github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #3530] disable-shell.inc breaks AppImages #2220

New issue
Closed
opened 2026-05-05 08:54:15 -06:00 by gitea-mirror · 27 comments
gitea-mirror commented 2026-05-05 08:54:15 -06:00
Owner
Copy link

Originally created by @svc88 on GitHub (Jul 20, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3530

Bug and expected behavior
When i upgraded to 0.9.63 from 0.9.62, i started having issues with keepassxc appimage.
The appimage didnt open up keepassxc, instead i saw an error in the log saying:

Reading profile /usr/local/etc/firejail/keepassxc.profile
Reading profile /usr/local/etc/firejail/disable-common.inc
Reading profile /usr/local/etc/firejail/disable-devel.inc
Reading profile /usr/local/etc/firejail/disable-exec.inc
Reading profile /usr/local/etc/firejail/disable-interpreters.inc
Reading profile /usr/local/etc/firejail/disable-passwdmgr.inc
Reading profile /usr/local/etc/firejail/disable-programs.inc
Reading profile /usr/local/etc/firejail/disable-shell.inc
Reading profile /usr/local/etc/firejail/disable-xdg.inc
Reading profile /usr/local/etc/firejail/whitelist-usr-share-common.inc
Reading profile /usr/local/etc/firejail/whitelist-var-common.inc
Mounting appimage type 2
Warning: /usr/bin/xdg-dbus-proxy was not found, downgrading dbus-user policy to allow.
To enable DBus filtering, install the xdg-dbus-proxy program.
Ignoring "dbus-user.talk com.canonical.Unity.Session" and 6 other dbus-user filter rules.
Parent pid 6966, child pid 6969

**     Warning: dropping all Linux capabilities     **

Private /etc installed in 8.27 ms
Warning: not remounting /home/user/.gvfs
Warning: not remounting /run/user/1000/gvfs
Blacklist violations are logged to syslog
Child process initialized in 173.00 ms
execvp: Permission denied

Parent is shutting down, bye...

No profile or disabling firejail

  • What changed calling firejail --noprofile PROGRAM in a shell?
    It runs

Environment

Additional context
This didnt happen with 0.9.62

Originally created by @svc88 on GitHub (Jul 20, 2020). Original GitHub issue: https://github.com/netblue30/firejail/issues/3530 **Bug and expected behavior** When i upgraded to 0.9.63 from 0.9.62, i started having issues with keepassxc appimage. The appimage didnt open up keepassxc, instead i saw an error in the log saying: ``` Reading profile /usr/local/etc/firejail/keepassxc.profile Reading profile /usr/local/etc/firejail/disable-common.inc Reading profile /usr/local/etc/firejail/disable-devel.inc Reading profile /usr/local/etc/firejail/disable-exec.inc Reading profile /usr/local/etc/firejail/disable-interpreters.inc Reading profile /usr/local/etc/firejail/disable-passwdmgr.inc Reading profile /usr/local/etc/firejail/disable-programs.inc Reading profile /usr/local/etc/firejail/disable-shell.inc Reading profile /usr/local/etc/firejail/disable-xdg.inc Reading profile /usr/local/etc/firejail/whitelist-usr-share-common.inc Reading profile /usr/local/etc/firejail/whitelist-var-common.inc Mounting appimage type 2 Warning: /usr/bin/xdg-dbus-proxy was not found, downgrading dbus-user policy to allow. To enable DBus filtering, install the xdg-dbus-proxy program. Ignoring "dbus-user.talk com.canonical.Unity.Session" and 6 other dbus-user filter rules. Parent pid 6966, child pid 6969 ** Warning: dropping all Linux capabilities ** Private /etc installed in 8.27 ms Warning: not remounting /home/user/.gvfs Warning: not remounting /run/user/1000/gvfs Blacklist violations are logged to syslog Child process initialized in 173.00 ms execvp: Permission denied Parent is shutting down, bye... ``` **No profile or disabling firejail** - What changed calling `firejail --noprofile PROGRAM` in a shell? It runs **Environment** - Xubuntu 18.04 - Firejail version a9aabada2f61dcdc9ee9272c69f24991776767a6 **Additional context** This didnt happen with 0.9.62
gitea-mirror 2026-05-05 08:54:15 -06:00
  • closed this issue
  • added the
    bug
         label
gitea-mirror commented 2026-05-05 08:54:18 -06:00
Author
Owner
Copy link

@svc88 commented on GitHub (Jul 20, 2020):

If i run the appimage like so:
firejail ./KeePassXC-2.5.4-x86_64.AppImage
i get this error (if it helps) not sure what execv is?
execv error: No such file or directory

Possibly related to https://github.com/netblue30/firejail/issues/2690 ?

<!-- gh-comment-id:660939584 --> @svc88 commented on GitHub (Jul 20, 2020): If i run the appimage like so: `firejail ./KeePassXC-2.5.4-x86_64.AppImage` i get this error (if it helps) not sure what execv is? `execv error: No such file or directory` Possibly related to https://github.com/netblue30/firejail/issues/2690 ?
gitea-mirror commented 2026-05-05 08:54:19 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jul 20, 2020):

Where is the AI stored?

To sum-up:

$ firejail --noprofile --appimage KeePassXC-2.5.4-x86_64.AppImage
Works
$ firejail --noprofile ./KeePassXC-2.5.4-x86_64.AppImage
Works
$ firejail --profile=keepassxc --appimage KeePassXC-2.5.4-x86_64.AppImage
Fails with execvp: Permission denied
$ firejail --profile=keepassxc ./KeePassXC-2.5.4-x86_64.AppImage
Fails with execv error: No such file or directory
<!-- gh-comment-id:660950218 --> @rusty-snake commented on GitHub (Jul 20, 2020): Where is the AI stored? To sum-up: ``` $ firejail --noprofile --appimage KeePassXC-2.5.4-x86_64.AppImage Works $ firejail --noprofile ./KeePassXC-2.5.4-x86_64.AppImage Works $ firejail --profile=keepassxc --appimage KeePassXC-2.5.4-x86_64.AppImage Fails with execvp: Permission denied $ firejail --profile=keepassxc ./KeePassXC-2.5.4-x86_64.AppImage Fails with execv error: No such file or directory ```
gitea-mirror commented 2026-05-05 08:54:20 -06:00
Author
Owner
Copy link

@svc88 commented on GitHub (Jul 20, 2020):

Where is the AI stored?

Do you mean where do i run it from? just from $HOME

To sum-up:

$ firejail --noprofile --appimage KeePassXC-2.5.4-x86_64.AppImage
Works
$ firejail --noprofile ./KeePassXC-2.5.4-x86_64.AppImage
Works
$ firejail --profile=keepassxc --appimage KeePassXC-2.5.4-x86_64.AppImage
Fails with execvp: Permission denied
$ firejail --profile=keepassxc ./KeePassXC-2.5.4-x86_64.AppImage
Fails with execv error: No such file or directory

Yes exactly. Not sure if this is related to the issue i mentioned.

<!-- gh-comment-id:660951970 --> @svc88 commented on GitHub (Jul 20, 2020): > Where is the AI stored? Do you mean where do i run it from? just from $HOME > To sum-up: > > ``` > $ firejail --noprofile --appimage KeePassXC-2.5.4-x86_64.AppImage > Works > $ firejail --noprofile ./KeePassXC-2.5.4-x86_64.AppImage > Works > $ firejail --profile=keepassxc --appimage KeePassXC-2.5.4-x86_64.AppImage > Fails with execvp: Permission denied > $ firejail --profile=keepassxc ./KeePassXC-2.5.4-x86_64.AppImage > Fails with execv error: No such file or directory > ``` Yes exactly. Not sure if this is related to the issue i mentioned.
gitea-mirror commented 2026-05-05 08:54:21 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jul 20, 2020):

The last may work with firejail '--ignore=noexec ${HOME}' --profile=keepassxc ./KeePassXC-2.5.4-x86_64.AppImage.

<!-- gh-comment-id:660955005 --> @rusty-snake commented on GitHub (Jul 20, 2020): The last may work with `firejail '--ignore=noexec ${HOME}' --profile=keepassxc ./KeePassXC-2.5.4-x86_64.AppImage`.
gitea-mirror commented 2026-05-05 08:54:22 -06:00
Author
Owner
Copy link

@svc88 commented on GitHub (Jul 20, 2020):

firejail '--ignore=noexec ${HOME}' --profile=keepassxc ./KeePassXC-2.5.4-x86_64.AppImage

Reading profile /usr/local/etc/firejail/keepassxc.profile
Reading profile /usr/local/etc/firejail/disable-common.inc
Reading profile /usr/local/etc/firejail/disable-devel.inc
Reading profile /usr/local/etc/firejail/disable-exec.inc
Reading profile /usr/local/etc/firejail/disable-interpreters.inc
Reading profile /usr/local/etc/firejail/disable-passwdmgr.inc
Reading profile /usr/local/etc/firejail/disable-programs.inc
Reading profile /usr/local/etc/firejail/disable-shell.inc
Reading profile /usr/local/etc/firejail/disable-xdg.inc
Reading profile /usr/local/etc/firejail/whitelist-usr-share-common.inc
Reading profile /usr/local/etc/firejail/whitelist-var-common.inc
Warning: /usr/bin/xdg-dbus-proxy was not found, downgrading dbus-user policy to allow.
To enable DBus filtering, install the xdg-dbus-proxy program.
Ignoring "dbus-user.talk com.canonical.Unity.Session" and 6 other dbus-user filter rules.
Parent pid 1027, child pid 1028
3 programs installed in 6.86 ms
Warning fcopy: skipping /etc/alternatives/lzdiff, cannot find inode
Warning fcopy: skipping /etc/alternatives/updatedb, cannot find inode
Warning fcopy: skipping /etc/alternatives/nc, cannot find inode
Warning fcopy: skipping /etc/alternatives/lzmore, cannot find inode
Warning fcopy: skipping /etc/alternatives/phar, cannot find inode
Warning fcopy: skipping /etc/alternatives/vim, cannot find inode
Warning fcopy: skipping /etc/alternatives/gnome-www-browser, cannot find inode
Warning fcopy: skipping /etc/alternatives/lzcat, cannot find inode
Warning fcopy: skipping /etc/alternatives/lzegrep, cannot find inode
Warning fcopy: skipping /etc/alternatives/php-cgi, cannot find inode
Warning fcopy: skipping /etc/alternatives/mt, cannot find inode
Warning fcopy: skipping /etc/alternatives/editor, cannot find inode
Warning fcopy: skipping /etc/alternatives/view, cannot find inode
Warning fcopy: skipping /etc/alternatives/ftp, cannot find inode
Warning fcopy: skipping /etc/alternatives/telnet, cannot find inode
Warning fcopy: skipping /etc/alternatives/c89, cannot find inode
Warning fcopy: skipping /etc/alternatives/php, cannot find inode
Warning fcopy: skipping /etc/alternatives/x-session-manager, cannot find inode
Warning fcopy: skipping /etc/alternatives/orbd, cannot find inode
Warning fcopy: skipping /etc/alternatives/x-window-manager, cannot find inode
Warning fcopy: skipping /etc/alternatives/aclocal, cannot find inode
Warning fcopy: skipping /etc/alternatives/rlogin, cannot find inode
Warning fcopy: skipping /etc/alternatives/phar.phar, cannot find inode
Warning fcopy: skipping /etc/alternatives/www-browser, cannot find inode
Warning fcopy: skipping /etc/alternatives/cpp, cannot find inode
Warning fcopy: skipping /etc/alternatives/c++, cannot find inode
Warning fcopy: skipping /etc/alternatives/pico, cannot find inode
Warning fcopy: skipping /etc/alternatives/rmt, cannot find inode
Warning fcopy: skipping /etc/alternatives/traceroute6, cannot find inode
Warning fcopy: skipping /etc/alternatives/w, cannot find inode
Warning fcopy: skipping /etc/alternatives/fakeroot, cannot find inode
Warning fcopy: skipping /etc/alternatives/nodejs, cannot find inode
Warning fcopy: skipping /etc/alternatives/vi, cannot find inode
Warning fcopy: skipping /etc/alternatives/jsonpointer, cannot find inode
Warning fcopy: skipping /etc/alternatives/lzgrep, cannot find inode
Warning fcopy: skipping /etc/alternatives/pinentry, cannot find inode
Warning fcopy: skipping /etc/alternatives/locate, cannot find inode
Warning fcopy: skipping /etc/alternatives/jsonschema, cannot find inode
Warning fcopy: skipping /etc/alternatives/automake, cannot find inode
Warning fcopy: skipping /etc/alternatives/infobrowser, cannot find inode
Warning fcopy: skipping /etc/alternatives/servertool.1.gz, cannot find inode
Warning fcopy: skipping /etc/alternatives/x-www-browser, cannot find inode
Warning fcopy: skipping /etc/alternatives/unlzma, cannot find inode
Warning fcopy: skipping /etc/alternatives/jsonpatch, cannot find inode
Warning fcopy: skipping /etc/alternatives/lzcmp, cannot find inode
Warning fcopy: skipping /etc/alternatives/servertool, cannot find inode
Warning fcopy: skipping /etc/alternatives/pftp, cannot find inode
Warning fcopy: skipping /etc/alternatives/cc, cannot find inode
Warning fcopy: skipping /etc/alternatives/google-chrome, cannot find inode
Warning fcopy: skipping /etc/alternatives/vimdiff, cannot find inode
Warning fcopy: skipping /etc/alternatives/unrar, cannot find inode
Warning fcopy: skipping /etc/alternatives/jsondiff, cannot find inode
Warning fcopy: skipping /etc/alternatives/awk, cannot find inode
Warning fcopy: skipping /etc/alternatives/rsh, cannot find inode
Warning fcopy: skipping /etc/alternatives/rvim, cannot find inode
Warning fcopy: skipping /etc/alternatives/tnameserv.1.gz, cannot find inode
Warning fcopy: skipping /etc/alternatives/rcp, cannot find inode
Warning fcopy: skipping /etc/alternatives/pager, cannot find inode
Warning fcopy: skipping /etc/alternatives/lzless, cannot find inode
Warning fcopy: skipping /etc/alternatives/rview, cannot find inode
Warning fcopy: skipping /etc/alternatives/x-terminal-emulator, cannot find inode
Warning fcopy: skipping /etc/alternatives/tnameserv, cannot find inode
Warning fcopy: skipping /etc/alternatives/pinentry-x11, cannot find inode
Warning fcopy: skipping /etc/alternatives/nawk, cannot find inode
Warning fcopy: skipping /etc/alternatives/netcat, cannot find inode
Warning fcopy: skipping /etc/alternatives/lzma, cannot find inode
Warning fcopy: skipping /etc/alternatives/from, cannot find inode
Warning fcopy: skipping /etc/alternatives/gnome-text-editor, cannot find inode
Warning fcopy: skipping /etc/alternatives/lzfgrep, cannot find inode
Warning fcopy: skipping /etc/alternatives/orbd.1.gz, cannot find inode
Warning fcopy: skipping /etc/alternatives/write, cannot find inode
Warning fcopy: skipping /etc/alternatives/ex, cannot find inode
Warning fcopy: skipping /etc/alternatives/c99, cannot find inode
Private /etc installed in 8.94 ms
Warning: skipping alternatives for private /usr/etc
Warning: skipping fonts for private /usr/etc
Warning: skipping ld.so.cache for private /usr/etc
Warning: skipping machine-id for private /usr/etc
Private /usr/etc installed in 0.19 ms
Warning: not remounting /run/user/1000/gvfs
Blacklist violations are logged to syslog
Child process initialized in 108.48 ms
fuse: device not found, try 'modprobe fuse' first

Cannot mount AppImage, please check your FUSE setup.
You might still be able to extract the contents of this AppImage 
if you run it with the --appimage-extract option. 
See https://github.com/AppImage/AppImageKit/wiki/FUSE 
for more information
open dir error: No such file or directory

Parent is shutting down, bye...
<!-- gh-comment-id:660958419 --> @svc88 commented on GitHub (Jul 20, 2020): firejail '--ignore=noexec ${HOME}' --profile=keepassxc ./KeePassXC-2.5.4-x86_64.AppImage ``` Reading profile /usr/local/etc/firejail/keepassxc.profile Reading profile /usr/local/etc/firejail/disable-common.inc Reading profile /usr/local/etc/firejail/disable-devel.inc Reading profile /usr/local/etc/firejail/disable-exec.inc Reading profile /usr/local/etc/firejail/disable-interpreters.inc Reading profile /usr/local/etc/firejail/disable-passwdmgr.inc Reading profile /usr/local/etc/firejail/disable-programs.inc Reading profile /usr/local/etc/firejail/disable-shell.inc Reading profile /usr/local/etc/firejail/disable-xdg.inc Reading profile /usr/local/etc/firejail/whitelist-usr-share-common.inc Reading profile /usr/local/etc/firejail/whitelist-var-common.inc Warning: /usr/bin/xdg-dbus-proxy was not found, downgrading dbus-user policy to allow. To enable DBus filtering, install the xdg-dbus-proxy program. Ignoring "dbus-user.talk com.canonical.Unity.Session" and 6 other dbus-user filter rules. Parent pid 1027, child pid 1028 3 programs installed in 6.86 ms Warning fcopy: skipping /etc/alternatives/lzdiff, cannot find inode Warning fcopy: skipping /etc/alternatives/updatedb, cannot find inode Warning fcopy: skipping /etc/alternatives/nc, cannot find inode Warning fcopy: skipping /etc/alternatives/lzmore, cannot find inode Warning fcopy: skipping /etc/alternatives/phar, cannot find inode Warning fcopy: skipping /etc/alternatives/vim, cannot find inode Warning fcopy: skipping /etc/alternatives/gnome-www-browser, cannot find inode Warning fcopy: skipping /etc/alternatives/lzcat, cannot find inode Warning fcopy: skipping /etc/alternatives/lzegrep, cannot find inode Warning fcopy: skipping /etc/alternatives/php-cgi, cannot find inode Warning fcopy: skipping /etc/alternatives/mt, cannot find inode Warning fcopy: skipping /etc/alternatives/editor, cannot find inode Warning fcopy: skipping /etc/alternatives/view, cannot find inode Warning fcopy: skipping /etc/alternatives/ftp, cannot find inode Warning fcopy: skipping /etc/alternatives/telnet, cannot find inode Warning fcopy: skipping /etc/alternatives/c89, cannot find inode Warning fcopy: skipping /etc/alternatives/php, cannot find inode Warning fcopy: skipping /etc/alternatives/x-session-manager, cannot find inode Warning fcopy: skipping /etc/alternatives/orbd, cannot find inode Warning fcopy: skipping /etc/alternatives/x-window-manager, cannot find inode Warning fcopy: skipping /etc/alternatives/aclocal, cannot find inode Warning fcopy: skipping /etc/alternatives/rlogin, cannot find inode Warning fcopy: skipping /etc/alternatives/phar.phar, cannot find inode Warning fcopy: skipping /etc/alternatives/www-browser, cannot find inode Warning fcopy: skipping /etc/alternatives/cpp, cannot find inode Warning fcopy: skipping /etc/alternatives/c++, cannot find inode Warning fcopy: skipping /etc/alternatives/pico, cannot find inode Warning fcopy: skipping /etc/alternatives/rmt, cannot find inode Warning fcopy: skipping /etc/alternatives/traceroute6, cannot find inode Warning fcopy: skipping /etc/alternatives/w, cannot find inode Warning fcopy: skipping /etc/alternatives/fakeroot, cannot find inode Warning fcopy: skipping /etc/alternatives/nodejs, cannot find inode Warning fcopy: skipping /etc/alternatives/vi, cannot find inode Warning fcopy: skipping /etc/alternatives/jsonpointer, cannot find inode Warning fcopy: skipping /etc/alternatives/lzgrep, cannot find inode Warning fcopy: skipping /etc/alternatives/pinentry, cannot find inode Warning fcopy: skipping /etc/alternatives/locate, cannot find inode Warning fcopy: skipping /etc/alternatives/jsonschema, cannot find inode Warning fcopy: skipping /etc/alternatives/automake, cannot find inode Warning fcopy: skipping /etc/alternatives/infobrowser, cannot find inode Warning fcopy: skipping /etc/alternatives/servertool.1.gz, cannot find inode Warning fcopy: skipping /etc/alternatives/x-www-browser, cannot find inode Warning fcopy: skipping /etc/alternatives/unlzma, cannot find inode Warning fcopy: skipping /etc/alternatives/jsonpatch, cannot find inode Warning fcopy: skipping /etc/alternatives/lzcmp, cannot find inode Warning fcopy: skipping /etc/alternatives/servertool, cannot find inode Warning fcopy: skipping /etc/alternatives/pftp, cannot find inode Warning fcopy: skipping /etc/alternatives/cc, cannot find inode Warning fcopy: skipping /etc/alternatives/google-chrome, cannot find inode Warning fcopy: skipping /etc/alternatives/vimdiff, cannot find inode Warning fcopy: skipping /etc/alternatives/unrar, cannot find inode Warning fcopy: skipping /etc/alternatives/jsondiff, cannot find inode Warning fcopy: skipping /etc/alternatives/awk, cannot find inode Warning fcopy: skipping /etc/alternatives/rsh, cannot find inode Warning fcopy: skipping /etc/alternatives/rvim, cannot find inode Warning fcopy: skipping /etc/alternatives/tnameserv.1.gz, cannot find inode Warning fcopy: skipping /etc/alternatives/rcp, cannot find inode Warning fcopy: skipping /etc/alternatives/pager, cannot find inode Warning fcopy: skipping /etc/alternatives/lzless, cannot find inode Warning fcopy: skipping /etc/alternatives/rview, cannot find inode Warning fcopy: skipping /etc/alternatives/x-terminal-emulator, cannot find inode Warning fcopy: skipping /etc/alternatives/tnameserv, cannot find inode Warning fcopy: skipping /etc/alternatives/pinentry-x11, cannot find inode Warning fcopy: skipping /etc/alternatives/nawk, cannot find inode Warning fcopy: skipping /etc/alternatives/netcat, cannot find inode Warning fcopy: skipping /etc/alternatives/lzma, cannot find inode Warning fcopy: skipping /etc/alternatives/from, cannot find inode Warning fcopy: skipping /etc/alternatives/gnome-text-editor, cannot find inode Warning fcopy: skipping /etc/alternatives/lzfgrep, cannot find inode Warning fcopy: skipping /etc/alternatives/orbd.1.gz, cannot find inode Warning fcopy: skipping /etc/alternatives/write, cannot find inode Warning fcopy: skipping /etc/alternatives/ex, cannot find inode Warning fcopy: skipping /etc/alternatives/c99, cannot find inode Private /etc installed in 8.94 ms Warning: skipping alternatives for private /usr/etc Warning: skipping fonts for private /usr/etc Warning: skipping ld.so.cache for private /usr/etc Warning: skipping machine-id for private /usr/etc Private /usr/etc installed in 0.19 ms Warning: not remounting /run/user/1000/gvfs Blacklist violations are logged to syslog Child process initialized in 108.48 ms fuse: device not found, try 'modprobe fuse' first Cannot mount AppImage, please check your FUSE setup. You might still be able to extract the contents of this AppImage if you run it with the --appimage-extract option. See https://github.com/AppImage/AppImageKit/wiki/FUSE for more information open dir error: No such file or directory Parent is shutting down, bye... ```
gitea-mirror commented 2026-05-05 08:54:22 -06:00
Author
Owner
Copy link

@bbhtt commented on GitHub (Jul 20, 2020):

Comment include disable-shell.inc and run firejail --profile=/home/korte/firejail/etc/profile-a-l/keepassxc.profile --appimage KeePassXC-2.6.0-x86_64.AppImage, works for me. Appimage is in /home/korte,firejail from git master.

<!-- gh-comment-id:660972712 --> @bbhtt commented on GitHub (Jul 20, 2020): Comment `include disable-shell.inc` and run `firejail --profile=/home/korte/firejail/etc/profile-a-l/keepassxc.profile --appimage KeePassXC-2.6.0-x86_64.AppImage`, works for me. Appimage is in `/home/korte`,firejail from git master.
gitea-mirror commented 2026-05-05 08:54:22 -06:00
Author
Owner
Copy link

@svc88 commented on GitHub (Jul 20, 2020):

@kortewegdevries thank you, it works. What is the significance of include disable-shell.inc? And why isnt it working with it enabled?

<!-- gh-comment-id:660975473 --> @svc88 commented on GitHub (Jul 20, 2020): @kortewegdevries thank you, it works. What is the significance of `include disable-shell.inc`? And why isnt it working with it enabled?
gitea-mirror commented 2026-05-05 08:54:23 -06:00
Author
Owner
Copy link

@svc88 commented on GitHub (Jul 20, 2020):

Also if we disable it, what are the security risks?

<!-- gh-comment-id:661037781 --> @svc88 commented on GitHub (Jul 20, 2020): Also if we disable it, what are the security risks?
gitea-mirror commented 2026-05-05 08:54:23 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jul 20, 2020):

My question: Why does it work?!! There is no shell in its private-bin!

<!-- gh-comment-id:661039052 --> @rusty-snake commented on GitHub (Jul 20, 2020): My question: Why does it work?!! There is no shell in its private-bin!
gitea-mirror commented 2026-05-05 08:54:24 -06:00
Author
Owner
Copy link

@svc88 commented on GitHub (Jul 20, 2020):

@rusty-snake so is this a bug? If i keep it disabled will that mean that the sandbox is less secure?

<!-- gh-comment-id:661243797 --> @svc88 commented on GitHub (Jul 20, 2020): @rusty-snake so is this a bug? If i keep it disabled will that mean that the sandbox is less secure?
gitea-mirror commented 2026-05-05 08:54:24 -06:00
Author
Owner
Copy link

@smitsohu commented on GitHub (Jul 21, 2020):

The reason is that private-bin and private-lib are disabled when appimage is enabled. This doesn't seem to be documented in the man pages, which is a bug in my opinion.

fb145c33eb/src/firejail/sandbox.c (L910-L911)

fb145c33eb/src/firejail/sandbox.c (L930-L931)

That's probably because, the way it works right now, a shell is needed to run the AppImage.

<!-- gh-comment-id:661877470 --> @smitsohu commented on GitHub (Jul 21, 2020): The reason is that `private-bin` and `private-lib` are disabled when `appimage` is enabled. This doesn't seem to be documented in the man pages, which is a bug in my opinion. https://github.com/netblue30/firejail/blob/fb145c33ebf4de35396502217cf9663e3176a96c/src/firejail/sandbox.c#L910-L911 https://github.com/netblue30/firejail/blob/fb145c33ebf4de35396502217cf9663e3176a96c/src/firejail/sandbox.c#L930-L931 That's probably because, the way it works right now, a shell is needed to run the AppImage.
gitea-mirror commented 2026-05-05 08:54:24 -06:00
Author
Owner
Copy link

@smitsohu commented on GitHub (Jul 21, 2020):

This doesn't seem to be documented in the man pages, which is a bug in my opinion.

Maybe it would be good if Firejail could also print a warning.

<!-- gh-comment-id:661882314 --> @smitsohu commented on GitHub (Jul 21, 2020): > This doesn't seem to be documented in the man pages, which is a bug in my opinion. Maybe it would be good if Firejail could also print a warning.
gitea-mirror commented 2026-05-05 08:54:25 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jul 21, 2020):

Can we do something like this?
https://github.com/netblue30/firejail/blob/master/src/firejail/profile.c#L1615

if (arg_appimage && strcmp(fname, "disable-shell.inc"))
    return;
<!-- gh-comment-id:661904773 --> @rusty-snake commented on GitHub (Jul 21, 2020): Can we do something like this? https://github.com/netblue30/firejail/blob/master/src/firejail/profile.c#L1615 ```C if (arg_appimage && strcmp(fname, "disable-shell.inc")) return; ```
gitea-mirror commented 2026-05-05 08:54:25 -06:00
Author
Owner
Copy link

@bbhtt commented on GitHub (Jul 21, 2020):

The reason is that private-bin and private-lib are disabled when appimage is enabled.

Then is there a point in adding ?HAS_APPIMAGE: ignore private-bin to a profile?

<!-- gh-comment-id:661958315 --> @bbhtt commented on GitHub (Jul 21, 2020): > The reason is that `private-bin` and `private-lib` are disabled when `appimage` is enabled. Then is there a point in adding `?HAS_APPIMAGE: ignore private-bin` to a profile?
gitea-mirror commented 2026-05-05 08:54:26 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jul 21, 2020):

Then is there a point in adding ?HAS_APPIMAGE: ignore private-bin to all profile?

<!-- gh-comment-id:661959906 --> @rusty-snake commented on GitHub (Jul 21, 2020): > Then is there a point in adding `?HAS_APPIMAGE: ignore private-bin` to a**ll** profile?
gitea-mirror commented 2026-05-05 08:54:26 -06:00
Author
Owner
Copy link

@smitsohu commented on GitHub (Jul 24, 2020):

If i keep it disabled will that mean that the sandbox is less secure?

@svc88 Security does not degrade with regards to 0.9.62. As a matter of fact a shell is needed currently, so there is no degree of freedom anyway.

<!-- gh-comment-id:663662748 --> @smitsohu commented on GitHub (Jul 24, 2020): > If i keep it disabled will that mean that the sandbox is less secure? @svc88 Security does not degrade with regards to 0.9.62. As a matter of fact a shell is needed currently, so there is no degree of freedom anyway.
gitea-mirror commented 2026-05-05 08:54:27 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jul 25, 2020):

I tried my Idea and it is not working (as I expected). firejail --profile=keepassxc --appimage KeePassXC-2.6.0-x86_64.AppImage will first read keepassxc.profile and the set arg_appimage = 1.

skip-disable-shell-if-appimage.patch 
iff --git a/src/firejail/profile.c b/src/firejail/profile.c
index a8722282..8d9a8d5d 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1607,6 +1607,11 @@ static int include_level = 0;
 void profile_read(const char *fname) {
        EUID_ASSERT();
 
+       if (arg_appimage && strcmp(fname, "disable-shell.inc") == 0) {
+               fprintf(stderr, "Skipping disable-shell because of --appimage\n");
+               return;
+       }
+
        // exit program if maximum include level was reached
        if (include_level > MAX_INCLUDE_LEVEL) {
                fprintf(stderr, "Error: maximum profile include level was reached\n");

@netblue30 @smitsohu This fact make me thinking about ?HAS_APPIMAGE:. firejail -profile=kpxc.profile --appimage KeePassXC-2.6.0-x86_64.AppImage is broken! This means ?HAS_APPIMAGE: is broken with firejail [OPTIONS] --appimage [appimage-file and arguments].

kpxc.profile:

?HAS_APPIMAGE: noblacklist /bin/bash
blacklist /bin/bash
<!-- gh-comment-id:663859640 --> @rusty-snake commented on GitHub (Jul 25, 2020): I tried my Idea and it is not working (as I expected). `firejail --profile=keepassxc --appimage KeePassXC-2.6.0-x86_64.AppImage` will first read keepassxc.profile and the set `arg_appimage = 1`. <details><summary> skip-disable-shell-if-appimage.patch </summary> ```patch iff --git a/src/firejail/profile.c b/src/firejail/profile.c index a8722282..8d9a8d5d 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -1607,6 +1607,11 @@ static int include_level = 0; void profile_read(const char *fname) { EUID_ASSERT(); + if (arg_appimage && strcmp(fname, "disable-shell.inc") == 0) { + fprintf(stderr, "Skipping disable-shell because of --appimage\n"); + return; + } + // exit program if maximum include level was reached if (include_level > MAX_INCLUDE_LEVEL) { fprintf(stderr, "Error: maximum profile include level was reached\n"); ``` </details> @netblue30 @smitsohu This fact make me thinking about `?HAS_APPIMAGE:`. `firejail -profile=kpxc.profile --appimage KeePassXC-2.6.0-x86_64.AppImage` is broken! This means `?HAS_APPIMAGE:` is broken with `firejail [OPTIONS] --appimage [appimage-file and arguments]`. `kpxc.profile`: ``` ?HAS_APPIMAGE: noblacklist /bin/bash blacklist /bin/bash ```
gitea-mirror commented 2026-05-05 08:54:28 -06:00
Author
Owner
Copy link

@bbhtt commented on GitHub (Aug 1, 2020):

if (arg_appimage && strcmp(fname, "disable-shell.inc") == 0)

Add an option --allow-shell (arg_allow_shell) and force it whenever arg_appimage is set and skip like 1633-1641?

<!-- gh-comment-id:667511739 --> @bbhtt commented on GitHub (Aug 1, 2020): > `if (arg_appimage && strcmp(fname, "disable-shell.inc") == 0)` Add an option --allow-shell (arg_allow_shell) and force it whenever arg_appimage is set and skip like 1633-1641?
gitea-mirror commented 2026-05-05 08:54:28 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Aug 1, 2020):

--allow-shell could be confusing (comparing to shell none, does it support private-bin, ...). For what is it good?

<!-- gh-comment-id:667575107 --> @rusty-snake commented on GitHub (Aug 1, 2020): `--allow-shell` could be confusing (comparing to `shell none`, does it support `private-bin`, ...). For what is it good?
gitea-mirror commented 2026-05-05 08:54:29 -06:00
Author
Owner
Copy link

@bbhtt commented on GitHub (Aug 2, 2020):

arg_shell_none = 0 is already set when --appimage is specified? And shell none executes by path,different from allow shell which would allow shell inside a sandbox? What other way to ignore a line "include" from profile? Print a warning and exit like smitsohu said I guess.

<!-- gh-comment-id:667635567 --> @bbhtt commented on GitHub (Aug 2, 2020): `arg_shell_none = 0` is already set when `--appimage` is specified? And `shell none` executes by path,different from `allow shell` which would allow shell inside a sandbox? What other way to ignore a line "include" from profile? Print a warning and exit like smitsohu said I guess.
gitea-mirror commented 2026-05-05 08:54:29 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Aug 4, 2020):

What other way to ignore a line "include" from profile?

patch and ignore 🙄 🤣
https://github.com/netblue30/firejail/issues/2153#issuecomment-609049079

Obvious patching is no solution for the majority, but it would be nice to have this patch in (after someone provided feedback).

<!-- gh-comment-id:668445372 --> @rusty-snake commented on GitHub (Aug 4, 2020): > What other way to ignore a line "include" from profile? patch and `ignore` :roll_eyes: :rofl: https://github.com/netblue30/firejail/issues/2153#issuecomment-609049079 Obvious patching is no solution for the majority, but it would be nice to have this patch in (after someone provided feedback).
gitea-mirror commented 2026-05-05 08:54:29 -06:00
Author
Owner
Copy link

@smitsohu commented on GitHub (Sep 2, 2020):

Should we go through the conditionals after all command line and profile processing? Then, with 102f8d1fdc in , this bug could be solved just by updating the profiles. It also would avoid #3358 and similar problems.

<!-- gh-comment-id:685777653 --> @smitsohu commented on GitHub (Sep 2, 2020): Should we go through the conditionals after all command line and profile processing? Then, with 102f8d1fdca62dd0ca0fb355c1ef926f2594b48b in , this bug could be solved just by updating the profiles. It also would avoid #3358 and similar problems.
gitea-mirror commented 2026-05-05 08:54:30 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Sep 2, 2020):

Should we go through the conditionals after all command line and profile processing?

👍

Then, with 102f8d1 in , this bug could be solved just by updating the profiles.

Where do you want to add ?HAS_APPIMAGE: ignore …? In globals.local?

<!-- gh-comment-id:685797350 --> @rusty-snake commented on GitHub (Sep 2, 2020): > Should we go through the conditionals after all command line and profile processing? :+1: > Then, with 102f8d1 in , this bug could be solved just by updating the profiles. Where do you want to add `?HAS_APPIMAGE: ignore …`? In globals.local?
gitea-mirror commented 2026-05-05 08:54:30 -06:00
Author
Owner
Copy link

@smitsohu commented on GitHub (Sep 2, 2020):

Turns out it's not so straightforward with noblacklist and ignore and so on, obviously applying them at the very end doesn't make much sense. So one would need to parse them late, but push the commands in front. Then it also wouldn't matter where ?HAS_APPIMAGE: ignore include disable-shell.inc goes. Crazy or reasonable? I'm not sure anymore.

<!-- gh-comment-id:685846213 --> @smitsohu commented on GitHub (Sep 2, 2020): Turns out it's not so straightforward with `noblacklist` and `ignore` and so on, obviously applying them at the very end doesn't make much sense. So one would need to parse them late, but push the commands in front. Then it also wouldn't matter where `?HAS_APPIMAGE: ignore include disable-shell.inc` goes. Crazy or reasonable? I'm not sure anymore.
gitea-mirror commented 2026-05-05 08:54:31 -06:00
Author
Owner
Copy link

@smitsohu commented on GitHub (Sep 2, 2020):

Or we do go through the conditionals at the end, after all other command line and profile options, and offer negated conditionals in addition to what we have now, something like ?HAS_NO_APPIMAGE:

This would sacrifice some flexibility, but make a cleaner interface. There could be a ?HAS_NO_APPIMAGE: include disable-shell.inc or similar line in the profiles.

Honestly I'm somewhat at a loss what to do here.

<!-- gh-comment-id:686055522 --> @smitsohu commented on GitHub (Sep 2, 2020): Or we do go through the conditionals at the end, after all other command line and profile options, and offer negated conditionals in addition to what we have now, something like `?HAS_NO_APPIMAGE:` This would sacrifice some flexibility, but make a cleaner interface. There could be a `?HAS_NO_APPIMAGE: include disable-shell.inc` or similar line in the profiles. Honestly I'm somewhat at a loss what to do here.
gitea-mirror commented 2026-05-05 08:54:31 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Sep 22, 2020):

For now we could enforce that --profile is used after --appimage. The general issue with conditions can be then solved later.

<!-- gh-comment-id:696757440 --> @rusty-snake commented on GitHub (Sep 22, 2020): For now we could enforce that `--profile` is used after `--appimage`. The general issue with conditions can be then solved later.
gitea-mirror commented 2026-05-05 08:54:31 -06:00
Author
Owner
Copy link

@netblue30 commented on GitHub (Oct 1, 2020):

Fixed! We were doing something similar for --allow-debuggers and disable-devel.inc. Give it a try, thanks.

<!-- gh-comment-id:702204967 --> @netblue30 commented on GitHub (Oct 1, 2020): Fixed! We were doing something similar for --allow-debuggers and disable-devel.inc. Give it a try, thanks.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2220
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?