail --appimage --profile=bitwarden Bitwarden-1.17.2-x86_64.AppImage` again: ### systemd[2845]: run-firejail-appimage-.appimage\x2d1383067.mount: Succeeded. -- Subject: Unit succeeded -- Defined-By: systemd -- Support: https://forum.manjaro.org/c/technical-issues-and-assistance -- -- The unit UNIT has successfully entered the 'dead' state. ### systemd[1]: run-firejail-appimage-.appimage\x2d1383067.mount: Succeeded. -- Subject: Unit succeeded -- Defined-By: systemd -- Support: https://forum.manjaro.org/c/technical-issues-and-assistance -- -- The unit run-firejail-appimage-.appimage\x2d1383067.mount has successfully entered the 'dead' state. ### systemd-coredump[1383096]: Process 1383083 (bitwarden) of user 1000 dumped core. Stack trace of thread 12: #0 0x000055ddcd89bf46 n/a (/run/firejail/appimage/.appimage-1383067/bitwarden + 0x48e0f46) #1 0x000055ddcb90b058 n/a (/run/firejail/appimage/.appimage-1383067/bitwarden + 0x2950058) #2 0x000055ddcd89af4f n/a (/run/firejail/appimage/.appimage-1383067/bitwarden + 0x48dff4f) #3 0x000055ddcd8a0d51 n/a (/run/firejail/appimage/.appimage-1383067/bitwarden + 0x48e5d51) #4 0x000055ddcb90a88c n/a (/run/firejail/appimage/.appimage-1383067/bitwarden + 0x294f88c) #5 0x000055ddcd8a1454 n/a (/run/firejail/appimage/.appimage-1383067/bitwarden + 0x48e6454) #6 0x000055ddcacb6dd1 n/a (/run/firejail/appimage/.appimage-1383067/bitwarden + 0x1cfbdd1) #7 0x000055ddca41e27b n/a (/run/firejail/appimage/.appimage-1383067/bitwarden + 0x146327b) #8 0x00007ff096ef7023 __libc_start_main (libc.so.6 + 0x27023) #9 0x000055ddca41e02a n/a (/run/firejail/appimage/.appimage-1383067/bitwarden + 0x146302a) -- Subject: Process 1383083 (bitwarden) dumped core -- Defined-By: systemd -- Support: https://forum.manjaro.org/c/technical-issues-and-assistance -- Documentation: man:core(5) -- -- Process 1383083 (bitwarden) crashed and dumped core. -- -- This usually indicates a programming error in the crashing program and -- should be reported to its vendor as a bug.

gitea-mirror commented 2026-05-05 08:45:42 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Apr 6, 2020):

Can you try firejail '--seccomp=!chroot' --profile=bitwarden --appimage Bitwarden-1.17.2-x86_64.AppImage

<!-- gh-comment-id:609638911 --> @rusty-snake commented on GitHub (Apr 6, 2020): Can you try `firejail '--seccomp=!chroot' --profile=bitwarden --appimage Bitwarden-1.17.2-x86_64.AppImage`

gitea-mirror commented 2026-05-05 08:45:42 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Apr 6, 2020):

I just downloaded the Appimage, with the default profile I get seccomp violations and with the bitwarden profile the execve permission denied.

<!-- gh-comment-id:609639893 --> @rusty-snake commented on GitHub (Apr 6, 2020): I just downloaded the Appimage, with the default profile I get seccomp violations and with the bitwarden profile the execve permission denied.

gitea-mirror commented 2026-05-05 08:45:43 -06:00

Author

Owner

Copy link

@danielgul commented on GitHub (Apr 6, 2020):

Can you try firejail '--seccomp=!chroot' --profile=bitwarden --appimage Bitwarden-1.17.2-x86_64.AppImage

That did it. Works without error. Thank you my friend.
Could you please explain what --seccomp=!chroot does?
Thanks!

<!-- gh-comment-id:609640793 --> @danielgul commented on GitHub (Apr 6, 2020): > Can you try `firejail '--seccomp=!chroot' --profile=bitwarden --appimage Bitwarden-1.17.2-x86_64.AppImage` That did it. Works without error. Thank you my friend. Could you please explain what `--seccomp=!chroot` does? Thanks!

gitea-mirror commented 2026-05-05 08:45:44 -06:00

Author

Owner

Copy link

@danielgul commented on GitHub (Apr 6, 2020):

From /usr/share/doc/firejail/syscalls.txt:

Profile: seccomp -> seccomp !chroot

Start journalctl --grep=syscall --follow in a terminal, then start the broken
program. Now you see one or more long lines containing syscall=NUMBER somewhere.
Stop journalctl (^C) and execute firejail --debug-syscalls | grep NUMBER. You
will see something like NUMBER - NAME, because you now know the name of the
syscall, you can add an exception to seccomp by putting !NAME to seccomp.

This is beyond my level of understanding. My question leads toward would this is something you would have to patch from your side on next release or is --seccomp=!chroot had to be included when I start the program from my side?

<!-- gh-comment-id:609647194 --> @danielgul commented on GitHub (Apr 6, 2020): From /usr/share/doc/firejail/syscalls.txt: > Profile: `seccomp -> seccomp !chroot` > > Start `journalctl --grep=syscall --follow` in a terminal, then start the broken > program. Now you see one or more long lines containing `syscall=NUMBER` somewhere. > Stop journalctl (^C) and execute `firejail --debug-syscalls | grep NUMBER`. You > will see something like `NUMBER - NAME`, because you now know the name of the > syscall, you can add an exception to seccomp by putting `!NAME` to seccomp. This is beyond my level of understanding. My question leads toward would this is something you would have to patch from your side on next release or is `--seccomp=!chroot` had to be included when I start the program from my side?

gitea-mirror commented 2026-05-05 08:45:45 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Apr 6, 2020):

Could you please explain what --seccomp=!chroot does?

It allows the chroot syscall. The chromium-sandbox is using it (in older version). looks like bitwarden has updated it chromium components.

My question leads toward would this is something you would have to patch from your side on next release or is --seccomp=!chroot had to be included when I start the program from my side?

Becomes part of the profile, for now you can add seccomp !chroot to your bitwarden.local.

<!-- gh-comment-id:609655351 --> @rusty-snake commented on GitHub (Apr 6, 2020): > Could you please explain what -`-seccomp=!chroot` does? It allows the [chroot syscall](https://linux.die.net/man/2/chroot). The chromium-sandbox is using it (in older version). looks like bitwarden has updated it chromium components. > My question leads toward would this is something you would have to patch from your side on next release or is --seccomp=!chroot had to be included when I start the program from my side? Becomes part of the profile, for now you can add `seccomp !chroot` to your bitwarden.local.

gitea-mirror commented 2026-05-05 08:45:45 -06:00

Author

Owner

Copy link

@danielgul commented on GitHub (Apr 6, 2020):

Alright, Thanks a lot for the help and the quick response!
Take care.

<!-- gh-comment-id:609656296 --> @danielgul commented on GitHub (Apr 6, 2020): Alright, Thanks a lot for the help and the quick response! Take care.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

serialize_remounts_v2

landlock_v4

landlock

release-0.9.64

release-0.9.62

gitlab_ci

LTSbase

fred_ctests

docs

0.9.80

0.9.80-rc1

0.9.78

0.9.76

0.9.76-rc4

0.9.76-rc3

0.9.76-rc2

0.9.76-rc1

0.9.74

landlock-split

0.9.72

0.9.72rc1

0.9.70

0.9.68

0.9.68rc1

0.9.66

0.9.66rc1

0.9.64.4

0.9.64.2

0.9.64

0.9.64rc1

0.9.62.4

0.9.62.2

0.9.62

0.9.56.2-LTS

0.9.60

0.9.60-rc1

0.9.58.2

0.9.58

0.9.58-rc1

0.9.56-LTS-release

0.9.56-LTS

0.9.56

0.9.56-rc1

0.9.54

0.9.54-rc2

0.9.54-rc1

0.9.52

0.9.38.12

0.9.50

0.9.50-rc1

0.9.48

0.9.46

0.9.46-rc1

0.9.44.10

0.9.44.8

0.9.44.6

0.9.38.10

0.9.44.4

0.9.38.8

0.9.44.2

0.9.44

0.9.44-rc1

0.9.38.4

0.9.42

0.9.42-rc2

0.9.38.2

0.9.42-rc1

disable-globalcfg

0.9.40

0.9.40-rc1

0.9.38

0.9.38-rc1

0.9.36

0.9.36-rc1

0.9.34

0.9.34-rc1

0.9.32

0.9.32-rc1

0.9.30

0.9.30-rc1

Labels

Clear labels   

LTS merge

  

LTS merge

  

bug

  

bug

  

converted-to-discussion

  

doc-todo

  

documentation

  

duplicate

  

enhancement

  

file-transfer

  

firecfg

  

firejail-in-firejail

  

firetools

  

graphics

  

help wanted

  

information_old

  

installation

  

invalid

  

modif

  

moved

  

needinfo

  

networking

  

notabug

  

notourbug

  

old-version

  

overlayfs

  

packaging

  

profile-request

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

question_old

  

removal

  

runtime-permissions

  

sandbox-ipc

  

security

  

stale

  

wiki

  

wiki

  

wontfix

  

wordpress

  

workaround

No labels

LTS merge

LTS merge

bug

bug

converted-to-discussion

doc-todo

documentation

duplicate

enhancement

file-transfer

firecfg

firejail-in-firejail

firetools

graphics

help wanted

information_old

installation

invalid

modif

moved

needinfo

networking

notabug

notourbug

old-version

overlayfs

packaging

profile-request

pull-request

question

question_old

removal

runtime-permissions

sandbox-ipc

security

stale

wiki

wiki

wontfix

wordpress

workaround

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2087

No description provided.