github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #3333] Creating temporary filesystem from shell fails #2094

New issue
Closed
opened 2026-05-05 08:46:13 -06:00 by gitea-mirror · 35 comments
gitea-mirror commented 2026-05-05 08:46:13 -06:00
Owner
Copy link

Originally created by @matu3ba on GitHub (Apr 9, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3333

Describe the bug
Running firejail --private firefox or simply firejail firefox ie fails with

Error: execute permission denied for /usr/local/bin/firefox
Error: no suitable firefox executable found

To Reproduce

  1. Run in shell firejail firefox
  2. Get output:
    Reading profile /usr/local/etc/firejail/firefox.profile
    Reading profile /usr/local/etc/firejail/whitelist-usr-share-common.inc
    Reading profile /usr/local/etc/firejail/firefox-common.profile
    Reading profile /usr/local/etc/firejail/disable-common.inc
    Reading profile /usr/local/etc/firejail/disable-devel.inc
    Reading profile /usr/local/etc/firejail/disable-exec.inc
    Reading profile /usr/local/etc/firejail/disable-interpreters.inc
    Reading profile /usr/local/etc/firejail/disable-programs.inc
    Reading profile /usr/local/etc/firejail/whitelist-common.inc
    Reading profile /usr/local/etc/firejail/whitelist-var-common.inc
    Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
    Parent pid 63204, child pid 63205
    Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
    Warning: cleaning all supplementary groups
    Warning: cleaning all supplementary groups
    Warning: cleaning all supplementary groups
    Warning: /sbin directory link was not blacklisted
    Warning: /usr/sbin directory link was not blacklisted
    Warning: not remounting /run/user/1000/gvfs
    Warning: cleaning all supplementary groups
    Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
    Child process initialized in 118.04 ms
    Error: execute permission denied for /usr/local/bin/firefox
    Error: no suitable firefox executable found

Parent is shutting down, bye...

Expected behavior
Firefox should start with a temporary filesystems.

Desktop (please complete the following information):

  • Linux distribution and version
    Manjaro Linux 19.0.2
  • Firejail version (output of firejail --version)
    firejail version 0.9.63

Compile time support:
- AppArmor support is disabled
- AppImage support is enabled
- chroot support is enabled
- file and directory whitelisting support is enabled
- file transfer support is enabled
- firetunnel support is enabled
- networking support is enabled
- overlayfs support is enabled
- private-home support is enabled
- seccomp-bpf support is enabled
- user namespace support is enabled
- X11 sandboxing support is enabled
Additional context
Running firefox works as expected. Mounting of filesystem also works.
Last lines of firejail --debug --private firefox
Searching $PATH for firefox
trying #/home/misterspoon/.cargo/bin/firefox#
trying #/home/misterspoon/.local/bin/firefox#
trying #/usr/local/bin/firefox#
Error: execute permission denied for /usr/local/bin/firefox
Installing /run/firejail/mnt/seccomp/seccomp seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter
Error: no suitable firefox executable found
monitoring pid 19

Sandbox monitor: waitpid 19 retval 19 status 256

If this is expected behavior:
What is the new recommended way to start --private or --private=DIR firejail instances?

Originally created by @matu3ba on GitHub (Apr 9, 2020). Original GitHub issue: https://github.com/netblue30/firejail/issues/3333 **Describe the bug** Running `firejail --private firefox` or simply `firejail firefox` ie fails with ``` Error: execute permission denied for /usr/local/bin/firefox Error: no suitable firefox executable found ``` **To Reproduce** 1. Run in shell `firejail firefox` 2. Get output: Reading profile /usr/local/etc/firejail/firefox.profile Reading profile /usr/local/etc/firejail/whitelist-usr-share-common.inc Reading profile /usr/local/etc/firejail/firefox-common.profile Reading profile /usr/local/etc/firejail/disable-common.inc Reading profile /usr/local/etc/firejail/disable-devel.inc Reading profile /usr/local/etc/firejail/disable-exec.inc Reading profile /usr/local/etc/firejail/disable-interpreters.inc Reading profile /usr/local/etc/firejail/disable-programs.inc Reading profile /usr/local/etc/firejail/whitelist-common.inc Reading profile /usr/local/etc/firejail/whitelist-var-common.inc Seccomp list in: !chroot, check list: @default-keep, prelist: unknown, Parent pid 63204, child pid 63205 Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set. Warning: cleaning all supplementary groups Warning: cleaning all supplementary groups Warning: cleaning all supplementary groups Warning: /sbin directory link was not blacklisted Warning: /usr/sbin directory link was not blacklisted Warning: not remounting /run/user/1000/gvfs Warning: cleaning all supplementary groups Seccomp list in: !chroot, check list: @default-keep, prelist: unknown, Child process initialized in 118.04 ms Error: execute permission denied for /usr/local/bin/firefox Error: no suitable firefox executable found Parent is shutting down, bye... **Expected behavior** Firefox should start with a temporary filesystems. **Desktop (please complete the following information):** - Linux distribution and version Manjaro Linux 19.0.2 - Firejail version (output of `firejail --version`) firejail version 0.9.63 Compile time support: - AppArmor support is disabled - AppImage support is enabled - chroot support is enabled - file and directory whitelisting support is enabled - file transfer support is enabled - firetunnel support is enabled - networking support is enabled - overlayfs support is enabled - private-home support is enabled - seccomp-bpf support is enabled - user namespace support is enabled - X11 sandboxing support is enabled **Additional context** Running `firefox` works as expected. Mounting of filesystem also works. Last lines of `firejail --debug --private firefox` Searching $PATH for firefox trying #/home/misterspoon/.cargo/bin/firefox# trying #/home/misterspoon/.local/bin/firefox# trying #/usr/local/bin/firefox# Error: execute permission denied for /usr/local/bin/firefox Installing /run/firejail/mnt/seccomp/seccomp seccomp filter Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter Error: no suitable firefox executable found monitoring pid 19 Sandbox monitor: waitpid 19 retval 19 status 256 If this is expected behavior: What is the new recommended way to start `--private` or `--private=DIR` firejail instances?
gitea-mirror 2026-05-05 08:46:13 -06:00
  • closed this issue
  • added the
    bug
         label
gitea-mirror commented 2026-05-05 08:46:15 -06:00
Author
Owner
Copy link

@matu3ba commented on GitHub (Apr 9, 2020):

firejail --noprofile firefox runs with the expected output

Parent pid 85355, child pid 85356
Child process initialized in 2.75 ms
Warning: an existing sandbox was detected. /usr/bin/firefox will run without any additional sandboxing features
<!-- gh-comment-id:611297752 --> @matu3ba commented on GitHub (Apr 9, 2020): `firejail --noprofile firefox` runs with the expected output ``` Parent pid 85355, child pid 85356 Child process initialized in 2.75 ms Warning: an existing sandbox was detected. /usr/bin/firefox will run without any additional sandboxing features ```
gitea-mirror commented 2026-05-05 08:46:16 -06:00
Author
Owner
Copy link

@Fred-Barclay commented on GitHub (Apr 9, 2020):

@matu3ba FWIW I have firefox-esr on Debian 10 and unfortunately can't reproduce - does this happen for other programs too or just firefox?

My output for comparison:

fred@theupsidedown  ~  firejail --private /usr/bin/firefox-esr
Reading profile /etc/firejail/firefox-esr.profile
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 29221, child pid 29222
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: not remounting /run/user/1000/gvfs
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Child process initialized in 102.95 ms

EDIT: a few more questions

  1. What's the output of whereis firefox?

  2. Have you run firecfg? If not sure, check the output of firecfg --list

I wonder if perhaps there's an issue/conflict with firejail and firecfg if firejail is installed to /usr/local/bin as seems to be the case here.

<!-- gh-comment-id:611302464 --> @Fred-Barclay commented on GitHub (Apr 9, 2020): @matu3ba FWIW I have firefox-esr on Debian 10 and unfortunately can't reproduce - does this happen for other programs too or just firefox? My output for comparison: ``` fred@theupsidedown  ~  firejail --private /usr/bin/firefox-esr Reading profile /etc/firejail/firefox-esr.profile Reading profile /etc/firejail/firefox.profile Reading profile /etc/firejail/whitelist-usr-share-common.inc Reading profile /etc/firejail/firefox-common.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-exec.inc Reading profile /etc/firejail/disable-interpreters.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/whitelist-common.inc Reading profile /etc/firejail/whitelist-var-common.inc Seccomp list in: !chroot, check list: @default-keep, prelist: unknown, Parent pid 29221, child pid 29222 Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set. Warning: not remounting /run/user/1000/gvfs Seccomp list in: !chroot, check list: @default-keep, prelist: unknown, Child process initialized in 102.95 ms ``` EDIT: a few more questions 1. What's the output of `whereis firefox`? 2. Have you run `firecfg`? If not sure, check the output of `firecfg --list` I wonder if perhaps there's an issue/conflict with firejail and firecfg if firejail is installed to `/usr/local/bin` as seems to be the case here.
gitea-mirror commented 2026-05-05 08:46:17 -06:00
Author
Owner
Copy link

@Fred-Barclay commented on GitHub (Apr 9, 2020):

Edit 2: try firejail --private /usr/bin/firefox

It looks like you have used firecfg so firefox would be starting in firejail automatically - so firejail --private firefox is calling firejail --private on an already-firejailed firefox (i.e. attempting to double-sandbox). Hence the issues.
Probably someone else can explain it better than me though..

<!-- gh-comment-id:611304018 --> @Fred-Barclay commented on GitHub (Apr 9, 2020): Edit 2: try `firejail --private /usr/bin/firefox` It looks like you have used `firecfg` so firefox would be starting in firejail automatically - so `firejail --private firefox` is calling `firejail --private` on an already-firejailed firefox (i.e. attempting to double-sandbox). Hence the issues. Probably someone else can explain it better than me though..
gitea-mirror commented 2026-05-05 08:46:19 -06:00
Author
Owner
Copy link

@matu3ba commented on GitHub (Apr 9, 2020):

firejail --private /usr/bin/firefox works. Thanks.
Are double-sandboxes now forbidden?
Then the output (expecting users to give the absolute path) could be handled better for users than

Error: execute permission denied for /usr/local/bin/firefox
Error: no suitable firefox executable found
<!-- gh-comment-id:611305882 --> @matu3ba commented on GitHub (Apr 9, 2020): `firejail --private /usr/bin/firefox` works. Thanks. Are double-sandboxes now forbidden? Then the output (expecting users to give the absolute path) could be handled better for users than ``` Error: execute permission denied for /usr/local/bin/firefox Error: no suitable firefox executable found ```
gitea-mirror commented 2026-05-05 08:46:20 -06:00
Author
Owner
Copy link

@matu3ba commented on GitHub (Apr 9, 2020):

whereis firefox
firefox: /usr/bin/firefox /usr/lib/firefox /usr/local/bin/firefox
firecfg --list | grep firefox
/usr/local/bin/firefox

<!-- gh-comment-id:611306250 --> @matu3ba commented on GitHub (Apr 9, 2020): `whereis firefox` firefox: /usr/bin/firefox /usr/lib/firefox /usr/local/bin/firefox `firecfg --list | grep firefox` /usr/local/bin/firefox
gitea-mirror commented 2026-05-05 08:46:21 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Apr 9, 2020):

Are double-sandboxes now forbidden?

Forbidden no, but it sure isn't advised to run firejail like that. If you do, either applications will fail to start, or end up being executed in a sandbox environment that isn't designed for them. In other words, expect breakage just about everywhere.

I wonder if perhaps there's an issue/conflict with firejail and firecfg if firejail is installed to /usr/local/bin as seems to be the case here.

@Fred-Barclay It sure looks that way. But that doesn't explain why all the firejail files ended up under /usr/local. @matu3ba Did you install firejail from git manually by any chance? I don't think there's an official Manjaro repository that carries firejail 0.9.63. If you show us your PKGBUILD, we can help to un-confuse your setup.

<!-- gh-comment-id:611334207 --> @ghost commented on GitHub (Apr 9, 2020): > Are double-sandboxes now forbidden? Forbidden no, but it sure isn't advised to run firejail like that. If you do, either applications will fail to start, or end up being executed in a sandbox environment that isn't designed for them. In other words, expect breakage just about everywhere. > I wonder if perhaps there's an issue/conflict with firejail and firecfg if firejail is installed to /usr/local/bin as seems to be the case here. @Fred-Barclay It sure looks that way. But that doesn't explain why all the firejail files ended up under /usr/local. @matu3ba Did you install firejail from git manually by any chance? I don't think there's an official Manjaro repository that carries firejail 0.9.63. If you show us your PKGBUILD, we can help to un-confuse your setup.
gitea-mirror commented 2026-05-05 08:46:22 -06:00
Author
Owner
Copy link

@matu3ba commented on GitHub (Apr 9, 2020):

Are double-sandboxes now forbidden?

Forbidden no, but it sure isn't advised to run firejail like that. If you do, either applications will fail to start, or end up being executed in a sandbox environment that isn't designed for them. In other words, expect breakage just about everywhere.

This contradicts or is unclear regarding advisory from the usage section of the blog.

I wonder if perhaps there's an issue/conflict with firejail and firecfg if firejail is installed to /usr/local/bin as seems to be the case here.

@Fred-Barclay It sure looks that way. But that doesn't explain why all the firejail files ended up under /usr/local. @matu3ba Did you install firejail from git manually by any chance? I don't think there's an official Manjaro repository that carries firejail 0.9.63. If you show us your PKGBUILD, we can help to un-confuse your setup.

Yes, I do use the latest git master. The bug report template should ask this.

<!-- gh-comment-id:611510025 --> @matu3ba commented on GitHub (Apr 9, 2020): > > Are double-sandboxes now forbidden? > > Forbidden no, but it sure isn't advised to run firejail like that. If you do, either applications will fail to start, or end up being executed in a sandbox environment that isn't designed for them. In other words, expect breakage just about everywhere. This contradicts or is unclear regarding advisory from [the usage section of the blog](https://firejail.wordpress.com/documentation-2/firefox-guide/). > > I wonder if perhaps there's an issue/conflict with firejail and firecfg if firejail is installed to /usr/local/bin as seems to be the case here. > > @Fred-Barclay It sure looks that way. But that doesn't explain why all the firejail files ended up under /usr/local. @matu3ba Did you install firejail from git manually by any chance? I don't think there's an official Manjaro repository that carries firejail 0.9.63. If you show us your PKGBUILD, we can help to un-confuse your setup. Yes, I do use the latest git master. The bug report template should ask this.
gitea-mirror commented 2026-05-05 08:46:23 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Apr 9, 2020):

Yes, I do use the latest git master.

Thanks for clearing that up. If you didn't use the ---prefix=/usr flag, I suggest you do ( see the firejail-git PKGBUILD on AUR for example). On a side-note, if you're going to use firejail from git, it is not uncommon to rebuild several times a day. A compiler cache like ccache can speed things up quite a bit for such a workflow, just a tip.

After taking care of all that and reinstalling firejail, you might as well reset all the symlinks firecfg has put in /usr/local/bin too:

$ sudo firecfg --clean
$ sudo firecfg

Or alternatively use the python script @rusty-snake offered in #2624. When all that is done you should now see expected behaviour when running firejail firefox from the command line and bring some regained sanity to your system.

<!-- gh-comment-id:611623863 --> @ghost commented on GitHub (Apr 9, 2020): > Yes, I do use the latest git master. Thanks for clearing that up. If you didn't use the `---prefix=/usr` flag, I suggest you do ( see the [firejail-git](https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=firejail-git#n26) PKGBUILD on AUR for example). On a side-note, if you're going to use firejail from git, it is not uncommon to rebuild several times a day. A compiler cache like [ccache](https://wiki.archlinux.org/index.php/Ccache) can speed things up quite a bit for such a workflow, just a tip. After taking care of all that and reinstalling firejail, you might as well reset all the symlinks firecfg has put in /usr/local/bin too: ``` $ sudo firecfg --clean $ sudo firecfg ``` Or alternatively use the python script @rusty-snake offered in #2624. When all that is done you _should_ now see expected behaviour when running `firejail firefox` from the command line and bring some regained sanity to your system.
gitea-mirror commented 2026-05-05 08:46:24 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Apr 9, 2020):

FYI: I use a script to complie and install firejail. Customize as you want.

click me 
#!/bin/bash

# Copyright © 2020 rusty-snake
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

set -e
./configure --prefix=/usr \
#    --enable-selinux
#    --enable-apparmor \
#    --disable-chroot \
#    --disable-file-transfer \
#    --disable-firetunnel \
#    --disable-network \
#    --disable-overlayfs \
#    --disable-private-home \
#    --disable-seccomp \
#    --disable-userns \
#    --disable-whitelist \
#    --disable-x11 \
make
# sudo make install-strip -- broken for me
sudo make install
# Use pre/post-globals.local:
sudo awk -i inplace '
{ 
  if ($0 == "include globals.local") {
    has_globals = 1
    print "include pre-globals.local"
  } else {
    print
  }
}
ENDFILE { 
  if (has_globals)
    print "\ninclude post-globals.local"
  has_globals = 0
}
' /etc/firejail/*.profile
echo "Appending the following to /etc/firejail/firejail.config for hardening ..."
cat << EOF | sudo tee -a /etc/firejail/firejail.config

#############
# Hardening #
#############

# Deny apparmor
#apparmor no

# Deny bind
#bind no

# Deny cgroup
#cgroup no

# Deny chroot
#chroot no

# Force disable-mnt
#disable-mnt yes

# Disable file transfer
#file-transfer no

# Force nonewprivs
force-nonewprivs yes

# Deny join
#join no

# Deny name
#name-change no

# Deny net netfilter and interface
#network no

# Deny overlayfs
#overlayfs no

# Deny private-home
#private-home no

# Deny private-cache
#private-cache no

# Deny private-lib
#private-lib no

# Resrict network features to root only
restricted-network yes

# Deny seccomp
#seccomp no

# Deny noroot
#userns no

# Deny whitelist
#whitelist no

# Deny x11
#x11 no
EOF
<!-- gh-comment-id:611641833 --> @rusty-snake commented on GitHub (Apr 9, 2020): FYI: I use a script to complie and install firejail. Customize as you want. <details><summary> click me </summary> ```bash #!/bin/bash # Copyright © 2020 rusty-snake # # Permission to use, copy, modify, and distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. set -e ./configure --prefix=/usr \ # --enable-selinux # --enable-apparmor \ # --disable-chroot \ # --disable-file-transfer \ # --disable-firetunnel \ # --disable-network \ # --disable-overlayfs \ # --disable-private-home \ # --disable-seccomp \ # --disable-userns \ # --disable-whitelist \ # --disable-x11 \ make # sudo make install-strip -- broken for me sudo make install # Use pre/post-globals.local: sudo awk -i inplace ' { if ($0 == "include globals.local") { has_globals = 1 print "include pre-globals.local" } else { print } } ENDFILE { if (has_globals) print "\ninclude post-globals.local" has_globals = 0 } ' /etc/firejail/*.profile echo "Appending the following to /etc/firejail/firejail.config for hardening ..." cat << EOF | sudo tee -a /etc/firejail/firejail.config ############# # Hardening # ############# # Deny apparmor #apparmor no # Deny bind #bind no # Deny cgroup #cgroup no # Deny chroot #chroot no # Force disable-mnt #disable-mnt yes # Disable file transfer #file-transfer no # Force nonewprivs force-nonewprivs yes # Deny join #join no # Deny name #name-change no # Deny net netfilter and interface #network no # Deny overlayfs #overlayfs no # Deny private-home #private-home no # Deny private-cache #private-cache no # Deny private-lib #private-lib no # Resrict network features to root only restricted-network yes # Deny seccomp #seccomp no # Deny noroot #userns no # Deny whitelist #whitelist no # Deny x11 #x11 no EOF ``` </summary>
gitea-mirror commented 2026-05-05 08:46:25 -06:00
Author
Owner
Copy link

@matu3ba commented on GitHub (Apr 9, 2020):

Yes, I do use the latest git master.

Thanks for clearing that up. If you didn't use the ---prefix=/usr flag, I suggest you do ( see the firejail-git PKGBUILD on AUR for example). On a side-note, if you're going to use firejail from git, it is not uncommon to rebuild several times a day. A compiler cache like ccache can speed things up quite a bit for such a workflow, just a tip.

Configured with: /build/gcc/src/gcc/configure --prefix=/usr --libdir=/usr/lib --libexecdir=/usr/lib --mandir=/usr/share/man --infodir=/usr/share/info --with-pkgversion='Arch Linux 9.3.0-1' --with-bugurl=https://bugs.archlinux.org/ --enable-languages=c,c++,ada,fortran,go,lto,objc,obj-c++,d --enable-shared --enable-threads=posix --with-system-zlib --with-isl --enable-__cxa_atexit --disable-libunwind-exceptions --enable-clocale=gnu --disable-libstdcxx-pch --disable-libssp --enable-gnu-unique-object --enable-linker-build-id --enable-lto --enable-plugin --enable-install-libiberty --with-linker-hash-style=gnu --enable-gnu-indirect-function --enable-multilib --disable-werror --enable-checking=release --enable-default-pie --enable-default-ssp --enable-cet=auto gdc_include_dir=/usr/include/dlang/gdc

After taking care of all that and reinstalling firejail, you might as well reset all the symlinks firecfg has put in /usr/local/bin too:

$ sudo firecfg --clean
$ sudo firecfg

Or alternatively use the python script @rusty-snake offered in #2624. When all that is done you should now see expected behaviour when running firejail firefox from the command line and bring some regained sanity to your system.

Removing firejail with sudo make uninstall and building with AUR yields the exact same error on running firejail --private firefox.

Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Child process initialized in 108.65 ms
Error: execute permission denied for /usr/local/bin/firefox
Error: no suitable firefox executable found

Can you reproduce? If this is intended not to work, it should be documented or better an according user feedback should be given.

<!-- gh-comment-id:611805210 --> @matu3ba commented on GitHub (Apr 9, 2020): > > Yes, I do use the latest git master. > > Thanks for clearing that up. If you didn't use the `---prefix=/usr` flag, I suggest you do ( see the [firejail-git](https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=firejail-git#n26) PKGBUILD on AUR for example). On a side-note, if you're going to use firejail from git, it is not uncommon to rebuild several times a day. A compiler cache like [ccache](https://wiki.archlinux.org/index.php/Ccache) can speed things up quite a bit for such a workflow, just a tip. Configured with: /build/gcc/src/gcc/configure **--prefix=/usr** --libdir=/usr/lib --libexecdir=/usr/lib --mandir=/usr/share/man --infodir=/usr/share/info --with-pkgversion='Arch Linux 9.3.0-1' --with-bugurl=https://bugs.archlinux.org/ --enable-languages=c,c++,ada,fortran,go,lto,objc,obj-c++,d --enable-shared --enable-threads=posix --with-system-zlib --with-isl --enable-__cxa_atexit --disable-libunwind-exceptions --enable-clocale=gnu --disable-libstdcxx-pch --disable-libssp --enable-gnu-unique-object --enable-linker-build-id --enable-lto --enable-plugin --enable-install-libiberty --with-linker-hash-style=gnu --enable-gnu-indirect-function --enable-multilib --disable-werror --enable-checking=release --enable-default-pie --enable-default-ssp --enable-cet=auto gdc_include_dir=/usr/include/dlang/gdc > After taking care of all that and reinstalling firejail, you might as well reset all the symlinks firecfg has put in /usr/local/bin too: > > ``` > $ sudo firecfg --clean > $ sudo firecfg > ``` > > Or alternatively use the python script @rusty-snake offered in #2624. When all that is done you _should_ now see expected behaviour when running `firejail firefox` from the command line and bring some regained sanity to your system. Removing firejail with `sudo make uninstall` and building with AUR yields the exact same error on running `firejail --private firefox`. ``` Warning: Cannot confine the application using AppArmor. Maybe firejail-default AppArmor profile is not loaded into the kernel. As root, run "aa-enforce firejail-default" to load it. Child process initialized in 108.65 ms Error: execute permission denied for /usr/local/bin/firefox Error: no suitable firefox executable found ``` Can you reproduce? If this is intended not to work, it should be documented or better an according user feedback should be given.
gitea-mirror commented 2026-05-05 08:46:27 -06:00
Author
Owner
Copy link

@matu3ba commented on GitHub (Apr 9, 2020):

@rusty-snake @glitsj16 Thanks for the build setup recommendations though. Since the AUR is more easily usable for me I tried that one and found no difference.
@rusty-snake Your script looks very nice for digging into options.

<!-- gh-comment-id:611806464 --> @matu3ba commented on GitHub (Apr 9, 2020): @rusty-snake @glitsj16 Thanks for the build setup recommendations though. Since the AUR is more easily usable for me I tried that one and found no difference. @rusty-snake Your script looks very nice for digging into options.
gitea-mirror commented 2026-05-05 08:46:28 -06:00
Author
Owner
Copy link

@netblue30 commented on GitHub (Apr 10, 2020):

on debian stable:

$ firejail firefox
[...]
Error: execute permission denied for /usr/local/bin/firefox
Error: no suitable firefox executable found

It works fine if I remove "shell none" from the profile or if provide a full path:

firejail --ignore=shell firefox
firejail /usr/bin/firefox
<!-- gh-comment-id:611819058 --> @netblue30 commented on GitHub (Apr 10, 2020): on debian stable: ````` $ firejail firefox [...] Error: execute permission denied for /usr/local/bin/firefox Error: no suitable firefox executable found `````` It works fine if I remove "shell none" from the profile or if provide a full path: ````` firejail --ignore=shell firefox firejail /usr/bin/firefox `````
gitea-mirror commented 2026-05-05 08:46:28 -06:00
Author
Owner
Copy link

@matu3ba commented on GitHub (Apr 10, 2020):

@netblue30
Yes, but this behavior (of not allowing nested sandboxes) should be added to Desktop integration in the README.md.
And in the best case for users from distributions an according output should be given.

<!-- gh-comment-id:611832704 --> @matu3ba commented on GitHub (Apr 10, 2020): @netblue30 Yes, but this behavior (of not allowing nested sandboxes) should be added to *Desktop integration* in the README.md. And in the best case for users from distributions an according output should be given.
gitea-mirror commented 2026-05-05 08:46:29 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Apr 10, 2020):

As a workaround you can remove /usr/local/bin from $PATH (in the sandbox).

<!-- gh-comment-id:611943576 --> @rusty-snake commented on GitHub (Apr 10, 2020): As a workaround you can remove /usr/local/bin from $PATH (in the sandbox).
gitea-mirror commented 2026-05-05 08:46:30 -06:00
Author
Owner
Copy link

@matu3ba commented on GitHub (Apr 12, 2020):

Since this worked before and users may depend on this behavior, the solution options would be:

  1. force users updating their scripts
  2. checking and writing this inside firejails config file in etc/firejail/firejail.config
  3. writing something new for dynamic handling until next stable release
<!-- gh-comment-id:612547556 --> @matu3ba commented on GitHub (Apr 12, 2020): Since this worked before and users may depend on this behavior, the solution options would be: 1. force users updating their scripts 2. checking and writing this inside firejails config file in `etc/firejail/firejail.config` 3. writing something new for dynamic handling until next stable release
gitea-mirror commented 2026-05-05 08:46:31 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Apr 12, 2020):

@matu3ba This was all a bit confusing at first, but this should fix the issue.

<!-- gh-comment-id:612550876 --> @ghost commented on GitHub (Apr 12, 2020): @matu3ba This was all a bit confusing at first, but this should fix the issue.
gitea-mirror commented 2026-05-05 08:46:31 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Apr 12, 2020):

ca6eec7 can be reverted

In the past firejail has shows Warning: an existing sandbox was detected. /usr/bin/XXX will run without any additional sandboxing features when starting a firecfg symlink, but now it shows bash: /usr/local/bin/XXX: Permission denied. So I bisect this and found 0e85136b. The issue here is that gjs is in firecfg.config, therefore the first occurs of gjs in ${PATH} is /usr/local/bin/gjs, which is a symlinl to /usr/bin/firejail. The blacklist ${PATH}/gjs in 0e85136b will then blacklist /usr/bin/firejail.
As a workaround add noblacklist ${PATH}/gjs in firefox.local (and where else it is needed) or remove /usr/local/bin/gjs.

How do we want to fix this?

  1. drop gjs from firecfg
  2. drop blacklist gjs
  3. skip firecfg-symlinks while searching ${PATH}
<!-- gh-comment-id:612601102 --> @rusty-snake commented on GitHub (Apr 12, 2020): _ca6eec7 can be reverted_ In the past firejail has shows `Warning: an existing sandbox was detected. /usr/bin/XXX will run without any additional sandboxing features` when starting a firecfg symlink, but now it shows `bash: /usr/local/bin/XXX: Permission denied`. So I bisect this and found 0e85136b. The issue here is that gjs is in firecfg.config, therefore the first occurs of gjs in ${PATH} is /usr/local/bin/gjs, which is a symlinl to /usr/bin/firejail. The `blacklist ${PATH}/gjs` in 0e85136b will then blacklist /usr/bin/firejail. As a workaround add `noblacklist ${PATH}/gjs` in firefox.local (and where else it is needed) or remove /usr/local/bin/gjs. How do we want to fix this? 1. drop gjs from firecfg 2. drop blacklist gjs 3. skip firecfg-symlinks while searching ${PATH}
gitea-mirror commented 2026-05-05 08:46:32 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Apr 12, 2020):

@rusty-snake Nice detective work. I didn't like taking out shell none in firefox-common.profile but wasn't aware at the time there was an alternative.

How do we want to fix this?

drop gjs from firecfg
drop blacklist gjs
skip firecfg-symlinks while searching ${PATH}

I would go with 1, drop gjs from firecfg. That seems to be the least invasive. I would prefer to keep Warning: an existing sandbox was detected. /usr/bin/XXX will run without any additional sandboxing features, as that is a valuable indication something is wrong in a user's firejail setup. Just me though...

<!-- gh-comment-id:612623710 --> @ghost commented on GitHub (Apr 12, 2020): @rusty-snake Nice detective work. I didn't like taking out `shell none` in firefox-common.profile but wasn't aware at the time there was an alternative. > How do we want to fix this? > > drop gjs from firecfg > drop blacklist gjs > skip firecfg-symlinks while searching ${PATH} I would go with 1, drop gjs from firecfg. That seems to be the least invasive. I would prefer to keep `Warning: an existing sandbox was detected. /usr/bin/XXX will run without any additional sandboxing features`, as that is a valuable indication something is wrong in a user's firejail setup. Just me though...
gitea-mirror commented 2026-05-05 08:46:32 -06:00
Author
Owner
Copy link

@matu3ba commented on GitHub (Apr 12, 2020):

@glitsj16 @rusty-snake I would prefer not removing stuff that contains programs and thus the third option.
In the message the additional sandboxing features sound abit vague. Potential unsafe setting/option does sound better to me.
The warning could be adapted to:
Warning: Bypassing firecfg $firecfgPATH for loading $BINPATH with the according profile. See #issue

<!-- gh-comment-id:612686058 --> @matu3ba commented on GitHub (Apr 12, 2020): @glitsj16 @rusty-snake I would prefer not removing stuff that contains programs and thus the third option. In the message the `additional sandboxing features` sound abit vague. Potential unsafe setting/option does sound better to me. The warning could be adapted to: `Warning: Bypassing firecfg $firecfgPATH for loading $BINPATH with the according profile. See #issue`
gitea-mirror commented 2026-05-05 08:46:32 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Apr 15, 2020):

Almost forgot, I reverted ca6eec7dcf. Can we close here?

<!-- gh-comment-id:614001252 --> @ghost commented on GitHub (Apr 15, 2020): Almost forgot, I reverted https://github.com/netblue30/firejail/commit/ca6eec7dcf388c3d0bf52f54c56f7c957b8b777b. Can we close here?
gitea-mirror commented 2026-05-05 08:46:32 -06:00
Author
Owner
Copy link

@matu3ba commented on GitHub (Apr 15, 2020):

@glitsj16 Tested your revert c6e77685d4744321d7e0f39b1332c383991bade6.
firejail --ignore=shell firefox works as expected, but firejail firefox and firejail --private firefox still fail.
It is abit confusing that the naming in firefox-common.profile is different (shell none ).

I have a benchmark running for 1.5 days and would need to restart to definitely confirm though.

Would be nice, if the discussion starting with would be continued elsewhere or a decision be written.

<!-- gh-comment-id:614081048 --> @matu3ba commented on GitHub (Apr 15, 2020): @glitsj16 Tested your revert `c6e77685d4744321d7e0f39b1332c383991bade6`. `firejail --ignore=shell firefox` works as expected, but `firejail firefox` and `firejail --private firefox` still fail. It is abit confusing that the naming in firefox-common.profile is different (`shell none `). I have a benchmark running for 1.5 days and would need to restart to definitely confirm though. Would be nice, if the discussion starting [with](https://github.com/netblue30/firejail/issues/3333#issuecomment-612547556) would be continued elsewhere or a decision be written.
gitea-mirror commented 2026-05-05 08:46:33 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Apr 15, 2020):

It is abit confusing that the naming in firefox-common.profile is different (shell none ).

Using --ignore="shell none" should work just the same if that's less confusing for you. All --ignore specifications can be double-quoted like this BTW.

@matu3ba Did you remove the gjs symlink in /usr/local/bin? @rusty-snake's alternative assumes that to be non-existing, which is why it is now dropped from firecfg via 2cbdc4399a. At least that's my understanding of the discussion here.

Would be nice, if the discussion starting with would be continued elsewhere or a decision be written.

Why move it? We're dealing with it right here :-)

<!-- gh-comment-id:614121498 --> @ghost commented on GitHub (Apr 15, 2020): > It is abit confusing that the naming in firefox-common.profile is different (shell none ). Using `--ignore="shell none"` should work just the same if that's less confusing for you. All --ignore specifications can be double-quoted like this BTW. @matu3ba Did you remove the `gjs` symlink in /usr/local/bin? @rusty-snake's alternative assumes that to be non-existing, which is why it is now dropped from firecfg via https://github.com/netblue30/firejail/commit/2cbdc4399a2a98ee6822ea2512eaaee0c39dac5b. At least that's my understanding of the discussion here. > Would be nice, if the discussion starting with would be continued elsewhere or a decision be written. Why move it? We're dealing with it right here :-)
gitea-mirror commented 2026-05-05 08:46:34 -06:00
Author
Owner
Copy link

@matu3ba commented on GitHub (Apr 15, 2020):

@matu3ba Did you remove the gjs symlink in /usr/local/bin? @rusty-snake's alternative assumes that to be non-existing, which is why it is now dropped from firecfg via 2cbdc43. At least that's my understanding of the discussion here.

Yes. Also I did move gjs.profile from /usr/local/etc/firejail, but it still has the error in commit c6e77685d4744321d7e0f39b1332c383991bade6. However I still want to restart tomorrow (due to driver updates after Kernel update), to be sure.

firejail firefox
...
Error: execute permission denied for /usr/local/bin/firefox
Error: no suitable firefox executable found

Funnily the hash also ends in bade6.

Would be nice, if the discussion starting with would be continued elsewhere or a decision be written.

Why move it? We're dealing with it right here :-)

Ah. 👍

<!-- gh-comment-id:614168632 --> @matu3ba commented on GitHub (Apr 15, 2020): > @matu3ba Did you remove the `gjs` symlink in /usr/local/bin? @rusty-snake's alternative assumes that to be non-existing, which is why it is now dropped from firecfg via [2cbdc43](https://github.com/netblue30/firejail/commit/2cbdc4399a2a98ee6822ea2512eaaee0c39dac5b). At least that's my understanding of the discussion here. > Yes. Also I did move gjs.profile from `/usr/local/etc/firejail`, but it still has the error in `commit c6e77685d4744321d7e0f39b1332c383991bade6`. However I still want to restart tomorrow (due to driver updates after Kernel update), **to be sure**. ``` firejail firefox ... Error: execute permission denied for /usr/local/bin/firefox Error: no suitable firefox executable found ``` Funnily the hash also ends in `bade6`. > > Would be nice, if the discussion starting with would be continued elsewhere or a decision be written. > > Why move it? We're dealing with it right here :-) Ah. 👍
gitea-mirror commented 2026-05-05 08:46:34 -06:00
Author
Owner
Copy link

@matu3ba commented on GitHub (Apr 17, 2020):

@glitsj16 Nope, still does not work on master (c6e77685d4).

<!-- gh-comment-id:615046041 --> @matu3ba commented on GitHub (Apr 17, 2020): @glitsj16 Nope, still does not work on master (c6e77685d4744321d7e0f39b1332c383991bade6).
gitea-mirror commented 2026-05-05 08:46:34 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Apr 17, 2020):

firejail --profile=firefox bash -c 'ls -l $(which firefox)'

<!-- gh-comment-id:615375547 --> @rusty-snake commented on GitHub (Apr 17, 2020): `firejail --profile=firefox bash -c 'ls -l $(which firefox)'`
gitea-mirror commented 2026-05-05 08:46:35 -06:00
Author
Owner
Copy link

@matu3ba commented on GitHub (Apr 17, 2020):

firejail --profile=firefox bash -c 'ls -l $(which firefox)'

Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: not remounting /run/user/1000/gvfs
Warning: cleaning all supplementary groups
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Child process initialized in 327.11 ms
-rwxr-xr-x 1 nobody nobody 45  6. Apr 13:43 /usr/bin/firefox
<!-- gh-comment-id:615394154 --> @matu3ba commented on GitHub (Apr 17, 2020): `firejail --profile=firefox bash -c 'ls -l $(which firefox)'` ``` Warning: cleaning all supplementary groups Warning: cleaning all supplementary groups Warning: cleaning all supplementary groups Warning: /sbin directory link was not blacklisted Warning: /usr/sbin directory link was not blacklisted Warning: not remounting /run/user/1000/gvfs Warning: cleaning all supplementary groups Seccomp list in: !chroot, check list: @default-keep, prelist: unknown, Child process initialized in 327.11 ms -rwxr-xr-x 1 nobody nobody 45 6. Apr 13:43 /usr/bin/firefox ```
gitea-mirror commented 2026-05-05 08:46:35 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Apr 17, 2020):

If you use --debug, you get trying #/usr/local/bin/firefox# Warning: an existing sandbox was detected. /usr/bin/firefox will run without any additional sandboxing features ?

<!-- gh-comment-id:615403804 --> @rusty-snake commented on GitHub (Apr 17, 2020): If you use `--debug`, you get `trying #/usr/local/bin/firefox# Warning: an existing sandbox was detected. /usr/bin/firefox will run without any additional sandboxing features` ?
gitea-mirror commented 2026-05-05 08:46:35 -06:00
Author
Owner
Copy link

@matu3ba commented on GitHub (Apr 17, 2020):

firejail --debug firefox from commit e467bf5be3

No supplementary groups
]0;firejail firefox Child process initialized in 331.74 ms
starting application
LD_PRELOAD=(null)
execvp argument 0: firefox
Error: execute permission denied for /usr/local/bin/firefox
Error: no suitable firefox executable found
Searching $PATH for firefox
trying #/home/user/.cargo/bin/firefox#
trying #/home/user/.local/bin/firefox#
trying #/usr/local/bin/firefox#
Installing /run/firejail/mnt/seccomp/seccomp seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter

Parent is shutting down, bye...

firejail --shell=none --debug firefox does not complain at all.

What I dont understand is why it does not emit Disable /usr/bin/firefox or similar. Should this not be emitted in --debug ?
Also I dont see any Disable /usr/bin/* or alike on running grep -rn "/usr/bin/*" etc.

<!-- gh-comment-id:615425473 --> @matu3ba commented on GitHub (Apr 17, 2020): `firejail --debug firefox` from commit e467bf5be33c8543cc20e9297ef09f878a68bb3a ``` No supplementary groups ]0;firejail firefox Child process initialized in 331.74 ms starting application LD_PRELOAD=(null) execvp argument 0: firefox Error: execute permission denied for /usr/local/bin/firefox Error: no suitable firefox executable found Searching $PATH for firefox trying #/home/user/.cargo/bin/firefox# trying #/home/user/.local/bin/firefox# trying #/usr/local/bin/firefox# Installing /run/firejail/mnt/seccomp/seccomp seccomp filter Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter Parent is shutting down, bye... ``` `firejail --shell=none --debug firefox` does not complain at all. What I dont understand is why it does not emit `Disable /usr/bin/firefox` or similar. Should this not be emitted in `--debug` ? Also I dont see any `Disable /usr/bin/*` or alike on running `grep -rn "/usr/bin/*" etc`.
gitea-mirror commented 2026-05-05 08:46:36 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Apr 24, 2020):

What I dont understand is why it does not emit Disable /usr/bin/firefox or similar. Should this not be emitted in --debug ?

Why should it disable firefox?

<!-- gh-comment-id:619209454 --> @rusty-snake commented on GitHub (Apr 24, 2020): >What I dont understand is why it does not emit Disable /usr/bin/firefox or similar. Should this not be emitted in --debug ? Why should it disable firefox?
gitea-mirror commented 2026-05-05 08:46:36 -06:00
Author
Owner
Copy link

@matu3ba commented on GitHub (Apr 25, 2020):

What I dont understand is why it does not emit Disable /usr/bin/firefox or similar. Should this not be emitted in --debug ?

Why should it disable firefox?

Sorry, that was wrong. It should disable /usr/bin depending on the use case.

<!-- gh-comment-id:619422479 --> @matu3ba commented on GitHub (Apr 25, 2020): > > What I dont understand is why it does not emit Disable /usr/bin/firefox or similar. Should this not be emitted in --debug ? > > Why should it disable firefox? Sorry, that was wrong. It should disable `/usr/bin` depending on the use case.
gitea-mirror commented 2026-05-05 08:46:37 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Apr 25, 2020):

Why do you want to blacklist /usr/bin?

<!-- gh-comment-id:619428343 --> @rusty-snake commented on GitHub (Apr 25, 2020): Why do you want to `blacklist /usr/bin`?
gitea-mirror commented 2026-05-05 08:46:37 -06:00
Author
Owner
Copy link

@matu3ba commented on GitHub (Apr 25, 2020):

I dont like the idea some other broken program may be altered to rsync my data over web.

<!-- gh-comment-id:619432122 --> @matu3ba commented on GitHub (Apr 25, 2020): I dont like the idea some other broken program may be altered to `rsync` my data over web.
gitea-mirror commented 2026-05-05 08:46:37 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Apr 25, 2020):

You can use blacklist ${PATH}/rsync to blacklist rsync if you want. In addition you can use private-bin to restrict the available programs to a whitelisted minimum. (An attacker still can have its own rsync).

<!-- gh-comment-id:619434080 --> @rusty-snake commented on GitHub (Apr 25, 2020): You can use `blacklist ${PATH}/rsync` to blacklist rsync if you want. In addition you can use `private-bin` to restrict the available programs to a whitelisted minimum. (An attacker still can have its own rsync).
gitea-mirror commented 2026-05-05 08:46:38 -06:00
Author
Owner
Copy link

@smitsohu commented on GitHub (Sep 1, 2020):

Fixed in e4249dec74 ?

<!-- gh-comment-id:684812340 --> @smitsohu commented on GitHub (Sep 1, 2020): Fixed in e4249dec74a83b6564d9dda19ed069ee438cf4b0 ?
gitea-mirror commented 2026-05-05 08:46:38 -06:00
Author
Owner
Copy link

@matu3ba commented on GitHub (Sep 2, 2020):

@smitsohu Indeed fixed with commit e4249de. Thanks for pointing that out.

<!-- gh-comment-id:685739953 --> @matu3ba commented on GitHub (Sep 2, 2020): @smitsohu Indeed fixed with commit e4249de. Thanks for pointing that out.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2094
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?