github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #3595] ledger-live-desktop: program does not start (AppImage) #2253

New issue
Closed
opened 2026-05-05 08:56:44 -06:00 by gitea-mirror · 2 comments
gitea-mirror commented 2026-05-05 08:56:44 -06:00
Owner
Copy link

Originally created by @eloyesp on GitHub (Aug 19, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3595

I'm trying to run ledger-live without network access but the application do not start (it stop immediately after start) without any error message.

It is an appimage, so I've always tested with the --appimage option.

The application does run when running without firejail, but always fails with it. I've tested with --noprofile and it fails anyway.

Environment

  • I'm testing on Trisquel 9 (based on ubuntu 18.4)
  • Firejail version (output of firejail --version) exclusive or used git commit (git rev-parse HEAD)
firejail version 0.9.52

Compile time support:
        - AppArmor support is enabled
        - AppImage support is enabled
        - bind support is enabled
        - chroot support is enabled
        - file and directory whitelisting support is enabled
        - file transfer support is enabled
        - git install support is disabled
        - networking support is enabled
        - overlayfs support is enabled
        - private-home support is enabled
        - seccomp-bpf support is enabled
        - user namespace support is enabled
        - X11 sandboxing support is enabled
  • What other programs interact with the affected program for the functionality? NO
  • Are these listed in the profile? NO

Additional context

I don't know how to relax firejail default options (no dropping capabilities, disable seccomp, etc) on the command line, and could not find any way to use a profile with an appimage.

Checklist

  • The upstream profile (and redirect profile if exists) have no changes fixing it.
  • The upstream profile exists (find / -name 'firejail' 2>/dev/null/fd firejail to locate profiles ie in /usr/local/etc/firejail/PROGRAM.profile)
  • Programs needed for interaction are listed.
  • Error was checked in search engine and on issue list without success.
debug output 
OUTPUT OF `firejail --debug --appimage ./ledger-live-desktop-2.10.0-linux-x86_64.AppImage`
total 0
lrwx------ 1 username username 64 Aug 19 18:06 0 -> /dev/null
l-wx------ 1 username username 64 Aug 19 18:06 1 -> pipe:[3630483]
lrwx------ 1 username username 64 Aug 19 18:06 2 -> /dev/pts/2
lrwx------ 1 username username 64 Aug 19 18:06 20 -> socket:[26133]
lr-x------ 1 username username 64 Aug 19 18:06 3 -> /proc/22939/fd
lrwx------ 1 username username 64 Aug 19 18:06 37 -> /dev/dri/card0
Autoselecting /bin/bash as shell
Configuring appimage environment
AppImage ELF size 188392
appimage mounted on /run/firejail/appimage/.appimage-22931
Building AppImage command line: /run/firejail/appimage/.appimage-22931/AppRun
AppImage quoted command line: '/run/firejail/appimage/.appimage-22931/AppRun' 
Command name #./ledger-live-desktop-2.10.0-linux-x86_64.AppImage#
Attempting to find default.profile...
Found default profile in /etc/firejail directory

** Note: you can use --noprofile to disable default.profile **

Using the local network stack
Initializing child process
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp.postexec file
Build protocol filter: unix,inet,inet6
sbox run: /usr/lib/x86_64-linux-gnu/firejail/fseccomp protocol build unix,inet,inet6 /run/firejail/mnt/seccomp.protocol (null) 
Dropping all Linux capabilities and enforcing default seccomp filter
Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr, /etc, /var
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /var/lib/dhcp
Mounting tmpfs on /var/lib/nginx
Mounting tmpfs on /var/lib/snmp
Mounting tmpfs on /var/lib/sudo
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/x11
Remounting /proc and /proc/sys filesystems
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/module
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /sys/kernel/uevent_helper
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/kernel/hotplug
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /lib/modules
Disable /usr/lib/debug
Disable /boot
Disable /dev/port
Disable /run/user/1000/gnupg
Disable /run/user/1000/systemd
Disable /dev/kmsg
Disable /proc/kmsg
Disable /home/username/.mysql_history
Disable /home/username/.bash_history
Disable /home/username/.python_history
Disable /home/username/.config/autostart
Disable /home/username/.config/openbox
Disable /home/username/.dotfiles/.xsession (requested /home/username/.xsession)
Disable /etc/X11/Xsession.d
Disable /etc/xdg/autostart
Disable /home/username/.config/akonadi_newmailnotifier_agent.notifyrc
Mounting read-only /home/username/.config/kdeglobals
Disable /run/user/1000/kdeinit5__0
Disable /var/lib/systemd
Disable /var/cache/apt
Disable /var/lib/apt
Disable /var/lib/upower
Disable /var/mail
Disable /var/opt
Disable /run/acpid.socket (requested /var/run/acpid.socket)
Disable /run/mysqld/mysqld.sock (requested /var/run/mysqld/mysqld.sock)
Disable /var/spool/anacron
Disable /var/spool/cron
Disable /var/mail (requested /var/spool/mail)
Disable /etc/anacrontab
Disable /etc/cron.d
Disable /etc/cron.weekly
Disable /etc/crontab
Disable /etc/cron.daily
Disable /etc/cron.monthly
Disable /etc/cron.hourly
Disable /etc/profile.d
Disable /etc/rcS.d
Disable /etc/rc5.d
Disable /etc/rc2.d
Disable /etc/rc4.d
Disable /etc/rc0.d
Disable /etc/rc3.d
Disable /etc/rc6.d
Disable /etc/rc1.d
Disable /etc/kernel
Disable /etc/kernel-img.conf
Disable /etc/grub.d
Disable /etc/apparmor
Disable /etc/apparmor.d
Disable /etc/selinux
Disable /etc/modules
Disable /etc/modules-load.d
Disable /etc/logrotate.conf
Disable /etc/logrotate.d
Disable /etc/adduser.conf
Mounting read-only /home/username/.bash_logout
Mounting read-only /home/username/.dotfiles/.bashrc
Mounting read-only /home/username/.dotfiles/.profile
Mounting read-only /home/username/.dotfiles
Mounting read-only /home/username/.dotfiles/.muttrc
Mounting read-only /home/username/.vim
Mounting read-only /home/username/.viminfo
Mounting read-only /home/username/.dotfiles/.total 0
lrwx------ 1 username username 64 Aug 19 18:06 0 -> /dev/null
l-wx------ 1 username username 64 Aug 19 18:06 1 -> pipe:[3630483]
lrwx------ 1 username username 64 Aug 19 18:06 2 -> /dev/pts/2
lrwx------ 1 username username 64 Aug 19 18:06 20 -> socket:[26133]
lr-x------ 1 username username 64 Aug 19 18:06 3 -> /proc/7/fd
lrwx------ 1 username username 64 Aug 19 18:06 37 -> /dev/dri/card0
SECCOMP Filter
  VALIDATE_ARCHITECTURE_64
  EXAMINE_SYSCALL
  WHITELIST 41 socket
  UNKNOWN ENTRY 20!
  WHITELIST 1 write
  WHITELIST 2 open
  WHITELIST 10 mprotect
  RETURN_ERRNO 95 EOPNOTSUPP
vimrc
Mounting read-only /home/username/.xmonad
Mounting read-only /home/username/.xscreensaver
Mounting read-only /home/username/.gem
Mounting read-only /home/username/bin
Disable /home/username/.local/share/Trash
Mounting read-only /home/username/.local/share/applications
Disable /home/username/.gnupg
Disable /home/username/.local/share/keyrings
Disable /home/username/.local/share/kwalletd
Disable /home/username/.dotfiles/.muttrc (requested /home/username/.muttrc)
Disable /home/username/.pki
Disable /home/username/.ssh
Disable /etc/group-
Disable /etc/gshadow
Disable /etc/gshadow-
Disable /etc/passwd-
Disable /etc/shadow
Disable /etc/shadow-
Disable /etc/ssh
Disable /sbin
Disable /usr/local/sbin
Disable /usr/sbin
Disable /usr/bin/at
Disable /usr/bin/chage
Disable /usr/bin/chfn
Disable /usr/bin/chsh
Disable /usr/bin/crontab
Disable /usr/bin/expiry
Disable /bin/fusermount
Disable /usr/bin/gpasswd
Disable /bin/mount
Disable /bin/nc.openbsd (requested /bin/nc)
Disable /usr/bin/ncat
Disable /usr/bin/newgrp
Disable /bin/ntfs-3g
Disable /usr/bin/pkexec
Disable /usr/bin/newgrp (requested /usr/bin/sg)
Disable /usr/bin/strace
Disable /bin/su
Disable /usr/bin/sudo
Disable /bin/umount
Disable /usr/bin/xev
Disable /tmp/tmux-1000
Mounting noexec /tmp/.X11-unix
Disable /home/username/.password-store
Disable /mnt/shared/username/.bitcoin (requested /home/username/.bitcoin)
Disable /home/username/.android
Disable /home/username/.audacity-data
Disable /home/username/.config/Clementine
Disable /home/username/.config/Mumble
Disable /home/username/.config/MusicBrainz
Disable /home/username/.config/Qlipper
Disable /home/username/.config/audacious
Disable /home/username/.config/borg
Disable /home/username/.config/brave
Disable /home/username/.config/calibre
Disable /home/username/.config/cmus
Disable /home/username/.config/enchant
Disable /home/username/.config/epiphany
Disable /home/username/.config/gedit
Disable /home/username/.config/kritarc
Disable /home/username/.config/libreoffice
Disable /home/username/.config/lximage-qt
Disable /home/username/.config/mpv
Disable /home/username/.config/pix
Disable /home/username/.config/qpdfview
Disable /home/username/.config/qutebrowser
Disable /home/username/.config/redshift.conf
Disable /home/username/.config/smplayer
Disable /home/username/.config/torbrowser
Disable /home/username/.config/transmission
Disable /home/username/.config/wesnoth
Disable /mnt/shared/username/.electrum-dash (requested /home/username/.electrum-dash)
Disable /home/username/.electrum
Disable /home/username/.frozen-bubble
Disable /home/username/.gimp-2.8
Disable /home/username/.dotfiles/.gitconfig (requested /home/username/.gitconfig)
Disable /home/username/.gradle
Disable /home/username/.hedgewars
Disable /home/username/.icedove
Disable /home/username/.kodi
Disable /home/username/.local/share/data/Mumble
Disable /home/username/.local/share/epiphany
Disable /home/username/.local/share/pix
Disable /home/username/.local/share/qpdfview
Disable /home/username/.local/share/qutebrowser
Disable /home/username/.local/share/wesnoth
Disable /home/username/.mozilla
Disable /home/username/.openinvaders
Disable /home/username/.openshot_qt
Disable /home/username/.surf
Disable /home/username/.sylpheed-2.0
Disable /tmp/ssh-eSZc8rwyDdcq
Disable /home/username/.cache/MusicBrainz
Disable /home/username/.cache/borg
Disable /home/username/.cache/calibre
Disable /home/username/.cache/epiphany
Disable /home/username/.cache/icedove
Disable /home/username/.cache/mozilla
Disable /home/username/.cache/qutebrowser
Disable /home/username/.cache/simple-scan
Disable /home/username/.cache/torbrowser
Disable /home/username/.cache/transmission
Disable /home/username/.cache/wesnoth
Disable /sys/fs
Current directory: /home/username/apps
Dropping all capabilities
Install protocol filter: unix,inet,inet6
configuring 14 seccomp entries in /run/firejail/mnt/seccomp.protocol
sbox run: /usr/lib/x86_64-linux-gnu/firejail/fseccomp print /run/firejail/mnt/seccomp.protocol (null) 
configuring 101 seccomp entries in /run/firejail/mnt/seccomp.32
sbox run: /usr/lib/x86_64-linux-gnu/firejail/fseccomp print /run/firejail/mnt/seccomp.32 (null) 
sbox ftotal 0
lrwx------ 1 username username 64 Aug 19 18:06 0 -> /dev/null
l-wx------ 1 username username 64 Aug 19 18:06 1 -> pipe:[3630483]
lrwx------ 1 username username 64 Aug 19 18:06 2 -> /dev/pts/2
lrwx------ 1 username username 64 Aug 19 18:06 20 -> socket:[26133]
lr-x------ 1 username username 64 Aug 19 18:06 3 -> /proc/10/fd
lrwx------ 1 username username 64 Aug 19 18:06 37 -> /dev/dri/card0
SECCOMP Filter
  VALIDATE_ARCHITECTURE_32
  EXAMINE_SYSCALL
  BLACKLIST 21 access
  BLACKLIST 52 getpeername
  BLACKLIST 26 msync
  BLACKLIST 283 timerfd_create
  BLACKLIST 341 unknown
  BLACKLIST 342 unknown
  BLACKLIST 127 rt_sigpending
  BLACKLIST 128 rt_sigtimedwait
  BLACKLIST 350 unknown
  BLACKLIST 129 rt_sigqueueinfo
  BLACKLIST 110 getppid
  BLACKLIST 101 ptrace
  BLACKLIST 289 signalfd4
  BLACKLIST 87 unlink
  BLACKLIST 115 getgroups
  BLACKLIST 103 syslog
  BLACKLIST 347 unknown
  BLACKLIST 348 unknown
  BLACKLIST 135 personality
  BLACKLIST 149 mlock
  BLACKLIST 124 getsid
  BLACKLIST 343 unknown
  BLACKLIST 253 inotify_init
  BLACKLIST 336 unknown
  BLACKLIST 338 unknown
  BLACKLIST 349 unknown
  BLACKLIST 286 timerfd_settime
  BLACKLIST 287 timerfd_gettime
  BLACKLIST 288 accept4
  BLACKLIST 86 link
  BLACKLIST 51 getsockname
  BLACKLIST 123 setfsgid
  BLACKLIST 217 getdents64
  BLACKLIST 245 mq_getsetattr
  BLACKLIST 246 kexec_load
  BLACKLIST 247 waitid
  BLACKLIST 248 add_key
  BLACKLIST 249 request_key
  BLACKLIST 257 openat
  BLACKLIST 274 get_robust_list
  BLACKLIST 276 tee
  BLACKLIST 294 inotify_init1
  BLACKLIST 317 seccomp
  BLACKLIST 316 renameat2
  BLACKLIST 61 wait4
  BLACKLIST 88 symlink
  BLACKLIST 169 reboot
  BLACKLIST 130 rt_sigsuspend
  RETURN_ALLOW
vimrc
Mounting read-only /home/username/.xmonad
Mounting read-only /home/username/.xscreensaver
Mounting read-only /home/username/.gem
Mounting read-only /home/username/bin
Disable /home/username/.local/share/Trash
Mounting read-only /home/username/.local/share/applications
Disable /home/username/.gnupg
Disable /home/username/.local/share/keyrings
Disable /home/username/.local/share/kwalletd
Disable /home/username/.dotfiles/.muttrc (requested /home/username/.muttrc)
Disable /home/username/.pki
Disable /home/username/.ssh
Disable /etc/group-
Disable /etc/gshadow
Disable /etc/gshadow-
Disable /etc/passwd-
Disable /etc/shadow
Disable /etc/shadow-
Disable /etc/ssh
Disable /sbin
Disable /usr/local/sbin
Disable /usr/sbin
Disable /usr/bin/at
Disable /usr/bin/chage
Disable /usr/bin/chfn
Disable /usr/bin/chsh
Disable /usr/bin/crontab
Disable /usr/bin/expiry
Disable /bin/fusermount
Disable /usr/bin/gpasswd
Disable /bin/mount
Disable /bin/nc.openbsd (requested /bin/nc)
Disable /usr/bin/ncat
Disable /usr/bin/newgrp
Disable /bin/ntfs-3g
Disable /usr/bin/pkexec
Disable /usr/bin/newgrp (requested /usr/bin/sg)
Disable /usr/bin/strace
Disable /bin/su
Disable /usr/bin/sudo
Disable /bin/umount
Disable /usr/bin/xev
Disable /tmp/tmux-1000
Mounting noexec /tmp/.X11-unix
Disable /home/username/.password-store
Disable /mnt/shared/username/.bitcoin (requested /home/username/.bitcoin)
Disable /home/username/.android
Disable /home/username/.audacity-data
Disable /home/username/.config/Clementine
Disable /home/username/.config/Mumble
Disable /home/username/.config/MusicBrainz
Disable /home/username/.config/Qlipper
Disable /home/username/.config/audacious
Disable /home/username/.config/borg
Disable /home/username/.config/brave
Disable /home/username/.config/calibre
Disable /home/username/.config/cmus
Disable /home/username/.config/enchant
Disable /home/username/.config/epiphany
Disable /home/username/.config/gedit
Disable /home/username/.config/kritarc
Disable /home/username/.config/libreoffice
Disable /home/username/.config/lximage-qt
Disable /home/username/.config/mpv
Disable /home/username/.config/pix
Disable /home/username/.config/qpdfview
Disable /home/username/.config/qutebrowser
Disable /home/username/.config/redshift.conf
Disable /home/username/.config/smplayer
Disable /home/username/.config/torbrowser
Disable /home/username/.config/transmission
Disable /home/username/.config/wesnoth
Disable /mnt/shared/username/.electrum-dash (requested /home/username/.electrum-dash)
Disable /home/username/.electrum
Disable /home/username/.frozen-bubble
Disable /home/username/.gimp-2.8
Disable /home/username/.dotfiles/.gitconfig (requested /home/username/.gitconfig)
Disable /home/username/.gradle
Disable /home/username/.hedgewars
Disable /home/username/.icedove
Disable /home/username/.kodi
Disable /home/username/.local/share/data/Mumble
Disable /home/username/.local/share/epiphany
Disable /home/username/.local/share/pix
Disable /home/username/.local/share/qpdfview
Disable /home/username/.local/share/qutebrowser
Disable /home/username/.local/share/wesnoth
Disable /home/username/.mozilla
Disable /home/username/.openinvaders
Disable /home/username/.openshot_qt
Disable /home/username/.surf
Disable /home/username/.sylpheed-2.0
Disable /tmp/ssh-eSZc8rwyDdcq
Disable /home/username/.cache/MusicBrainz
Disable /home/username/.cache/borg
Disable /home/username/.cache/calibre
Disable /home/username/.cache/epiphany
Disable /home/username/.cache/icedove
Disable /home/username/.cache/mozilla
Disable /home/username/.cache/qutebrowser
Disable /home/username/.cache/simple-scan
Disable /home/username/.cache/torbrowser
Disable /home/username/.cache/transmission
Disable /home/username/.cache/wesnoth
Disable /sys/fs
Current directory: /home/username/apps
Dropping all capabilities
Install protocol filter: unix,inet,inet6
configuring 14 seccomp entries in /run/firejail/mnt/seccomp.protocol
sbox run: /usr/lib/x86_64-linux-gnu/firejail/fseccomp print /run/firejail/mnt/seccomp.protocol (null) 
configuring 101 seccomp entries in /run/firejail/mnt/seccomp.32
sbox run: /usr/lib/x86_64-linux-gnu/firejail/fseccomp print /run/firejail/mnt/seccomp.32 (null) 
Dual 3total 0
lrwx------ 1 username username 64 Aug 19 18:06 0 -> /dev/null
l-wx------ 1 username username 64 Aug 19 18:06 1 -> pipe:[3630483]
lrwx------ 1 username username 64 Aug 19 18:06 2 -> /dev/pts/2
lrwx------ 1 username username 64 Aug 19 18:06 20 -> socket:[26133]
lr-x------ 1 username username 64 Aug 19 18:06 3 -> /proc/13/fd
lrwx------ 1 username username 64 Aug 19 18:06 37 -> /dev/dri/card0
SECCOMP Filter
  VALIDATE_ARCHITECTURE
  EXAMINE_SYSCALL
  HANDLE_X32
  BLACKLIST 154 modify_ldt
  BLACKLIST 212 lookup_dcookie
  BLACKLIST 298 perf_event_open
  BLACKLIST 311 process_vm_writev
  BLACKLIST 156 _sysctl
  BLACKLIST 183 afs_syscall
  BLACKLIST 174 create_module
  BLACKLIST 177 get_kernel_syms
  BLACKLIST 181 getpmsg
  BLACKLIST 182 putpmsg
  BLACKLIST 178 query_module
  BLACKLIST 185 security
  BLACKLIST 139 sysfs
  BLACKLIST 184 tuxcall
  BLACKLIST 134 uselib
  BLACKLIST 136 ustat
  BLACKLIST 236 vserver
  BLACKLIST 159 adjtimex
  BLACKLIST 305 clock_adjtime
  BLACKLIST 227 clock_settime
  BLACKLIST 164 settimeofday
  BLACKLIST 176 delete_module
  BLACKLIST 313 finit_module
  BLACKLIST 175 init_module
  BLACKLIST 173 ioperm
  BLACKLIST 172 iopl
  BLACKLIST 246 kexec_load
  BLACKLIST 320 kexec_file_load
  BLACKLIST 169 reboot
  BLACKLIST 167 swapon
  BLACKLIST 168 swapoff
  BLACKLIST 163 acct
  BLACKLIST 321 bpf
  BLACKLIST 161 chroot
  BLACKLIST 165 mount
  BLACKLIST 180 nfsservctl
  BLACKLIST 155 pivot_root
  BLACKLIST 171 setdomainname
  BLACKLIST 170 sethostname
  BLACKLIST 166 umount2
  BLACKLIST 153 vhangup
  BLACKLIST 238 set_mempolicy
  BLACKLIST 256 migrate_pages
  BLACKLIST 279 move_pages
  BLACKLIST 237 mbind
  BLACKLIST 304 open_by_handle_at
  BLACKLIST 303 name_to_handle_at
  BLACKLIST 251 ioprio_set
  BLACKLIST 103 syslog
  BLACKLIST 300 fanotify_init
  BLACKLIST 312 kcmp
  BLACKLIST 248 add_key
  BLACKLIST 249 request_key
  BLACKLIST 250 keyctl
  BLACKLIST 206 io_setup
  BLACKLIST 207 io_destroy
  BLACKLIST 208 io_getevents
  BLACKLIST 209 io_submit
  BLACKLIST 210 io_cancel
  BLACKLIST 216 remap_file_pages
  BLACKLIST 278 vmsplice
  BLACKLIST 135 personality
  BLACKLIST 323 userfaultfd
  BLACKLIST 101 ptrace
  BLACKLIST 310 process_vm_readv
  RETURN_ALLOW
-rw-r--r-- 1 username username 1104 ago 19 18:06 /run/firejail/mnt/seccomp
-rw-r--r-- 1 username username  808 ago 19 18:06 /run/firejail/mnt/seccomp.32
-rw-r--r-- 1 username username  824 ago 19 18:06 /run/firejail/mnt/seccomp.64
-rw-r--r-- 1 username username    0 ago 19 18:06 /run/firejail/mnt/seccomp.postexec
-rw-r--r-- 1 username username  112 ago 19 18:06 /run/firejail/mnt/seccomp.protocol
2/64 bit seccomp filter configured
configuring 138 seccomp entries in /run/firejail/mnt/seccomp
sbox run: /usr/lib/x86_64-linux-gnu/firejail/fseccomp print /run/firejail/mnt/seccomp (null) 
seccomp filter configured

Seccomp files:

noroot user namespace installed
Dropping all capabilities
NO_NEW_PRIVS set
il ./ledger-live-desktop-2.10.0-linux-x86_64.AppImage utoselecting /bin/bash as shell
Configuring appimage environment
AppImage ELF size 188392
appimage mounted on /run/firejail/appimage/.appimage-22931
Building AppImage command line: /run/firejail/appimage/.appimage-22931/AppRun
AppImage quoted command line: '/run/firejail/appimage/.appimage-22931/AppRun' 
Command name #./ledger-live-desktop-2.10.0-linux-x86_64.AppImage#
Attempting to find default.profile...
Found default profile in /etc/firejail directory

** Note: you can use --noprofile to disable default.profile **

Using the local network stack
Parent pid 22931, child pid 22935

Parent is shutting down, bye...
AppImage unmounted
Originally created by @eloyesp on GitHub (Aug 19, 2020). Original GitHub issue: https://github.com/netblue30/firejail/issues/3595 I'm trying to run ledger-live without network access but the application do not start (it stop immediately after start) without any error message. It is an appimage, so I've always tested with the `--appimage` option. The application does run when running without firejail, but always fails with it. I've tested with `--noprofile` and it fails anyway. **Environment** - I'm testing on Trisquel 9 (based on ubuntu 18.4) - Firejail version (output of `firejail --version`) exclusive or used git commit (`git rev-parse HEAD`) ``` firejail version 0.9.52 Compile time support: - AppArmor support is enabled - AppImage support is enabled - bind support is enabled - chroot support is enabled - file and directory whitelisting support is enabled - file transfer support is enabled - git install support is disabled - networking support is enabled - overlayfs support is enabled - private-home support is enabled - seccomp-bpf support is enabled - user namespace support is enabled - X11 sandboxing support is enabled ``` - What other programs interact with the affected program for the functionality? NO - Are these listed in the profile? NO **Additional context** I don't know how to relax firejail default options (no dropping capabilities, disable seccomp, etc) on the command line, and could not find any way to use a profile with an appimage. **Checklist** - [X] The upstream profile (and redirect profile if exists) have no changes fixing it. - [X] The upstream profile exists (`find / -name 'firejail' 2>/dev/null`/`fd firejail` to locate profiles ie in `/usr/local/etc/firejail/PROGRAM.profile`) - [X] Programs needed for interaction are listed. - [X] Error was checked in search engine and on issue list without success. <details><summary> debug output </summary> ``` OUTPUT OF `firejail --debug --appimage ./ledger-live-desktop-2.10.0-linux-x86_64.AppImage` total 0 lrwx------ 1 username username 64 Aug 19 18:06 0 -> /dev/null l-wx------ 1 username username 64 Aug 19 18:06 1 -> pipe:[3630483] lrwx------ 1 username username 64 Aug 19 18:06 2 -> /dev/pts/2 lrwx------ 1 username username 64 Aug 19 18:06 20 -> socket:[26133] lr-x------ 1 username username 64 Aug 19 18:06 3 -> /proc/22939/fd lrwx------ 1 username username 64 Aug 19 18:06 37 -> /dev/dri/card0 Autoselecting /bin/bash as shell Configuring appimage environment AppImage ELF size 188392 appimage mounted on /run/firejail/appimage/.appimage-22931 Building AppImage command line: /run/firejail/appimage/.appimage-22931/AppRun AppImage quoted command line: '/run/firejail/appimage/.appimage-22931/AppRun' Command name #./ledger-live-desktop-2.10.0-linux-x86_64.AppImage# Attempting to find default.profile... Found default profile in /etc/firejail directory ** Note: you can use --noprofile to disable default.profile ** Using the local network stack Initializing child process PID namespace installed Mounting tmpfs on /run/firejail/mnt directory Creating empty /run/firejail/mnt/seccomp.protocol file Creating empty /run/firejail/mnt/seccomp.postexec file Build protocol filter: unix,inet,inet6 sbox run: /usr/lib/x86_64-linux-gnu/firejail/fseccomp protocol build unix,inet,inet6 /run/firejail/mnt/seccomp.protocol (null) Dropping all Linux capabilities and enforcing default seccomp filter Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr, /etc, /var Mounting tmpfs on /var/lock Mounting tmpfs on /var/tmp Mounting tmpfs on /var/log Mounting tmpfs on /var/lib/dhcp Mounting tmpfs on /var/lib/nginx Mounting tmpfs on /var/lib/snmp Mounting tmpfs on /var/lib/sudo Create the new utmp file Mount the new utmp file Cleaning /home directory Sanitizing /etc/passwd, UID_MIN 1000 Sanitizing /etc/group, GID_MIN 1000 Disable /run/firejail/network Disable /run/firejail/bandwidth Disable /run/firejail/name Disable /run/firejail/x11 Remounting /proc and /proc/sys filesystems Remounting /sys directory Disable /sys/firmware Disable /sys/hypervisor Disable /sys/module Disable /sys/power Disable /sys/kernel/debug Disable /sys/kernel/vmcoreinfo Disable /sys/kernel/uevent_helper Disable /proc/sys/fs/binfmt_misc Disable /proc/sys/kernel/core_pattern Disable /proc/sys/kernel/modprobe Disable /proc/sysrq-trigger Disable /proc/sys/kernel/hotplug Disable /proc/sys/vm/panic_on_oom Disable /proc/irq Disable /proc/bus Disable /proc/sched_debug Disable /proc/timer_list Disable /proc/kcore Disable /proc/kallsyms Disable /lib/modules Disable /usr/lib/debug Disable /boot Disable /dev/port Disable /run/user/1000/gnupg Disable /run/user/1000/systemd Disable /dev/kmsg Disable /proc/kmsg Disable /home/username/.mysql_history Disable /home/username/.bash_history Disable /home/username/.python_history Disable /home/username/.config/autostart Disable /home/username/.config/openbox Disable /home/username/.dotfiles/.xsession (requested /home/username/.xsession) Disable /etc/X11/Xsession.d Disable /etc/xdg/autostart Disable /home/username/.config/akonadi_newmailnotifier_agent.notifyrc Mounting read-only /home/username/.config/kdeglobals Disable /run/user/1000/kdeinit5__0 Disable /var/lib/systemd Disable /var/cache/apt Disable /var/lib/apt Disable /var/lib/upower Disable /var/mail Disable /var/opt Disable /run/acpid.socket (requested /var/run/acpid.socket) Disable /run/mysqld/mysqld.sock (requested /var/run/mysqld/mysqld.sock) Disable /var/spool/anacron Disable /var/spool/cron Disable /var/mail (requested /var/spool/mail) Disable /etc/anacrontab Disable /etc/cron.d Disable /etc/cron.weekly Disable /etc/crontab Disable /etc/cron.daily Disable /etc/cron.monthly Disable /etc/cron.hourly Disable /etc/profile.d Disable /etc/rcS.d Disable /etc/rc5.d Disable /etc/rc2.d Disable /etc/rc4.d Disable /etc/rc0.d Disable /etc/rc3.d Disable /etc/rc6.d Disable /etc/rc1.d Disable /etc/kernel Disable /etc/kernel-img.conf Disable /etc/grub.d Disable /etc/apparmor Disable /etc/apparmor.d Disable /etc/selinux Disable /etc/modules Disable /etc/modules-load.d Disable /etc/logrotate.conf Disable /etc/logrotate.d Disable /etc/adduser.conf Mounting read-only /home/username/.bash_logout Mounting read-only /home/username/.dotfiles/.bashrc Mounting read-only /home/username/.dotfiles/.profile Mounting read-only /home/username/.dotfiles Mounting read-only /home/username/.dotfiles/.muttrc Mounting read-only /home/username/.vim Mounting read-only /home/username/.viminfo Mounting read-only /home/username/.dotfiles/.total 0 lrwx------ 1 username username 64 Aug 19 18:06 0 -> /dev/null l-wx------ 1 username username 64 Aug 19 18:06 1 -> pipe:[3630483] lrwx------ 1 username username 64 Aug 19 18:06 2 -> /dev/pts/2 lrwx------ 1 username username 64 Aug 19 18:06 20 -> socket:[26133] lr-x------ 1 username username 64 Aug 19 18:06 3 -> /proc/7/fd lrwx------ 1 username username 64 Aug 19 18:06 37 -> /dev/dri/card0 SECCOMP Filter VALIDATE_ARCHITECTURE_64 EXAMINE_SYSCALL WHITELIST 41 socket UNKNOWN ENTRY 20! WHITELIST 1 write WHITELIST 2 open WHITELIST 10 mprotect RETURN_ERRNO 95 EOPNOTSUPP vimrc Mounting read-only /home/username/.xmonad Mounting read-only /home/username/.xscreensaver Mounting read-only /home/username/.gem Mounting read-only /home/username/bin Disable /home/username/.local/share/Trash Mounting read-only /home/username/.local/share/applications Disable /home/username/.gnupg Disable /home/username/.local/share/keyrings Disable /home/username/.local/share/kwalletd Disable /home/username/.dotfiles/.muttrc (requested /home/username/.muttrc) Disable /home/username/.pki Disable /home/username/.ssh Disable /etc/group- Disable /etc/gshadow Disable /etc/gshadow- Disable /etc/passwd- Disable /etc/shadow Disable /etc/shadow- Disable /etc/ssh Disable /sbin Disable /usr/local/sbin Disable /usr/sbin Disable /usr/bin/at Disable /usr/bin/chage Disable /usr/bin/chfn Disable /usr/bin/chsh Disable /usr/bin/crontab Disable /usr/bin/expiry Disable /bin/fusermount Disable /usr/bin/gpasswd Disable /bin/mount Disable /bin/nc.openbsd (requested /bin/nc) Disable /usr/bin/ncat Disable /usr/bin/newgrp Disable /bin/ntfs-3g Disable /usr/bin/pkexec Disable /usr/bin/newgrp (requested /usr/bin/sg) Disable /usr/bin/strace Disable /bin/su Disable /usr/bin/sudo Disable /bin/umount Disable /usr/bin/xev Disable /tmp/tmux-1000 Mounting noexec /tmp/.X11-unix Disable /home/username/.password-store Disable /mnt/shared/username/.bitcoin (requested /home/username/.bitcoin) Disable /home/username/.android Disable /home/username/.audacity-data Disable /home/username/.config/Clementine Disable /home/username/.config/Mumble Disable /home/username/.config/MusicBrainz Disable /home/username/.config/Qlipper Disable /home/username/.config/audacious Disable /home/username/.config/borg Disable /home/username/.config/brave Disable /home/username/.config/calibre Disable /home/username/.config/cmus Disable /home/username/.config/enchant Disable /home/username/.config/epiphany Disable /home/username/.config/gedit Disable /home/username/.config/kritarc Disable /home/username/.config/libreoffice Disable /home/username/.config/lximage-qt Disable /home/username/.config/mpv Disable /home/username/.config/pix Disable /home/username/.config/qpdfview Disable /home/username/.config/qutebrowser Disable /home/username/.config/redshift.conf Disable /home/username/.config/smplayer Disable /home/username/.config/torbrowser Disable /home/username/.config/transmission Disable /home/username/.config/wesnoth Disable /mnt/shared/username/.electrum-dash (requested /home/username/.electrum-dash) Disable /home/username/.electrum Disable /home/username/.frozen-bubble Disable /home/username/.gimp-2.8 Disable /home/username/.dotfiles/.gitconfig (requested /home/username/.gitconfig) Disable /home/username/.gradle Disable /home/username/.hedgewars Disable /home/username/.icedove Disable /home/username/.kodi Disable /home/username/.local/share/data/Mumble Disable /home/username/.local/share/epiphany Disable /home/username/.local/share/pix Disable /home/username/.local/share/qpdfview Disable /home/username/.local/share/qutebrowser Disable /home/username/.local/share/wesnoth Disable /home/username/.mozilla Disable /home/username/.openinvaders Disable /home/username/.openshot_qt Disable /home/username/.surf Disable /home/username/.sylpheed-2.0 Disable /tmp/ssh-eSZc8rwyDdcq Disable /home/username/.cache/MusicBrainz Disable /home/username/.cache/borg Disable /home/username/.cache/calibre Disable /home/username/.cache/epiphany Disable /home/username/.cache/icedove Disable /home/username/.cache/mozilla Disable /home/username/.cache/qutebrowser Disable /home/username/.cache/simple-scan Disable /home/username/.cache/torbrowser Disable /home/username/.cache/transmission Disable /home/username/.cache/wesnoth Disable /sys/fs Current directory: /home/username/apps Dropping all capabilities Install protocol filter: unix,inet,inet6 configuring 14 seccomp entries in /run/firejail/mnt/seccomp.protocol sbox run: /usr/lib/x86_64-linux-gnu/firejail/fseccomp print /run/firejail/mnt/seccomp.protocol (null) configuring 101 seccomp entries in /run/firejail/mnt/seccomp.32 sbox run: /usr/lib/x86_64-linux-gnu/firejail/fseccomp print /run/firejail/mnt/seccomp.32 (null) sbox ftotal 0 lrwx------ 1 username username 64 Aug 19 18:06 0 -> /dev/null l-wx------ 1 username username 64 Aug 19 18:06 1 -> pipe:[3630483] lrwx------ 1 username username 64 Aug 19 18:06 2 -> /dev/pts/2 lrwx------ 1 username username 64 Aug 19 18:06 20 -> socket:[26133] lr-x------ 1 username username 64 Aug 19 18:06 3 -> /proc/10/fd lrwx------ 1 username username 64 Aug 19 18:06 37 -> /dev/dri/card0 SECCOMP Filter VALIDATE_ARCHITECTURE_32 EXAMINE_SYSCALL BLACKLIST 21 access BLACKLIST 52 getpeername BLACKLIST 26 msync BLACKLIST 283 timerfd_create BLACKLIST 341 unknown BLACKLIST 342 unknown BLACKLIST 127 rt_sigpending BLACKLIST 128 rt_sigtimedwait BLACKLIST 350 unknown BLACKLIST 129 rt_sigqueueinfo BLACKLIST 110 getppid BLACKLIST 101 ptrace BLACKLIST 289 signalfd4 BLACKLIST 87 unlink BLACKLIST 115 getgroups BLACKLIST 103 syslog BLACKLIST 347 unknown BLACKLIST 348 unknown BLACKLIST 135 personality BLACKLIST 149 mlock BLACKLIST 124 getsid BLACKLIST 343 unknown BLACKLIST 253 inotify_init BLACKLIST 336 unknown BLACKLIST 338 unknown BLACKLIST 349 unknown BLACKLIST 286 timerfd_settime BLACKLIST 287 timerfd_gettime BLACKLIST 288 accept4 BLACKLIST 86 link BLACKLIST 51 getsockname BLACKLIST 123 setfsgid BLACKLIST 217 getdents64 BLACKLIST 245 mq_getsetattr BLACKLIST 246 kexec_load BLACKLIST 247 waitid BLACKLIST 248 add_key BLACKLIST 249 request_key BLACKLIST 257 openat BLACKLIST 274 get_robust_list BLACKLIST 276 tee BLACKLIST 294 inotify_init1 BLACKLIST 317 seccomp BLACKLIST 316 renameat2 BLACKLIST 61 wait4 BLACKLIST 88 symlink BLACKLIST 169 reboot BLACKLIST 130 rt_sigsuspend RETURN_ALLOW vimrc Mounting read-only /home/username/.xmonad Mounting read-only /home/username/.xscreensaver Mounting read-only /home/username/.gem Mounting read-only /home/username/bin Disable /home/username/.local/share/Trash Mounting read-only /home/username/.local/share/applications Disable /home/username/.gnupg Disable /home/username/.local/share/keyrings Disable /home/username/.local/share/kwalletd Disable /home/username/.dotfiles/.muttrc (requested /home/username/.muttrc) Disable /home/username/.pki Disable /home/username/.ssh Disable /etc/group- Disable /etc/gshadow Disable /etc/gshadow- Disable /etc/passwd- Disable /etc/shadow Disable /etc/shadow- Disable /etc/ssh Disable /sbin Disable /usr/local/sbin Disable /usr/sbin Disable /usr/bin/at Disable /usr/bin/chage Disable /usr/bin/chfn Disable /usr/bin/chsh Disable /usr/bin/crontab Disable /usr/bin/expiry Disable /bin/fusermount Disable /usr/bin/gpasswd Disable /bin/mount Disable /bin/nc.openbsd (requested /bin/nc) Disable /usr/bin/ncat Disable /usr/bin/newgrp Disable /bin/ntfs-3g Disable /usr/bin/pkexec Disable /usr/bin/newgrp (requested /usr/bin/sg) Disable /usr/bin/strace Disable /bin/su Disable /usr/bin/sudo Disable /bin/umount Disable /usr/bin/xev Disable /tmp/tmux-1000 Mounting noexec /tmp/.X11-unix Disable /home/username/.password-store Disable /mnt/shared/username/.bitcoin (requested /home/username/.bitcoin) Disable /home/username/.android Disable /home/username/.audacity-data Disable /home/username/.config/Clementine Disable /home/username/.config/Mumble Disable /home/username/.config/MusicBrainz Disable /home/username/.config/Qlipper Disable /home/username/.config/audacious Disable /home/username/.config/borg Disable /home/username/.config/brave Disable /home/username/.config/calibre Disable /home/username/.config/cmus Disable /home/username/.config/enchant Disable /home/username/.config/epiphany Disable /home/username/.config/gedit Disable /home/username/.config/kritarc Disable /home/username/.config/libreoffice Disable /home/username/.config/lximage-qt Disable /home/username/.config/mpv Disable /home/username/.config/pix Disable /home/username/.config/qpdfview Disable /home/username/.config/qutebrowser Disable /home/username/.config/redshift.conf Disable /home/username/.config/smplayer Disable /home/username/.config/torbrowser Disable /home/username/.config/transmission Disable /home/username/.config/wesnoth Disable /mnt/shared/username/.electrum-dash (requested /home/username/.electrum-dash) Disable /home/username/.electrum Disable /home/username/.frozen-bubble Disable /home/username/.gimp-2.8 Disable /home/username/.dotfiles/.gitconfig (requested /home/username/.gitconfig) Disable /home/username/.gradle Disable /home/username/.hedgewars Disable /home/username/.icedove Disable /home/username/.kodi Disable /home/username/.local/share/data/Mumble Disable /home/username/.local/share/epiphany Disable /home/username/.local/share/pix Disable /home/username/.local/share/qpdfview Disable /home/username/.local/share/qutebrowser Disable /home/username/.local/share/wesnoth Disable /home/username/.mozilla Disable /home/username/.openinvaders Disable /home/username/.openshot_qt Disable /home/username/.surf Disable /home/username/.sylpheed-2.0 Disable /tmp/ssh-eSZc8rwyDdcq Disable /home/username/.cache/MusicBrainz Disable /home/username/.cache/borg Disable /home/username/.cache/calibre Disable /home/username/.cache/epiphany Disable /home/username/.cache/icedove Disable /home/username/.cache/mozilla Disable /home/username/.cache/qutebrowser Disable /home/username/.cache/simple-scan Disable /home/username/.cache/torbrowser Disable /home/username/.cache/transmission Disable /home/username/.cache/wesnoth Disable /sys/fs Current directory: /home/username/apps Dropping all capabilities Install protocol filter: unix,inet,inet6 configuring 14 seccomp entries in /run/firejail/mnt/seccomp.protocol sbox run: /usr/lib/x86_64-linux-gnu/firejail/fseccomp print /run/firejail/mnt/seccomp.protocol (null) configuring 101 seccomp entries in /run/firejail/mnt/seccomp.32 sbox run: /usr/lib/x86_64-linux-gnu/firejail/fseccomp print /run/firejail/mnt/seccomp.32 (null) Dual 3total 0 lrwx------ 1 username username 64 Aug 19 18:06 0 -> /dev/null l-wx------ 1 username username 64 Aug 19 18:06 1 -> pipe:[3630483] lrwx------ 1 username username 64 Aug 19 18:06 2 -> /dev/pts/2 lrwx------ 1 username username 64 Aug 19 18:06 20 -> socket:[26133] lr-x------ 1 username username 64 Aug 19 18:06 3 -> /proc/13/fd lrwx------ 1 username username 64 Aug 19 18:06 37 -> /dev/dri/card0 SECCOMP Filter VALIDATE_ARCHITECTURE EXAMINE_SYSCALL HANDLE_X32 BLACKLIST 154 modify_ldt BLACKLIST 212 lookup_dcookie BLACKLIST 298 perf_event_open BLACKLIST 311 process_vm_writev BLACKLIST 156 _sysctl BLACKLIST 183 afs_syscall BLACKLIST 174 create_module BLACKLIST 177 get_kernel_syms BLACKLIST 181 getpmsg BLACKLIST 182 putpmsg BLACKLIST 178 query_module BLACKLIST 185 security BLACKLIST 139 sysfs BLACKLIST 184 tuxcall BLACKLIST 134 uselib BLACKLIST 136 ustat BLACKLIST 236 vserver BLACKLIST 159 adjtimex BLACKLIST 305 clock_adjtime BLACKLIST 227 clock_settime BLACKLIST 164 settimeofday BLACKLIST 176 delete_module BLACKLIST 313 finit_module BLACKLIST 175 init_module BLACKLIST 173 ioperm BLACKLIST 172 iopl BLACKLIST 246 kexec_load BLACKLIST 320 kexec_file_load BLACKLIST 169 reboot BLACKLIST 167 swapon BLACKLIST 168 swapoff BLACKLIST 163 acct BLACKLIST 321 bpf BLACKLIST 161 chroot BLACKLIST 165 mount BLACKLIST 180 nfsservctl BLACKLIST 155 pivot_root BLACKLIST 171 setdomainname BLACKLIST 170 sethostname BLACKLIST 166 umount2 BLACKLIST 153 vhangup BLACKLIST 238 set_mempolicy BLACKLIST 256 migrate_pages BLACKLIST 279 move_pages BLACKLIST 237 mbind BLACKLIST 304 open_by_handle_at BLACKLIST 303 name_to_handle_at BLACKLIST 251 ioprio_set BLACKLIST 103 syslog BLACKLIST 300 fanotify_init BLACKLIST 312 kcmp BLACKLIST 248 add_key BLACKLIST 249 request_key BLACKLIST 250 keyctl BLACKLIST 206 io_setup BLACKLIST 207 io_destroy BLACKLIST 208 io_getevents BLACKLIST 209 io_submit BLACKLIST 210 io_cancel BLACKLIST 216 remap_file_pages BLACKLIST 278 vmsplice BLACKLIST 135 personality BLACKLIST 323 userfaultfd BLACKLIST 101 ptrace BLACKLIST 310 process_vm_readv RETURN_ALLOW -rw-r--r-- 1 username username 1104 ago 19 18:06 /run/firejail/mnt/seccomp -rw-r--r-- 1 username username 808 ago 19 18:06 /run/firejail/mnt/seccomp.32 -rw-r--r-- 1 username username 824 ago 19 18:06 /run/firejail/mnt/seccomp.64 -rw-r--r-- 1 username username 0 ago 19 18:06 /run/firejail/mnt/seccomp.postexec -rw-r--r-- 1 username username 112 ago 19 18:06 /run/firejail/mnt/seccomp.protocol 2/64 bit seccomp filter configured configuring 138 seccomp entries in /run/firejail/mnt/seccomp sbox run: /usr/lib/x86_64-linux-gnu/firejail/fseccomp print /run/firejail/mnt/seccomp (null) seccomp filter configured Seccomp files: noroot user namespace installed Dropping all capabilities NO_NEW_PRIVS set il ./ledger-live-desktop-2.10.0-linux-x86_64.AppImage utoselecting /bin/bash as shell Configuring appimage environment AppImage ELF size 188392 appimage mounted on /run/firejail/appimage/.appimage-22931 Building AppImage command line: /run/firejail/appimage/.appimage-22931/AppRun AppImage quoted command line: '/run/firejail/appimage/.appimage-22931/AppRun' Command name #./ledger-live-desktop-2.10.0-linux-x86_64.AppImage# Attempting to find default.profile... Found default profile in /etc/firejail directory ** Note: you can use --noprofile to disable default.profile ** Using the local network stack Parent pid 22931, child pid 22935 Parent is shutting down, bye... AppImage unmounted ``` </details>
gitea-mirror 2026-05-05 08:56:44 -06:00
gitea-mirror commented 2026-05-05 08:56:47 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Aug 20, 2020):

As this application seems to depend on specific hardware, it won't be easy to fully test/advise you on how to proceed. Also, your firejail installation is very old. I suggest you try to upgrade from this firejail PPA first and save this profile as ledger-live-desktop.profile into your ${HOME}/.config/firejail dir. After doing so, please run both commands below and post output here.

$ firejail --noprofile --appimage ./ledger-live-desktop-2.10.0-linux-x86_64.AppImage
$ firejail --profile=ledger-live-desktop --appimage ./ledger-live-desktop-2.10.0-linux-x86_64.AppImage
<!-- gh-comment-id:676823496 --> @ghost commented on GitHub (Aug 20, 2020): As this application seems to depend on **specific hardware**, it won't be easy to fully test/advise you on how to proceed. Also, your firejail installation is very old. I suggest you try to upgrade from [this firejail PPA](https://launchpad.net/~deki/+archive/ubuntu/firejail) first and save [this profile](https://gist.github.com/glitsj16/7b83acb0f2ecf5928587436e75b1c8a8) as `ledger-live-desktop.profile` into your ${HOME}/.config/firejail dir. After doing so, please run both commands below and post output here. ``` $ firejail --noprofile --appimage ./ledger-live-desktop-2.10.0-linux-x86_64.AppImage $ firejail --profile=ledger-live-desktop --appimage ./ledger-live-desktop-2.10.0-linux-x86_64.AppImage ```
gitea-mirror commented 2026-05-05 08:56:49 -06:00
Author
Owner
Copy link

@eloyesp commented on GitHub (Aug 22, 2020):

It seems that with the updated version it works. Thanks!

<!-- gh-comment-id:678596379 --> @eloyesp commented on GitHub (Aug 22, 2020): It seems that with the updated version it works. Thanks!
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2253
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?