[GH-ISSUE #3480] PyCharm requires ${HOME}/.cache/ mounted exec #2188

Closed
opened 2026-05-05 08:52:10 -06:00 by gitea-mirror · 6 comments

Originally created by @k3an3 on GitHub (Jun 27, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3480

Write clear, concise and in textual form.

Bug and expected behavior

  • Describe the bug.
    When PyCharm Professional starts, it runs a test script in /home/user/.cache. If the script cannot be executed, it refuses to start. The default profile for PyCharm includes mounting /home as noexec, so this prevents the IDE from starting.

      Invalid Temp Directory: The IDE cannot execute a test script in the directory.
      Possible reason: the partition is mounted with 'no exec' option.

      If you have modified the 'idea.system.path' property, please make sure it is correct,
      otherwise, please re-install the IDE.

      -----
      Location: /home/user/.cache/JetBrains/PyCharm2020.1/tmp
      java.io.IOException: Cannot run program "/home/user/.cache/JetBrains/PyCharm2020.1/tmp/ij1604757870.tmp": error=13, Permission denied
  • What did you expect to happen?
    PyCharm should start.

No profile or disabling firejail

  • What changed calling firejail --noprofile PROGRAM in a shell?
    Appears to work as expected.
  • What changed calling the program by path (without firejail; check whereis PROGRAM, firejail --list, stat $programpath)?
    Works as expected.

Reproduce
Steps to reproduce the behavior:

  1. Run in bash firejail --profile=pycharm-professional ~/.local/share/JetBrains/Toolbox/apps/PyCharm-P/ch-0/201.7846.77/bin/pycharm.sh
  2. See error posted above
  3. IDE does not start

Environment

  • Linux distribution and version (ie output of lsb_release -a)
    Distributor ID: Debian
    Description: Debian GNU/Linux bullseye/sid
    Release: testing
    Codename: bullseye
  • Firejail version (output of firejail --version) exclusive or used git commit (git rev-parse HEAD)
    firejail version 0.9.62 from Debian package
  • What other programs interact with the affected program for the functionality?
    N/A
  • Are these listed in the profile?
    N/A

Checklist

  • [x] The upstream profile (and redirect profile if exists) have no changes fixing it.
  • [x] The upstream profile exists (find / -name 'firejail' 2>/dev/null or fd firejail to locate profiles, ie in /usr/local/etc/firejail/PROGRAM.profile)
  • [x] Programs needed for interaction are listed.
  • [x] Error was checked in search engine and on issue list without success.
debug output
Reading profile /etc/firejail/pycharm-professional.profile
Reading profile /etc/firejail/pycharm-community.profile
Reading profile /home/user/.config/firejail/pycharm-community.local
Reading profile /etc/firejail/allow-java.inc
Reading profile /etc/firejail/allow-common-devel.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /home/user/.config/firejail/disable-programs.inc
Building quoted command line: '/home/user/.local/share/JetBrains/Toolbox/apps/PyCharm-P/ch-0/201.7846.77/bin/pycharm.sh' 
Command name #pycharm.sh#
DISPLAY=:0 parsed as 0
Using the local network stack
Parent pid 57617, child pid 57618
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
Mounting noexec /etc
Mounting read-only /var
Mounting noexec /var
Mounting read-only /bin
Mounting read-only /sbin
Mounting read-only /lib
Mounting read-only /lib64
Mounting read-only /lib32
Mounting read-only /libx32
Mounting read-only /usr
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /var/lib/dhcp
Mounting tmpfs on /var/lib/snmp
Mounting tmpfs on /var/lib/sudo
Create the new utmp file
Mount the new utmp file
Generating a new machine-id
installing a new /etc/machine-id
Cleaning /home directory
Cleaning /run/user directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /home/user/.config/firejail
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
Mounting tmpfs on /dev
mounting /run/firejail/mnt/dev/dri directory
Process /dev/shm directory
Generate private-tmp whitelist commands
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /usr/lib/modules (requested /lib/modules)
Disable /boot
Disable /run/user/1000/gnupg
Disable /run/user/1000/systemd
Disable /proc/kmsg
Debug 423: new_name #/home/user/.local/share/JetBrains/Toolbox/apps/PyCharm-P#, whitelist
Debug 531: fname #/home/user/.local/share/JetBrains/Toolbox/apps/PyCharm-P#, cfg.homedir #/home/user#
Replaced whitelist path: whitelist /home/user/.local/share/JetBrains/Toolbox/apps/PyCharm-P
Debug 423: new_name #/home/user/dev#, whitelist
Debug 531: fname #/home/user/dev#, cfg.homedir #/home/user#
Replaced whitelist path: whitelist /home/user/dev
Debug 423: new_name #/home/user/src#, whitelist
Debug 531: fname #/home/user/src#, cfg.homedir #/home/user#
Replaced whitelist path: whitelist /home/user/src
Debug 423: new_name #/tmp/.X11-unix#, whitelist
Mounting tmpfs on /tmp directory
Mounting a new /home directory
Mounting a new /root directory
Create a new user directory
Drop privileges: pid 2, uid 1000, gid 1000, nogroups 0
Whitelisting /home/user/.local/share/JetBrains/Toolbox/apps/PyCharm-P
1209 1207 254:1 /home/user/.local/share/JetBrains/Toolbox/apps/PyCharm-P /home/user/.local/share/JetBrains/Toolbox/apps/PyCharm-P rw,relatime master:1 - ext4 /dev/mapper/user--vg-root rw,errors=remount-ro
mountid=1209 fsname=/home/user/.local/share/JetBrains/Toolbox/apps/PyCharm-P dir=/home/user/.local/share/JetBrains/Toolbox/apps/PyCharm-P fstype=ext4
Whitelisting /home/user/dev
1210 1207 254:1 /home/user/dev /home/user/dev rw,relatime master:1 - ext4 /dev/mapper/user--vg-root rw,errors=remount-ro
mountid=1210 fsname=/home/user/dev dir=/home/user/dev fstype=ext4
Whitelisting /home/user/src
1211 1207 254:1 /home/user/src /home/user/src rw,relatime master:1 - ext4 /dev/mapper/user--vg-root rw,errors=remount-ro
mountid=1211 fsname=/home/user/src dir=/home/user/src fstype=ext4
Whitelisting /tmp/.X11-unix
1212 1200 254:1 /tmp/.X11-unix /tmp/.X11-unix rw,relatime master:1 - ext4 /dev/mapper/user--vg-root rw,errors=remount-ro
mountid=1212 fsname=/tmp/.X11-unix dir=/tmp/.X11-unix fstype=ext4
Not blacklist /home/user/.python-history
Not blacklist /home/user/.python_history
Not blacklist /home/user/.pythonhist
Disable /etc/X11/Xsession.d
Disable /etc/xdg/autostart
Disable /var/lib/systemd
Disable /usr/bin/zuluCrypt-cli
Disable /usr/bin/zuluCrypt-cli (requested /bin/zuluCrypt-cli)
Disable /var/cache/apt
Disable /var/lib/apt
Disable /var/lib/dkms
Disable /var/lib/upower
Disable /var/mail
Disable /var/opt
Disable /var/spool/anacron
Disable /var/spool/cron
Disable /var/mail (requested /var/spool/mail)
Disable /etc/anacrontab
Disable /etc/cron.weekly
Disable /etc/cron.daily
Disable /etc/cron.d
Disable /etc/crontab
Disable /etc/cron.hourly
Disable /etc/cron.monthly
Disable /etc/profile.d
Disable /etc/rc6.d
Disable /etc/rcS.d
Disable /etc/rc2.d
Disable /etc/rc3.d
Disable /etc/rc5.d
Disable /etc/rc4.d
Disable /etc/rc1.d
Disable /etc/rc0.d
Disable /etc/kernel-img.conf
Disable /etc/kernel
Disable /etc/grub.d
Disable /etc/dkms
Disable /etc/apparmor.d
Disable /etc/apparmor
Disable /etc/selinux
Disable /etc/modules
Disable /etc/modules-load.d
Disable /etc/logrotate.d
Disable /etc/logrotate.conf
Disable /etc/adduser.conf
Mounting read-only /home/user/.bashrc
1356 1207 0:96 /user/.bashrc /home/user/.bashrc ro,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755
mountid=1356 fsname=/user/.bashrc dir=/home/user/.bashrc fstype=tmpfs
Not blacklist /home/user/.git-credentials
Disable /etc/group-
Disable /etc/gshadow
Disable /etc/gshadow-
Disable /etc/passwd-
Disable /etc/shadow
Disable /etc/shadow-
Disable /etc/ssh
Disable /usr/sbin (requested /sbin)
Disable /usr/local/sbin
Disable /usr/sbin
Disable /usr/bin/chage
Disable /usr/bin/chage (requested /bin/chage)
Disable /usr/bin/chfn
Disable /usr/bin/chfn (requested /bin/chfn)
Disable /usr/bin/chsh
Disable /usr/bin/chsh (requested /bin/chsh)
Disable /usr/bin/crontab
Disable /usr/bin/crontab (requested /bin/crontab)
Disable /usr/bin/expiry
Disable /usr/bin/expiry (requested /bin/expiry)
Disable /usr/bin/fusermount3 (requested /usr/bin/fusermount)
Disable /usr/bin/fusermount3 (requested /bin/fusermount)
Disable /usr/bin/gpasswd
Disable /usr/bin/gpasswd (requested /bin/gpasswd)
Disable /usr/bin/ksu
Disable /usr/bin/ksu (requested /bin/ksu)
Disable /usr/bin/mount
Disable /usr/bin/mount (requested /bin/mount)
Disable /usr/bin/nc.openbsd (requested /usr/bin/nc)
Disable /usr/bin/nc.openbsd (requested /bin/nc)
Disable /usr/bin/newgidmap
Disable /usr/bin/newgidmap (requested /bin/newgidmap)
Disable /usr/bin/newgrp
Disable /usr/bin/newgrp (requested /bin/newgrp)
Disable /usr/bin/newuidmap
Disable /usr/bin/newuidmap (requested /bin/newuidmap)
Disable /usr/bin/ntfs-3g
Disable /usr/bin/ntfs-3g (requested /bin/ntfs-3g)
Disable /usr/bin/pkexec
Disable /usr/bin/pkexec (requested /bin/pkexec)
Disable /usr/bin/newgrp (requested /usr/bin/sg)
Disable /usr/bin/newgrp (requested /bin/sg)
Disable /usr/bin/strace
Disable /usr/bin/strace (requested /bin/strace)
Disable /usr/bin/su
Disable /usr/bin/su (requested /bin/su)
Disable /usr/bin/sudo
Disable /usr/bin/sudo (requested /bin/sudo)
Disable /usr/bin/umount
Disable /usr/bin/umount (requested /bin/umount)
Disable /usr/bin/xev
Disable /usr/bin/xev (requested /bin/xev)
Disable /usr/bin/gnome-terminal
Disable /usr/bin/gnome-terminal (requested /bin/gnome-terminal)
Disable /usr/bin/gnome-terminal.wrapper
Disable /usr/bin/gnome-terminal.wrapper (requested /bin/gnome-terminal.wrapper)
Disable /usr/bin/bwrap
Disable /usr/bin/bwrap (requested /bin/bwrap)
Disable /usr/bin/x86_64-linux-gnu-as (requested /usr/bin/as)
Disable /usr/bin/x86_64-linux-gnu-as (requested /bin/as)
Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /usr/bin/cc)
Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /bin/cc)
Disable /usr/bin/x86_64-linux-gnu-c++filt (requested /usr/bin/c++filt)
Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /usr/bin/c++)
Disable /usr/bin/x86_64-linux-gnu-c++filt (requested /bin/c++filt)
Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /bin/c++)
Disable /usr/bin/c89-gcc
Disable /usr/bin/c89-gcc (requested /usr/bin/c89)
Disable /usr/bin/c89-gcc (requested /bin/c89-gcc)
Disable /usr/bin/c89-gcc (requested /bin/c89)
Disable /usr/bin/c99-gcc
Disable /usr/bin/c99-gcc (requested /usr/bin/c99)
Disable /usr/bin/c99-gcc (requested /bin/c99-gcc)
Disable /usr/bin/c99-gcc (requested /bin/c99)
Disable /usr/bin/x86_64-linux-gnu-cpp-9 (requested /usr/bin/cpp-9)
Disable /usr/bin/x86_64-linux-gnu-cpp-9 (requested /usr/bin/cpp)
Disable /usr/bin/x86_64-linux-gnu-cpp-8 (requested /usr/bin/cpp-8)
Disable /usr/bin/x86_64-linux-gnu-cpp-9 (requested /bin/cpp-9)
Disable /usr/bin/x86_64-linux-gnu-cpp-9 (requested /bin/cpp)
Disable /usr/bin/x86_64-linux-gnu-cpp-8 (requested /bin/cpp-8)
Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /usr/bin/g++)
Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /usr/bin/g++-9)
Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /bin/g++)
Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /bin/g++-9)
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-8 (requested /usr/bin/gcc-ranlib-8)
Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /usr/bin/gcc-9)
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-8 (requested /usr/bin/gcc-nm-8)
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-8 (requested /usr/bin/gcc-ar-8)
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /usr/bin/gcc-ar-9)
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /usr/bin/gcc-ranlib)
Disable /usr/bin/x86_64-linux-gnu-gcc-8 (requested /usr/bin/gcc-8)
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /usr/bin/gcc-nm-9)
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /usr/bin/gcc-ranlib-9)
Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /usr/bin/gcc)
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /usr/bin/gcc-nm)
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /usr/bin/gcc-ar)
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-8 (requested /bin/gcc-ranlib-8)
Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /bin/gcc-9)
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-8 (requested /bin/gcc-nm-8)
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-8 (requested /bin/gcc-ar-8)
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /bin/gcc-ar-9)
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /bin/gcc-ranlib)
Disable /usr/bin/x86_64-linux-gnu-gcc-8 (requested /bin/gcc-8)
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /bin/gcc-nm-9)
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /bin/gcc-ranlib-9)
Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /bin/gcc)
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /bin/gcc-nm)
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /bin/gcc-ar)
Disable /usr/bin/x86_64-linux-gnu-ld.bfd (requested /usr/bin/ld)
Disable /usr/bin/x86_64-linux-gnu-ld.bfd (requested /bin/ld)
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /usr/bin/x86_64-linux-gnu-gcc-nm)
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9
Disable /usr/bin/c99-gcc
Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /usr/bin/x86_64-linux-gnu-gcc)
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-8
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9
Disable /usr/bin/c89-gcc
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-8
Disable /usr/bin/x86_64-linux-gnu-gcc-9
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-8
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /usr/bin/x86_64-linux-gnu-gcc-ranlib)
Disable /usr/bin/x86_64-linux-gnu-gcc-8
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /usr/bin/x86_64-linux-gnu-gcc-ar)
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /bin/x86_64-linux-gnu-gcc-nm)
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /bin/x86_64-linux-gnu-gcc-ranlib-9)
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /bin/x86_64-linux-gnu-gcc-ar-9)
Disable /usr/bin/c99-gcc (requested /bin/c99-gcc)
Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /bin/x86_64-linux-gnu-gcc)
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-8 (requested /bin/x86_64-linux-gnu-gcc-ranlib-8)
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /bin/x86_64-linux-gnu-gcc-nm-9)
Disable /usr/bin/c89-gcc (requested /bin/c89-gcc)
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-8 (requested /bin/x86_64-linux-gnu-gcc-nm-8)
Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /bin/x86_64-linux-gnu-gcc-9)
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-8 (requested /bin/x86_64-linux-gnu-gcc-ar-8)
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /bin/x86_64-linux-gnu-gcc-ranlib)
Disable /usr/bin/x86_64-linux-gnu-gcc-8 (requested /bin/x86_64-linux-gnu-gcc-8)
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /bin/x86_64-linux-gnu-gcc-ar)
Disable /usr/bin/x86_64-linux-gnu-g++-9
Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /usr/bin/x86_64-linux-gnu-g++)
Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /bin/x86_64-linux-gnu-g++-9)
Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /bin/x86_64-linux-gnu-g++)
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /usr/bin/x86_64-linux-gnu-gcc-nm)
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9
Disable /usr/bin/c99-gcc
Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /usr/bin/x86_64-linux-gnu-gcc)
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-8
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9
Disable /usr/bin/c89-gcc
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-8
Disable /usr/bin/x86_64-linux-gnu-gcc-9
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-8
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /usr/bin/x86_64-linux-gnu-gcc-ranlib)
Disable /usr/bin/x86_64-linux-gnu-gcc-8
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /usr/bin/x86_64-linux-gnu-gcc-ar)
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /bin/x86_64-linux-gnu-gcc-nm)
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /bin/x86_64-linux-gnu-gcc-ranlib-9)
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /bin/x86_64-linux-gnu-gcc-ar-9)
Disable /usr/bin/c99-gcc (requested /bin/c99-gcc)
Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /bin/x86_64-linux-gnu-gcc)
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-8 (requested /bin/x86_64-linux-gnu-gcc-ranlib-8)
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /bin/x86_64-linux-gnu-gcc-nm-9)
Disable /usr/bin/c89-gcc (requested /bin/c89-gcc)
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-8 (requested /bin/x86_64-linux-gnu-gcc-nm-8)
Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /bin/x86_64-linux-gnu-gcc-9)
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-8 (requested /bin/x86_64-linux-gnu-gcc-ar-8)
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /bin/x86_64-linux-gnu-gcc-ranlib)
Disable /usr/bin/x86_64-linux-gnu-gcc-8 (requested /bin/x86_64-linux-gnu-gcc-8)
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /bin/x86_64-linux-gnu-gcc-ar)
Disable /usr/bin/x86_64-linux-gnu-g++-9
Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /usr/bin/x86_64-linux-gnu-g++)
Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /bin/x86_64-linux-gnu-g++-9)
Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /bin/x86_64-linux-gnu-g++)
Disable /usr/include
Disable /usr/lib/go-1.14/bin/go (requested /usr/bin/go)
Disable /usr/lib/go-1.14/bin/go (requested /bin/go)
Disable /usr/lib/go-1.14/bin/gofmt (requested /usr/bin/gofmt)
Disable /usr/lib/go-1.14/bin/gofmt (requested /bin/gofmt)
Not blacklist /usr/local/bin/java
Not blacklist /usr/bin/java
Not blacklist /bin/java
Not blacklist /usr/local/games/java
Not blacklist /usr/games/java
Not blacklist /home/user/.local/bin/java
Not blacklist /etc/java
Not blacklist /usr/lib/java
Not blacklist /usr/share/java
Disable /usr/bin/openssl
Disable /usr/bin/openssl (requested /bin/openssl)
Disable /usr/lib/valgrind
Mounting noexec /tmp
1540 1539 254:1 /tmp/.X11-unix /tmp/.X11-unix rw,relatime master:1 - ext4 /dev/mapper/user--vg-root rw,errors=remount-ro
mountid=1540 fsname=/tmp/.X11-unix dir=/tmp/.X11-unix fstype=ext4
Mounting noexec /tmp/.X11-unix
1541 1540 254:1 /tmp/.X11-unix /tmp/.X11-unix rw,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/user--vg-root rw,errors=remount-ro
mountid=1541 fsname=/tmp/.X11-unix dir=/tmp/.X11-unix fstype=ext4
Mounting read-only /tmp/.X11-unix
1543 1541 254:1 /tmp/.X11-unix /tmp/.X11-unix ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/user--vg-root rw,errors=remount-ro
mountid=1543 fsname=/tmp/.X11-unix dir=/tmp/.X11-unix fstype=ext4
Disable /sys/fs
Disable /sys/module
disable pulseaudio
blacklist /run/user/1000/pulse/native
blacklist /run/user/1000/pulse/native
Create the new ld.so.preload file
Blacklist violations are logged to syslog
Mount the new ld.so.preload file
Current directory: /home/user
DISPLAY=:0 parsed as 0
Mounting read-only /run/firejail/mnt/seccomp
Dropping all capabilities
Drop privileges: pid 1, uid 1000, gid 1000, nogroups 1
No supplementary groups
starting application
LD_PRELOAD=(null)
execvp argument 0: /home/user/.local/share/JetBrains/Toolbox/apps/PyCharm-P/ch-0/201.7846.77/bin/pycharm.sh
Child process initialized in 46.81 ms
monitoring pid 3

OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.

Invalid Temp Directory: The IDE cannot execute a test script in the directory.
Possible reason: the partition is mounted with 'no exec' option.

If you have modified the 'idea.system.path' property, please make sure it is correct,
otherwise, please re-install the IDE.

-----
Location: /home/user/.cache/JetBrains/PyCharm2020.1/tmp
java.io.IOException: Cannot run program "/home/user/.cache/JetBrains/PyCharm2020.1/tmp/ij251418173.tmp": error=13, Permission denied
Jun 27, 2020 3:19:10 PM java.util.prefs.FileSystemPreferences$1 run
INFO: Created user preferences directory.
Jun 27, 2020 3:19:10 PM java.util.prefs.FileSystemPreferences$6 run
WARNING: Prefs file removed in background /home/user/.java/.userPrefs/prefs.xml
Sandbox monitor: waitpid 3 retval 3 status 1280

Parent is shutting down, bye...

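The failure above is an exec() returning errno 13 (EACCES), which is what the kernel gives for any file on a mount carrying the noexec option. The following POSIX shell diagnostic is an added example, not code from the issue reporter or the firejail project: it reads a /proc/self/mountinfo snapshot, finds the mount that covers a given path (deepest mountpoint prefix wins) and reports whether that mount is noexec, so the "Permission denied" can be pinned to a specific mount instead of guessed at. The sample mountinfo it runs on is constructed: the lines with ids 1209, 1356 and 1541 are copied from the debug output in this issue, while the /home line (id 1207) and its options are assumed for illustration, because the debug output names 1207 only as the parent of the whitelisted directories and never prints that mount's options.

```shell
#!/bin/sh
# Added example, not code from the issue reporter or the firejail project.
# Locate the mount that covers a path in a /proc/self/mountinfo snapshot
# (longest mountpoint prefix wins) and report whether it is noexec, which is
# what turns an exec() into errno 13 (EACCES, "Permission denied").

# Constructed sample mountinfo. Lines with ids 1209, 1356 and 1541 are copied
# from the debug output in this issue; the /home line (id 1207) is ASSUMED for
# illustration, since the debug output names 1207 only as a parent id and never
# prints that mount's options.
SAMPLE_MOUNTINFO='1207 1200 0:95 / /home rw,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw,mode=755
1209 1207 254:1 /home/user/.local/share/JetBrains/Toolbox/apps/PyCharm-P /home/user/.local/share/JetBrains/Toolbox/apps/PyCharm-P rw,relatime master:1 - ext4 /dev/mapper/user--vg-root rw,errors=remount-ro
1356 1207 0:96 /user/.bashrc /home/user/.bashrc ro,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755
1541 1540 254:1 /tmp/.X11-unix /tmp/.X11-unix rw,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/user--vg-root rw,errors=remount-ro'

SAMPLE_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_FILE"' EXIT
printf '%s\n' "$SAMPLE_MOUNTINFO" > "$SAMPLE_FILE"

# covering_mount PATH MOUNTINFO_FILE
# Prints "MOUNTPOINT OPTIONS" for the deepest mount whose mountpoint is PATH
# itself or an ancestor of PATH. mountinfo fields are: id parent maj:min root
# mountpoint options ...; spaces inside paths are escaped as \040.
covering_mount() {
    awk -v p="$1" '
        {
            mp = $5; opts = $6
            gsub(/\\040/, " ", mp)
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) > best) { best = length(mp); bmp = mp; bopts = opts }
            }
        }
        END { if (best) print bmp, bopts }
    ' "$2"
}

# is_noexec PATH MOUNTINFO_FILE
# Succeeds (exit 0) when the mount covering PATH carries the noexec option.
is_noexec() {
    opts=$(covering_mount "$1" "$2" | awk '{ print $2 }')
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# explain PATH MOUNTINFO_FILE: one-line verdict for humans.
explain() {
    if is_noexec "$1" "$2"; then
        echo "$1: exec DENIED by $(covering_mount "$1" "$2")"
    else
        echo "$1: exec allowed, covered by $(covering_mount "$1" "$2")"
    fi
}

# The three paths that matter in this report: PyCharm's temp dir (not
# whitelisted, so it lives on the /home tmpfs), the whitelisted install dir
# (bind-mounted from the real ext4 home) and the X11 socket dir.
explain /home/user/.cache/JetBrains/PyCharm2020.1/tmp "$SAMPLE_FILE"
explain /home/user/.local/share/JetBrains/Toolbox/apps/PyCharm-P/ch-0/201.7846.77/bin "$SAMPLE_FILE"
explain /tmp/.X11-unix "$SAMPLE_FILE"

# Live check against the current mount table (Linux only), e.g. after
# starting "firejail --profile=pycharm-professional sh" and sourcing this file.
if [ -r /proc/self/mountinfo ] && [ -n "$HOME" ]; then
    explain "$HOME/.cache" /proc/self/mountinfo
fi
```

Run it from a shell started under the same profile (firejail --profile=pycharm-professional sh, then source the file) and the last line tells you which mount actually covers ~/.cache inside the jail; if the verdict is "exec DENIED", the fix belongs in the profile's whitelist/noexec rules rather than in PyCharm's idea.system.path.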
/bin/x86_64-linux-gnu-g++) Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /usr/bin/x86_64-linux-gnu-gcc-nm) Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 Disable /usr/bin/c99-gcc Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /usr/bin/x86_64-linux-gnu-gcc) Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-8 Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 Disable /usr/bin/c89-gcc Disable /usr/bin/x86_64-linux-gnu-gcc-nm-8 Disable /usr/bin/x86_64-linux-gnu-gcc-9 Disable /usr/bin/x86_64-linux-gnu-gcc-ar-8 Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /usr/bin/x86_64-linux-gnu-gcc-ranlib) Disable /usr/bin/x86_64-linux-gnu-gcc-8 Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /usr/bin/x86_64-linux-gnu-gcc-ar) Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /bin/x86_64-linux-gnu-gcc-nm) Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /bin/x86_64-linux-gnu-gcc-ranlib-9) Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /bin/x86_64-linux-gnu-gcc-ar-9) Disable /usr/bin/c99-gcc (requested /bin/c99-gcc) Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /bin/x86_64-linux-gnu-gcc) Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-8 (requested /bin/x86_64-linux-gnu-gcc-ranlib-8) Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /bin/x86_64-linux-gnu-gcc-nm-9) Disable /usr/bin/c89-gcc (requested /bin/c89-gcc) Disable /usr/bin/x86_64-linux-gnu-gcc-nm-8 (requested /bin/x86_64-linux-gnu-gcc-nm-8) Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /bin/x86_64-linux-gnu-gcc-9) Disable /usr/bin/x86_64-linux-gnu-gcc-ar-8 (requested /bin/x86_64-linux-gnu-gcc-ar-8) Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /bin/x86_64-linux-gnu-gcc-ranlib) Disable /usr/bin/x86_64-linux-gnu-gcc-8 (requested /bin/x86_64-linux-gnu-gcc-8) Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /bin/x86_64-linux-gnu-gcc-ar) Disable /usr/bin/x86_64-linux-gnu-g++-9 Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested 
/usr/bin/x86_64-linux-gnu-g++) Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /bin/x86_64-linux-gnu-g++-9) Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /bin/x86_64-linux-gnu-g++) Disable /usr/include Disable /usr/lib/go-1.14/bin/go (requested /usr/bin/go) Disable /usr/lib/go-1.14/bin/go (requested /bin/go) Disable /usr/lib/go-1.14/bin/gofmt (requested /usr/bin/gofmt) Disable /usr/lib/go-1.14/bin/gofmt (requested /bin/gofmt) Not blacklist /usr/local/bin/java Not blacklist /usr/bin/java Not blacklist /bin/java Not blacklist /usr/local/games/java Not blacklist /usr/games/java Not blacklist /home/user/.local/bin/java Not blacklist /etc/java Not blacklist /usr/lib/java Not blacklist /usr/share/java Disable /usr/bin/openssl Disable /usr/bin/openssl (requested /bin/openssl) Disable /usr/lib/valgrind Mounting noexec /tmp 1540 1539 254:1 /tmp/.X11-unix /tmp/.X11-unix rw,relatime master:1 - ext4 /dev/mapper/user--vg-root rw,errors=remount-ro mountid=1540 fsname=/tmp/.X11-unix dir=/tmp/.X11-unix fstype=ext4 Mounting noexec /tmp/.X11-unix 1541 1540 254:1 /tmp/.X11-unix /tmp/.X11-unix rw,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/user--vg-root rw,errors=remount-ro mountid=1541 fsname=/tmp/.X11-unix dir=/tmp/.X11-unix fstype=ext4 Mounting read-only /tmp/.X11-unix 1543 1541 254:1 /tmp/.X11-unix /tmp/.X11-unix ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/user--vg-root rw,errors=remount-ro mountid=1543 fsname=/tmp/.X11-unix dir=/tmp/.X11-unix fstype=ext4 Disable /sys/fs Disable /sys/module disable pulseaudio blacklist /run/user/1000/pulse/native blacklist /run/user/1000/pulse/native Create the new ld.so.preload file Blacklist violations are logged to syslog Mount the new ld.so.preload file Current directory: /home/user DISPLAY=:0 parsed as 0 Mounting read-only /run/firejail/mnt/seccomp Dropping all capabilities Drop privileges: pid 1, uid 1000, gid 1000, nogroups 1 No supplementary groups starting application LD_PRELOAD=(null) execvp argument 
0: /home/user/.local/share/JetBrains/Toolbox/apps/PyCharm-P/ch-0/201.7846.77/bin/pycharm.sh Child process initialized in 46.81 ms monitoring pid 3 OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release. Invalid Temp Directory: The IDE cannot execute a test script in the directory. Possible reason: the partition is mounted with 'no exec' option. If you have modified the 'idea.system.path' property, please make sure it is correct, otherwise, please re-install the IDE. ----- Location: /home/user/.cache/JetBrains/PyCharm2020.1/tmp java.io.IOException: Cannot run program "/home/user/.cache/JetBrains/PyCharm2020.1/tmp/ij251418173.tmp": error=13, Permission denied Jun 27, 2020 3:19:10 PM java.util.prefs.FileSystemPreferences$1 run INFO: Created user preferences directory. Jun 27, 2020 3:19:10 PM java.util.prefs.FileSystemPreferences$6 run WARNING: Prefs file removed in background /home/user/.java/.userPrefs/prefs.xml Sandbox monitor: waitpid 3 retval 3 status 1280 Parent is shutting down, bye... ``` </details>
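The `error=13` (EACCES) in the report is what `exec()` returns for a file on a mount carrying `noexec`, which is exactly what the `Mounting noexec` lines in the debug log show firejail doing. The following diagnostic is an added example, not part of the report or of firejail: it parses `/proc/self/mountinfo` in the same format firejail prints above and reports whether a path sits under a mount with a given flag. The sample mountinfo lines marked constructed are built from the log, plus an assumed `noexec` mount of `/home` standing in for the profile's home mount.

```python
import os

# Constructed sample in /proc/self/mountinfo format. The /tmp/.X11-unix and
# .bashrc lines are taken from the firejail --debug log above; the "/" and
# "/home" lines are assumptions standing in for the noexec home mount.
SAMPLE_MOUNTINFO = """\
1207 1 254:1 / / rw,relatime - ext4 /dev/mapper/user--vg-root rw,errors=remount-ro
1300 1207 254:1 /home /home rw,nosuid,nodev,noexec,relatime - ext4 /dev/mapper/user--vg-root rw,errors=remount-ro
1356 1207 0:96 /user/.bashrc /home/user/.bashrc ro,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755
1540 1539 254:1 /tmp/.X11-unix /tmp/.X11-unix rw,relatime master:1 - ext4 /dev/mapper/user--vg-root rw,errors=remount-ro
1541 1540 254:1 /tmp/.X11-unix /tmp/.X11-unix rw,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/user--vg-root rw,errors=remount-ro
"""


def parse_mountinfo(text):
    """Return [(mount_point, {options})] in file order (later lines are mounted on top)."""
    mounts = []
    for line in text.splitlines():
        # Fields before " - " are: id parent maj:min root mount_point options [optional tags...]
        pre, sep, _post = line.partition(" - ")
        fields = pre.split()
        if not sep or len(fields) < 6:
            continue
        mount_point = fields[4].replace("\\040", " ")  # mountinfo escapes spaces as \040
        mounts.append((mount_point, set(fields[5].split(","))))
    return mounts


def mount_for(path, mounts):
    """Pick the most specific mount containing path; on equal depth the later (topmost) one wins."""
    path = os.path.normpath(path)
    best = None
    for mp, opts in mounts:
        mp = os.path.normpath(mp)
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) >= len(best[0]):
                best = (mp, opts)
    return best


def has_mount_flag(path, flag, text):
    """True if path's mount carries flag (e.g. 'noexec'); exec() there fails with EACCES (error=13)."""
    m = mount_for(path, parse_mountinfo(text))
    return m is not None and flag in m[1]


if __name__ == "__main__":
    target = "/home/user/.cache/JetBrains/PyCharm2020.1/tmp"
    try:
        with open("/proc/self/mountinfo") as f:  # live check when run inside the sandbox on Linux
            text = f.read()
    except OSError:
        text = SAMPLE_MOUNTINFO
    print(target, "is noexec" if has_mount_flag(target, "noexec", text) else "allows exec")
```

Run it with `firejail --profile=pycharm-professional python3 check.py` to see the flags the sandboxed process actually gets, rather than those of the host.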

@rusty-snake commented on GitHub (Jun 27, 2020):

Can you try to `ignore private-cache`.

Are any relevant things in your pycharm-community.local?

TODO: We need to add `blacklist ${HOME}/.cache/JetBrains`.


@k3an3 commented on GitHub (Jun 28, 2020):

Here are the things I tried in my `pycharm-community.local`:

```sh
# Needed to get it to run from the Jetbrains Toolbox. Also added noblacklist to disable-programs.inc
whitelist ${HOME}/.local/share/JetBrains/Toolbox/apps/PyCharm-P
# dev directory
whitelist ${HOME}/work
# attempts at fixing issue
ignore private-cache
ignore noexec ${HOME}
ignore include disable-exec.inc
```

@rusty-snake commented on GitHub (Jun 28, 2020):

> Also added noblacklist to disable-programs.inc

Adding a `noblacklist` to disable-programs.inc is usually wrong

> whitelist ${HOME}/.local/share/JetBrains/Toolbox/apps/PyCharm-P
> whitelist ${HOME}/work

pycharm-community isn't a whitelisting profile, this will break things. (Try without it)

> ignore noexec ${HOME}

No need, disable-exec.inc isn't included

> ignore include disable-exec.inc

does not work


@k3an3 commented on GitHub (Jun 28, 2020):

Sorry, I meant I added this to disable-programs.inc:

```
noblacklist ${HOME}/.local/share/JetBrains/Toolbox/apps/PyCharm-P
```

I removed my changes from pycharm-community.local and now it works. The above didn't help or hurt. The problem, as you mentioned, was that I tried to add whitelisting to a blacklisting profile.

Unrelated question, apologies as I am new to this tool: what if I want to blacklist all of `${HOME}` except `${HOME}/work` and a few other required places? Or is that not possible with the blacklisting model?


@rusty-snake commented on GitHub (Jun 28, 2020):

> Unrelated question, apologies as I am new to this tool, what if I want to blacklist all of ${HOME} except ${HOME}/work and a few other required places? Or is that not possible with the blacklisting model?

If you want a program to have access only to explicitly mentioned paths, you need to use whitelisting. If you miss some paths, the program fails.

Two tips:

  1. `include whitelist-common.inc`, which whitelists (and makes some of them read-only) commonly needed files/dirs.
  2. Use the output of `firejail --build /usr/bin/program`.

@k3an3 commented on GitHub (Jun 28, 2020):

Thanks. Looks like the issue was on my end, so I'll close this.
