[GH-ISSUE #3671] GDB a process inside FireJail #2311

Open
opened 2026-05-05 09:00:07 -06:00 by gitea-mirror · 6 comments

Originally created by @mtayyab01 on GitHub (Oct 14, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3671

With the --allow-debuggers flag, when gdb is executed inside firejail, Firejail crashes. If a breakpoint is set in gdb, the run command in gdb will crash the firejail parent process and exit.

Here is an example of a simple hello-world firejailed program (app) to be debugged. I could not find another way to debug a jailed program in the man pages.

```
firejail --allow-debuggers gdb ./app
Reading profile /usr/local/etc/firejail/default.profile
Reading profile /usr/local/etc/firejail/disable-common.inc
Reading profile /usr/local/etc/firejail/disable-passwdmgr.inc
Reading profile /usr/local/etc/firejail/disable-programs.inc
** Note: you can use --noprofile to disable default.profile **
Parent pid 10812, child pid 10813
Warning: cleaning all supplementary groups
Child process initialized in 33.96 ms
GNU gdb (Ubuntu 8.2-0ubuntu1~18.04) 8.2
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./app...done.
(gdb) run
Starting program: /home/mtayyab/Desktop/Code/Example/build/app
Hello world
[Inferior 1 (process 5) exited normally]
[12]+ Stopped firejail --allow-debuggers gdb ./app
```

```
mtayyab@mtayyab:$ firejail --allow-debuggers gdb ./app
Reading profile /usr/local/etc/firejail/default.profile
Reading profile /usr/local/etc/firejail/disable-common.inc
Reading profile /usr/local/etc/firejail/disable-passwdmgr.inc
Reading profile /usr/local/etc/firejail/disable-programs.inc
** Note: you can use --noprofile to disable default.profile **
Parent pid 10822, child pid 10823
Warning: cleaning all supplementary groups
Child process initialized in 33.72 ms
GNU gdb (Ubuntu 8.2-0ubuntu1~18.04) 8.2
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./app...done.
(gdb) break main
Breakpoint 1 at 0x862: file /home/mtayyab/Desktop/Code/Example/main.cpp, line 7.
(gdb) run
Starting program: /home/mtayyab/Desktop/Code/Example/build/app
Breakpoint 1, main () at /home/mtayyab/Desktop/Code/Example/main.cpp:7
7 int variable=0;
[13]+ Stopped firejail --allow-debuggers gdb ./app
```


@ScoreUnder commented on GitHub (Oct 14, 2020):

This says "stopped" and gives a job ID, so what happens if you `fg` it?

@rusty-snake commented on GitHub (Oct 16, 2020):

It hangs/freezes on my system with `firejail --allow-debuggers gdb ./hello` and this hello.c:

```c
#include <stdio.h>

/* Minimal program used to reproduce the hang under gdb inside firejail. */
int main(void) {
	printf("Hello, World!\n");
	return 0;
}
```

journalctl:

```
SECCOMP … comm="gdb" exe="/usr/libexec/gdb" sig=31 arch=c000003e syscall=135 c…
```

Looks like `--allow-debuggers` does not switch `seccomp` from @default-nodebuggers to @default anymore.

cc @topimiettinen

@topimiettinen commented on GitHub (Oct 18, 2020):

Gdb works for me with `--allow-debuggers` (not fully, as with OP it stops) but not at all without, so I think the seccomp list is changed with `--allow-debuggers`. Syscall 135 is `rt_sigprocmask`, which should not be blocked. I don't see this error in logs either. Maybe this is not related to seccomp; has something changed with signal handling recently?

@rusty-snake commented on GitHub (Oct 18, 2020):

```
$ firejail --debug-syscalls | grep 135
135	- personality
$ ausyscall 135
personality
```

`seccomp` blocks all syscalls in @default-nodebuggers (which is `@default-nodebuggers=@default,ptrace,personality,process_vm_readv`), except if it is used with `allow-debuggers`; then it only blocks @default.

I'll bisect this tomorrow.

@topimiettinen commented on GitHub (Oct 18, 2020):

Nice tricks, I used

```
$ grep 135 /usr/include/*/unistd.h
/usr/include/asm-generic/unistd.h:#define __NR_rt_sigprocmask 135
```

Even easier, if you have `ausearch`: the `-i` flag, for example in `ausearch -ts boot -i -m SECCOMP`, replaces the system call number with its name.
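
As an added example (not from the thread or the firejail project), a small Python helper that decodes a SECCOMP audit record the way the two lookups above disagree: it reads the arch= field first and resolves syscall= against that architecture's table, so 135 comes out as personality on x86_64 rather than the asm-generic rt_sigprocmask, and it flags whether the name is one of the extras that @default-nodebuggers adds on top of @default. The syscall tables are short constructed excerpts and the sample audit line is constructed.

```python
import re

# Constructed SECCOMP audit line, modelled on the elided one quoted in the
# thread; pids, timestamps and addresses here are made up.
SAMPLE_LINE = ('audit: type=1326 audit(1602800000.123:456): auid=1000 uid=1000 '
               'gid=1000 ses=2 pid=4242 comm="gdb" exe="/usr/libexec/gdb" '
               'sig=31 arch=c000003e syscall=135 compat=0 ip=0x7f0000001234 code=0x0')

# AUDIT_ARCH_* values exactly as the kernel prints them in the arch= field.
ARCH_NAMES = {0xc000003e: "x86_64", 0xc00000b7: "aarch64", 0x40000003: "i386"}

# Constructed excerpts of the per-arch syscall tables, limited to the numbers
# the thread argues about. aarch64 follows the asm-generic numbering that the
# grep on /usr/include/asm-generic/unistd.h reports; x86_64 does not.
SYSCALL_TABLES = {
    "x86_64":  {14: "rt_sigprocmask", 101: "ptrace", 135: "personality", 310: "process_vm_readv"},
    "aarch64": {92: "personality", 117: "ptrace", 135: "rt_sigprocmask", 270: "process_vm_readv"},
    "i386":    {26: "ptrace", 136: "personality", 175: "rt_sigprocmask", 347: "process_vm_readv"},
}

# Syscalls that @default-nodebuggers adds to @default, as stated in the thread.
NODEBUGGERS_EXTRA = {"ptrace", "personality", "process_vm_readv"}


def parse_audit_fields(line):
    """Return the key=value fields of an audit record as a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def resolve_seccomp_kill(line):
    """Map a SECCOMP record to (arch name, syscall name, blocked-only-by-nodebuggers).

    The arch field is authoritative: the same number means different syscalls
    on different architectures, which is why a grep of asm-generic headers
    gives the wrong answer for an x86_64 record.
    """
    fields = parse_audit_fields(line)
    if fields.get("type") != "1326":  # AUDIT_SECCOMP record type
        raise ValueError("not a SECCOMP audit record")
    arch = ARCH_NAMES.get(int(fields["arch"], 16))
    if arch is None:
        raise ValueError("unknown audit arch " + fields["arch"])
    nr = int(fields["syscall"])
    name = SYSCALL_TABLES[arch].get(nr, "unknown")
    return arch, name, name in NODEBUGGERS_EXTRA


if __name__ == "__main__":
    print(resolve_seccomp_kill(SAMPLE_LINE))
```

Run against the constructed record it reports x86_64/personality and that the kill is explained by the nodebuggers extras, which matches what `firejail --debug-syscalls` and `ausyscall` said.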

@rusty-snake commented on GitHub (Oct 19, 2020):

OK, `firejail --noprofile --allow-debuggers --seccomp gdb ./test` does not fail on seccomp.
But even with just --noprofile (`firejail --noprofile gdb ./test`) it goes into the background on `break main`, `run`. You can bring it back with `fg`, and it goes into the background again if you enter `run` again.

Reference: github-starred/firejail#2311