[GH-ISSUE #3781] Rootless Firejail re-entry to Firejail created network namespace: Error: cannot join netns 'wgsh': Invalid argument #2385

Open
opened 2026-05-05 09:03:50 -06:00 by gitea-mirror · 0 comments

Originally created by @bbros-dev on GitHub (Dec 1, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3781

Thanks for all the effort you have put into firejail and for making it open source.

It is not clear if the following is possible or even within scope. If the following should work, I'd appreciate any insights into what is missing or incorrect.

The sudo firejail --netns=xyz .... is unattractive because sudo is required.
In this respect Firejail is no different from using the following nsenter
command which works, but also has the sudo requirement:

$ sudo nsenter --net=/var/run/netns/wgsh --setuid=1000 --setgid=1000 socat file:$(tty),raw,echo=0 tcp-listen:2222

A naive attempt to work around this is, from within a Firejailed sudo bash:

  • create a network namespace
  • move a WireGuard interface into it
  • configure the WG interface

Ideally it would be possible to:

  1. preserve the netns configuration created within Firejail
  2. then allow the same unprivileged user that ran Firejail to create the network namespace to use it:
$ firejail --netns=wgsh socat file:$(tty),raw,echo=0 tcp-listen:2222

This issue reports that 1) appears to be achieved: there is a /var/run/netns/wgsh created.
However 2) does not seem possible. A simple attempt to start a shell inside this Firejail created network namespace fails.
The network namespace is present but no one has access.

$ ls -la /var/run/netns/wgsh
---------- 1 root root 0 Dec  1 12:24 /var/run/netns/wgsh

Allowing all users full rwx access produces this behavior:

First, rootless:

$ firejail --noprofile --netns=wgsh
Parent pid 2093, child pid 2094
Error: cannot join netns 'wgsh': Invalid argument
Error: proc 2093 cannot sync with peer: unexpected EOF
Peer 2094 unexpectedly exited with status 1

Then trying as root:

$ sudo firejail --noprofile --netns=wgsh
Parent pid 32558, child pid 32559
The new log directory is /proc/32559/root/var/log
Error: cannot join netns 'wgsh': Invalid argument
Error: proc 32558 cannot sync with peer: unexpected EOF
Peer 32559 unexpectedly exited with status 1

The following reports the fact that no errors were reported in setting up the network namespace.
The network namespace and WireGuard commands complete without generating any errors. Entering the network namespace just created inside Firejail shows WireGuard is connected as expected. So the difficulty is getting back into that same netns after exiting Firejail.

Bug and expected behavior

  • Describe the bug: The network namespace and WireGuard configuration commands complete without any error. However, it is not possible to return into the network namespace after exiting Firejail.
  • What did you expect to happen?: Either one or several of the network namespace or WireGuard commands should have reported an error. Alternatively, the firejail --noprofile --netns=wgsh should place the rootless user back inside the netns they just created.

No profile and disabling firejail

  • What changed calling firejail --noprofile /path/to/program in a terminal? Firejail already used --noprofile
  • What changed calling the program by path (check which <program> or firejail --list while the sandbox is running)? No change. We open a bash shell and then switch to root to initially set up the network namespace and WireGuard without issue. Trying to regain entry to that netns is problematic.

Reproduce
Steps to reproduce the behavior:

  1. Run in bash, rootless: $ mkdir -p ~/.local/share/wgsh
  2. Run in bash, rootless: $ firejail --noprofile --net=enp2s0 --private=~/.local/share/wgsh
  3. See no errors from within the Firejail shell:
$ firejail --noprofile --net=enp2s0 --private=~/.local/share/wgsh
Parent pid 18932, child pid 18933

Interface        MAC                IP               Mask             Status
lo                                  127.0.0.1        255.0.0.0        UP
eth0-18932       de:14:ba:b2:37:88  192.168.1.227    255.255.255.0    UP
Default gateway 192.168.1.1
Child process initialized in 999.52 ms
xxxx@desktop:~$ sudo bash
[sudo] password for xxxx:
root@desktop:~# ip netns add wgsh
root@desktop:~# ip link add dev wg0 type wireguard
root@desktop:~# ip link set wg0 netns wgsh
root@desktop:~# ip netns exec wgsh ip address add dev wg0 10.10.10.2 peer 10.10.10.1
root@desktop:~# ip netns exec wgsh wg set wg0 \
>          private-key <(echo SDubtWY7RGp2KYNBekaBX+Sdwhgl4wHnKd510TvrJnc=) \
>          listen-port 51822 \
>          peer UgIiSiCaUooirF+aUJ6YZYGzFp9xWoF0+2Nw7KPz6mU= \
>          preshared-key <(echo xOX5VnIRPJ+J6z+ypxQivNkI37TB77tvu1R7hCHUgRc=) \
>          endpoint N.N.N.N:51822 \
>          allowed-ips 10.10.10.1/32 \
>          persistent-keepalive 25
root@desktop:~# ip netns exec wgsh ip link set up dev wg0
root@desktop:~# exit
xxxx@desktop:~$ exit

Now try to re-enter the network namespace

$ firejail --noprofile --netns=wgsh
Parent pid 2093, child pid 2094
Error: cannot join netns 'wgsh': Invalid argument
Error: proc 2093 cannot sync with peer: unexpected EOF
Peer 2094 unexpectedly exited with status 1

Environment

  • Linux distribution and version:
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.5 LTS
Release:        18.04
Codename:       bionic
  • Firejail version
$ firejail --version
firejail version 0.9.64

Additional context
Other context about the problem like related errors to understand the problem.

Checklist

  • [x] We use --noprofile. ~~The upstream profile (and redirect profile if exists) have no changes fixing it.~~
  • [ ] ~~The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)~~
  • [ ] ~~Programs needed for interaction are listed in the profile.~~
  • [x] A short search for duplicates was performed.
  • [ ] ~~If it is an AppImage, --profile=PROFILENAME is used to set the right profile.~~
  • [x] Used LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 PROGRAM to get English error messages.
debug output
Autoselecting /bin/bash as shell
Command name #/bin/bash#
get interface enp2s0 configuration
MTU of enp2s0 is 1500.
macvlan parent device enp2s0 at 192.168.1.123/24
Autoselecting /bin/bash as shell
Command name #/bin/bash#
get interface enp2s0 configuration
MTU of enp2s0 is 1500.
macvlan parent device enp2s0 at 192.168.1.123/24
Initializing child process
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
sbox run: /run/firejail/lib/fnet ifup lo
sbox run: /run/firejail/lib/fnet ifup eth0-28854
ARP-scan eth0-28854, 192.168.1.123/24
IP address range from 192.168.1.1 to 192.168.1.255
Trying 192.168.1.252 ...
Configuring 192.168.1.252 address on interface eth0-28854
sbox run: /run/firejail/lib/fnet config interface eth0-28854 3232236028 4294967040 1500
Announce 192.168.1.252 ...
Network namespace enabled
sbox run: /run/firejail/lib/fnet printif
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
1535 685 253:3 /etc /etc ro,relatime master:1 - ext4 /dev/mapper/root--vg-lvroot rw,errors=remount-ro
mountid=1535 fsname=/etc dir=/etc fstype=ext4
Mounting noexec /etc
1536 1535 253:3 /etc /etc ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/root--vg-lvroot rw,errors=remount-ro
mountid=1536 fsname=/etc dir=/etc fstype=ext4
Mounting read-only /var
1540 1537 0:74 / /var/lib/containers/storage/overlay-containers/7129aea72337bfe0eee80b0cd57e71ea9d0447ddc34193a7a63999efc287f5d8/userdata/shm rw,nosuid,nodev,noexec,relatime master:321 - tmpfs shm rw,size=64000k
mountid=1540 fsname=/ dir=/var/lib/containers/storage/overlay-containers/7129aea72337bfe0eee80b0cd57e71ea9d0447ddc34193a7a63999efc287f5d8/userdata/shm fstype=tmpfs
Mounting read-only /var/lib/containers/storage/overlay
1542 1541 0:75 / /var/lib/containers/storage/overlay/c323bc137604f5395f8427373101c5a0065c0b44686c32e2d652654d1a8c0488/merged rw,relatime - overlay overlay rw,lowerdir=/var/lib/containers/storage/overlay/l/TLRQS4ENZNYSGH2PIXXD3PMTCA,upperdir=/var/lib/containers/storage/overlay/c323bc137604f5395f8427373101c5a0065c0b44686c32e2d652654d1a8c0488/diff,workdir=/var/lib/containers/storage/overlay/c323bc137604f5395f8427373101c5a0065c0b44686c32e2d652654d1a8c0488/work,xino=off
mountid=1542 fsname=/ dir=/var/lib/containers/storage/overlay/c323bc137604f5395f8427373101c5a0065c0b44686c32e2d652654d1a8c0488/merged fstype=overlay
Mounting read-only /var/lib/containers/storage/overlay/c323bc137604f5395f8427373101c5a0065c0b44686c32e2d652654d1a8c0488/merged
1543 1542 0:75 / /var/lib/containers/storage/overlay/c323bc137604f5395f8427373101c5a0065c0b44686c32e2d652654d1a8c0488/merged ro,relatime - overlay overlay rw,lowerdir=/var/lib/containers/storage/overlay/l/TLRQS4ENZNYSGH2PIXXD3PMTCA,upperdir=/var/lib/containers/storage/overlay/c323bc137604f5395f8427373101c5a0065c0b44686c32e2d652654d1a8c0488/diff,workdir=/var/lib/containers/storage/overlay/c323bc137604f5395f8427373101c5a0065c0b44686c32e2d652654d1a8c0488/work,xino=off
mountid=1543 fsname=/ dir=/var/lib/containers/storage/overlay/c323bc137604f5395f8427373101c5a0065c0b44686c32e2d652654d1a8c0488/merged fstype=overlay
Mounting read-only /var/lib/containers/storage/overlay-containers/7129aea72337bfe0eee80b0cd57e71ea9d0447ddc34193a7a63999efc287f5d8/userdata/shm
1544 1540 0:74 / /var/lib/containers/storage/overlay-containers/7129aea72337bfe0eee80b0cd57e71ea9d0447ddc34193a7a63999efc287f5d8/userdata/shm ro,nosuid,nodev,noexec,relatime master:321 - tmpfs shm rw,size=64000k
mountid=1544 fsname=/ dir=/var/lib/containers/storage/overlay-containers/7129aea72337bfe0eee80b0cd57e71ea9d0447ddc34193a7a63999efc287f5d8/userdata/shm fstype=tmpfs
Mounting noexec /var
1564 1563 0:74 / /var/lib/containers/storage/overlay-containers/7129aea72337bfe0eee80b0cd57e71ea9d0447ddc34193a7a63999efc287f5d8/userdata/shm ro,nosuid,nodev,noexec,relatime master:321 - tmpfs shm rw,size=64000k
mountid=1564 fsname=/ dir=/var/lib/containers/storage/overlay-containers/7129aea72337bfe0eee80b0cd57e71ea9d0447ddc34193a7a63999efc287f5d8/userdata/shm fstype=tmpfs
Mounting noexec /var/lib/containers/storage/overlay
1567 1566 0:75 / /var/lib/containers/storage/overlay/c323bc137604f5395f8427373101c5a0065c0b44686c32e2d652654d1a8c0488/merged ro,relatime - overlay overlay rw,lowerdir=/var/lib/containers/storage/overlay/l/TLRQS4ENZNYSGH2PIXXD3PMTCA,upperdir=/var/lib/containers/storage/overlay/c323bc137604f5395f8427373101c5a0065c0b44686c32e2d652654d1a8c0488/diff,workdir=/var/lib/containers/storage/overlay/c323bc137604f5395f8427373101c5a0065c0b44686c32e2d652654d1a8c0488/work,xino=off
mountid=1567 fsname=/ dir=/var/lib/containers/storage/overlay/c323bc137604f5395f8427373101c5a0065c0b44686c32e2d652654d1a8c0488/merged fstype=overlay
Mounting noexec /var/lib/containers/storage/overlay/c323bc137604f5395f8427373101c5a0065c0b44686c32e2d652654d1a8c0488/merged
1568 1567 0:75 / /var/lib/containers/storage/overlay/c323bc137604f5395f8427373101c5a0065c0b44686c32e2d652654d1a8c0488/merged ro,nosuid,nodev,noexec,relatime - overlay overlay rw,lowerdir=/var/lib/containers/storage/overlay/l/TLRQS4ENZNYSGH2PIXXD3PMTCA,upperdir=/var/lib/containers/storage/overlay/c323bc137604f5395f8427373101c5a0065c0b44686c32e2d652654d1a8c0488/diff,workdir=/var/lib/containers/storage/overlay/c323bc137604f5395f8427373101c5a0065c0b44686c32e2d652654d1a8c0488/work,xino=off
mountid=1568 fsname=/ dir=/var/lib/containers/storage/overlay/c323bc137604f5395f8427373101c5a0065c0b44686c32e2d652654d1a8c0488/merged fstype=overlay
Mounting read-only /usr
1569 685 253:3 /usr /usr ro,relatime master:1 - ext4 /dev/mapper/root--vg-lvroot rw,errors=remount-ro
mountid=1569 fsname=/usr dir=/usr fstype=ext4
Mounting read-only /bin
1570 685 253:3 /bin /bin ro,relatime master:1 - ext4 /dev/mapper/root--vg-lvroot rw,errors=remount-ro
mountid=1570 fsname=/bin dir=/bin fstype=ext4
Mounting read-only /sbin
1571 685 253:3 /sbin /sbin ro,relatime master:1 - ext4 /dev/mapper/root--vg-lvroot rw,errors=remount-ro
mountid=1571 fsname=/sbin dir=/sbin fstype=ext4
Mounting read-only /lib
1572 685 253:3 /lib /lib ro,relatime master:1 - ext4 /dev/mapper/root--vg-lvroot rw,errors=remount-ro
mountid=1572 fsname=/lib dir=/lib fstype=ext4
Mounting read-only /lib64
1573 685 253:3 /lib64 /lib64 ro,relatime master:1 - ext4 /dev/mapper/root--vg-lvroot rw,errors=remount-ro
mountid=1573 fsname=/lib64 dir=/lib64 fstype=ext4
Mounting read-only /lib32
1574 685 253:3 /lib32 /lib32 ro,relatime master:1 - ext4 /dev/mapper/root--vg-lvroot rw,errors=remount-ro
mountid=1574 fsname=/lib32 dir=/lib32 fstype=ext4
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /var/lib/dhcp
Mounting tmpfs on /var/lib/snmp
Mounting tmpfs on /var/lib/sudo
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Cleaning /run/user directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
Mount-bind /home/username/.local/share/wgsh on top of /home/username
1620 1584 253:1 /username/.local/share/wgsh /home/username rw,relatime master:35 - ext4 /dev/mapper/home--vg-lvhome rw
mountid=1620 fsname=/username/.local/share/wgsh dir=/home/username fstype=ext4
Mounting a new /root directory
blacklist /run/firejail/dbus
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /sys/kernel/uevent_helper
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/kernel/hotplug
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /lib/modules
Disable /usr/lib/debug
Disable /boot
Disable /dev/port
Disable /run/user/1000/gnupg
Disable /run/user/1000/systemd
Disable /dev/kmsg
Disable /proc/kmsg
Disable /sys/fs
Disable /sys/module
Mounting noexec /run/firejail/mnt/pulse
1631 1532 0:87 /pulse /run/firejail/mnt/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755
mountid=1631 fsname=/pulse dir=/run/firejail/mnt/pulse fstype=tmpfs
Mounting /run/firejail/mnt/pulse on /home/username/.config/pulse
1632 1620 0:87 /pulse /home/username/.config/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755
mountid=1632 fsname=/pulse dir=/home/username/.config/pulse fstype=tmpfs
Current directory: /home/username
Mounting read-only /run/firejail/mnt/seccomp
1634 1532 0:87 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755
mountid=1634 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs
Seccomp directory:
ls /run/firejail/mnt/seccomp
drwxr-xr-x root     root             120 .
drwxr-xr-x root     root             220 ..
-rw-r--r-- username    username           1072 seccomp
-rw-r--r-- username    username            808 seccomp.32
-rw-r--r-- username    username              0 seccomp.postexec
-rw-r--r-- username    username              0 seccomp.postexec32
No active seccomp files
Drop privileges: pid 1, uid 1000, gid 1000, nogroups 0
starting application
LD_PRELOAD=(null)
Running /bin/bash command through /bin/bash
execvp argument 0: /bin/bash
execvp argument 1: -c
execvp argument 2: /bin/bash
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0-28854@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 66:21:dc:94:68:ba brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.1.252/24 brd 192.168.1.255 scope global eth0-28854
       valid_lft forever preferred_lft forever
    inet6 fe80::6421:dcff:fe94:68ba/64 scope link
       valid_lft forever preferred_lft forever
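An added diagnostic, not part of the original issue, of Firejail or of iproute2: a C probe that classifies what a handle such as /var/run/netns/wgsh actually is. `ip netns add` first creates the name as an empty mode-0 file and then bind-mounts the namespace on top of it, so a zero-byte file that is not an nsfs inode is the bare mount point with nothing bound to it (consistent with a bind mount that existed only inside the sandbox's own mount namespace), and setns(2) on such a file returns EINVAL, the "Invalid argument" shown above. The /tmp sample file is constructed for the probe; NSFS_MAGIC is the kernel's nsfs filesystem magic value.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/vfs.h>
#include <sys/wait.h>
#include <unistd.h>

/* Filesystem magic of the kernel's nsfs (the value of NSFS_MAGIC in <linux/magic.h>). */
#define NSFS_MAGIC 0x6e736673

/* What a netns handle such as /var/run/netns/wgsh turned out to be. */
enum netns_probe {
    NS_MISSING,      /* path does not exist (or cannot be stat'ed) */
    NS_PLACEHOLDER,  /* empty regular file with no namespace bound on it */
    NS_INVALID,      /* exists, but is neither nsfs nor an empty placeholder */
    NS_DENIED,       /* real namespace, but open() or setns() was refused */
    NS_JOINABLE,     /* real namespace that this process may enter */
    NS_ERROR         /* the probe itself failed (open/fork/waitpid) */
};

const char *netns_probe_name(enum netns_probe p)
{
    static const char *names[] = { "missing", "placeholder (setns gives EINVAL)",
        "invalid", "denied (EACCES/EPERM)", "joinable", "probe error" };
    return names[p];
}

/* Call setns(fd, CLONE_NEWNET) in a forked child so the caller's own network
 * namespace is never changed; the child's exit status carries its errno. */
static int setns_errno_in_child(int fd)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (setns(fd, CLONE_NEWNET) == 0)
            _exit(0);
        _exit(errno & 0xff);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

enum netns_probe probe_netns_handle(const char *path)
{
    struct stat st;
    struct statfs sfs;
    if (stat(path, &st) != 0 || statfs(path, &sfs) != 0)
        return NS_MISSING;
    if ((unsigned long)sfs.f_type != NSFS_MAGIC) {
        /* `ip netns add NAME` creates NAME as an empty mode-0 file and then
         * bind-mounts /proc/self/ns/net on top of it.  If that bind mount lives
         * in another mount namespace (the sandbox's), only the empty file is
         * visible here, and setns(2) on it fails with EINVAL. */
        if (S_ISREG(st.st_mode) && st.st_size == 0)
            return NS_PLACEHOLDER;
        return NS_INVALID;
    }
    /* It is an nsfs inode: find out whether we could actually enter it. */
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return (errno == EACCES || errno == EPERM) ? NS_DENIED : NS_ERROR;
    int err = setns_errno_in_child(fd);
    close(fd);
    if (err < 0) return NS_ERROR;
    if (err == 0) return NS_JOINABLE;
    if (err == EPERM) return NS_DENIED;   /* needs CAP_SYS_ADMIN in the owning user ns */
    if (err == EINVAL) return NS_INVALID; /* nsfs inode of a different namespace type */
    return NS_ERROR;
}

/* Constructed sample: an empty file in /tmp standing in for the zero-byte
 * /var/run/netns/wgsh seen in the report.  Probes it, then removes it. */
enum netns_probe probe_constructed_placeholder(void)
{
    char path[] = "/tmp/netns-probe-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return NS_ERROR;
    close(fd);
    enum netns_probe result = probe_netns_handle(path);
    unlink(path);
    return result;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/var/run/netns/wgsh";
    printf("%s: %s\n", path, netns_probe_name(probe_netns_handle(path)));
    return 0;
}
```

Run it as the unprivileged user and then under sudo: "placeholder" in both cases means no namespace is bound at that path any more, whereas "denied" for the user and "joinable" for root would point at a permission problem instead.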
