github-starred/firejail

Fork 0

mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00

[GH-ISSUE #47] Arch non-issues and issues #23

New issue

Closed

opened 2026-05-05 04:46:09 -06:00 by gitea-mirror · 4 comments

gitea-mirror commented

2026-05-05 04:46:09 -06:00

Owner

Originally created by @ghost on GitHub (Aug 28, 2015).
Original GitHub issue: https://github.com/netblue30/firejail/issues/47

First: I'm happy to report that the Arch warnings in the todo list are gone for me using the current git version! Probably worth confirming with someone else though.

Second: I've been having an issue with getting "execvp: Permission denied" -- I've narrowed it down to (the profile or manually) blacklisting either /sbin or /usr/sbin

$ firejail --noprofile --blacklist=/mnt
Parent pid 1619, child pid 1620
Child process initialized
$ exit

parent is shutting down, bye...
$ firejail --noprofile --blacklist=/sbin
Parent pid 1630, child pid 1631
Child process initialized
execvp: Permission denied

parent is shutting down, bye...
$

The reason is because both /sbin and /usr/sbin are symlinks to /usr/bin and firejail is unable to execvp /usr/bin/bash, or most programs on my system for that matter, after blacklisting the folder. The system defaulted these symlinks at some point.

Interestingly, this is not an issue with firejail-0.9.28, only the git head version.

Checking the --debug for both, the 0.9.28 version is actually failing to blacklist the symlink /sbin folder. Of course I get the same error when I blacklist /usr/bin explictly.

It looks like in fixing symlinks during some commit, it actually broke systems that use symlinks for /sbin and /usr/sbin. Note that I do think there are perfectly valid scenarios for blacklisting /usr/bin.

How do you want to proceed? Check the symlink to see if it ends up blacklisting the command we're calling and ignore the blacklist it if it does? Force explict, non-symlink paths to blacklist bin/sbin FHS-compliant folders?

Originally created by @ghost on GitHub (Aug 28, 2015). Original GitHub issue: https://github.com/netblue30/firejail/issues/47 First: I'm happy to report that the Arch warnings in the todo list are gone for me using the current git version! Probably worth confirming with someone else though. Second: I've been having an issue with getting "execvp: Permission denied" -- I've narrowed it down to (the profile or manually) blacklisting either /sbin or /usr/sbin ``` $ firejail --noprofile --blacklist=/mnt Parent pid 1619, child pid 1620 Child process initialized $ exit parent is shutting down, bye... $ firejail --noprofile --blacklist=/sbin Parent pid 1630, child pid 1631 Child process initialized execvp: Permission denied parent is shutting down, bye... $ ``` The reason is because both /sbin and /usr/sbin are symlinks to /usr/bin and firejail is unable to execvp /usr/bin/bash, or most programs on my system for that matter, after blacklisting the folder. The system defaulted these symlinks at some point. Interestingly, this is not an issue with firejail-0.9.28, only the git head version. Checking the --debug for both, the 0.9.28 version is actually failing to blacklist the symlink /sbin folder. Of course I get the same error when I blacklist /usr/bin explictly. It looks like in fixing symlinks during some commit, it actually broke systems that use symlinks for /sbin and /usr/sbin. Note that I do think there are perfectly valid scenarios for blacklisting /usr/bin. How do you want to proceed? Check the symlink to see if it ends up blacklisting the command we're calling and ignore the blacklist it if it does? Force explict, non-symlink paths to blacklist bin/sbin FHS-compliant folders?

gitea-mirror closed this issue

2026-05-05 04:46:10 -06:00

gitea-mirror commented

2026-05-05 04:46:13 -06:00

Author

Owner

@netblue30 commented on GitHub (Aug 28, 2015):

I'll look into it, thanks! There were lots of fixes for --blacklist going into the branch recently. I'll make it so it rejects the blacklist command if the file is a symlink.

@netblue30 commented on GitHub (Aug 28, 2015): I'll look into it, thanks! There were lots of fixes for --blacklist going into the branch recently. I'll make it so it rejects the blacklist command if the file is a symlink.

gitea-mirror commented

2026-05-05 04:46:15 -06:00

Author

Owner

@netblue30 commented on GitHub (Aug 28, 2015):

I have a fix, you can try it. Thanks for the bug!

@netblue30 commented on GitHub (Aug 28, 2015): I have a fix, you can try it. Thanks for the bug!

gitea-mirror commented

2026-05-05 04:46:17 -06:00

Author

Owner

@ghost commented on GitHub (Aug 29, 2015):

Looks beautiful now. Thanks so much!

@ghost commented on GitHub (Aug 29, 2015): Looks beautiful now. Thanks so much!

gitea-mirror commented

2026-05-05 04:46:19 -06:00

Author

Owner

@netblue30 commented on GitHub (Aug 30, 2015):

You're welcome!

@netblue30 commented on GitHub (Aug 30, 2015): You're welcome!

gitea-mirror referenced this issue

2026-05-05 10:02:44 -06:00

[PR #23] [CLOSED] Some profile work (jitsi/[he]xchat) #3507

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#23

No description provided.

Rows
Columns