[GH-ISSUE #3423] seccomp is breaking wire-desktop #2149

Closed
opened 2026-05-05 08:49:32 -06:00 by gitea-mirror · 5 comments

Originally created by @CodeArtisan00 on GitHub (May 19, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3423

Specs: Manjaro (KDE), kernel 5.6.x, Firejail 0.9.62, Wire 3.17.2924

Output of `firejail --debug`: https://gist.github.com/Neo00001/a77cc18994863c41327e7e0fa45e3554


@ghost commented on GitHub (May 19, 2020):

Hi, looking at your debug log doesn't indicate conclusively that this is a seccomp issue. It might be #2946 (which is fixed in git). There's an easy way to determine seccomp issues in firejail though, so if you can run the below after starting wire-desktop that would be helpful.

```
$ sudo journalctl | grep syscall
```

If you get output like `... syscall=123 ...` you can determine which syscall was used even though it is forbidden by the profile:

```
$ firejail --debug-syscalls | grep 123
```

If you don't get any output and you want to check if it's #2946, add the below to your wire-desktop.local:

```
ignore caps.drop all
caps.keep sys_admin,sys_chroot

ignore seccomp
seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
```

BTW, can you post what's in your wire-desktop.local currently?

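The `journalctl | grep syscall` step above is the quickest way to find out whether seccomp is what killed the process. The following is an added helper (not code from the issue or from the firejail project) that does the same thing with one extra check a practitioner wants: it only looks at `type=SECCOMP` audit records, because a plain `grep syscall` also matches ordinary `type=SYSCALL` records on hosts with auditd rules loaded, which would point you at syscalls seccomp never blocked. The sample lines are constructed; only the record layout follows the kernel's SECCOMP audit record, and 135 is `personality(2)` on x86_64, the syscall this issue turned out to be about.

```shell
#!/bin/sh
# Added example, not from the issue: pull seccomp denials out of journal/audit
# output so you can see which syscall the sandbox killed the process for,
# before looking the number up with 'firejail --debug-syscalls'.
#
# SAMPLE is constructed. Only the record layout follows the kernel's SECCOMP
# audit record; pids, timestamps, ip and exe path are made up. 135 is
# personality(2) on x86_64.
SAMPLE='type=SECCOMP msg=audit(1589900000.123:456): auid=1000 uid=1000 gid=1000 ses=2 pid=4321 comm="wire-desktop" exe="/usr/lib/wire-desktop/wire-desktop" sig=31 arch=c000003e syscall=135 compat=0 ip=0x7f0123456789 code=0x0
type=SECCOMP msg=audit(1589900001.456:457): auid=1000 uid=1000 gid=1000 ses=2 pid=4322 comm="wire-desktop" exe="/usr/lib/wire-desktop/wire-desktop" sig=31 arch=c000003e syscall=135 compat=0 ip=0x7f0123456789 code=0x0
type=SYSCALL msg=audit(1589900002.000:458): arch=c000003e syscall=59 success=yes exit=0 a0=0 pid=4323 comm="sh" exe="/bin/sh"'

# Unique syscall numbers taken from SECCOMP records only. A bare
# 'grep syscall' would also match the type=SYSCALL record above, which
# is a normal, permitted execve and has nothing to do with the sandbox.
denied_syscall_numbers() {
    grep 'type=SECCOMP' | sed -n 's/.*syscall=\([0-9][0-9]*\).*/\1/p' | sort -un
}

# One line per (process name, syscall number) with a hit count, so a
# repeated denial is easy to tell apart from a one-off.
denied_summary() {
    grep 'type=SECCOMP' \
        | sed -n 's/.*comm="\([^"]*\)".*syscall=\([0-9][0-9]*\).*/\1 \2/p' \
        | sort | uniq -c | sed 's/^ *//'
}

# Stand-alone run on the constructed sample. On a real host replace the
# printf with:  sudo journalctl -b | denied_summary
printf '%s\n' "$SAMPLE" | denied_summary
for n in $(printf '%s\n' "$SAMPLE" | denied_syscall_numbers); do
    # Map the number to a name with firejail's own table:
    #   firejail --debug-syscalls | grep -w "$n"
    echo "denied syscall number: $n"
done
```

Once you have the number, `firejail --debug-syscalls | grep -w <number>` gives the name, and that name is what goes after `seccomp !` in the `.local` file if you decide the application legitimately needs it.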

@CodeArtisan00 commented on GitHub (May 19, 2020):

Output of `firejail --debug-syscalls` shows `personality`.

> ignore caps.drop all
> caps.keep sys_admin,sys_chroot
>
> ignore seccomp
> seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice

It doesn't launch Wire.

`seccomp !chroot` fixes the problem. Using `seccomp !chroot` only fixes it.

> BTW, can you post what's in your wire-desktop.local currently?

```
ignore net

whitelist ~/Downloads/Wire/
```


@ghost commented on GitHub (May 19, 2020):

I forgot that the `!` syntax is actually supported in 0.9.62. As for your wire-desktop.local, I just wanted to make sure there wasn't anything there that might be interfering. The system-wide wire-desktop.profile already whitelists `${HOME}/Downloads`, so the subdir reference shouldn't be strictly necessary. I'll fix the profile in git, so make a note that you can remove `seccomp !chroot` from the .local on a future firejail upgrade. Thanks for reporting!


@CodeArtisan00 commented on GitHub (May 20, 2020):

> The system-wide wire-desktop.profile already whitelists `${HOME}/Downloads`, so the subdir reference shouldn't be strictly necessary.

I have commented that out in the profile, and I use a different directory for different apps.


@rusty-snake commented on GitHub (May 21, 2020):

> I have commented that out in the profile, and I use a different directory for different apps.

I do the same (for firefox). You can add `nowhitelist ${HOME}/Downloads` to wire-desktop.local so you don't need to comment this out after every update of firejail. Also you can add `blacklist ${HOME}/Downloads/Wire` to `disable-xdg.local` or similar to block some blacklisting profiles from accessing it (if you want).

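Putting the thread's directives together, this is what a `wire-desktop.local` built only from what was said above looks like. It is an added example assembled from the comments, not a file shipped by the firejail project; the `Downloads/Wire` directory is the reporter's own choice, and the `.local` path assumes the usual per-user location.

```text
# ~/.config/firejail/wire-desktop.local  (added example assembled from this thread)
# The system profile pulls this file in first via 'include wire-desktop.local',
# which is why 'ignore' lines here take effect on directives that appear later
# in the profile.

# reporter's existing overrides
ignore net
whitelist ${HOME}/Downloads/Wire

# rusty-snake's suggestion: drop the profile's whole-Downloads whitelist here
# instead of editing the system profile, so it survives firejail upgrades
nowhitelist ${HOME}/Downloads

# workaround found in this thread for 0.9.62: keep the default seccomp filter
# but allow the chroot syscall; remove once the fixed profile ships
seccomp !chroot
```

The `seccomp !chroot` line is deliberately narrow: it re-enables one named syscall rather than turning off `seccomp` or widening the filter with a hand-written `seccomp.drop` list, so the rest of the default denylist stays in force while the profile fix is pending. The optional `blacklist ${HOME}/Downloads/Wire` suggested above goes in `disable-xdg.local`, not here, because it is meant for the other profiles that include that file.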
Reference: github-starred/firejail#2149