[GH-ISSUE #3536] Custom/local applications doesn't start #2222

New issue

Closed

opened 2026-05-05 08:54:32 -06:00 by gitea-mirror · 10 comments

gitea-mirror commented 2026-05-05 08:54:32 -06:00

Owner

Copy link

Originally created by @tjerry on GitHub (Jul 22, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3536

I'm trying to start some custom applications, which are not installed in the system.
For instance, I'd like to start an app in /home/user/Apps.
But firejails exists with an error.

$ firejail --net=none --private=/var/tmp/home /home/user/Apps/pencil/pencil
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc

** Note: you can use --noprofile to disable default.profile **

Parent pid 23389, child pid 23390
Child process initialized in 34.87 ms
/bin/bash: /home/user/Apps/pencil/pencil: No such file or directory

Parent is shutting down, bye...

Does firejail work with custom/local applications, or do they have to be installed in the system?

Originally created by @tjerry on GitHub (Jul 22, 2020). Original GitHub issue: https://github.com/netblue30/firejail/issues/3536 I'm trying to start some custom applications, which are not installed in the system. For instance, I'd like to start an app in /home/user/Apps. But firejails exists with an error. ``` $ firejail --net=none --private=/var/tmp/home /home/user/Apps/pencil/pencil Reading profile /etc/firejail/default.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-passwdmgr.inc Reading profile /etc/firejail/disable-programs.inc ** Note: you can use --noprofile to disable default.profile ** Parent pid 23389, child pid 23390 Child process initialized in 34.87 ms /bin/bash: /home/user/Apps/pencil/pencil: No such file or directory Parent is shutting down, bye... ``` Does firejail work with custom/local applications, or do they have to be installed in the system?

gitea-mirror 2026-05-05 08:54:32 -06:00

• closed this issue
• added the
  question_old
  label

gitea-mirror commented 2026-05-05 08:54:34 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Jul 22, 2020):

Does firejail work with custom/local applications

Yes.

1. The default.profile works not with every program.
2. You need to allow ignore noexec ${HOME} if disbale-exec.in is included.
3. The binary must be inside a private $HOME if private is used.

The last point is important for you now.

<!-- gh-comment-id:662554679 --> @rusty-snake commented on GitHub (Jul 22, 2020): > Does firejail work with custom/local applications Yes. 1. The default.profile works not with every program. 2. You need to allow `ignore noexec ${HOME}` if disbale-exec.in is `include`d. 3. The binary must be inside a `private` $HOME if `private` is used. The last point is important for you now.

gitea-mirror commented 2026-05-05 08:54:35 -06:00

Author

Owner

Copy link

@tjerry commented on GitHub (Jul 22, 2020):

OK.
So I copied an app to a private $HOME and another error came up.
I haven't been able to find anything about that error.

$ firejail --net=none --private=/var/tmp/home /var/tmp/home/edraw/EdrawMax 
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc

** Note: you can use --noprofile to disable default.profile **

Parent pid 3305, child pid 3306
Error opening private directory: fs_home.c:262 fs_private_homedir: No such file or directory
Error: proc 3305 cannot sync with peer: unexpected EOF
Peer 3306 unexpectedly exited with status 1

<!-- gh-comment-id:662650813 --> @tjerry commented on GitHub (Jul 22, 2020): OK. So I copied an app to a private $HOME and another error came up. I haven't been able to find anything about that error. ``` $ firejail --net=none --private=/var/tmp/home /var/tmp/home/edraw/EdrawMax Reading profile /etc/firejail/default.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-passwdmgr.inc Reading profile /etc/firejail/disable-programs.inc ** Note: you can use --noprofile to disable default.profile ** Parent pid 3305, child pid 3306 Error opening private directory: fs_home.c:262 fs_private_homedir: No such file or directory Error: proc 3305 cannot sync with peer: unexpected EOF Peer 3306 unexpectedly exited with status 1 ```

gitea-mirror commented 2026-05-05 08:54:36 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Jul 22, 2020):

I haven't been able to find anything about that error.

No such file or directory: Did you created /var/tmp/home?

You need to add keep-var-tmp likey this firejail --net=none --private=/var/tmp/home --keep-var-tmp /path/to/app.

<!-- gh-comment-id:662662351 --> @rusty-snake commented on GitHub (Jul 22, 2020): > I haven't been able to find anything about that error. ~`No such file or directory`: Did you created /var/tmp/home?~ You need to add `keep-var-tmp` likey this `firejail --net=none --private=/var/tmp/home --keep-var-tmp /path/to/app`.

gitea-mirror commented 2026-05-05 08:54:38 -06:00

Author

Owner

Copy link

@tjerry commented on GitHub (Jul 22, 2020):

It looks like --keep-var-tmp did the trick.
However, edraw needs some shard libraries, that my system is missing.
So I tried other apps, like Pencil or Typora.

$ firejail --net=none --private=/var/tmp/home --keep-var-tmp /var/tmp/home/typora/Typora

Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc

** Note: you can use --noprofile to disable default.profile **

Parent pid 25499, child pid 25500
Child process initialized in 33.71 ms

Parent is shutting down, bye...

There is no error, but the application doesn't start and firejail just quits.

Is there a way to debug this?
If this helps, I'm on Gentoo and firejail was compiled with chroot file-transfer globalcfg network overlayfs private-home seccomp suid userns whitelist -apparmor -contrib -debug -test -vim-syntax -x11

<!-- gh-comment-id:662670809 --> @tjerry commented on GitHub (Jul 22, 2020): It looks like `--keep-var-tmp` did the trick. However, edraw needs some shard libraries, that my system is missing. So I tried other apps, like `Pencil` or `Typora`. ``` $ firejail --net=none --private=/var/tmp/home --keep-var-tmp /var/tmp/home/typora/Typora Reading profile /etc/firejail/default.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-passwdmgr.inc Reading profile /etc/firejail/disable-programs.inc ** Note: you can use --noprofile to disable default.profile ** Parent pid 25499, child pid 25500 Child process initialized in 33.71 ms Parent is shutting down, bye... ``` There is no error, but the application doesn't start and `firejail` just quits. Is there a way to debug this? If this helps, I'm on `Gentoo` and `firejail` was compiled with `chroot file-transfer globalcfg network overlayfs private-home seccomp suid userns whitelist -apparmor -contrib -debug -test -vim-syntax -x11`

gitea-mirror commented 2026-05-05 08:54:38 -06:00

Author

Owner

Copy link

@smitsohu commented on GitHub (Jul 23, 2020):

By default, the sandbox /var is mounted read-only and noexec. You may want to disable that with --writable-var

<!-- gh-comment-id:663253969 --> @smitsohu commented on GitHub (Jul 23, 2020): By default, the sandbox /var is mounted read-only and noexec. You may want to disable that with `--writable-var`

gitea-mirror commented 2026-05-05 08:54:39 -06:00

Author

Owner

Copy link

@tjerry commented on GitHub (Jul 24, 2020):

No, it's not it.
For the sake of simplicity I'll start it from my home directory.
So:

$ firejai --net=none /home/user/apps/Typora/Typora
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc

** Note: you can use --noprofile to disable default.profile **

Parent pid 27884, child pid 27885
Child process initialized in 30.20 ms

Parent is shutting down, bye...

<!-- gh-comment-id:663512671 --> @tjerry commented on GitHub (Jul 24, 2020): No, it's not it. For the sake of simplicity I'll start it from my home directory. So: ``` $ firejai --net=none /home/user/apps/Typora/Typora Reading profile /etc/firejail/default.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-passwdmgr.inc Reading profile /etc/firejail/disable-programs.inc ** Note: you can use --noprofile to disable default.profile ** Parent pid 27884, child pid 27885 Child process initialized in 30.20 ms Parent is shutting down, bye... ```

gitea-mirror commented 2026-05-05 08:54:40 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Jul 24, 2020):

works this?

<!-- gh-comment-id:663513642 --> @rusty-snake commented on GitHub (Jul 24, 2020): works this?

gitea-mirror commented 2026-05-05 08:54:41 -06:00

Author

Owner

Copy link

@tjerry commented on GitHub (Jul 24, 2020):

works this?

$ firejai --net=none /home/user/apps/Typora/Typora
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc

** Note: you can use --noprofile to disable default.profile **

Parent pid 27884, child pid 27885
Child process initialized in 30.20 ms

Parent is shutting down, bye...

There is no error. But the Typora doesn't start. Firejail just quits.

However, the following works.
$ firejail --noprofile --net=none /home/static/Data/Software/Linux/Typora/Typora

<!-- gh-comment-id:663552781 --> @tjerry commented on GitHub (Jul 24, 2020): > works this? ``` $ firejai --net=none /home/user/apps/Typora/Typora Reading profile /etc/firejail/default.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-passwdmgr.inc Reading profile /etc/firejail/disable-programs.inc ** Note: you can use --noprofile to disable default.profile ** Parent pid 27884, child pid 27885 Child process initialized in 30.20 ms Parent is shutting down, bye... ``` There is no error. But the Typora doesn't start. Firejail just quits. However, the following works. `$ firejail --noprofile --net=none /home/static/Data/Software/Linux/Typora/Typora`

gitea-mirror commented 2026-05-05 08:54:41 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Jul 25, 2020):

Then you need to write a profile for it (or request one in #1139).

<!-- gh-comment-id:663855953 --> @rusty-snake commented on GitHub (Jul 25, 2020): Then you need to write a profile for it (or request one in #1139).

gitea-mirror commented 2026-05-05 08:54:42 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Sep 1, 2020):

I'm closing here due to inactivity, please fell free to request to reopen if you still have this issue.

<!-- gh-comment-id:684922689 --> @rusty-snake commented on GitHub (Sep 1, 2020): I'm closing here due to inactivity, please fell free to request to reopen if you still have this issue.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

serialize_remounts_v2

landlock_v4

landlock

release-0.9.64

release-0.9.62

gitlab_ci

LTSbase

fred_ctests

docs

0.9.80

0.9.80-rc1

0.9.78

0.9.76

0.9.76-rc4

0.9.76-rc3

0.9.76-rc2

0.9.76-rc1

0.9.74

landlock-split

0.9.72

0.9.72rc1

0.9.70

0.9.68

0.9.68rc1

0.9.66

0.9.66rc1

0.9.64.4

0.9.64.2

0.9.64

0.9.64rc1

0.9.62.4

0.9.62.2

0.9.62

0.9.56.2-LTS

0.9.60

0.9.60-rc1

0.9.58.2

0.9.58

0.9.58-rc1

0.9.56-LTS-release

0.9.56-LTS

0.9.56

0.9.56-rc1

0.9.54

0.9.54-rc2

0.9.54-rc1

0.9.52

0.9.38.12

0.9.50

0.9.50-rc1

0.9.48

0.9.46

0.9.46-rc1

0.9.44.10

0.9.44.8

0.9.44.6

0.9.38.10

0.9.44.4

0.9.38.8

0.9.44.2

0.9.44

0.9.44-rc1

0.9.38.4

0.9.42

0.9.42-rc2

0.9.38.2

0.9.42-rc1

disable-globalcfg

0.9.40

0.9.40-rc1

0.9.38

0.9.38-rc1

0.9.36

0.9.36-rc1

0.9.34

0.9.34-rc1

0.9.32

0.9.32-rc1

0.9.30

0.9.30-rc1

Labels

Clear labels   

LTS merge

  

LTS merge

  

bug

  

bug

  

converted-to-discussion

  

doc-todo

  

documentation

  

duplicate

  

enhancement

  

file-transfer

  

firecfg

  

firejail-in-firejail

  

firetools

  

graphics

  

help wanted

  

information_old

  

installation

  

invalid

  

modif

  

moved

  

needinfo

  

networking

  

notabug

  

notourbug

  

old-version

  

overlayfs

  

packaging

  

profile-request

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

question_old

  

removal

  

runtime-permissions

  

sandbox-ipc

  

security

  

stale

  

wiki

  

wiki

  

wontfix

  

wordpress

  

workaround

No labels

LTS merge

LTS merge

bug

bug

converted-to-discussion

doc-todo

documentation

duplicate

enhancement

file-transfer

firecfg

firejail-in-firejail

firetools

graphics

help wanted

information_old

installation

invalid

modif

moved

needinfo

networking

notabug

notourbug

old-version

overlayfs

packaging

profile-request

pull-request

question

question_old

removal

runtime-permissions

sandbox-ipc

security

stale

wiki

wiki

wontfix

wordpress

workaround

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2222

No description provided.