[GH-ISSUE #3344] Warning: cannot open source file /usr/local/lib/firejail/seccomp, file not copied #2099

Closed
opened 2026-05-05 08:46:48 -06:00 by gitea-mirror · 3 comments

Originally created by @downystreet on GitHub (Apr 11, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3344

Describe the bug
When running the firejail firefox command in centos 8, I'm getting several errors that pertain to missing files and files that were not copied. After getting the error readout the command is not completed and terminates with no firefox window opening. I looked in the directories pertaining to the errors and indeed the files were missing. Here is the terminal readout:
```
$ firejail firefox
Reading profile /usr/local/etc/firejail/firefox.profile
Reading profile /usr/local/etc/firejail/whitelist-usr-share-common.inc
Reading profile /usr/local/etc/firejail/firefox-common.profile
Reading profile /usr/local/etc/firejail/disable-common.inc
Reading profile /usr/local/etc/firejail/disable-devel.inc
Reading profile /usr/local/etc/firejail/disable-exec.inc
Reading profile /usr/local/etc/firejail/disable-interpreters.inc
Reading profile /usr/local/etc/firejail/disable-programs.inc
Reading profile /usr/local/etc/firejail/whitelist-common.inc
Reading profile /usr/local/etc/firejail/whitelist-var-common.inc
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 17772, child pid 17773
Warning: cannot open source file /usr/local/lib/firejail/seccomp.32, file not copied
Warning: cannot open source file /usr/local/lib/firejail/seccomp, file not copied
Error: /run/firejail/lib/fseccomp does not exist
Error: failed to run /run/firejail/lib/fseccomp
Error: proc 17772 cannot sync with peer: unexpected EOF
Peer 17773 unexpectedly exited with status 1
```

Behavior change on disabling firejail
When run with the --noprofile option firefox opens and runs as expected.

To Reproduce
Steps to reproduce the behavior:

  1. Using a gnome terminal in centos 8:
    $ git clone https://github.com/netblue30/firejail.git
    $ cd firejail
    $ ./configure && make && sudo make install-strip
  2. After install is complete, type 'firejail firefox' in the terminal
  3. See error code and program terminates. No firefox window opens.

Expected behavior
Expected firefox to open and be sandboxed by firejail.

Desktop (please complete the following information):
LSB Version: :core-4.1-amd64:core-4.1-noarch
Distributor ID: CentOS
Description: CentOS Linux release 8.1.1911 (Core)
Release: 8.1.1911
Codename: Core

  • firejail version 0.9.63

Compile time support:
- AppArmor support is disabled
- AppImage support is enabled
- chroot support is enabled
- file and directory whitelisting support is enabled
- file transfer support is enabled
- firetunnel support is enabled
- networking support is enabled
- overlayfs support is enabled
- private-home support is enabled
- seccomp-bpf support is enabled
- user namespace support is enabled
- X11 sandboxing support is enabled

Additional context
I have used this github repository with centos 7 several weeks ago and had no problems using 'firejail firefox.' The date of the firejail download for use in centos 8 was 04/11/20.


@downystreet commented on GitHub (Apr 11, 2020):

Here is a debug readout:
```
$ firejail --debug firefox
Autoselecting /bin/bash as shell
Building quoted command line: 'firefox'
Command name #firefox#
Found firefox.profile profile in /usr/local/etc/firejail directory
Reading profile /usr/local/etc/firejail/firefox.profile
Found whitelist-usr-share-common.inc profile in /usr/local/etc/firejail directory
Reading profile /usr/local/etc/firejail/whitelist-usr-share-common.inc
Found firefox-common.profile profile in /usr/local/etc/firejail directory
Reading profile /usr/local/etc/firejail/firefox-common.profile
conditional BROWSER_ALLOW_DRM, ignore noexec ${HOME}
Found disable-common.inc profile in /usr/local/etc/firejail directory
Reading profile /usr/local/etc/firejail/disable-common.inc
Found disable-devel.inc profile in /usr/local/etc/firejail directory
Reading profile /usr/local/etc/firejail/disable-devel.inc
Found disable-exec.inc profile in /usr/local/etc/firejail directory
Reading profile /usr/local/etc/firejail/disable-exec.inc
Found disable-interpreters.inc profile in /usr/local/etc/firejail directory
Reading profile /usr/local/etc/firejail/disable-interpreters.inc
Found disable-programs.inc profile in /usr/local/etc/firejail directory
Reading profile /usr/local/etc/firejail/disable-programs.inc
Found whitelist-common.inc profile in /usr/local/etc/firejail directory
Reading profile /usr/local/etc/firejail/whitelist-common.inc
Found whitelist-var-common.inc profile in /usr/local/etc/firejail directory
Reading profile /usr/local/etc/firejail/whitelist-var-common.inc
conditional BROWSER_DISABLE_U2F, nou2f
conditional BROWSER_DISABLE_U2F, private-dev
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
DISPLAY=:0 parsed as 0
Using the local network stack
Parent pid 20673, child pid 20674
Host network configured
Initializing child process
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Warning: cannot open source file /usr/local/lib/firejail/seccomp.32, file not copied
Warning: cannot open source file /usr/local/lib/firejail/seccomp, file not copied
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
IBUS_ADDRESS=unix:abstract=/tmp/dbus-SxoG3UqF,guid=1054b6222180f195bd76c9ac5e9142ab
IBUS_DAEMON_PID=6980
Build protocol filter: unix,inet,inet6,netlink
sbox run: /run/firejail/lib/fseccomp protocol build unix,inet,inet6,netlink /run/firejail/mnt/seccomp/seccomp.protocol
Dropping all capabilities
Drop privileges: pid 2, uid 1000, gid 1000, nogroups 1
No supplementary groups
Error: /run/firejail/lib/fseccomp does not exist
Error: failed to run /run/firejail/lib/fseccomp
Error: proc 20673 cannot sync with peer: unexpected EOF
Peer 20674 unexpectedly exited with status 1
```


@ghost commented on GitHub (Apr 11, 2020):

Sounds like a duplicate of #3341. If you want to keep as close to git master as possible, you can use the below commands just before the './configure && make && sudo make install-strip' step. Or alternatively do a git checkout with the hash of the commit you prefer before breakage occurred.

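```
## fix git master cfr. https://github.com/netblue30/firejail/issues/3341
# Print the abbreviated hash of the last commit listed by git log (any ref)
# whose one-line summary matches $1.
hash_of() {
    git log --oneline --all | grep "$1" | tail -n 1 | awk '{print $1}'
}
# Cherry-pick, without committing (-n), the commit whose summary matches $2,
# or the range from that commit through the one matching $3.
# $1 is only a label for the progress message.
git_cp_by_msg() {
    h_first="$(hash_of "$2")"
    if [ -n "$3" ]; then
        h_last="$(hash_of "$3")"
        echo "Found ${h_first}^${h_last} for ${1}"
        git cherry-pick -n -Xtheirs "$h_first"^.."$h_last"
    else
        echo "Found ${h_first} for ${1}"
        git cherry-pick -n -Xtheirs "$h_first"
    fi
}
# Check out the base commit, then apply the selected commits on top of it.
git checkout 55e5cc5e698ef910f55d0ddaf08f86184af26734
git_cp_by_msg 'rambox description' 'add description to rambox.profile'
git_cp_by_msg 'rambox fix' 'fix #3343'
git_cp_by_msg 'strip all binaries' 'Strip all binaries'
git_cp_by_msg 'fix build with --enable-fatal-warnings' 'Fix build with --enable-fatal-warnings'
##
```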

@topimiettinen commented on GitHub (Apr 12, 2020):

This should have been closed by d8fa95f, so closing manually.
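
A post-install check for the failure reported in this issue, as an added example that is not part of the original thread or of the firejail project: it pulls the paths firejail reported as missing out of its startup output and tests whether the matching files exist in the install directory. The function names are hypothetical, the sample log is constructed from the lines quoted above, and the check assumes /run/firejail/lib is populated from /usr/local/lib/firejail.

```shell
#!/bin/sh
# Constructed sample: the failing lines quoted in this issue.
sample_log() {
cat <<'EOF'
Reading profile /usr/local/etc/firejail/firefox.profile
Warning: cannot open source file /usr/local/lib/firejail/seccomp.32, file not copied
Warning: cannot open source file /usr/local/lib/firejail/seccomp, file not copied
Error: /run/firejail/lib/fseccomp does not exist
Error: failed to run /run/firejail/lib/fseccomp
EOF
}

# Read firejail output on stdin; print each path it reported as missing, once.
missing_paths() {
    sed -n \
        -e 's|^Warning: cannot open source file \(.*\), file not copied$|\1|p' \
        -e 's|^Error: \(/.*\) does not exist$|\1|p' | LC_ALL=C sort -u
}

# Read firejail output on stdin and check, for every reported path, whether a
# file of the same name exists in the install directory given as $1.
# Assumption: runtime copies under /run/firejail/lib come from that directory.
# Returns 1 if any file is absent, i.e. the install itself is incomplete.
diagnose() {
    libdir=$1
    status=0
    for p in $(missing_paths); do
        name=${p##*/}
        if [ -e "$libdir/$name" ]; then
            echo "OK $libdir/$name"
        else
            echo "MISSING $libdir/$name"
            status=1
        fi
    done
    return $status
}

# Run against the constructed sample; on a real system use instead:
#   firejail firefox 2>&1 | diagnose /usr/local/lib/firejail
sample_log | diagnose /usr/local/lib/firejail || true
```

A non-zero return means the sandbox helpers were never installed, so the fix belongs in the build or install step, not in the profile.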
