github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #3478] evolution: cannot modify/create lock file on Unix mbox spool files #2186

New issue
Closed
opened 2026-05-05 08:51:59 -06:00 by gitea-mirror · 13 comments
gitea-mirror commented 2026-05-05 08:51:59 -06:00
Owner
Copy link

Originally created by @kmotoko on GitHub (Jun 25, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3478

Evolution mail client can be used to read local mails (Standard Unix mbox spool file). Most commonly, these files are stored in /var/mail/.

Bug and expected behavior

  • Describe the bug.
    When you try to open the local mailbox in /var/mail/<USERNAME>, it shows the following under the toolbar (not the message specific part of the window):
Failed to refresh folder “<USERNAME>@localhost : INBOX”.
The reported error was “Could not open file: /var/mail/<USERNAME>: Read-only file system”.

If you try to open a message from the problematic mailbox, it shows the following instead of the message contents.

Unable to retrieve message.
Cannot create folder lock on /var/mail/<USERNAME>: Read-only file system

Please pay attention that it does not show the message contents at all.

Note: There is no evolution.local, and there is nothing related in globals.local.

  • What did you expect to happen?
    To be able to read Unix mbox spool files that belongs to the current user, without any error.

No profile or disabling firejail

  • What changed calling firejail --noprofile PROGRAM in a shell?
    The error did not change.

  • What changed calling the program by path=without firejail (check whereis PROGRAM, firejail --list, stat $programpath)?
    Evolution works as expected.

Reproduce
Steps to reproduce the behavior:

  1. Run in bash firejail evolution
  2. See error:
Failed to refresh folder “<USERNAME>@localhost : INBOX”.
The reported error was “Could not open file: /var/mail/<USERNAME>: Read-only file system”.

And

Unable to retrieve message.
Cannot create folder lock on /var/mail/<USERNAME>: Read-only file system

Environment

  • Linux distribution and version (ie output of lsb_release -a)
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 20.04 LTS
Release:	20.04
Codename:	focal
  • Firejail version (output of firejail --version) exclusive or used git commit (git rev-parse HEAD)
firejail version 0.9.62

Compile time support:
	- AppArmor support is enabled
	- AppImage support is enabled
	- chroot support is enabled
	- file and directory whitelisting support is enabled
	- file transfer support is enabled
	- firetunnel support is enabled
	- networking support is enabled
	- overlayfs support is enabled
	- private-home support is enabled
	- seccomp-bpf support is enabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled

  • What other programs interact with the affected program for the functionality?
    None.

  • Are these listed in the profile?
    N/A

Additional context
Other context about the problem like related errors to understand the problem.

Checklist

  • [ x] The upstream profile (and redirect profile if exists) have no changes fixing it.
  • [ x] The upstream profile exists (find / -name 'firejail' 2>/dev/null/fd firejail to locate profiles ie in /usr/local/etc/firejail/PROGRAM.profile)
  • [ x] Programs needed for interaction are listed.
  • [ x] Error was checked in search engine and on issue list without success.
debug output 
Autoselecting /bin/bash as shell
Building quoted command line: 'evolution' 
Command name #evolution#
Found evolution.profile profile in /etc/firejail directory
Reading profile /etc/firejail/evolution.profile
Found globals.local profile in /etc/firejail directory
Found disable-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-common.inc
Found disable-devel.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-devel.inc
Found disable-exec.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-exec.inc
Found disable-interpreters.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-interpreters.inc
Found disable-passwdmgr.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-passwdmgr.inc
Found disable-programs.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-programs.inc
Warning: networking feature is disabled in Firejail configuration file
DISPLAY=:0 parsed as 0
Using the local network stack
Parent pid 4754, child pid 4755
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
IBUS_ADDRESS=unix:abstract=/home/<USERNAME>/.cache/ibus/dbus-cr0HGqtN,guid=9477ce0faa446173f68c34b95ee65c1c
IBUS_DAEMON_PID=6816
Build protocol filter: unix,inet,inet6
sbox run: /run/firejail/lib/fseccomp protocol build unix,inet,inet6 /run/firejail/mnt/seccomp/seccomp.protocol (null) 
Dropping all capabilities
Drop privileges: pid 2, uid 1000, gid 1000, nogroups 1
No supplementary groups
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
Mounting noexec /etc
Mounting read-only /var
Mounting noexec /var
Mounting read-only /bin
Mounting read-only /sbin
Mounting read-only /lib
Mounting read-only /lib64
Mounting read-only /lib32
Mounting read-only /libx32
Mounting read-only /usr
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /var/lib/dhcp
Mounting tmpfs on /var/lib/snmp
Mounting tmpfs on /var/lib/sudo
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Cleaning /run/user directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
Mounting tmpfs on /dev
mounting /run/firejail/mnt/dev/dri directory
Process /dev/shm directory
Generate private-tmp whitelist commands
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /sys/kernel/uevent_helper
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/kernel/hotplug
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /usr/lib/modules (requested /lib/modules)
Disable /usr/lib/debug
Disable /boot
Disable /run/user/1000/gnupg
Disable /run/user/1000/systemd
Disable /proc/kmsg
Debug 423: new_name #/tmp/.X11-unix#, whitelist
Mounting tmpfs on /tmp directory
Whitelisting /tmp/.X11-unix
1161 1160 253:1 /tmp/.X11-unix /tmp/.X11-unix rw,relatime master:1 - ext4 /dev/mapper/vgubuntu-root rw,errors=remount-ro
mountid=1161 fsname=/tmp/.X11-unix dir=/tmp/.X11-unix fstype=ext4
Disable /home/<USERNAME>/.local/share/Trash
Disable /home/<USERNAME>/.bash_history
Disable /home/<USERNAME>/.lesshst
Disable /home/<USERNAME>/.config/autostart
Disable /etc/X11/Xsession.d
Disable /etc/xdg/autostart
Disable /home/<USERNAME>/.local/share/gnome-shell
Mounting read-only /home/<USERNAME>/.config/dconf
1170 1129 253:1 /home/<USERNAME>/.config/dconf /home/<USERNAME>/.config/dconf ro,relatime master:1 - ext4 /dev/mapper/vgubuntu-root rw,errors=remount-ro
mountid=1170 fsname=/home/<USERNAME>/.config/dconf dir=/home/<USERNAME>/.config/dconf fstype=ext4
Disable /var/lib/systemd
Disable /var/cache/apt
Disable /var/lib/apt
Disable /var/lib/upower
Not blacklist /var/mail
Disable /var/opt
Disable /run/acpid.socket (requested /var/run/acpid.socket)
Disable /var/spool/anacron
Disable /var/spool/cron
Not blacklist /var/spool/mail
Disable /etc/anacrontab
Disable /etc/cron.weekly
Disable /etc/cron.monthly
Disable /etc/cron.daily
Disable /etc/cron.d
Disable /etc/cron.hourly
Disable /etc/crontab
Disable /etc/profile.d
Disable /etc/rc2.d
Disable /etc/rc4.d
Disable /etc/rc5.d
Disable /etc/rc3.d
Disable /etc/rc6.d
Disable /etc/rc0.d
Disable /etc/rc1.d
Disable /etc/rcS.d
Disable /etc/kernel
Disable /etc/kerneloops.conf
Disable /etc/kernel-img.conf
Disable /etc/grub.d
Disable /etc/apparmor
Disable /etc/apparmor.d
Disable /etc/selinux
Disable /etc/modules-load.d
Disable /etc/modules
Disable /etc/logrotate.d
Disable /etc/logrotate.conf
Disable /etc/adduser.conf
Mounting read-only /home/<USERNAME>/.bash_logout
1208 1129 253:1 /home/<USERNAME>/.bash_logout /home/<USERNAME>/.bash_logout ro,relatime master:1 - ext4 /dev/mapper/vgubuntu-root rw,errors=remount-ro
mountid=1208 fsname=/home/<USERNAME>/.bash_logout dir=/home/<USERNAME>/.bash_logout fstype=ext4
Mounting read-only /home/<USERNAME>/.bashrc
1209 1129 253:1 /home/<USERNAME>/.bashrc /home/<USERNAME>/.bashrc ro,relatime master:1 - ext4 /dev/mapper/vgubuntu-root rw,errors=remount-ro
mountid=1209 fsname=/home/<USERNAME>/.bashrc dir=/home/<USERNAME>/.bashrc fstype=ext4
Mounting read-only /home/<USERNAME>/.pam_environment
1210 1129 253:1 /home/<USERNAME>/.pam_environment /home/<USERNAME>/.pam_environment ro,relatime master:1 - ext4 /dev/mapper/vgubuntu-root rw,errors=remount-ro
mountid=1210 fsname=/home/<USERNAME>/.pam_environment dir=/home/<USERNAME>/.pam_environment fstype=ext4
Mounting read-only /home/<USERNAME>/.profile
1211 1129 253:1 /home/<USERNAME>/.profile /home/<USERNAME>/.profile ro,relatime master:1 - ext4 /dev/mapper/vgubuntu-root rw,errors=remount-ro
mountid=1211 fsname=/home/<USERNAME>/.profile dir=/home/<USERNAME>/.profile fstype=ext4
Mounting read-only /home/<USERNAME>/.gem
1212 1129 253:1 /home/<USERNAME>/.gem /home/<USERNAME>/.gem ro,relatime master:1 - ext4 /dev/mapper/vgubuntu-root rw,errors=remount-ro
mountid=1212 fsname=/home/<USERNAME>/.gem dir=/home/<USERNAME>/.gem fstype=ext4
Mounting read-only /home/<USERNAME>/bin
1213 1129 253:1 /home/<USERNAME>/bin /home/<USERNAME>/bin ro,relatime master:1 - ext4 /dev/mapper/vgubuntu-root rw,errors=remount-ro
mountid=1213 fsname=/home/<USERNAME>/bin dir=/home/<USERNAME>/bin fstype=ext4
Mounting read-only /home/<USERNAME>/.local/share/applications
1214 1129 253:1 /home/<USERNAME>/.local/share/applications /home/<USERNAME>/.local/share/applications ro,relatime master:1 - ext4 /dev/mapper/vgubuntu-root rw,errors=remount-ro
mountid=1214 fsname=/home/<USERNAME>/.local/share/applications dir=/home/<USERNAME>/.local/share/applications fstype=ext4
Not blacklist /home/<USERNAME>/.gnupg
Disable /home/<USERNAME>/.local/share/keyrings
Not blacklist /home/<USERNAME>/.pki
Not blacklist /home/<USERNAME>/.local/share/pki
Disable /home/<USERNAME>/.ssh
Disable /etc/group-
Disable /etc/gshadow
Disable /etc/gshadow-
Disable /etc/passwd-
Disable /etc/shadow
Disable /etc/shadow-
Disable /etc/ssh
Disable /usr/sbin (requested /sbin)
Disable /usr/local/sbin
Disable /usr/sbin
Disable /usr/bin/chage
Disable /usr/bin/chage (requested /bin/chage)
Disable /usr/bin/chfn
Disable /usr/bin/chfn (requested /bin/chfn)
Disable /usr/bin/chsh
Disable /usr/bin/chsh (requested /bin/chsh)
Disable /usr/bin/crontab
Disable /usr/bin/crontab (requested /bin/crontab)
Disable /usr/bin/expiry
Disable /usr/bin/expiry (requested /bin/expiry)
Disable /usr/bin/fusermount
Disable /usr/bin/fusermount (requested /bin/fusermount)
Disable /usr/bin/gpasswd
Disable /usr/bin/gpasswd (requested /bin/gpasswd)
Disable /usr/bin/mount
Disable /usr/bin/mount (requested /bin/mount)
Disable /usr/bin/nc.openbsd (requested /usr/bin/nc)
Disable /usr/bin/nc.openbsd (requested /bin/nc)
Disable /usr/bin/newgrp
Disable /usr/bin/newgrp (requested /bin/newgrp)
Disable /usr/bin/ntfs-3g
Disable /usr/bin/ntfs-3g (requested /bin/ntfs-3g)
Disable /usr/bin/pkexec
Disable /usr/bin/pkexec (requested /bin/pkexec)
Disable /usr/bin/newgrp (requested /usr/bin/sg)
Disable /usr/bin/newgrp (requested /bin/sg)
Disable /usr/bin/strace
Disable /usr/bin/strace (requested /bin/strace)
Disable /usr/bin/su
Disable /usr/bin/su (requested /bin/su)
Disable /usr/bin/sudo
Disable /usr/bin/sudo (requested /bin/sudo)
Disable /usr/bin/umount
Disable /usr/bin/umount (requested /bin/umount)
Disable /usr/bin/xev
Disable /usr/bin/xev (requested /bin/xev)
Disable /usr/bin/xinput
Disable /usr/bin/xinput (requested /bin/xinput)
Disable /usr/bin/gnome-terminal
Disable /usr/bin/gnome-terminal (requested /bin/gnome-terminal)
Disable /usr/bin/gnome-terminal.wrapper
Disable /usr/bin/gnome-terminal.wrapper (requested /bin/gnome-terminal.wrapper)
Disable /home/<USERNAME>/.local/share/flatpak
Disable /usr/bin/bwrap
Disable /usr/bin/bwrap (requested /bin/bwrap)
Disable /usr/bin/x86_64-linux-gnu-as (requested /usr/bin/as)
Disable /usr/bin/x86_64-linux-gnu-as (requested /bin/as)
Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /usr/bin/cc)
Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /bin/cc)
Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /usr/bin/c++)
Disable /usr/bin/x86_64-linux-gnu-c++filt (requested /usr/bin/c++filt)
Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /bin/c++)
Disable /usr/bin/x86_64-linux-gnu-c++filt (requested /bin/c++filt)
Disable /usr/bin/c89-gcc
Disable /usr/bin/c89-gcc (requested /usr/bin/c89)
Disable /usr/bin/c89-gcc (requested /bin/c89-gcc)
Disable /usr/bin/c89-gcc (requested /bin/c89)
Disable /usr/bin/c99-gcc (requested /usr/bin/c99)
Disable /usr/bin/c99-gcc
Disable /usr/bin/c99-gcc (requested /bin/c99)
Disable /usr/bin/c99-gcc (requested /bin/c99-gcc)
Disable /usr/bin/x86_64-linux-gnu-cpp-9 (requested /usr/bin/cpp)
Disable /usr/bin/x86_64-linux-gnu-cpp-9 (requested /usr/bin/cpp-9)
Disable /usr/bin/x86_64-linux-gnu-cpp-9 (requested /bin/cpp)
Disable /usr/bin/x86_64-linux-gnu-cpp-9 (requested /bin/cpp-9)
Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /usr/bin/g++)
Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /usr/bin/g++-9)
Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /bin/g++)
Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /bin/g++-9)
Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /usr/bin/gcc-9)
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /usr/bin/gcc-ranlib-9)
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /usr/bin/gcc-nm)
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /usr/bin/gcc-ar)
Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /usr/bin/gcc)
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /usr/bin/gcc-ranlib)
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /usr/bin/gcc-nm-9)
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /usr/bin/gcc-ar-9)
Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /bin/gcc-9)
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /bin/gcc-ranlib-9)
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /bin/gcc-nm)
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /bin/gcc-ar)
Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /bin/gcc)
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /bin/gcc-ranlib)
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /bin/gcc-nm-9)
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /bin/gcc-ar-9)
Disable /usr/bin/gdb
Disable /usr/bin/gdb (requested /bin/gdb)
Disable /usr/bin/x86_64-linux-gnu-ld.bfd (requested /usr/bin/ld)
Disable /usr/bin/x86_64-linux-gnu-ld.bfd (requested /bin/ld)
Disable /usr/bin/c89-gcc
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /usr/bin/x86_64-linux-gnu-gcc-nm)
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /usr/bin/x86_64-linux-gnu-gcc-ranlib)
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /usr/bin/x86_64-linux-gnu-gcc-ar)
Disable /usr/bin/c99-gcc
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9
Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /usr/bin/x86_64-linux-gnu-gcc)
Disable /usr/bin/x86_64-linux-gnu-gcc-9
Disable /usr/bin/c89-gcc (requested /bin/c89-gcc)
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /bin/x86_64-linux-gnu-gcc-ar-9)
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /bin/x86_64-linux-gnu-gcc-nm-9)
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /bin/x86_64-linux-gnu-gcc-nm)
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /bin/x86_64-linux-gnu-gcc-ranlib)
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /bin/x86_64-linux-gnu-gcc-ar)
Disable /usr/bin/c99-gcc (requested /bin/c99-gcc)
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /bin/x86_64-linux-gnu-gcc-ranlib-9)
Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /bin/x86_64-linux-gnu-gcc)
Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /bin/x86_64-linux-gnu-gcc-9)
Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /usr/bin/x86_64-linux-gnu-g++)
Disable /usr/bin/x86_64-linux-gnu-g++-9
Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /bin/x86_64-linux-gnu-g++)
Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /bin/x86_64-linux-gnu-g++-9)
Disable /usr/bin/c89-gcc
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /usr/bin/x86_64-linux-gnu-gcc-nm)
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /usr/bin/x86_64-linux-gnu-gcc-ranlib)
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /usr/bin/x86_64-linux-gnu-gcc-ar)
Disable /usr/bin/c99-gcc
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9
Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /usr/bin/x86_64-linux-gnu-gcc)
Disable /usr/bin/x86_64-linux-gnu-gcc-9
Disable /usr/bin/c89-gcc (requested /bin/c89-gcc)
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /bin/x86_64-linux-gnu-gcc-ar-9)
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /bin/x86_64-linux-gnu-gcc-nm-9)
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /bin/x86_64-linux-gnu-gcc-nm)
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /bin/x86_64-linux-gnu-gcc-ranlib)
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /bin/x86_64-linux-gnu-gcc-ar)
Disable /usr/bin/c99-gcc (requested /bin/c99-gcc)
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /bin/x86_64-linux-gnu-gcc-ranlib-9)
Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /bin/x86_64-linux-gnu-gcc)
Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /bin/x86_64-linux-gnu-gcc-9)
Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /usr/bin/x86_64-linux-gnu-g++)
Disable /usr/bin/x86_64-linux-gnu-g++-9
Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /bin/x86_64-linux-gnu-g++)
Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /bin/x86_64-linux-gnu-g++-9)
Disable /usr/include
Disable /usr/share/java
Disable /usr/bin/openssl
Disable /usr/bin/openssl (requested /bin/openssl)
Disable /usr/lib/valgrind
Mounting noexec /home/<USERNAME>
1891 1875 0:24 /firejail/firejail.ro.dir /home/<USERNAME>/.local/share/flatpak rw,nosuid,nodev,noexec,relatime master:5 - tmpfs tmpfs rw,size=1624152k,mode=755
mountid=1891 fsname=/firejail/firejail.ro.dir dir=/home/<USERNAME>/.local/share/flatpak fstype=tmpfs
Mounting noexec /home/<USERNAME>/.config/dconf
1892 1881 253:1 /home/<USERNAME>/.config/dconf /home/<USERNAME>/.config/dconf ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/vgubuntu-root rw,errors=remount-ro
mountid=1892 fsname=/home/<USERNAME>/.config/dconf dir=/home/<USERNAME>/.config/dconf fstype=ext4
Mounting noexec /home/<USERNAME>/.bash_logout
1893 1882 253:1 /home/<USERNAME>/.bash_logout /home/<USERNAME>/.bash_logout ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/vgubuntu-root rw,errors=remount-ro
mountid=1893 fsname=/home/<USERNAME>/.bash_logout dir=/home/<USERNAME>/.bash_logout fstype=ext4
Mounting noexec /home/<USERNAME>/.bashrc
1894 1883 253:1 /home/<USERNAME>/.bashrc /home/<USERNAME>/.bashrc ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/vgubuntu-root rw,errors=remount-ro
mountid=1894 fsname=/home/<USERNAME>/.bashrc dir=/home/<USERNAME>/.bashrc fstype=ext4
Mounting noexec /home/<USERNAME>/.pam_environment
1895 1884 253:1 /home/<USERNAME>/.pam_environment /home/<USERNAME>/.pam_environment ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/vgubuntu-root rw,errors=remount-ro
mountid=1895 fsname=/home/<USERNAME>/.pam_environment dir=/home/<USERNAME>/.pam_environment fstype=ext4
Mounting noexec /home/<USERNAME>/.profile
1896 1885 253:1 /home/<USERNAME>/.profile /home/<USERNAME>/.profile ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/vgubuntu-root rw,errors=remount-ro
mountid=1896 fsname=/home/<USERNAME>/.profile dir=/home/<USERNAME>/.profile fstype=ext4
Mounting noexec /home/<USERNAME>/.gem
1897 1886 253:1 /home/<USERNAME>/.gem /home/<USERNAME>/.gem ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/vgubuntu-root rw,errors=remount-ro
mountid=1897 fsname=/home/<USERNAME>/.gem dir=/home/<USERNAME>/.gem fstype=ext4
Mounting noexec /home/<USERNAME>/bin
1898 1887 253:1 /home/<USERNAME>/bin /home/<USERNAME>/bin ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/vgubuntu-root rw,errors=remount-ro
mountid=1898 fsname=/home/<USERNAME>/bin dir=/home/<USERNAME>/bin fstype=ext4
Mounting noexec /home/<USERNAME>/.local/share/applications
1899 1888 253:1 /home/<USERNAME>/.local/share/applications /home/<USERNAME>/.local/share/applications ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/vgubuntu-root rw,errors=remount-ro
mountid=1899 fsname=/home/<USERNAME>/.local/share/applications dir=/home/<USERNAME>/.local/share/applications fstype=ext4
Mounting noexec /run/user/1000
1903 1900 0:24 /firejail/firejail.ro.dir /run/user/1000/systemd rw,nosuid,nodev,noexec,relatime master:5 - tmpfs tmpfs rw,size=1624152k,mode=755
mountid=1903 fsname=/firejail/firejail.ro.dir dir=/run/user/1000/systemd fstype=tmpfs
Mounting noexec /dev/shm
1904 1150 0:92 /shm /dev/shm rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755
mountid=1904 fsname=/shm dir=/dev/shm fstype=tmpfs
Mounting noexec /tmp
1906 1905 253:1 /tmp/.X11-unix /tmp/.X11-unix rw,relatime master:1 - ext4 /dev/mapper/vgubuntu-root rw,errors=remount-ro
mountid=1906 fsname=/tmp/.X11-unix dir=/tmp/.X11-unix fstype=ext4
Mounting noexec /tmp/.X11-unix
1907 1906 253:1 /tmp/.X11-unix /tmp/.X11-unix rw,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/vgubuntu-root rw,errors=remount-ro
mountid=1907 fsname=/tmp/.X11-unix dir=/tmp/.X11-unix fstype=ext4
Disable /usr/bin/luajittex
Disable /usr/bin/luatex
Disable /usr/bin/luatex (requested /usr/bin/lualatex)
Disable /usr/bin/luajittex (requested /bin/luajittex)
Disable /usr/bin/luatex (requested /bin/luatex)
Disable /usr/bin/luatex (requested /bin/lualatex)
Disable /usr/share/lua
Disable /usr/bin/node
Disable /usr/bin/node (requested /bin/node)
Disable /usr/bin/cpan
Disable /usr/bin/cpan5.30-x86_64-linux-gnu
Disable /usr/bin/cpan (requested /bin/cpan)
Disable /usr/bin/cpan5.30-x86_64-linux-gnu (requested /bin/cpan5.30-x86_64-linux-gnu)
Disable /usr/bin/perl
Disable /usr/bin/perl (requested /bin/perl)
Disable /usr/share/perl
Disable /usr/share/perl5
Disable /usr/share/perl-openssl-defaults
Disable /usr/bin/ruby2.7 (requested /usr/bin/ruby)
Disable /usr/bin/ruby2.7 (requested /bin/ruby)
Disable /usr/lib/ruby
Disable /usr/bin/python2.7 (requested /usr/bin/python2)
Disable /usr/bin/python2.7
Disable /usr/bin/python2.7 (requested /bin/python2)
Disable /usr/bin/python2.7 (requested /bin/python2.7)
Disable /usr/lib/python2.7
Disable /usr/local/lib/python2.7
Disable /usr/bin/python3.8
Disable /usr/bin/python3.8 (requested /usr/bin/python3)
Disable /usr/bin/python3.8 (requested /bin/python3.8)
Disable /usr/bin/python3.8 (requested /bin/python3)
Disable /usr/lib/python3.8
Disable /usr/lib/python3
Disable /usr/local/lib/python3.8
Disable /usr/share/python3
Disable /home/<USERNAME>/.config/keepassxc
Disable /home/<USERNAME>/.atom
Not blacklist /home/<USERNAME>/.bogofilter
Disable /home/<USERNAME>/.config/Atom
Disable /home/<USERNAME>/.config/enchant
Not blacklist /home/<USERNAME>/.config/evolution
Disable /home/<USERNAME>/.config/gedit
Disable /home/<USERNAME>/.config/google-chrome
Disable /home/<USERNAME>/.config/libreoffice
Disable /home/<USERNAME>/.config/nautilus
Disable /home/<USERNAME>/.config/yelp
Disable /home/<USERNAME>/.local/share/TelegramDesktop
Not blacklist /home/<USERNAME>/.local/share/evolution
Disable /home/<USERNAME>/.local/share/nautilus
Disable /home/<USERNAME>/.mozilla
Disable /home/<USERNAME>/.wget-hsts
Disable /home/<USERNAME>/.cache/babl
Not blacklist /home/<USERNAME>/.cache/evolution
Disable /home/<USERNAME>/.cache/gegl-0.4
Disable /home/<USERNAME>/.cache/google-chrome
Disable /home/<USERNAME>/.cache/libgweather
Disable /home/<USERNAME>/.cache/mozilla
Mounting read-only /tmp/.X11-unix
1961 1907 253:1 /tmp/.X11-unix /tmp/.X11-unix ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/vgubuntu-root rw,errors=remount-ro
mountid=1961 fsname=/tmp/.X11-unix dir=/tmp/.X11-unix fstype=ext4
Disable /sys/fs
Disable /sys/module
disable pulseaudio
blacklist /home/<USERNAME>/.config/pulse
blacklist /run/user/1000/pulse/native
blacklist /run/user/1000/pulse/native
Current directory: /home/<USERNAME>
DISPLAY=:0 parsed as 0
Install protocol filter: unix,inet,inet6
configuring 14 seccomp entries in /run/firejail/mnt/seccomp/seccomp.protocol
sbox run: /usr/lib/x86_64-linux-gnu/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.protocol (null) 
Dropping all capabilities
Drop privileges: pid 3, uid 1000, gid 1000, nogroups 1
No supplementary groups
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 15 01 00 00000029   jeq socket 0006 (false 0005)
 0005: 06 00 00 7fff0000   ret ALLOW
 0006: 20 00 00 00000010   ld  data.args[0]
 0007: 15 00 01 00000001   jeq 1 0008 (false 0009)
 0008: 06 00 00 7fff0000   ret ALLOW
 0009: 15 00 01 00000002   jeq 2 000a (false 000b)
 000a: 06 00 00 7fff0000   ret ALLOW
 000b: 15 00 01 0000000a   jeq a 000c (false 000d)
 000c: 06 00 00 7fff0000   ret ALLOW
 000d: 06 00 00 0005005f   ret ERRNO(95)
configuring 54 seccomp entries in /run/firejail/mnt/seccomp/seccomp.32
sbox run: /usr/lib/x86_64-linux-gnu/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.32 (null) 
Dropping all capabilities
Drop privileges: pid 4, uid 1000, gid 1000, nogroups 1
No supplementary groups
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 40000003   jeq ARCH_32 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 15 30 00 00000015   jeq 15 0035 (false 0005)
 0005: 15 2f 00 00000034   jeq 34 0035 (false 0006)
 0006: 15 2e 00 0000001a   jeq 1a 0035 (false 0007)
 0007: 15 2d 00 0000011b   jeq 11b 0035 (false 0008)
 0008: 15 2c 00 00000155   jeq 155 0035 (false 0009)
 0009: 15 2b 00 00000156   jeq 156 0035 (false 000a)
 000a: 15 2a 00 0000007f   jeq 7f 0035 (false 000b)
 000b: 15 29 00 00000080   jeq 80 0035 (false 000c)
 000c: 15 28 00 0000015e   jeq 15e 0035 (false 000d)
 000d: 15 27 00 00000081   jeq 81 0035 (false 000e)
 000e: 15 26 00 0000006e   jeq 6e 0035 (false 000f)
 000f: 15 25 00 00000065   jeq 65 0035 (false 0010)
 0010: 15 24 00 00000121   jeq 121 0035 (false 0011)
 0011: 15 23 00 00000057   jeq 57 0035 (false 0012)
 0012: 15 22 00 00000073   jeq 73 0035 (false 0013)
 0013: 15 21 00 00000067   jeq 67 0035 (false 0014)
 0014: 15 20 00 0000015b   jeq 15b 0035 (false 0015)
 0015: 15 1f 00 0000015c   jeq 15c 0035 (false 0016)
 0016: 15 1e 00 00000087   jeq 87 0035 (false 0017)
 0017: 15 1d 00 00000095   jeq 95 0035 (false 0018)
 0018: 15 1c 00 0000007c   jeq 7c 0035 (false 0019)
 0019: 15 1b 00 00000157   jeq 157 0035 (false 001a)
 001a: 15 1a 00 000000fd   jeq fd 0035 (false 001b)
 001b: 15 19 00 00000150   jeq 150 0035 (false 001c)
 001c: 15 18 00 00000152   jeq 152 0035 (false 001d)
 001d: 15 17 00 0000015d   jeq 15d 0035 (false 001e)
 001e: 15 16 00 0000011e   jeq 11e 0035 (false 001f)
 001f: 15 15 00 0000011f   jeq 11f 0035 (false 0020)
 0020: 15 14 00 00000120   jeq 120 0035 (false 0021)
 0021: 15 13 00 00000056   jeq 56 0035 (false 0022)
 0022: 15 12 00 00000033   jeq 33 0035 (false 0023)
 0023: 15 11 00 0000007b   jeq 7b 0035 (false 0024)
 0024: 15 10 00 000000d9   jeq d9 0035 (false 0025)
 0025: 15 0f 00 000000f5   jeq f5 0035 (false 0026)
 0026: 15 0e 00 000000f6   jeq f6 0035 (false 0027)
 0027: 15 0d 00 000000f7   jeq f7 0035 (false 0028)
 0028: 15 0c 00 000000f8   jeq f8 0035 (false 0029)
 0029: 15 0b 00 000000f9   jeq f9 0035 (false 002a)
 002a: 15 0a 00 00000101   jeq 101 0035 (false 002b)
 002b: 15 09 00 00000112   jeq 112 0035 (false 002c)
 002c: 15 08 00 00000114   jeq 114 0035 (false 002d)
 002d: 15 07 00 00000126   jeq 126 0035 (false 002e)
 002e: 15 06 00 0000013d   jeq 13d 0035 (false 002f)
 002f: 15 05 00 0000013c   jeq 13c 0035 (false 0030)
 0030: 15 04 00 0000003d   jeq 3d 0035 (false 0031)
 0031: 15 03 00 00000058   jeq 58 0035 (false 0032)
 0032: 15 02 00 000000a9   jeq a9 0035 (false 0033)
 0033: 15 01 00 00000082   jeq 82 0035 (false 0034)
 0034: 06 00 00 7fff0000   ret ALLOW
 0035: 06 00 00 00000000   ret KILL
Dual 32/64 bit seccomp filter configured
configuring 72 seccomp entries in /run/firejail/mnt/seccomp/seccomp
sbox run: /usr/lib/x86_64-linux-gnu/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp (null) 
Dropping all capabilities
Drop privileges: pid 5, uid 1000, gid 1000, nogroups 1
No supplementary groups
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 35 01 00 40000000   jge X32_ABI 0006 (false 0005)
 0005: 35 01 00 00000000   jge read 0007 (false 0006)
 0006: 06 00 00 00050001   ret ERRNO(1)
 0007: 15 3f 00 0000009f   jeq adjtimex 0047 (false 0008)
 0008: 15 3e 00 00000131   jeq clock_adjtime 0047 (false 0009)
 0009: 15 3d 00 000000e3   jeq clock_settime 0047 (false 000a)
 000a: 15 3c 00 000000a4   jeq settimeofday 0047 (false 000b)
 000b: 15 3b 00 0000009a   jeq modify_ldt 0047 (false 000c)
 000c: 15 3a 00 000000d4   jeq lookup_dcookie 0047 (false 000d)
 000d: 15 39 00 0000012a   jeq perf_event_open 0047 (false 000e)
 000e: 15 38 00 00000137   jeq process_vm_writev 0047 (false 000f)
 000f: 15 37 00 000000b0   jeq delete_module 0047 (false 0010)
 0010: 15 36 00 00000139   jeq finit_module 0047 (false 0011)
 0011: 15 35 00 000000af   jeq init_module 0047 (false 0012)
 0012: 15 34 00 0000009c   jeq _sysctl 0047 (false 0013)
 0013: 15 33 00 000000b7   jeq afs_syscall 0047 (false 0014)
 0014: 15 32 00 000000ae   jeq create_module 0047 (false 0015)
 0015: 15 31 00 000000b1   jeq get_kernel_syms 0047 (false 0016)
 0016: 15 30 00 000000b5   jeq getpmsg 0047 (false 0017)
 0017: 15 2f 00 000000b6   jeq putpmsg 0047 (false 0018)
 0018: 15 2e 00 000000b2   jeq query_module 0047 (false 0019)
 0019: 15 2d 00 000000b9   jeq security 0047 (false 001a)
 001a: 15 2c 00 0000008b   jeq sysfs 0047 (false 001b)
 001b: 15 2b 00 000000b8   jeq tuxcall 0047 (false 001c)
 001c: 15 2a 00 00000086   jeq uselib 0047 (false 001d)
 001d: 15 29 00 00000088   jeq ustat 0047 (false 001e)
 001e: 15 28 00 000000ec   jeq vserver 0047 (false 001f)
 001f: 15 27 00 000000ad   jeq ioperm 0047 (false 0020)
 0020: 15 26 00 000000ac   jeq iopl 0047 (false 0021)
 0021: 15 25 00 000000f6   jeq kexec_load 0047 (false 0022)
 0022: 15 24 00 00000140   jeq kexec_file_load 0047 (false 0023)
 0023: 15 23 00 000000a9   jeq reboot 0047 (false 0024)
 0024: 15 22 00 000000a7   jeq swapon 0047 (false 0025)
 0025: 15 21 00 000000a8   jeq swapoff 0047 (false 0026)
 0026: 15 20 00 00000130   jeq open_by_handle_at 0047 (false 0027)
 0027: 15 1f 00 0000012f   jeq name_to_handle_at 0047 (false 0028)
 0028: 15 1e 00 000000fb   jeq ioprio_set 0047 (false 0029)
 0029: 15 1d 00 00000067   jeq syslog 0047 (false 002a)
 002a: 15 1c 00 0000012c   jeq fanotify_init 0047 (false 002b)
 002b: 15 1b 00 00000138   jeq kcmp 0047 (false 002c)
 002c: 15 1a 00 000000f8   jeq add_key 0047 (false 002d)
 002d: 15 19 00 000000f9   jeq request_key 0047 (false 002e)
 002e: 15 18 00 000000ed   jeq mbind 0047 (false 002f)
 002f: 15 17 00 00000100   jeq migrate_pages 0047 (false 0030)
 0030: 15 16 00 00000117   jeq move_pages 0047 (false 0031)
 0031: 15 15 00 000000fa   jeq keyctl 0047 (false 0032)
 0032: 15 14 00 000000ce   jeq io_setup 0047 (false 0033)
 0033: 15 13 00 000000cf   jeq io_destroy 0047 (false 0034)
 0034: 15 12 00 000000d0   jeq io_getevents 0047 (false 0035)
 0035: 15 11 00 000000d1   jeq io_submit 0047 (false 0036)
 0036: 15 10 00 000000d2   jeq io_cancel 0047 (false 0037)
 0037: 15 0f 00 000000d8   jeq remap_file_pages 0047 (false 0038)
 0038: 15 0e 00 00000143   jeq userfaultfd 0047 (false 0039)
 0039: 15 0d 00 000000a3   jeq acct 0047 (false 003a)
 003a: 15 0c 00 00000141   jeq bpf 0047 (false 003b)
 003b: 15 0b 00 000000a1   jeq chroot 0047 (false 003c)
 003c: 15 0a 00 000000a5   jeq mount 0047 (false 003d)
 003d: 15 09 00 000000b4   jeq nfsservctl 0047 (false 003e)
 003e: 15 08 00 0000009b   jeq pivot_root 0047 (false 003f)
 003f: 15 07 00 000000ab   jeq setdomainname 0047 (false 0040)
 0040: 15 06 00 000000aa   jeq sethostname 0047 (false 0041)
 0041: 15 05 00 000000a6   jeq umount2 0047 (false 0042)
 0042: 15 04 00 00000099   jeq vhangup 0047 (false 0043)
 0043: 15 03 00 00000065   jeq ptrace 0047 (false 0044)
 0044: 15 02 00 00000087   jeq personality 0047 (false 0045)
 0045: 15 01 00 00000136   jeq process_vm_readv 0047 (false 0046)
 0046: 06 00 00 7fff0000   ret ALLOW
 0047: 06 00 01 00000000   ret KILL
seccomp filter configured
Mounting read-only /run/firejail/mnt/seccomp
Dropping all capabilities
noroot user namespace installed
Dropping all capabilities
NO_NEW_PRIVS set
Drop privileges: pid 1, uid 1000, gid 1000, nogroups 1
No supplementary groups
starting application
LD_PRELOAD=(null)
execvp argument 0: evolution
Child process initialized in 164.53 ms
Searching $PATH for evolution
trying #/home/<USERNAME>/gems/bin/evolution#
trying #/home/<USERNAME>/bin/evolution#
trying #/usr/local/sbin/evolution#
trying #/usr/local/bin/evolution#
Installing /run/firejail/mnt/seccomp/seccomp seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter
Warning: an existing sandbox was detected. /usr/bin/evolution will run without any additional sandboxing features
monitoring pid 6


(evolution-alarm-notify:18): GLib-GIO-WARNING **: 13:39:57.415: Your application did not unregister from D-Bus before destruction. Consider using g_application_run().

(evolution:6): camel-WARNING **: 13:39:57.618: CamelSpoolStore::get_folder_sync() set its GError but then reported success

(evolution:6): camel-WARNING **: 13:39:57.618: Error message was: Could not open file: /var/mail/<USERNAME>: Read-only file system

(evolution:6): GLib-WARNING **: 13:39:57.625: GError set over the top of a previous GError or uninitialized memory.
This indicates a bug in someone's code. You must ensure an error is NULL before it's set.
The overwriting error message was: Cannot create folder lock on /var/mail/<USERNAME>: Read-only file system

(evolution:6): GLib-GIO-WARNING **: 13:40:12.875: Your application did not unregister from D-Bus before destruction. Consider using g_application_run().
Sandbox monitor: waitpid 6 retval 6 status 0

Parent is shutting down, bye...
Originally created by @kmotoko on GitHub (Jun 25, 2020). Original GitHub issue: https://github.com/netblue30/firejail/issues/3478 Evolution mail client can be used to read local mails (Standard Unix mbox spool file). Most commonly, these files are stored in /var/mail/<USERNAME>. **Bug and expected behavior** - Describe the bug. When you try to open the local mailbox in `/var/mail/<USERNAME>`, it shows the following under the toolbar (not the message specific part of the window): ``` Failed to refresh folder “<USERNAME>@localhost : INBOX”. The reported error was “Could not open file: /var/mail/<USERNAME>: Read-only file system”. ``` If you try to open a message from the problematic mailbox, it shows the following instead of the message contents. ``` Unable to retrieve message. Cannot create folder lock on /var/mail/<USERNAME>: Read-only file system ``` Please pay attention that **it does not show the message contents at all**. **Note:** There is no `evolution.local`, and there is nothing related in `globals.local`. - What did you expect to happen? To be able to read Unix mbox spool files that belongs to the current user, without any error. **No profile or disabling firejail** - What changed calling `firejail --noprofile PROGRAM` in a shell? The error did not change. - What changed calling the program *by path*=without firejail (check `whereis PROGRAM`, `firejail --list`, `stat $programpath`)? Evolution works as expected. **Reproduce** Steps to reproduce the behavior: 1. Run in bash `firejail evolution` 2. See error: ``` Failed to refresh folder “<USERNAME>@localhost : INBOX”. The reported error was “Could not open file: /var/mail/<USERNAME>: Read-only file system”. ``` And ``` Unable to retrieve message. Cannot create folder lock on /var/mail/<USERNAME>: Read-only file system ``` **Environment** - Linux distribution and version (ie output of `lsb_release -a`) ``` No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 20.04 LTS Release: 20.04 Codename: focal ``` - Firejail version (output of `firejail --version`) exclusive or used git commit (`git rev-parse HEAD`) ``` firejail version 0.9.62 Compile time support: - AppArmor support is enabled - AppImage support is enabled - chroot support is enabled - file and directory whitelisting support is enabled - file transfer support is enabled - firetunnel support is enabled - networking support is enabled - overlayfs support is enabled - private-home support is enabled - seccomp-bpf support is enabled - user namespace support is enabled - X11 sandboxing support is enabled ``` - What other programs interact with the affected program for the functionality? None. - Are these listed in the profile? N/A **Additional context** Other context about the problem like related errors to understand the problem. **Checklist** - [ x] The upstream profile (and redirect profile if exists) have no changes fixing it. - [ x] The upstream profile exists (`find / -name 'firejail' 2>/dev/null`/`fd firejail` to locate profiles ie in `/usr/local/etc/firejail/PROGRAM.profile`) - [ x] Programs needed for interaction are listed. - [ x] Error was checked in search engine and on issue list without success. <details><summary> debug output </summary> ``` Autoselecting /bin/bash as shell Building quoted command line: 'evolution' Command name #evolution# Found evolution.profile profile in /etc/firejail directory Reading profile /etc/firejail/evolution.profile Found globals.local profile in /etc/firejail directory Found disable-common.inc profile in /etc/firejail directory Reading profile /etc/firejail/disable-common.inc Found disable-devel.inc profile in /etc/firejail directory Reading profile /etc/firejail/disable-devel.inc Found disable-exec.inc profile in /etc/firejail directory Reading profile /etc/firejail/disable-exec.inc Found disable-interpreters.inc profile in /etc/firejail directory Reading profile /etc/firejail/disable-interpreters.inc Found disable-passwdmgr.inc profile in /etc/firejail directory Reading profile /etc/firejail/disable-passwdmgr.inc Found disable-programs.inc profile in /etc/firejail directory Reading profile /etc/firejail/disable-programs.inc Warning: networking feature is disabled in Firejail configuration file DISPLAY=:0 parsed as 0 Using the local network stack Parent pid 4754, child pid 4755 Initializing child process Host network configured PID namespace installed Mounting tmpfs on /run/firejail/mnt directory Creating empty /run/firejail/mnt/seccomp directory Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file IBUS_ADDRESS=unix:abstract=/home/<USERNAME>/.cache/ibus/dbus-cr0HGqtN,guid=9477ce0faa446173f68c34b95ee65c1c IBUS_DAEMON_PID=6816 Build protocol filter: unix,inet,inet6 sbox run: /run/firejail/lib/fseccomp protocol build unix,inet,inet6 /run/firejail/mnt/seccomp/seccomp.protocol (null) Dropping all capabilities Drop privileges: pid 2, uid 1000, gid 1000, nogroups 1 No supplementary groups Mounting /proc filesystem representing the PID namespace Basic read-only filesystem: Mounting read-only /etc Mounting noexec /etc Mounting read-only /var Mounting noexec /var Mounting read-only /bin Mounting read-only /sbin Mounting read-only /lib Mounting read-only /lib64 Mounting read-only /lib32 Mounting read-only /libx32 Mounting read-only /usr Mounting tmpfs on /var/lock Mounting tmpfs on /var/tmp Mounting tmpfs on /var/log Mounting tmpfs on /var/lib/dhcp Mounting tmpfs on /var/lib/snmp Mounting tmpfs on /var/lib/sudo Create the new utmp file Mount the new utmp file Cleaning /home directory Cleaning /run/user directory Sanitizing /etc/passwd, UID_MIN 1000 Sanitizing /etc/group, GID_MIN 1000 Disable /run/firejail/network Disable /run/firejail/bandwidth Disable /run/firejail/name Disable /run/firejail/profile Disable /run/firejail/x11 Mounting tmpfs on /dev mounting /run/firejail/mnt/dev/dri directory Process /dev/shm directory Generate private-tmp whitelist commands Mounting read-only /proc/sys Remounting /sys directory Disable /sys/firmware Disable /sys/hypervisor Disable /sys/power Disable /sys/kernel/debug Disable /sys/kernel/vmcoreinfo Disable /sys/kernel/uevent_helper Disable /proc/sys/fs/binfmt_misc Disable /proc/sys/kernel/core_pattern Disable /proc/sys/kernel/modprobe Disable /proc/sysrq-trigger Disable /proc/sys/kernel/hotplug Disable /proc/sys/vm/panic_on_oom Disable /proc/irq Disable /proc/bus Disable /proc/sched_debug Disable /proc/timer_list Disable /proc/kcore Disable /proc/kallsyms Disable /usr/lib/modules (requested /lib/modules) Disable /usr/lib/debug Disable /boot Disable /run/user/1000/gnupg Disable /run/user/1000/systemd Disable /proc/kmsg Debug 423: new_name #/tmp/.X11-unix#, whitelist Mounting tmpfs on /tmp directory Whitelisting /tmp/.X11-unix 1161 1160 253:1 /tmp/.X11-unix /tmp/.X11-unix rw,relatime master:1 - ext4 /dev/mapper/vgubuntu-root rw,errors=remount-ro mountid=1161 fsname=/tmp/.X11-unix dir=/tmp/.X11-unix fstype=ext4 Disable /home/<USERNAME>/.local/share/Trash Disable /home/<USERNAME>/.bash_history Disable /home/<USERNAME>/.lesshst Disable /home/<USERNAME>/.config/autostart Disable /etc/X11/Xsession.d Disable /etc/xdg/autostart Disable /home/<USERNAME>/.local/share/gnome-shell Mounting read-only /home/<USERNAME>/.config/dconf 1170 1129 253:1 /home/<USERNAME>/.config/dconf /home/<USERNAME>/.config/dconf ro,relatime master:1 - ext4 /dev/mapper/vgubuntu-root rw,errors=remount-ro mountid=1170 fsname=/home/<USERNAME>/.config/dconf dir=/home/<USERNAME>/.config/dconf fstype=ext4 Disable /var/lib/systemd Disable /var/cache/apt Disable /var/lib/apt Disable /var/lib/upower Not blacklist /var/mail Disable /var/opt Disable /run/acpid.socket (requested /var/run/acpid.socket) Disable /var/spool/anacron Disable /var/spool/cron Not blacklist /var/spool/mail Disable /etc/anacrontab Disable /etc/cron.weekly Disable /etc/cron.monthly Disable /etc/cron.daily Disable /etc/cron.d Disable /etc/cron.hourly Disable /etc/crontab Disable /etc/profile.d Disable /etc/rc2.d Disable /etc/rc4.d Disable /etc/rc5.d Disable /etc/rc3.d Disable /etc/rc6.d Disable /etc/rc0.d Disable /etc/rc1.d Disable /etc/rcS.d Disable /etc/kernel Disable /etc/kerneloops.conf Disable /etc/kernel-img.conf Disable /etc/grub.d Disable /etc/apparmor Disable /etc/apparmor.d Disable /etc/selinux Disable /etc/modules-load.d Disable /etc/modules Disable /etc/logrotate.d Disable /etc/logrotate.conf Disable /etc/adduser.conf Mounting read-only /home/<USERNAME>/.bash_logout 1208 1129 253:1 /home/<USERNAME>/.bash_logout /home/<USERNAME>/.bash_logout ro,relatime master:1 - ext4 /dev/mapper/vgubuntu-root rw,errors=remount-ro mountid=1208 fsname=/home/<USERNAME>/.bash_logout dir=/home/<USERNAME>/.bash_logout fstype=ext4 Mounting read-only /home/<USERNAME>/.bashrc 1209 1129 253:1 /home/<USERNAME>/.bashrc /home/<USERNAME>/.bashrc ro,relatime master:1 - ext4 /dev/mapper/vgubuntu-root rw,errors=remount-ro mountid=1209 fsname=/home/<USERNAME>/.bashrc dir=/home/<USERNAME>/.bashrc fstype=ext4 Mounting read-only /home/<USERNAME>/.pam_environment 1210 1129 253:1 /home/<USERNAME>/.pam_environment /home/<USERNAME>/.pam_environment ro,relatime master:1 - ext4 /dev/mapper/vgubuntu-root rw,errors=remount-ro mountid=1210 fsname=/home/<USERNAME>/.pam_environment dir=/home/<USERNAME>/.pam_environment fstype=ext4 Mounting read-only /home/<USERNAME>/.profile 1211 1129 253:1 /home/<USERNAME>/.profile /home/<USERNAME>/.profile ro,relatime master:1 - ext4 /dev/mapper/vgubuntu-root rw,errors=remount-ro mountid=1211 fsname=/home/<USERNAME>/.profile dir=/home/<USERNAME>/.profile fstype=ext4 Mounting read-only /home/<USERNAME>/.gem 1212 1129 253:1 /home/<USERNAME>/.gem /home/<USERNAME>/.gem ro,relatime master:1 - ext4 /dev/mapper/vgubuntu-root rw,errors=remount-ro mountid=1212 fsname=/home/<USERNAME>/.gem dir=/home/<USERNAME>/.gem fstype=ext4 Mounting read-only /home/<USERNAME>/bin 1213 1129 253:1 /home/<USERNAME>/bin /home/<USERNAME>/bin ro,relatime master:1 - ext4 /dev/mapper/vgubuntu-root rw,errors=remount-ro mountid=1213 fsname=/home/<USERNAME>/bin dir=/home/<USERNAME>/bin fstype=ext4 Mounting read-only /home/<USERNAME>/.local/share/applications 1214 1129 253:1 /home/<USERNAME>/.local/share/applications /home/<USERNAME>/.local/share/applications ro,relatime master:1 - ext4 /dev/mapper/vgubuntu-root rw,errors=remount-ro mountid=1214 fsname=/home/<USERNAME>/.local/share/applications dir=/home/<USERNAME>/.local/share/applications fstype=ext4 Not blacklist /home/<USERNAME>/.gnupg Disable /home/<USERNAME>/.local/share/keyrings Not blacklist /home/<USERNAME>/.pki Not blacklist /home/<USERNAME>/.local/share/pki Disable /home/<USERNAME>/.ssh Disable /etc/group- Disable /etc/gshadow Disable /etc/gshadow- Disable /etc/passwd- Disable /etc/shadow Disable /etc/shadow- Disable /etc/ssh Disable /usr/sbin (requested /sbin) Disable /usr/local/sbin Disable /usr/sbin Disable /usr/bin/chage Disable /usr/bin/chage (requested /bin/chage) Disable /usr/bin/chfn Disable /usr/bin/chfn (requested /bin/chfn) Disable /usr/bin/chsh Disable /usr/bin/chsh (requested /bin/chsh) Disable /usr/bin/crontab Disable /usr/bin/crontab (requested /bin/crontab) Disable /usr/bin/expiry Disable /usr/bin/expiry (requested /bin/expiry) Disable /usr/bin/fusermount Disable /usr/bin/fusermount (requested /bin/fusermount) Disable /usr/bin/gpasswd Disable /usr/bin/gpasswd (requested /bin/gpasswd) Disable /usr/bin/mount Disable /usr/bin/mount (requested /bin/mount) Disable /usr/bin/nc.openbsd (requested /usr/bin/nc) Disable /usr/bin/nc.openbsd (requested /bin/nc) Disable /usr/bin/newgrp Disable /usr/bin/newgrp (requested /bin/newgrp) Disable /usr/bin/ntfs-3g Disable /usr/bin/ntfs-3g (requested /bin/ntfs-3g) Disable /usr/bin/pkexec Disable /usr/bin/pkexec (requested /bin/pkexec) Disable /usr/bin/newgrp (requested /usr/bin/sg) Disable /usr/bin/newgrp (requested /bin/sg) Disable /usr/bin/strace Disable /usr/bin/strace (requested /bin/strace) Disable /usr/bin/su Disable /usr/bin/su (requested /bin/su) Disable /usr/bin/sudo Disable /usr/bin/sudo (requested /bin/sudo) Disable /usr/bin/umount Disable /usr/bin/umount (requested /bin/umount) Disable /usr/bin/xev Disable /usr/bin/xev (requested /bin/xev) Disable /usr/bin/xinput Disable /usr/bin/xinput (requested /bin/xinput) Disable /usr/bin/gnome-terminal Disable /usr/bin/gnome-terminal (requested /bin/gnome-terminal) Disable /usr/bin/gnome-terminal.wrapper Disable /usr/bin/gnome-terminal.wrapper (requested /bin/gnome-terminal.wrapper) Disable /home/<USERNAME>/.local/share/flatpak Disable /usr/bin/bwrap Disable /usr/bin/bwrap (requested /bin/bwrap) Disable /usr/bin/x86_64-linux-gnu-as (requested /usr/bin/as) Disable /usr/bin/x86_64-linux-gnu-as (requested /bin/as) Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /usr/bin/cc) Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /bin/cc) Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /usr/bin/c++) Disable /usr/bin/x86_64-linux-gnu-c++filt (requested /usr/bin/c++filt) Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /bin/c++) Disable /usr/bin/x86_64-linux-gnu-c++filt (requested /bin/c++filt) Disable /usr/bin/c89-gcc Disable /usr/bin/c89-gcc (requested /usr/bin/c89) Disable /usr/bin/c89-gcc (requested /bin/c89-gcc) Disable /usr/bin/c89-gcc (requested /bin/c89) Disable /usr/bin/c99-gcc (requested /usr/bin/c99) Disable /usr/bin/c99-gcc Disable /usr/bin/c99-gcc (requested /bin/c99) Disable /usr/bin/c99-gcc (requested /bin/c99-gcc) Disable /usr/bin/x86_64-linux-gnu-cpp-9 (requested /usr/bin/cpp) Disable /usr/bin/x86_64-linux-gnu-cpp-9 (requested /usr/bin/cpp-9) Disable /usr/bin/x86_64-linux-gnu-cpp-9 (requested /bin/cpp) Disable /usr/bin/x86_64-linux-gnu-cpp-9 (requested /bin/cpp-9) Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /usr/bin/g++) Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /usr/bin/g++-9) Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /bin/g++) Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /bin/g++-9) Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /usr/bin/gcc-9) Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /usr/bin/gcc-ranlib-9) Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /usr/bin/gcc-nm) Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /usr/bin/gcc-ar) Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /usr/bin/gcc) Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /usr/bin/gcc-ranlib) Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /usr/bin/gcc-nm-9) Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /usr/bin/gcc-ar-9) Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /bin/gcc-9) Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /bin/gcc-ranlib-9) Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /bin/gcc-nm) Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /bin/gcc-ar) Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /bin/gcc) Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /bin/gcc-ranlib) Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /bin/gcc-nm-9) Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /bin/gcc-ar-9) Disable /usr/bin/gdb Disable /usr/bin/gdb (requested /bin/gdb) Disable /usr/bin/x86_64-linux-gnu-ld.bfd (requested /usr/bin/ld) Disable /usr/bin/x86_64-linux-gnu-ld.bfd (requested /bin/ld) Disable /usr/bin/c89-gcc Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /usr/bin/x86_64-linux-gnu-gcc-nm) Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /usr/bin/x86_64-linux-gnu-gcc-ranlib) Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /usr/bin/x86_64-linux-gnu-gcc-ar) Disable /usr/bin/c99-gcc Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /usr/bin/x86_64-linux-gnu-gcc) Disable /usr/bin/x86_64-linux-gnu-gcc-9 Disable /usr/bin/c89-gcc (requested /bin/c89-gcc) Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /bin/x86_64-linux-gnu-gcc-ar-9) Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /bin/x86_64-linux-gnu-gcc-nm-9) Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /bin/x86_64-linux-gnu-gcc-nm) Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /bin/x86_64-linux-gnu-gcc-ranlib) Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /bin/x86_64-linux-gnu-gcc-ar) Disable /usr/bin/c99-gcc (requested /bin/c99-gcc) Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /bin/x86_64-linux-gnu-gcc-ranlib-9) Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /bin/x86_64-linux-gnu-gcc) Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /bin/x86_64-linux-gnu-gcc-9) Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /usr/bin/x86_64-linux-gnu-g++) Disable /usr/bin/x86_64-linux-gnu-g++-9 Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /bin/x86_64-linux-gnu-g++) Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /bin/x86_64-linux-gnu-g++-9) Disable /usr/bin/c89-gcc Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /usr/bin/x86_64-linux-gnu-gcc-nm) Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /usr/bin/x86_64-linux-gnu-gcc-ranlib) Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /usr/bin/x86_64-linux-gnu-gcc-ar) Disable /usr/bin/c99-gcc Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /usr/bin/x86_64-linux-gnu-gcc) Disable /usr/bin/x86_64-linux-gnu-gcc-9 Disable /usr/bin/c89-gcc (requested /bin/c89-gcc) Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /bin/x86_64-linux-gnu-gcc-ar-9) Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /bin/x86_64-linux-gnu-gcc-nm-9) Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /bin/x86_64-linux-gnu-gcc-nm) Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /bin/x86_64-linux-gnu-gcc-ranlib) Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /bin/x86_64-linux-gnu-gcc-ar) Disable /usr/bin/c99-gcc (requested /bin/c99-gcc) Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /bin/x86_64-linux-gnu-gcc-ranlib-9) Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /bin/x86_64-linux-gnu-gcc) Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /bin/x86_64-linux-gnu-gcc-9) Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /usr/bin/x86_64-linux-gnu-g++) Disable /usr/bin/x86_64-linux-gnu-g++-9 Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /bin/x86_64-linux-gnu-g++) Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /bin/x86_64-linux-gnu-g++-9) Disable /usr/include Disable /usr/share/java Disable /usr/bin/openssl Disable /usr/bin/openssl (requested /bin/openssl) Disable /usr/lib/valgrind Mounting noexec /home/<USERNAME> 1891 1875 0:24 /firejail/firejail.ro.dir /home/<USERNAME>/.local/share/flatpak rw,nosuid,nodev,noexec,relatime master:5 - tmpfs tmpfs rw,size=1624152k,mode=755 mountid=1891 fsname=/firejail/firejail.ro.dir dir=/home/<USERNAME>/.local/share/flatpak fstype=tmpfs Mounting noexec /home/<USERNAME>/.config/dconf 1892 1881 253:1 /home/<USERNAME>/.config/dconf /home/<USERNAME>/.config/dconf ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/vgubuntu-root rw,errors=remount-ro mountid=1892 fsname=/home/<USERNAME>/.config/dconf dir=/home/<USERNAME>/.config/dconf fstype=ext4 Mounting noexec /home/<USERNAME>/.bash_logout 1893 1882 253:1 /home/<USERNAME>/.bash_logout /home/<USERNAME>/.bash_logout ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/vgubuntu-root rw,errors=remount-ro mountid=1893 fsname=/home/<USERNAME>/.bash_logout dir=/home/<USERNAME>/.bash_logout fstype=ext4 Mounting noexec /home/<USERNAME>/.bashrc 1894 1883 253:1 /home/<USERNAME>/.bashrc /home/<USERNAME>/.bashrc ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/vgubuntu-root rw,errors=remount-ro mountid=1894 fsname=/home/<USERNAME>/.bashrc dir=/home/<USERNAME>/.bashrc fstype=ext4 Mounting noexec /home/<USERNAME>/.pam_environment 1895 1884 253:1 /home/<USERNAME>/.pam_environment /home/<USERNAME>/.pam_environment ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/vgubuntu-root rw,errors=remount-ro mountid=1895 fsname=/home/<USERNAME>/.pam_environment dir=/home/<USERNAME>/.pam_environment fstype=ext4 Mounting noexec /home/<USERNAME>/.profile 1896 1885 253:1 /home/<USERNAME>/.profile /home/<USERNAME>/.profile ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/vgubuntu-root rw,errors=remount-ro mountid=1896 fsname=/home/<USERNAME>/.profile dir=/home/<USERNAME>/.profile fstype=ext4 Mounting noexec /home/<USERNAME>/.gem 1897 1886 253:1 /home/<USERNAME>/.gem /home/<USERNAME>/.gem ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/vgubuntu-root rw,errors=remount-ro mountid=1897 fsname=/home/<USERNAME>/.gem dir=/home/<USERNAME>/.gem fstype=ext4 Mounting noexec /home/<USERNAME>/bin 1898 1887 253:1 /home/<USERNAME>/bin /home/<USERNAME>/bin ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/vgubuntu-root rw,errors=remount-ro mountid=1898 fsname=/home/<USERNAME>/bin dir=/home/<USERNAME>/bin fstype=ext4 Mounting noexec /home/<USERNAME>/.local/share/applications 1899 1888 253:1 /home/<USERNAME>/.local/share/applications /home/<USERNAME>/.local/share/applications ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/vgubuntu-root rw,errors=remount-ro mountid=1899 fsname=/home/<USERNAME>/.local/share/applications dir=/home/<USERNAME>/.local/share/applications fstype=ext4 Mounting noexec /run/user/1000 1903 1900 0:24 /firejail/firejail.ro.dir /run/user/1000/systemd rw,nosuid,nodev,noexec,relatime master:5 - tmpfs tmpfs rw,size=1624152k,mode=755 mountid=1903 fsname=/firejail/firejail.ro.dir dir=/run/user/1000/systemd fstype=tmpfs Mounting noexec /dev/shm 1904 1150 0:92 /shm /dev/shm rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755 mountid=1904 fsname=/shm dir=/dev/shm fstype=tmpfs Mounting noexec /tmp 1906 1905 253:1 /tmp/.X11-unix /tmp/.X11-unix rw,relatime master:1 - ext4 /dev/mapper/vgubuntu-root rw,errors=remount-ro mountid=1906 fsname=/tmp/.X11-unix dir=/tmp/.X11-unix fstype=ext4 Mounting noexec /tmp/.X11-unix 1907 1906 253:1 /tmp/.X11-unix /tmp/.X11-unix rw,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/vgubuntu-root rw,errors=remount-ro mountid=1907 fsname=/tmp/.X11-unix dir=/tmp/.X11-unix fstype=ext4 Disable /usr/bin/luajittex Disable /usr/bin/luatex Disable /usr/bin/luatex (requested /usr/bin/lualatex) Disable /usr/bin/luajittex (requested /bin/luajittex) Disable /usr/bin/luatex (requested /bin/luatex) Disable /usr/bin/luatex (requested /bin/lualatex) Disable /usr/share/lua Disable /usr/bin/node Disable /usr/bin/node (requested /bin/node) Disable /usr/bin/cpan Disable /usr/bin/cpan5.30-x86_64-linux-gnu Disable /usr/bin/cpan (requested /bin/cpan) Disable /usr/bin/cpan5.30-x86_64-linux-gnu (requested /bin/cpan5.30-x86_64-linux-gnu) Disable /usr/bin/perl Disable /usr/bin/perl (requested /bin/perl) Disable /usr/share/perl Disable /usr/share/perl5 Disable /usr/share/perl-openssl-defaults Disable /usr/bin/ruby2.7 (requested /usr/bin/ruby) Disable /usr/bin/ruby2.7 (requested /bin/ruby) Disable /usr/lib/ruby Disable /usr/bin/python2.7 (requested /usr/bin/python2) Disable /usr/bin/python2.7 Disable /usr/bin/python2.7 (requested /bin/python2) Disable /usr/bin/python2.7 (requested /bin/python2.7) Disable /usr/lib/python2.7 Disable /usr/local/lib/python2.7 Disable /usr/bin/python3.8 Disable /usr/bin/python3.8 (requested /usr/bin/python3) Disable /usr/bin/python3.8 (requested /bin/python3.8) Disable /usr/bin/python3.8 (requested /bin/python3) Disable /usr/lib/python3.8 Disable /usr/lib/python3 Disable /usr/local/lib/python3.8 Disable /usr/share/python3 Disable /home/<USERNAME>/.config/keepassxc Disable /home/<USERNAME>/.atom Not blacklist /home/<USERNAME>/.bogofilter Disable /home/<USERNAME>/.config/Atom Disable /home/<USERNAME>/.config/enchant Not blacklist /home/<USERNAME>/.config/evolution Disable /home/<USERNAME>/.config/gedit Disable /home/<USERNAME>/.config/google-chrome Disable /home/<USERNAME>/.config/libreoffice Disable /home/<USERNAME>/.config/nautilus Disable /home/<USERNAME>/.config/yelp Disable /home/<USERNAME>/.local/share/TelegramDesktop Not blacklist /home/<USERNAME>/.local/share/evolution Disable /home/<USERNAME>/.local/share/nautilus Disable /home/<USERNAME>/.mozilla Disable /home/<USERNAME>/.wget-hsts Disable /home/<USERNAME>/.cache/babl Not blacklist /home/<USERNAME>/.cache/evolution Disable /home/<USERNAME>/.cache/gegl-0.4 Disable /home/<USERNAME>/.cache/google-chrome Disable /home/<USERNAME>/.cache/libgweather Disable /home/<USERNAME>/.cache/mozilla Mounting read-only /tmp/.X11-unix 1961 1907 253:1 /tmp/.X11-unix /tmp/.X11-unix ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/vgubuntu-root rw,errors=remount-ro mountid=1961 fsname=/tmp/.X11-unix dir=/tmp/.X11-unix fstype=ext4 Disable /sys/fs Disable /sys/module disable pulseaudio blacklist /home/<USERNAME>/.config/pulse blacklist /run/user/1000/pulse/native blacklist /run/user/1000/pulse/native Current directory: /home/<USERNAME> DISPLAY=:0 parsed as 0 Install protocol filter: unix,inet,inet6 configuring 14 seccomp entries in /run/firejail/mnt/seccomp/seccomp.protocol sbox run: /usr/lib/x86_64-linux-gnu/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.protocol (null) Dropping all capabilities Drop privileges: pid 3, uid 1000, gid 1000, nogroups 1 No supplementary groups line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 01 00 c000003e jeq ARCH_64 0003 (false 0002) 0002: 06 00 00 7fff0000 ret ALLOW 0003: 20 00 00 00000000 ld data.syscall-number 0004: 15 01 00 00000029 jeq socket 0006 (false 0005) 0005: 06 00 00 7fff0000 ret ALLOW 0006: 20 00 00 00000010 ld data.args[0] 0007: 15 00 01 00000001 jeq 1 0008 (false 0009) 0008: 06 00 00 7fff0000 ret ALLOW 0009: 15 00 01 00000002 jeq 2 000a (false 000b) 000a: 06 00 00 7fff0000 ret ALLOW 000b: 15 00 01 0000000a jeq a 000c (false 000d) 000c: 06 00 00 7fff0000 ret ALLOW 000d: 06 00 00 0005005f ret ERRNO(95) configuring 54 seccomp entries in /run/firejail/mnt/seccomp/seccomp.32 sbox run: /usr/lib/x86_64-linux-gnu/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.32 (null) Dropping all capabilities Drop privileges: pid 4, uid 1000, gid 1000, nogroups 1 No supplementary groups line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 01 00 40000003 jeq ARCH_32 0003 (false 0002) 0002: 06 00 00 7fff0000 ret ALLOW 0003: 20 00 00 00000000 ld data.syscall-number 0004: 15 30 00 00000015 jeq 15 0035 (false 0005) 0005: 15 2f 00 00000034 jeq 34 0035 (false 0006) 0006: 15 2e 00 0000001a jeq 1a 0035 (false 0007) 0007: 15 2d 00 0000011b jeq 11b 0035 (false 0008) 0008: 15 2c 00 00000155 jeq 155 0035 (false 0009) 0009: 15 2b 00 00000156 jeq 156 0035 (false 000a) 000a: 15 2a 00 0000007f jeq 7f 0035 (false 000b) 000b: 15 29 00 00000080 jeq 80 0035 (false 000c) 000c: 15 28 00 0000015e jeq 15e 0035 (false 000d) 000d: 15 27 00 00000081 jeq 81 0035 (false 000e) 000e: 15 26 00 0000006e jeq 6e 0035 (false 000f) 000f: 15 25 00 00000065 jeq 65 0035 (false 0010) 0010: 15 24 00 00000121 jeq 121 0035 (false 0011) 0011: 15 23 00 00000057 jeq 57 0035 (false 0012) 0012: 15 22 00 00000073 jeq 73 0035 (false 0013) 0013: 15 21 00 00000067 jeq 67 0035 (false 0014) 0014: 15 20 00 0000015b jeq 15b 0035 (false 0015) 0015: 15 1f 00 0000015c jeq 15c 0035 (false 0016) 0016: 15 1e 00 00000087 jeq 87 0035 (false 0017) 0017: 15 1d 00 00000095 jeq 95 0035 (false 0018) 0018: 15 1c 00 0000007c jeq 7c 0035 (false 0019) 0019: 15 1b 00 00000157 jeq 157 0035 (false 001a) 001a: 15 1a 00 000000fd jeq fd 0035 (false 001b) 001b: 15 19 00 00000150 jeq 150 0035 (false 001c) 001c: 15 18 00 00000152 jeq 152 0035 (false 001d) 001d: 15 17 00 0000015d jeq 15d 0035 (false 001e) 001e: 15 16 00 0000011e jeq 11e 0035 (false 001f) 001f: 15 15 00 0000011f jeq 11f 0035 (false 0020) 0020: 15 14 00 00000120 jeq 120 0035 (false 0021) 0021: 15 13 00 00000056 jeq 56 0035 (false 0022) 0022: 15 12 00 00000033 jeq 33 0035 (false 0023) 0023: 15 11 00 0000007b jeq 7b 0035 (false 0024) 0024: 15 10 00 000000d9 jeq d9 0035 (false 0025) 0025: 15 0f 00 000000f5 jeq f5 0035 (false 0026) 0026: 15 0e 00 000000f6 jeq f6 0035 (false 0027) 0027: 15 0d 00 000000f7 jeq f7 0035 (false 0028) 0028: 15 0c 00 000000f8 jeq f8 0035 (false 0029) 0029: 15 0b 00 000000f9 jeq f9 0035 (false 002a) 002a: 15 0a 00 00000101 jeq 101 0035 (false 002b) 002b: 15 09 00 00000112 jeq 112 0035 (false 002c) 002c: 15 08 00 00000114 jeq 114 0035 (false 002d) 002d: 15 07 00 00000126 jeq 126 0035 (false 002e) 002e: 15 06 00 0000013d jeq 13d 0035 (false 002f) 002f: 15 05 00 0000013c jeq 13c 0035 (false 0030) 0030: 15 04 00 0000003d jeq 3d 0035 (false 0031) 0031: 15 03 00 00000058 jeq 58 0035 (false 0032) 0032: 15 02 00 000000a9 jeq a9 0035 (false 0033) 0033: 15 01 00 00000082 jeq 82 0035 (false 0034) 0034: 06 00 00 7fff0000 ret ALLOW 0035: 06 00 00 00000000 ret KILL Dual 32/64 bit seccomp filter configured configuring 72 seccomp entries in /run/firejail/mnt/seccomp/seccomp sbox run: /usr/lib/x86_64-linux-gnu/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp (null) Dropping all capabilities Drop privileges: pid 5, uid 1000, gid 1000, nogroups 1 No supplementary groups line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 01 00 c000003e jeq ARCH_64 0003 (false 0002) 0002: 06 00 00 7fff0000 ret ALLOW 0003: 20 00 00 00000000 ld data.syscall-number 0004: 35 01 00 40000000 jge X32_ABI 0006 (false 0005) 0005: 35 01 00 00000000 jge read 0007 (false 0006) 0006: 06 00 00 00050001 ret ERRNO(1) 0007: 15 3f 00 0000009f jeq adjtimex 0047 (false 0008) 0008: 15 3e 00 00000131 jeq clock_adjtime 0047 (false 0009) 0009: 15 3d 00 000000e3 jeq clock_settime 0047 (false 000a) 000a: 15 3c 00 000000a4 jeq settimeofday 0047 (false 000b) 000b: 15 3b 00 0000009a jeq modify_ldt 0047 (false 000c) 000c: 15 3a 00 000000d4 jeq lookup_dcookie 0047 (false 000d) 000d: 15 39 00 0000012a jeq perf_event_open 0047 (false 000e) 000e: 15 38 00 00000137 jeq process_vm_writev 0047 (false 000f) 000f: 15 37 00 000000b0 jeq delete_module 0047 (false 0010) 0010: 15 36 00 00000139 jeq finit_module 0047 (false 0011) 0011: 15 35 00 000000af jeq init_module 0047 (false 0012) 0012: 15 34 00 0000009c jeq _sysctl 0047 (false 0013) 0013: 15 33 00 000000b7 jeq afs_syscall 0047 (false 0014) 0014: 15 32 00 000000ae jeq create_module 0047 (false 0015) 0015: 15 31 00 000000b1 jeq get_kernel_syms 0047 (false 0016) 0016: 15 30 00 000000b5 jeq getpmsg 0047 (false 0017) 0017: 15 2f 00 000000b6 jeq putpmsg 0047 (false 0018) 0018: 15 2e 00 000000b2 jeq query_module 0047 (false 0019) 0019: 15 2d 00 000000b9 jeq security 0047 (false 001a) 001a: 15 2c 00 0000008b jeq sysfs 0047 (false 001b) 001b: 15 2b 00 000000b8 jeq tuxcall 0047 (false 001c) 001c: 15 2a 00 00000086 jeq uselib 0047 (false 001d) 001d: 15 29 00 00000088 jeq ustat 0047 (false 001e) 001e: 15 28 00 000000ec jeq vserver 0047 (false 001f) 001f: 15 27 00 000000ad jeq ioperm 0047 (false 0020) 0020: 15 26 00 000000ac jeq iopl 0047 (false 0021) 0021: 15 25 00 000000f6 jeq kexec_load 0047 (false 0022) 0022: 15 24 00 00000140 jeq kexec_file_load 0047 (false 0023) 0023: 15 23 00 000000a9 jeq reboot 0047 (false 0024) 0024: 15 22 00 000000a7 jeq swapon 0047 (false 0025) 0025: 15 21 00 000000a8 jeq swapoff 0047 (false 0026) 0026: 15 20 00 00000130 jeq open_by_handle_at 0047 (false 0027) 0027: 15 1f 00 0000012f jeq name_to_handle_at 0047 (false 0028) 0028: 15 1e 00 000000fb jeq ioprio_set 0047 (false 0029) 0029: 15 1d 00 00000067 jeq syslog 0047 (false 002a) 002a: 15 1c 00 0000012c jeq fanotify_init 0047 (false 002b) 002b: 15 1b 00 00000138 jeq kcmp 0047 (false 002c) 002c: 15 1a 00 000000f8 jeq add_key 0047 (false 002d) 002d: 15 19 00 000000f9 jeq request_key 0047 (false 002e) 002e: 15 18 00 000000ed jeq mbind 0047 (false 002f) 002f: 15 17 00 00000100 jeq migrate_pages 0047 (false 0030) 0030: 15 16 00 00000117 jeq move_pages 0047 (false 0031) 0031: 15 15 00 000000fa jeq keyctl 0047 (false 0032) 0032: 15 14 00 000000ce jeq io_setup 0047 (false 0033) 0033: 15 13 00 000000cf jeq io_destroy 0047 (false 0034) 0034: 15 12 00 000000d0 jeq io_getevents 0047 (false 0035) 0035: 15 11 00 000000d1 jeq io_submit 0047 (false 0036) 0036: 15 10 00 000000d2 jeq io_cancel 0047 (false 0037) 0037: 15 0f 00 000000d8 jeq remap_file_pages 0047 (false 0038) 0038: 15 0e 00 00000143 jeq userfaultfd 0047 (false 0039) 0039: 15 0d 00 000000a3 jeq acct 0047 (false 003a) 003a: 15 0c 00 00000141 jeq bpf 0047 (false 003b) 003b: 15 0b 00 000000a1 jeq chroot 0047 (false 003c) 003c: 15 0a 00 000000a5 jeq mount 0047 (false 003d) 003d: 15 09 00 000000b4 jeq nfsservctl 0047 (false 003e) 003e: 15 08 00 0000009b jeq pivot_root 0047 (false 003f) 003f: 15 07 00 000000ab jeq setdomainname 0047 (false 0040) 0040: 15 06 00 000000aa jeq sethostname 0047 (false 0041) 0041: 15 05 00 000000a6 jeq umount2 0047 (false 0042) 0042: 15 04 00 00000099 jeq vhangup 0047 (false 0043) 0043: 15 03 00 00000065 jeq ptrace 0047 (false 0044) 0044: 15 02 00 00000087 jeq personality 0047 (false 0045) 0045: 15 01 00 00000136 jeq process_vm_readv 0047 (false 0046) 0046: 06 00 00 7fff0000 ret ALLOW 0047: 06 00 01 00000000 ret KILL seccomp filter configured Mounting read-only /run/firejail/mnt/seccomp Dropping all capabilities noroot user namespace installed Dropping all capabilities NO_NEW_PRIVS set Drop privileges: pid 1, uid 1000, gid 1000, nogroups 1 No supplementary groups starting application LD_PRELOAD=(null) execvp argument 0: evolution Child process initialized in 164.53 ms Searching $PATH for evolution trying #/home/<USERNAME>/gems/bin/evolution# trying #/home/<USERNAME>/bin/evolution# trying #/usr/local/sbin/evolution# trying #/usr/local/bin/evolution# Installing /run/firejail/mnt/seccomp/seccomp seccomp filter Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter Warning: an existing sandbox was detected. /usr/bin/evolution will run without any additional sandboxing features monitoring pid 6 (evolution-alarm-notify:18): GLib-GIO-WARNING **: 13:39:57.415: Your application did not unregister from D-Bus before destruction. Consider using g_application_run(). (evolution:6): camel-WARNING **: 13:39:57.618: CamelSpoolStore::get_folder_sync() set its GError but then reported success (evolution:6): camel-WARNING **: 13:39:57.618: Error message was: Could not open file: /var/mail/<USERNAME>: Read-only file system (evolution:6): GLib-WARNING **: 13:39:57.625: GError set over the top of a previous GError or uninitialized memory. This indicates a bug in someone's code. You must ensure an error is NULL before it's set. The overwriting error message was: Cannot create folder lock on /var/mail/<USERNAME>: Read-only file system (evolution:6): GLib-GIO-WARNING **: 13:40:12.875: Your application did not unregister from D-Bus before destruction. Consider using g_application_run(). Sandbox monitor: waitpid 6 retval 6 status 0 Parent is shutting down, bye... ``` </details>
gitea-mirror 2026-05-05 08:51:59 -06:00
  • closed this issue
  • added the
    bug
         label
gitea-mirror commented 2026-05-05 08:52:02 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Jun 25, 2020):

Hi, thanks for reporting this. Looks like a bug in the profile. Can you try adding writable-var and report back if that fixes things on your side please?

<!-- gh-comment-id:649476281 --> @ghost commented on GitHub (Jun 25, 2020): Hi, thanks for reporting this. Looks like a bug in the profile. Can you try adding `writable-var` and report back if that fixes things on your side please?
gitea-mirror commented 2026-05-05 08:52:03 -06:00
Author
Owner
Copy link

@kmotoko commented on GitHub (Jun 25, 2020):

@glitsj16 that does not solve it. Is /var restricted to read-only even with --noprofile, because the error is still present with that flag. Could it be related to firejail apparmor profile?

<!-- gh-comment-id:649563497 --> @kmotoko commented on GitHub (Jun 25, 2020): @glitsj16 that does not solve it. Is `/var` restricted to read-only even with `--noprofile`, because the error is still present with that flag. Could it be related to firejail apparmor profile?
gitea-mirror commented 2026-05-05 08:52:04 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Jun 25, 2020):

Could it be related to firejail apparmor profile?

That's possible. To test if AppArmor is involved you can either use the --ignore=apparmor flag or add the below to /etc/apparmor.d/local/firejail-local

#+ mail clients :: allow writing to /var/mail
# /var/mail is a symlink to /var/spool/mail on Arch Linux
owner /{,var/}{mail,spool/mail}/** w,
<!-- gh-comment-id:649590608 --> @ghost commented on GitHub (Jun 25, 2020): > Could it be related to firejail apparmor profile? That's possible. To test if AppArmor is involved you can either use the `--ignore=apparmor` flag or add the below to /etc/apparmor.d/local/firejail-local ``` #+ mail clients :: allow writing to /var/mail # /var/mail is a symlink to /var/spool/mail on Arch Linux owner /{,var/}{mail,spool/mail}/** w, ```
gitea-mirror commented 2026-05-05 08:52:05 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jun 25, 2020):

Is /var restricted to read-only even with --noprofile

Yes, try with both --noprofile and --writeble-var.

Referring to thunderbird and mutt, you need to noblacklist and whitelist (if include whitelist-var-common.inc).

<!-- gh-comment-id:649656281 --> @rusty-snake commented on GitHub (Jun 25, 2020): > Is `/var` restricted to read-only even with `--noprofile` Yes, try with both `--noprofile` and `--writeble-var`. Referring to thunderbird and mutt, you need to `noblacklist` and `whitelist` (if `include whitelist-var-common.inc`).
gitea-mirror commented 2026-05-05 08:52:06 -06:00
Author
Owner
Copy link

@kmotoko commented on GitHub (Jun 26, 2020):

@rusty-snake , running with both --noprofile --writable-var worked! But the weird thing is that if I put writable-var into the local config, it did not. Then I checked --debug, and saw: Mounting read-only /var. It seems like it does not obey the local profile for some reason, to be sure I commented out everything (except noblacklist stuff) in the default profile and it did not change anything.

Edit: I also tried the local profile with @glitsj16 's apparmor rule, nothing changed.

<!-- gh-comment-id:650433911 --> @kmotoko commented on GitHub (Jun 26, 2020): @rusty-snake , running with both `--noprofile --writable-var` worked! But the weird thing is that if I put `writable-var` into the local config, it did not. Then I checked `--debug`, and saw: `Mounting read-only /var`. It seems like it does not obey the `local` profile for some reason, to be sure I commented out everything (except `noblacklist` stuff) in the `default` profile and it did not change anything. Edit: I also tried the `local` profile with @glitsj16 's apparmor rule, nothing changed.
gitea-mirror commented 2026-05-05 08:52:07 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jun 27, 2020):

in the default profile

If you run firejail evolution, firejail will use evolution.profile and not the default profile. You need to add it there and try to comment there if it does not work. You see the profiles loaded by firejail in the terminal.

<!-- gh-comment-id:650508253 --> @rusty-snake commented on GitHub (Jun 27, 2020): > in the default profile If you run `firejail evolution`, firejail will use evolution.profile and not the default profile. You need to add it there and try to comment there if it does not work. You see the profiles loaded by firejail in the terminal.
gitea-mirror commented 2026-05-05 08:52:07 -06:00
Author
Owner
Copy link

@kmotoko commented on GitHub (Jun 27, 2020):

@rusty-snake you got me wrong, I meant the default profile for evolution i.e. evolution.profile. So in detail here is the thing:

  • Running firejail --debug --noprofile --writable-var /usr/bin/evolution results in evolution to read local mail without any problems. Also, in the debug output, I don't see that /var is mounted read-only.
debug output

Autoselecting /bin/bash as shell
Building quoted command line: '/usr/bin/evolution'
Command name #evolution#
DISPLAY=:0 parsed as 0
Using the local network stack
Parent pid 627185, child pid 627186
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
IBUS_ADDRESS=unix:abstract=/home//.cache/ibus/dbus-cr0HGqtN,guid=9477ce0faa446173f68c34b95ee65c1c
IBUS_DAEMON_PID=6816
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
Mounting noexec /etc
Mounting read-only /bin
Mounting read-only /sbin
Mounting read-only /lib
Mounting read-only /lib64
Mounting read-only /lib32
Mounting read-only /libx32
Mounting read-only /usr
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /var/lib/dhcp
Mounting tmpfs on /var/lib/snmp
Mounting tmpfs on /var/lib/sudo
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Cleaning /run/user directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /sys/kernel/uevent_helper
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/kernel/hotplug
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /usr/lib/modules (requested /lib/modules)
Disable /usr/lib/debug
Disable /boot
Disable /dev/port
Disable /run/user/1000/gnupg
Disable /run/user/1000/systemd
Disable /dev/kmsg
Disable /proc/kmsg
Disable /sys/fs
Disable /sys/module
Mounting noexec /run/firejail/mnt/pulse
Mounting /run/firejail/mnt/pulse on /home//.config/pulse
2067 2042 0:103 /pulse /home//.config/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755
mountid=2067 fsname=/pulse dir=/home//.config/pulse fstype=tmpfs
Current directory: /home/
DISPLAY=:0 parsed as 0
Mounting read-only /run/firejail/mnt/seccomp
Drop privileges: pid 1, uid 1000, gid 1000, nogroups 0
starting application
LD_PRELOAD=(null)
Running '/usr/bin/evolution' command through /bin/bash
execvp argument 0: /bin/bash
execvp argument 1: -c
execvp argument 2: '/usr/bin/evolution'
Child process initialized in 14.78 ms
monitoring pid 2

  • However with the following evolution.profile and evolution.local, although writable-var is present, running firejail --debug /usr/bin/evolution still gives the error, and in the debug output I can see that /var is still mounted read-only for some reason.

evolution.profile:

# Firejail profile for evolution
# Description: Groupware suite with mail client and organizer
# This file is overwritten after every install/update
# Persistent local customizations
include evolution.local
# Persistent global definitions
include globals.local

noblacklist /var/mail
noblacklist /var/spool/mail
noblacklist ${HOME}/.bogofilter
noblacklist ${HOME}/.cache/evolution
noblacklist ${HOME}/.config/evolution
noblacklist ${HOME}/.gnupg
noblacklist ${HOME}/.local/share/evolution
noblacklist ${HOME}/.pki
noblacklist ${HOME}/.local/share/pki

#include disable-common.inc
#include disable-devel.inc
#include disable-exec.inc
#include disable-interpreters.inc
#include disable-passwdmgr.inc
#include disable-programs.inc

#caps.drop all
#netfilter
# no3d breaks under wayland
#no3d
#nodvd
#nogroups
#nonewprivs
#noroot
#nosound
#notv
#nou2f
#novideo
#protocol unix,inet,inet6
#seccomp
#shell none

#private-dev
#private-tmp

evolution.local:

noblacklist /var/mail
noblacklist /var/spool/mail
whitelist /var/mail
whitelist /var/spool/mail

writable-var
debug output

Autoselecting /bin/bash as shell
Building quoted command line: '/usr/bin/evolution'
Command name #evolution#
Found evolution.profile profile in /etc/firejail directory
Reading profile /etc/firejail/evolution.profile
Found evolution.local profile in /etc/firejail directory
Found globals.local profile in /etc/firejail directory
DISPLAY=:0 parsed as 0
Using the local network stack
Parent pid 627510, child pid 627511
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
IBUS_ADDRESS=unix:abstract=/home//.cache/ibus/dbus-cr0HGqtN,guid=9477ce0faa446173f68c34b95ee65c1c
IBUS_DAEMON_PID=6816
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
Mounting noexec /etc
Mounting read-only /var
Mounting noexec /var
Mounting read-only /bin
Mounting read-only /sbin
Mounting read-only /lib
Mounting read-only /lib64
Mounting read-only /lib32
Mounting read-only /libx32
Mounting read-only /usr
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /var/lib/dhcp
Mounting tmpfs on /var/lib/snmp
Mounting tmpfs on /var/lib/sudo
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Cleaning /run/user directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /sys/kernel/uevent_helper
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/kernel/hotplug
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /usr/lib/modules (requested /lib/modules)
Disable /usr/lib/debug
Disable /boot
Disable /dev/port
Disable /run/user/1000/gnupg
Disable /run/user/1000/systemd
Disable /dev/kmsg
Disable /proc/kmsg
Disable /sys/fs
Disable /sys/module
Mounting noexec /run/firejail/mnt/pulse
Mounting /run/firejail/mnt/pulse on /home//.config/pulse
2069 2044 0:103 /pulse /home//.config/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755
mountid=2069 fsname=/pulse dir=/home//.config/pulse fstype=tmpfs
Current directory: /home/
DISPLAY=:0 parsed as 0
Mounting read-only /run/firejail/mnt/seccomp
Drop privileges: pid 1, uid 1000, gid 1000, nogroups 0
starting application
LD_PRELOAD=(null)
Running '/usr/bin/evolution' command through /bin/bash
execvp argument 0: /bin/bash
execvp argument 1: -c
execvp argument 2: '/usr/bin/evolution'
Child process initialized in 13.16 ms
monitoring pid 2

<!-- gh-comment-id:650581484 --> @kmotoko commented on GitHub (Jun 27, 2020): @rusty-snake you got me wrong, I meant the default profile for evolution i.e. `evolution.profile`. So in detail here is the thing: + Running `firejail --debug --noprofile --writable-var /usr/bin/evolution` results in evolution to read local mail without any problems. Also, in the debug output, I don't see that `/var` is mounted read-only. <details><summary> debug output </summary> Autoselecting /bin/bash as shell Building quoted command line: '/usr/bin/evolution' Command name #evolution# DISPLAY=:0 parsed as 0 Using the local network stack Parent pid 627185, child pid 627186 Initializing child process Host network configured PID namespace installed Mounting tmpfs on /run/firejail/mnt directory Creating empty /run/firejail/mnt/seccomp directory Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file IBUS_ADDRESS=unix:abstract=/home/<USERNAME>/.cache/ibus/dbus-cr0HGqtN,guid=9477ce0faa446173f68c34b95ee65c1c IBUS_DAEMON_PID=6816 Mounting /proc filesystem representing the PID namespace Basic read-only filesystem: Mounting read-only /etc Mounting noexec /etc Mounting read-only /bin Mounting read-only /sbin Mounting read-only /lib Mounting read-only /lib64 Mounting read-only /lib32 Mounting read-only /libx32 Mounting read-only /usr Mounting tmpfs on /var/lock Mounting tmpfs on /var/tmp Mounting tmpfs on /var/log Mounting tmpfs on /var/lib/dhcp Mounting tmpfs on /var/lib/snmp Mounting tmpfs on /var/lib/sudo Create the new utmp file Mount the new utmp file Cleaning /home directory Cleaning /run/user directory Sanitizing /etc/passwd, UID_MIN 1000 Sanitizing /etc/group, GID_MIN 1000 Disable /run/firejail/network Disable /run/firejail/bandwidth Disable /run/firejail/name Disable /run/firejail/profile Disable /run/firejail/x11 Mounting read-only /proc/sys Remounting /sys directory Disable /sys/firmware Disable /sys/hypervisor Disable /sys/power Disable /sys/kernel/debug Disable /sys/kernel/vmcoreinfo Disable /sys/kernel/uevent_helper Disable /proc/sys/fs/binfmt_misc Disable /proc/sys/kernel/core_pattern Disable /proc/sys/kernel/modprobe Disable /proc/sysrq-trigger Disable /proc/sys/kernel/hotplug Disable /proc/sys/vm/panic_on_oom Disable /proc/irq Disable /proc/bus Disable /proc/sched_debug Disable /proc/timer_list Disable /proc/kcore Disable /proc/kallsyms Disable /usr/lib/modules (requested /lib/modules) Disable /usr/lib/debug Disable /boot Disable /dev/port Disable /run/user/1000/gnupg Disable /run/user/1000/systemd Disable /dev/kmsg Disable /proc/kmsg Disable /sys/fs Disable /sys/module Mounting noexec /run/firejail/mnt/pulse Mounting /run/firejail/mnt/pulse on /home/<USERNAME>/.config/pulse 2067 2042 0:103 /pulse /home/<USERNAME>/.config/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755 mountid=2067 fsname=/pulse dir=/home/<USERNAME>/.config/pulse fstype=tmpfs Current directory: /home/<USERNAME> DISPLAY=:0 parsed as 0 Mounting read-only /run/firejail/mnt/seccomp Drop privileges: pid 1, uid 1000, gid 1000, nogroups 0 starting application LD_PRELOAD=(null) Running '/usr/bin/evolution' command through /bin/bash execvp argument 0: /bin/bash execvp argument 1: -c execvp argument 2: '/usr/bin/evolution' Child process initialized in 14.78 ms monitoring pid 2 </details> + However with the following `evolution.profile` and `evolution.local`, although `writable-var` is present, running `firejail --debug /usr/bin/evolution` still gives the error, and in the `debug` output I can see that `/var` is still mounted read-only for some reason. `evolution.profile`: ``` # Firejail profile for evolution # Description: Groupware suite with mail client and organizer # This file is overwritten after every install/update # Persistent local customizations include evolution.local # Persistent global definitions include globals.local noblacklist /var/mail noblacklist /var/spool/mail noblacklist ${HOME}/.bogofilter noblacklist ${HOME}/.cache/evolution noblacklist ${HOME}/.config/evolution noblacklist ${HOME}/.gnupg noblacklist ${HOME}/.local/share/evolution noblacklist ${HOME}/.pki noblacklist ${HOME}/.local/share/pki #include disable-common.inc #include disable-devel.inc #include disable-exec.inc #include disable-interpreters.inc #include disable-passwdmgr.inc #include disable-programs.inc #caps.drop all #netfilter # no3d breaks under wayland #no3d #nodvd #nogroups #nonewprivs #noroot #nosound #notv #nou2f #novideo #protocol unix,inet,inet6 #seccomp #shell none #private-dev #private-tmp ``` `evolution.local`: ``` noblacklist /var/mail noblacklist /var/spool/mail whitelist /var/mail whitelist /var/spool/mail writable-var ``` <details><summary> debug output </summary> Autoselecting /bin/bash as shell Building quoted command line: '/usr/bin/evolution' Command name #evolution# Found evolution.profile profile in /etc/firejail directory Reading profile /etc/firejail/evolution.profile Found evolution.local profile in /etc/firejail directory Found globals.local profile in /etc/firejail directory DISPLAY=:0 parsed as 0 Using the local network stack Parent pid 627510, child pid 627511 Initializing child process Host network configured PID namespace installed Mounting tmpfs on /run/firejail/mnt directory Creating empty /run/firejail/mnt/seccomp directory Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file IBUS_ADDRESS=unix:abstract=/home/<USERNAME>/.cache/ibus/dbus-cr0HGqtN,guid=9477ce0faa446173f68c34b95ee65c1c IBUS_DAEMON_PID=6816 Mounting /proc filesystem representing the PID namespace Basic read-only filesystem: Mounting read-only /etc Mounting noexec /etc Mounting read-only /var Mounting noexec /var Mounting read-only /bin Mounting read-only /sbin Mounting read-only /lib Mounting read-only /lib64 Mounting read-only /lib32 Mounting read-only /libx32 Mounting read-only /usr Mounting tmpfs on /var/lock Mounting tmpfs on /var/tmp Mounting tmpfs on /var/log Mounting tmpfs on /var/lib/dhcp Mounting tmpfs on /var/lib/snmp Mounting tmpfs on /var/lib/sudo Create the new utmp file Mount the new utmp file Cleaning /home directory Cleaning /run/user directory Sanitizing /etc/passwd, UID_MIN 1000 Sanitizing /etc/group, GID_MIN 1000 Disable /run/firejail/network Disable /run/firejail/bandwidth Disable /run/firejail/name Disable /run/firejail/profile Disable /run/firejail/x11 Mounting read-only /proc/sys Remounting /sys directory Disable /sys/firmware Disable /sys/hypervisor Disable /sys/power Disable /sys/kernel/debug Disable /sys/kernel/vmcoreinfo Disable /sys/kernel/uevent_helper Disable /proc/sys/fs/binfmt_misc Disable /proc/sys/kernel/core_pattern Disable /proc/sys/kernel/modprobe Disable /proc/sysrq-trigger Disable /proc/sys/kernel/hotplug Disable /proc/sys/vm/panic_on_oom Disable /proc/irq Disable /proc/bus Disable /proc/sched_debug Disable /proc/timer_list Disable /proc/kcore Disable /proc/kallsyms Disable /usr/lib/modules (requested /lib/modules) Disable /usr/lib/debug Disable /boot Disable /dev/port Disable /run/user/1000/gnupg Disable /run/user/1000/systemd Disable /dev/kmsg Disable /proc/kmsg Disable /sys/fs Disable /sys/module Mounting noexec /run/firejail/mnt/pulse Mounting /run/firejail/mnt/pulse on /home/<USERNAME>/.config/pulse 2069 2044 0:103 /pulse /home/<USERNAME>/.config/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755 mountid=2069 fsname=/pulse dir=/home/<USERNAME>/.config/pulse fstype=tmpfs Current directory: /home/<USERNAME> DISPLAY=:0 parsed as 0 Mounting read-only /run/firejail/mnt/seccomp Drop privileges: pid 1, uid 1000, gid 1000, nogroups 0 starting application LD_PRELOAD=(null) Running '/usr/bin/evolution' command through /bin/bash execvp argument 0: /bin/bash execvp argument 1: -c execvp argument 2: '/usr/bin/evolution' Child process initialized in 13.16 ms monitoring pid 2 </details>
gitea-mirror commented 2026-05-05 08:52:08 -06:00
Author
Owner
Copy link

@kmotoko commented on GitHub (Jun 27, 2020):

Hmm, I think I accidentality found something out. I realized that I could cat evolution.profile without sudo, but not cat evolution.profile.

ls -l /etc/firejail/evolution.local gives -rw-r----- 1 root root 110 Jun 27 01:41 /etc/firejail/evolution.local but ls -l /etc/firejail/evolution.profile gives -rw-r--r-- 1 root root 932 Jun 27 19:13 /etc/firejail/evolution.profile. Then, I changed the local profile to 644 and it worked!

So I assume that firejail cannot read the local profile with these permissions, but why? Should not it belong to root, why the others' permission affect it? Also, firejail debug tells nothing about the local profile not being readable.

FYI, in my system DIR_MODE=0750 in /etc/adduser.conf and UMASK 027 in /etc/login.defs. These are not super strict, and I assume not uncommon among security-conscious people.

<!-- gh-comment-id:650584693 --> @kmotoko commented on GitHub (Jun 27, 2020): Hmm, I think I accidentality found something out. I realized that I could `cat evolution.profile` without `sudo`, but not `cat evolution.profile`. `ls -l /etc/firejail/evolution.local` gives `-rw-r----- 1 root root 110 Jun 27 01:41 /etc/firejail/evolution.local` but `ls -l /etc/firejail/evolution.profile` gives `-rw-r--r-- 1 root root 932 Jun 27 19:13 /etc/firejail/evolution.profile`. Then, I changed the local profile to `644` and it worked! So I assume that firejail cannot read the local profile with these permissions, but why? Should not it belong to root, why the `others`' permission affect it? Also, firejail debug tells nothing about the local profile not being readable. FYI, in my system `DIR_MODE=0750` in `/etc/adduser.conf` and `UMASK 027` in `/etc/login.defs`. These are not super strict, and I assume not uncommon among security-conscious people.
gitea-mirror commented 2026-05-05 08:52:08 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jun 27, 2020):

A file with 640 root:root can not be readed by a user (as you expect). So if you start firejail as user (not root or sudo) it can not read this profile. If you now wonder why firejail can not read it although it is a SUID, firejail drops it EUID to non-root for things like profile-parsing, ... . (Or better: it has only a EUID=0 for things which need it).

<!-- gh-comment-id:650594416 --> @rusty-snake commented on GitHub (Jun 27, 2020): A file with 640 root:root can not be readed by a user (as you expect). So if you start firejail as user (not root or sudo) it can not read this profile. If you now wonder why firejail can not read it although it is a SUID, firejail drops it EUID to non-root for things like profile-parsing, ... . (Or better: it has only a EUID=0 for things which need it).
gitea-mirror commented 2026-05-05 08:52:09 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jun 27, 2020):

Also, firejail debug tells nothing about the local profile not being readable.

include foobar.inc
include foobaz.local

If foobar.inc can not be included (don't exist, permission, ...) firejail will fail.
If foobaz.local can not be included it is ignored.

Changing the later one to emit warnings for e.g. EPERM sounds reasonable.

<!-- gh-comment-id:650595429 --> @rusty-snake commented on GitHub (Jun 27, 2020): > Also, firejail debug tells nothing about the local profile not being readable. ``` include foobar.inc include foobaz.local ``` If `foobar.inc` can not be included (don't exist, permission, ...) firejail will fail. If `foobaz.local` can not be included it is ignored. Changing the later one to emit warnings for e.g. EPERM sounds reasonable.
gitea-mirror commented 2026-05-05 08:52:09 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jun 27, 2020):

Maybe something like this:

diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index a8722282..81534809 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1620,11 +1620,15 @@ void profile_read(const char *fname) {
                exit(1);
        }
        if (access(fname, R_OK)) {
+               int errsv = errno;
                // if the file ends in ".local", do not exit
                const char *base = gnu_basename(fname);
                char *ptr = strstr(base, ".local");
-               if (ptr && strlen(ptr) == 6)
+               if (ptr && strlen(ptr) == 6) {
+                       if (errsv == EACCES)
+                               fprintf(stderr, "Warn: %s permission denied\n", base);
                        return;
+               }
 
                fprintf(stderr, "Error: cannot access profile file: %s\n", fname);
                exit(1);
<!-- gh-comment-id:650600160 --> @rusty-snake commented on GitHub (Jun 27, 2020): Maybe something like this: ```patch diff --git a/src/firejail/profile.c b/src/firejail/profile.c index a8722282..81534809 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -1620,11 +1620,15 @@ void profile_read(const char *fname) { exit(1); } if (access(fname, R_OK)) { + int errsv = errno; // if the file ends in ".local", do not exit const char *base = gnu_basename(fname); char *ptr = strstr(base, ".local"); - if (ptr && strlen(ptr) == 6) + if (ptr && strlen(ptr) == 6) { + if (errsv == EACCES) + fprintf(stderr, "Warn: %s permission denied\n", base); return; + } fprintf(stderr, "Error: cannot access profile file: %s\n", fname); exit(1); ```
gitea-mirror commented 2026-05-05 08:52:09 -06:00
Author
Owner
Copy link

@reinerh commented on GitHub (Sep 12, 2020):

@rusty-snake If I can see it correctly, everytime an error message is printed, firejail exits afterwards.
The reason is probably because of "quiet", as we don't want to print something if firejail can start normally.
I think if a .local file exists but has wrong permissions, we should also exit, so the user can fix it.
I would suggest something like this:

--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1626,10 +1626,11 @@ void profile_read(const char *fname) {
                exit(1);
        }
        if (access(fname, R_OK)) {
+               int errsv = errno;
                // if the file ends in ".local", do not exit
                const char *base = gnu_basename(fname);
                char *ptr = strstr(base, ".local");
-               if (ptr && strlen(ptr) == 6)
+               if (ptr && strlen(ptr) == 6 && errsv != EACCES)
                        return;
 
                fprintf(stderr, "Error: cannot access profile file: %s\n", fname);
<!-- gh-comment-id:691478435 --> @reinerh commented on GitHub (Sep 12, 2020): @rusty-snake If I can see it correctly, everytime an error message is printed, firejail exits afterwards. The reason is probably because of "quiet", as we don't want to print something if firejail can start normally. I think if a .local file exists but has wrong permissions, we should also exit, so the user can fix it. I would suggest something like this: ```diff --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -1626,10 +1626,11 @@ void profile_read(const char *fname) { exit(1); } if (access(fname, R_OK)) { + int errsv = errno; // if the file ends in ".local", do not exit const char *base = gnu_basename(fname); char *ptr = strstr(base, ".local"); - if (ptr && strlen(ptr) == 6) + if (ptr && strlen(ptr) == 6 && errsv != EACCES) return; fprintf(stderr, "Error: cannot access profile file: %s\n", fname); ```
gitea-mirror commented 2026-05-05 08:52:10 -06:00
Author
Owner
Copy link

@netblue30 commented on GitHub (Oct 19, 2020):

Went with @reinerh code above, thanks.

<!-- gh-comment-id:712126098 --> @netblue30 commented on GitHub (Oct 19, 2020): Went with @reinerh code above, thanks.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2186
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?