[GH-ISSUE #3943] Parent is shutting down, bye... AppImage unmounted #2466

Closed
opened 2026-05-05 09:08:51 -06:00 by gitea-mirror · 4 comments

Originally created by @gonzaloamadio on GitHub (Feb 2, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3943

Write clear, concise and in textual form.

Bug and expected behavior

  • Describe the bug.
    I created an app image from a nodejs app, using Electron. And I want to execute it with firejail, but I get the message that parent is shutting down.

  • What did you expect to happen?
    I expect to open it as it opens without Firejail

No profile and disabling firejail

  • What changed calling firejail --noprofile /path/to/program in a terminal?
    Nothing,
  • What changed calling the program by path (check which <program> or firejail --list while the sandbox is running)?
    I can't make it run, so I do not know

Reproduce
Steps to reproduce the behavior:

  1. Run in bash firejail PROGRAM
└──> firejail --appimage ./app.AppImage 
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
** Note: you can use --noprofile to disable default.profile **

Parent pid 372, child pid 377
Dropping all Linux capabilities and enforcing default seccomp filter
Child process initialized in 79.47 ms

Parent is shutting down, bye...
AppImage unmounted

└──> firejail --noprofile --appimage ./app.AppImage 
Parent pid 433, child pid 436
Dropping all Linux capabilities and enforcing default seccomp filter
Child process initialized in 60.34 ms

Parent is shutting down, bye...
AppImage unmounted

Environment

  • Linux distribution and version (ie output of lsb_release -a, screenfetch or cat /etc/os-release)
 No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 18.04.5 LTS
Release:	18.04
Codename:	bionic
  • Firejail version (output of firejail --version) exclusive or used git commit (git rev-parse HEAD)
└──> firejail --version
firejail version 0.9.52

Compile time support:
	- AppArmor support is enabled
	- AppImage support is enabled
	- bind support is enabled
	- chroot support is enabled
	- file and directory whitelisting support is enabled
	- file transfer support is enabled
	- git install support is disabled
	- networking support is enabled
	- overlayfs support is enabled
	- private-home support is enabled
	- seccomp-bpf support is enabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled

Checklist

  • [x] The profile (and redirect profile if exists) hasn't already been fixed upstream (https://github.com/netblue30/firejail/tree/master/etc).
  • [x] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).
  • [x] If it is an AppImage, --profile=PROFILENAME is used to set the right profile.
  • [x] Used LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 PROGRAM to get English error-messages.
  • [x] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.

debug output
└──> firejail --debug --noprofile --appimage ./app.AppImage 
Autoselecting /bin/bash as shell
Configuring appimage environment
AppImage ELF size 188392
appimage mounted on /run/firejail/appimage/.appimage-943
Building AppImage command line: /run/firejail/appimage/.appimage-943/AppRun
AppImage quoted command line: '/run/firejail/appimage/.appimage-943/AppRun' 
Command name #./app.AppImage#
DISPLAY=:0 parsed as 0
Using the local network stack
Parent pid 943, child pid 948
Host network configured
Initializing child process
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp.postexec file
IBUS_ADDRESS=unix:abstract=/tmp/dbus-B6VMFXET,guid=5d7ba5e74842952f41130d456004ee9e
IBUS_DAEMON_PID=10947
Dropping all Linux capabilities and enforcing default seccomp filter
Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr, /etc, /var
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /var/lib/dhcp
Mounting tmpfs on /var/lib/snmp
Mounting tmpfs on /var/lib/sudo
Mounting tmpfs on /var/cache/apache2
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/x11
Remounting /proc and /proc/sys filesystems
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/module
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /sys/kernel/uevent_helper
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/kernel/hotplug
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /lib/modules
Disable /usr/lib/debug
Disable /boot
Disable /dev/port
Disable /run/user/181935182/gnupg
Disable /run/user/181935182/systemd
Disable /dev/kmsg
Disable /proc/kmsg
Disable /sys/fs
Current directory: /home/user/Downloads/appimages
DISPLAY=:0 parsed as 0
Dropping all capabilities
configuring 101 seccomp entries in /run/firejail/mnt/seccomp.32
sbox run: /usr/lib/x86_64-linux-gnu/firejail/fseccomp print /run/firejail/mnt/seccomp.32 (null) 
sbox file descriptors:
total 0
lrwx------ 1 user domain^users 64 Feb  2 16:20 0 -> /dev/null
lrwx------ 1 user domain^users 64 Feb  2 16:20 1 -> /dev/pts/2
lrwx------ 1 user domain^users 64 Feb  2 16:20 2 -> /dev/pts/2
lrwx------ 1 user domain^users 64 Feb  2 16:20 3 -> 'socket:[53626395]'
lr-x------ 1 user domain^users 64 Feb  2 16:20 4 -> /proc/4/fd
Dropping all capabilities
Username user, no supplementary groups
SECCOMP Filter
  VALIDATE_ARCHITECTURE_32
  EXAMINE_SYSCALL
  BLACKLIST 21 access
  BLACKLIST 52 getpeername
  BLACKLIST 26 msync
  BLACKLIST 283 timerfd_create
  BLACKLIST 341 unknown
  BLACKLIST 342 unknown
  BLACKLIST 127 rt_sigpending
  BLACKLIST 128 rt_sigtimedwait
  BLACKLIST 350 unknown
  BLACKLIST 129 rt_sigqueueinfo
  BLACKLIST 110 getppid
  BLACKLIST 101 ptrace
  BLACKLIST 289 signalfd4
  BLACKLIST 87 unlink
  BLACKLIST 115 getgroups
  BLACKLIST 103 syslog
  BLACKLIST 347 unknown
  BLACKLIST 348 unknown
  BLACKLIST 135 personality
  BLACKLIST 149 mlock
  BLACKLIST 124 getsid
  BLACKLIST 343 unknown
  BLACKLIST 253 inotify_init
  BLACKLIST 336 unknown
  BLACKLIST 338 unknown
  BLACKLIST 349 unknown
  BLACKLIST 286 timerfd_settime
  BLACKLIST 287 timerfd_gettime
  BLACKLIST 288 accept4
  BLACKLIST 86 link
  BLACKLIST 51 getsockname
  BLACKLIST 123 setfsgid
  BLACKLIST 217 getdents64
  BLACKLIST 245 mq_getsetattr
  BLACKLIST 246 kexec_load
  BLACKLIST 247 waitid
  BLACKLIST 248 add_key
  BLACKLIST 249 request_key
  BLACKLIST 257 openat
  BLACKLIST 274 get_robust_list
  BLACKLIST 276 tee
  BLACKLIST 294 inotify_init1
  BLACKLIST 317 seccomp
  BLACKLIST 316 renameat2
  BLACKLIST 61 wait4
  BLACKLIST 88 symlink
  BLACKLIST 169 reboot
  BLACKLIST 130 rt_sigsuspend
  RETURN_ALLOW
Dual 32/64 bit seccomp filter configured
configuring 138 seccomp entries in /run/firejail/mnt/seccomp
sbox run: /usr/lib/x86_64-linux-gnu/firejail/fseccomp print /run/firejail/mnt/seccomp (null) 
sbox file descriptors:
total 0
lrwx------ 1 user domain^users 64 Feb  2 16:20 0 -> /dev/null
lrwx------ 1 user domain^users 64 Feb  2 16:20 1 -> /dev/pts/2
lrwx------ 1 user domain^users 64 Feb  2 16:20 2 -> /dev/pts/2
lrwx------ 1 user domain^users 64 Feb  2 16:20 3 -> 'socket:[53622460]'
lr-x------ 1 user domain^users 64 Feb  2 16:20 4 -> /proc/7/fd
Dropping all capabilities
Username user, no supplementary groups
SECCOMP Filter
  VALIDATE_ARCHITECTURE
  EXAMINE_SYSCALL
  HANDLE_X32
  BLACKLIST 154 modify_ldt
  BLACKLIST 212 lookup_dcookie
  BLACKLIST 298 perf_event_open
  BLACKLIST 311 process_vm_writev
  BLACKLIST 156 _sysctl
  BLACKLIST 183 afs_syscall
  BLACKLIST 174 create_module
  BLACKLIST 177 get_kernel_syms
  BLACKLIST 181 getpmsg
  BLACKLIST 182 putpmsg
  BLACKLIST 178 query_module
  BLACKLIST 185 security
  BLACKLIST 139 sysfs
  BLACKLIST 184 tuxcall
  BLACKLIST 134 uselib
  BLACKLIST 136 ustat
  BLACKLIST 236 vserver
  BLACKLIST 159 adjtimex
  BLACKLIST 305 clock_adjtime
  BLACKLIST 227 clock_settime
  BLACKLIST 164 settimeofday
  BLACKLIST 176 delete_module
  BLACKLIST 313 finit_module
  BLACKLIST 175 init_module
  BLACKLIST 173 ioperm
  BLACKLIST 172 iopl
  BLACKLIST 246 kexec_load
  BLACKLIST 320 kexec_file_load
  BLACKLIST 169 reboot
  BLACKLIST 167 swapon
  BLACKLIST 168 swapoff
  BLACKLIST 163 acct
  BLACKLIST 321 bpf
  BLACKLIST 161 chroot
  BLACKLIST 165 mount
  BLACKLIST 180 nfsservctl
  BLACKLIST 155 pivot_root
  BLACKLIST 171 setdomainname
  BLACKLIST 170 sethostname
  BLACKLIST 166 umount2
  BLACKLIST 153 vhangup
  BLACKLIST 238 set_mempolicy
  BLACKLIST 256 migrate_pages
  BLACKLIST 279 move_pages
  BLACKLIST 237 mbind
  BLACKLIST 304 open_by_handle_at
  BLACKLIST 303 name_to_handle_at
  BLACKLIST 251 ioprio_set
  BLACKLIST 103 syslog
  BLACKLIST 300 fanotify_init
  BLACKLIST 312 kcmp
  BLACKLIST 248 add_key
  BLACKLIST 249 request_key
  BLACKLIST 250 keyctl
  BLACKLIST 206 io_setup
  BLACKLIST 207 io_destroy
  BLACKLIST 208 io_getevents
  BLACKLIST 209 io_submit
  BLACKLIST 210 io_cancel
  BLACKLIST 216 remap_file_pages
  BLACKLIST 278 vmsplice
  BLACKLIST 135 personality
  BLACKLIST 323 userfaultfd
  BLACKLIST 101 ptrace
  BLACKLIST 310 process_vm_readv
  RETURN_ALLOW
seccomp filter configured

Seccomp files:
-rw-r--r-- 1 user domain^users 1104 feb  2 16:20 /run/firejail/mnt/seccomp
-rw-r--r-- 1 user domain^users  808 feb  2 16:20 /run/firejail/mnt/seccomp.32
-rw-r--r-- 1 user domain^users  824 feb  2 16:20 /run/firejail/mnt/seccomp.64
-rw-r--r-- 1 user domain^users    0 feb  2 16:20 /run/firejail/mnt/seccomp.postexec
-rw-r--r-- 1 user domain^users    0 feb  2 16:20 /run/firejail/mnt/seccomp.protocol

Username user, no supplementary groups
starting application
LD_PRELOAD=(null)
Running '/run/firejail/appimage/.appimage-943/AppRun'  command through /bin/bash
execvp argument 0: /bin/bash
execvp argument 1: -c
execvp argument 2: '/run/firejail/appimage/.appimage-943/AppRun' 
Child process initialized in 76.62 ms
Installing /run/firejail/mnt/seccomp seccomp filter
Installing /run/firejail/mnt/seccomp.32 seccomp filter
monitoring pid 10

Sandbox monitor: waitpid 10 retval 10 status 133
Sandbox monitor: monitoring 13
monitoring pid 13

Sandbox monitor: waitpid 13 retval 13 status 0
Sandbox monitor: monitoring 14
monitoring pid 14

Sandbox monitor: waitpid 14 retval 14 status 31

Parent is shutting down, bye...
AppImage unmounted
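
The `Sandbox monitor: waitpid ... status N` lines in the debug output above can be decoded to see how each monitored process ended. This is an added example, not part of the original issue or of firejail's code; it assumes the `status` field is the raw value filled in by waitpid(2) and uses Linux x86-64 signal numbers.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample: the monitor lines copied from the --debug output above.
SAMPLE_LOG = """\
monitoring pid 10
Sandbox monitor: waitpid 10 retval 10 status 133
Sandbox monitor: monitoring 13
monitoring pid 13
Sandbox monitor: waitpid 13 retval 13 status 0
Sandbox monitor: monitoring 14
monitoring pid 14
Sandbox monitor: waitpid 14 retval 14 status 31
Parent is shutting down, bye...
"""

MONITOR_RE = re.compile(
    r"^Sandbox monitor: waitpid (\d+) retval (-?\d+) status (-?\d+)$"
)

# Linux x86-64 signal numbers for the signals most often seen when a
# sandboxed program dies; anything else is reported by number.
LINUX_SIGNALS = {
    4: "SIGILL", 5: "SIGTRAP", 6: "SIGABRT", 9: "SIGKILL",
    11: "SIGSEGV", 15: "SIGTERM", 31: "SIGSYS",
}


class WaitResult(NamedTuple):
    kind: str                 # "exited", "signaled" or "stopped"
    exit_code: Optional[int]  # set when kind == "exited"
    signal: Optional[int]     # set when kind is "signaled" or "stopped"
    core_dumped: bool


def decode_wait_status(status: int) -> WaitResult:
    """Decode a raw Linux wait status the way WIFEXITED/WIFSIGNALED do."""
    low7 = status & 0x7F
    if low7 == 0:                      # normal exit, code in bits 8-15
        return WaitResult("exited", (status >> 8) & 0xFF, None, False)
    if (status & 0xFF) == 0x7F:        # stopped, stop signal in bits 8-15
        return WaitResult("stopped", None, (status >> 8) & 0xFF, False)
    # terminated by a signal; bit 0x80 is the core-dump flag
    return WaitResult("signaled", None, low7, bool(status & 0x80))


def triage(log: str) -> List[Tuple[int, int, str]]:
    """Return (pid, raw_status, description) for every monitor waitpid line.

    PIDs are the ones firejail prints, i.e. inside the sandbox PID namespace.
    """
    findings = []
    for line in log.splitlines():
        m = MONITOR_RE.match(line.strip())
        if not m:
            continue
        pid, status = int(m.group(1)), int(m.group(3))
        res = decode_wait_status(status)
        if res.kind == "exited":
            note = f"exited with code {res.exit_code}"
        elif res.kind == "signaled":
            name = LINUX_SIGNALS.get(res.signal, f"signal {res.signal}")
            note = f"killed by {name}"
            if res.core_dumped:
                note += " (core dumped)"
            if name == "SIGSYS":
                # SIGSYS is what a killing seccomp filter delivers.
                note += "; consistent with a seccomp filter kill"
        else:
            note = f"stopped by signal {res.signal}"
        findings.append((pid, status, note))
    return findings


if __name__ == "__main__":
    for pid, status, note in triage(SAMPLE_LOG):
        print(f"pid {pid}: status {status} -> {note}")
```

A SIGSYS result only says that some filtered syscall was attempted; identifying which one needs the kernel audit log or a trace of the process.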


@rusty-snake commented on GitHub (Feb 2, 2021):

> firejail version 0.9.52

There were a lot of AI-related fixes/changes since 0.9.52; can you try with a newer version (e.g. 0.9.64.2)?


@gonzaloamadio commented on GitHub (Feb 3, 2021):

Indeed... I had to remove the old firejail and install the new one, and then it worked =)


└──> sudo dpkg --purge firejail-profiles
(Reading database ... 275559 files and directories currently installed.)
Removing firejail-profiles (0.9.52-2) ...
Purging configuration files for firejail-profiles (0.9.52-2) ...

└──> sudo dpkg --purge firejail
(Reading database ... 275130 files and directories currently installed.)
Removing firejail (0.9.52-2) ...
Purging configuration files for firejail (0.9.52-2) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...

└──> sudo dpkg -i firejail_0.9.64.2_1_amd64.deb
Selecting previously unselected package firejail.
(Reading database ... 275071 files and directories currently installed.)
Preparing to unpack firejail_0.9.64.2_1_amd64.deb ...
Unpacking firejail (0.9.64.2-1) ...
Setting up firejail (0.9.64.2-1) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...

└──> firejail  --noprofile --appimage ./app.AppImage 

Now I should make a good profile for it


@gonzaloamadio commented on GitHub (Feb 3, 2021):

If I run it with the default profile, should it work? Because it does not:

└──> firejail  --appimage ./app.AppImage 
Mounting appimage type 2
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc

** Note: you can use --noprofile to disable default.profile **

Parent pid 18726, child pid 18731

**     Warning: dropping all Linux capabilities     **

Child process initialized in 135.32 ms

Parent is shutting down, bye...
AppImage unmounted


@rusty-snake commented on GitHub (Feb 3, 2021):

The default.profile (used if no matching profile is found) has a balance between compatibility (weak and insecure) and security (more broken programs). It may work (partially) for a program or completely break it.


If you run chromium based software in firejail and don't pass --no-sandbox to it (chromium), remember to allow the chroot syscall and, if the kernel of the system where you do this has no support for unprivileged userns clone or it is disabled, you cannot set the NO_NEW_PRIVS prctl (nonewprivs), you need to drop all seccomp filters (seccomp*, protocol, mdwe) and keep the userns (noroot) and the CAP_SYS_ADMIN and CAP_SYS_CHROOT capabilities (caps*).

If you want to write a profile for it, start with the profile.template (https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template) and have a look at other electron profiles (grep -lE "^include electron.profile$" /etc/firejail/*.profile).
