github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #3343] rambox: fails to start #2097

New issue
Closed
opened 2026-05-05 08:46:39 -06:00 by gitea-mirror · 4 comments
gitea-mirror commented 2026-05-05 08:46:39 -06:00
Owner
Copy link

Originally created by @ghost on GitHub (Apr 10, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3343

Describe the bug
rambox application doesn't start, core dumped.

$ rambox
Reading profile /etc/firejail/rambox.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 23792, child pid 23793
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: cleaning all supplementary groups
Child process initialized in 94.56 ms

Parent is shutting down, bye...
$ firejail --profile=rambox 
Reading profile /etc/firejail/rambox.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 23832, child pid 23833
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: cleaning all supplementary groups
Child process initialized in 95.41 ms
$ rambox
Warning: an existing sandbox was detected. /usr/bin/rambox will run without any additional sandboxing features
`trap' para punto de parada/seguimiento (`core' generado)
$ exit
exit

Parent is shutting down, bye...

Behavior change on disabling firejail
rambox runs right with --noprofile:

$ firejail --noprofile rambox
Parent pid 23884, child pid 23885
Child process initialized in 6.85 ms
Warning: an existing sandbox was detected. /usr/bin/rambox will run without any additional sandboxing features
(electron) 'getName function' is deprecated and will be removed. Please use 'name property' instead.
(electron) 'setBadgeCount function' is deprecated and will be removed. Please use 'badgeCount property' instead.
(electron) 'setZoomLevel function' is deprecated and will be removed. Please use 'zoomLevel property' instead.

Parent is shutting down, bye...

To Reproduce
Just execute rambox or firejail rambox.

Expected behavior
Rambox application should start and not generate a core dumped. I think the problem is related with seccomp because if I ignore it, application starts:

$ firejail --ignore=seccomp rambox
Reading profile /etc/firejail/rambox.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 24207, child pid 24208
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: cleaning all supplementary groups
Child process initialized in 97.11 ms
Warning: an existing sandbox was detected. /usr/bin/rambox will run without any additional sandboxing features
(electron) 'getName function' is deprecated and will be removed. Please use 'name property' instead.

(rambox:5): dconf-WARNING **: 13:37:45.444: Unable to open /var/lib/flatpak/exports/share/dconf/profile/user: Permiso denegado
(electron) 'setBadgeCount function' is deprecated and will be removed. Please use 'badgeCount property' instead.
(electron) 'setZoomLevel function' is deprecated and will be removed. Please use 'zoomLevel property' instead.
../../sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc:**CRASHING**:seccomp-bpf failure in syscall 0230

Parent is shutting down, bye...

Desktop (please complete the following information):

$ lsb_release -a
LSB Version:	1.4
Distributor ID:	Arch
Description:	Arch Linux
Release:	rolling
Codename:	n/a

$ firejail --version
firejail version 0.9.62

Compile time support:
	- AppArmor support is enabled
	- AppImage support is enabled
	- chroot support is enabled
	- file and directory whitelisting support is enabled
	- file transfer support is enabled
	- firetunnel support is enabled
	- networking support is enabled
	- overlayfs support is enabled
	- private-home support is enabled
	- seccomp-bpf support is enabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled
Originally created by @ghost on GitHub (Apr 10, 2020). Original GitHub issue: https://github.com/netblue30/firejail/issues/3343 **Describe the bug** rambox application doesn't start, core dumped. ```bash $ rambox Reading profile /etc/firejail/rambox.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-interpreters.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/whitelist-common.inc Parent pid 23792, child pid 23793 Warning: cleaning all supplementary groups Warning: /sbin directory link was not blacklisted Warning: /usr/sbin directory link was not blacklisted Warning: cleaning all supplementary groups Child process initialized in 94.56 ms Parent is shutting down, bye... $ firejail --profile=rambox Reading profile /etc/firejail/rambox.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-interpreters.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/whitelist-common.inc Parent pid 23832, child pid 23833 Warning: cleaning all supplementary groups Warning: /sbin directory link was not blacklisted Warning: /usr/sbin directory link was not blacklisted Warning: cleaning all supplementary groups Child process initialized in 95.41 ms $ rambox Warning: an existing sandbox was detected. /usr/bin/rambox will run without any additional sandboxing features `trap' para punto de parada/seguimiento (`core' generado) $ exit exit Parent is shutting down, bye... ``` **Behavior change on disabling firejail** rambox runs right with --noprofile: ```bash $ firejail --noprofile rambox Parent pid 23884, child pid 23885 Child process initialized in 6.85 ms Warning: an existing sandbox was detected. /usr/bin/rambox will run without any additional sandboxing features (electron) 'getName function' is deprecated and will be removed. Please use 'name property' instead. (electron) 'setBadgeCount function' is deprecated and will be removed. Please use 'badgeCount property' instead. (electron) 'setZoomLevel function' is deprecated and will be removed. Please use 'zoomLevel property' instead. Parent is shutting down, bye... ``` **To Reproduce** Just execute `rambox` or `firejail rambox`. **Expected behavior** Rambox application should start and not generate a core dumped. I think the problem is related with seccomp because if I ignore it, application starts: ```bash $ firejail --ignore=seccomp rambox Reading profile /etc/firejail/rambox.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-interpreters.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/whitelist-common.inc Parent pid 24207, child pid 24208 Warning: cleaning all supplementary groups Warning: /sbin directory link was not blacklisted Warning: /usr/sbin directory link was not blacklisted Warning: cleaning all supplementary groups Child process initialized in 97.11 ms Warning: an existing sandbox was detected. /usr/bin/rambox will run without any additional sandboxing features (electron) 'getName function' is deprecated and will be removed. Please use 'name property' instead. (rambox:5): dconf-WARNING **: 13:37:45.444: Unable to open /var/lib/flatpak/exports/share/dconf/profile/user: Permiso denegado (electron) 'setBadgeCount function' is deprecated and will be removed. Please use 'badgeCount property' instead. (electron) 'setZoomLevel function' is deprecated and will be removed. Please use 'zoomLevel property' instead. ../../sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc:**CRASHING**:seccomp-bpf failure in syscall 0230 Parent is shutting down, bye... ``` **Desktop (please complete the following information):** ```bash $ lsb_release -a LSB Version: 1.4 Distributor ID: Arch Description: Arch Linux Release: rolling Codename: n/a ``` ```bash $ firejail --version firejail version 0.9.62 Compile time support: - AppArmor support is enabled - AppImage support is enabled - chroot support is enabled - file and directory whitelisting support is enabled - file transfer support is enabled - firetunnel support is enabled - networking support is enabled - overlayfs support is enabled - private-home support is enabled - seccomp-bpf support is enabled - user namespace support is enabled - X11 sandboxing support is enabled ```
gitea-mirror 2026-05-05 08:46:39 -06:00
gitea-mirror commented 2026-05-05 08:46:42 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Apr 10, 2020):

Warning: an existing sandbox was detected. /usr/bin/rambox will run without any additional sandboxing features

The output you posted seems to suggest you're using firecfg to provide desktop integration for firejail, correct? In that case you will have to use the full path to the rambox executable, like firejail --profile=rambox /usr/bin/rambox to get reliable output.

That being said, electron-based applications (still) suffer from a bug and need some fixing related to seccomp, which is indeed part of the issue here apparently. Can you try with seccomp !chroot instead of seccomp please? It would be rather a big loss in the strength of our rambox profile if it would require the whole seccomp filter to be dropped. So if you could confirm it works once you feed it 'seccomp !chroot' we can fix the rambox profile accordingly and in a more secure way.

<!-- gh-comment-id:612002071 --> @ghost commented on GitHub (Apr 10, 2020): > Warning: an existing sandbox was detected. /usr/bin/rambox will run without any additional sandboxing features The output you posted seems to suggest you're using `firecfg` to provide desktop integration for firejail, correct? In that case you will have to use the full path to the rambox executable, like `firejail --profile=rambox /usr/bin/rambox` to get reliable output. That being said, electron-based applications (still) suffer from a bug and need some fixing related to seccomp, which is indeed part of the issue here apparently. Can you try with `seccomp !chroot` instead of seccomp please? It would be rather a big loss in the strength of our rambox profile if it would require the whole seccomp filter to be dropped. So if you could confirm it works once you feed it 'seccomp !chroot' we can fix the rambox profile accordingly and in a more secure way.
gitea-mirror commented 2026-05-05 08:46:43 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Apr 10, 2020):

I checked again the default profile provided for rambox in firejail 0.9.62 and the default rambox profile fails:

$ firejail --profile=rambox /usr/bin/rambox
Reading profile /etc/firejail/rambox.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 30221, child pid 30222
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: cleaning all supplementary groups
Child process initialized in 70.32 ms

Parent is shutting down, bye...

However, it works with seccomp !chroot configured in my ~/.config/firejail/rambox.profile:

$ firejail --profile=rambox /usr/bin/rambox 
Reading profile /home/zako/.config/firejail/rambox.profile
Reading profile /etc/firejail/rambox.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 30738, child pid 30739
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: cleaning all supplementary groups
Post-exec seccomp protector enabled
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Child process initialized in 80.29 ms
(electron) 'getName function' is deprecated and will be removed. Please use 'name property' instead.

(rambox:7): dconf-WARNING **: 15:52:06.156: Unable to open /var/lib/flatpak/exports/share/dconf/profile/user: Permiso denegado
(electron) 'setBadgeCount function' is deprecated and will be removed. Please use 'badgeCount property' instead.
(electron) 'setZoomLevel function' is deprecated and will be removed. Please use 'zoomLevel property' instead.

Parent is shutting down, bye...
<!-- gh-comment-id:612039233 --> @ghost commented on GitHub (Apr 10, 2020): I checked again the default profile provided for rambox in firejail 0.9.62 and the default rambox profile fails: ```bash $ firejail --profile=rambox /usr/bin/rambox Reading profile /etc/firejail/rambox.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-interpreters.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/whitelist-common.inc Parent pid 30221, child pid 30222 Warning: cleaning all supplementary groups Warning: /sbin directory link was not blacklisted Warning: /usr/sbin directory link was not blacklisted Warning: cleaning all supplementary groups Child process initialized in 70.32 ms Parent is shutting down, bye... ``` However, it works with `seccomp !chroot` configured in my `~/.config/firejail/rambox.profile`: ```bash $ firejail --profile=rambox /usr/bin/rambox Reading profile /home/zako/.config/firejail/rambox.profile Reading profile /etc/firejail/rambox.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-interpreters.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/whitelist-common.inc Parent pid 30738, child pid 30739 Warning: cleaning all supplementary groups Warning: /sbin directory link was not blacklisted Warning: /usr/sbin directory link was not blacklisted Warning: cleaning all supplementary groups Post-exec seccomp protector enabled Seccomp list in: !chroot, check list: @default-keep, prelist: unknown, Child process initialized in 80.29 ms (electron) 'getName function' is deprecated and will be removed. Please use 'name property' instead. (rambox:7): dconf-WARNING **: 15:52:06.156: Unable to open /var/lib/flatpak/exports/share/dconf/profile/user: Permiso denegado (electron) 'setBadgeCount function' is deprecated and will be removed. Please use 'badgeCount property' instead. (electron) 'setZoomLevel function' is deprecated and will be removed. Please use 'zoomLevel property' instead. Parent is shutting down, bye... ```
gitea-mirror commented 2026-05-05 08:46:45 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Apr 10, 2020):

@chrpinedo Just installed rambox-bin from AUR and I can reproduce. It confirms my earlier posting and we have a fix in git master now. The rambox profile does indeed need 'seccomp !chroot' for it to work properly. Until the fix gets into a future release, you should be fine by adding that to your rambox.local. One other thing. If your rambox files are installed under /opt/rambox, you can further harden the profile by adding 'private-opt rambox', so it can't see anything else you might have installed under /opt. Feel free to re-open if you need anything else.

<!-- gh-comment-id:612046228 --> @ghost commented on GitHub (Apr 10, 2020): @chrpinedo Just installed rambox-bin from AUR and I can reproduce. It confirms my earlier posting and we have a fix in git master now. The rambox profile does indeed need 'seccomp !chroot' for it to work properly. Until the fix gets into a future release, you should be fine by adding that to your rambox.local. One other thing. If your rambox files are installed under /opt/rambox, you can further harden the profile by adding 'private-opt rambox', so it can't see anything else you might have installed under /opt. Feel free to re-open if you need anything else.
gitea-mirror commented 2026-05-05 08:46:46 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Apr 10, 2020):

Thanks for the private-opt rambox, I am beginning with firejail and I appreciate it. Regards!

<!-- gh-comment-id:612052393 --> @ghost commented on GitHub (Apr 10, 2020): Thanks for the `private-opt rambox`, I am beginning with firejail and I appreciate it. Regards!
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2097
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?