[GH-ISSUE #3855] "caps.drop all" fails to run commands which have capabilities set (was: node does not want to run (but the same binary renamed works)) #2427

Closed
opened 2026-05-05 09:05:59 -06:00 by gitea-mirror · 7 comments

Originally created by @haraldkubota on GitHub (Dec 30, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3855

Bug and expected behavior

  • Describe the bug.
    I tried to test firejail with a sample Node.js test program. Dart worked fine. However, node does not get executed at all. When renaming the node binary to node2, it works as expected.

  • What did you expect to happen?
    I expected that node (the binary) gets executed since it's not excluded via disable-interpreters.inc.

No profile and disabling firejail

  • What changed calling firejail --noprofile /path/to/program in a terminal?

It works using node. Works also with node2.

  • What changed calling the program by path (check which <program> or firejail --list while the sandbox is running)?

I can use absolute, relative or no path and it makes no difference.
firejail --list is not helpful since the executable does not get executed.

Reproduce
Steps to reproduce the behavior:

  1. Have a ~/.config/firejail/nodejs.profile like this:
whitelist /home/harald/js
include /etc/firejail/whitelist-common.inc
include /etc/firejail/default.profile

node is in ~/js/node/bin/node and node2 is a copy of node in the same directory. PATH includes this dir.

  2. Run in bash or zsh "firejail --profile=~/.config/firejail/nodejs.profile node ./index.js"
harald@r2s1:~/js/sandbox-test$ firejail --profile=~/.config/firejail/nodejs.profile node ./index.js
Reading profile /home/harald/.config/firejail/nodejs.profile
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 185847, child pid 185848
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Child process initialized
/bin/bash: /home/harald/js/node/bin/node: Operation not permitted

Parent is shutting down, bye...

  3. The same works when using node2 instead of node. Using dart instead of node is no problem. Same for python3.

Environment

  • Ubuntu 20.04.01 on x86_64. Also tested on Armbian 20.11.3 Focal on ARM64. Same behavior (and same directory structure)
❯ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.1 LTS
Release:        20.04
Codename:       focal
  • firejail installed via "apt install firejail"
firejail version 0.9.62

Compile time support:
        - AppArmor support is enabled
        - AppImage support is enabled
        - chroot support is enabled
        - file and directory whitelisting support is enabled
        - file transfer support is enabled
        - firetunnel support is enabled
        - networking support is enabled
        - overlayfs support is enabled
        - private-home support is enabled
        - seccomp-bpf support is enabled
        - user namespace support is enabled
        - X11 sandboxing support is enabled

Additional context
For testing, I renamed /etc/firejail/disable-interpreters.inc (the only place which listed node as something to blacklist).

debug output
❯ firejail --profile=~/.config/firejail/nodejs.profile --debug ~/js/node/bin/node index.js
Reading profile /home/harald/.config/firejail/nodejs.profile
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Warning: networking feature is disabled in Firejail configuration file
Autoselecting /bin/zsh as shell
Building quoted command line: '/home/harald/js/node/bin/node' 'index.js' 
Command name #node#
DISPLAY=:0 parsed as 0
Using the local network stack
Parent pid 212925, child pid 212926
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
IBUS_ADDRESS=unix:abstract=/home/harald/.cache/ibus/dbus-cGqp92VW,guid=07456697abb498b9f393367c5fe1f835
IBUS_DAEMON_PID=1627
Build protocol filter: unix,inet,inet6
sbox run: /run/firejail/lib/fseccomp protocol build unix,inet,inet6 /run/firejail/mnt/seccomp/seccomp.protocol (null) 
Dropping all capabilities
Drop privileges: pid 2, uid 2000, gid 100, nogroups 1
No supplementary groups
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
Mounting noexec /etc
Mounting read-only /var
Mounting noexec /var
Mounting read-only /bin
Mounting read-only /sbin
Mounting read-only /lib
Mounting read-only /lib64
Mounting read-only /lib32
Mounting read-only /libx32
Mounting read-only /usr
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /var/lib/dhcp
Mounting tmpfs on /var/lib/snmp
Mounting tmpfs on /var/lib/sudo
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Cleaning /run/user directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /home/harald/.config/firejail
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /sys/kernel/uevent_helper
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/kernel/hotplug
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /usr/lib/modules (requested /lib/modules)
Disable /usr/lib/debug
Disable /boot
Disable /dev/port
Disable /run/user/2000/gnupg
Disable /run/user/2000/systemd
Disable /dev/kmsg
Disable /proc/kmsg
Debug 423: new_name #/home/harald/js#, whitelist
Debug 531: fname #/home/harald/js#, cfg.homedir #/home/harald#
Debug 423: new_name #/home/harald/.XCompose#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.XCompose
        expanded: /home/harald/.XCompose
        real path: (null)
        realpath: No such file or directory
Debug 423: new_name #/home/harald/.asoundrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.asoundrc
        expanded: /home/harald/.asoundrc
        real path: (null)
        realpath: No such file or directory
Debug 423: new_name #/home/harald/.config/ibus#, whitelist
Debug 531: fname #/home/harald/.config/ibus#, cfg.homedir #/home/harald#
Replaced whitelist path: whitelist /home/harald/.config/ibus
Debug 423: new_name #/home/harald/.config/mimeapps.list#, whitelist
Debug 531: fname #/home/harald/.config/mimeapps.list#, cfg.homedir #/home/harald#
Replaced whitelist path: whitelist /home/harald/.config/mimeapps.list
Debug 423: new_name #/home/harald/.config/pkcs11#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/pkcs11
        expanded: /home/harald/.config/pkcs11
        real path: (null)
        realpath: No such file or directory
Debug 423: new_name #/home/harald/.config/user-dirs.dirs#, whitelist
Debug 531: fname #/home/harald/.config/user-dirs.dirs#, cfg.homedir #/home/harald#
Replaced whitelist path: whitelist /home/harald/.config/user-dirs.dirs
Debug 423: new_name #/home/harald/.drirc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.drirc
        expanded: /home/harald/.drirc
        real path: (null)
        realpath: No such file or directory
Debug 423: new_name #/home/harald/.icons#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.icons
        expanded: /home/harald/.icons
        real path: (null)
        realpath: No such file or directory
Debug 423: new_name #/home/harald/.local/share/applications#, whitelist
Debug 531: fname #/home/harald/.local/share/applications#, cfg.homedir #/home/harald#
Replaced whitelist path: whitelist /home/harald/.local/share/applications
Debug 423: new_name #/home/harald/.local/share/icons#, whitelist
Debug 531: fname #/home/harald/.local/share/icons#, cfg.homedir #/home/harald#
Replaced whitelist path: whitelist /home/harald/.local/share/icons
Debug 423: new_name #/home/harald/.local/share/mime#, whitelist
Debug 531: fname #/home/harald/.local/share/mime#, cfg.homedir #/home/harald#
Replaced whitelist path: whitelist /home/harald/.local/share/mime
Debug 423: new_name #/home/harald/.mime.types#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.mime.types
        expanded: /home/harald/.mime.types
        real path: (null)
        realpath: No such file or directory
Debug 423: new_name #/home/harald/.config/dconf#, whitelist
Debug 531: fname #/home/harald/.config/dconf#, cfg.homedir #/home/harald#
Replaced whitelist path: whitelist /home/harald/.config/dconf
Debug 423: new_name #/home/harald/.cache/fontconfig#, whitelist
Debug 531: fname #/home/harald/.cache/fontconfig#, cfg.homedir #/home/harald#
Replaced whitelist path: whitelist /home/harald/.cache/fontconfig
Debug 423: new_name #/home/harald/.config/fontconfig#, whitelist
Debug 531: fname #/home/harald/.config/fontconfig#, cfg.homedir #/home/harald#
Replaced whitelist path: whitelist /home/harald/.config/fontconfig
Debug 423: new_name #/home/harald/.fontconfig#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.fontconfig
        expanded: /home/harald/.fontconfig
        real path: (null)
        realpath: No such file or directory
Debug 423: new_name #/home/harald/.fonts#, whitelist
Debug 531: fname #/home/harald/.fonts#, cfg.homedir #/home/harald#
Replaced whitelist path: whitelist /home/harald/.fonts
Debug 423: new_name #/home/harald/.fonts.conf#, whitelist
Debug 531: fname #/home/harald/.fonts.conf#, cfg.homedir #/home/harald#
Replaced whitelist path: whitelist /home/harald/.fonts.conf
Debug 423: new_name #/home/harald/.fonts.conf.d#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.fonts.conf.d
        expanded: /home/harald/.fonts.conf.d
        real path: (null)
        realpath: No such file or directory
Debug 423: new_name #/home/harald/.fonts.d#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.fonts.d
        expanded: /home/harald/.fonts.d
        real path: (null)
        realpath: No such file or directory
Debug 423: new_name #/home/harald/.local/share/fonts#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.local/share/fonts
        expanded: /home/harald/.local/share/fonts
        real path: (null)
        realpath: No such file or directory
Debug 423: new_name #/home/harald/.pangorc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.pangorc
        expanded: /home/harald/.pangorc
        real path: (null)
        realpath: No such file or directory
Debug 423: new_name #/home/harald/.config/gtk-2.0#, whitelist
Debug 531: fname #/home/harald/.config/gtk-2.0#, cfg.homedir #/home/harald#
Replaced whitelist path: whitelist /home/harald/.config/gtk-2.0
Debug 423: new_name #/home/harald/.config/gtk-3.0#, whitelist
Debug 531: fname #/home/harald/.config/gtk-3.0#, cfg.homedir #/home/harald#
Replaced whitelist path: whitelist /home/harald/.config/gtk-3.0
Debug 423: new_name #/home/harald/.config/gtkrc#, whitelist
Debug 531: fname #/home/harald/.config/gtkrc#, cfg.homedir #/home/harald#
Replaced whitelist path: whitelist /home/harald/.config/gtkrc
Debug 423: new_name #/home/harald/.config/gtkrc-2.0#, whitelist
Debug 531: fname #/home/harald/.config/gtkrc-2.0#, cfg.homedir #/home/harald#
Replaced whitelist path: whitelist /home/harald/.config/gtkrc-2.0
Debug 423: new_name #/home/harald/.gnome2#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.gnome2
        expanded: /home/harald/.gnome2
        real path: (null)
        realpath: No such file or directory
Debug 423: new_name #/home/harald/.gnome2-private#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.gnome2-private
        expanded: /home/harald/.gnome2-private
        real path: (null)
        realpath: No such file or directory
Debug 423: new_name #/home/harald/.gtk-2.0#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.gtk-2.0
        expanded: /home/harald/.gtk-2.0
        real path: (null)
        realpath: No such file or directory
Debug 423: new_name #/home/harald/.gtkrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.gtkrc
        expanded: /home/harald/.gtkrc
        real path: (null)
        realpath: No such file or directory
Debug 423: new_name #/home/harald/.gtkrc-2.0#, whitelist
Debug 531: fname #/home/harald/.gtkrc-2.0#, cfg.homedir #/home/harald#
Replaced whitelist path: whitelist /home/harald/.gtkrc-2.0
Debug 423: new_name #/home/harald/.kde/share/config/gtkrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/gtkrc
        expanded: /home/harald/.kde/share/config/gtkrc
        real path: (null)
        realpath: No such file or directory
Debug 423: new_name #/home/harald/.kde/share/config/gtkrc-2.0#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/gtkrc-2.0
        expanded: /home/harald/.kde/share/config/gtkrc-2.0
        real path: (null)
        realpath: No such file or directory
Debug 423: new_name #/home/harald/.kde4/share/config/gtkrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/gtkrc
        expanded: /home/harald/.kde4/share/config/gtkrc
        real path: (null)
        realpath: No such file or directory
Debug 423: new_name #/home/harald/.kde4/share/config/gtkrc-2.0#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/gtkrc-2.0
        expanded: /home/harald/.kde4/share/config/gtkrc-2.0
        real path: (null)
        realpath: No such file or directory
Debug 423: new_name #/home/harald/.local/share/themes#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.local/share/themes
        expanded: /home/harald/.local/share/themes
        real path: (null)
        realpath: No such file or directory
Debug 423: new_name #/home/harald/.themes#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.themes
        expanded: /home/harald/.themes
        real path: (null)
        realpath: No such file or directory
Debug 423: new_name #/home/harald/.cache/kioexec/krun#, whitelist
Debug 531: fname #/home/harald/.cache/kioexec/krun#, cfg.homedir #/home/harald#
Replaced whitelist path: whitelist /home/harald/.cache/kioexec/krun
Debug 423: new_name #/home/harald/.config/Kvantum#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/Kvantum
        expanded: /home/harald/.config/Kvantum
        real path: (null)
        realpath: No such file or directory
Debug 423: new_name #/home/harald/.config/Trolltech.conf#, whitelist
Debug 531: fname #/home/harald/.config/Trolltech.conf#, cfg.homedir #/home/harald#
Replaced whitelist path: whitelist /home/harald/.config/Trolltech.conf
Debug 423: new_name #/home/harald/.config/kdeglobals#, whitelist
Debug 531: fname #/home/harald/.config/kdeglobals#, cfg.homedir #/home/harald#
Replaced whitelist path: whitelist /home/harald/.config/kdeglobals
Debug 423: new_name #/home/harald/.config/kio_httprc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/kio_httprc
        expanded: /home/harald/.config/kio_httprc
        real path: (null)
        realpath: No such file or directory
Debug 423: new_name #/home/harald/.config/kioslaverc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/kioslaverc
        expanded: /home/harald/.config/kioslaverc
        real path: (null)
        realpath: No such file or directory
Debug 423: new_name #/home/harald/.config/ksslcablacklist#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/ksslcablacklist
        expanded: /home/harald/.config/ksslcablacklist
        real path: (null)
        realpath: No such file or directory
Debug 423: new_name #/home/harald/.config/qt5ct#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/qt5ct
        expanded: /home/harald/.config/qt5ct
        real path: (null)
        realpath: No such file or directory
Debug 423: new_name #/home/harald/.kde/share/config/kdeglobals#, whitelist
Debug 531: fname #/home/harald/.kde/share/config/kdeglobals#, cfg.homedir #/home/harald#
Replaced whitelist path: whitelist /home/harald/.kde/share/config/kdeglobals
Debug 423: new_name #/home/harald/.kde/share/config/kio_httprc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/kio_httprc
        expanded: /home/harald/.kde/share/config/kio_httprc
        real path: (null)
        realpath: No such file or directory
Debug 423: new_name #/home/harald/.kde/share/config/kioslaverc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/kioslaverc
        expanded: /home/harald/.kde/share/config/kioslaverc
        real path: (null)
        realpath: No such file or directory
Debug 423: new_name #/home/harald/.kde/share/config/ksslcablacklist#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/ksslcablacklist
        expanded: /home/harald/.kde/share/config/ksslcablacklist
        real path: (null)
        realpath: No such file or directory
Debug 423: new_name #/home/harald/.kde/share/config/oxygenrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/oxygenrc
        expanded: /home/harald/.kde/share/config/oxygenrc
        real path: (null)
        realpath: No such file or directory
Debug 423: new_name #/home/harald/.kde/share/icons#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/icons
        expanded: /home/harald/.kde/share/icons
        real path: (null)
        realpath: No such file or directory
Debug 423: new_name #/home/harald/.kde4/share/config/kdeglobals#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/kdeglobals
        expanded: /home/harald/.kde4/share/config/kdeglobals
        real path: (null)
        realpath: No such file or directory
Debug 423: new_name #/home/harald/.kde4/share/config/kio_httprc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/kio_httprc
        expanded: /home/harald/.kde4/share/config/kio_httprc
        real path: (null)
        realpath: No such file or directory
Debug 423: new_name #/home/harald/.kde4/share/config/kioslaverc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/kioslaverc
        expanded: /home/harald/.kde4/share/config/kioslaverc
        real path: (null)
        realpath: No such file or directory
Debug 423: new_name #/home/harald/.kde4/share/config/ksslcablacklist#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/ksslcablacklist
        expanded: /home/harald/.kde4/share/config/ksslcablacklist
        real path: (null)
        realpath: No such file or directory
Debug 423: new_name #/home/harald/.kde4/share/config/oxygenrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/oxygenrc
        expanded: /home/harald/.kde4/share/config/oxygenrc
        real path: (null)
        realpath: No such file or directory
Debug 423: new_name #/home/harald/.kde4/share/icons#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/icons
        expanded: /home/harald/.kde4/share/icons
        real path: (null)
        realpath: No such file or directory
Debug 423: new_name #/home/harald/.local/share/qt5ct#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.local/share/qt5ct
        expanded: /home/harald/.local/share/qt5ct
        real path: (null)
        realpath: No such file or directory
Drop privileges: pid 3, uid 2000, gid 100, nogroups 0
Warning: cleaning all supplementary groups
Mounting a new /home directory
Mounting a new /root directory
Create a new user directory
Drop privileges: pid 4, uid 2000, gid 100, nogroups 0
Warning: cleaning all supplementary groups
Drop privileges: pid 5, uid 2000, gid 100, nogroups 0
Warning: cleaning all supplementary groups
Whitelisting /home/harald/js
1689 1687 253:2 /harald/js /home/harald/js rw,relatime master:103 - ext4 /dev/mapper/vgnvme0-home rw
mountid=1689 fsname=/harald/js dir=/home/harald/js fstype=ext4
Whitelisting /home/harald/.config/ibus
1690 1687 253:2 /harald/.config/ibus /home/harald/.config/ibus rw,relatime master:103 - ext4 /dev/mapper/vgnvme0-home rw
mountid=1690 fsname=/harald/.config/ibus dir=/home/harald/.config/ibus fstype=ext4
Whitelisting /home/harald/.config/mimeapps.list
1691 1687 253:2 /harald/.config/mimeapps.list /home/harald/.config/mimeapps.list rw,relatime master:103 - ext4 /dev/mapper/vgnvme0-home rw
mountid=1691 fsname=/harald/.config/mimeapps.list dir=/home/harald/.config/mimeapps.list fstype=ext4
Whitelisting /home/harald/.config/user-dirs.dirs
1816 1687 253:2 /harald/.config/user-dirs.dirs /home/harald/.config/user-dirs.dirs rw,relatime master:103 - ext4 /dev/mapper/vgnvme0-home rw
mountid=1816 fsname=/harald/.config/user-dirs.dirs dir=/home/harald/.config/user-dirs.dirs fstype=ext4
Whitelisting /home/harald/.local/share/applications
1817 1687 253:2 /harald/.local/share/applications /home/harald/.local/share/applications rw,relatime master:103 - ext4 /dev/mapper/vgnvme0-home rw
mountid=1817 fsname=/harald/.local/share/applications dir=/home/harald/.local/share/applications fstype=ext4
Whitelisting /home/harald/.local/share/icons
1818 1687 253:2 /harald/.local/share/icons /home/harald/.local/share/icons rw,relatime master:103 - ext4 /dev/mapper/vgnvme0-home rw
mountid=1818 fsname=/harald/.local/share/icons dir=/home/harald/.local/share/icons fstype=ext4
Whitelisting /home/harald/.local/share/mime
1819 1687 253:2 /harald/.local/share/mime /home/harald/.local/share/mime rw,relatime master:103 - ext4 /dev/mapper/vgnvme0-home rw
mountid=1819 fsname=/harald/.local/share/mime dir=/home/harald/.local/share/mime fstype=ext4
Whitelisting /home/harald/.config/dconf
1820 1687 253:2 /harald/.config/dconf /home/harald/.config/dconf rw,relatime master:103 - ext4 /dev/mapper/vgnvme0-home rw
mountid=1820 fsname=/harald/.config/dconf dir=/home/harald/.config/dconf fstype=ext4
Whitelisting /home/harald/.cache/fontconfig
1821 1687 253:2 /harald/.cache/fontconfig /home/harald/.cache/fontconfig rw,relatime master:103 - ext4 /dev/mapper/vgnvme0-home rw
mountid=1821 fsname=/harald/.cache/fontconfig dir=/home/harald/.cache/fontconfig fstype=ext4
Whitelisting /home/harald/.config/fontconfig
1822 1687 253:2 /harald/.config/fontconfig /home/harald/.config/fontconfig rw,relatime master:103 - ext4 /dev/mapper/vgnvme0-home rw
mountid=1822 fsname=/harald/.config/fontconfig dir=/home/harald/.config/fontconfig fstype=ext4
Whitelisting /home/harald/.fonts
1823 1687 253:2 /harald/.fonts /home/harald/.fonts rw,relatime master:103 - ext4 /dev/mapper/vgnvme0-home rw
mountid=1823 fsname=/harald/.fonts dir=/home/harald/.fonts fstype=ext4
Whitelisting /home/harald/.fonts.conf
1824 1687 253:2 /harald/.fonts.conf /home/harald/.fonts.conf rw,relatime master:103 - ext4 /dev/mapper/vgnvme0-home rw
mountid=1824 fsname=/harald/.fonts.conf dir=/home/harald/.fonts.conf fstype=ext4
Whitelisting /home/harald/.config/gtk-2.0
1825 1687 253:2 /harald/.config/gtk-2.0 /home/harald/.config/gtk-2.0 rw,relatime master:103 - ext4 /dev/mapper/vgnvme0-home rw
mountid=1825 fsname=/harald/.config/gtk-2.0 dir=/home/harald/.config/gtk-2.0 fstype=ext4
Whitelisting /home/harald/.config/gtk-3.0
1826 1687 253:2 /harald/.config/gtk-3.0 /home/harald/.config/gtk-3.0 rw,relatime master:103 - ext4 /dev/mapper/vgnvme0-home rw
mountid=1826 fsname=/harald/.config/gtk-3.0 dir=/home/harald/.config/gtk-3.0 fstype=ext4
Whitelisting /home/harald/.config/gtkrc
1827 1687 253:2 /harald/.config/gtkrc /home/harald/.config/gtkrc rw,relatime master:103 - ext4 /dev/mapper/vgnvme0-home rw
mountid=1827 fsname=/harald/.config/gtkrc dir=/home/harald/.config/gtkrc fstype=ext4
Whitelisting /home/harald/.config/gtkrc-2.0
1828 1687 253:2 /harald/.config/gtkrc-2.0 /home/harald/.config/gtkrc-2.0 rw,relatime master:103 - ext4 /dev/mapper/vgnvme0-home rw
mountid=1828 fsname=/harald/.config/gtkrc-2.0 dir=/home/harald/.config/gtkrc-2.0 fstype=ext4
Whitelisting /home/harald/.gtkrc-2.0
1829 1687 253:2 /harald/.gtkrc-2.0 /home/harald/.gtkrc-2.0 rw,relatime master:103 - ext4 /dev/mapper/vgnvme0-home rw
mountid=1829 fsname=/harald/.gtkrc-2.0 dir=/home/harald/.gtkrc-2.0 fstype=ext4
Whitelisting /home/harald/.cache/kioexec/krun
1830 1687 253:2 /harald/.cache/kioexec/krun /home/harald/.cache/kioexec/krun rw,relatime master:103 - ext4 /dev/mapper/vgnvme0-home rw
mountid=1830 fsname=/harald/.cache/kioexec/krun dir=/home/harald/.cache/kioexec/krun fstype=ext4
Whitelisting /home/harald/.config/Trolltech.conf
1831 1687 253:2 /harald/.config/Trolltech.conf /home/harald/.config/Trolltech.conf rw,relatime master:103 - ext4 /dev/mapper/vgnvme0-home rw
mountid=1831 fsname=/harald/.config/Trolltech.conf dir=/home/harald/.config/Trolltech.conf fstype=ext4
Whitelisting /home/harald/.config/kdeglobals
1832 1687 253:2 /harald/.config/kdeglobals /home/harald/.config/kdeglobals rw,relatime master:103 - ext4 /dev/mapper/vgnvme0-home rw
mountid=1832 fsname=/harald/.config/kdeglobals dir=/home/harald/.config/kdeglobals fstype=ext4
Whitelisting /home/harald/.kde/share/config/kdeglobals
1833 1687 253:2 /harald/.kde/share/config/kdeglobals /home/harald/.kde/share/config/kdeglobals rw,relatime master:103 - ext4 /dev/mapper/vgnvme0-home rw
mountid=1833 fsname=/harald/.kde/share/config/kdeglobals dir=/home/harald/.kde/share/config/kdeglobals fstype=ext4
Mounting read-only /home/harald/.config/user-dirs.dirs
1835 1816 253:2 /harald/.config/user-dirs.dirs /home/harald/.config/user-dirs.dirs ro,relatime master:103 - ext4 /dev/mapper/vgnvme0-home rw
mountid=1835 fsname=/harald/.config/user-dirs.dirs dir=/home/harald/.config/user-dirs.dirs fstype=ext4
Mounting read-only /home/harald/.local/share/applications
1836 1817 253:2 /harald/.local/share/applications /home/harald/.local/share/applications ro,relatime master:103 - ext4 /dev/mapper/vgnvme0-home rw
mountid=1836 fsname=/harald/.local/share/applications dir=/home/harald/.local/share/applications fstype=ext4
Disable /etc/X11/Xsession.d
Disable /etc/xdg/autostart
Mounting read-only /home/harald/.Xauthority
1839 1687 0:101 /harald/.Xauthority /home/harald/.Xauthority ro,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755
mountid=1839 fsname=/harald/.Xauthority dir=/home/harald/.Xauthority fstype=tmpfs
Mounting read-only /home/harald/.config/kdeglobals
1840 1832 253:2 /harald/.config/kdeglobals /home/harald/.config/kdeglobals ro,relatime master:103 - ext4 /dev/mapper/vgnvme0-home rw
mountid=1840 fsname=/harald/.config/kdeglobals dir=/home/harald/.config/kdeglobals fstype=ext4
Mounting read-only /home/harald/.kde/share/config/kdeglobals
1841 1833 253:2 /harald/.kde/share/config/kdeglobals /home/harald/.kde/share/config/kdeglobals ro,relatime master:103 - ext4 /dev/mapper/vgnvme0-home rw
mountid=1841 fsname=/harald/.kde/share/config/kdeglobals dir=/home/harald/.kde/share/config/kdeglobals fstype=ext4
Disable /run/user/2000/klauncherpyYimJ.1.slave-socket
Disable /run/user/2000/kdeinit5__0
Mounting read-only /home/harald/.config/dconf
1844 1820 253:2 /harald/.config/dconf /home/harald/.config/dconf ro,relatime master:103 - ext4 /dev/mapper/vgnvme0-home rw
mountid=1844 fsname=/harald/.config/dconf dir=/home/harald/.config/dconf fstype=ext4
Disable /var/lib/systemd
Disable /var/cache/apt
Disable /var/lib/apt
Disable /var/lib/upower
Disable /var/mail
Disable /var/opt
Disable /run/acpid.socket (requested /var/run/acpid.socket)
Disable /run/docker.sock (requested /var/run/docker.sock)
Disable /run/rpcbind.sock (requested /var/run/rpcbind.sock)
Disable /var/spool/anacron
Disable /var/spool/cron
Disable /var/mail (requested /var/spool/mail)
Disable /etc/anacrontab
Disable /etc/cron.hourly
Disable /etc/cron.weekly
Disable /etc/crontab
Disable /etc/cron.daily
Disable /etc/cron.monthly
Disable /etc/cron.d
Disable /etc/profile.d
Disable /etc/rc.local
Disable /etc/rc5.d
Disable /etc/rc1.d
Disable /etc/rc6.d
Disable /etc/rc4.d
Disable /etc/rc2.d
Disable /etc/rc3.d
Disable /etc/rc0.d
Disable /etc/rcS.d
Disable /etc/kernel-img.conf
Disable /etc/kernel
Disable /etc/kerneloops.conf
Disable /etc/grub.d
Disable /etc/apparmor
Disable /etc/apparmor.d
Disable /etc/selinux
Disable /etc/modules-load.d
Disable /etc/modules
Disable /etc/logrotate.d
Disable /etc/logrotate.conf
Disable /etc/adduser.conf
Mounting read-only /home/harald/.zshrc
1886 1687 0:101 /harald/.zshrc /home/harald/.zshrc ro,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755
mountid=1886 fsname=/harald/.zshrc dir=/home/harald/.zshrc fstype=tmpfs
Disable /etc/group-
Disable /etc/gshadow
Disable /etc/gshadow-
Disable /etc/passwd-
Disable /etc/shadow
Disable /etc/shadow-
Disable /etc/ssh
Disable /usr/sbin (requested /sbin)
Disable /usr/local/sbin
Disable /usr/sbin
Disable /usr/bin/chage
Disable /usr/bin/chage (requested /bin/chage)
Disable /usr/bin/chfn
Disable /usr/bin/chfn (requested /bin/chfn)
Disable /usr/bin/chsh
Disable /usr/bin/chsh (requested /bin/chsh)
Disable /usr/bin/crontab
Disable /usr/bin/crontab (requested /bin/crontab)
Disable /usr/bin/expiry
Disable /usr/bin/expiry (requested /bin/expiry)
Disable /usr/bin/fusermount
Disable /usr/bin/fusermount (requested /bin/fusermount)
Disable /usr/bin/gpasswd
Disable /usr/bin/gpasswd (requested /bin/gpasswd)
Disable /usr/bin/mount
Disable /usr/bin/mount (requested /bin/mount)
Disable /usr/bin/nc.openbsd (requested /usr/bin/nc)
Disable /usr/bin/nc.openbsd (requested /bin/nc)
Disable /usr/bin/newgrp
Disable /usr/bin/newgrp (requested /bin/newgrp)
Disable /usr/bin/ntfs-3g
Disable /usr/bin/ntfs-3g (requested /bin/ntfs-3g)
Disable /usr/bin/pkexec
Disable /usr/bin/pkexec (requested /bin/pkexec)
Disable /usr/bin/newgrp (requested /usr/bin/sg)
Disable /usr/bin/newgrp (requested /bin/sg)
Disable /usr/bin/strace
Disable /usr/bin/strace (requested /bin/strace)
Disable /usr/bin/su
Disable /usr/bin/su (requested /bin/su)
Disable /usr/bin/sudo
Disable /usr/bin/sudo (requested /bin/sudo)
Disable /usr/bin/umount
Disable /usr/bin/umount (requested /bin/umount)
Disable /usr/bin/xev
Disable /usr/bin/xev (requested /bin/xev)
Disable /usr/bin/xinput
Disable /usr/bin/xinput (requested /bin/xinput)
Disable /usr/bin/bwrap
Disable /usr/bin/bwrap (requested /bin/bwrap)
Disable /tmp/ssh-6mDJ2R4zgvtd
Disable /tmp/ssh-e7qxLWR7AE4n
Disable /tmp/ssh-aV9tWYficYQd
Disable /sys/fs
Disable /sys/module
Mounting noexec /run/firejail/mnt/pulse
Creating empty /home/harald/.config/pulse directory
Drop privileges: pid 6, uid 2000, gid 100, nogroups 0
Warning: cleaning all supplementary groups
Mounting /run/firejail/mnt/pulse on /home/harald/.config/pulse
1943 1687 0:88 /pulse /home/harald/.config/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755
mountid=1943 fsname=/pulse dir=/home/harald/.config/pulse fstype=tmpfs
Current directory: /home/harald/js/sandbox-test
DISPLAY=:0 parsed as 0
Install protocol filter: unix,inet,inet6
configuring 14 seccomp entries in /run/firejail/mnt/seccomp/seccomp.protocol
sbox run: /usr/lib/x86_64-linux-gnu/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.protocol (null) 
Dropping all capabilities
Drop privileges: pid 7, uid 2000, gid 100, nogroups 1
No supplementary groups
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 15 01 00 00000029   jeq socket 0006 (false 0005)
 0005: 06 00 00 7fff0000   ret ALLOW
 0006: 20 00 00 00000010   ld  data.args[0]
 0007: 15 00 01 00000001   jeq 1 0008 (false 0009)
 0008: 06 00 00 7fff0000   ret ALLOW
 0009: 15 00 01 00000002   jeq 2 000a (false 000b)
 000a: 06 00 00 7fff0000   ret ALLOW
 000b: 15 00 01 0000000a   jeq a 000c (false 000d)
 000c: 06 00 00 7fff0000   ret ALLOW
 000d: 06 00 00 0005005f   ret ERRNO(95)
configuring 54 seccomp entries in /run/firejail/mnt/seccomp/seccomp.32
sbox run: /usr/lib/x86_64-linux-gnu/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.32 (null) 
Dropping all capabilities
Drop privileges: pid 8, uid 2000, gid 100, nogroups 1
No supplementary groups
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 40000003   jeq ARCH_32 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 15 30 00 00000015   jeq 15 0035 (false 0005)
 0005: 15 2f 00 00000034   jeq 34 0035 (false 0006)
 0006: 15 2e 00 0000001a   jeq 1a 0035 (false 0007)
 0007: 15 2d 00 0000011b   jeq 11b 0035 (false 0008)
 0008: 15 2c 00 00000155   jeq 155 0035 (false 0009)
 0009: 15 2b 00 00000156   jeq 156 0035 (false 000a)
 000a: 15 2a 00 0000007f   jeq 7f 0035 (false 000b)
 000b: 15 29 00 00000080   jeq 80 0035 (false 000c)
 000c: 15 28 00 0000015e   jeq 15e 0035 (false 000d)
 000d: 15 27 00 00000081   jeq 81 0035 (false 000e)
 000e: 15 26 00 0000006e   jeq 6e 0035 (false 000f)
 000f: 15 25 00 00000065   jeq 65 0035 (false 0010)
 0010: 15 24 00 00000121   jeq 121 0035 (false 0011)
 0011: 15 23 00 00000057   jeq 57 0035 (false 0012)
 0012: 15 22 00 00000073   jeq 73 0035 (false 0013)
 0013: 15 21 00 00000067   jeq 67 0035 (false 0014)
 0014: 15 20 00 0000015b   jeq 15b 0035 (false 0015)
 0015: 15 1f 00 0000015c   jeq 15c 0035 (false 0016)
 0016: 15 1e 00 00000087   jeq 87 0035 (false 0017)
 0017: 15 1d 00 00000095   jeq 95 0035 (false 0018)
 0018: 15 1c 00 0000007c   jeq 7c 0035 (false 0019)
 0019: 15 1b 00 00000157   jeq 157 0035 (false 001a)
 001a: 15 1a 00 000000fd   jeq fd 0035 (false 001b)
 001b: 15 19 00 00000150   jeq 150 0035 (false 001c)
 001c: 15 18 00 00000152   jeq 152 0035 (false 001d)
 001d: 15 17 00 0000015d   jeq 15d 0035 (false 001e)
 001e: 15 16 00 0000011e   jeq 11e 0035 (false 001f)
 001f: 15 15 00 0000011f   jeq 11f 0035 (false 0020)
 0020: 15 14 00 00000120   jeq 120 0035 (false 0021)
 0021: 15 13 00 00000056   jeq 56 0035 (false 0022)
 0022: 15 12 00 00000033   jeq 33 0035 (false 0023)
 0023: 15 11 00 0000007b   jeq 7b 0035 (false 0024)
 0024: 15 10 00 000000d9   jeq d9 0035 (false 0025)
 0025: 15 0f 00 000000f5   jeq f5 0035 (false 0026)
 0026: 15 0e 00 000000f6   jeq f6 0035 (false 0027)
 0027: 15 0d 00 000000f7   jeq f7 0035 (false 0028)
 0028: 15 0c 00 000000f8   jeq f8 0035 (false 0029)
 0029: 15 0b 00 000000f9   jeq f9 0035 (false 002a)
 002a: 15 0a 00 00000101   jeq 101 0035 (false 002b)
 002b: 15 09 00 00000112   jeq 112 0035 (false 002c)
 002c: 15 08 00 00000114   jeq 114 0035 (false 002d)
 002d: 15 07 00 00000126   jeq 126 0035 (false 002e)
 002e: 15 06 00 0000013d   jeq 13d 0035 (false 002f)
 002f: 15 05 00 0000013c   jeq 13c 0035 (false 0030)
 0030: 15 04 00 0000003d   jeq 3d 0035 (false 0031)
 0031: 15 03 00 00000058   jeq 58 0035 (false 0032)
 0032: 15 02 00 000000a9   jeq a9 0035 (false 0033)
 0033: 15 01 00 00000082   jeq 82 0035 (false 0034)
 0034: 06 00 00 7fff0000   ret ALLOW
 0035: 06 00 00 00000000   ret KILL
Dual 32/64 bit seccomp filter configured
configuring 72 seccomp entries in /run/firejail/mnt/seccomp/seccomp
sbox run: /usr/lib/x86_64-linux-gnu/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp (null) 
Dropping all capabilities
Drop privileges: pid 9, uid 2000, gid 100, nogroups 1
No supplementary groups
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 35 01 00 40000000   jge X32_ABI 0006 (false 0005)
 0005: 35 01 00 00000000   jge read 0007 (false 0006)
 0006: 06 00 00 00050001   ret ERRNO(1)
 0007: 15 3f 00 0000009f   jeq adjtimex 0047 (false 0008)
 0008: 15 3e 00 00000131   jeq clock_adjtime 0047 (false 0009)
 0009: 15 3d 00 000000e3   jeq clock_settime 0047 (false 000a)
 000a: 15 3c 00 000000a4   jeq settimeofday 0047 (false 000b)
 000b: 15 3b 00 0000009a   jeq modify_ldt 0047 (false 000c)
 000c: 15 3a 00 000000d4   jeq lookup_dcookie 0047 (false 000d)
 000d: 15 39 00 0000012a   jeq perf_event_open 0047 (false 000e)
 000e: 15 38 00 00000137   jeq process_vm_writev 0047 (false 000f)
 000f: 15 37 00 000000b0   jeq delete_module 0047 (false 0010)
 0010: 15 36 00 00000139   jeq finit_module 0047 (false 0011)
 0011: 15 35 00 000000af   jeq init_module 0047 (false 0012)
 0012: 15 34 00 0000009c   jeq _sysctl 0047 (false 0013)
 0013: 15 33 00 000000b7   jeq afs_syscall 0047 (false 0014)
 0014: 15 32 00 000000ae   jeq create_module 0047 (false 0015)
 0015: 15 31 00 000000b1   jeq get_kernel_syms 0047 (false 0016)
 0016: 15 30 00 000000b5   jeq getpmsg 0047 (false 0017)
 0017: 15 2f 00 000000b6   jeq putpmsg 0047 (false 0018)
 0018: 15 2e 00 000000b2   jeq query_module 0047 (false 0019)
 0019: 15 2d 00 000000b9   jeq security 0047 (false 001a)
 001a: 15 2c 00 0000008b   jeq sysfs 0047 (false 001b)
 001b: 15 2b 00 000000b8   jeq tuxcall 0047 (false 001c)
 001c: 15 2a 00 00000086   jeq uselib 0047 (false 001d)
 001d: 15 29 00 00000088   jeq ustat 0047 (false 001e)
 001e: 15 28 00 000000ec   jeq vserver 0047 (false 001f)
 001f: 15 27 00 000000ad   jeq ioperm 0047 (false 0020)
 0020: 15 26 00 000000ac   jeq iopl 0047 (false 0021)
 0021: 15 25 00 000000f6   jeq kexec_load 0047 (false 0022)
 0022: 15 24 00 00000140   jeq kexec_file_load 0047 (false 0023)
 0023: 15 23 00 000000a9   jeq reboot 0047 (false 0024)
 0024: 15 22 00 000000a7   jeq swapon 0047 (false 0025)
 0025: 15 21 00 000000a8   jeq swapoff 0047 (false 0026)
 0026: 15 20 00 00000130   jeq open_by_handle_at 0047 (false 0027)
 0027: 15 1f 00 0000012f   jeq name_to_handle_at 0047 (false 0028)
 0028: 15 1e 00 000000fb   jeq ioprio_set 0047 (false 0029)
 0029: 15 1d 00 00000067   jeq syslog 0047 (false 002a)
 002a: 15 1c 00 0000012c   jeq fanotify_init 0047 (false 002b)
 002b: 15 1b 00 00000138   jeq kcmp 0047 (false 002c)
 002c: 15 1a 00 000000f8   jeq add_key 0047 (false 002d)
 002d: 15 19 00 000000f9   jeq request_key 0047 (false 002e)
 002e: 15 18 00 000000ed   jeq mbind 0047 (false 002f)
 002f: 15 17 00 00000100   jeq migrate_pages 0047 (false 0030)
 0030: 15 16 00 00000117   jeq move_pages 0047 (false 0031)
 0031: 15 15 00 000000fa   jeq keyctl 0047 (false 0032)
 0032: 15 14 00 000000ce   jeq io_setup 0047 (false 0033)
 0033: 15 13 00 000000cf   jeq io_destroy 0047 (false 0034)
 0034: 15 12 00 000000d0   jeq io_getevents 0047 (false 0035)
 0035: 15 11 00 000000d1   jeq io_submit 0047 (false 0036)
 0036: 15 10 00 000000d2   jeq io_cancel 0047 (false 0037)
 0037: 15 0f 00 000000d8   jeq remap_file_pages 0047 (false 0038)
 0038: 15 0e 00 00000143   jeq userfaultfd 0047 (false 0039)
 0039: 15 0d 00 000000a3   jeq acct 0047 (false 003a)
 003a: 15 0c 00 00000141   jeq bpf 0047 (false 003b)
 003b: 15 0b 00 000000a1   jeq chroot 0047 (false 003c)
 003c: 15 0a 00 000000a5   jeq mount 0047 (false 003d)
 003d: 15 09 00 000000b4   jeq nfsservctl 0047 (false 003e)
 003e: 15 08 00 0000009b   jeq pivot_root 0047 (false 003f)
 003f: 15 07 00 000000ab   jeq setdomainname 0047 (false 0040)
 0040: 15 06 00 000000aa   jeq sethostname 0047 (false 0041)
 0041: 15 05 00 000000a6   jeq umount2 0047 (false 0042)
 0042: 15 04 00 00000099   jeq vhangup 0047 (false 0043)
 0043: 15 03 00 00000065   jeq ptrace 0047 (false 0044)
 0044: 15 02 00 00000087   jeq personality 0047 (false 0045)
 0045: 15 01 00 00000136   jeq process_vm_readv 0047 (false 0046)
 0046: 06 00 00 7fff0000   ret ALLOW
 0047: 06 00 01 00000000   ret KILL
seccomp filter configured
Mounting read-only /run/firejail/mnt/seccomp
Dropping all capabilities
noroot user namespace installed
Dropping all capabilities
NO_NEW_PRIVS set
Drop privileges: pid 1, uid 2000, gid 100, nogroups 0
Warning: cleaning all supplementary groups
starting application
LD_PRELOAD=(null)
Running '/home/harald/js/node/bin/node' 'index.js'  command through /bin/zsh
execvp argument 0: /bin/zsh
execvp argument 1: -c
execvp argument 2: '/home/harald/js/node/bin/node' 'index.js' 
Child process initialized in 64.02 ms
Installing /run/firejail/mnt/seccomp/seccomp seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter
zsh:1: operation not permitted: /home/harald/js/node/bin/node
monitoring pid 10

Sandbox monitor: waitpid 10 retval 10 status 32512

Parent is shutting down, bye...

mountid=1886 fsname=/harald/.zshrc dir=/home/harald/.zshrc fstype=tmpfs Disable /etc/group- Disable /etc/gshadow Disable /etc/gshadow- Disable /etc/passwd- Disable /etc/shadow Disable /etc/shadow- Disable /etc/ssh Disable /usr/sbin (requested /sbin) Disable /usr/local/sbin Disable /usr/sbin Disable /usr/bin/chage Disable /usr/bin/chage (requested /bin/chage) Disable /usr/bin/chfn Disable /usr/bin/chfn (requested /bin/chfn) Disable /usr/bin/chsh Disable /usr/bin/chsh (requested /bin/chsh) Disable /usr/bin/crontab Disable /usr/bin/crontab (requested /bin/crontab) Disable /usr/bin/expiry Disable /usr/bin/expiry (requested /bin/expiry) Disable /usr/bin/fusermount Disable /usr/bin/fusermount (requested /bin/fusermount) Disable /usr/bin/gpasswd Disable /usr/bin/gpasswd (requested /bin/gpasswd) Disable /usr/bin/mount Disable /usr/bin/mount (requested /bin/mount) Disable /usr/bin/nc.openbsd (requested /usr/bin/nc) Disable /usr/bin/nc.openbsd (requested /bin/nc) Disable /usr/bin/newgrp Disable /usr/bin/newgrp (requested /bin/newgrp) Disable /usr/bin/ntfs-3g Disable /usr/bin/ntfs-3g (requested /bin/ntfs-3g) Disable /usr/bin/pkexec Disable /usr/bin/pkexec (requested /bin/pkexec) Disable /usr/bin/newgrp (requested /usr/bin/sg) Disable /usr/bin/newgrp (requested /bin/sg) Disable /usr/bin/strace Disable /usr/bin/strace (requested /bin/strace) Disable /usr/bin/su Disable /usr/bin/su (requested /bin/su) Disable /usr/bin/sudo Disable /usr/bin/sudo (requested /bin/sudo) Disable /usr/bin/umount Disable /usr/bin/umount (requested /bin/umount) Disable /usr/bin/xev Disable /usr/bin/xev (requested /bin/xev) Disable /usr/bin/xinput Disable /usr/bin/xinput (requested /bin/xinput) Disable /usr/bin/bwrap Disable /usr/bin/bwrap (requested /bin/bwrap) Disable /tmp/ssh-6mDJ2R4zgvtd Disable /tmp/ssh-e7qxLWR7AE4n Disable /tmp/ssh-aV9tWYficYQd Disable /sys/fs Disable /sys/module Mounting noexec /run/firejail/mnt/pulse Creating empty /home/harald/.config/pulse directory Drop privileges: pid 6, uid 
2000, gid 100, nogroups 0 Warning: cleaning all supplementary groups Mounting /run/firejail/mnt/pulse on /home/harald/.config/pulse 1943 1687 0:88 /pulse /home/harald/.config/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755 mountid=1943 fsname=/pulse dir=/home/harald/.config/pulse fstype=tmpfs Current directory: /home/harald/js/sandbox-test DISPLAY=:0 parsed as 0 Install protocol filter: unix,inet,inet6 configuring 14 seccomp entries in /run/firejail/mnt/seccomp/seccomp.protocol sbox run: /usr/lib/x86_64-linux-gnu/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.protocol (null) Dropping all capabilities Drop privileges: pid 7, uid 2000, gid 100, nogroups 1 No supplementary groups line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 01 00 c000003e jeq ARCH_64 0003 (false 0002) 0002: 06 00 00 7fff0000 ret ALLOW 0003: 20 00 00 00000000 ld data.syscall-number 0004: 15 01 00 00000029 jeq socket 0006 (false 0005) 0005: 06 00 00 7fff0000 ret ALLOW 0006: 20 00 00 00000010 ld data.args[0] 0007: 15 00 01 00000001 jeq 1 0008 (false 0009) 0008: 06 00 00 7fff0000 ret ALLOW 0009: 15 00 01 00000002 jeq 2 000a (false 000b) 000a: 06 00 00 7fff0000 ret ALLOW 000b: 15 00 01 0000000a jeq a 000c (false 000d) 000c: 06 00 00 7fff0000 ret ALLOW 000d: 06 00 00 0005005f ret ERRNO(95) configuring 54 seccomp entries in /run/firejail/mnt/seccomp/seccomp.32 sbox run: /usr/lib/x86_64-linux-gnu/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.32 (null) Dropping all capabilities Drop privileges: pid 8, uid 2000, gid 100, nogroups 1 No supplementary groups line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 01 00 40000003 jeq ARCH_32 0003 (false 0002) 0002: 06 00 00 7fff0000 ret ALLOW 0003: 20 00 00 00000000 ld data.syscall-number 0004: 15 30 00 00000015 jeq 15 0035 (false 0005) 0005: 15 2f 00 00000034 jeq 34 0035 (false 0006) 0006: 15 2e 00 0000001a jeq 1a 0035 (false 0007) 0007: 
15 2d 00 0000011b jeq 11b 0035 (false 0008) 0008: 15 2c 00 00000155 jeq 155 0035 (false 0009) 0009: 15 2b 00 00000156 jeq 156 0035 (false 000a) 000a: 15 2a 00 0000007f jeq 7f 0035 (false 000b) 000b: 15 29 00 00000080 jeq 80 0035 (false 000c) 000c: 15 28 00 0000015e jeq 15e 0035 (false 000d) 000d: 15 27 00 00000081 jeq 81 0035 (false 000e) 000e: 15 26 00 0000006e jeq 6e 0035 (false 000f) 000f: 15 25 00 00000065 jeq 65 0035 (false 0010) 0010: 15 24 00 00000121 jeq 121 0035 (false 0011) 0011: 15 23 00 00000057 jeq 57 0035 (false 0012) 0012: 15 22 00 00000073 jeq 73 0035 (false 0013) 0013: 15 21 00 00000067 jeq 67 0035 (false 0014) 0014: 15 20 00 0000015b jeq 15b 0035 (false 0015) 0015: 15 1f 00 0000015c jeq 15c 0035 (false 0016) 0016: 15 1e 00 00000087 jeq 87 0035 (false 0017) 0017: 15 1d 00 00000095 jeq 95 0035 (false 0018) 0018: 15 1c 00 0000007c jeq 7c 0035 (false 0019) 0019: 15 1b 00 00000157 jeq 157 0035 (false 001a) 001a: 15 1a 00 000000fd jeq fd 0035 (false 001b) 001b: 15 19 00 00000150 jeq 150 0035 (false 001c) 001c: 15 18 00 00000152 jeq 152 0035 (false 001d) 001d: 15 17 00 0000015d jeq 15d 0035 (false 001e) 001e: 15 16 00 0000011e jeq 11e 0035 (false 001f) 001f: 15 15 00 0000011f jeq 11f 0035 (false 0020) 0020: 15 14 00 00000120 jeq 120 0035 (false 0021) 0021: 15 13 00 00000056 jeq 56 0035 (false 0022) 0022: 15 12 00 00000033 jeq 33 0035 (false 0023) 0023: 15 11 00 0000007b jeq 7b 0035 (false 0024) 0024: 15 10 00 000000d9 jeq d9 0035 (false 0025) 0025: 15 0f 00 000000f5 jeq f5 0035 (false 0026) 0026: 15 0e 00 000000f6 jeq f6 0035 (false 0027) 0027: 15 0d 00 000000f7 jeq f7 0035 (false 0028) 0028: 15 0c 00 000000f8 jeq f8 0035 (false 0029) 0029: 15 0b 00 000000f9 jeq f9 0035 (false 002a) 002a: 15 0a 00 00000101 jeq 101 0035 (false 002b) 002b: 15 09 00 00000112 jeq 112 0035 (false 002c) 002c: 15 08 00 00000114 jeq 114 0035 (false 002d) 002d: 15 07 00 00000126 jeq 126 0035 (false 002e) 002e: 15 06 00 0000013d jeq 13d 0035 (false 002f) 002f: 15 05 00 0000013c 
jeq 13c 0035 (false 0030) 0030: 15 04 00 0000003d jeq 3d 0035 (false 0031) 0031: 15 03 00 00000058 jeq 58 0035 (false 0032) 0032: 15 02 00 000000a9 jeq a9 0035 (false 0033) 0033: 15 01 00 00000082 jeq 82 0035 (false 0034) 0034: 06 00 00 7fff0000 ret ALLOW 0035: 06 00 00 00000000 ret KILL Dual 32/64 bit seccomp filter configured configuring 72 seccomp entries in /run/firejail/mnt/seccomp/seccomp sbox run: /usr/lib/x86_64-linux-gnu/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp (null) Dropping all capabilities Drop privileges: pid 9, uid 2000, gid 100, nogroups 1 No supplementary groups line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 01 00 c000003e jeq ARCH_64 0003 (false 0002) 0002: 06 00 00 7fff0000 ret ALLOW 0003: 20 00 00 00000000 ld data.syscall-number 0004: 35 01 00 40000000 jge X32_ABI 0006 (false 0005) 0005: 35 01 00 00000000 jge read 0007 (false 0006) 0006: 06 00 00 00050001 ret ERRNO(1) 0007: 15 3f 00 0000009f jeq adjtimex 0047 (false 0008) 0008: 15 3e 00 00000131 jeq clock_adjtime 0047 (false 0009) 0009: 15 3d 00 000000e3 jeq clock_settime 0047 (false 000a) 000a: 15 3c 00 000000a4 jeq settimeofday 0047 (false 000b) 000b: 15 3b 00 0000009a jeq modify_ldt 0047 (false 000c) 000c: 15 3a 00 000000d4 jeq lookup_dcookie 0047 (false 000d) 000d: 15 39 00 0000012a jeq perf_event_open 0047 (false 000e) 000e: 15 38 00 00000137 jeq process_vm_writev 0047 (false 000f) 000f: 15 37 00 000000b0 jeq delete_module 0047 (false 0010) 0010: 15 36 00 00000139 jeq finit_module 0047 (false 0011) 0011: 15 35 00 000000af jeq init_module 0047 (false 0012) 0012: 15 34 00 0000009c jeq _sysctl 0047 (false 0013) 0013: 15 33 00 000000b7 jeq afs_syscall 0047 (false 0014) 0014: 15 32 00 000000ae jeq create_module 0047 (false 0015) 0015: 15 31 00 000000b1 jeq get_kernel_syms 0047 (false 0016) 0016: 15 30 00 000000b5 jeq getpmsg 0047 (false 0017) 0017: 15 2f 00 000000b6 jeq putpmsg 0047 (false 0018) 0018: 15 2e 00 000000b2 jeq 
query_module 0047 (false 0019) 0019: 15 2d 00 000000b9 jeq security 0047 (false 001a) 001a: 15 2c 00 0000008b jeq sysfs 0047 (false 001b) 001b: 15 2b 00 000000b8 jeq tuxcall 0047 (false 001c) 001c: 15 2a 00 00000086 jeq uselib 0047 (false 001d) 001d: 15 29 00 00000088 jeq ustat 0047 (false 001e) 001e: 15 28 00 000000ec jeq vserver 0047 (false 001f) 001f: 15 27 00 000000ad jeq ioperm 0047 (false 0020) 0020: 15 26 00 000000ac jeq iopl 0047 (false 0021) 0021: 15 25 00 000000f6 jeq kexec_load 0047 (false 0022) 0022: 15 24 00 00000140 jeq kexec_file_load 0047 (false 0023) 0023: 15 23 00 000000a9 jeq reboot 0047 (false 0024) 0024: 15 22 00 000000a7 jeq swapon 0047 (false 0025) 0025: 15 21 00 000000a8 jeq swapoff 0047 (false 0026) 0026: 15 20 00 00000130 jeq open_by_handle_at 0047 (false 0027) 0027: 15 1f 00 0000012f jeq name_to_handle_at 0047 (false 0028) 0028: 15 1e 00 000000fb jeq ioprio_set 0047 (false 0029) 0029: 15 1d 00 00000067 jeq syslog 0047 (false 002a) 002a: 15 1c 00 0000012c jeq fanotify_init 0047 (false 002b) 002b: 15 1b 00 00000138 jeq kcmp 0047 (false 002c) 002c: 15 1a 00 000000f8 jeq add_key 0047 (false 002d) 002d: 15 19 00 000000f9 jeq request_key 0047 (false 002e) 002e: 15 18 00 000000ed jeq mbind 0047 (false 002f) 002f: 15 17 00 00000100 jeq migrate_pages 0047 (false 0030) 0030: 15 16 00 00000117 jeq move_pages 0047 (false 0031) 0031: 15 15 00 000000fa jeq keyctl 0047 (false 0032) 0032: 15 14 00 000000ce jeq io_setup 0047 (false 0033) 0033: 15 13 00 000000cf jeq io_destroy 0047 (false 0034) 0034: 15 12 00 000000d0 jeq io_getevents 0047 (false 0035) 0035: 15 11 00 000000d1 jeq io_submit 0047 (false 0036) 0036: 15 10 00 000000d2 jeq io_cancel 0047 (false 0037) 0037: 15 0f 00 000000d8 jeq remap_file_pages 0047 (false 0038) 0038: 15 0e 00 00000143 jeq userfaultfd 0047 (false 0039) 0039: 15 0d 00 000000a3 jeq acct 0047 (false 003a) 003a: 15 0c 00 00000141 jeq bpf 0047 (false 003b) 003b: 15 0b 00 000000a1 jeq chroot 0047 (false 003c) 003c: 15 0a 00 000000a5 
jeq mount 0047 (false 003d) 003d: 15 09 00 000000b4 jeq nfsservctl 0047 (false 003e) 003e: 15 08 00 0000009b jeq pivot_root 0047 (false 003f) 003f: 15 07 00 000000ab jeq setdomainname 0047 (false 0040) 0040: 15 06 00 000000aa jeq sethostname 0047 (false 0041) 0041: 15 05 00 000000a6 jeq umount2 0047 (false 0042) 0042: 15 04 00 00000099 jeq vhangup 0047 (false 0043) 0043: 15 03 00 00000065 jeq ptrace 0047 (false 0044) 0044: 15 02 00 00000087 jeq personality 0047 (false 0045) 0045: 15 01 00 00000136 jeq process_vm_readv 0047 (false 0046) 0046: 06 00 00 7fff0000 ret ALLOW 0047: 06 00 01 00000000 ret KILL seccomp filter configured Mounting read-only /run/firejail/mnt/seccomp Dropping all capabilities noroot user namespace installed Dropping all capabilities NO_NEW_PRIVS set Drop privileges: pid 1, uid 2000, gid 100, nogroups 0 Warning: cleaning all supplementary groups starting application LD_PRELOAD=(null) Running '/home/harald/js/node/bin/node' 'index.js' command through /bin/zsh execvp argument 0: /bin/zsh execvp argument 1: -c execvp argument 2: '/home/harald/js/node/bin/node' 'index.js' Child process initialized in 64.02 ms Installing /run/firejail/mnt/seccomp/seccomp seccomp filter Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter zsh:1: operation not permitted: /home/harald/js/node/bin/node monitoring pid 10 Sandbox monitor: waitpid 10 retval 10 status 32512 Parent is shutting down, bye... ``` </details>

@reinerh commented on GitHub (Dec 30, 2020):

Is /home/harald/js/node/bin/node the node binary, or a wrapper script?


@haraldkubota commented on GitHub (Dec 31, 2020):

It's the node binary (and node2 is a copy of it):

```
harald@r2s1:~/js/sandbox-test$ ls -la ~/js/node/bin/
total 141328
drwxr-xr-x 2 harald users     4096 Dec 30 22:56 .
drwxr-xr-x 6 harald users     4096 Nov 16 19:33 ..
-rwxr-xr-x 1 harald users 72354664 Nov 16 19:33 node
-rwxr-xr-x 1 harald users 72354664 Nov 16 19:33 node2
lrwxrwxrwx 1 harald users       38 Nov 16 19:33 npm -> ../lib/node_modules/npm/bin/npm-cli.js
lrwxrwxrwx 1 harald users       38 Nov 16 19:33 npx -> ../lib/node_modules/npm/bin/npx-cli.js
```

Digging a bit, I got the line which causes node to fail: when I comment out "#caps.drop all" in /etc/firejail/default.profile, then node works. node2 works too.
When I leave "caps.drop all" which is the sensible default, node fails and node2 still works.

That's (for me) hard to explain since it's not specific to the node binary.
Tested on ARM64 and x86_64: same behavior: "caps.drop all" somehow acts differently on my 2 seemingly identical binaries.


@haraldkubota commented on GitHub (Dec 31, 2020):

**Update:** Also tried the latest release (master from the github repo): compiled with apparmor and selinux support. Tried without apparmor and selinux too. In all cases: same behavior (x86_64 only, ARM64 not tested): "caps.drop all" makes node not work. node2 always works.

**And another test:** After commenting out "#caps.drop all" from /usr/local/etc/firejail/default.profile (self-compiled 0.9.65):

```
❯ firejail --version
firejail version 0.9.65

Compile time support:
        - AppArmor support is enabled
        - AppImage support is enabled
        - chroot support is enabled
        - D-BUS proxy support is enabled
        - file and directory whitelisting support is enabled
        - file transfer support is enabled
        - firetunnel support is enabled
        - networking support is enabled
        - overlayfs support is enabled
        - private-home support is enabled
        - private-cache and tmpfs as user enabled
        - SELinux support is enabled
        - user namespace support is enabled
        - X11 sandboxing support is enabled
❯ firejail --profile=~/.config/firejail/nodejs.profile node
Reading profile /home/harald/.config/firejail/nodejs.profile
Reading profile /usr/local/etc/firejail/whitelist-common.inc
Reading profile /usr/local/etc/firejail/default.profile
Reading profile /usr/local/etc/firejail/disable-common.inc
Reading profile /usr/local/etc/firejail/disable-passwdmgr.inc
Reading profile /usr/local/etc/firejail/disable-programs.inc
Parent pid 230441, child pid 230442
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Child process initialized in 84.37 ms
Welcome to Node.js v14.13.1.
Type ".help" for more information.
>

Parent is shutting down, bye...
❯ firejail --caps.drop=all --profile=~/.config/firejail/nodejs.profile node
Reading profile /home/harald/.config/firejail/nodejs.profile
Reading profile /usr/local/etc/firejail/whitelist-common.inc
Reading profile /usr/local/etc/firejail/default.profile
Reading profile /usr/local/etc/firejail/disable-common.inc
Reading profile /usr/local/etc/firejail/disable-passwdmgr.inc
Reading profile /usr/local/etc/firejail/disable-programs.inc
Parent pid 230467, child pid 230468
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Child process initialized in 89.84 ms
zsh:1: operation not permitted: node

Parent is shutting down, bye...
❯ firejail --caps.drop=all --profile=~/.config/firejail/nodejs.profile node2
Reading profile /home/harald/.config/firejail/nodejs.profile
Reading profile /usr/local/etc/firejail/whitelist-common.inc
Reading profile /usr/local/etc/firejail/default.profile
Reading profile /usr/local/etc/firejail/disable-common.inc
Reading profile /usr/local/etc/firejail/disable-passwdmgr.inc
Reading profile /usr/local/etc/firejail/disable-programs.inc
Parent pid 230482, child pid 230483
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Child process initialized in 76.41 ms
Welcome to Node.js v14.13.1.
Type ".help" for more information.
>

Parent is shutting down, bye...
```

So the caps.drop is the problem.

**Update:** Seems the binary is the problem: When I do:

```
❯ cd ~/js/node/bin
❯ mv node node.original
❯ cp -p node2 node
❯ firejail --caps.drop=all --profile=~/.config/firejail/nodejs.profile node.original
Reading profile /home/harald/.config/firejail/nodejs.profile
Reading profile /usr/local/etc/firejail/whitelist-common.inc
Reading profile /usr/local/etc/firejail/default.profile
Reading profile /usr/local/etc/firejail/disable-common.inc
Reading profile /usr/local/etc/firejail/disable-passwdmgr.inc
Reading profile /usr/local/etc/firejail/disable-programs.inc
Parent pid 230688, child pid 230689
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Child process initialized in 83.24 ms
zsh:1: operation not permitted: node.original

Parent is shutting down, bye...
❯ firejail --caps.drop=all --profile=~/.config/firejail/nodejs.profile node
Reading profile /home/harald/.config/firejail/nodejs.profile
Reading profile /usr/local/etc/firejail/whitelist-common.inc
Reading profile /usr/local/etc/firejail/default.profile
Reading profile /usr/local/etc/firejail/disable-common.inc
Reading profile /usr/local/etc/firejail/disable-passwdmgr.inc
Reading profile /usr/local/etc/firejail/disable-programs.inc
Parent pid 230698, child pid 230699
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Child process initialized in 85.48 ms
Welcome to Node.js v14.13.1.
Type ".help" for more information.
>

Parent is shutting down, bye...
```

Now it works. So it's not the name "node", but something else which is part of the node binary which does not get copied over when creating a copy of it.
And it might be this:

```
root@m75q:/home/harald# getcap ~harald/js/node/bin/*
/home/harald/js/node/bin/node.original = cap_net_bind_service+ep
```

which gets lost when doing a copy. And indeed, when I set this capability to the node2 binary, it stops working once I include the "--caps.drop=all" option.

Is that expected behavior? It's not what I expect. I expected "caps.drop all" to drop all capabilities and not not-executing the program in question.


@reinerh commented on GitHub (Dec 31, 2020):

Ah ok, your node binary has capabilities set, which were not preserved when you copied it (as you already assumed).

But I'm not sure why firejail doesn't want to drop it. That might be a bug.


@haraldkubota commented on GitHub (Dec 31, 2020):

Not sure this helps or not:

```
$ getcap ~/js/node/bin/node
/home/harald/js/node/bin/node = cap_net_raw+eip
$ firejail --noprofile --caps.drop=net_raw node index.js
Parent pid 209922, child pid 209923
Child process initialized
/bin/bash: /home/harald/js/node/bin/node: Operation not permitted

Parent is shutting down, bye...
```

When I do "--caps-keep=net_raw", then node executes.
node2, which has no capabilities, works:

```
$ getcap ~/js/node/bin/node2
harald@r2s1:~/js/sandbox-test$ firejail --noprofile --caps.drop=net_raw node2 index.js
Parent pid 210063, child pid 210065
Child process initialized
[ plenty text ]
Parent is shutting down, bye...
```

I don't know enough (yet) about capabilities and what exactly disables execution of a binary with capabilities set. I have only been using firejail since 18h ago...

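The failures reported in this thread are consistent with the execve(2) rule documented in capabilities(7): when a file carries the effective ("e") flag and the process bounding set masks out any of the file's permitted capabilities, the exec is refused with EPERM. The C model below is an added example, not firejail or kernel code; it assumes `caps.drop`/`caps.keep` act on the bounding set, leaves out ambient capabilities, `nosuid` mounts and `no_new_privs`, and all struct and function names are made up for illustration.

```c
/* Added illustration (not firejail or kernel code): a user-space model of the
 * execve(2) file-capability rule from capabilities(7). All names are made up. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define CAP_MASK(nr)     (UINT64_C(1) << (nr))
#define NET_BIND_SERVICE CAP_MASK(10)   /* CAP_NET_BIND_SERVICE */
#define NET_RAW          CAP_MASK(13)   /* CAP_NET_RAW */
#define ALL_CAPS         (~UINT64_C(0))

/* Thread capability sets; the ambient set is assumed empty. */
struct proc_caps {
    uint64_t bounding, inheritable, permitted, effective;
};

/* File capabilities as getcap prints them: "cap_x+eip" -> p, i and e all set. */
struct file_caps {
    uint64_t permitted;     /* "p" set */
    uint64_t inheritable;   /* "i" set */
    int effective;          /* "e" is one flag for the whole file, not a set */
};

/* Returns 0 and fills *out, or -EPERM when the exec would be refused. */
int model_execve(const struct proc_caps *p, const struct file_caps *f,
                 struct proc_caps *out)
{
    /* P'(permitted) = (P(inheritable) & F(inheritable)) | (F(permitted) & P(bounding)) */
    uint64_t new_permitted = (p->inheritable & f->inheritable) |
                             (f->permitted & p->bounding);

    /* With "e" set the kernel treats the binary as capability-dumb: it must
     * receive every file-permitted capability, otherwise execve fails. */
    if (f->effective && (f->permitted & ~new_permitted))
        return -EPERM;

    out->bounding = p->bounding;
    out->inheritable = p->inheritable;
    out->permitted = new_permitted;
    out->effective = f->effective ? new_permitted : 0;
    return 0;
}

/* Exec a file with capabilities (fp, fi, fe) as an unprivileged user whose
 * bounding set is `bounding` (assumption: caps.drop/caps.keep edit that set). */
int exec_result(uint64_t bounding, uint64_t fp, uint64_t fi, int fe)
{
    struct proc_caps p = { bounding, 0, 0, 0 }, out;
    struct file_caps f = { fp, fi, fe };
    return model_execve(&p, &f, &out);
}

/* Effective set after a successful exec, 0 if it was refused. */
uint64_t exec_effective(uint64_t bounding, uint64_t fp, uint64_t fi, int fe)
{
    struct proc_caps p = { bounding, 0, 0, 0 }, out = { 0, 0, 0, 0 };
    struct file_caps f = { fp, fi, fe };
    return model_execve(&p, &f, &out) == 0 ? out.effective : 0;
}

static void show(const char *what, uint64_t bounding, uint64_t fp, uint64_t fi, int fe)
{
    int rc = exec_result(bounding, fp, fi, fe);
    printf("%-46s -> %s\n", what, rc == 0 ? "runs" : "EPERM (operation not permitted)");
}

int main(void)
{
    /* The four situations from the thread. */
    show("caps.drop=all, cap_net_bind_service+ep", 0, NET_BIND_SERVICE, 0, 1);
    show("caps.drop=all, plain copy without file caps", 0, 0, 0, 0);
    show("caps.drop=net_raw, cap_net_raw+eip", ALL_CAPS & ~NET_RAW, NET_RAW, NET_RAW, 1);
    show("caps.keep=net_raw, cap_net_raw+eip", NET_RAW, NET_RAW, NET_RAW, 1);
    /* Goes beyond the thread: without "e" the exec succeeds, minus the capability. */
    show("caps.drop=all, cap_net_bind_service+p", 0, NET_BIND_SERVICE, 0, 0);
    return 0;
}
```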

@rusty-snake commented on GitHub (Apr 6, 2021):

Any progress here?


@rusty-snake commented on GitHub (Jun 10, 2021):

I'm closing here due to inactivity, please feel free to request to reopen if you still have this issue.

Reference: github-starred/firejail#2427