github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #3754] Can't run Discord with Linux-Hardened kernel #2367

New issue
Closed
opened 2026-05-05 09:02:59 -06:00 by gitea-mirror · 8 comments
gitea-mirror commented 2026-05-05 09:02:59 -06:00
Owner
Copy link

Originally created by @seonwoolee on GitHub (Nov 15, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3754

Bug and expected behavior
To be clear, I'm not calling this a bug, but seeking support.

Discord works perfectly fine with the default profile and default kernel on my Arch Linux system. However, when I use the linux-hardened kernel, I get the error The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/discord/chrome-sandbox is owned by root and has mode 4755

And /opt/discord/chrome-sandbox does have the correct permissions (because again, this works perfectly fine with the standard Linux kernel.

$ ls -alh /opt/discord
drwxr-xr-x  5 root root   19 Oct 30 09:59 .
drwxr-xr-x 11 root root   11 Nov  9 21:55 ..
-rwxr-xr-x  1 root root 110M Oct 22 10:38 Discord
-rwsr-xr-x  1 root root 235K Oct 22 10:38 chrome-sandbox
-rw-r--r--  1 root root 174K Oct 22 10:38 chrome_100_percent.pak
-rw-r--r--  1 root root 310K Oct 22 10:38 chrome_200_percent.pak
-rw-r--r--  1 root root  313 Oct 22 10:38 discord.desktop
-rw-r--r--  1 root root  29K Oct 22 10:38 discord.png
-rw-r--r--  1 root root  10M Oct 22 10:38 icudtl.dat
-rw-r--r--  1 root root 243K Oct 22 10:38 libEGL.so
-rw-r--r--  1 root root 8.0M Oct 22 10:38 libGLESv2.so
-rw-r--r--  1 root root 2.9M Oct 22 10:38 libffmpeg.so
drwxr-xr-x  2 root root   55 Oct 30 09:59 locales
-rw-r--r--  1 root root  81K Oct 22 10:38 natives_blob.bin
drwxr-xr-x  3 root root    5 Oct 30 09:59 resources
-rw-r--r--  1 root root 8.3M Oct 22 10:38 resources.pak
-rw-r--r--  1 root root 274K Oct 22 10:38 snapshot_blob.bin
drwxr-xr-x  2 root root    5 Oct 30 09:59 swiftshader
-rw-r--r--  1 root root 685K Oct 22 10:38 v8_context_snapshot.bin

How can I determine what kernel parameter I need to change to make this work while using the hardened kernel?

Environment

  • Arch Linux
firejail version 0.9.64

Compile time support:
   - AppArmor support is enabled
   - AppImage support is enabled
   - chroot support is enabled
   - D-BUS proxy support is enabled
   - file and directory whitelisting support is enabled
   - file transfer support is enabled
   - firetunnel support is enabled
   - networking support is enabled
   - overlayfs support is enabled
   - private-home support is enabled
   - SELinux support is disabled
   - user namespace support is enabled
   - X11 sandboxing support is enabled

Checklist

  • The upstream profile (and redirect profile if exists) have no changes fixing it.
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • Programs needed for interaction are listed in the profile.
  • A short search for duplicates was performed.
  • [] If it is a AppImage, --profile=PROFILENAME is used to set the right profile.
  • Used LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 PROGRAM to get english error-messages.
debug output 
$ firejail --debug discord
Autoselecting /bin/bash as shell
Building quoted command line: 'discord' 
Command name #discord#
Found discord.profile profile in /etc/firejail directory
Reading profile /etc/firejail/discord.profile
Found globals.local profile in /home/seonwoo/.config/firejail directory
Reading profile /home/seonwoo/.config/firejail/globals.local
Found discord-common.profile profile in /etc/firejail directory
Reading profile /etc/firejail/discord-common.profile
Found disable-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-common.inc
Found disable-devel.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-devel.inc
Found disable-exec.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-exec.inc
Found disable-passwdmgr.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-passwdmgr.inc
Found disable-programs.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-programs.inc
Found whitelist-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/whitelist-common.inc
Found whitelist-var-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/whitelist-var-common.inc
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
DISPLAY=:0.0 parsed as 0
Using the local network stack
Parent pid 504567, child pid 504568
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
Build protocol filter: unix,inet,inet6,netlink
sbox run: /run/firejail/lib/fseccomp protocol build unix,inet,inet6,netlink /run/firejail/mnt/seccomp/seccomp.protocol 
Dropping all capabilities
Drop privileges: pid 2, uid 1000, gid 100, nogroups 1
No supplementary groups
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
1301 800 0:24 /etc /etc ro,relatime master:1 - zfs zroot/enc/permanent/root rw,xattr,posixacl
mountid=1301 fsname=/etc dir=/etc fstype=zfs
Mounting noexec /etc
1506 1301 0:24 /etc /etc ro,nosuid,nodev,noexec,relatime master:1 - zfs zroot/enc/permanent/root rw,xattr,posixacl
mountid=1506 fsname=/etc dir=/etc fstype=zfs
Mounting read-only /var
1509 1507 0:53 / /var/lib/docker rw,noatime master:75 - zfs zroot/enc/ephemeral/docker rw,xattr,posixacl
mountid=1509 fsname=/ dir=/var/lib/docker fstype=zfs
Mounting read-only /var/lib/docker
1510 1509 0:53 / /var/lib/docker ro,noatime master:75 - zfs zroot/enc/ephemeral/docker rw,xattr,posixacl
mountid=1510 fsname=/ dir=/var/lib/docker fstype=zfs
Mounting noexec /var
1567 1566 0:53 / /var/lib/docker ro,noatime master:75 - zfs zroot/enc/ephemeral/docker rw,xattr,posixacl
mountid=1567 fsname=/ dir=/var/lib/docker fstype=zfs
Mounting noexec /var/lib/docker
1569 1567 0:53 / /var/lib/docker ro,nosuid,nodev,noexec,noatime master:75 - zfs zroot/enc/ephemeral/docker rw,xattr,posixacl
mountid=1569 fsname=/ dir=/var/lib/docker fstype=zfs
Mounting read-only /usr
1570 800 0:24 /usr /usr ro,relatime master:1 - zfs zroot/enc/permanent/root rw,xattr,posixacl
mountid=1570 fsname=/usr dir=/usr fstype=zfs
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Cleaning /run/user directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /home/seonwoo/.config/firejail
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
Drop privileges: pid 3, uid 1000, gid 100, nogroups 0
Warning: cleaning all supplementary groups
Mounting a new /root directory
Mounting a new /home directory
Create a new user directory
Drop privileges: pid 4, uid 1000, gid 100, nogroups 0
Warning: cleaning all supplementary groups
Drop privileges: pid 5, uid 1000, gid 100, nogroups 0
Warning: cleaning all supplementary groups
Mounting tmpfs on /dev
mounting /run/firejail/mnt/dev/snd directory
mounting /run/firejail/mnt/dev/dri directory
Process /dev/shm directory
Copying files in the new /opt directory:
copying /opt/discord to private /opt
Creating empty /run/firejail/mnt/opt/discord directory
sbox run: /run/firejail/lib/fcopy /opt/discord /run/firejail/mnt/opt/discord 
Mount-bind /run/firejail/mnt/opt on top of /opt
Private /opt installed in 535.89 ms
Copying files in the new bin directory
Checking /usr/local/bin/discord
Checking /usr/bin/discord
file /opt/discord/Discord not found
sbox run: /run/firejail/lib/fcopy /usr/bin/discord /run/firejail/mnt/bin 
Checking /usr/local/bin/bash
Checking /usr/bin/bash
sbox run: /run/firejail/lib/fcopy /usr/bin/bash /run/firejail/mnt/bin 
Checking /usr/local/bin/cut
Checking /usr/bin/cut
sbox run: /run/firejail/lib/fcopy /usr/bin/cut /run/firejail/mnt/bin 
Checking /usr/local/bin/echo
Checking /usr/bin/echo
sbox run: /run/firejail/lib/fcopy /usr/bin/echo /run/firejail/mnt/bin 
Checking /usr/local/bin/egrep
Checking /usr/bin/egrep
sbox run: /run/firejail/lib/fcopy /usr/bin/egrep /run/firejail/mnt/bin 
Checking /usr/local/bin/fish
Checking /usr/bin/fish
Checking /bin/fish
Checking /usr/games/fish
Checking /usr/local/games/fish
Checking /usr/local/sbin/fish
Checking /usr/sbin/fish
Checking /sbin/fish
Warning: file fish not found
Checking /usr/local/bin/grep
Checking /usr/bin/grep
sbox run: /run/firejail/lib/fcopy /usr/bin/grep /run/firejail/mnt/bin 
Checking /usr/local/bin/head
Checking /usr/bin/head
sbox run: /run/firejail/lib/fcopy /usr/bin/head /run/firejail/mnt/bin 
Checking /usr/local/bin/sed
Checking /usr/bin/sed
sbox run: /run/firejail/lib/fcopy /usr/bin/sed /run/firejail/mnt/bin 
Checking /usr/local/bin/sh
Checking /usr/bin/sh
sbox run: /run/firejail/lib/fcopy /usr/bin/bash /run/firejail/mnt/bin 
sbox run: /run/firejail/lib/fcopy /usr/bin/sh /run/firejail/mnt/bin 
Checking /usr/local/bin/tclsh
Checking /usr/bin/tclsh
sbox run: /run/firejail/lib/fcopy /usr/bin/tclsh8.6 /run/firejail/mnt/bin 
sbox run: /run/firejail/lib/fcopy /usr/bin/tclsh /run/firejail/mnt/bin 
Checking /usr/local/bin/tr
Checking /usr/bin/tr
sbox run: /run/firejail/lib/fcopy /usr/bin/tr /run/firejail/mnt/bin 
Checking /usr/local/bin/xdg-mime
Checking /usr/bin/xdg-mime
sbox run: /run/firejail/lib/fcopy /usr/bin/xdg-mime /run/firejail/mnt/bin 
Checking /usr/local/bin/xdg-open
Checking /usr/bin/xdg-open
sbox run: /run/firejail/lib/fcopy /usr/bin/xdg-open /run/firejail/mnt/bin 
Checking /usr/local/bin/zsh
Checking /usr/bin/zsh
sbox run: /run/firejail/lib/fcopy /usr/bin/zsh /run/firejail/mnt/bin 
Mount-bind /run/firejail/mnt/bin on top of /usr/local/bin
Mount-bind /run/firejail/mnt/bin on top of /usr/bin
Mount-bind /run/firejail/mnt/bin on top of /bin
Mount-bind /run/firejail/mnt/bin on top of /usr/local/games
Mount-bind /run/firejail/mnt/bin on top of /usr/local/sbin
Mount-bind /run/firejail/mnt/bin on top of /usr/sbin
Mount-bind /run/firejail/mnt/bin on top of /sbin
16 programs installed in 27.33 ms
Generate private-tmp whitelist commands
blacklist /run/firejail/dbus
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/kallsyms
Disable /usr/lib/modules/5.9.8-arch1-1/build (requested /usr/src/linux)
Disable /usr/lib/modules (requested /lib/modules)
Disable /boot
Disable /run/user/1000/gnupg
Disable /run/user/1000/systemd
Disable /proc/kmsg
Copying files in the new /etc directory:
Warning: file /etc/alternatives not found.
Warning: skipping alternatives for private /etc
copying /etc/ca-certificates to private /etc
Creating empty /run/firejail/mnt/etc/ca-certificates directory
sbox run: /run/firejail/lib/fcopy /etc/ca-certificates /run/firejail/mnt/etc/ca-certificates 
Warning: file /etc/crypto-policies not found.
Warning: skipping crypto-policies for private /etc
copying /etc/fonts to private /etc
Creating empty /run/firejail/mnt/etc/fonts directory
sbox run: /run/firejail/lib/fcopy /etc/fonts /run/firejail/mnt/etc/fonts 
copying /etc/group to private /etc
sbox run: /run/firejail/lib/fcopy /etc/group /run/firejail/mnt/etc 
copying /etc/ld.so.cache to private /etc
sbox run: /run/firejail/lib/fcopy /etc/ld.so.cache /run/firejail/mnt/etc 
copying /etc/localtime to private /etc
sbox run: /run/firejail/lib/fcopy /etc/localtime /run/firejail/mnt/etc 
copying /etc/login.defs to private /etc
sbox run: /run/firejail/lib/fcopy /etc/login.defs /run/firejail/mnt/etc 
copying /etc/machine-id to private /etc
sbox run: /run/firejail/lib/fcopy /etc/machine-id /run/firejail/mnt/etc 
Warning: file /etc/password not found.
Warning: skipping password for private /etc
Warning: file /etc/pki not found.
Warning: skipping pki for private /etc
copying /etc/resolv.conf to private /etc
sbox run: /run/firejail/lib/fcopy /etc/resolv.conf /run/firejail/mnt/etc 
copying /etc/ssl to private /etc
Creating empty /run/firejail/mnt/etc/ssl directory
sbox run: /run/firejail/lib/fcopy /etc/ssl /run/firejail/mnt/etc/ssl 
Mount-bind /run/firejail/mnt/etc on top of /etc
Private /etc installed in 57.94 ms
Cannot find /usr/etc
Debug 456: new_name #/home/seonwoo/.config/discord#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/discord
	expanded: /home/seonwoo/.config/discord
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.config/BetterDiscord#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/BetterDiscord
	expanded: /home/seonwoo/.config/BetterDiscord
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.local/share/betterdiscordctl#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.local/share/betterdiscordctl
	expanded: /home/seonwoo/.local/share/betterdiscordctl
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.XCompose#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.XCompose
	expanded: /home/seonwoo/.XCompose
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.asoundrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.asoundrc
	expanded: /home/seonwoo/.asoundrc
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.config/ibus#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/ibus
	expanded: /home/seonwoo/.config/ibus
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.config/mimeapps.list#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/mimeapps.list
	expanded: /home/seonwoo/.config/mimeapps.list
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.config/pkcs11#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/pkcs11
	expanded: /home/seonwoo/.config/pkcs11
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.config/user-dirs.dirs#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/user-dirs.dirs
	expanded: /home/seonwoo/.config/user-dirs.dirs
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.config/user-dirs.locale#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/user-dirs.locale
	expanded: /home/seonwoo/.config/user-dirs.locale
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.drirc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.drirc
	expanded: /home/seonwoo/.drirc
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.icons#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.icons
	expanded: /home/seonwoo/.icons
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.local/share/applications#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.local/share/applications
	expanded: /home/seonwoo/.local/share/applications
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.local/share/icons#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.local/share/icons
	expanded: /home/seonwoo/.local/share/icons
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.local/share/mime#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.local/share/mime
	expanded: /home/seonwoo/.local/share/mime
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.mime.types#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.mime.types
	expanded: /home/seonwoo/.mime.types
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.uim.d#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.uim.d
	expanded: /home/seonwoo/.uim.d
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.config/dconf#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/dconf
	expanded: /home/seonwoo/.config/dconf
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.cache/fontconfig#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.cache/fontconfig
	expanded: /home/seonwoo/.cache/fontconfig
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.config/fontconfig#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/fontconfig
	expanded: /home/seonwoo/.config/fontconfig
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.fontconfig#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.fontconfig
	expanded: /home/seonwoo/.fontconfig
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.fonts#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.fonts
	expanded: /home/seonwoo/.fonts
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.fonts.conf#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.fonts.conf
	expanded: /home/seonwoo/.fonts.conf
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.fonts.conf.d#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.fonts.conf.d
	expanded: /home/seonwoo/.fonts.conf.d
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.fonts.d#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.fonts.d
	expanded: /home/seonwoo/.fonts.d
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.local/share/fonts#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.local/share/fonts
	expanded: /home/seonwoo/.local/share/fonts
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.pangorc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.pangorc
	expanded: /home/seonwoo/.pangorc
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.config/gtk-2.0#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/gtk-2.0
	expanded: /home/seonwoo/.config/gtk-2.0
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.config/gtk-3.0#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/gtk-3.0
	expanded: /home/seonwoo/.config/gtk-3.0
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.config/gtk-4.0#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/gtk-4.0
	expanded: /home/seonwoo/.config/gtk-4.0
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.config/gtkrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/gtkrc
	expanded: /home/seonwoo/.config/gtkrc
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.config/gtkrc-2.0#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/gtkrc-2.0
	expanded: /home/seonwoo/.config/gtkrc-2.0
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.gnome2#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.gnome2
	expanded: /home/seonwoo/.gnome2
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.gnome2-private#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.gnome2-private
	expanded: /home/seonwoo/.gnome2-private
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.gtk-2.0#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.gtk-2.0
	expanded: /home/seonwoo/.gtk-2.0
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.gtkrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.gtkrc
	expanded: /home/seonwoo/.gtkrc
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.gtkrc-2.0#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.gtkrc-2.0
	expanded: /home/seonwoo/.gtkrc-2.0
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.kde/share/config/gtkrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/gtkrc
	expanded: /home/seonwoo/.kde/share/config/gtkrc
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.kde/share/config/gtkrc-2.0#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/gtkrc-2.0
	expanded: /home/seonwoo/.kde/share/config/gtkrc-2.0
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.kde4/share/config/gtkrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/gtkrc
	expanded: /home/seonwoo/.kde4/share/config/gtkrc
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.kde4/share/config/gtkrc-2.0#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/gtkrc-2.0
	expanded: /home/seonwoo/.kde4/share/config/gtkrc-2.0
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.local/share/themes#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.local/share/themes
	expanded: /home/seonwoo/.local/share/themes
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.themes#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.themes
	expanded: /home/seonwoo/.themes
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.cache/kioexec/krun#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.cache/kioexec/krun
	expanded: /home/seonwoo/.cache/kioexec/krun
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.config/Kvantum#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/Kvantum
	expanded: /home/seonwoo/.config/Kvantum
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.config/Trolltech.conf#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/Trolltech.conf
	expanded: /home/seonwoo/.config/Trolltech.conf
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.config/kdeglobals#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/kdeglobals
	expanded: /home/seonwoo/.config/kdeglobals
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.config/kio_httprc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/kio_httprc
	expanded: /home/seonwoo/.config/kio_httprc
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.config/kioslaverc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/kioslaverc
	expanded: /home/seonwoo/.config/kioslaverc
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.config/ksslcablacklist#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/ksslcablacklist
	expanded: /home/seonwoo/.config/ksslcablacklist
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.config/qt5ct#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/qt5ct
	expanded: /home/seonwoo/.config/qt5ct
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.kde/share/config/kdeglobals#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/kdeglobals
	expanded: /home/seonwoo/.kde/share/config/kdeglobals
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.kde/share/config/kio_httprc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/kio_httprc
	expanded: /home/seonwoo/.kde/share/config/kio_httprc
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.kde/share/config/kioslaverc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/kioslaverc
	expanded: /home/seonwoo/.kde/share/config/kioslaverc
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.kde/share/config/ksslcablacklist#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/ksslcablacklist
	expanded: /home/seonwoo/.kde/share/config/ksslcablacklist
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.kde/share/config/oxygenrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/oxygenrc
	expanded: /home/seonwoo/.kde/share/config/oxygenrc
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.kde/share/icons#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/icons
	expanded: /home/seonwoo/.kde/share/icons
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.kde4/share/config/kdeglobals#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/kdeglobals
	expanded: /home/seonwoo/.kde4/share/config/kdeglobals
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.kde4/share/config/kio_httprc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/kio_httprc
	expanded: /home/seonwoo/.kde4/share/config/kio_httprc
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.kde4/share/config/kioslaverc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/kioslaverc
	expanded: /home/seonwoo/.kde4/share/config/kioslaverc
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.kde4/share/config/ksslcablacklist#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/ksslcablacklist
	expanded: /home/seonwoo/.kde4/share/config/ksslcablacklist
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.kde4/share/config/oxygenrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/oxygenrc
	expanded: /home/seonwoo/.kde4/share/config/oxygenrc
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.kde4/share/icons#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/icons
	expanded: /home/seonwoo/.kde4/share/icons
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.local/share/qt5ct#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.local/share/qt5ct
	expanded: /home/seonwoo/.local/share/qt5ct
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/var/lib/ca-certificates#, whitelist
Removed whitelist/nowhitelist path: whitelist /var/lib/ca-certificates
	expanded: /var/lib/ca-certificates
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/var/lib/dbus#, whitelist
Debug 456: new_name #/var/lib/menu-xdg#, whitelist
Removed whitelist/nowhitelist path: whitelist /var/lib/menu-xdg
	expanded: /var/lib/menu-xdg
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/var/lib/uim#, whitelist
Removed whitelist/nowhitelist path: whitelist /var/lib/uim
	expanded: /var/lib/uim
	real path: (null)
	realpath: No such file or directory
Debug 456: new_name #/var/cache/fontconfig#, whitelist
Debug 456: new_name #/var/tmp#, whitelist
Debug 456: new_name #/var/run#, whitelist
Replaced whitelist path: whitelist /run
Debug 456: new_name #/var/lock#, whitelist
Replaced whitelist path: whitelist /run/lock
Debug 456: new_name #/tmp/.X11-unix#, whitelist
Mounting tmpfs on /tmp directory
Mounting tmpfs on /var directory
Whitelisting /var/lib/dbus
1808 1807 0:24 /var/lib/dbus /var/lib/dbus ro,nosuid,nodev,noexec,relatime master:1 - zfs zroot/enc/permanent/root rw,xattr,posixacl
mountid=1808 fsname=/var/lib/dbus dir=/var/lib/dbus fstype=zfs
Whitelisting /var/cache/fontconfig
1809 1807 0:24 /var/cache/fontconfig /var/cache/fontconfig ro,nosuid,nodev,noexec,relatime master:1 - zfs zroot/enc/permanent/root rw,xattr,posixacl
mountid=1809 fsname=/var/cache/fontconfig dir=/var/cache/fontconfig fstype=zfs
Whitelisting /var/tmp
1810 1807 0:137 / /var/tmp rw,nosuid,nodev,noexec - tmpfs tmpfs rw,inode64
mountid=1810 fsname=/ dir=/var/tmp fstype=tmpfs
Created symbolic link /var/run -> /run
Created symbolic link /var/lock -> /run/lock
Whitelisting /tmp/.X11-unix
1811 1800 0:48 /.X11-unix /tmp/.X11-unix rw,nosuid,nodev,relatime master:69 - tmpfs tmpfs rw,size=6291456k,inode64
mountid=1811 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs
Drop privileges: pid 32, uid 1000, gid 100, nogroups 0
Warning: cleaning all supplementary groups
Mounting read-only /home/seonwoo/.Xauthority
1814 1773 0:144 /seonwoo/.Xauthority /home/seonwoo/.Xauthority ro,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755,inode64
mountid=1814 fsname=/seonwoo/.Xauthority dir=/home/seonwoo/.Xauthority fstype=tmpfs
Disable /run/user/1000/systemd
Disable /usr/share/applications/veracrypt.desktop
Disable /usr/share/pixmaps/veracrypt.xpm
Disable /run/screens (requested /var/run/screens)
Mounting read-only /home/seonwoo/.bashrc
1819 1773 0:144 /seonwoo/.bashrc /home/seonwoo/.bashrc ro,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755,inode64
mountid=1819 fsname=/seonwoo/.bashrc dir=/home/seonwoo/.bashrc fstype=tmpfs
Warning: /sbin directory link was not blacklisted
Disable /usr/local/sbin
Warning: /usr/sbin directory link was not blacklisted
Disable /proc/config.gz
Disable /usr/lib/jvm/java-8-openjdk/jre/bin/java (requested /usr/lib/jvm/default/bin/java)
Disable /usr/share/java
Disable /usr/lib/valgrind
Disable /usr/src
Disable /usr/local/src
Disable /usr/include
Disable /usr/local/include
Mounting noexec /run/user/1000
1833 1832 0:22 /firejail/firejail.ro.dir /run/user/1000/systemd rw,nosuid,nodev,relatime master:16 - tmpfs run rw,mode=755,inode64
mountid=1833 fsname=/firejail/firejail.ro.dir dir=/run/user/1000/systemd fstype=tmpfs
Warning: not remounting /run/user/1000/gvfs
Mounting noexec /dev/shm
1834 1780 0:145 /shm /dev/shm rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755,inode64
mountid=1834 fsname=/shm dir=/dev/shm fstype=tmpfs
Mounting noexec /tmp
1836 1835 0:48 /.X11-unix /tmp/.X11-unix rw,nosuid,nodev,relatime master:69 - tmpfs tmpfs rw,size=6291456k,inode64
mountid=1836 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs
Mounting noexec /tmp/.X11-unix
1837 1836 0:48 /.X11-unix /tmp/.X11-unix rw,nosuid,nodev,noexec,relatime master:69 - tmpfs tmpfs rw,size=6291456k,inode64
mountid=1837 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs
Mounting noexec /var
1841 1838 0:137 / /var/tmp rw,nosuid,nodev,noexec - tmpfs tmpfs rw,inode64
mountid=1841 fsname=/ dir=/var/tmp fstype=tmpfs
Not blacklist /home/seonwoo/.config/discord
Drop privileges: pid 33, uid 1000, gid 100, nogroups 0
Warning: cleaning all supplementary groups
Mounting read-only /tmp/.X11-unix
1842 1837 0:48 /.X11-unix /tmp/.X11-unix ro,nosuid,nodev,noexec,relatime master:69 - tmpfs tmpfs rw,size=6291456k,inode64
mountid=1842 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs
Disable /sys/fs
Disable /sys/module
Disable /mnt
Disable /run/mount
Disable /run/media
/etc/pulse/client.conf not found
Current directory: /home/seonwoo
DISPLAY=:0.0 parsed as 0
Install protocol filter: unix,inet,inet6,netlink
configuring 22 seccomp entries in /run/firejail/mnt/seccomp/seccomp.protocol
sbox run: /usr/lib/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.protocol 
Dropping all capabilities
Drop privileges: pid 34, uid 1000, gid 100, nogroups 1
No supplementary groups
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 04 00 c000003e   jeq ARCH_64 0006 (false 0002)
 0002: 20 00 00 00000000   ld  data.syscall-number
 0003: 15 01 00 00000167   jeq unknown 0005 (false 0004)
 0004: 06 00 00 7fff0000   ret ALLOW
 0005: 05 00 00 00000006   jmp 000c
 0006: 20 00 00 00000004   ld  data.architecture
 0007: 15 01 00 c000003e   jeq ARCH_64 0009 (false 0008)
 0008: 06 00 00 7fff0000   ret ALLOW
 0009: 20 00 00 00000000   ld  data.syscall-number
 000a: 15 01 00 00000029   jeq socket 000c (false 000b)
 000b: 06 00 00 7fff0000   ret ALLOW
 000c: 20 00 00 00000010   ld  data.args[0]
 000d: 15 00 01 00000001   jeq 1 000e (false 000f)
 000e: 06 00 00 7fff0000   ret ALLOW
 000f: 15 00 01 00000002   jeq 2 0010 (false 0011)
 0010: 06 00 00 7fff0000   ret ALLOW
 0011: 15 00 01 0000000a   jeq a 0012 (false 0013)
 0012: 06 00 00 7fff0000   ret ALLOW
 0013: 15 00 01 00000010   jeq 10 0014 (false 0015)
 0014: 06 00 00 7fff0000   ret ALLOW
 0015: 06 00 00 0005005f   ret ERRNO(95)
configuring 101 seccomp entries in /run/firejail/mnt/seccomp/seccomp.32
sbox run: /usr/lib/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.32 
Dropping all capabilities
Drop privileges: pid 35, uid 1000, gid 100, nogroups 1
No supplementary groups
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 40000003   jeq ARCH_32 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 15 00 01 00000015   jeq 15 0005 (false 0006)
 0005: 06 00 00 00000001   ret KILL
 0006: 15 00 01 00000034   jeq 34 0007 (false 0008)
 0007: 06 00 00 00000001   ret KILL
 0008: 15 00 01 0000001a   jeq 1a 0009 (false 000a)
 0009: 06 00 00 00000001   ret KILL
 000a: 15 00 01 0000011b   jeq 11b 000b (false 000c)
 000b: 06 00 00 00000001   ret KILL
 000c: 15 00 01 00000155   jeq 155 000d (false 000e)
 000d: 06 00 00 00000001   ret KILL
 000e: 15 00 01 00000156   jeq 156 000f (false 0010)
 000f: 06 00 00 00000001   ret KILL
 0010: 15 00 01 0000007f   jeq 7f 0011 (false 0012)
 0011: 06 00 00 00000001   ret KILL
 0012: 15 00 01 00000080   jeq 80 0013 (false 0014)
 0013: 06 00 00 00000001   ret KILL
 0014: 15 00 01 0000015e   jeq 15e 0015 (false 0016)
 0015: 06 00 00 00000001   ret KILL
 0016: 15 00 01 00000081   jeq 81 0017 (false 0018)
 0017: 06 00 00 00000001   ret KILL
 0018: 15 00 01 0000006e   jeq 6e 0019 (false 001a)
 0019: 06 00 00 00000001   ret KILL
 001a: 15 00 01 00000065   jeq 65 001b (false 001c)
 001b: 06 00 00 00000001   ret KILL
 001c: 15 00 01 00000121   jeq 121 001d (false 001e)
 001d: 06 00 00 00000001   ret KILL
 001e: 15 00 01 00000057   jeq 57 001f (false 0020)
 001f: 06 00 00 00000001   ret KILL
 0020: 15 00 01 00000073   jeq 73 0021 (false 0022)
 0021: 06 00 00 00000001   ret KILL
 0022: 15 00 01 00000067   jeq 67 0023 (false 0024)
 0023: 06 00 00 00000001   ret KILL
 0024: 15 00 01 0000015b   jeq 15b 0025 (false 0026)
 0025: 06 00 00 00000001   ret KILL
 0026: 15 00 01 0000015c   jeq 15c 0027 (false 0028)
 0027: 06 00 00 00000001   ret KILL
 0028: 15 00 01 00000087   jeq 87 0029 (false 002a)
 0029: 06 00 00 00000001   ret KILL
 002a: 15 00 01 00000095   jeq 95 002b (false 002c)
 002b: 06 00 00 00000001   ret KILL
 002c: 15 00 01 0000007c   jeq 7c 002d (false 002e)
 002d: 06 00 00 00000001   ret KILL
 002e: 15 00 01 00000157   jeq 157 002f (false 0030)
 002f: 06 00 00 00000001   ret KILL
 0030: 15 00 01 000000fd   jeq fd 0031 (false 0032)
 0031: 06 00 00 00000001   ret KILL
 0032: 15 00 01 00000150   jeq 150 0033 (false 0034)
 0033: 06 00 00 00000001   ret KILL
 0034: 15 00 01 00000152   jeq 152 0035 (false 0036)
 0035: 06 00 00 00000001   ret KILL
 0036: 15 00 01 0000015d   jeq 15d 0037 (false 0038)
 0037: 06 00 00 00000001   ret KILL
 0038: 15 00 01 0000011e   jeq 11e 0039 (false 003a)
 0039: 06 00 00 00000001   ret KILL
 003a: 15 00 01 0000011f   jeq 11f 003b (false 003c)
 003b: 06 00 00 00000001   ret KILL
 003c: 15 00 01 00000120   jeq 120 003d (false 003e)
 003d: 06 00 00 00000001   ret KILL
 003e: 15 00 01 00000056   jeq 56 003f (false 0040)
 003f: 06 00 00 00000001   ret KILL
 0040: 15 00 01 00000033   jeq 33 0041 (false 0042)
 0041: 06 00 00 00000001   ret KILL
 0042: 15 00 01 0000007b   jeq 7b 0043 (false 0044)
 0043: 06 00 00 00000001   ret KILL
 0044: 15 00 01 000000d9   jeq d9 0045 (false 0046)
 0045: 06 00 00 00000001   ret KILL
 0046: 15 00 01 000000f5   jeq f5 0047 (false 0048)
 0047: 06 00 00 00000001   ret KILL
 0048: 15 00 01 000000f6   jeq f6 0049 (false 004a)
 0049: 06 00 00 00000001   ret KILL
 004a: 15 00 01 000000f7   jeq f7 004b (false 004c)
 004b: 06 00 00 00000001   ret KILL
 004c: 15 00 01 000000f8   jeq f8 004d (false 004e)
 004d: 06 00 00 00000001   ret KILL
 004e: 15 00 01 000000f9   jeq f9 004f (false 0050)
 004f: 06 00 00 00000001   ret KILL
 0050: 15 00 01 00000101   jeq 101 0051 (false 0052)
 0051: 06 00 00 00000001   ret KILL
 0052: 15 00 01 00000112   jeq 112 0053 (false 0054)
 0053: 06 00 00 00000001   ret KILL
 0054: 15 00 01 00000114   jeq 114 0055 (false 0056)
 0055: 06 00 00 00000001   ret KILL
 0056: 15 00 01 00000126   jeq 126 0057 (false 0058)
 0057: 06 00 00 00000001   ret KILL
 0058: 15 00 01 0000013d   jeq 13d 0059 (false 005a)
 0059: 06 00 00 00000001   ret KILL
 005a: 15 00 01 0000013c   jeq 13c 005b (false 005c)
 005b: 06 00 00 00000001   ret KILL
 005c: 15 00 01 0000003d   jeq 3d 005d (false 005e)
 005d: 06 00 00 00000001   ret KILL
 005e: 15 00 01 00000058   jeq 58 005f (false 0060)
 005f: 06 00 00 00000001   ret KILL
 0060: 15 00 01 000000a9   jeq a9 0061 (false 0062)
 0061: 06 00 00 00000001   ret KILL
 0062: 15 00 01 00000082   jeq 82 0063 (false 0064)
 0063: 06 00 00 00000001   ret KILL
 0064: 06 00 00 7fff0000   ret ALLOW
Dual 32/64 bit seccomp filter configured
Build default+drop seccomp filter
sbox run: /run/firejail/lib/fseccomp default drop /run/firejail/mnt/seccomp/seccomp /run/firejail/mnt/seccomp/seccomp.postexec !chroot 
Dropping all capabilities
Drop privileges: pid 36, uid 1000, gid 100, nogroups 1
No supplementary groups
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
sbox run: /run/firejail/lib/fsec-optimize /run/firejail/mnt/seccomp/seccomp 
Dropping all capabilities
Drop privileges: pid 37, uid 1000, gid 100, nogroups 1
No supplementary groups
configuring 136 seccomp entries in /run/firejail/mnt/seccomp/seccomp
sbox run: /usr/lib/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp 
Dropping all capabilities
Drop privileges: pid 38, uid 1000, gid 100, nogroups 1
No supplementary groups
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 35 01 00 40000000   jge X32_ABI 0006 (false 0005)
 0005: 35 01 00 00000000   jge read 0007 (false 0006)
 0006: 06 00 00 00050001   ret ERRNO(1)
 0007: 15 00 01 000000a1   jeq chroot 0008 (false 0009)
 0008: 06 00 00 7fff0000   ret ALLOW
 0009: 15 00 01 0000009f   jeq adjtimex 000a (false 000b)
 000a: 06 00 00 00050001   ret ERRNO(1)
 000b: 15 00 01 00000131   jeq clock_adjtime 000c (false 000d)
 000c: 06 00 00 00050001   ret ERRNO(1)
 000d: 15 00 01 000000e3   jeq clock_settime 000e (false 000f)
 000e: 06 00 00 00050001   ret ERRNO(1)
 000f: 15 00 01 000000a4   jeq settimeofday 0010 (false 0011)
 0010: 06 00 00 00050001   ret ERRNO(1)
 0011: 15 00 01 0000009a   jeq modify_ldt 0012 (false 0013)
 0012: 06 00 00 00050001   ret ERRNO(1)
 0013: 15 00 01 000000d4   jeq lookup_dcookie 0014 (false 0015)
 0014: 06 00 00 00050001   ret ERRNO(1)
 0015: 15 00 01 0000012a   jeq perf_event_open 0016 (false 0017)
 0016: 06 00 00 00050001   ret ERRNO(1)
 0017: 15 00 01 00000137   jeq process_vm_writev 0018 (false 0019)
 0018: 06 00 00 00050001   ret ERRNO(1)
 0019: 15 00 01 000000b0   jeq delete_module 001a (false 001b)
 001a: 06 00 00 00050001   ret ERRNO(1)
 001b: 15 00 01 00000139   jeq finit_module 001c (false 001d)
 001c: 06 00 00 00050001   ret ERRNO(1)
 001d: 15 00 01 000000af   jeq init_module 001e (false 001f)
 001e: 06 00 00 00050001   ret ERRNO(1)
 001f: 15 00 01 000000a1   jeq chroot 0020 (false 0021)
 0020: 06 00 00 00050001   ret ERRNO(1)
 0021: 15 00 01 000000a5   jeq mount 0022 (false 0023)
 0022: 06 00 00 00050001   ret ERRNO(1)
 0023: 15 00 01 0000009b   jeq pivot_root 0024 (false 0025)
 0024: 06 00 00 00050001   ret ERRNO(1)
 0025: 15 00 01 000000a6   jeq umount2 0026 (false 0027)
 0026: 06 00 00 00050001   ret ERRNO(1)
 0027: 15 00 01 0000009c   jeq _sysctl 0028 (false 0029)
 0028: 06 00 00 00050001   ret ERRNO(1)
 0029: 15 00 01 000000b7   jeq afs_syscall 002a (false 002b)
 002a: 06 00 00 00050001   ret ERRNO(1)
 002b: 15 00 01 000000ae   jeq create_module 002c (false 002d)
 002c: 06 00 00 00050001   ret ERRNO(1)
 002d: 15 00 01 000000b1   jeq get_kernel_syms 002e (false 002f)
 002e: 06 00 00 00050001   ret ERRNO(1)
 002f: 15 00 01 000000b5   jeq getpmsg 0030 (false 0031)
 0030: 06 00 00 00050001   ret ERRNO(1)
 0031: 15 00 01 000000b6   jeq putpmsg 0032 (false 0033)
 0032: 06 00 00 00050001   ret ERRNO(1)
 0033: 15 00 01 000000b2   jeq query_module 0034 (false 0035)
 0034: 06 00 00 00050001   ret ERRNO(1)
 0035: 15 00 01 000000b9   jeq security 0036 (false 0037)
 0036: 06 00 00 00050001   ret ERRNO(1)
 0037: 15 00 01 0000008b   jeq sysfs 0038 (false 0039)
 0038: 06 00 00 00050001   ret ERRNO(1)
 0039: 15 00 01 000000b8   jeq tuxcall 003a (false 003b)
 003a: 06 00 00 00050001   ret ERRNO(1)
 003b: 15 00 01 00000086   jeq uselib 003c (false 003d)
 003c: 06 00 00 00050001   ret ERRNO(1)
 003d: 15 00 01 00000088   jeq ustat 003e (false 003f)
 003e: 06 00 00 00050001   ret ERRNO(1)
 003f: 15 00 01 000000ec   jeq vserver 0040 (false 0041)
 0040: 06 00 00 00050001   ret ERRNO(1)
 0041: 15 00 01 000000ad   jeq ioperm 0042 (false 0043)
 0042: 06 00 00 00050001   ret ERRNO(1)
 0043: 15 00 01 000000ac   jeq iopl 0044 (false 0045)
 0044: 06 00 00 00050001   ret ERRNO(1)
 0045: 15 00 01 000000f6   jeq kexec_load 0046 (false 0047)
 0046: 06 00 00 00050001   ret ERRNO(1)
 0047: 15 00 01 00000140   jeq kexec_file_load 0048 (false 0049)
 0048: 06 00 00 00050001   ret ERRNO(1)
 0049: 15 00 01 000000a9   jeq reboot 004a (false 004b)
 004a: 06 00 00 00050001   ret ERRNO(1)
 004b: 15 00 01 000000a7   jeq swapon 004c (false 004d)
 004c: 06 00 00 00050001   ret ERRNO(1)
 004d: 15 00 01 000000a8   jeq swapoff 004e (false 004f)
 004e: 06 00 00 00050001   ret ERRNO(1)
 004f: 15 00 01 00000130   jeq open_by_handle_at 0050 (false 0051)
 0050: 06 00 00 00050001   ret ERRNO(1)
 0051: 15 00 01 0000012f   jeq name_to_handle_at 0052 (false 0053)
 0052: 06 00 00 00050001   ret ERRNO(1)
 0053: 15 00 01 000000fb   jeq ioprio_set 0054 (false 0055)
 0054: 06 00 00 00050001   ret ERRNO(1)
 0055: 15 00 01 00000067   jeq syslog 0056 (false 0057)
 0056: 06 00 00 00050001   ret ERRNO(1)
 0057: 15 00 01 0000012c   jeq fanotify_init 0058 (false 0059)
 0058: 06 00 00 00050001   ret ERRNO(1)
 0059: 15 00 01 00000138   jeq kcmp 005a (false 005b)
 005a: 06 00 00 00050001   ret ERRNO(1)
 005b: 15 00 01 000000f8   jeq add_key 005c (false 005d)
 005c: 06 00 00 00050001   ret ERRNO(1)
 005d: 15 00 01 000000f9   jeq request_key 005e (false 005f)
 005e: 06 00 00 00050001   ret ERRNO(1)
 005f: 15 00 01 000000ed   jeq mbind 0060 (false 0061)
 0060: 06 00 00 00050001   ret ERRNO(1)
 0061: 15 00 01 00000100   jeq migrate_pages 0062 (false 0063)
 0062: 06 00 00 00050001   ret ERRNO(1)
 0063: 15 00 01 00000117   jeq move_pages 0064 (false 0065)
 0064: 06 00 00 00050001   ret ERRNO(1)
 0065: 15 00 01 000000fa   jeq keyctl 0066 (false 0067)
 0066: 06 00 00 00050001   ret ERRNO(1)
 0067: 15 00 01 000000ce   jeq io_setup 0068 (false 0069)
 0068: 06 00 00 00050001   ret ERRNO(1)
 0069: 15 00 01 000000cf   jeq io_destroy 006a (false 006b)
 006a: 06 00 00 00050001   ret ERRNO(1)
 006b: 15 00 01 000000d0   jeq io_getevents 006c (false 006d)
 006c: 06 00 00 00050001   ret ERRNO(1)
 006d: 15 00 01 000000d1   jeq io_submit 006e (false 006f)
 006e: 06 00 00 00050001   ret ERRNO(1)
 006f: 15 00 01 000000d2   jeq io_cancel 0070 (false 0071)
 0070: 06 00 00 00050001   ret ERRNO(1)
 0071: 15 00 01 000000d8   jeq remap_file_pages 0072 (false 0073)
 0072: 06 00 00 00050001   ret ERRNO(1)
 0073: 15 00 01 00000143   jeq userfaultfd 0074 (false 0075)
 0074: 06 00 00 00050001   ret ERRNO(1)
 0075: 15 00 01 000000a3   jeq acct 0076 (false 0077)
 0076: 06 00 00 00050001   ret ERRNO(1)
 0077: 15 00 01 00000141   jeq bpf 0078 (false 0079)
 0078: 06 00 00 00050001   ret ERRNO(1)
 0079: 15 00 01 000000b4   jeq nfsservctl 007a (false 007b)
 007a: 06 00 00 00050001   ret ERRNO(1)
 007b: 15 00 01 000000ab   jeq setdomainname 007c (false 007d)
 007c: 06 00 00 00050001   ret ERRNO(1)
 007d: 15 00 01 000000aa   jeq sethostname 007e (false 007f)
 007e: 06 00 00 00050001   ret ERRNO(1)
 007f: 15 00 01 00000099   jeq vhangup 0080 (false 0081)
 0080: 06 00 00 00050001   ret ERRNO(1)
 0081: 15 00 01 00000065   jeq ptrace 0082 (false 0083)
 0082: 06 00 00 00050001   ret ERRNO(1)
 0083: 15 00 01 00000087   jeq personality 0084 (false 0085)
 0084: 06 00 00 00050001   ret ERRNO(1)
 0085: 15 00 01 00000136   jeq process_vm_readv 0086 (false 0087)
 0086: 06 00 00 00050001   ret ERRNO(1)
 0087: 06 00 00 7fff0000   ret ALLOW
seccomp filter configured
Mounting read-only /run/firejail/mnt/seccomp
1848 1278 0:66 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755,inode64
mountid=1848 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs
Seccomp directory:
ls /run/firejail/mnt/seccomp
drwxr-xr-x root     root             160 .
drwxr-xr-x root     root             380 ..
-rw-r--r-- 1000     users           1088 seccomp
-rw-r--r-- 1000     users            808 seccomp.32
-rw-r--r-- 1000     users            114 seccomp.list
-rw-r--r-- 1000     users              0 seccomp.postexec
-rw-r--r-- 1000     users              0 seccomp.postexec32
-rw-r--r-- 1000     users            176 seccomp.protocol
Active seccomp files:
cat /run/firejail/mnt/seccomp/seccomp.list
/run/firejail/mnt/seccomp/seccomp.protocol
/run/firejail/mnt/seccomp/seccomp.32
/run/firejail/mnt/seccomp/seccomp
Dropping all capabilities
noroot user namespace installed
Dropping all capabilities
NO_NEW_PRIVS set
Drop privileges: pid 1, uid 1000, gid 100, nogroups 1
No supplementary groups
starting application
LD_PRELOAD=(null)
Running 'discord'  command through /bin/bash
execvp argument 0: /bin/bash
execvp argument 1: -c
execvp argument 2: 'discord' 
Child process initialized in 815.66 ms
Installing /run/firejail/mnt/seccomp/seccomp seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter
monitoring pid 39

[39:1114/235127.042627:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/discord/chrome-sandbox is owned by root and has mode 4755.
Sandbox monitor: waitpid 39 retval 39 status 133

Parent is shutting down, bye...
Originally created by @seonwoolee on GitHub (Nov 15, 2020). Original GitHub issue: https://github.com/netblue30/firejail/issues/3754 **Bug and expected behavior** To be clear, I'm not calling this a bug, but seeking support. Discord works perfectly fine with the default profile and default kernel on my Arch Linux system. However, when I use the [linux-hardened kernel](https://github.com/anthraxx/linux-hardened), I get the error `The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/discord/chrome-sandbox is owned by root and has mode 4755` And `/opt/discord/chrome-sandbox` does have the correct permissions (because again, this works perfectly fine with the standard Linux kernel. ``` $ ls -alh /opt/discord drwxr-xr-x 5 root root 19 Oct 30 09:59 . drwxr-xr-x 11 root root 11 Nov 9 21:55 .. -rwxr-xr-x 1 root root 110M Oct 22 10:38 Discord -rwsr-xr-x 1 root root 235K Oct 22 10:38 chrome-sandbox -rw-r--r-- 1 root root 174K Oct 22 10:38 chrome_100_percent.pak -rw-r--r-- 1 root root 310K Oct 22 10:38 chrome_200_percent.pak -rw-r--r-- 1 root root 313 Oct 22 10:38 discord.desktop -rw-r--r-- 1 root root 29K Oct 22 10:38 discord.png -rw-r--r-- 1 root root 10M Oct 22 10:38 icudtl.dat -rw-r--r-- 1 root root 243K Oct 22 10:38 libEGL.so -rw-r--r-- 1 root root 8.0M Oct 22 10:38 libGLESv2.so -rw-r--r-- 1 root root 2.9M Oct 22 10:38 libffmpeg.so drwxr-xr-x 2 root root 55 Oct 30 09:59 locales -rw-r--r-- 1 root root 81K Oct 22 10:38 natives_blob.bin drwxr-xr-x 3 root root 5 Oct 30 09:59 resources -rw-r--r-- 1 root root 8.3M Oct 22 10:38 resources.pak -rw-r--r-- 1 root root 274K Oct 22 10:38 snapshot_blob.bin drwxr-xr-x 2 root root 5 Oct 30 09:59 swiftshader -rw-r--r-- 1 root root 685K Oct 22 10:38 v8_context_snapshot.bin ``` How can I determine what kernel parameter I need to change to make this work while using the hardened kernel? **Environment** - Arch Linux ``` firejail version 0.9.64 Compile time support: - AppArmor support is enabled - AppImage support is enabled - chroot support is enabled - D-BUS proxy support is enabled - file and directory whitelisting support is enabled - file transfer support is enabled - firetunnel support is enabled - networking support is enabled - overlayfs support is enabled - private-home support is enabled - SELinux support is disabled - user namespace support is enabled - X11 sandboxing support is enabled ``` **Checklist** - [x] The upstream profile (and redirect profile if exists) have no changes fixing it. - [x] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`) - [x] Programs needed for interaction are listed in the profile. - [x] A short search for duplicates was performed. - [] If it is a AppImage, `--profile=PROFILENAME` is used to set the right profile. - [x] Used `LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 PROGRAM` to get english error-messages. <details><summary> debug output </summary> ``` $ firejail --debug discord Autoselecting /bin/bash as shell Building quoted command line: 'discord' Command name #discord# Found discord.profile profile in /etc/firejail directory Reading profile /etc/firejail/discord.profile Found globals.local profile in /home/seonwoo/.config/firejail directory Reading profile /home/seonwoo/.config/firejail/globals.local Found discord-common.profile profile in /etc/firejail directory Reading profile /etc/firejail/discord-common.profile Found disable-common.inc profile in /etc/firejail directory Reading profile /etc/firejail/disable-common.inc Found disable-devel.inc profile in /etc/firejail directory Reading profile /etc/firejail/disable-devel.inc Found disable-exec.inc profile in /etc/firejail directory Reading profile /etc/firejail/disable-exec.inc Found disable-passwdmgr.inc profile in /etc/firejail directory Reading profile /etc/firejail/disable-passwdmgr.inc Found disable-programs.inc profile in /etc/firejail directory Reading profile /etc/firejail/disable-programs.inc Found whitelist-common.inc profile in /etc/firejail directory Reading profile /etc/firejail/whitelist-common.inc Found whitelist-var-common.inc profile in /etc/firejail directory Reading profile /etc/firejail/whitelist-var-common.inc Seccomp list in: !chroot, check list: @default-keep, prelist: unknown, DISPLAY=:0.0 parsed as 0 Using the local network stack Parent pid 504567, child pid 504568 Initializing child process Host network configured PID namespace installed Mounting tmpfs on /run/firejail/mnt directory Creating empty /run/firejail/mnt/seccomp directory Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file Build protocol filter: unix,inet,inet6,netlink sbox run: /run/firejail/lib/fseccomp protocol build unix,inet,inet6,netlink /run/firejail/mnt/seccomp/seccomp.protocol Dropping all capabilities Drop privileges: pid 2, uid 1000, gid 100, nogroups 1 No supplementary groups Mounting /proc filesystem representing the PID namespace Basic read-only filesystem: Mounting read-only /etc 1301 800 0:24 /etc /etc ro,relatime master:1 - zfs zroot/enc/permanent/root rw,xattr,posixacl mountid=1301 fsname=/etc dir=/etc fstype=zfs Mounting noexec /etc 1506 1301 0:24 /etc /etc ro,nosuid,nodev,noexec,relatime master:1 - zfs zroot/enc/permanent/root rw,xattr,posixacl mountid=1506 fsname=/etc dir=/etc fstype=zfs Mounting read-only /var 1509 1507 0:53 / /var/lib/docker rw,noatime master:75 - zfs zroot/enc/ephemeral/docker rw,xattr,posixacl mountid=1509 fsname=/ dir=/var/lib/docker fstype=zfs Mounting read-only /var/lib/docker 1510 1509 0:53 / /var/lib/docker ro,noatime master:75 - zfs zroot/enc/ephemeral/docker rw,xattr,posixacl mountid=1510 fsname=/ dir=/var/lib/docker fstype=zfs Mounting noexec /var 1567 1566 0:53 / /var/lib/docker ro,noatime master:75 - zfs zroot/enc/ephemeral/docker rw,xattr,posixacl mountid=1567 fsname=/ dir=/var/lib/docker fstype=zfs Mounting noexec /var/lib/docker 1569 1567 0:53 / /var/lib/docker ro,nosuid,nodev,noexec,noatime master:75 - zfs zroot/enc/ephemeral/docker rw,xattr,posixacl mountid=1569 fsname=/ dir=/var/lib/docker fstype=zfs Mounting read-only /usr 1570 800 0:24 /usr /usr ro,relatime master:1 - zfs zroot/enc/permanent/root rw,xattr,posixacl mountid=1570 fsname=/usr dir=/usr fstype=zfs Mounting tmpfs on /var/lock Mounting tmpfs on /var/tmp Mounting tmpfs on /var/log Create the new utmp file Mount the new utmp file Cleaning /home directory Cleaning /run/user directory Sanitizing /etc/passwd, UID_MIN 1000 Sanitizing /etc/group, GID_MIN 1000 Disable /home/seonwoo/.config/firejail Disable /run/firejail/network Disable /run/firejail/bandwidth Disable /run/firejail/name Disable /run/firejail/profile Disable /run/firejail/x11 Drop privileges: pid 3, uid 1000, gid 100, nogroups 0 Warning: cleaning all supplementary groups Mounting a new /root directory Mounting a new /home directory Create a new user directory Drop privileges: pid 4, uid 1000, gid 100, nogroups 0 Warning: cleaning all supplementary groups Drop privileges: pid 5, uid 1000, gid 100, nogroups 0 Warning: cleaning all supplementary groups Mounting tmpfs on /dev mounting /run/firejail/mnt/dev/snd directory mounting /run/firejail/mnt/dev/dri directory Process /dev/shm directory Copying files in the new /opt directory: copying /opt/discord to private /opt Creating empty /run/firejail/mnt/opt/discord directory sbox run: /run/firejail/lib/fcopy /opt/discord /run/firejail/mnt/opt/discord Mount-bind /run/firejail/mnt/opt on top of /opt Private /opt installed in 535.89 ms Copying files in the new bin directory Checking /usr/local/bin/discord Checking /usr/bin/discord file /opt/discord/Discord not found sbox run: /run/firejail/lib/fcopy /usr/bin/discord /run/firejail/mnt/bin Checking /usr/local/bin/bash Checking /usr/bin/bash sbox run: /run/firejail/lib/fcopy /usr/bin/bash /run/firejail/mnt/bin Checking /usr/local/bin/cut Checking /usr/bin/cut sbox run: /run/firejail/lib/fcopy /usr/bin/cut /run/firejail/mnt/bin Checking /usr/local/bin/echo Checking /usr/bin/echo sbox run: /run/firejail/lib/fcopy /usr/bin/echo /run/firejail/mnt/bin Checking /usr/local/bin/egrep Checking /usr/bin/egrep sbox run: /run/firejail/lib/fcopy /usr/bin/egrep /run/firejail/mnt/bin Checking /usr/local/bin/fish Checking /usr/bin/fish Checking /bin/fish Checking /usr/games/fish Checking /usr/local/games/fish Checking /usr/local/sbin/fish Checking /usr/sbin/fish Checking /sbin/fish Warning: file fish not found Checking /usr/local/bin/grep Checking /usr/bin/grep sbox run: /run/firejail/lib/fcopy /usr/bin/grep /run/firejail/mnt/bin Checking /usr/local/bin/head Checking /usr/bin/head sbox run: /run/firejail/lib/fcopy /usr/bin/head /run/firejail/mnt/bin Checking /usr/local/bin/sed Checking /usr/bin/sed sbox run: /run/firejail/lib/fcopy /usr/bin/sed /run/firejail/mnt/bin Checking /usr/local/bin/sh Checking /usr/bin/sh sbox run: /run/firejail/lib/fcopy /usr/bin/bash /run/firejail/mnt/bin sbox run: /run/firejail/lib/fcopy /usr/bin/sh /run/firejail/mnt/bin Checking /usr/local/bin/tclsh Checking /usr/bin/tclsh sbox run: /run/firejail/lib/fcopy /usr/bin/tclsh8.6 /run/firejail/mnt/bin sbox run: /run/firejail/lib/fcopy /usr/bin/tclsh /run/firejail/mnt/bin Checking /usr/local/bin/tr Checking /usr/bin/tr sbox run: /run/firejail/lib/fcopy /usr/bin/tr /run/firejail/mnt/bin Checking /usr/local/bin/xdg-mime Checking /usr/bin/xdg-mime sbox run: /run/firejail/lib/fcopy /usr/bin/xdg-mime /run/firejail/mnt/bin Checking /usr/local/bin/xdg-open Checking /usr/bin/xdg-open sbox run: /run/firejail/lib/fcopy /usr/bin/xdg-open /run/firejail/mnt/bin Checking /usr/local/bin/zsh Checking /usr/bin/zsh sbox run: /run/firejail/lib/fcopy /usr/bin/zsh /run/firejail/mnt/bin Mount-bind /run/firejail/mnt/bin on top of /usr/local/bin Mount-bind /run/firejail/mnt/bin on top of /usr/bin Mount-bind /run/firejail/mnt/bin on top of /bin Mount-bind /run/firejail/mnt/bin on top of /usr/local/games Mount-bind /run/firejail/mnt/bin on top of /usr/local/sbin Mount-bind /run/firejail/mnt/bin on top of /usr/sbin Mount-bind /run/firejail/mnt/bin on top of /sbin 16 programs installed in 27.33 ms Generate private-tmp whitelist commands blacklist /run/firejail/dbus Mounting read-only /proc/sys Remounting /sys directory Disable /sys/firmware Disable /sys/hypervisor Disable /sys/power Disable /proc/sys/fs/binfmt_misc Disable /proc/sys/kernel/core_pattern Disable /proc/sys/kernel/modprobe Disable /proc/sysrq-trigger Disable /proc/sys/vm/panic_on_oom Disable /proc/irq Disable /proc/bus Disable /proc/sched_debug Disable /proc/timer_list Disable /proc/kallsyms Disable /usr/lib/modules/5.9.8-arch1-1/build (requested /usr/src/linux) Disable /usr/lib/modules (requested /lib/modules) Disable /boot Disable /run/user/1000/gnupg Disable /run/user/1000/systemd Disable /proc/kmsg Copying files in the new /etc directory: Warning: file /etc/alternatives not found. Warning: skipping alternatives for private /etc copying /etc/ca-certificates to private /etc Creating empty /run/firejail/mnt/etc/ca-certificates directory sbox run: /run/firejail/lib/fcopy /etc/ca-certificates /run/firejail/mnt/etc/ca-certificates Warning: file /etc/crypto-policies not found. Warning: skipping crypto-policies for private /etc copying /etc/fonts to private /etc Creating empty /run/firejail/mnt/etc/fonts directory sbox run: /run/firejail/lib/fcopy /etc/fonts /run/firejail/mnt/etc/fonts copying /etc/group to private /etc sbox run: /run/firejail/lib/fcopy /etc/group /run/firejail/mnt/etc copying /etc/ld.so.cache to private /etc sbox run: /run/firejail/lib/fcopy /etc/ld.so.cache /run/firejail/mnt/etc copying /etc/localtime to private /etc sbox run: /run/firejail/lib/fcopy /etc/localtime /run/firejail/mnt/etc copying /etc/login.defs to private /etc sbox run: /run/firejail/lib/fcopy /etc/login.defs /run/firejail/mnt/etc copying /etc/machine-id to private /etc sbox run: /run/firejail/lib/fcopy /etc/machine-id /run/firejail/mnt/etc Warning: file /etc/password not found. Warning: skipping password for private /etc Warning: file /etc/pki not found. Warning: skipping pki for private /etc copying /etc/resolv.conf to private /etc sbox run: /run/firejail/lib/fcopy /etc/resolv.conf /run/firejail/mnt/etc copying /etc/ssl to private /etc Creating empty /run/firejail/mnt/etc/ssl directory sbox run: /run/firejail/lib/fcopy /etc/ssl /run/firejail/mnt/etc/ssl Mount-bind /run/firejail/mnt/etc on top of /etc Private /etc installed in 57.94 ms Cannot find /usr/etc Debug 456: new_name #/home/seonwoo/.config/discord#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/discord expanded: /home/seonwoo/.config/discord real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.config/BetterDiscord#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/BetterDiscord expanded: /home/seonwoo/.config/BetterDiscord real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.local/share/betterdiscordctl#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.local/share/betterdiscordctl expanded: /home/seonwoo/.local/share/betterdiscordctl real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.XCompose#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.XCompose expanded: /home/seonwoo/.XCompose real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.asoundrc#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.asoundrc expanded: /home/seonwoo/.asoundrc real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.config/ibus#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/ibus expanded: /home/seonwoo/.config/ibus real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.config/mimeapps.list#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/mimeapps.list expanded: /home/seonwoo/.config/mimeapps.list real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.config/pkcs11#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/pkcs11 expanded: /home/seonwoo/.config/pkcs11 real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.config/user-dirs.dirs#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/user-dirs.dirs expanded: /home/seonwoo/.config/user-dirs.dirs real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.config/user-dirs.locale#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/user-dirs.locale expanded: /home/seonwoo/.config/user-dirs.locale real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.drirc#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.drirc expanded: /home/seonwoo/.drirc real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.icons#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.icons expanded: /home/seonwoo/.icons real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.local/share/applications#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.local/share/applications expanded: /home/seonwoo/.local/share/applications real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.local/share/icons#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.local/share/icons expanded: /home/seonwoo/.local/share/icons real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.local/share/mime#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.local/share/mime expanded: /home/seonwoo/.local/share/mime real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.mime.types#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.mime.types expanded: /home/seonwoo/.mime.types real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.uim.d#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.uim.d expanded: /home/seonwoo/.uim.d real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.config/dconf#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/dconf expanded: /home/seonwoo/.config/dconf real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.cache/fontconfig#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.cache/fontconfig expanded: /home/seonwoo/.cache/fontconfig real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.config/fontconfig#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/fontconfig expanded: /home/seonwoo/.config/fontconfig real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.fontconfig#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.fontconfig expanded: /home/seonwoo/.fontconfig real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.fonts#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.fonts expanded: /home/seonwoo/.fonts real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.fonts.conf#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.fonts.conf expanded: /home/seonwoo/.fonts.conf real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.fonts.conf.d#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.fonts.conf.d expanded: /home/seonwoo/.fonts.conf.d real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.fonts.d#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.fonts.d expanded: /home/seonwoo/.fonts.d real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.local/share/fonts#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.local/share/fonts expanded: /home/seonwoo/.local/share/fonts real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.pangorc#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.pangorc expanded: /home/seonwoo/.pangorc real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.config/gtk-2.0#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/gtk-2.0 expanded: /home/seonwoo/.config/gtk-2.0 real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.config/gtk-3.0#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/gtk-3.0 expanded: /home/seonwoo/.config/gtk-3.0 real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.config/gtk-4.0#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/gtk-4.0 expanded: /home/seonwoo/.config/gtk-4.0 real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.config/gtkrc#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/gtkrc expanded: /home/seonwoo/.config/gtkrc real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.config/gtkrc-2.0#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/gtkrc-2.0 expanded: /home/seonwoo/.config/gtkrc-2.0 real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.gnome2#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.gnome2 expanded: /home/seonwoo/.gnome2 real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.gnome2-private#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.gnome2-private expanded: /home/seonwoo/.gnome2-private real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.gtk-2.0#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.gtk-2.0 expanded: /home/seonwoo/.gtk-2.0 real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.gtkrc#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.gtkrc expanded: /home/seonwoo/.gtkrc real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.gtkrc-2.0#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.gtkrc-2.0 expanded: /home/seonwoo/.gtkrc-2.0 real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.kde/share/config/gtkrc#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/gtkrc expanded: /home/seonwoo/.kde/share/config/gtkrc real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.kde/share/config/gtkrc-2.0#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/gtkrc-2.0 expanded: /home/seonwoo/.kde/share/config/gtkrc-2.0 real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.kde4/share/config/gtkrc#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/gtkrc expanded: /home/seonwoo/.kde4/share/config/gtkrc real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.kde4/share/config/gtkrc-2.0#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/gtkrc-2.0 expanded: /home/seonwoo/.kde4/share/config/gtkrc-2.0 real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.local/share/themes#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.local/share/themes expanded: /home/seonwoo/.local/share/themes real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.themes#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.themes expanded: /home/seonwoo/.themes real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.cache/kioexec/krun#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.cache/kioexec/krun expanded: /home/seonwoo/.cache/kioexec/krun real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.config/Kvantum#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/Kvantum expanded: /home/seonwoo/.config/Kvantum real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.config/Trolltech.conf#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/Trolltech.conf expanded: /home/seonwoo/.config/Trolltech.conf real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.config/kdeglobals#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/kdeglobals expanded: /home/seonwoo/.config/kdeglobals real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.config/kio_httprc#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/kio_httprc expanded: /home/seonwoo/.config/kio_httprc real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.config/kioslaverc#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/kioslaverc expanded: /home/seonwoo/.config/kioslaverc real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.config/ksslcablacklist#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/ksslcablacklist expanded: /home/seonwoo/.config/ksslcablacklist real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.config/qt5ct#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/qt5ct expanded: /home/seonwoo/.config/qt5ct real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.kde/share/config/kdeglobals#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/kdeglobals expanded: /home/seonwoo/.kde/share/config/kdeglobals real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.kde/share/config/kio_httprc#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/kio_httprc expanded: /home/seonwoo/.kde/share/config/kio_httprc real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.kde/share/config/kioslaverc#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/kioslaverc expanded: /home/seonwoo/.kde/share/config/kioslaverc real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.kde/share/config/ksslcablacklist#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/ksslcablacklist expanded: /home/seonwoo/.kde/share/config/ksslcablacklist real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.kde/share/config/oxygenrc#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/oxygenrc expanded: /home/seonwoo/.kde/share/config/oxygenrc real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.kde/share/icons#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/icons expanded: /home/seonwoo/.kde/share/icons real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.kde4/share/config/kdeglobals#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/kdeglobals expanded: /home/seonwoo/.kde4/share/config/kdeglobals real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.kde4/share/config/kio_httprc#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/kio_httprc expanded: /home/seonwoo/.kde4/share/config/kio_httprc real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.kde4/share/config/kioslaverc#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/kioslaverc expanded: /home/seonwoo/.kde4/share/config/kioslaverc real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.kde4/share/config/ksslcablacklist#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/ksslcablacklist expanded: /home/seonwoo/.kde4/share/config/ksslcablacklist real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.kde4/share/config/oxygenrc#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/oxygenrc expanded: /home/seonwoo/.kde4/share/config/oxygenrc real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.kde4/share/icons#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/icons expanded: /home/seonwoo/.kde4/share/icons real path: (null) realpath: No such file or directory Debug 456: new_name #/home/seonwoo/.local/share/qt5ct#, whitelist Removed whitelist/nowhitelist path: whitelist ${HOME}/.local/share/qt5ct expanded: /home/seonwoo/.local/share/qt5ct real path: (null) realpath: No such file or directory Debug 456: new_name #/var/lib/ca-certificates#, whitelist Removed whitelist/nowhitelist path: whitelist /var/lib/ca-certificates expanded: /var/lib/ca-certificates real path: (null) realpath: No such file or directory Debug 456: new_name #/var/lib/dbus#, whitelist Debug 456: new_name #/var/lib/menu-xdg#, whitelist Removed whitelist/nowhitelist path: whitelist /var/lib/menu-xdg expanded: /var/lib/menu-xdg real path: (null) realpath: No such file or directory Debug 456: new_name #/var/lib/uim#, whitelist Removed whitelist/nowhitelist path: whitelist /var/lib/uim expanded: /var/lib/uim real path: (null) realpath: No such file or directory Debug 456: new_name #/var/cache/fontconfig#, whitelist Debug 456: new_name #/var/tmp#, whitelist Debug 456: new_name #/var/run#, whitelist Replaced whitelist path: whitelist /run Debug 456: new_name #/var/lock#, whitelist Replaced whitelist path: whitelist /run/lock Debug 456: new_name #/tmp/.X11-unix#, whitelist Mounting tmpfs on /tmp directory Mounting tmpfs on /var directory Whitelisting /var/lib/dbus 1808 1807 0:24 /var/lib/dbus /var/lib/dbus ro,nosuid,nodev,noexec,relatime master:1 - zfs zroot/enc/permanent/root rw,xattr,posixacl mountid=1808 fsname=/var/lib/dbus dir=/var/lib/dbus fstype=zfs Whitelisting /var/cache/fontconfig 1809 1807 0:24 /var/cache/fontconfig /var/cache/fontconfig ro,nosuid,nodev,noexec,relatime master:1 - zfs zroot/enc/permanent/root rw,xattr,posixacl mountid=1809 fsname=/var/cache/fontconfig dir=/var/cache/fontconfig fstype=zfs Whitelisting /var/tmp 1810 1807 0:137 / /var/tmp rw,nosuid,nodev,noexec - tmpfs tmpfs rw,inode64 mountid=1810 fsname=/ dir=/var/tmp fstype=tmpfs Created symbolic link /var/run -> /run Created symbolic link /var/lock -> /run/lock Whitelisting /tmp/.X11-unix 1811 1800 0:48 /.X11-unix /tmp/.X11-unix rw,nosuid,nodev,relatime master:69 - tmpfs tmpfs rw,size=6291456k,inode64 mountid=1811 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs Drop privileges: pid 32, uid 1000, gid 100, nogroups 0 Warning: cleaning all supplementary groups Mounting read-only /home/seonwoo/.Xauthority 1814 1773 0:144 /seonwoo/.Xauthority /home/seonwoo/.Xauthority ro,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755,inode64 mountid=1814 fsname=/seonwoo/.Xauthority dir=/home/seonwoo/.Xauthority fstype=tmpfs Disable /run/user/1000/systemd Disable /usr/share/applications/veracrypt.desktop Disable /usr/share/pixmaps/veracrypt.xpm Disable /run/screens (requested /var/run/screens) Mounting read-only /home/seonwoo/.bashrc 1819 1773 0:144 /seonwoo/.bashrc /home/seonwoo/.bashrc ro,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755,inode64 mountid=1819 fsname=/seonwoo/.bashrc dir=/home/seonwoo/.bashrc fstype=tmpfs Warning: /sbin directory link was not blacklisted Disable /usr/local/sbin Warning: /usr/sbin directory link was not blacklisted Disable /proc/config.gz Disable /usr/lib/jvm/java-8-openjdk/jre/bin/java (requested /usr/lib/jvm/default/bin/java) Disable /usr/share/java Disable /usr/lib/valgrind Disable /usr/src Disable /usr/local/src Disable /usr/include Disable /usr/local/include Mounting noexec /run/user/1000 1833 1832 0:22 /firejail/firejail.ro.dir /run/user/1000/systemd rw,nosuid,nodev,relatime master:16 - tmpfs run rw,mode=755,inode64 mountid=1833 fsname=/firejail/firejail.ro.dir dir=/run/user/1000/systemd fstype=tmpfs Warning: not remounting /run/user/1000/gvfs Mounting noexec /dev/shm 1834 1780 0:145 /shm /dev/shm rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755,inode64 mountid=1834 fsname=/shm dir=/dev/shm fstype=tmpfs Mounting noexec /tmp 1836 1835 0:48 /.X11-unix /tmp/.X11-unix rw,nosuid,nodev,relatime master:69 - tmpfs tmpfs rw,size=6291456k,inode64 mountid=1836 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs Mounting noexec /tmp/.X11-unix 1837 1836 0:48 /.X11-unix /tmp/.X11-unix rw,nosuid,nodev,noexec,relatime master:69 - tmpfs tmpfs rw,size=6291456k,inode64 mountid=1837 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs Mounting noexec /var 1841 1838 0:137 / /var/tmp rw,nosuid,nodev,noexec - tmpfs tmpfs rw,inode64 mountid=1841 fsname=/ dir=/var/tmp fstype=tmpfs Not blacklist /home/seonwoo/.config/discord Drop privileges: pid 33, uid 1000, gid 100, nogroups 0 Warning: cleaning all supplementary groups Mounting read-only /tmp/.X11-unix 1842 1837 0:48 /.X11-unix /tmp/.X11-unix ro,nosuid,nodev,noexec,relatime master:69 - tmpfs tmpfs rw,size=6291456k,inode64 mountid=1842 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs Disable /sys/fs Disable /sys/module Disable /mnt Disable /run/mount Disable /run/media /etc/pulse/client.conf not found Current directory: /home/seonwoo DISPLAY=:0.0 parsed as 0 Install protocol filter: unix,inet,inet6,netlink configuring 22 seccomp entries in /run/firejail/mnt/seccomp/seccomp.protocol sbox run: /usr/lib/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.protocol Dropping all capabilities Drop privileges: pid 34, uid 1000, gid 100, nogroups 1 No supplementary groups line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 04 00 c000003e jeq ARCH_64 0006 (false 0002) 0002: 20 00 00 00000000 ld data.syscall-number 0003: 15 01 00 00000167 jeq unknown 0005 (false 0004) 0004: 06 00 00 7fff0000 ret ALLOW 0005: 05 00 00 00000006 jmp 000c 0006: 20 00 00 00000004 ld data.architecture 0007: 15 01 00 c000003e jeq ARCH_64 0009 (false 0008) 0008: 06 00 00 7fff0000 ret ALLOW 0009: 20 00 00 00000000 ld data.syscall-number 000a: 15 01 00 00000029 jeq socket 000c (false 000b) 000b: 06 00 00 7fff0000 ret ALLOW 000c: 20 00 00 00000010 ld data.args[0] 000d: 15 00 01 00000001 jeq 1 000e (false 000f) 000e: 06 00 00 7fff0000 ret ALLOW 000f: 15 00 01 00000002 jeq 2 0010 (false 0011) 0010: 06 00 00 7fff0000 ret ALLOW 0011: 15 00 01 0000000a jeq a 0012 (false 0013) 0012: 06 00 00 7fff0000 ret ALLOW 0013: 15 00 01 00000010 jeq 10 0014 (false 0015) 0014: 06 00 00 7fff0000 ret ALLOW 0015: 06 00 00 0005005f ret ERRNO(95) configuring 101 seccomp entries in /run/firejail/mnt/seccomp/seccomp.32 sbox run: /usr/lib/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.32 Dropping all capabilities Drop privileges: pid 35, uid 1000, gid 100, nogroups 1 No supplementary groups line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 01 00 40000003 jeq ARCH_32 0003 (false 0002) 0002: 06 00 00 7fff0000 ret ALLOW 0003: 20 00 00 00000000 ld data.syscall-number 0004: 15 00 01 00000015 jeq 15 0005 (false 0006) 0005: 06 00 00 00000001 ret KILL 0006: 15 00 01 00000034 jeq 34 0007 (false 0008) 0007: 06 00 00 00000001 ret KILL 0008: 15 00 01 0000001a jeq 1a 0009 (false 000a) 0009: 06 00 00 00000001 ret KILL 000a: 15 00 01 0000011b jeq 11b 000b (false 000c) 000b: 06 00 00 00000001 ret KILL 000c: 15 00 01 00000155 jeq 155 000d (false 000e) 000d: 06 00 00 00000001 ret KILL 000e: 15 00 01 00000156 jeq 156 000f (false 0010) 000f: 06 00 00 00000001 ret KILL 0010: 15 00 01 0000007f jeq 7f 0011 (false 0012) 0011: 06 00 00 00000001 ret KILL 0012: 15 00 01 00000080 jeq 80 0013 (false 0014) 0013: 06 00 00 00000001 ret KILL 0014: 15 00 01 0000015e jeq 15e 0015 (false 0016) 0015: 06 00 00 00000001 ret KILL 0016: 15 00 01 00000081 jeq 81 0017 (false 0018) 0017: 06 00 00 00000001 ret KILL 0018: 15 00 01 0000006e jeq 6e 0019 (false 001a) 0019: 06 00 00 00000001 ret KILL 001a: 15 00 01 00000065 jeq 65 001b (false 001c) 001b: 06 00 00 00000001 ret KILL 001c: 15 00 01 00000121 jeq 121 001d (false 001e) 001d: 06 00 00 00000001 ret KILL 001e: 15 00 01 00000057 jeq 57 001f (false 0020) 001f: 06 00 00 00000001 ret KILL 0020: 15 00 01 00000073 jeq 73 0021 (false 0022) 0021: 06 00 00 00000001 ret KILL 0022: 15 00 01 00000067 jeq 67 0023 (false 0024) 0023: 06 00 00 00000001 ret KILL 0024: 15 00 01 0000015b jeq 15b 0025 (false 0026) 0025: 06 00 00 00000001 ret KILL 0026: 15 00 01 0000015c jeq 15c 0027 (false 0028) 0027: 06 00 00 00000001 ret KILL 0028: 15 00 01 00000087 jeq 87 0029 (false 002a) 0029: 06 00 00 00000001 ret KILL 002a: 15 00 01 00000095 jeq 95 002b (false 002c) 002b: 06 00 00 00000001 ret KILL 002c: 15 00 01 0000007c jeq 7c 002d (false 002e) 002d: 06 00 00 00000001 ret KILL 002e: 15 00 01 00000157 jeq 157 002f (false 0030) 002f: 06 00 00 00000001 ret KILL 0030: 15 00 01 000000fd jeq fd 0031 (false 0032) 0031: 06 00 00 00000001 ret KILL 0032: 15 00 01 00000150 jeq 150 0033 (false 0034) 0033: 06 00 00 00000001 ret KILL 0034: 15 00 01 00000152 jeq 152 0035 (false 0036) 0035: 06 00 00 00000001 ret KILL 0036: 15 00 01 0000015d jeq 15d 0037 (false 0038) 0037: 06 00 00 00000001 ret KILL 0038: 15 00 01 0000011e jeq 11e 0039 (false 003a) 0039: 06 00 00 00000001 ret KILL 003a: 15 00 01 0000011f jeq 11f 003b (false 003c) 003b: 06 00 00 00000001 ret KILL 003c: 15 00 01 00000120 jeq 120 003d (false 003e) 003d: 06 00 00 00000001 ret KILL 003e: 15 00 01 00000056 jeq 56 003f (false 0040) 003f: 06 00 00 00000001 ret KILL 0040: 15 00 01 00000033 jeq 33 0041 (false 0042) 0041: 06 00 00 00000001 ret KILL 0042: 15 00 01 0000007b jeq 7b 0043 (false 0044) 0043: 06 00 00 00000001 ret KILL 0044: 15 00 01 000000d9 jeq d9 0045 (false 0046) 0045: 06 00 00 00000001 ret KILL 0046: 15 00 01 000000f5 jeq f5 0047 (false 0048) 0047: 06 00 00 00000001 ret KILL 0048: 15 00 01 000000f6 jeq f6 0049 (false 004a) 0049: 06 00 00 00000001 ret KILL 004a: 15 00 01 000000f7 jeq f7 004b (false 004c) 004b: 06 00 00 00000001 ret KILL 004c: 15 00 01 000000f8 jeq f8 004d (false 004e) 004d: 06 00 00 00000001 ret KILL 004e: 15 00 01 000000f9 jeq f9 004f (false 0050) 004f: 06 00 00 00000001 ret KILL 0050: 15 00 01 00000101 jeq 101 0051 (false 0052) 0051: 06 00 00 00000001 ret KILL 0052: 15 00 01 00000112 jeq 112 0053 (false 0054) 0053: 06 00 00 00000001 ret KILL 0054: 15 00 01 00000114 jeq 114 0055 (false 0056) 0055: 06 00 00 00000001 ret KILL 0056: 15 00 01 00000126 jeq 126 0057 (false 0058) 0057: 06 00 00 00000001 ret KILL 0058: 15 00 01 0000013d jeq 13d 0059 (false 005a) 0059: 06 00 00 00000001 ret KILL 005a: 15 00 01 0000013c jeq 13c 005b (false 005c) 005b: 06 00 00 00000001 ret KILL 005c: 15 00 01 0000003d jeq 3d 005d (false 005e) 005d: 06 00 00 00000001 ret KILL 005e: 15 00 01 00000058 jeq 58 005f (false 0060) 005f: 06 00 00 00000001 ret KILL 0060: 15 00 01 000000a9 jeq a9 0061 (false 0062) 0061: 06 00 00 00000001 ret KILL 0062: 15 00 01 00000082 jeq 82 0063 (false 0064) 0063: 06 00 00 00000001 ret KILL 0064: 06 00 00 7fff0000 ret ALLOW Dual 32/64 bit seccomp filter configured Build default+drop seccomp filter sbox run: /run/firejail/lib/fseccomp default drop /run/firejail/mnt/seccomp/seccomp /run/firejail/mnt/seccomp/seccomp.postexec !chroot Dropping all capabilities Drop privileges: pid 36, uid 1000, gid 100, nogroups 1 No supplementary groups Seccomp list in: !chroot, check list: @default-keep, prelist: unknown, sbox run: /run/firejail/lib/fsec-optimize /run/firejail/mnt/seccomp/seccomp Dropping all capabilities Drop privileges: pid 37, uid 1000, gid 100, nogroups 1 No supplementary groups configuring 136 seccomp entries in /run/firejail/mnt/seccomp/seccomp sbox run: /usr/lib/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp Dropping all capabilities Drop privileges: pid 38, uid 1000, gid 100, nogroups 1 No supplementary groups line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 01 00 c000003e jeq ARCH_64 0003 (false 0002) 0002: 06 00 00 7fff0000 ret ALLOW 0003: 20 00 00 00000000 ld data.syscall-number 0004: 35 01 00 40000000 jge X32_ABI 0006 (false 0005) 0005: 35 01 00 00000000 jge read 0007 (false 0006) 0006: 06 00 00 00050001 ret ERRNO(1) 0007: 15 00 01 000000a1 jeq chroot 0008 (false 0009) 0008: 06 00 00 7fff0000 ret ALLOW 0009: 15 00 01 0000009f jeq adjtimex 000a (false 000b) 000a: 06 00 00 00050001 ret ERRNO(1) 000b: 15 00 01 00000131 jeq clock_adjtime 000c (false 000d) 000c: 06 00 00 00050001 ret ERRNO(1) 000d: 15 00 01 000000e3 jeq clock_settime 000e (false 000f) 000e: 06 00 00 00050001 ret ERRNO(1) 000f: 15 00 01 000000a4 jeq settimeofday 0010 (false 0011) 0010: 06 00 00 00050001 ret ERRNO(1) 0011: 15 00 01 0000009a jeq modify_ldt 0012 (false 0013) 0012: 06 00 00 00050001 ret ERRNO(1) 0013: 15 00 01 000000d4 jeq lookup_dcookie 0014 (false 0015) 0014: 06 00 00 00050001 ret ERRNO(1) 0015: 15 00 01 0000012a jeq perf_event_open 0016 (false 0017) 0016: 06 00 00 00050001 ret ERRNO(1) 0017: 15 00 01 00000137 jeq process_vm_writev 0018 (false 0019) 0018: 06 00 00 00050001 ret ERRNO(1) 0019: 15 00 01 000000b0 jeq delete_module 001a (false 001b) 001a: 06 00 00 00050001 ret ERRNO(1) 001b: 15 00 01 00000139 jeq finit_module 001c (false 001d) 001c: 06 00 00 00050001 ret ERRNO(1) 001d: 15 00 01 000000af jeq init_module 001e (false 001f) 001e: 06 00 00 00050001 ret ERRNO(1) 001f: 15 00 01 000000a1 jeq chroot 0020 (false 0021) 0020: 06 00 00 00050001 ret ERRNO(1) 0021: 15 00 01 000000a5 jeq mount 0022 (false 0023) 0022: 06 00 00 00050001 ret ERRNO(1) 0023: 15 00 01 0000009b jeq pivot_root 0024 (false 0025) 0024: 06 00 00 00050001 ret ERRNO(1) 0025: 15 00 01 000000a6 jeq umount2 0026 (false 0027) 0026: 06 00 00 00050001 ret ERRNO(1) 0027: 15 00 01 0000009c jeq _sysctl 0028 (false 0029) 0028: 06 00 00 00050001 ret ERRNO(1) 0029: 15 00 01 000000b7 jeq afs_syscall 002a (false 002b) 002a: 06 00 00 00050001 ret ERRNO(1) 002b: 15 00 01 000000ae jeq create_module 002c (false 002d) 002c: 06 00 00 00050001 ret ERRNO(1) 002d: 15 00 01 000000b1 jeq get_kernel_syms 002e (false 002f) 002e: 06 00 00 00050001 ret ERRNO(1) 002f: 15 00 01 000000b5 jeq getpmsg 0030 (false 0031) 0030: 06 00 00 00050001 ret ERRNO(1) 0031: 15 00 01 000000b6 jeq putpmsg 0032 (false 0033) 0032: 06 00 00 00050001 ret ERRNO(1) 0033: 15 00 01 000000b2 jeq query_module 0034 (false 0035) 0034: 06 00 00 00050001 ret ERRNO(1) 0035: 15 00 01 000000b9 jeq security 0036 (false 0037) 0036: 06 00 00 00050001 ret ERRNO(1) 0037: 15 00 01 0000008b jeq sysfs 0038 (false 0039) 0038: 06 00 00 00050001 ret ERRNO(1) 0039: 15 00 01 000000b8 jeq tuxcall 003a (false 003b) 003a: 06 00 00 00050001 ret ERRNO(1) 003b: 15 00 01 00000086 jeq uselib 003c (false 003d) 003c: 06 00 00 00050001 ret ERRNO(1) 003d: 15 00 01 00000088 jeq ustat 003e (false 003f) 003e: 06 00 00 00050001 ret ERRNO(1) 003f: 15 00 01 000000ec jeq vserver 0040 (false 0041) 0040: 06 00 00 00050001 ret ERRNO(1) 0041: 15 00 01 000000ad jeq ioperm 0042 (false 0043) 0042: 06 00 00 00050001 ret ERRNO(1) 0043: 15 00 01 000000ac jeq iopl 0044 (false 0045) 0044: 06 00 00 00050001 ret ERRNO(1) 0045: 15 00 01 000000f6 jeq kexec_load 0046 (false 0047) 0046: 06 00 00 00050001 ret ERRNO(1) 0047: 15 00 01 00000140 jeq kexec_file_load 0048 (false 0049) 0048: 06 00 00 00050001 ret ERRNO(1) 0049: 15 00 01 000000a9 jeq reboot 004a (false 004b) 004a: 06 00 00 00050001 ret ERRNO(1) 004b: 15 00 01 000000a7 jeq swapon 004c (false 004d) 004c: 06 00 00 00050001 ret ERRNO(1) 004d: 15 00 01 000000a8 jeq swapoff 004e (false 004f) 004e: 06 00 00 00050001 ret ERRNO(1) 004f: 15 00 01 00000130 jeq open_by_handle_at 0050 (false 0051) 0050: 06 00 00 00050001 ret ERRNO(1) 0051: 15 00 01 0000012f jeq name_to_handle_at 0052 (false 0053) 0052: 06 00 00 00050001 ret ERRNO(1) 0053: 15 00 01 000000fb jeq ioprio_set 0054 (false 0055) 0054: 06 00 00 00050001 ret ERRNO(1) 0055: 15 00 01 00000067 jeq syslog 0056 (false 0057) 0056: 06 00 00 00050001 ret ERRNO(1) 0057: 15 00 01 0000012c jeq fanotify_init 0058 (false 0059) 0058: 06 00 00 00050001 ret ERRNO(1) 0059: 15 00 01 00000138 jeq kcmp 005a (false 005b) 005a: 06 00 00 00050001 ret ERRNO(1) 005b: 15 00 01 000000f8 jeq add_key 005c (false 005d) 005c: 06 00 00 00050001 ret ERRNO(1) 005d: 15 00 01 000000f9 jeq request_key 005e (false 005f) 005e: 06 00 00 00050001 ret ERRNO(1) 005f: 15 00 01 000000ed jeq mbind 0060 (false 0061) 0060: 06 00 00 00050001 ret ERRNO(1) 0061: 15 00 01 00000100 jeq migrate_pages 0062 (false 0063) 0062: 06 00 00 00050001 ret ERRNO(1) 0063: 15 00 01 00000117 jeq move_pages 0064 (false 0065) 0064: 06 00 00 00050001 ret ERRNO(1) 0065: 15 00 01 000000fa jeq keyctl 0066 (false 0067) 0066: 06 00 00 00050001 ret ERRNO(1) 0067: 15 00 01 000000ce jeq io_setup 0068 (false 0069) 0068: 06 00 00 00050001 ret ERRNO(1) 0069: 15 00 01 000000cf jeq io_destroy 006a (false 006b) 006a: 06 00 00 00050001 ret ERRNO(1) 006b: 15 00 01 000000d0 jeq io_getevents 006c (false 006d) 006c: 06 00 00 00050001 ret ERRNO(1) 006d: 15 00 01 000000d1 jeq io_submit 006e (false 006f) 006e: 06 00 00 00050001 ret ERRNO(1) 006f: 15 00 01 000000d2 jeq io_cancel 0070 (false 0071) 0070: 06 00 00 00050001 ret ERRNO(1) 0071: 15 00 01 000000d8 jeq remap_file_pages 0072 (false 0073) 0072: 06 00 00 00050001 ret ERRNO(1) 0073: 15 00 01 00000143 jeq userfaultfd 0074 (false 0075) 0074: 06 00 00 00050001 ret ERRNO(1) 0075: 15 00 01 000000a3 jeq acct 0076 (false 0077) 0076: 06 00 00 00050001 ret ERRNO(1) 0077: 15 00 01 00000141 jeq bpf 0078 (false 0079) 0078: 06 00 00 00050001 ret ERRNO(1) 0079: 15 00 01 000000b4 jeq nfsservctl 007a (false 007b) 007a: 06 00 00 00050001 ret ERRNO(1) 007b: 15 00 01 000000ab jeq setdomainname 007c (false 007d) 007c: 06 00 00 00050001 ret ERRNO(1) 007d: 15 00 01 000000aa jeq sethostname 007e (false 007f) 007e: 06 00 00 00050001 ret ERRNO(1) 007f: 15 00 01 00000099 jeq vhangup 0080 (false 0081) 0080: 06 00 00 00050001 ret ERRNO(1) 0081: 15 00 01 00000065 jeq ptrace 0082 (false 0083) 0082: 06 00 00 00050001 ret ERRNO(1) 0083: 15 00 01 00000087 jeq personality 0084 (false 0085) 0084: 06 00 00 00050001 ret ERRNO(1) 0085: 15 00 01 00000136 jeq process_vm_readv 0086 (false 0087) 0086: 06 00 00 00050001 ret ERRNO(1) 0087: 06 00 00 7fff0000 ret ALLOW seccomp filter configured Mounting read-only /run/firejail/mnt/seccomp 1848 1278 0:66 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755,inode64 mountid=1848 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs Seccomp directory: ls /run/firejail/mnt/seccomp drwxr-xr-x root root 160 . drwxr-xr-x root root 380 .. -rw-r--r-- 1000 users 1088 seccomp -rw-r--r-- 1000 users 808 seccomp.32 -rw-r--r-- 1000 users 114 seccomp.list -rw-r--r-- 1000 users 0 seccomp.postexec -rw-r--r-- 1000 users 0 seccomp.postexec32 -rw-r--r-- 1000 users 176 seccomp.protocol Active seccomp files: cat /run/firejail/mnt/seccomp/seccomp.list /run/firejail/mnt/seccomp/seccomp.protocol /run/firejail/mnt/seccomp/seccomp.32 /run/firejail/mnt/seccomp/seccomp Dropping all capabilities noroot user namespace installed Dropping all capabilities NO_NEW_PRIVS set Drop privileges: pid 1, uid 1000, gid 100, nogroups 1 No supplementary groups starting application LD_PRELOAD=(null) Running 'discord' command through /bin/bash execvp argument 0: /bin/bash execvp argument 1: -c execvp argument 2: 'discord' Child process initialized in 815.66 ms Installing /run/firejail/mnt/seccomp/seccomp seccomp filter Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter monitoring pid 39 [39:1114/235127.042627:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/discord/chrome-sandbox is owned by root and has mode 4755. Sandbox monitor: waitpid 39 retval 39 status 133 Parent is shutting down, bye... ``` </details>
gitea-mirror commented 2026-05-05 09:03:01 -06:00
Author
Owner
Copy link

@bbhtt commented on GitHub (Nov 15, 2020):

How can I determine what kernel parameter I need to change to make this work while using the hardened kernel?

What does cat /proc/sys/kernel/unprivileged_userns_clone say?

Your options:

A) Try commenting caps.drop all, noroot, nonewprivs, protocol and seccomp in /etc/firejail/discord-common.profileif it works with that only that it's good but Firejail's sandbox becomes loose. The caps.drop all can be changed to caps.keep and similarly seccomp if it works.

B) Turn that sysctl knob and use firejail.

C) Disable internal sandbox of chromium with --no-sandbox. (This might not work with recent electron versions)

I suggest B and C as a last resort since both have security implications.

<!-- gh-comment-id:727523969 --> @bbhtt commented on GitHub (Nov 15, 2020): > How can I determine what kernel parameter I need to change to make this work while using the hardened kernel? What does `cat /proc/sys/kernel/unprivileged_userns_clone` say? Your options: A) Try commenting `caps.drop all, noroot, nonewprivs, protocol` and `seccomp` in `/etc/firejail/discord-common.profile`if it works with that only that it's good but Firejail's sandbox becomes loose. The `caps.drop all` can be changed to `caps.keep` and similarly `seccomp` if it works. B) Turn that sysctl knob and use firejail. C) Disable internal sandbox of chromium with `--no-sandbox`. (This might not work with recent electron versions) I suggest B and C as a last resort since both have security implications.
gitea-mirror commented 2026-05-05 09:03:02 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Nov 15, 2020):

Additions:

A) The caps.keep line would be caps.keep sys_admin,sys_chroot.

C) There is also a --disable-setuid-sandbox switch AFAICTY.

<!-- gh-comment-id:727533667 --> @rusty-snake commented on GitHub (Nov 15, 2020): Additions: A) The `caps.keep` line would be `caps.keep sys_admin,sys_chroot`. C) There is also a `--disable-setuid-sandbox` switch AFAICTY.
gitea-mirror commented 2026-05-05 09:03:03 -06:00
Author
Owner
Copy link

@seonwoolee commented on GitHub (Nov 15, 2020):

A) didn't work at all unfortunately.
B) works
C) Did you mean firejail --no-sandbox discord and firejail --disable-setuid-sandbox discord? Because neither of them are recognized as valid parameters to firejail

<!-- gh-comment-id:727649633 --> @seonwoolee commented on GitHub (Nov 15, 2020): A) didn't work at all unfortunately. B) works C) Did you mean `firejail --no-sandbox discord` and `firejail --disable-setuid-sandbox discord`? Because neither of them are recognized as valid parameters to firejail
gitea-mirror commented 2026-05-05 09:03:04 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Nov 16, 2020):

A) What's in your globals.local?
C) To "Disable [the] internal sandbox of chromium" you need to add these parameters to discord: firejail discord --no-sandbox or firejail discord --disable-setuid-sandbox.

<!-- gh-comment-id:727898789 --> @rusty-snake commented on GitHub (Nov 16, 2020): A) What's in your globals.local? C) To "Disable [the] internal sandbox of chromium" you need to add these parameters to discord: `firejail discord --no-sandbox` or `firejail discord --disable-setuid-sandbox`.
gitea-mirror commented 2026-05-05 09:03:05 -06:00
Author
Owner
Copy link

@seonwoolee commented on GitHub (Nov 17, 2020):

A) Nothing
C) Gotcha. --no-sandbox works, --disable-setuid-sandbox does not

<!-- gh-comment-id:728667628 --> @seonwoolee commented on GitHub (Nov 17, 2020): A) Nothing C) Gotcha. `--no-sandbox` works, `--disable-setuid-sandbox` does not
gitea-mirror commented 2026-05-05 09:03:05 -06:00
Author
Owner
Copy link

@bbhtt commented on GitHub (Nov 17, 2020):

I suggest going with (B) because:

  1. Reduce profile maintenance since all electron applications will be affected.

  2. Enjoy advantage of both Firejail and chromium-sandbox.

But do know that while no mainline distro kernels except Debian and RHEL(see below) ship with that patch there are security reasons for enabling it. That's why non-mainline/hardened kernels have it. You can find information on Security SE and LWN threads. Here are some newer CVEs (older on SSE threads) relating to it:

(1) https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-14386.html

(2) https://nvd.nist.gov/vuln/detail/CVE-2019-20794

(3) https://security.archlinux.org/CVE-2020-16120

  • The arch linux bug thread in the first firejail link below.

Bottomline: (+) With that any container or sandbox won't work; browser sandbox take advantage of it; reduces usability.
(-) Priv esc/root exploit vulns..

Debian is going to reconsider that patch in the next year since at the time of enabling it 5-6 years it was said to be a temporary mitigation.

Kernel thread: https://lkml.org/lkml/2016/1/22/7

Firejail thread: https://github.com/netblue30/firejail/issues/ 1347

About --no-sandbox it disables chromium's internal sandbox; you rely entirely on Firejail to sandbox. Comparison between the two:
https://github.com/netblue30/firejail/issues/ 554

  • Look at chromium googlesource>sandbox>Linux implementation guide.

Firejail offers more granular permissions like directory restrictions,dbus restrictions, apparmor,selinux,shell/lib/bin/program restrictions etc. Bottomline here: I recommend not disabling the internal sandbox of chromium if you are able.

Feel free to correct me/add.

On November 17, 2020 3:45:47 AM UTC, Seonwoo Lee notifications@github.com wrote:

A) Nothing
C) Gotcha. --no-sandbox works, --disable-setuid-sandbox does not

--
You are receiving this because you commented.
Reply to this email directly or view it on GitHub:
https://github.com/netblue30/firejail/issues/3754#issuecomment-728667628

<!-- gh-comment-id:728695321 --> @bbhtt commented on GitHub (Nov 17, 2020): I suggest going with (B) because: 1. Reduce profile maintenance since all electron applications will be affected. 2. Enjoy advantage of both Firejail and chromium-sandbox. But do know that while no mainline distro kernels except Debian and RHEL(**see below**) ship with that patch there are security reasons for enabling it. That's why non-mainline/hardened kernels have it. You can find information on Security SE and LWN threads. Here are some newer CVEs (older on SSE threads) relating to it: (1) https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-14386.html (2) https://nvd.nist.gov/vuln/detail/CVE-2019-20794 (3) https://security.archlinux.org/CVE-2020-16120 + The arch linux bug thread in the first firejail link below. Bottomline: (+) With that any container or sandbox won't work; browser sandbox take advantage of it; reduces usability. (-) Priv esc/root exploit vulns.. Debian is going to reconsider that patch in the next year since at the time of enabling it 5-6 years it was said to be a temporary mitigation. Kernel thread: https://lkml.org/lkml/2016/1/22/7 Firejail thread: https://github.com/netblue30/firejail/issues/ 1347 About --no-sandbox it disables chromium's internal sandbox; you rely entirely on Firejail to sandbox. Comparison between the two: https://github.com/netblue30/firejail/issues/ 554 + Look at chromium googlesource>sandbox>Linux implementation guide. Firejail offers more granular permissions like directory restrictions,dbus restrictions, apparmor,selinux,shell/lib/bin/program restrictions etc. Bottomline here: I recommend not disabling the internal sandbox of chromium if you are able. Feel free to correct me/add. On November 17, 2020 3:45:47 AM UTC, Seonwoo Lee <notifications@github.com> wrote: >A) Nothing >C) Gotcha. `--no-sandbox` works, `--disable-setuid-sandbox` does not > >-- >You are receiving this because you commented. >Reply to this email directly or view it on GitHub: >https://github.com/netblue30/firejail/issues/3754#issuecomment-728667628
gitea-mirror commented 2026-05-05 09:03:06 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Nov 17, 2020):

I suggest going with (B) because:

  1. You can set force-nonewprivs yes in /etc/firejail/firejail.config
  1. Reduce profile maintenance since all electron applications will be affected.

Since we need to fix such things upstream anyway, you need to add nonewprivs, caps.drop all, ... after the next firejail update manualy

But do know that while no mainline distro kernels except Debian and RHEL ship with that patch

AFAIK only Debian and ArchLinux have this patch (Arch: linux has it opt-in via sysctl and linux-hardened has it opt-out via sysctl Debian: always opt-out).

Mainline/Fedora/RHEL: Don't have this patch. However RHEL (but not Fedora) disables userns completely by default via user.max_user_namespaces=0 AFAIK (is there a difference between 7 and 8?).

there are security reasons for enabling it.

The main argument is that some exploits (user to root) require unprivileged userns. On the other hand you can remove the setuid bit from bwrap, chrome-sandbox and vivaldi-sandbox if you enable unprivileged userns. This prevents other user to root exploits which are unrelated to userns but require suid.

A) Nothing

The debug log says ~.config/firejail/globals.local is read. If this file is empty, you can remove it for performance reasons (less disk I/O on sandbox startup).

Have you set force-nonewprivs yes in /etc/firejail/firejail.config?

<!-- gh-comment-id:728893312 --> @rusty-snake commented on GitHub (Nov 17, 2020): > I suggest going with (B) because: 3. You can set `force-nonewprivs yes` in `/etc/firejail/firejail.config` > 1. Reduce profile maintenance since all electron applications will be affected. Since we need to fix such things upstream anyway, you need to add `nonewprivs`, `caps.drop all`, ... after the next firejail update manualy > But do know that while no mainline distro kernels except Debian and RHEL ship with that patch AFAIK only Debian and ArchLinux have this patch (Arch: linux has it opt-in via sysctl and linux-hardened has it opt-out via sysctl Debian: always opt-out). Mainline/Fedora/RHEL: Don't have this patch. However RHEL (but not Fedora) disables userns completely by default via `user.max_user_namespaces=0` AFAIK (is there a difference between 7 and 8?). > there are security reasons for enabling it. The main argument is that some exploits (user to root) require unprivileged userns. On the other hand you can remove the setuid bit from bwrap, chrome-sandbox and vivaldi-sandbox if you enable unprivileged userns. This prevents other user to root exploits which are unrelated to userns but require suid. > A) Nothing The debug log says `~.config/firejail/globals.local` is read. If this file is empty, you can remove it for performance reasons (less disk I/O on sandbox startup). Have you set `force-nonewprivs yes` in `/etc/firejail/firejail.config`?
gitea-mirror commented 2026-05-05 09:03:06 -06:00
Author
Owner
Copy link

@seonwoolee commented on GitHub (Nov 20, 2020):

Gotcha, I'll go with B) then.

I hadn't set force-nonewprivs yes, doing that now

<!-- gh-comment-id:730714298 --> @seonwoolee commented on GitHub (Nov 20, 2020): Gotcha, I'll go with B) then. I hadn't set `force-nonewprivs yes`, doing that now
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2367
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?