[GH-ISSUE #3488] Seccomp error action not working #2195

New issue

Closed

opened 2026-05-05 08:52:32 -06:00 by gitea-mirror · 6 comments

gitea-mirror commented 2026-05-05 08:52:32 -06:00

Owner

Copy link

Originally created by @sfc-gh-hyu on GitHub (Jul 3, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3488

I compiled with latest master and specified seccomp error action to be EPERM. However, it seems that firejail still kill the process.

firejail --noprofile --seccomp-error-action=EPERM --seccomp.drop=open --debug /tmp/file

And here is the log

 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 35 01 00 40000000   jge X32_ABI 0006 (false 0005)
 0005: 35 01 00 00000000   jge read 0007 (false 0006)
 0006: 06 00 00 00050001   ret ERRNO(1)
 0007: 15 00 01 00000002   jeq open 0008 (false 0009)
 0008: 06 00 00 00000001   ret KILL
 0009: 06 00 00 7fff0000   ret ALLOW

Not sure what I am doing wrong.

Originally created by @sfc-gh-hyu on GitHub (Jul 3, 2020). Original GitHub issue: https://github.com/netblue30/firejail/issues/3488 I compiled with latest master and specified seccomp error action to be EPERM. However, it seems that firejail still kill the process. ``` firejail --noprofile --seccomp-error-action=EPERM --seccomp.drop=open --debug /tmp/file ``` And here is the log ``` line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 01 00 c000003e jeq ARCH_64 0003 (false 0002) 0002: 06 00 00 7fff0000 ret ALLOW 0003: 20 00 00 00000000 ld data.syscall-number 0004: 35 01 00 40000000 jge X32_ABI 0006 (false 0005) 0005: 35 01 00 00000000 jge read 0007 (false 0006) 0006: 06 00 00 00050001 ret ERRNO(1) 0007: 15 00 01 00000002 jeq open 0008 (false 0009) 0008: 06 00 00 00000001 ret KILL 0009: 06 00 00 7fff0000 ret ALLOW ``` Not sure what I am doing wrong.

gitea-mirror 2026-05-05 08:52:32 -06:00

• closed this issue
• added the
  bug
  label

gitea-mirror commented 2026-05-05 08:52:35 -06:00

Author

Owner

Copy link

@topimiettinen commented on GitHub (Jul 3, 2020):

Please attach the entire log. Firejail is trying to execute /tmp/file, is this what you meant? What kind of application is it?

<!-- gh-comment-id:653661825 --> @topimiettinen commented on GitHub (Jul 3, 2020): Please attach the entire log. Firejail is trying to execute `/tmp/file`, is this what you meant? What kind of application is it?

gitea-mirror commented 2026-05-05 08:52:36 -06:00

Author

Owner

Copy link

@sfc-gh-hyu commented on GitHub (Jul 3, 2020):

Ah sorry. Should be more specific. It's my own test program, which just open and close a file. Here is the cpp source code.

#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <string>
#include <unistd.h>
#include <iostream>

int main()
{
  std::string a = "/tmp/test";

  int fd = ::open(a.c_str(), O_CREAT | O_APPEND);
  std::cout << "Open ret: " << fd << std::endl;
  
  int ret = ::close(fd);
  std::cout << "Close ret: " << ret << std::endl;
  return 0;
}

Here is the full log:

[hyu@DEVVM-hyu tmp]$ firejail --noprofile --seccomp-error-action=EPERM --seccomp.drop=open --debug /tmp/file  
Autoselecting /bin/bash as shell
Building quoted command line: '/tmp/file' 
Command name #file#
Seccomp list in: open, check list: @default-keep, prelist: open,
DISPLAY=:0 parsed as 0
Using the local network stack
Parent pid 19530, child pid 19531
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
IBUS_ADDRESS=unix:abstract=/tmp/dbus-UcaAG4PI,guid=2fca8a0b54ed937ce2c640675e1fb413
IBUS_DAEMON_PID=3964
IBUS_ADDRESS=unix:abstract=/tmp/dbus-8Txghbdl,guid=c0da9b65348488441383d6775e214831
IBUS_DAEMON_PID=6729
IBUS_ADDRESS=unix:abstract=/tmp/dbus-HjxT9mNP,guid=27749b2190e0202bafa0a72c5e238bc1
IBUS_DAEMON_PID=7435
IBUS_ADDRESS=unix:abstract=/tmp/dbus-DfM1a0L7,guid=e961d418a591163c640f39175ea360c3
IBUS_DAEMON_PID=3304
IBUS_ADDRESS=unix:abstract=/tmp/dbus-VA1Ung0C,guid=e92eb16b37c14a8f11808d6a5eb893fa
IBUS_DAEMON_PID=3306
IBUS_ADDRESS=unix:abstract=/tmp/dbus-3AGwNwtg,guid=445be80cad45844e8eba58085ed168bf
IBUS_DAEMON_PID=2690
IBUS_ADDRESS=unix:abstract=/tmp/dbus-5DjpLrbH,guid=c904b9b917ac99e2290cc3635ee99cc6
IBUS_DAEMON_PID=2724
IBUS_ADDRESS=unix:abstract=/tmp/dbus-LUkQ8pC7,guid=c3f659f30d73a85e83c12eb15eea67ec
IBUS_DAEMON_PID=2718
IBUS_ADDRESS=unix:abstract=/tmp/dbus-V1pKepjx,guid=8cc7d9f605d3ed929076318d5ef2a377
IBUS_DAEMON_PID=2756
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
605 557 8:1 /etc /etc ro,relatime master:1 - ext4 /dev/sda1 rw,data=ordered
mountid=605 fsname=/etc dir=/etc fstype=ext4
Mounting noexec /etc
606 605 8:1 /etc /etc ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/sda1 rw,data=ordered
mountid=606 fsname=/etc dir=/etc fstype=ext4
Mounting read-only /var
617 607 0:35 / /var/lib/nfs/rpc_pipefs rw,relatime master:37 - rpc_pipefs sunrpc rw
mountid=617 fsname=/ dir=/var/lib/nfs/rpc_pipefs fstype=rpc_pipefs
Mounting read-only /var/lib/nfs/rpc_pipefs
618 617 0:35 / /var/lib/nfs/rpc_pipefs ro,relatime master:37 - rpc_pipefs sunrpc rw
mountid=618 fsname=/ dir=/var/lib/nfs/rpc_pipefs fstype=rpc_pipefs
Mounting noexec /var
630 629 0:35 / /var/lib/nfs/rpc_pipefs ro,relatime master:37 - rpc_pipefs sunrpc rw
mountid=630 fsname=/ dir=/var/lib/nfs/rpc_pipefs fstype=rpc_pipefs
Mounting noexec /var/lib/snapd/snap/core18/1754
631 620 7:1 / /var/lib/snapd/snap/core18/1754 ro,nosuid,nodev,noexec,relatime master:27 - squashfs /dev/loop1 ro
mountid=631 fsname=/ dir=/var/lib/snapd/snap/core18/1754 fstype=squashfs
Mounting noexec /var/lib/snapd/snap/snapd/8140
632 621 7:0 / /var/lib/snapd/snap/snapd/8140 ro,nosuid,nodev,noexec,relatime master:28 - squashfs /dev/loop0 ro
mountid=632 fsname=/ dir=/var/lib/snapd/snap/snapd/8140 fstype=squashfs
Mounting noexec /var/lib/snapd/snap/clion/114
633 622 7:2 / /var/lib/snapd/snap/clion/114 ro,nosuid,nodev,noexec,relatime master:29 - squashfs /dev/loop2 ro
mountid=633 fsname=/ dir=/var/lib/snapd/snap/clion/114 fstype=squashfs
Mounting noexec /var/lib/snapd/snap/firefox/372
634 623 7:3 / /var/lib/snapd/snap/firefox/372 ro,nosuid,nodev,noexec,relatime master:30 - squashfs /dev/loop3 ro
mountid=634 fsname=/ dir=/var/lib/snapd/snap/firefox/372 fstype=squashfs
Mounting noexec /var/lib/snapd/snap/intellij-idea-community/232
635 624 7:4 / /var/lib/snapd/snap/intellij-idea-community/232 ro,nosuid,nodev,noexec,relatime master:31 - squashfs /dev/loop4 ro
mountid=635 fsname=/ dir=/var/lib/snapd/snap/intellij-idea-community/232 fstype=squashfs
Mounting noexec /var/lib/snapd/snap/chromium/1193
636 625 7:5 / /var/lib/snapd/snap/chromium/1193 ro,nosuid,nodev,noexec,relatime master:32 - squashfs /dev/loop5 ro
mountid=636 fsname=/ dir=/var/lib/snapd/snap/chromium/1193 fstype=squashfs
Mounting noexec /var/lib/snapd/snap/core/9289
637 626 7:6 / /var/lib/snapd/snap/core/9289 ro,nosuid,nodev,noexec,relatime master:33 - squashfs /dev/loop6 ro
mountid=637 fsname=/ dir=/var/lib/snapd/snap/core/9289 fstype=squashfs
Mounting noexec /var/lib/snapd/snap/gnome-3-34-1804/36
638 627 7:7 / /var/lib/snapd/snap/gnome-3-34-1804/36 ro,nosuid,nodev,noexec,relatime master:34 - squashfs /dev/loop7 ro
mountid=638 fsname=/ dir=/var/lib/snapd/snap/gnome-3-34-1804/36 fstype=squashfs
Mounting noexec /var/lib/snapd/snap/gtk-common-themes/1506
639 628 7:8 / /var/lib/snapd/snap/gtk-common-themes/1506 ro,nosuid,nodev,noexec,relatime master:35 - squashfs /dev/loop8 ro
mountid=639 fsname=/ dir=/var/lib/snapd/snap/gtk-common-themes/1506 fstype=squashfs
Mounting noexec /var/lib/nfs/rpc_pipefs
640 630 0:35 / /var/lib/nfs/rpc_pipefs ro,nosuid,nodev,noexec,relatime master:37 - rpc_pipefs sunrpc rw
mountid=640 fsname=/ dir=/var/lib/nfs/rpc_pipefs fstype=rpc_pipefs
Mounting read-only /usr
641 557 8:1 /usr /usr ro,relatime master:1 - ext4 /dev/sda1 rw,data=ordered
mountid=641 fsname=/usr dir=/usr fstype=ext4
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /var/lib/nginx
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Cleaning /run/user directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
blacklist /run/firejail/dbus
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /sys/kernel/uevent_helper
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/kernel/hotplug
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/timer_stats
Disable /proc/kcore
Disable /proc/kallsyms
Disable /usr/lib/modules (requested /lib/modules)
Disable /usr/lib/debug
Disable /boot
Disable /dev/port
Disable /run/user/1970/gnupg
Disable /run/user/1970/systemd
Disable /dev/kmsg
Disable /proc/kmsg
Disable /sys/fs
Disable /sys/module
Mounting noexec /run/firejail/mnt/pulse
680 602 0:48 /pulse /run/firejail/mnt/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755
mountid=680 fsname=/pulse dir=/run/firejail/mnt/pulse fstype=tmpfs
Mounting /run/firejail/mnt/pulse on /home/hyu/.config/pulse
681 649 0:48 /pulse /home/hyu/.config/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755
mountid=681 fsname=/pulse dir=/home/hyu/.config/pulse fstype=tmpfs
Current directory: /tmp
Build drop seccomp filter
sbox run: /run/firejail/lib/fseccomp drop /run/firejail/mnt/seccomp/seccomp /run/firejail/mnt/seccomp/seccomp.postexec open 
Dropping all capabilities
Drop privileges: pid 2, uid 1970, gid 1970, nogroups 1
No supplementary groups
Seccomp list in: open, check list: @default-keep, prelist: open,
sbox run: /run/firejail/lib/fsec-optimize /run/firejail/mnt/seccomp/seccomp 
Dropping all capabilities
Drop privileges: pid 3, uid 1970, gid 1970, nogroups 1
No supplementary groups
configuring 10 seccomp entries in /run/firejail/mnt/seccomp/seccomp
sbox run: /usr/lib64/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp 
Dropping all capabilities
Drop privileges: pid 4, uid 1970, gid 1970, nogroups 1
No supplementary groups
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 35 01 00 40000000   jge X32_ABI 0006 (false 0005)
 0005: 35 01 00 00000000   jge read 0007 (false 0006)
 0006: 06 00 00 00050001   ret ERRNO(1)
 0007: 15 00 01 00000002   jeq open 0008 (false 0009)
 0008: 06 00 00 00000001   ret KILL
 0009: 06 00 00 7fff0000   ret ALLOW
seccomp filter configured
Mounting read-only /run/firejail/mnt/seccomp
682 602 0:48 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755
mountid=682 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs
Drop privileges: pid 5, uid 1970, gid 1970, nogroups 1
No supplementary groups
Seccomp directory:
total 12
-rw-r--r-- 1 hyu hyu  80 Jul  3 18:42 seccomp
-rw-r--r-- 1 hyu hyu 808 Jul  3 18:42 seccomp.32
-rw-r--r-- 1 hyu hyu  34 Jul  3 18:42 seccomp.list
-rw-r--r-- 1 hyu hyu   0 Jul  3 18:42 seccomp.postexec
-rw-r--r-- 1 hyu hyu   0 Jul  3 18:42 seccomp.postexec32
Active seccomp files:
/run/firejail/mnt/seccomp/seccomp
Drop privileges: pid 1, uid 1970, gid 1970, nogroups 0
starting application
LD_PRELOAD=(null)
Running '/tmp/file'  command through /bin/bash
execvp argument 0: /bin/bash
execvp argument 1: -c
execvp argument 2: '/tmp/file' 
Child process initialized in 27.74 ms
Installing /run/firejail/mnt/seccomp/seccomp seccomp filter
monitoring pid 8

Sandbox monitor: waitpid 8 retval 8 status 159

Parent is shutting down, bye...

<!-- gh-comment-id:653662376 --> @sfc-gh-hyu commented on GitHub (Jul 3, 2020): Ah sorry. Should be more specific. It's my own test program, which just open and close a file. Here is the cpp source code. ``` #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> #include <string> #include <unistd.h> #include <iostream> int main() { std::string a = "/tmp/test"; int fd = ::open(a.c_str(), O_CREAT | O_APPEND); std::cout << "Open ret: " << fd << std::endl; int ret = ::close(fd); std::cout << "Close ret: " << ret << std::endl; return 0; } ``` Here is the full log: ``` [hyu@DEVVM-hyu tmp]$ firejail --noprofile --seccomp-error-action=EPERM --seccomp.drop=open --debug /tmp/file Autoselecting /bin/bash as shell Building quoted command line: '/tmp/file' Command name #file# Seccomp list in: open, check list: @default-keep, prelist: open, DISPLAY=:0 parsed as 0 Using the local network stack Parent pid 19530, child pid 19531 Initializing child process Host network configured PID namespace installed Mounting tmpfs on /run/firejail/mnt directory Creating empty /run/firejail/mnt/seccomp directory Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file IBUS_ADDRESS=unix:abstract=/tmp/dbus-UcaAG4PI,guid=2fca8a0b54ed937ce2c640675e1fb413 IBUS_DAEMON_PID=3964 IBUS_ADDRESS=unix:abstract=/tmp/dbus-8Txghbdl,guid=c0da9b65348488441383d6775e214831 IBUS_DAEMON_PID=6729 IBUS_ADDRESS=unix:abstract=/tmp/dbus-HjxT9mNP,guid=27749b2190e0202bafa0a72c5e238bc1 IBUS_DAEMON_PID=7435 IBUS_ADDRESS=unix:abstract=/tmp/dbus-DfM1a0L7,guid=e961d418a591163c640f39175ea360c3 IBUS_DAEMON_PID=3304 IBUS_ADDRESS=unix:abstract=/tmp/dbus-VA1Ung0C,guid=e92eb16b37c14a8f11808d6a5eb893fa IBUS_DAEMON_PID=3306 IBUS_ADDRESS=unix:abstract=/tmp/dbus-3AGwNwtg,guid=445be80cad45844e8eba58085ed168bf IBUS_DAEMON_PID=2690 IBUS_ADDRESS=unix:abstract=/tmp/dbus-5DjpLrbH,guid=c904b9b917ac99e2290cc3635ee99cc6 IBUS_DAEMON_PID=2724 IBUS_ADDRESS=unix:abstract=/tmp/dbus-LUkQ8pC7,guid=c3f659f30d73a85e83c12eb15eea67ec IBUS_DAEMON_PID=2718 IBUS_ADDRESS=unix:abstract=/tmp/dbus-V1pKepjx,guid=8cc7d9f605d3ed929076318d5ef2a377 IBUS_DAEMON_PID=2756 Mounting /proc filesystem representing the PID namespace Basic read-only filesystem: Mounting read-only /etc 605 557 8:1 /etc /etc ro,relatime master:1 - ext4 /dev/sda1 rw,data=ordered mountid=605 fsname=/etc dir=/etc fstype=ext4 Mounting noexec /etc 606 605 8:1 /etc /etc ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/sda1 rw,data=ordered mountid=606 fsname=/etc dir=/etc fstype=ext4 Mounting read-only /var 617 607 0:35 / /var/lib/nfs/rpc_pipefs rw,relatime master:37 - rpc_pipefs sunrpc rw mountid=617 fsname=/ dir=/var/lib/nfs/rpc_pipefs fstype=rpc_pipefs Mounting read-only /var/lib/nfs/rpc_pipefs 618 617 0:35 / /var/lib/nfs/rpc_pipefs ro,relatime master:37 - rpc_pipefs sunrpc rw mountid=618 fsname=/ dir=/var/lib/nfs/rpc_pipefs fstype=rpc_pipefs Mounting noexec /var 630 629 0:35 / /var/lib/nfs/rpc_pipefs ro,relatime master:37 - rpc_pipefs sunrpc rw mountid=630 fsname=/ dir=/var/lib/nfs/rpc_pipefs fstype=rpc_pipefs Mounting noexec /var/lib/snapd/snap/core18/1754 631 620 7:1 / /var/lib/snapd/snap/core18/1754 ro,nosuid,nodev,noexec,relatime master:27 - squashfs /dev/loop1 ro mountid=631 fsname=/ dir=/var/lib/snapd/snap/core18/1754 fstype=squashfs Mounting noexec /var/lib/snapd/snap/snapd/8140 632 621 7:0 / /var/lib/snapd/snap/snapd/8140 ro,nosuid,nodev,noexec,relatime master:28 - squashfs /dev/loop0 ro mountid=632 fsname=/ dir=/var/lib/snapd/snap/snapd/8140 fstype=squashfs Mounting noexec /var/lib/snapd/snap/clion/114 633 622 7:2 / /var/lib/snapd/snap/clion/114 ro,nosuid,nodev,noexec,relatime master:29 - squashfs /dev/loop2 ro mountid=633 fsname=/ dir=/var/lib/snapd/snap/clion/114 fstype=squashfs Mounting noexec /var/lib/snapd/snap/firefox/372 634 623 7:3 / /var/lib/snapd/snap/firefox/372 ro,nosuid,nodev,noexec,relatime master:30 - squashfs /dev/loop3 ro mountid=634 fsname=/ dir=/var/lib/snapd/snap/firefox/372 fstype=squashfs Mounting noexec /var/lib/snapd/snap/intellij-idea-community/232 635 624 7:4 / /var/lib/snapd/snap/intellij-idea-community/232 ro,nosuid,nodev,noexec,relatime master:31 - squashfs /dev/loop4 ro mountid=635 fsname=/ dir=/var/lib/snapd/snap/intellij-idea-community/232 fstype=squashfs Mounting noexec /var/lib/snapd/snap/chromium/1193 636 625 7:5 / /var/lib/snapd/snap/chromium/1193 ro,nosuid,nodev,noexec,relatime master:32 - squashfs /dev/loop5 ro mountid=636 fsname=/ dir=/var/lib/snapd/snap/chromium/1193 fstype=squashfs Mounting noexec /var/lib/snapd/snap/core/9289 637 626 7:6 / /var/lib/snapd/snap/core/9289 ro,nosuid,nodev,noexec,relatime master:33 - squashfs /dev/loop6 ro mountid=637 fsname=/ dir=/var/lib/snapd/snap/core/9289 fstype=squashfs Mounting noexec /var/lib/snapd/snap/gnome-3-34-1804/36 638 627 7:7 / /var/lib/snapd/snap/gnome-3-34-1804/36 ro,nosuid,nodev,noexec,relatime master:34 - squashfs /dev/loop7 ro mountid=638 fsname=/ dir=/var/lib/snapd/snap/gnome-3-34-1804/36 fstype=squashfs Mounting noexec /var/lib/snapd/snap/gtk-common-themes/1506 639 628 7:8 / /var/lib/snapd/snap/gtk-common-themes/1506 ro,nosuid,nodev,noexec,relatime master:35 - squashfs /dev/loop8 ro mountid=639 fsname=/ dir=/var/lib/snapd/snap/gtk-common-themes/1506 fstype=squashfs Mounting noexec /var/lib/nfs/rpc_pipefs 640 630 0:35 / /var/lib/nfs/rpc_pipefs ro,nosuid,nodev,noexec,relatime master:37 - rpc_pipefs sunrpc rw mountid=640 fsname=/ dir=/var/lib/nfs/rpc_pipefs fstype=rpc_pipefs Mounting read-only /usr 641 557 8:1 /usr /usr ro,relatime master:1 - ext4 /dev/sda1 rw,data=ordered mountid=641 fsname=/usr dir=/usr fstype=ext4 Mounting tmpfs on /var/lock Mounting tmpfs on /var/tmp Mounting tmpfs on /var/log Mounting tmpfs on /var/lib/nginx Create the new utmp file Mount the new utmp file Cleaning /home directory Cleaning /run/user directory Sanitizing /etc/passwd, UID_MIN 1000 Sanitizing /etc/group, GID_MIN 1000 Disable /run/firejail/network Disable /run/firejail/bandwidth Disable /run/firejail/name Disable /run/firejail/profile Disable /run/firejail/x11 blacklist /run/firejail/dbus Mounting read-only /proc/sys Remounting /sys directory Disable /sys/firmware Disable /sys/hypervisor Disable /sys/power Disable /sys/kernel/debug Disable /sys/kernel/vmcoreinfo Disable /sys/kernel/uevent_helper Disable /proc/sys/fs/binfmt_misc Disable /proc/sys/kernel/core_pattern Disable /proc/sys/kernel/modprobe Disable /proc/sysrq-trigger Disable /proc/sys/kernel/hotplug Disable /proc/sys/vm/panic_on_oom Disable /proc/irq Disable /proc/bus Disable /proc/sched_debug Disable /proc/timer_list Disable /proc/timer_stats Disable /proc/kcore Disable /proc/kallsyms Disable /usr/lib/modules (requested /lib/modules) Disable /usr/lib/debug Disable /boot Disable /dev/port Disable /run/user/1970/gnupg Disable /run/user/1970/systemd Disable /dev/kmsg Disable /proc/kmsg Disable /sys/fs Disable /sys/module Mounting noexec /run/firejail/mnt/pulse 680 602 0:48 /pulse /run/firejail/mnt/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755 mountid=680 fsname=/pulse dir=/run/firejail/mnt/pulse fstype=tmpfs Mounting /run/firejail/mnt/pulse on /home/hyu/.config/pulse 681 649 0:48 /pulse /home/hyu/.config/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755 mountid=681 fsname=/pulse dir=/home/hyu/.config/pulse fstype=tmpfs Current directory: /tmp Build drop seccomp filter sbox run: /run/firejail/lib/fseccomp drop /run/firejail/mnt/seccomp/seccomp /run/firejail/mnt/seccomp/seccomp.postexec open Dropping all capabilities Drop privileges: pid 2, uid 1970, gid 1970, nogroups 1 No supplementary groups Seccomp list in: open, check list: @default-keep, prelist: open, sbox run: /run/firejail/lib/fsec-optimize /run/firejail/mnt/seccomp/seccomp Dropping all capabilities Drop privileges: pid 3, uid 1970, gid 1970, nogroups 1 No supplementary groups configuring 10 seccomp entries in /run/firejail/mnt/seccomp/seccomp sbox run: /usr/lib64/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp Dropping all capabilities Drop privileges: pid 4, uid 1970, gid 1970, nogroups 1 No supplementary groups line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 01 00 c000003e jeq ARCH_64 0003 (false 0002) 0002: 06 00 00 7fff0000 ret ALLOW 0003: 20 00 00 00000000 ld data.syscall-number 0004: 35 01 00 40000000 jge X32_ABI 0006 (false 0005) 0005: 35 01 00 00000000 jge read 0007 (false 0006) 0006: 06 00 00 00050001 ret ERRNO(1) 0007: 15 00 01 00000002 jeq open 0008 (false 0009) 0008: 06 00 00 00000001 ret KILL 0009: 06 00 00 7fff0000 ret ALLOW seccomp filter configured Mounting read-only /run/firejail/mnt/seccomp 682 602 0:48 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755 mountid=682 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs Drop privileges: pid 5, uid 1970, gid 1970, nogroups 1 No supplementary groups Seccomp directory: total 12 -rw-r--r-- 1 hyu hyu 80 Jul 3 18:42 seccomp -rw-r--r-- 1 hyu hyu 808 Jul 3 18:42 seccomp.32 -rw-r--r-- 1 hyu hyu 34 Jul 3 18:42 seccomp.list -rw-r--r-- 1 hyu hyu 0 Jul 3 18:42 seccomp.postexec -rw-r--r-- 1 hyu hyu 0 Jul 3 18:42 seccomp.postexec32 Active seccomp files: /run/firejail/mnt/seccomp/seccomp Drop privileges: pid 1, uid 1970, gid 1970, nogroups 0 starting application LD_PRELOAD=(null) Running '/tmp/file' command through /bin/bash execvp argument 0: /bin/bash execvp argument 1: -c execvp argument 2: '/tmp/file' Child process initialized in 27.74 ms Installing /run/firejail/mnt/seccomp/seccomp seccomp filter monitoring pid 8 Sandbox monitor: waitpid 8 retval 8 status 159 Parent is shutting down, bye... ```

gitea-mirror commented 2026-05-05 08:52:37 -06:00

Author

Owner

Copy link

@topimiettinen commented on GitHub (Jul 3, 2020):

The program works for me:

Child process initialized in 109.47 ms
Installing /run/firejail/mnt/seccomp/seccomp seccomp filter
Open ret: 3
Close ret: 0
monitoring pid 10

Sandbox monitor: waitpid 10 retval 10 status 0

Parent is shutting down, bye...

But using strace as root user from another terminal shows that the program doesn't use open() but openat():

18849 openat(AT_FDCWD, "/tmp/test", O_RDONLY|O_CREAT|O_APPEND, 011) = 3

This is because a modern libc will translate calls to open() to openat(). Changing the filter to --seccomp.drop=openat, stracing shows:

18929 execve("/bin/bash", ["/bin/bash", "-c", "'/tmp/file' "], 0x627dbbd85280 /* 71 vars */) = 0
18929 brk(NULL)                         = 0x585eea97d000
18929 access("/etc/ld.so.preload", R_OK) = 0
18929 openat(AT_FDCWD, "/etc/ld.so.preload", O_RDONLY|O_CLOEXEC) = ?
18929 +++ killed by SIGSYS +++

So there is a bug.

<!-- gh-comment-id:653675181 --> @topimiettinen commented on GitHub (Jul 3, 2020): The program works for me: ``` Child process initialized in 109.47 ms Installing /run/firejail/mnt/seccomp/seccomp seccomp filter Open ret: 3 Close ret: 0 monitoring pid 10 Sandbox monitor: waitpid 10 retval 10 status 0 Parent is shutting down, bye... ``` But using strace as root user from another terminal shows that the program doesn't use `open()` but `openat()`: `18849 openat(AT_FDCWD, "/tmp/test", O_RDONLY|O_CREAT|O_APPEND, 011) = 3` This is because a modern libc will translate calls to `open()` to `openat()`. Changing the filter to `--seccomp.drop=openat`, stracing shows: ``` 18929 execve("/bin/bash", ["/bin/bash", "-c", "'/tmp/file' "], 0x627dbbd85280 /* 71 vars */) = 0 18929 brk(NULL) = 0x585eea97d000 18929 access("/etc/ld.so.preload", R_OK) = 0 18929 openat(AT_FDCWD, "/etc/ld.so.preload", O_RDONLY|O_CLOEXEC) = ? 18929 +++ killed by SIGSYS +++ ``` So there is a bug.

gitea-mirror commented 2026-05-05 08:52:38 -06:00

Author

Owner

Copy link

@topimiettinen commented on GitHub (Jul 3, 2020):

2345cc4c7 broke the environment variable passing for error action for fseccomp.

<!-- gh-comment-id:653678515 --> @topimiettinen commented on GitHub (Jul 3, 2020): 2345cc4c7 broke the environment variable passing for error action for fseccomp.

gitea-mirror commented 2026-05-05 08:52:39 -06:00

Author

Owner

Copy link

@topimiettinen commented on GitHub (Jul 3, 2020):

Fixed in master, please check.

<!-- gh-comment-id:653679581 --> @topimiettinen commented on GitHub (Jul 3, 2020): Fixed in master, please check.

gitea-mirror commented 2026-05-05 08:52:40 -06:00

Author

Owner

Copy link

@sfc-gh-hyu commented on GitHub (Jul 3, 2020):

Confirmed fix. Thanks for that!

<!-- gh-comment-id:653695623 --> @sfc-gh-hyu commented on GitHub (Jul 3, 2020): Confirmed fix. Thanks for that!

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

serialize_remounts_v2

landlock_v4

landlock

release-0.9.64

release-0.9.62

gitlab_ci

LTSbase

fred_ctests

docs

0.9.80

0.9.80-rc1

0.9.78

0.9.76

0.9.76-rc4

0.9.76-rc3

0.9.76-rc2

0.9.76-rc1

0.9.74

landlock-split

0.9.72

0.9.72rc1

0.9.70

0.9.68

0.9.68rc1

0.9.66

0.9.66rc1

0.9.64.4

0.9.64.2

0.9.64

0.9.64rc1

0.9.62.4

0.9.62.2

0.9.62

0.9.56.2-LTS

0.9.60

0.9.60-rc1

0.9.58.2

0.9.58

0.9.58-rc1

0.9.56-LTS-release

0.9.56-LTS

0.9.56

0.9.56-rc1

0.9.54

0.9.54-rc2

0.9.54-rc1

0.9.52

0.9.38.12

0.9.50

0.9.50-rc1

0.9.48

0.9.46

0.9.46-rc1

0.9.44.10

0.9.44.8

0.9.44.6

0.9.38.10

0.9.44.4

0.9.38.8

0.9.44.2

0.9.44

0.9.44-rc1

0.9.38.4

0.9.42

0.9.42-rc2

0.9.38.2

0.9.42-rc1

disable-globalcfg

0.9.40

0.9.40-rc1

0.9.38

0.9.38-rc1

0.9.36

0.9.36-rc1

0.9.34

0.9.34-rc1

0.9.32

0.9.32-rc1

0.9.30

0.9.30-rc1

Labels

Clear labels   

LTS merge

  

LTS merge

  

bug

  

bug

  

converted-to-discussion

  

doc-todo

  

documentation

  

duplicate

  

enhancement

  

file-transfer

  

firecfg

  

firejail-in-firejail

  

firetools

  

graphics

  

help wanted

  

information_old

  

installation

  

invalid

  

modif

  

moved

  

needinfo

  

networking

  

notabug

  

notourbug

  

old-version

  

overlayfs

  

packaging

  

profile-request

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

question_old

  

removal

  

runtime-permissions

  

sandbox-ipc

  

security

  

stale

  

wiki

  

wiki

  

wontfix

  

wordpress

  

workaround

No labels

LTS merge

LTS merge

bug

bug

converted-to-discussion

doc-todo

documentation

duplicate

enhancement

file-transfer

firecfg

firejail-in-firejail

firetools

graphics

help wanted

information_old

installation

invalid

modif

moved

needinfo

networking

notabug

notourbug

old-version

overlayfs

packaging

profile-request

pull-request

question

question_old

removal

runtime-permissions

sandbox-ipc

security

stale

wiki

wiki

wontfix

wordpress

workaround

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2195

No description provided.