[GH-ISSUE #4147] Thunderbird in non-default location won't start #2552

Closed
opened 2026-05-05 09:13:40 -06:00 by gitea-mirror · 14 comments

Originally created by @nolanl on GitHub (Mar 30, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4147

Firejail 0.9.64.4 on Debian Bullseye x86_64

I have thunderbird installed into ${HOME}/bin/upstream/thunderbird with a symlink ${HOME}/bin/thunderbird

When I try to run it under firejail, I get:

```
$ firejail ${HOME}/bin/thunderbird
Reading profile /etc/firejail/thunderbird.profile
Reading profile /home/nolan/.config/firejail/thunderbird.local
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 3024247, child pid 3024248
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Child process initialized in 106.13 ms
Error: no suitable /home/nolan/bin/thunderbird executable found

Parent is shutting down, bye...
```

Running with --noprofile works normally.

I found #2812 and created a ${HOME}/.config/firejail/thunderbird.local containing:

```
ignore noexec ${HOME}
whitelist ${HOME}/bin/upstream/thunderbird
```

but that didn't work, and didn't change the output.

Thinking that perhaps the symlink was confusing it (and was a difference in my setup compared to #2812), I tried skipping the symlink and running the executable directly:

```
$ firejail ${HOME}/bin/upstream/thunderbird/thunderbird
Reading profile /etc/firejail/thunderbird.profile
Reading profile /home/nolan/.config/firejail/thunderbird.local
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 3025815, child pid 3025816
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Child process initialized in 104.94 ms
Exec failed with error: Permission denied

Parent is shutting down, bye...
```

So the error has changed to permission denied, which is progress of sorts.


@rusty-snake commented on GitHub (Mar 30, 2021):

> I found #2812 and created a ${HOME}/.config/firejail/thunderbird.local containing:
>
> ```
> ignore noexec ${HOME}
> whitelist ${HOME}/bin/upstream/thunderbird
> ```

This is already moving in the right direction. But if you want to start `${HOME}/bin/thunderbird`, you need to whitelist this instead (the symlink is followed IIRC; but it's impossible to follow it backward).

And there's a second barrier ...

> Exec failed with error: Permission denied

If this file is owned by you and not something crazy like FUSE, this sounds like blacklisting. Does `firejail --debug ${HOME}/bin/upstream/thunderbird/thunderbird | grep bin` show anything related? Does `firejail --profile=thunderbird ls -l ~/bin/upstream/thunderbird/thunderbird` look normal?


@nolanl commented on GitHub (Mar 30, 2021):

> > I found #2812 and created a ${HOME}/.config/firejail/thunderbird.local containing:
> >
> > ```
> > ignore noexec ${HOME}
> > whitelist ${HOME}/bin/upstream/thunderbird
> > ```
>
> This is already moving in the right direction. But if you want to start `${HOME}/bin/thunderbird`, you need to whitelist this instead (the symlink is followed IIRC; but it's impossible to follow it backward).

Adding the symlink to the whitelist and running `$ firejail ${HOME}/thunderbird` still results in "Error: no suitable /home/nolan/thunderbird executable found".

> If this file is owned by you and not a something crazy like FUSE, this sounds like blacklisting. Does `firejail --debug ${HOME}/bin/upstream/thunderbird/thunderbird | grep bin` shows anything related? Does `firejail --profile=thunderbird ls -l ~/bin/upstream/thunderbird/thunderbird` look normal?

No FUSE, the fs is btrfs, not sure if that qualifies as crazy or not.

Nothing jumps out at me in the debug log:

$ firejail --debug ${HOME}/bin/upstream/thunderbird/thunderbird 2>&1 | grep bin
Autoselecting /bin/bash as shell
Building quoted command line: '/home/nolan/bin/upstream/thunderbird/thunderbird'
Debug 456: new_name #/home/nolan/bin/thunderbird#, whitelist
Debug 571: fname #/home/nolan/bin/upstream/thunderbird/thunderbird#, cfg.homedir #/home/nolan#
Debug 456: new_name #/home/nolan/bin/upstream/thunderbird#, whitelist
Debug 571: fname #/home/nolan/bin/upstream/thunderbird#, cfg.homedir #/home/nolan#
Disable /proc/sys/fs/binfmt_misc
Replaced whitelist path: whitelist /home/nolan/bin/upstream/thunderbird/thunderbird
Replaced whitelist path: whitelist /home/nolan/bin/upstream/thunderbird
Debug 456: new_name #/home/nolan/.alsaequal.bin#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.alsaequal.bin
	expanded: /home/nolan/.alsaequal.bin
Whitelisting /home/nolan/bin/upstream/thunderbird/thunderbird
1303 1302 0:25 /home/nolan/bin/upstream/thunderbird/thunderbird /home/nolan/bin/upstream/thunderbird/thunderbird rw,relatime master:1 - btrfs /dev/mapper/md1_crypt rw,ssd,space_cache,subvolid=5,subvol=/
mountid=1303 fsname=/home/nolan/bin/upstream/thunderbird/thunderbird dir=/home/nolan/bin/upstream/thunderbird/thunderbird fstype=btrfs
Created symbolic link /home/nolan/bin/thunderbird -> /home/nolan/bin/upstream/thunderbird/thunderbird
Whitelisting /home/nolan/bin/upstream/thunderbird
1304 1302 0:25 /home/nolan/bin/upstream/thunderbird /home/nolan/bin/upstream/thunderbird rw,relatime master:1 - btrfs /dev/mapper/md1_crypt rw,ssd,space_cache,subvolid=5,subvol=/
mountid=1304 fsname=/home/nolan/bin/upstream/thunderbird dir=/home/nolan/bin/upstream/thunderbird fstype=btrfs
Disable /usr/bin/systemd-run
Disable /usr/bin/systemd-run (requested /bin/systemd-run)
Mounting read-only /home/nolan/bin
1546 1544 0:25 /home/nolan/bin/upstream/thunderbird /home/nolan/bin/upstream/thunderbird rw,relatime master:1 - btrfs /dev/mapper/md1_crypt rw,ssd,space_cache,subvolid=5,subvol=/
mountid=1546 fsname=/home/nolan/bin/upstream/thunderbird dir=/home/nolan/bin/upstream/thunderbird fstype=btrfs
Mounting read-only /home/nolan/bin/upstream/thunderbird/thunderbird
1547 1546 0:25 /home/nolan/bin/upstream/thunderbird/thunderbird /home/nolan/bin/upstream/thunderbird/thunderbird ro,relatime master:1 - btrfs /dev/mapper/md1_crypt rw,ssd,space_cache,subvolid=5,subvol=/
mountid=1547 fsname=/home/nolan/bin/upstream/thunderbird/thunderbird dir=/home/nolan/bin/upstream/thunderbird/thunderbird fstype=btrfs
Mounting read-only /home/nolan/bin/upstream/thunderbird
1557 1548 0:25 /home/nolan/bin/upstream/thunderbird/thunderbird /home/nolan/bin/upstream/thunderbird/thunderbird ro,relatime master:1 - btrfs /dev/mapper/md1_crypt rw,ssd,space_cache,subvolid=5,subvol=/
mountid=1557 fsname=/home/nolan/bin/upstream/thunderbird/thunderbird dir=/home/nolan/bin/upstream/thunderbird/thunderbird fstype=btrfs
Disable /usr/sbin (requested /sbin)
Disable /usr/local/sbin
Disable /usr/sbin
Disable /usr/bin/at
Disable /usr/bin/at (requested /bin/at)
Disable /usr/bin/busybox
Disable /usr/bin/busybox (requested /bin/busybox)
Disable /usr/bin/chage
Disable /usr/bin/chage (requested /bin/chage)
Disable /usr/bin/chfn
Disable /usr/bin/chfn (requested /bin/chfn)
Disable /usr/bin/chsh
Disable /usr/bin/chsh (requested /bin/chsh)
Disable /usr/bin/crontab
Disable /usr/bin/crontab (requested /bin/crontab)
Disable /usr/bin/expiry
Disable /usr/bin/expiry (requested /bin/expiry)
Disable /usr/bin/fusermount3 (requested /usr/bin/fusermount)
Disable /usr/bin/fusermount3 (requested /bin/fusermount)
Disable /usr/bin/gpasswd
Disable /usr/bin/gpasswd (requested /bin/gpasswd)
Disable /usr/bin/mount
Disable /usr/bin/mount (requested /bin/mount)
Disable /usr/bin/nc.openbsd (requested /usr/bin/nc)
Disable /usr/bin/nc.openbsd (requested /bin/nc)
Disable /usr/bin/newgidmap
Disable /usr/bin/newgidmap (requested /bin/newgidmap)
Disable /usr/bin/newgrp
Disable /usr/bin/newgrp (requested /bin/newgrp)
Disable /usr/bin/newuidmap
Disable /usr/bin/newuidmap (requested /bin/newuidmap)
Disable /usr/bin/ntfs-3g
Disable /usr/bin/ntfs-3g (requested /bin/ntfs-3g)
Disable /usr/bin/pkexec
Disable /usr/bin/pkexec (requested /bin/pkexec)
Disable /usr/bin/newgrp (requested /usr/bin/sg)
Disable /usr/bin/newgrp (requested /bin/sg)
Disable /usr/bin/strace
Disable /usr/bin/strace (requested /bin/strace)
Disable /usr/bin/su
Disable /usr/bin/su (requested /bin/su)
Disable /usr/bin/sudo
Disable /usr/bin/sudo (requested /bin/sudo)
Disable /usr/bin/umount
Disable /usr/bin/umount (requested /bin/umount)
Disable /usr/bin/xev
Disable /usr/bin/xev (requested /bin/xev)
Disable /usr/bin/xinput
Disable /usr/bin/xinput (requested /bin/xinput)
Disable /usr/bin/bwrap
Disable /usr/bin/bwrap (requested /bin/bwrap)
Disable /usr/bin/dig
Disable /usr/bin/dig (requested /bin/dig)
Disable /usr/bin/host
Disable /usr/bin/host (requested /bin/host)
Disable /usr/bin/nslookup
Disable /usr/bin/nslookup (requested /bin/nslookup)
Disable /usr/bin/resolvectl
Disable /usr/bin/resolvectl (requested /bin/resolvectl)
Disable /usr/bin/x86_64-linux-gnu-as (requested /usr/bin/as)
Disable /usr/bin/x86_64-linux-gnu-as (requested /bin/as)
Disable /usr/bin/x86_64-linux-gnu-gcc-10 (requested /usr/bin/cc)
Disable /usr/bin/x86_64-linux-gnu-gcc-10 (requested /bin/cc)
Disable /usr/bin/x86_64-linux-gnu-g++-10 (requested /usr/bin/c++)
Disable /usr/bin/x86_64-linux-gnu-c++filt (requested /usr/bin/c++filt)
Disable /usr/bin/x86_64-linux-gnu-g++-10 (requested /bin/c++)
Disable /usr/bin/x86_64-linux-gnu-c++filt (requested /bin/c++filt)
Disable /usr/bin/c89-gcc (requested /usr/bin/c89)
Disable /usr/bin/c89-gcc
Disable /usr/bin/c89-gcc (requested /bin/c89)
Disable /usr/bin/c89-gcc (requested /bin/c89-gcc)
Disable /usr/bin/c99-gcc (requested /usr/bin/c99)
Disable /usr/bin/c99-gcc
Disable /usr/bin/c99-gcc (requested /bin/c99)
Disable /usr/bin/c99-gcc (requested /bin/c99-gcc)
Disable /usr/bin/x86_64-linux-gnu-cpp-10 (requested /usr/bin/cpp-10)
Disable /usr/bin/x86_64-linux-gnu-cpp-10 (requested /usr/bin/cpp)
Disable /usr/bin/x86_64-linux-gnu-cpp-10 (requested /bin/cpp-10)
Disable /usr/bin/x86_64-linux-gnu-cpp-10 (requested /bin/cpp)
Disable /usr/bin/x86_64-linux-gnu-g++-10 (requested /usr/bin/g++)
Disable /usr/bin/x86_64-linux-gnu-g++-10 (requested /usr/bin/g++-10)
Disable /usr/bin/x86_64-linux-gnu-g++-10 (requested /bin/g++)
Disable /usr/bin/x86_64-linux-gnu-g++-10 (requested /bin/g++-10)
Disable /usr/bin/x86_64-linux-gnu-gcc-10 (requested /usr/bin/gcc-10)
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-10 (requested /usr/bin/gcc-ar-10)
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-10 (requested /usr/bin/gcc-nm-10)
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-10 (requested /usr/bin/gcc-ranlib-10)
Disable /usr/bin/x86_64-linux-gnu-gcc-10 (requested /usr/bin/gcc)
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-10 (requested /usr/bin/gcc-ar)
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-10 (requested /usr/bin/gcc-nm)
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-10 (requested /usr/bin/gcc-ranlib)
Disable /usr/bin/x86_64-linux-gnu-gcc-10 (requested /bin/gcc-10)
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-10 (requested /bin/gcc-ar-10)
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-10 (requested /bin/gcc-nm-10)
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-10 (requested /bin/gcc-ranlib-10)
Disable /usr/bin/x86_64-linux-gnu-gcc-10 (requested /bin/gcc)
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-10 (requested /bin/gcc-ar)
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-10 (requested /bin/gcc-nm)
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-10 (requested /bin/gcc-ranlib)
Disable /usr/bin/gdb
Disable /usr/bin/gdb (requested /bin/gdb)
Disable /usr/bin/x86_64-linux-gnu-ld.bfd (requested /usr/bin/ld)
Disable /usr/bin/x86_64-linux-gnu-ld.bfd (requested /bin/ld)
Disable /usr/bin/x86_64-linux-gnu-gcc-10
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-10
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-10
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-10
Disable /usr/bin/c89-gcc
Disable /usr/bin/c99-gcc
Disable /usr/bin/x86_64-linux-gnu-gcc-10 (requested /usr/bin/x86_64-linux-gnu-gcc)
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-10 (requested /usr/bin/x86_64-linux-gnu-gcc-ar)
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-10 (requested /usr/bin/x86_64-linux-gnu-gcc-nm)
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-10 (requested /usr/bin/x86_64-linux-gnu-gcc-ranlib)
Disable /usr/bin/aarch64-linux-gnu-gcc-10
Disable /usr/bin/aarch64-linux-gnu-gcc-ar-10
Disable /usr/bin/aarch64-linux-gnu-gcc-nm-10
Disable /usr/bin/aarch64-linux-gnu-gcc-ranlib-10
Disable /usr/bin/aarch64-linux-gnu-gcc-10 (requested /usr/bin/aarch64-linux-gnu-gcc)
Disable /usr/bin/aarch64-linux-gnu-gcc-ar-10 (requested /usr/bin/aarch64-linux-gnu-gcc-ar)
Disable /usr/bin/aarch64-linux-gnu-gcc-nm-10 (requested /usr/bin/aarch64-linux-gnu-gcc-nm)
Disable /usr/bin/aarch64-linux-gnu-gcc-ranlib-10 (requested /usr/bin/aarch64-linux-gnu-gcc-ranlib)
Disable /usr/bin/arm-linux-gnueabihf-gcc-10
Disable /usr/bin/arm-linux-gnueabihf-gcc-ar-10
Disable /usr/bin/arm-linux-gnueabihf-gcc-nm-10
Disable /usr/bin/arm-linux-gnueabihf-gcc-ranlib-10
Disable /usr/bin/arm-linux-gnueabihf-gcc-10 (requested /usr/bin/arm-linux-gnueabihf-gcc)
Disable /usr/bin/arm-linux-gnueabihf-gcc-ar-10 (requested /usr/bin/arm-linux-gnueabihf-gcc-ar)
Disable /usr/bin/arm-linux-gnueabihf-gcc-nm-10 (requested /usr/bin/arm-linux-gnueabihf-gcc-nm)
Disable /usr/bin/arm-linux-gnueabihf-gcc-ranlib-10 (requested /usr/bin/arm-linux-gnueabihf-gcc-ranlib)
Disable /usr/bin/x86_64-linux-gnu-gcc-10 (requested /bin/x86_64-linux-gnu-gcc-10)
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-10 (requested /bin/x86_64-linux-gnu-gcc-ar-10)
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-10 (requested /bin/x86_64-linux-gnu-gcc-nm-10)
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-10 (requested /bin/x86_64-linux-gnu-gcc-ranlib-10)
Disable /usr/bin/c89-gcc (requested /bin/c89-gcc)
Disable /usr/bin/c99-gcc (requested /bin/c99-gcc)
Disable /usr/bin/x86_64-linux-gnu-gcc-10 (requested /bin/x86_64-linux-gnu-gcc)
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-10 (requested /bin/x86_64-linux-gnu-gcc-ar)
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-10 (requested /bin/x86_64-linux-gnu-gcc-nm)
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-10 (requested /bin/x86_64-linux-gnu-gcc-ranlib)
Disable /usr/bin/aarch64-linux-gnu-gcc-10 (requested /bin/aarch64-linux-gnu-gcc-10)
Disable /usr/bin/aarch64-linux-gnu-gcc-ar-10 (requested /bin/aarch64-linux-gnu-gcc-ar-10)
Disable /usr/bin/aarch64-linux-gnu-gcc-nm-10 (requested /bin/aarch64-linux-gnu-gcc-nm-10)
Disable /usr/bin/aarch64-linux-gnu-gcc-ranlib-10 (requested /bin/aarch64-linux-gnu-gcc-ranlib-10)
Disable /usr/bin/aarch64-linux-gnu-gcc-10 (requested /bin/aarch64-linux-gnu-gcc)
Disable /usr/bin/aarch64-linux-gnu-gcc-ar-10 (requested /bin/aarch64-linux-gnu-gcc-ar)
Disable /usr/bin/aarch64-linux-gnu-gcc-nm-10 (requested /bin/aarch64-linux-gnu-gcc-nm)
Disable /usr/bin/aarch64-linux-gnu-gcc-ranlib-10 (requested /bin/aarch64-linux-gnu-gcc-ranlib)
Disable /usr/bin/arm-linux-gnueabihf-gcc-10 (requested /bin/arm-linux-gnueabihf-gcc-10)
Disable /usr/bin/arm-linux-gnueabihf-gcc-ar-10 (requested /bin/arm-linux-gnueabihf-gcc-ar-10)
Disable /usr/bin/arm-linux-gnueabihf-gcc-nm-10 (requested /bin/arm-linux-gnueabihf-gcc-nm-10)
Disable /usr/bin/arm-linux-gnueabihf-gcc-ranlib-10 (requested /bin/arm-linux-gnueabihf-gcc-ranlib-10)
Disable /usr/bin/arm-linux-gnueabihf-gcc-10 (requested /bin/arm-linux-gnueabihf-gcc)
Disable /usr/bin/arm-linux-gnueabihf-gcc-ar-10 (requested /bin/arm-linux-gnueabihf-gcc-ar)
Disable /usr/bin/arm-linux-gnueabihf-gcc-nm-10 (requested /bin/arm-linux-gnueabihf-gcc-nm)
Disable /usr/bin/arm-linux-gnueabihf-gcc-ranlib-10 (requested /bin/arm-linux-gnueabihf-gcc-ranlib)
Disable /usr/bin/x86_64-linux-gnu-g++-10 (requested /usr/bin/x86_64-linux-gnu-g++)
Disable /usr/bin/x86_64-linux-gnu-g++-10
Disable /usr/bin/aarch64-linux-gnu-g++-10 (requested /usr/bin/aarch64-linux-gnu-g++)
Disable /usr/bin/aarch64-linux-gnu-g++-10
Disable /usr/bin/arm-linux-gnueabihf-g++-10 (requested /usr/bin/arm-linux-gnueabihf-g++)
Disable /usr/bin/arm-linux-gnueabihf-g++-10
Disable /usr/bin/x86_64-linux-gnu-g++-10 (requested /bin/x86_64-linux-gnu-g++)
Disable /usr/bin/x86_64-linux-gnu-g++-10 (requested /bin/x86_64-linux-gnu-g++-10)
Disable /usr/bin/aarch64-linux-gnu-g++-10 (requested /bin/aarch64-linux-gnu-g++)
Disable /usr/bin/aarch64-linux-gnu-g++-10 (requested /bin/aarch64-linux-gnu-g++-10)
Disable /usr/bin/arm-linux-gnueabihf-g++-10 (requested /bin/arm-linux-gnueabihf-g++)
Disable /usr/bin/arm-linux-gnueabihf-g++-10 (requested /bin/arm-linux-gnueabihf-g++-10)
Disable /usr/bin/x86_64-linux-gnu-gcc-10
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-10
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-10
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-10
Disable /usr/bin/c89-gcc
Disable /usr/bin/c99-gcc
Disable /usr/bin/x86_64-linux-gnu-gcc-10 (requested /usr/bin/x86_64-linux-gnu-gcc)
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-10 (requested /usr/bin/x86_64-linux-gnu-gcc-ar)
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-10 (requested /usr/bin/x86_64-linux-gnu-gcc-nm)
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-10 (requested /usr/bin/x86_64-linux-gnu-gcc-ranlib)
Disable /usr/bin/aarch64-linux-gnu-gcc-10
Disable /usr/bin/aarch64-linux-gnu-gcc-ar-10
Disable /usr/bin/aarch64-linux-gnu-gcc-nm-10
Disable /usr/bin/aarch64-linux-gnu-gcc-ranlib-10
Disable /usr/bin/aarch64-linux-gnu-gcc-10 (requested /usr/bin/aarch64-linux-gnu-gcc)
Disable /usr/bin/aarch64-linux-gnu-gcc-ar-10 (requested /usr/bin/aarch64-linux-gnu-gcc-ar)
Disable /usr/bin/aarch64-linux-gnu-gcc-nm-10 (requested /usr/bin/aarch64-linux-gnu-gcc-nm)
Disable /usr/bin/aarch64-linux-gnu-gcc-ranlib-10 (requested /usr/bin/aarch64-linux-gnu-gcc-ranlib)
Disable /usr/bin/arm-linux-gnueabihf-gcc-10
Disable /usr/bin/arm-linux-gnueabihf-gcc-ar-10
Disable /usr/bin/arm-linux-gnueabihf-gcc-nm-10
Disable /usr/bin/arm-linux-gnueabihf-gcc-ranlib-10
Disable /usr/bin/arm-linux-gnueabihf-gcc-10 (requested /usr/bin/arm-linux-gnueabihf-gcc)
Disable /usr/bin/arm-linux-gnueabihf-gcc-ar-10 (requested /usr/bin/arm-linux-gnueabihf-gcc-ar)
Disable /usr/bin/arm-linux-gnueabihf-gcc-nm-10 (requested /usr/bin/arm-linux-gnueabihf-gcc-nm)
Disable /usr/bin/arm-linux-gnueabihf-gcc-ranlib-10 (requested /usr/bin/arm-linux-gnueabihf-gcc-ranlib)
Disable /usr/bin/x86_64-linux-gnu-gcc-10 (requested /bin/x86_64-linux-gnu-gcc-10)
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-10 (requested /bin/x86_64-linux-gnu-gcc-ar-10)
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-10 (requested /bin/x86_64-linux-gnu-gcc-nm-10)
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-10 (requested /bin/x86_64-linux-gnu-gcc-ranlib-10)
Disable /usr/bin/c89-gcc (requested /bin/c89-gcc)
Disable /usr/bin/c99-gcc (requested /bin/c99-gcc)
Disable /usr/bin/x86_64-linux-gnu-gcc-10 (requested /bin/x86_64-linux-gnu-gcc)
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-10 (requested /bin/x86_64-linux-gnu-gcc-ar)
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-10 (requested /bin/x86_64-linux-gnu-gcc-nm)
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-10 (requested /bin/x86_64-linux-gnu-gcc-ranlib)
Disable /usr/bin/aarch64-linux-gnu-gcc-10 (requested /bin/aarch64-linux-gnu-gcc-10)
Disable /usr/bin/aarch64-linux-gnu-gcc-ar-10 (requested /bin/aarch64-linux-gnu-gcc-ar-10)
Disable /usr/bin/aarch64-linux-gnu-gcc-nm-10 (requested /bin/aarch64-linux-gnu-gcc-nm-10)
Disable /usr/bin/aarch64-linux-gnu-gcc-ranlib-10 (requested /bin/aarch64-linux-gnu-gcc-ranlib-10)
Disable /usr/bin/aarch64-linux-gnu-gcc-10 (requested /bin/aarch64-linux-gnu-gcc)
Disable /usr/bin/aarch64-linux-gnu-gcc-ar-10 (requested /bin/aarch64-linux-gnu-gcc-ar)
Disable /usr/bin/aarch64-linux-gnu-gcc-nm-10 (requested /bin/aarch64-linux-gnu-gcc-nm)
Disable /usr/bin/aarch64-linux-gnu-gcc-ranlib-10 (requested /bin/aarch64-linux-gnu-gcc-ranlib)
Disable /usr/bin/arm-linux-gnueabihf-gcc-10 (requested /bin/arm-linux-gnueabihf-gcc-10)
Disable /usr/bin/arm-linux-gnueabihf-gcc-ar-10 (requested /bin/arm-linux-gnueabihf-gcc-ar-10)
Disable /usr/bin/arm-linux-gnueabihf-gcc-nm-10 (requested /bin/arm-linux-gnueabihf-gcc-nm-10)
Disable /usr/bin/arm-linux-gnueabihf-gcc-ranlib-10 (requested /bin/arm-linux-gnueabihf-gcc-ranlib-10)
Disable /usr/bin/arm-linux-gnueabihf-gcc-10 (requested /bin/arm-linux-gnueabihf-gcc)
Disable /usr/bin/arm-linux-gnueabihf-gcc-ar-10 (requested /bin/arm-linux-gnueabihf-gcc-ar)
Disable /usr/bin/arm-linux-gnueabihf-gcc-nm-10 (requested /bin/arm-linux-gnueabihf-gcc-nm)
Disable /usr/bin/arm-linux-gnueabihf-gcc-ranlib-10 (requested /bin/arm-linux-gnueabihf-gcc-ranlib)
Disable /usr/bin/x86_64-linux-gnu-g++-10 (requested /usr/bin/x86_64-linux-gnu-g++)
Disable /usr/bin/x86_64-linux-gnu-g++-10
Disable /usr/bin/aarch64-linux-gnu-g++-10 (requested /usr/bin/aarch64-linux-gnu-g++)
Disable /usr/bin/aarch64-linux-gnu-g++-10
Disable /usr/bin/arm-linux-gnueabihf-g++-10 (requested /usr/bin/arm-linux-gnueabihf-g++)
Disable /usr/bin/arm-linux-gnueabihf-g++-10
Disable /usr/bin/x86_64-linux-gnu-g++-10 (requested /bin/x86_64-linux-gnu-g++)
Disable /usr/bin/x86_64-linux-gnu-g++-10 (requested /bin/x86_64-linux-gnu-g++-10)
Disable /usr/bin/aarch64-linux-gnu-g++-10 (requested /bin/aarch64-linux-gnu-g++)
Disable /usr/bin/aarch64-linux-gnu-g++-10 (requested /bin/aarch64-linux-gnu-g++-10)
Disable /usr/bin/arm-linux-gnueabihf-g++-10 (requested /bin/arm-linux-gnueabihf-g++)
Disable /usr/bin/arm-linux-gnueabihf-g++-10 (requested /bin/arm-linux-gnueabihf-g++-10)
Disable /usr/bin/openssl
Disable /usr/bin/openssl (requested /bin/openssl)
Disable /usr/bin/valgrind
Disable /usr/bin/valgrind-di-server
Disable /usr/bin/valgrind-listener
Disable /usr/bin/valgrind.bin
Disable /usr/bin/valgrind (requested /bin/valgrind)
Disable /usr/bin/valgrind-di-server (requested /bin/valgrind-di-server)
Disable /usr/bin/valgrind-listener (requested /bin/valgrind-listener)
Disable /usr/bin/valgrind.bin (requested /bin/valgrind.bin)
Disable /usr/share/texlive/texmf-dist/scripts/luaotfload/luaotfload-tool.lua (requested /usr/bin/luaotfload-tool)
Disable /usr/bin/luahbtex (requested /usr/bin/lualatex)
Disable /usr/bin/luahbtex
Disable /usr/bin/luajithbtex
Disable /usr/bin/luajittex
Disable /usr/bin/luatex
Disable /usr/bin/luahbtex (requested /usr/bin/lualatex-dev)
Disable /usr/share/texlive/texmf-dist/scripts/luaotfload/luaotfload-tool.lua (requested /bin/luaotfload-tool)
Disable /usr/bin/luahbtex (requested /bin/lualatex)
Disable /usr/bin/luahbtex (requested /bin/luahbtex)
Disable /usr/bin/luajithbtex (requested /bin/luajithbtex)
Disable /usr/bin/luajittex (requested /bin/luajittex)
Disable /usr/bin/luatex (requested /bin/luatex)
Disable /usr/bin/luahbtex (requested /bin/lualatex-dev)
Disable /usr/bin/cpan5.28-x86_64-linDISPLAY=:0 parsed as 0
 005f: 15 00 01 000000ed   jeq mbind 0060 (false 0061)
Disable /usr/bin/cpan5.32-x86_64-linux-gnu
Disable /usr/bin/cpan
Disable /usr/bin/cpan5.28-x86_64-linux-gnu (requested /bin/cpan5.28-x86_64-linux-gnu)
Disable /usr/bin/cpan5.32-x86_64-linux-gnu (requested /bin/cpan5.32-x86_64-linux-gnu)
Disable /usr/bin/cpan (requested /bin/cpan)
Disable /usr/bin/perl
Disable /usr/bin/perl (requested /bin/perl)
Disable /usr/bin/php_count
Disable /usr/bin/php_count (requested /bin/php_count)
Disable /usr/bin/ruby2.7 (requested /usr/bin/ruby)
Disable /usr/bin/ruby2.7 (requested /bin/ruby)
Disable /usr/bin/python2-futurize
Disable /usr/bin/python2-pasteurize
Disable /usr/bin/python2.7 (requested /usr/bin/python2)
Disable /usr/bin/python2.7
Disable /usr/bin/python2-futurize (requested /bin/python2-futurize)
Disable /usr/bin/python2-pasteurize (requested /bin/python2-pasteurize)
Disable /usr/bin/python2.7 (requested /bin/python2)
Disable /usr/bin/python2.7 (requested /bin/python2.7)
Disable /usr/bin/python3-wsdump
Disable /usr/bin/python3-futurize
Disable /usr/bin/python3-pasteurize
Disable /usr/bin/x86_64-linux-gnu-python3.9-config (requested /usr/bin/python3.9-config)
Disable /usr/bin/python3.9
Disable /usr/bin/python3.9 (requested /usr/bin/python3)
Disable /usr/bin/x86_64-linux-gnu-python3.9-config (requested /usr/bin/python3-config)
Disable /usr/bin/python3-wsdump (requested /bin/python3-wsdump)
Disable /usr/bin/python3-futurize (requested /bin/python3-futurize)
Disable /usr/bin/python3-pasteurize (requested /bin/python3-pasteurize)
Disable /usr/bin/x86_64-linux-gnu-python3.9-config (requested /bin/python3.9-config)
Disable /usr/bin/python3.9 (requested /bin/python3.9)
Disable /usr/bin/python3.9 (requested /bin/python3)
Disable /usr/bin/x86_64-linux-gnu-python3.9-config (requested /bin/python3-config)
execvp argument 0: /home/nolan/bin/upstream/thunderbird/thunderbird

And the ls -l looks perfectly reasonable.

```
$ firejail --profile=thunderbird ls -l ~/bin/upstream/thunderbird/thunderbird 2>/dev/null
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
-rwxr-xr-x 1 nolan nolan 14656 Mar 28 07:53 /home/nolan/bin/upstream/thunderbird/thunderbird
```
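
An `Exec failed with error: Permission denied` on a file whose `ls -l` looks normal can also come from a `noexec` flag on the mount that covers the path, which is what the `ignore noexec ${HOME}` line in `thunderbird.local` targets. The following is an added example, not code from this thread or from firejail: it parses mountinfo-format text (the same layout as the mount lines in the debug log above) and reports the options of the mount covering a path. The sample data, paths and function names are constructed for illustration.

```python
import re
import sys

# Constructed sample in /proc/self/mountinfo layout; not taken from the thread.
SAMPLE_MOUNTINFO = """1302 1200 0:25 / / rw,relatime master:1 - btrfs /dev/mapper/example_crypt rw,ssd
1400 1302 0:60 / /home/user rw,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw,mode=755
1401 1400 0:25 /home/user/bin/upstream/app /home/user/bin/upstream/app rw,relatime master:1 - btrfs /dev/mapper/example_crypt rw,ssd
1402 1401 0:25 /home/user/bin/upstream/app /home/user/bin/upstream/app ro,nosuid,nodev,noexec,relatime master:1 - btrfs /dev/mapper/example_crypt rw,ssd
"""

# mountinfo escapes space, tab, newline and backslash as \040 \011 \012 \134.
_OCTAL = re.compile(r"\\([0-7]{3})")


def _unescape(field):
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text):
    """Return mount entries from mountinfo text, skipping lines in any other format.

    Skipping non-matching lines lets the parser accept a firejail --debug log,
    where mount lines are mixed with other messages.
    """
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue
        try:
            # Optional fields (e.g. master:1) sit between the options and "-".
            sep = fields.index("-", 6)
            entries.append({
                "id": int(fields[0]),
                "parent": int(fields[1]),
                "mount_point": _unescape(fields[4]),
                "options": set(fields[5].split(",")),
                "fstype": fields[sep + 1],
            })
        except (ValueError, IndexError):
            continue
    return entries


def effective_mount(entries, path):
    """Pick the mount covering path: longest mount point, later line wins a tie.

    Assumption: this is a heuristic. A later mount placed over a parent
    directory would hide a child mount that this function still selects.
    """
    best = None
    for entry in entries:
        mp = entry["mount_point"]
        covers = mp == "/" or path == mp or path.startswith(mp.rstrip("/") + "/")
        if covers and (best is None or len(mp) >= len(best["mount_point"])):
            best = entry
    return best


def exec_report(text, path):
    """Summarise the mount flags that matter when exec() of path is attempted."""
    entry = effective_mount(parse_mountinfo(text), path)
    if entry is None:
        return None
    return {
        "mount_id": entry["id"],
        "mount_point": entry["mount_point"],
        "noexec": "noexec" in entry["options"],  # exec() fails with EACCES
        "read_only": "ro" in entry["options"],   # does not block exec()
    }


if __name__ == "__main__":
    # Usage: script.py MOUNTINFO_FILE PATH; without arguments, run on the sample.
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(exec_report(fh.read(), sys.argv[2]))
    else:
        print(exec_report(SAMPLE_MOUNTINFO, "/home/user/bin/upstream/app/app"))
```

The profile in this thread disables Python inside the sandbox, so capture the data with `firejail --profile=thunderbird cat /proc/self/mountinfo` redirected to a file and run the script on that file outside the sandbox.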
/usr/bin/x86_64-linux-gnu-gcc-nm-10 (requested /usr/bin/gcc-nm) Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-10 (requested /usr/bin/gcc-ranlib) Disable /usr/bin/x86_64-linux-gnu-gcc-10 (requested /bin/gcc-10) Disable /usr/bin/x86_64-linux-gnu-gcc-ar-10 (requested /bin/gcc-ar-10) Disable /usr/bin/x86_64-linux-gnu-gcc-nm-10 (requested /bin/gcc-nm-10) Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-10 (requested /bin/gcc-ranlib-10) Disable /usr/bin/x86_64-linux-gnu-gcc-10 (requested /bin/gcc) Disable /usr/bin/x86_64-linux-gnu-gcc-ar-10 (requested /bin/gcc-ar) Disable /usr/bin/x86_64-linux-gnu-gcc-nm-10 (requested /bin/gcc-nm) Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-10 (requested /bin/gcc-ranlib) Disable /usr/bin/gdb Disable /usr/bin/gdb (requested /bin/gdb) Disable /usr/bin/x86_64-linux-gnu-ld.bfd (requested /usr/bin/ld) Disable /usr/bin/x86_64-linux-gnu-ld.bfd (requested /bin/ld) Disable /usr/bin/x86_64-linux-gnu-gcc-10 Disable /usr/bin/x86_64-linux-gnu-gcc-ar-10 Disable /usr/bin/x86_64-linux-gnu-gcc-nm-10 Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-10 Disable /usr/bin/c89-gcc Disable /usr/bin/c99-gcc Disable /usr/bin/x86_64-linux-gnu-gcc-10 (requested /usr/bin/x86_64-linux-gnu-gcc) Disable /usr/bin/x86_64-linux-gnu-gcc-ar-10 (requested /usr/bin/x86_64-linux-gnu-gcc-ar) Disable /usr/bin/x86_64-linux-gnu-gcc-nm-10 (requested /usr/bin/x86_64-linux-gnu-gcc-nm) Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-10 (requested /usr/bin/x86_64-linux-gnu-gcc-ranlib) Disable /usr/bin/aarch64-linux-gnu-gcc-10 Disable /usr/bin/aarch64-linux-gnu-gcc-ar-10 Disable /usr/bin/aarch64-linux-gnu-gcc-nm-10 Disable /usr/bin/aarch64-linux-gnu-gcc-ranlib-10 Disable /usr/bin/aarch64-linux-gnu-gcc-10 (requested /usr/bin/aarch64-linux-gnu-gcc) Disable /usr/bin/aarch64-linux-gnu-gcc-ar-10 (requested /usr/bin/aarch64-linux-gnu-gcc-ar) Disable /usr/bin/aarch64-linux-gnu-gcc-nm-10 (requested /usr/bin/aarch64-linux-gnu-gcc-nm) Disable /usr/bin/aarch64-linux-gnu-gcc-ranlib-10 (requested 
/usr/bin/aarch64-linux-gnu-gcc-ranlib) Disable /usr/bin/arm-linux-gnueabihf-gcc-10 Disable /usr/bin/arm-linux-gnueabihf-gcc-ar-10 Disable /usr/bin/arm-linux-gnueabihf-gcc-nm-10 Disable /usr/bin/arm-linux-gnueabihf-gcc-ranlib-10 Disable /usr/bin/arm-linux-gnueabihf-gcc-10 (requested /usr/bin/arm-linux-gnueabihf-gcc) Disable /usr/bin/arm-linux-gnueabihf-gcc-ar-10 (requested /usr/bin/arm-linux-gnueabihf-gcc-ar) Disable /usr/bin/arm-linux-gnueabihf-gcc-nm-10 (requested /usr/bin/arm-linux-gnueabihf-gcc-nm) Disable /usr/bin/arm-linux-gnueabihf-gcc-ranlib-10 (requested /usr/bin/arm-linux-gnueabihf-gcc-ranlib) Disable /usr/bin/x86_64-linux-gnu-gcc-10 (requested /bin/x86_64-linux-gnu-gcc-10) Disable /usr/bin/x86_64-linux-gnu-gcc-ar-10 (requested /bin/x86_64-linux-gnu-gcc-ar-10) Disable /usr/bin/x86_64-linux-gnu-gcc-nm-10 (requested /bin/x86_64-linux-gnu-gcc-nm-10) Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-10 (requested /bin/x86_64-linux-gnu-gcc-ranlib-10) Disable /usr/bin/c89-gcc (requested /bin/c89-gcc) Disable /usr/bin/c99-gcc (requested /bin/c99-gcc) Disable /usr/bin/x86_64-linux-gnu-gcc-10 (requested /bin/x86_64-linux-gnu-gcc) Disable /usr/bin/x86_64-linux-gnu-gcc-ar-10 (requested /bin/x86_64-linux-gnu-gcc-ar) Disable /usr/bin/x86_64-linux-gnu-gcc-nm-10 (requested /bin/x86_64-linux-gnu-gcc-nm) Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-10 (requested /bin/x86_64-linux-gnu-gcc-ranlib) Disable /usr/bin/aarch64-linux-gnu-gcc-10 (requested /bin/aarch64-linux-gnu-gcc-10) Disable /usr/bin/aarch64-linux-gnu-gcc-ar-10 (requested /bin/aarch64-linux-gnu-gcc-ar-10) Disable /usr/bin/aarch64-linux-gnu-gcc-nm-10 (requested /bin/aarch64-linux-gnu-gcc-nm-10) Disable /usr/bin/aarch64-linux-gnu-gcc-ranlib-10 (requested /bin/aarch64-linux-gnu-gcc-ranlib-10) Disable /usr/bin/aarch64-linux-gnu-gcc-10 (requested /bin/aarch64-linux-gnu-gcc) Disable /usr/bin/aarch64-linux-gnu-gcc-ar-10 (requested /bin/aarch64-linux-gnu-gcc-ar) Disable /usr/bin/aarch64-linux-gnu-gcc-nm-10 (requested 
/bin/aarch64-linux-gnu-gcc-nm) Disable /usr/bin/aarch64-linux-gnu-gcc-ranlib-10 (requested /bin/aarch64-linux-gnu-gcc-ranlib) Disable /usr/bin/arm-linux-gnueabihf-gcc-10 (requested /bin/arm-linux-gnueabihf-gcc-10) Disable /usr/bin/arm-linux-gnueabihf-gcc-ar-10 (requested /bin/arm-linux-gnueabihf-gcc-ar-10) Disable /usr/bin/arm-linux-gnueabihf-gcc-nm-10 (requested /bin/arm-linux-gnueabihf-gcc-nm-10) Disable /usr/bin/arm-linux-gnueabihf-gcc-ranlib-10 (requested /bin/arm-linux-gnueabihf-gcc-ranlib-10) Disable /usr/bin/arm-linux-gnueabihf-gcc-10 (requested /bin/arm-linux-gnueabihf-gcc) Disable /usr/bin/arm-linux-gnueabihf-gcc-ar-10 (requested /bin/arm-linux-gnueabihf-gcc-ar) Disable /usr/bin/arm-linux-gnueabihf-gcc-nm-10 (requested /bin/arm-linux-gnueabihf-gcc-nm) Disable /usr/bin/arm-linux-gnueabihf-gcc-ranlib-10 (requested /bin/arm-linux-gnueabihf-gcc-ranlib) Disable /usr/bin/x86_64-linux-gnu-g++-10 (requested /usr/bin/x86_64-linux-gnu-g++) Disable /usr/bin/x86_64-linux-gnu-g++-10 Disable /usr/bin/aarch64-linux-gnu-g++-10 (requested /usr/bin/aarch64-linux-gnu-g++) Disable /usr/bin/aarch64-linux-gnu-g++-10 Disable /usr/bin/arm-linux-gnueabihf-g++-10 (requested /usr/bin/arm-linux-gnueabihf-g++) Disable /usr/bin/arm-linux-gnueabihf-g++-10 Disable /usr/bin/x86_64-linux-gnu-g++-10 (requested /bin/x86_64-linux-gnu-g++) Disable /usr/bin/x86_64-linux-gnu-g++-10 (requested /bin/x86_64-linux-gnu-g++-10) Disable /usr/bin/aarch64-linux-gnu-g++-10 (requested /bin/aarch64-linux-gnu-g++) Disable /usr/bin/aarch64-linux-gnu-g++-10 (requested /bin/aarch64-linux-gnu-g++-10) Disable /usr/bin/arm-linux-gnueabihf-g++-10 (requested /bin/arm-linux-gnueabihf-g++) Disable /usr/bin/arm-linux-gnueabihf-g++-10 (requested /bin/arm-linux-gnueabihf-g++-10) Disable /usr/bin/x86_64-linux-gnu-gcc-10 Disable /usr/bin/x86_64-linux-gnu-gcc-ar-10 Disable /usr/bin/x86_64-linux-gnu-gcc-nm-10 Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-10 Disable /usr/bin/c89-gcc Disable /usr/bin/c99-gcc Disable 
/usr/bin/x86_64-linux-gnu-gcc-10 (requested /usr/bin/x86_64-linux-gnu-gcc) Disable /usr/bin/x86_64-linux-gnu-gcc-ar-10 (requested /usr/bin/x86_64-linux-gnu-gcc-ar) Disable /usr/bin/x86_64-linux-gnu-gcc-nm-10 (requested /usr/bin/x86_64-linux-gnu-gcc-nm) Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-10 (requested /usr/bin/x86_64-linux-gnu-gcc-ranlib) Disable /usr/bin/aarch64-linux-gnu-gcc-10 Disable /usr/bin/aarch64-linux-gnu-gcc-ar-10 Disable /usr/bin/aarch64-linux-gnu-gcc-nm-10 Disable /usr/bin/aarch64-linux-gnu-gcc-ranlib-10 Disable /usr/bin/aarch64-linux-gnu-gcc-10 (requested /usr/bin/aarch64-linux-gnu-gcc) Disable /usr/bin/aarch64-linux-gnu-gcc-ar-10 (requested /usr/bin/aarch64-linux-gnu-gcc-ar) Disable /usr/bin/aarch64-linux-gnu-gcc-nm-10 (requested /usr/bin/aarch64-linux-gnu-gcc-nm) Disable /usr/bin/aarch64-linux-gnu-gcc-ranlib-10 (requested /usr/bin/aarch64-linux-gnu-gcc-ranlib) Disable /usr/bin/arm-linux-gnueabihf-gcc-10 Disable /usr/bin/arm-linux-gnueabihf-gcc-ar-10 Disable /usr/bin/arm-linux-gnueabihf-gcc-nm-10 Disable /usr/bin/arm-linux-gnueabihf-gcc-ranlib-10 Disable /usr/bin/arm-linux-gnueabihf-gcc-10 (requested /usr/bin/arm-linux-gnueabihf-gcc) Disable /usr/bin/arm-linux-gnueabihf-gcc-ar-10 (requested /usr/bin/arm-linux-gnueabihf-gcc-ar) Disable /usr/bin/arm-linux-gnueabihf-gcc-nm-10 (requested /usr/bin/arm-linux-gnueabihf-gcc-nm) Disable /usr/bin/arm-linux-gnueabihf-gcc-ranlib-10 (requested /usr/bin/arm-linux-gnueabihf-gcc-ranlib) Disable /usr/bin/x86_64-linux-gnu-gcc-10 (requested /bin/x86_64-linux-gnu-gcc-10) Disable /usr/bin/x86_64-linux-gnu-gcc-ar-10 (requested /bin/x86_64-linux-gnu-gcc-ar-10) Disable /usr/bin/x86_64-linux-gnu-gcc-nm-10 (requested /bin/x86_64-linux-gnu-gcc-nm-10) Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-10 (requested /bin/x86_64-linux-gnu-gcc-ranlib-10) Disable /usr/bin/c89-gcc (requested /bin/c89-gcc) Disable /usr/bin/c99-gcc (requested /bin/c99-gcc) Disable /usr/bin/x86_64-linux-gnu-gcc-10 (requested 
/bin/x86_64-linux-gnu-gcc) Disable /usr/bin/x86_64-linux-gnu-gcc-ar-10 (requested /bin/x86_64-linux-gnu-gcc-ar) Disable /usr/bin/x86_64-linux-gnu-gcc-nm-10 (requested /bin/x86_64-linux-gnu-gcc-nm) Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-10 (requested /bin/x86_64-linux-gnu-gcc-ranlib) Disable /usr/bin/aarch64-linux-gnu-gcc-10 (requested /bin/aarch64-linux-gnu-gcc-10) Disable /usr/bin/aarch64-linux-gnu-gcc-ar-10 (requested /bin/aarch64-linux-gnu-gcc-ar-10) Disable /usr/bin/aarch64-linux-gnu-gcc-nm-10 (requested /bin/aarch64-linux-gnu-gcc-nm-10) Disable /usr/bin/aarch64-linux-gnu-gcc-ranlib-10 (requested /bin/aarch64-linux-gnu-gcc-ranlib-10) Disable /usr/bin/aarch64-linux-gnu-gcc-10 (requested /bin/aarch64-linux-gnu-gcc) Disable /usr/bin/aarch64-linux-gnu-gcc-ar-10 (requested /bin/aarch64-linux-gnu-gcc-ar) Disable /usr/bin/aarch64-linux-gnu-gcc-nm-10 (requested /bin/aarch64-linux-gnu-gcc-nm) Disable /usr/bin/aarch64-linux-gnu-gcc-ranlib-10 (requested /bin/aarch64-linux-gnu-gcc-ranlib) Disable /usr/bin/arm-linux-gnueabihf-gcc-10 (requested /bin/arm-linux-gnueabihf-gcc-10) Disable /usr/bin/arm-linux-gnueabihf-gcc-ar-10 (requested /bin/arm-linux-gnueabihf-gcc-ar-10) Disable /usr/bin/arm-linux-gnueabihf-gcc-nm-10 (requested /bin/arm-linux-gnueabihf-gcc-nm-10) Disable /usr/bin/arm-linux-gnueabihf-gcc-ranlib-10 (requested /bin/arm-linux-gnueabihf-gcc-ranlib-10) Disable /usr/bin/arm-linux-gnueabihf-gcc-10 (requested /bin/arm-linux-gnueabihf-gcc) Disable /usr/bin/arm-linux-gnueabihf-gcc-ar-10 (requested /bin/arm-linux-gnueabihf-gcc-ar) Disable /usr/bin/arm-linux-gnueabihf-gcc-nm-10 (requested /bin/arm-linux-gnueabihf-gcc-nm) Disable /usr/bin/arm-linux-gnueabihf-gcc-ranlib-10 (requested /bin/arm-linux-gnueabihf-gcc-ranlib) Disable /usr/bin/x86_64-linux-gnu-g++-10 (requested /usr/bin/x86_64-linux-gnu-g++) Disable /usr/bin/x86_64-linux-gnu-g++-10 Disable /usr/bin/aarch64-linux-gnu-g++-10 (requested /usr/bin/aarch64-linux-gnu-g++) Disable /usr/bin/aarch64-linux-gnu-g++-10 
Disable /usr/bin/arm-linux-gnueabihf-g++-10 (requested /usr/bin/arm-linux-gnueabihf-g++) Disable /usr/bin/arm-linux-gnueabihf-g++-10 Disable /usr/bin/x86_64-linux-gnu-g++-10 (requested /bin/x86_64-linux-gnu-g++) Disable /usr/bin/x86_64-linux-gnu-g++-10 (requested /bin/x86_64-linux-gnu-g++-10) Disable /usr/bin/aarch64-linux-gnu-g++-10 (requested /bin/aarch64-linux-gnu-g++) Disable /usr/bin/aarch64-linux-gnu-g++-10 (requested /bin/aarch64-linux-gnu-g++-10) Disable /usr/bin/arm-linux-gnueabihf-g++-10 (requested /bin/arm-linux-gnueabihf-g++) Disable /usr/bin/arm-linux-gnueabihf-g++-10 (requested /bin/arm-linux-gnueabihf-g++-10) Disable /usr/bin/openssl Disable /usr/bin/openssl (requested /bin/openssl) Disable /usr/bin/valgrind Disable /usr/bin/valgrind-di-server Disable /usr/bin/valgrind-listener Disable /usr/bin/valgrind.bin Disable /usr/bin/valgrind (requested /bin/valgrind) Disable /usr/bin/valgrind-di-server (requested /bin/valgrind-di-server) Disable /usr/bin/valgrind-listener (requested /bin/valgrind-listener) Disable /usr/bin/valgrind.bin (requested /bin/valgrind.bin) Disable /usr/share/texlive/texmf-dist/scripts/luaotfload/luaotfload-tool.lua (requested /usr/bin/luaotfload-tool) Disable /usr/bin/luahbtex (requested /usr/bin/lualatex) Disable /usr/bin/luahbtex Disable /usr/bin/luajithbtex Disable /usr/bin/luajittex Disable /usr/bin/luatex Disable /usr/bin/luahbtex (requested /usr/bin/lualatex-dev) Disable /usr/share/texlive/texmf-dist/scripts/luaotfload/luaotfload-tool.lua (requested /bin/luaotfload-tool) Disable /usr/bin/luahbtex (requested /bin/lualatex) Disable /usr/bin/luahbtex (requested /bin/luahbtex) Disable /usr/bin/luajithbtex (requested /bin/luajithbtex) Disable /usr/bin/luajittex (requested /bin/luajittex) Disable /usr/bin/luatex (requested /bin/luatex) Disable /usr/bin/luahbtex (requested /bin/lualatex-dev) Disable /usr/bin/cpan5.28-x86_64-linDISPLAY=:0 parsed as 0 005f: 15 00 01 000000ed jeq mbind 0060 (false 0061) Disable 
/usr/bin/cpan5.32-x86_64-linux-gnu Disable /usr/bin/cpan Disable /usr/bin/cpan5.28-x86_64-linux-gnu (requested /bin/cpan5.28-x86_64-linux-gnu) Disable /usr/bin/cpan5.32-x86_64-linux-gnu (requested /bin/cpan5.32-x86_64-linux-gnu) Disable /usr/bin/cpan (requested /bin/cpan) Disable /usr/bin/perl Disable /usr/bin/perl (requested /bin/perl) Disable /usr/bin/php_count Disable /usr/bin/php_count (requested /bin/php_count) Disable /usr/bin/ruby2.7 (requested /usr/bin/ruby) Disable /usr/bin/ruby2.7 (requested /bin/ruby) Disable /usr/bin/python2-futurize Disable /usr/bin/python2-pasteurize Disable /usr/bin/python2.7 (requested /usr/bin/python2) Disable /usr/bin/python2.7 Disable /usr/bin/python2-futurize (requested /bin/python2-futurize) Disable /usr/bin/python2-pasteurize (requested /bin/python2-pasteurize) Disable /usr/bin/python2.7 (requested /bin/python2) Disable /usr/bin/python2.7 (requested /bin/python2.7) Disable /usr/bin/python3-wsdump Disable /usr/bin/python3-futurize Disable /usr/bin/python3-pasteurize Disable /usr/bin/x86_64-linux-gnu-python3.9-config (requested /usr/bin/python3.9-config) Disable /usr/bin/python3.9 Disable /usr/bin/python3.9 (requested /usr/bin/python3) Disable /usr/bin/x86_64-linux-gnu-python3.9-config (requested /usr/bin/python3-config) Disable /usr/bin/python3-wsdump (requested /bin/python3-wsdump) Disable /usr/bin/python3-futurize (requested /bin/python3-futurize) Disable /usr/bin/python3-pasteurize (requested /bin/python3-pasteurize) Disable /usr/bin/x86_64-linux-gnu-python3.9-config (requested /bin/python3.9-config) Disable /usr/bin/python3.9 (requested /bin/python3.9) Disable /usr/bin/python3.9 (requested /bin/python3) Disable /usr/bin/x86_64-linux-gnu-python3.9-config (requested /bin/python3-config) execvp argument 0: /home/nolan/bin/upstream/thunderbird/thunderbird ``` And the ls -l looks perfectly reasonable. 
``` $ firejail --profile=thunderbird ls -l ~/bin/upstream/thunderbird/thunderbird 2>/dev/null Seccomp list in: !chroot, check list: @default-keep, prelist: unknown, Seccomp list in: !chroot, check list: @default-keep, prelist: unknown, -rwxr-xr-x 1 nolan nolan 14656 Mar 28 07:53 /home/nolan/bin/upstream/thunderbird/thunderbird ```
Author
Owner

@rusty-snake commented on GitHub (Mar 30, 2021):

The Exec failed with error: Permission denied comes from https://searchfox.org/comm-central/source/mail/app/no-pie/NoPie.c. The whitelist maybe tampers with /proc/self/exe. Does it work with firejail --profile=thunderbird ${HOME}/bin/upstream/thunderbird/thunderbird-bin?


@nolanl commented on GitHub (Mar 30, 2021):

firejail --profile=thunderbird ${HOME}/bin/upstream/thunderbird/thunderbird-bin

works.

I tried adding "whitelist ${HOME}/bin/upstream/thunderbird-bin" to the list, but still got the permission denied error when running their wrapper.


@rusty-snake commented on GitHub (Mar 30, 2021):

Here's a quick-and-dirty readlink for /proc/self/exe, if you compile it (gcc -o readlinkselfexe readlinkselfexe.c), place it in ${HOME}/bin/upstream/thunderbird and run it with firejail --profile=thunderbird ${HOME}/bin/upstream/thunderbird/readlinkselfexe. What does it show? And if you symlink it from ~/bin?

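#include <limits.h>
#include <stdio.h>
#include <unistd.h>

int main(void) {
        char path[PATH_MAX];
        /* readlink() does not NUL-terminate, so use the length it returns */
        ssize_t len = readlink("/proc/self/exe", path, sizeof(path) - 1);
        if (len < 0) {
                perror("readlink");
                return 1;
        }
        path[len] = '\0';
        printf("%s\n", path);
        return 0;
}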

@nolanl commented on GitHub (Mar 30, 2021):

$ firejail --profile=thunderbird ${HOME}/bin/upstream/thunderbird/readlinkselfexe
Reading profile /etc/firejail/thunderbird.profile
Reading profile /home/nolan/.config/firejail/thunderbird.local
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 3524498, child pid 3524499
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Child process initialized in 106.06 ms
/home/nolan/bin/upstream/thunderbird/readlinkselfexe

Parent is shutting down, bye...

and

$ firejail --profile=thunderbird ${HOME}/bin/readlinkselfexe
Reading profile /etc/firejail/thunderbird.profile
Reading profile /home/nolan/.config/firejail/thunderbird.local
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 3524620, child pid 3524621
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Child process initialized in 107.66 ms
Error: no suitable /home/nolan/bin/readlinkselfexe executable found

Parent is shutting down, bye...

@nolanl commented on GitHub (Mar 30, 2021):

Ah hah! From dmesg:

[1297630.427237] audit: type=1400 audit(1617133018.672:58): apparmor="DENIED" operation="exec" profile="firejail-default" name="/home/nolan/bin/upstream/thunderbird/thunderbird-bin" pid=3513170 comm="thunderbird" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000

@nolanl commented on GitHub (Mar 30, 2021):

Doesn't explain why the symlink isn't working, of course.


@nolanl commented on GitHub (Mar 30, 2021):

From Debian's /etc/apparmor.d/firejail-default

##########
# Allow running programs only from well-known system directories. If you need
# to run programs from your home directory, uncomment /home line.
##########
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}bin/** ix,
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}sbin/** ix,
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}games/** ix,
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}lib{,32,64,exec}/** ix,
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}opt/** ix,
#/{,run/firejail/mnt/oroot/}home/** ix,

I added

/{,run/firejail/mnt/oroot/}home/bin/** ix,

and now I get Error: no suitable /home/nolan/bin/thunderbird executable found when running both the symlink and the wrapper.


@rusty-snake commented on GitHub (Mar 30, 2021):

I don't know that much about AA, but shouldn't it be home/nolan/bin/**?


@nolanl commented on GitHub (Mar 30, 2021):

The mnt/oroot stuff appears to be a firejail thing, but the line I added should match both /run/firejail/mnt/oroot/home/bin/** and /home/bin/**.


@ghost commented on GitHub (Mar 30, 2021):

> #/{,run/firejail/mnt/oroot/}home/** ix,

> The mnt/oroot stuff appears to be a firejail thing, but the line I added should match both /run/firejail/mnt/oroot/home/bin/** and /home/bin/**.

@nolanl It does, but that won't do much good. It would be surprising to hear home/bin/thunderbird actually exists on your system - which is different from ${HOME}/bin/thunderbird.

On a side-note, the recommended way to enable this is not to uncomment it in /etc/apparmor.d/firejail-default, which is overwritten by a future firejail upgrade. We could improve the comment to stress doing so in /etc/apparmor.d/local/firejail-default.


@nolanl commented on GitHub (Mar 30, 2021):

> @nolanl It does, but that won't do much good. It would be surprising to hear home/bin/thunderbird actually exists on your system - which is different from ${HOME}/bin/thunderbird.

Oh, hah, you're right, I totally misread that, and then misunderstood @rusty-snake's comment.

Fixing my apparmor (and the .config/firejail/thunderbird.local fix) makes both the bin/thunderbird symlink and the bin/upstream/thunderbird/thunderbird wrapper work fine.

> On a side-note, the recommended way to enable this is not to uncomment it in /etc/apparmor.d/firejail-default, which is overwritten by a future firejail upgrade. We could improve the comment to stress doing so in /etc/apparmor.d/local/firejail-default.

Yeah, that is where I ended up putting it.


@nolanl commented on GitHub (Mar 30, 2021):

Thank you @rusty-snake and @glitsj16 for your help tracking this down!

And to hopefully draw in any folks searching because they have the same problem with firefox: firefox firefox firefox
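The mismatch worked out in the comments above, as an added example (not code from the thread or from firejail): it parses the quoted audit record and checks the denied path against the quoted firejail-default exec rules using a simplified approximation of AppArmor globbing. `SUGGESTED_RULE` is an assumption that combines the reporter's line with the `home/nolan/bin/**` path suggested in the thread; the thread does not show the final rule.

```python
import re

# Exec rules quoted in the thread from Debian's /etc/apparmor.d/firejail-default.
STOCK_RULES = [
    "/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}bin/** ix,",
    "/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}sbin/** ix,",
    "/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}games/** ix,",
    "/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}lib{,32,64,exec}/** ix,",
    "/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}opt/** ix,",
]
# The line the reporter added first.
ADDED_RULE = "/{,run/firejail/mnt/oroot/}home/bin/** ix,"
# Assumption: the reporter's line with the path suggested in the thread.
SUGGESTED_RULE = "/{,run/firejail/mnt/oroot/}home/nolan/bin/** ix,"

# Audit record quoted in the thread (from dmesg).
AUDIT_LINE = (
    '[1297630.427237] audit: type=1400 audit(1617133018.672:58): '
    'apparmor="DENIED" operation="exec" profile="firejail-default" '
    'name="/home/nolan/bin/upstream/thunderbird/thunderbird-bin" '
    'pid=3513170 comm="thunderbird" requested_mask="x" denied_mask="x" '
    'fsuid=1000 ouid=1000'
)


def parse_audit(line):
    """Split an audit record into its key=value fields (quotes removed)."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line)
    return {key: quoted or bare for key, quoted, bare in pairs}


def glob_to_regex(glob):
    """Translate an AppArmor-style path glob into a regex.

    Simplified: '**' crosses '/', '*' and '?' do not, '{a,b}' is alternation.
    Character classes and the parser's edge cases are not modelled.
    """
    out, depth, i = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    if depth:
        raise ValueError("unbalanced '{' in glob: " + glob)
    return re.compile("".join(out))


def rule_allows_exec(rule, path):
    """True if a '<glob> <perms>,' rule grants an x permission on path."""
    glob, perms = rule.rstrip(",").rsplit(None, 1)
    return "x" in perms and glob_to_regex(glob).fullmatch(path) is not None


def matching_rules(path, rules):
    """Rules from the list that would allow executing path."""
    return [r for r in rules if rule_allows_exec(r, path)]


def triage(line, rules):
    """For an AppArmor exec denial return (path, allowing rules), else None."""
    fields = parse_audit(line)
    if fields.get("apparmor") != "DENIED" or "x" not in fields.get("denied_mask", ""):
        return None
    return fields["name"], matching_rules(fields["name"], rules)


if __name__ == "__main__":
    for label, rules in (
        ("stock rules + reporter's first line", STOCK_RULES + [ADDED_RULE]),
        ("stock rules + suggested path", STOCK_RULES + [SUGGESTED_RULE]),
    ):
        path, allowed_by = triage(AUDIT_LINE, rules)
        print(label, "->", path, "allowed by", allowed_by or "nothing")
```
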