github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #4331] blacklisting ${HOME}/.netrc blocks internet access for SRBMiner 0.7.5+ #2625

New issue
Closed
opened 2026-05-05 09:17:12 -06:00 by gitea-mirror · 18 comments
gitea-mirror commented 2026-05-05 09:17:12 -06:00
Owner
Copy link

Originally created by @christianskou07 on GitHub (Jun 3, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4331

Bug and expected behavior
Running SRBMiner with firejail using the default profile blocks internet access causing the miner not to work properly (crashing upon startup). However, for a period of time it was working without any issues.
I have narrowed it down to whether or not the line blacklist ${HOME}/.netrc in /etc/firejail/disable-common.inc is commented out or not makes the difference.

SRBMiner 0.7.5 and 0.7.6.

  • What did you expect to happen?
    To have internet access and work as usual. Although I know this could make me look rather naive.

No profile and disabling firejail

  • What changed calling firejail --noprofile /path/to/program in a terminal?
    Works as expected.

Reproduce
Steps to reproduce the behavior:
Setup SRBMiner using --setup, thereafter run the generated start script with firejail.

Environment

  • Linux distribution and version (ie output of lsb_release -a, screenfetch or cat /etc/os-release)
NAME="Manjaro Linux"
ID=manjaro
ID_LIKE=arch
BUILD_ID=rolling
PRETTY_NAME="Manjaro Linux"
ANSI_COLOR="32;1;24;144;200"
HOME_URL="https://manjaro.org/"
DOCUMENTATION_URL="https://wiki.manjaro.org/"
SUPPORT_URL="https://manjaro.org/"
BUG_REPORT_URL="https://bugs.manjaro.org/"
LOGO=manjarolinux
  • Firejail version (output of firejail --version) exclusive or used git commit (git rev-parse HEAD)
firejail version 0.9.64.4

Checklist

  • [?] The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • [?] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • I have performed a short search for similar issues (to avoid opening a duplicate).
  • [?] If it is a AppImage, --profile=PROFILENAME is used to set the right profile.
  • [?] Used LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 PROGRAM to get english error-messages.
  • [?] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • This is not a question. Questions should be asked in https://github.com/netblue30/firejail/discussions.
debug output

It should be noted that a rather large part of /etc/firejail/disable-common.inc is commented out when reading the output below.

Autoselecting /bin/bash as shell
Building quoted command line: './SRBMiner-MULTI' '--algorithm' 'autolykos2' '--pool' 'stratum+ssl://ergo.herominers.com:10250' '--wallet' 'wallet' '--password' '' '--cpu-threads' '-1' '--log-file' 'log-ergo.txt' '--extended-log' 
Command name #SRBMiner-MULTI#
Attempting to find default.profile...
Found default.profile profile in /etc/firejail directory
Reading profile /etc/firejail/default.profile
Found disable-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-common.inc
Found disable-passwdmgr.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-passwdmgr.inc
Found disable-programs.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-programs.inc

** Note: you can use --noprofile to disable default.profile **

DISPLAY=:0.0 parsed as 0
Using the local network stack
Parent pid 3030, child pid 3031
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
Build protocol filter: unix,inet,inet6
sbox run: /run/firejail/lib/fseccomp protocol build unix,inet,inet6 /run/firejail/mnt/seccomp/seccomp.protocol 
Dropping all capabilities
Drop privileges: pid 2, uid 1000, gid 1000, nogroups 1
No supplementary groups
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
534 493 8:7 /etc /etc ro,noatime master:1 - ext4 /dev/sda7 rw
mountid=534 fsname=/etc dir=/etc fstype=ext4
Mounting noexec /etc
535 534 8:7 /etc /etc ro,nosuid,nodev,noexec,noatime master:1 - ext4 /dev/sda7 rw
mountid=535 fsname=/etc dir=/etc fstype=ext4
Mounting read-only /var
536 493 8:7 /var /var ro,noatime master:1 - ext4 /dev/sda7 rw
mountid=536 fsname=/var dir=/var fstype=ext4
Mounting noexec /var
537 536 8:7 /var /var ro,nosuid,nodev,noexec,noatime master:1 - ext4 /dev/sda7 rw
mountid=537 fsname=/var dir=/var fstype=ext4
Mounting read-only /usr
538 493 8:7 /usr /usr ro,noatime master:1 - ext4 /dev/sda7 rw
mountid=538 fsname=/usr dir=/usr fstype=ext4
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Cleaning /run/user directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
Disable /run/firejail/appimage
blacklist /run/firejail/dbus
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /usr/lib/modules (requested /lib/modules)
Disable /boot
Disable /dev/port
Disable /run/user/1000/gnupg
Disable /run/user/1000/systemd
Disable /dev/kmsg
Disable /proc/kmsg
Disable /home/chr1s/.gnupg
Disable /home/chr1s/.local/share/keyrings
Disable /home/chr1s/.netrc
Disable /home/chr1s/.pki
Disable /home/chr1s/.ssh
Disable /etc/group-
Disable /etc/gshadow
Disable /etc/gshadow-
Disable /etc/passwd-
Disable /etc/shadow
Disable /etc/shadow-
Disable /etc/ssh
Disable /home/chr1s/Arduino
Disable /home/chr1s/.android
Disable /home/chr1s/.arduino15
Disable /home/chr1s/.config/BraveSoftware
Disable /home/chr1s/.config/Code - OSS
Disable /home/chr1s/.config/GIMP
Disable /home/chr1s/.config/Mousepad
Disable /home/chr1s/.config/Thunar
Disable /home/chr1s/.config/catfish
Disable /home/chr1s/.config/chromium
Disable /home/chr1s/.config/discord
Disable /home/chr1s/.config/falkon
Disable /home/chr1s/.config/galculator
Disable /home/chr1s/.config/google-chrome
Disable /home/chr1s/.config/libreoffice
Disable /home/chr1s/.local/share/man
Disable /home/chr1s/.config/mpv
Disable /home/chr1s/.config/pavucontrol.ini
Disable /home/chr1s/.config/Pinta
Disable /home/chr1s/.config/qpdfview
Disable /home/chr1s/.config/spotify
Disable /home/chr1s/.config/torbrowser
Disable /home/chr1s/.config/viewnior
Disable /home/chr1s/.config/vlc
Disable /home/chr1s/.config/wireshark
Disable /home/chr1s/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml
Disable /home/chr1s/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
Disable /home/chr1s/.config/youtube-dl
Disable /home/chr1s/.gitconfig
Disable /home/chr1s/.java
Disable /home/chr1s/.local/share/JetBrains
Disable /home/chr1s/.local/share/qpdfview
Disable /home/chr1s/.local/share/torbrowser
Disable /home/chr1s/.local/share/vlc
Disable /home/chr1s/.mozilla
Disable /home/chr1s/.nanorc
Disable /home/chr1s/.nv
Disable /home/chr1s/.pylint.d
Disable /home/chr1s/.thunderbird
Disable /home/chr1s/.vscode-oss
Disable /home/chr1s/.wget-hsts
Disable /home/chr1s/.xournalpp
Disable /tmp/ssh-XXXXXXx0uZFd
Disable /home/chr1s/.cache/babl
Disable /home/chr1s/.cache/chromium
Disable /home/chr1s/.cache/gegl-0.4
Disable /home/chr1s/.cache/gimp
Disable /home/chr1s/.cache/mozilla
Disable /home/chr1s/.cache/pip
Disable /home/chr1s/.cache/spotify
Disable /home/chr1s/.cache/thunderbird
Disable /home/chr1s/.cache/torbrowser
Disable /sys/fs
Disable /sys/module
Mounting noexec /run/firejail/mnt/pulse
975 531 0:55 /pulse /run/firejail/mnt/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755,inode64
mountid=975 fsname=/pulse dir=/run/firejail/mnt/pulse fstype=tmpfs
Mounting /run/firejail/mnt/pulse on /home/chr1s/.config/pulse
976 545 0:55 /pulse /home/chr1s/.config/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755,inode64
mountid=976 fsname=/pulse dir=/home/chr1s/.config/pulse fstype=tmpfs
Current directory: /home/chr1s/Documents/miners/SRBMiner-Multi-0-7-5
DISPLAY=:0.0 parsed as 0
Install protocol filter: unix,inet,inet6
configuring 20 seccomp entries in /run/firejail/mnt/seccomp/seccomp.protocol
sbox run: /usr/lib/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.protocol 
Dropping all capabilities
Drop privileges: pid 3, uid 1000, gid 1000, nogroups 1
No supplementary groups
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 04 00 c000003e   jeq ARCH_64 0006 (false 0002)
 0002: 20 00 00 00000000   ld  data.syscall-number
 0003: 15 01 00 00000167   jeq unknown 0005 (false 0004)
 0004: 06 00 00 7fff0000   ret ALLOW
 0005: 05 00 00 00000006   jmp 000c
 0006: 20 00 00 00000004   ld  data.architecture
 0007: 15 01 00 c000003e   jeq ARCH_64 0009 (false 0008)
 0008: 06 00 00 7fff0000   ret ALLOW
 0009: 20 00 00 00000000   ld  data.syscall-number
 000a: 15 01 00 00000029   jeq socket 000c (false 000b)
 000b: 06 00 00 7fff0000   ret ALLOW
 000c: 20 00 00 00000010   ld  data.args[0]
 000d: 15 00 01 00000001   jeq 1 000e (false 000f)
 000e: 06 00 00 7fff0000   ret ALLOW
 000f: 15 00 01 00000002   jeq 2 0010 (false 0011)
 0010: 06 00 00 7fff0000   ret ALLOW
 0011: 15 00 01 0000000a   jeq a 0012 (false 0013)
 0012: 06 00 00 7fff0000   ret ALLOW
 0013: 06 00 00 0005005f   ret ERRNO(95)
configuring 101 seccomp entries in /run/firejail/mnt/seccomp/seccomp.32
sbox run: /usr/lib/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.32 
Dropping all capabilities
Drop privileges: pid 4, uid 1000, gid 1000, nogroups 1
No supplementary groups
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 40000003   jeq ARCH_32 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 15 00 01 00000015   jeq 15 0005 (false 0006)
 0005: 06 00 00 00000001   ret KILL
 0006: 15 00 01 00000034   jeq 34 0007 (false 0008)
 0007: 06 00 00 00000001   ret KILL
 0008: 15 00 01 0000001a   jeq 1a 0009 (false 000a)
 0009: 06 00 00 00000001   ret KILL
 000a: 15 00 01 0000011b   jeq 11b 000b (false 000c)
 000b: 06 00 00 00000001   ret KILL
 000c: 15 00 01 00000155   jeq 155 000d (false 000e)
 000d: 06 00 00 00000001   ret KILL
 000e: 15 00 01 00000156   jeq 156 000f (false 0010)
 000f: 06 00 00 00000001   ret KILL
 0010: 15 00 01 0000007f   jeq 7f 0011 (false 0012)
 0011: 06 00 00 00000001   ret KILL
 0012: 15 00 01 00000080   jeq 80 0013 (false 0014)
 0013: 06 00 00 00000001   ret KILL
 0014: 15 00 01 0000015e   jeq 15e 0015 (false 0016)
 0015: 06 00 00 00000001   ret KILL
 0016: 15 00 01 00000081   jeq 81 0017 (false 0018)
 0017: 06 00 00 00000001   ret KILL
 0018: 15 00 01 0000006e   jeq 6e 0019 (false 001a)
 0019: 06 00 00 00000001   ret KILL
 001a: 15 00 01 00000065   jeq 65 001b (false 001c)
 001b: 06 00 00 00000001   ret KILL
 001c: 15 00 01 00000121   jeq 121 001d (false 001e)
 001d: 06 00 00 00000001   ret KILL
 001e: 15 00 01 00000057   jeq 57 001f (false 0020)
 001f: 06 00 00 00000001   ret KILL
 0020: 15 00 01 00000073   jeq 73 0021 (false 0022)
 0021: 06 00 00 00000001   ret KILL
 0022: 15 00 01 00000067   jeq 67 0023 (false 0024)
 0023: 06 00 00 00000001   ret KILL
 0024: 15 00 01 0000015b   jeq 15b 0025 (false 0026)
 0025: 06 00 00 00000001   ret KILL
 0026: 15 00 01 0000015c   jeq 15c 0027 (false 0028)
 0027: 06 00 00 00000001   ret KILL
 0028: 15 00 01 00000087   jeq 87 0029 (false 002a)
 0029: 06 00 00 00000001   ret KILL
 002a: 15 00 01 00000095   jeq 95 002b (false 002c)
 002b: 06 00 00 00000001   ret KILL
 002c: 15 00 01 0000007c   jeq 7c 002d (false 002e)
 002d: 06 00 00 00000001   ret KILL
 002e: 15 00 01 00000157   jeq 157 002f (false 0030)
 002f: 06 00 00 00000001   ret KILL
 0030: 15 00 01 000000fd   jeq fd 0031 (false 0032)
 0031: 06 00 00 00000001   ret KILL
 0032: 15 00 01 00000150   jeq 150 0033 (false 0034)
 0033: 06 00 00 00000001   ret KILL
 0034: 15 00 01 00000152   jeq 152 0035 (false 0036)
 0035: 06 00 00 00000001   ret KILL
 0036: 15 00 01 0000015d   jeq 15d 0037 (false 0038)
 0037: 06 00 00 00000001   ret KILL
 0038: 15 00 01 0000011e   jeq 11e 0039 (false 003a)
 0039: 06 00 00 00000001   ret KILL
 003a: 15 00 01 0000011f   jeq 11f 003b (false 003c)
 003b: 06 00 00 00000001   ret KILL
 003c: 15 00 01 00000120   jeq 120 003d (false 003e)
 003d: 06 00 00 00000001   ret KILL
 003e: 15 00 01 00000056   jeq 56 003f (false 0040)
 003f: 06 00 00 00000001   ret KILL
 0040: 15 00 01 00000033   jeq 33 0041 (false 0042)
 0041: 06 00 00 00000001   ret KILL
 0042: 15 00 01 0000007b   jeq 7b 0043 (false 0044)
 0043: 06 00 00 00000001   ret KILL
 0044: 15 00 01 000000d9   jeq d9 0045 (false 0046)
 0045: 06 00 00 00000001   ret KILL
 0046: 15 00 01 000000f5   jeq f5 0047 (false 0048)
 0047: 06 00 00 00000001   ret KILL
 0048: 15 00 01 000000f6   jeq f6 0049 (false 004a)
 0049: 06 00 00 00000001   ret KILL
 004a: 15 00 01 000000f7   jeq f7 004b (false 004c)
 004b: 06 00 00 00000001   ret KILL
 004c: 15 00 01 000000f8   jeq f8 004d (false 004e)
 004d: 06 00 00 00000001   ret KILL
 004e: 15 00 01 000000f9   jeq f9 004f (false 0050)
 004f: 06 00 00 00000001   ret KILL
 0050: 15 00 01 00000101   jeq 101 0051 (false 0052)
 0051: 06 00 00 00000001   ret KILL
 0052: 15 00 01 00000112   jeq 112 0053 (false 0054)
 0053: 06 00 00 00000001   ret KILL
 0054: 15 00 01 00000114   jeq 114 0055 (false 0056)
 0055: 06 00 00 00000001   ret KILL
 0056: 15 00 01 00000126   jeq 126 0057 (false 0058)
 0057: 06 00 00 00000001   ret KILL
 0058: 15 00 01 0000013d   jeq 13d 0059 (false 005a)
 0059: 06 00 00 00000001   ret KILL
 005a: 15 00 01 0000013c   jeq 13c 005b (false 005c)
 005b: 06 00 00 00000001   ret KILL
 005c: 15 00 01 0000003d   jeq 3d 005d (false 005e)
 005d: 06 00 00 00000001   ret KILL
 005e: 15 00 01 00000058   jeq 58 005f (false 0060)
 005f: 06 00 00 00000001   ret KILL
 0060: 15 00 01 000000a9   jeq a9 0061 (false 0062)
 0061: 06 00 00 00000001   ret KILL
 0062: 15 00 01 00000082   jeq 82 0063 (false 0064)
 0063: 06 00 00 00000001   ret KILL
 0064: 06 00 00 7fff0000   ret ALLOW
Dual 32/64 bit seccomp filter configured
configuring 134 seccomp entries in /run/firejail/mnt/seccomp/seccomp
sbox run: /usr/lib/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp 
Dropping all capabilities
Drop privileges: pid 5, uid 1000, gid 1000, nogroups 1
No supplementary groups
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 35 01 00 40000000   jge X32_ABI 0006 (false 0005)
 0005: 35 01 00 00000000   jge read 0007 (false 0006)
 0006: 06 00 00 00050001   ret ERRNO(1)
 0007: 15 00 01 0000009f   jeq adjtimex 0008 (false 0009)
 0008: 06 00 00 00000001   ret KILL
 0009: 15 00 01 00000131   jeq clock_adjtime 000a (false 000b)
 000a: 06 00 00 00000001   ret KILL
 000b: 15 00 01 000000e3   jeq clock_settime 000c (false 000d)
 000c: 06 00 00 00000001   ret KILL
 000d: 15 00 01 000000a4   jeq settimeofday 000e (false 000f)
 000e: 06 00 00 00000001   ret KILL
 000f: 15 00 01 0000009a   jeq modify_ldt 0010 (false 0011)
 0010: 06 00 00 00000001   ret KILL
 0011: 15 00 01 000000d4   jeq lookup_dcookie 0012 (false 0013)
 0012: 06 00 00 00000001   ret KILL
 0013: 15 00 01 0000012a   jeq perf_event_open 0014 (false 0015)
 0014: 06 00 00 00000001   ret KILL
 0015: 15 00 01 00000137   jeq process_vm_writev 0016 (false 0017)
 0016: 06 00 00 00000001   ret KILL
 0017: 15 00 01 000000b0   jeq delete_module 0018 (false 0019)
 0018: 06 00 00 00000001   ret KILL
 0019: 15 00 01 00000139   jeq finit_module 001a (false 001b)
 001a: 06 00 00 00000001   ret KILL
 001b: 15 00 01 000000af   jeq init_module 001c (false 001d)
 001c: 06 00 00 00000001   ret KILL
 001d: 15 00 01 000000a1   jeq chroot 001e (false 001f)
 001e: 06 00 00 00000001   ret KILL
 001f: 15 00 01 000000a5   jeq mount 0020 (false 0021)
 0020: 06 00 00 00000001   ret KILL
 0021: 15 00 01 0000009b   jeq pivot_root 0022 (false 0023)
 0022: 06 00 00 00000001   ret KILL
 0023: 15 00 01 000000a6   jeq umount2 0024 (false 0025)
 0024: 06 00 00 00000001   ret KILL
 0025: 15 00 01 0000009c   jeq _sysctl 0026 (false 0027)
 0026: 06 00 00 00000001   ret KILL
 0027: 15 00 01 000000b7   jeq afs_syscall 0028 (false 0029)
 0028: 06 00 00 00000001   ret KILL
 0029: 15 00 01 000000ae   jeq create_module 002a (false 002b)
 002a: 06 00 00 00000001   ret KILL
 002b: 15 00 01 000000b1   jeq get_kernel_syms 002c (false 002d)
 002c: 06 00 00 00000001   ret KILL
 002d: 15 00 01 000000b5   jeq getpmsg 002e (false 002f)
 002e: 06 00 00 00000001   ret KILL
 002f: 15 00 01 000000b6   jeq putpmsg 0030 (false 0031)
 0030: 06 00 00 00000001   ret KILL
 0031: 15 00 01 000000b2   jeq query_module 0032 (false 0033)
 0032: 06 00 00 00000001   ret KILL
 0033: 15 00 01 000000b9   jeq security 0034 (false 0035)
 0034: 06 00 00 00000001   ret KILL
 0035: 15 00 01 0000008b   jeq sysfs 0036 (false 0037)
 0036: 06 00 00 00000001   ret KILL
 0037: 15 00 01 000000b8   jeq tuxcall 0038 (false 0039)
 0038: 06 00 00 00000001   ret KILL
 0039: 15 00 01 00000086   jeq uselib 003a (false 003b)
 003a: 06 00 00 00000001   ret KILL
 003b: 15 00 01 00000088   jeq ustat 003c (false 003d)
 003c: 06 00 00 00000001   ret KILL
 003d: 15 00 01 000000ec   jeq vserver 003e (false 003f)
 003e: 06 00 00 00000001   ret KILL
 003f: 15 00 01 000000ad   jeq ioperm 0040 (false 0041)
 0040: 06 00 00 00000001   ret KILL
 0041: 15 00 01 000000ac   jeq iopl 0042 (false 0043)
 0042: 06 00 00 00000001   ret KILL
 0043: 15 00 01 000000f6   jeq kexec_load 0044 (false 0045)
 0044: 06 00 00 00000001   ret KILL
 0045: 15 00 01 00000140   jeq kexec_file_load 0046 (false 0047)
 0046: 06 00 00 00000001   ret KILL
 0047: 15 00 01 000000a9   jeq reboot 0048 (false 0049)
 0048: 06 00 00 00000001   ret KILL
 0049: 15 00 01 000000a7   jeq swapon 004a (false 004b)
 004a: 06 00 00 00000001   ret KILL
 004b: 15 00 01 000000a8   jeq swapoff 004c (false 004d)
 004c: 06 00 00 00000001   ret KILL
 004d: 15 00 01 00000130   jeq open_by_handle_at 004e (false 004f)
 004e: 06 00 00 00000001   ret KILL
 004f: 15 00 01 0000012f   jeq name_to_handle_at 0050 (false 0051)
 0050: 06 00 00 00000001   ret KILL
 0051: 15 00 01 000000fb   jeq ioprio_set 0052 (false 0053)
 0052: 06 00 00 00000001   ret KILL
 0053: 15 00 01 00000067   jeq syslog 0054 (false 0055)
 0054: 06 00 00 00000001   ret KILL
 0055: 15 00 01 0000012c   jeq fanotify_init 0056 (false 0057)
 0056: 06 00 00 00000001   ret KILL
 0057: 15 00 01 00000138   jeq kcmp 0058 (false 0059)
 0058: 06 00 00 00000001   ret KILL
 0059: 15 00 01 000000f8   jeq add_key 005a (false 005b)
 005a: 06 00 00 00000001   ret KILL
 005b: 15 00 01 000000f9   jeq request_key 005c (false 005d)
 005c: 06 00 00 00000001   ret KILL
 005d: 15 00 01 000000ed   jeq mbind 005e (false 005f)
 005e: 06 00 00 00000001   ret KILL
 005f: 15 00 01 00000100   jeq migrate_pages 0060 (false 0061)
 0060: 06 00 00 00000001   ret KILL
 0061: 15 00 01 00000117   jeq move_pages 0062 (false 0063)
 0062: 06 00 00 00000001   ret KILL
 0063: 15 00 01 000000fa   jeq keyctl 0064 (false 0065)
 0064: 06 00 00 00000001   ret KILL
 0065: 15 00 01 000000ce   jeq io_setup 0066 (false 0067)
 0066: 06 00 00 00000001   ret KILL
 0067: 15 00 01 000000cf   jeq io_destroy 0068 (false 0069)
 0068: 06 00 00 00000001   ret KILL
 0069: 15 00 01 000000d0   jeq io_getevents 006a (false 006b)
 006a: 06 00 00 00000001   ret KILL
 006b: 15 00 01 000000d1   jeq io_submit 006c (false 006d)
 006c: 06 00 00 00000001   ret KILL
 006d: 15 00 01 000000d2   jeq io_cancel 006e (false 006f)
 006e: 06 00 00 00000001   ret KILL
 006f: 15 00 01 000000d8   jeq remap_file_pages 0070 (false 0071)
 0070: 06 00 00 00000001   ret KILL
 0071: 15 00 01 00000143   jeq userfaultfd 0072 (false 0073)
 0072: 06 00 00 00000001   ret KILL
 0073: 15 00 01 000000a3   jeq acct 0074 (false 0075)
 0074: 06 00 00 00000001   ret KILL
 0075: 15 00 01 00000141   jeq bpf 0076 (false 0077)
 0076: 06 00 00 00000001   ret KILL
 0077: 15 00 01 000000b4   jeq nfsservctl 0078 (false 0079)
 0078: 06 00 00 00000001   ret KILL
 0079: 15 00 01 000000ab   jeq setdomainname 007a (false 007b)
 007a: 06 00 00 00000001   ret KILL
 007b: 15 00 01 000000aa   jeq sethostname 007c (false 007d)
 007c: 06 00 00 00000001   ret KILL
 007d: 15 00 01 00000099   jeq vhangup 007e (false 007f)
 007e: 06 00 00 00000001   ret KILL
 007f: 15 00 01 00000065   jeq ptrace 0080 (false 0081)
 0080: 06 00 00 00000001   ret KILL
 0081: 15 00 01 00000087   jeq personality 0082 (false 0083)
 0082: 06 00 00 00000001   ret KILL
 0083: 15 00 01 00000136   jeq process_vm_readv 0084 (false 0085)
 0084: 06 00 00 00000001   ret KILL
 0085: 06 00 00 7fff0000   ret ALLOW
seccomp filter configured
Mounting read-only /run/firejail/mnt/seccomp
978 531 0:55 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755,inode64
mountid=978 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs
Seccomp directory:
ls /run/firejail/mnt/seccomp
drwxr-xr-x root     root             160 .
drwxr-xr-x root     root             260 ..
-rw-r--r-- chr1s    chr1s           1072 seccomp
-rw-r--r-- chr1s    chr1s            808 seccomp.32
-rw-r--r-- chr1s    chr1s            114 seccomp.list
-rw-r--r-- chr1s    chr1s              0 seccomp.postexec
-rw-r--r-- chr1s    chr1s              0 seccomp.postexec32
-rw-r--r-- chr1s    chr1s            160 seccomp.protocol
Active seccomp files:
cat /run/firejail/mnt/seccomp/seccomp.list
/run/firejail/mnt/seccomp/seccomp.protocol
/run/firejail/mnt/seccomp/seccomp.32
/run/firejail/mnt/seccomp/seccomp
Dropping all capabilities
noroot user namespace installed
Dropping all capabilities
NO_NEW_PRIVS set
Drop privileges: pid 1, uid 1000, gid 1000, nogroups 0
Warning: cleaning all supplementary groups
Starting application
LD_PRELOAD=(null)
Running './SRBMiner-MULTI' '--algorithm' 'autolykos2' '--pool' 'stratum+ssl://ergo.herominers.com:10250' '--wallet' 'wallet' '--password' '' '--cpu-threads' '-1' '--log-file' 'log-ergo.txt' '--extended-log'  command through /bin/bash
execvp argument 0: /bin/bash
execvp argument 1: -c
execvp argument 2: './SRBMiner-MULTI' '--algorithm' 'autolykos2' '--pool' 'stratum+ssl://ergo.herominers.com:10250' '--wallet' 'wallet' '--password' '' '--cpu-threads' '-1' '--log-file' 'log-ergo.txt' '--extended-log' 
Child process initialized in 32.38 ms
Installing /run/firejail/mnt/seccomp/seccomp seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter
monitoring pid 6

Detecting OpenCL devices...

CPU0 : AMD Ryzen 5 3600 6-Core Processor [L3:  32768 KB][L2:  3072 KB][L1:  192 KB][PU:  12]
GPU0 : radeon_rx_570_series                  [ellesmere    ][MEM:  4090 MB][CU: 32][BUS: 25]

======================================================================
SRBMiner-MULTI 0.7.5

Press 's' to display stats
Press 'h' to display hashrate
Press 'p' to switch to the next pool
Press 'o' to switch to the previous pool
Press 0-9 to disable/enable GPU 0-9, shift+0-9 for GPU 10-19
======================================================================

Algorithm/s         : autolykos2 [2.00% fee]
Gpu mining          : enabled
Cpu mining          : enabled
Gpu tweaking        : disabled
Gpu watchdog        : enabled
Huge-pages          : enabled
HW-Aes              : available

[2021-06-03 21:09:59] Please run miner as administrator/root to enable GPU tweaking
[2021-06-03 21:09:59] Run miner with root privileges to increase CPU hashrate
[2021-06-03 21:09:59] If you experience crashes on 'autolykos2' algorithm, try using 1 thread per GPU ( --gpu-intensity 0 )
[2021-06-03 21:10:02] Internet not found! Please insert internet into miner - check your firewall
Sandbox monitor: waitpid 6 retval 6 status 0

Parent is shutting down, bye...
Originally created by @christianskou07 on GitHub (Jun 3, 2021). Original GitHub issue: https://github.com/netblue30/firejail/issues/4331 **Bug and expected behavior** Running SRBMiner with firejail using the default profile blocks internet access causing the miner not to work properly (crashing upon startup). However, for a period of time it was working without any issues. I have narrowed it down to whether or not the line `blacklist ${HOME}/.netrc` in `/etc/firejail/disable-common.inc` is commented out or not makes the difference. SRBMiner 0.7.5 and 0.7.6. - What did you expect to happen? To have internet access and work as usual. Although I know this could make me look rather naive. **No profile and disabling firejail** - What changed calling `firejail --noprofile /path/to/program` in a terminal? Works as expected. **Reproduce** Steps to reproduce the behavior: Setup SRBMiner using `--setup`, thereafter run the generated start script with firejail. **Environment** - Linux distribution and version (ie output of `lsb_release -a`, `screenfetch` or `cat /etc/os-release`) ``` NAME="Manjaro Linux" ID=manjaro ID_LIKE=arch BUILD_ID=rolling PRETTY_NAME="Manjaro Linux" ANSI_COLOR="32;1;24;144;200" HOME_URL="https://manjaro.org/" DOCUMENTATION_URL="https://wiki.manjaro.org/" SUPPORT_URL="https://manjaro.org/" BUG_REPORT_URL="https://bugs.manjaro.org/" LOGO=manjarolinux ``` - Firejail version (output of `firejail --version`) exclusive or used git commit (`git rev-parse HEAD`) ``` firejail version 0.9.64.4 ``` **Checklist** - [?] The profile (and redirect profile if exists) hasn't already been fixed [upstream](https://github.com/netblue30/firejail/tree/master/etc). - [?] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`) - [x] I have performed a short search for similar issues (to avoid opening a duplicate). - [?] If it is a AppImage, `--profile=PROFILENAME` is used to set the right profile. - [?] Used `LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 PROGRAM` to get english error-messages. - [?] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers. - [x] This is not a question. Questions should be asked in https://github.com/netblue30/firejail/discussions. <details><summary> debug output </summary> It should be noted that a rather large part of `/etc/firejail/disable-common.inc` is commented out when reading the output below. ``` Autoselecting /bin/bash as shell Building quoted command line: './SRBMiner-MULTI' '--algorithm' 'autolykos2' '--pool' 'stratum+ssl://ergo.herominers.com:10250' '--wallet' 'wallet' '--password' '' '--cpu-threads' '-1' '--log-file' 'log-ergo.txt' '--extended-log' Command name #SRBMiner-MULTI# Attempting to find default.profile... Found default.profile profile in /etc/firejail directory Reading profile /etc/firejail/default.profile Found disable-common.inc profile in /etc/firejail directory Reading profile /etc/firejail/disable-common.inc Found disable-passwdmgr.inc profile in /etc/firejail directory Reading profile /etc/firejail/disable-passwdmgr.inc Found disable-programs.inc profile in /etc/firejail directory Reading profile /etc/firejail/disable-programs.inc ** Note: you can use --noprofile to disable default.profile ** DISPLAY=:0.0 parsed as 0 Using the local network stack Parent pid 3030, child pid 3031 Initializing child process Host network configured PID namespace installed Mounting tmpfs on /run/firejail/mnt directory Creating empty /run/firejail/mnt/seccomp directory Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file Build protocol filter: unix,inet,inet6 sbox run: /run/firejail/lib/fseccomp protocol build unix,inet,inet6 /run/firejail/mnt/seccomp/seccomp.protocol Dropping all capabilities Drop privileges: pid 2, uid 1000, gid 1000, nogroups 1 No supplementary groups Mounting /proc filesystem representing the PID namespace Basic read-only filesystem: Mounting read-only /etc 534 493 8:7 /etc /etc ro,noatime master:1 - ext4 /dev/sda7 rw mountid=534 fsname=/etc dir=/etc fstype=ext4 Mounting noexec /etc 535 534 8:7 /etc /etc ro,nosuid,nodev,noexec,noatime master:1 - ext4 /dev/sda7 rw mountid=535 fsname=/etc dir=/etc fstype=ext4 Mounting read-only /var 536 493 8:7 /var /var ro,noatime master:1 - ext4 /dev/sda7 rw mountid=536 fsname=/var dir=/var fstype=ext4 Mounting noexec /var 537 536 8:7 /var /var ro,nosuid,nodev,noexec,noatime master:1 - ext4 /dev/sda7 rw mountid=537 fsname=/var dir=/var fstype=ext4 Mounting read-only /usr 538 493 8:7 /usr /usr ro,noatime master:1 - ext4 /dev/sda7 rw mountid=538 fsname=/usr dir=/usr fstype=ext4 Mounting tmpfs on /var/lock Mounting tmpfs on /var/tmp Mounting tmpfs on /var/log Create the new utmp file Mount the new utmp file Cleaning /home directory Cleaning /run/user directory Sanitizing /etc/passwd, UID_MIN 1000 Sanitizing /etc/group, GID_MIN 1000 Disable /run/firejail/network Disable /run/firejail/bandwidth Disable /run/firejail/name Disable /run/firejail/profile Disable /run/firejail/x11 Disable /run/firejail/appimage blacklist /run/firejail/dbus Mounting read-only /proc/sys Remounting /sys directory Disable /sys/firmware Disable /sys/hypervisor Disable /sys/power Disable /sys/kernel/debug Disable /sys/kernel/vmcoreinfo Disable /proc/sys/fs/binfmt_misc Disable /proc/sys/kernel/core_pattern Disable /proc/sys/kernel/modprobe Disable /proc/sysrq-trigger Disable /proc/sys/vm/panic_on_oom Disable /proc/irq Disable /proc/bus Disable /proc/sched_debug Disable /proc/timer_list Disable /proc/kcore Disable /proc/kallsyms Disable /usr/lib/modules (requested /lib/modules) Disable /boot Disable /dev/port Disable /run/user/1000/gnupg Disable /run/user/1000/systemd Disable /dev/kmsg Disable /proc/kmsg Disable /home/chr1s/.gnupg Disable /home/chr1s/.local/share/keyrings Disable /home/chr1s/.netrc Disable /home/chr1s/.pki Disable /home/chr1s/.ssh Disable /etc/group- Disable /etc/gshadow Disable /etc/gshadow- Disable /etc/passwd- Disable /etc/shadow Disable /etc/shadow- Disable /etc/ssh Disable /home/chr1s/Arduino Disable /home/chr1s/.android Disable /home/chr1s/.arduino15 Disable /home/chr1s/.config/BraveSoftware Disable /home/chr1s/.config/Code - OSS Disable /home/chr1s/.config/GIMP Disable /home/chr1s/.config/Mousepad Disable /home/chr1s/.config/Thunar Disable /home/chr1s/.config/catfish Disable /home/chr1s/.config/chromium Disable /home/chr1s/.config/discord Disable /home/chr1s/.config/falkon Disable /home/chr1s/.config/galculator Disable /home/chr1s/.config/google-chrome Disable /home/chr1s/.config/libreoffice Disable /home/chr1s/.local/share/man Disable /home/chr1s/.config/mpv Disable /home/chr1s/.config/pavucontrol.ini Disable /home/chr1s/.config/Pinta Disable /home/chr1s/.config/qpdfview Disable /home/chr1s/.config/spotify Disable /home/chr1s/.config/torbrowser Disable /home/chr1s/.config/viewnior Disable /home/chr1s/.config/vlc Disable /home/chr1s/.config/wireshark Disable /home/chr1s/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml Disable /home/chr1s/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml Disable /home/chr1s/.config/youtube-dl Disable /home/chr1s/.gitconfig Disable /home/chr1s/.java Disable /home/chr1s/.local/share/JetBrains Disable /home/chr1s/.local/share/qpdfview Disable /home/chr1s/.local/share/torbrowser Disable /home/chr1s/.local/share/vlc Disable /home/chr1s/.mozilla Disable /home/chr1s/.nanorc Disable /home/chr1s/.nv Disable /home/chr1s/.pylint.d Disable /home/chr1s/.thunderbird Disable /home/chr1s/.vscode-oss Disable /home/chr1s/.wget-hsts Disable /home/chr1s/.xournalpp Disable /tmp/ssh-XXXXXXx0uZFd Disable /home/chr1s/.cache/babl Disable /home/chr1s/.cache/chromium Disable /home/chr1s/.cache/gegl-0.4 Disable /home/chr1s/.cache/gimp Disable /home/chr1s/.cache/mozilla Disable /home/chr1s/.cache/pip Disable /home/chr1s/.cache/spotify Disable /home/chr1s/.cache/thunderbird Disable /home/chr1s/.cache/torbrowser Disable /sys/fs Disable /sys/module Mounting noexec /run/firejail/mnt/pulse 975 531 0:55 /pulse /run/firejail/mnt/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755,inode64 mountid=975 fsname=/pulse dir=/run/firejail/mnt/pulse fstype=tmpfs Mounting /run/firejail/mnt/pulse on /home/chr1s/.config/pulse 976 545 0:55 /pulse /home/chr1s/.config/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755,inode64 mountid=976 fsname=/pulse dir=/home/chr1s/.config/pulse fstype=tmpfs Current directory: /home/chr1s/Documents/miners/SRBMiner-Multi-0-7-5 DISPLAY=:0.0 parsed as 0 Install protocol filter: unix,inet,inet6 configuring 20 seccomp entries in /run/firejail/mnt/seccomp/seccomp.protocol sbox run: /usr/lib/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.protocol Dropping all capabilities Drop privileges: pid 3, uid 1000, gid 1000, nogroups 1 No supplementary groups line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 04 00 c000003e jeq ARCH_64 0006 (false 0002) 0002: 20 00 00 00000000 ld data.syscall-number 0003: 15 01 00 00000167 jeq unknown 0005 (false 0004) 0004: 06 00 00 7fff0000 ret ALLOW 0005: 05 00 00 00000006 jmp 000c 0006: 20 00 00 00000004 ld data.architecture 0007: 15 01 00 c000003e jeq ARCH_64 0009 (false 0008) 0008: 06 00 00 7fff0000 ret ALLOW 0009: 20 00 00 00000000 ld data.syscall-number 000a: 15 01 00 00000029 jeq socket 000c (false 000b) 000b: 06 00 00 7fff0000 ret ALLOW 000c: 20 00 00 00000010 ld data.args[0] 000d: 15 00 01 00000001 jeq 1 000e (false 000f) 000e: 06 00 00 7fff0000 ret ALLOW 000f: 15 00 01 00000002 jeq 2 0010 (false 0011) 0010: 06 00 00 7fff0000 ret ALLOW 0011: 15 00 01 0000000a jeq a 0012 (false 0013) 0012: 06 00 00 7fff0000 ret ALLOW 0013: 06 00 00 0005005f ret ERRNO(95) configuring 101 seccomp entries in /run/firejail/mnt/seccomp/seccomp.32 sbox run: /usr/lib/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.32 Dropping all capabilities Drop privileges: pid 4, uid 1000, gid 1000, nogroups 1 No supplementary groups line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 01 00 40000003 jeq ARCH_32 0003 (false 0002) 0002: 06 00 00 7fff0000 ret ALLOW 0003: 20 00 00 00000000 ld data.syscall-number 0004: 15 00 01 00000015 jeq 15 0005 (false 0006) 0005: 06 00 00 00000001 ret KILL 0006: 15 00 01 00000034 jeq 34 0007 (false 0008) 0007: 06 00 00 00000001 ret KILL 0008: 15 00 01 0000001a jeq 1a 0009 (false 000a) 0009: 06 00 00 00000001 ret KILL 000a: 15 00 01 0000011b jeq 11b 000b (false 000c) 000b: 06 00 00 00000001 ret KILL 000c: 15 00 01 00000155 jeq 155 000d (false 000e) 000d: 06 00 00 00000001 ret KILL 000e: 15 00 01 00000156 jeq 156 000f (false 0010) 000f: 06 00 00 00000001 ret KILL 0010: 15 00 01 0000007f jeq 7f 0011 (false 0012) 0011: 06 00 00 00000001 ret KILL 0012: 15 00 01 00000080 jeq 80 0013 (false 0014) 0013: 06 00 00 00000001 ret KILL 0014: 15 00 01 0000015e jeq 15e 0015 (false 0016) 0015: 06 00 00 00000001 ret KILL 0016: 15 00 01 00000081 jeq 81 0017 (false 0018) 0017: 06 00 00 00000001 ret KILL 0018: 15 00 01 0000006e jeq 6e 0019 (false 001a) 0019: 06 00 00 00000001 ret KILL 001a: 15 00 01 00000065 jeq 65 001b (false 001c) 001b: 06 00 00 00000001 ret KILL 001c: 15 00 01 00000121 jeq 121 001d (false 001e) 001d: 06 00 00 00000001 ret KILL 001e: 15 00 01 00000057 jeq 57 001f (false 0020) 001f: 06 00 00 00000001 ret KILL 0020: 15 00 01 00000073 jeq 73 0021 (false 0022) 0021: 06 00 00 00000001 ret KILL 0022: 15 00 01 00000067 jeq 67 0023 (false 0024) 0023: 06 00 00 00000001 ret KILL 0024: 15 00 01 0000015b jeq 15b 0025 (false 0026) 0025: 06 00 00 00000001 ret KILL 0026: 15 00 01 0000015c jeq 15c 0027 (false 0028) 0027: 06 00 00 00000001 ret KILL 0028: 15 00 01 00000087 jeq 87 0029 (false 002a) 0029: 06 00 00 00000001 ret KILL 002a: 15 00 01 00000095 jeq 95 002b (false 002c) 002b: 06 00 00 00000001 ret KILL 002c: 15 00 01 0000007c jeq 7c 002d (false 002e) 002d: 06 00 00 00000001 ret KILL 002e: 15 00 01 00000157 jeq 157 002f (false 0030) 002f: 06 00 00 00000001 ret KILL 0030: 15 00 01 000000fd jeq fd 0031 (false 0032) 0031: 06 00 00 00000001 ret KILL 0032: 15 00 01 00000150 jeq 150 0033 (false 0034) 0033: 06 00 00 00000001 ret KILL 0034: 15 00 01 00000152 jeq 152 0035 (false 0036) 0035: 06 00 00 00000001 ret KILL 0036: 15 00 01 0000015d jeq 15d 0037 (false 0038) 0037: 06 00 00 00000001 ret KILL 0038: 15 00 01 0000011e jeq 11e 0039 (false 003a) 0039: 06 00 00 00000001 ret KILL 003a: 15 00 01 0000011f jeq 11f 003b (false 003c) 003b: 06 00 00 00000001 ret KILL 003c: 15 00 01 00000120 jeq 120 003d (false 003e) 003d: 06 00 00 00000001 ret KILL 003e: 15 00 01 00000056 jeq 56 003f (false 0040) 003f: 06 00 00 00000001 ret KILL 0040: 15 00 01 00000033 jeq 33 0041 (false 0042) 0041: 06 00 00 00000001 ret KILL 0042: 15 00 01 0000007b jeq 7b 0043 (false 0044) 0043: 06 00 00 00000001 ret KILL 0044: 15 00 01 000000d9 jeq d9 0045 (false 0046) 0045: 06 00 00 00000001 ret KILL 0046: 15 00 01 000000f5 jeq f5 0047 (false 0048) 0047: 06 00 00 00000001 ret KILL 0048: 15 00 01 000000f6 jeq f6 0049 (false 004a) 0049: 06 00 00 00000001 ret KILL 004a: 15 00 01 000000f7 jeq f7 004b (false 004c) 004b: 06 00 00 00000001 ret KILL 004c: 15 00 01 000000f8 jeq f8 004d (false 004e) 004d: 06 00 00 00000001 ret KILL 004e: 15 00 01 000000f9 jeq f9 004f (false 0050) 004f: 06 00 00 00000001 ret KILL 0050: 15 00 01 00000101 jeq 101 0051 (false 0052) 0051: 06 00 00 00000001 ret KILL 0052: 15 00 01 00000112 jeq 112 0053 (false 0054) 0053: 06 00 00 00000001 ret KILL 0054: 15 00 01 00000114 jeq 114 0055 (false 0056) 0055: 06 00 00 00000001 ret KILL 0056: 15 00 01 00000126 jeq 126 0057 (false 0058) 0057: 06 00 00 00000001 ret KILL 0058: 15 00 01 0000013d jeq 13d 0059 (false 005a) 0059: 06 00 00 00000001 ret KILL 005a: 15 00 01 0000013c jeq 13c 005b (false 005c) 005b: 06 00 00 00000001 ret KILL 005c: 15 00 01 0000003d jeq 3d 005d (false 005e) 005d: 06 00 00 00000001 ret KILL 005e: 15 00 01 00000058 jeq 58 005f (false 0060) 005f: 06 00 00 00000001 ret KILL 0060: 15 00 01 000000a9 jeq a9 0061 (false 0062) 0061: 06 00 00 00000001 ret KILL 0062: 15 00 01 00000082 jeq 82 0063 (false 0064) 0063: 06 00 00 00000001 ret KILL 0064: 06 00 00 7fff0000 ret ALLOW Dual 32/64 bit seccomp filter configured configuring 134 seccomp entries in /run/firejail/mnt/seccomp/seccomp sbox run: /usr/lib/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp Dropping all capabilities Drop privileges: pid 5, uid 1000, gid 1000, nogroups 1 No supplementary groups line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 01 00 c000003e jeq ARCH_64 0003 (false 0002) 0002: 06 00 00 7fff0000 ret ALLOW 0003: 20 00 00 00000000 ld data.syscall-number 0004: 35 01 00 40000000 jge X32_ABI 0006 (false 0005) 0005: 35 01 00 00000000 jge read 0007 (false 0006) 0006: 06 00 00 00050001 ret ERRNO(1) 0007: 15 00 01 0000009f jeq adjtimex 0008 (false 0009) 0008: 06 00 00 00000001 ret KILL 0009: 15 00 01 00000131 jeq clock_adjtime 000a (false 000b) 000a: 06 00 00 00000001 ret KILL 000b: 15 00 01 000000e3 jeq clock_settime 000c (false 000d) 000c: 06 00 00 00000001 ret KILL 000d: 15 00 01 000000a4 jeq settimeofday 000e (false 000f) 000e: 06 00 00 00000001 ret KILL 000f: 15 00 01 0000009a jeq modify_ldt 0010 (false 0011) 0010: 06 00 00 00000001 ret KILL 0011: 15 00 01 000000d4 jeq lookup_dcookie 0012 (false 0013) 0012: 06 00 00 00000001 ret KILL 0013: 15 00 01 0000012a jeq perf_event_open 0014 (false 0015) 0014: 06 00 00 00000001 ret KILL 0015: 15 00 01 00000137 jeq process_vm_writev 0016 (false 0017) 0016: 06 00 00 00000001 ret KILL 0017: 15 00 01 000000b0 jeq delete_module 0018 (false 0019) 0018: 06 00 00 00000001 ret KILL 0019: 15 00 01 00000139 jeq finit_module 001a (false 001b) 001a: 06 00 00 00000001 ret KILL 001b: 15 00 01 000000af jeq init_module 001c (false 001d) 001c: 06 00 00 00000001 ret KILL 001d: 15 00 01 000000a1 jeq chroot 001e (false 001f) 001e: 06 00 00 00000001 ret KILL 001f: 15 00 01 000000a5 jeq mount 0020 (false 0021) 0020: 06 00 00 00000001 ret KILL 0021: 15 00 01 0000009b jeq pivot_root 0022 (false 0023) 0022: 06 00 00 00000001 ret KILL 0023: 15 00 01 000000a6 jeq umount2 0024 (false 0025) 0024: 06 00 00 00000001 ret KILL 0025: 15 00 01 0000009c jeq _sysctl 0026 (false 0027) 0026: 06 00 00 00000001 ret KILL 0027: 15 00 01 000000b7 jeq afs_syscall 0028 (false 0029) 0028: 06 00 00 00000001 ret KILL 0029: 15 00 01 000000ae jeq create_module 002a (false 002b) 002a: 06 00 00 00000001 ret KILL 002b: 15 00 01 000000b1 jeq get_kernel_syms 002c (false 002d) 002c: 06 00 00 00000001 ret KILL 002d: 15 00 01 000000b5 jeq getpmsg 002e (false 002f) 002e: 06 00 00 00000001 ret KILL 002f: 15 00 01 000000b6 jeq putpmsg 0030 (false 0031) 0030: 06 00 00 00000001 ret KILL 0031: 15 00 01 000000b2 jeq query_module 0032 (false 0033) 0032: 06 00 00 00000001 ret KILL 0033: 15 00 01 000000b9 jeq security 0034 (false 0035) 0034: 06 00 00 00000001 ret KILL 0035: 15 00 01 0000008b jeq sysfs 0036 (false 0037) 0036: 06 00 00 00000001 ret KILL 0037: 15 00 01 000000b8 jeq tuxcall 0038 (false 0039) 0038: 06 00 00 00000001 ret KILL 0039: 15 00 01 00000086 jeq uselib 003a (false 003b) 003a: 06 00 00 00000001 ret KILL 003b: 15 00 01 00000088 jeq ustat 003c (false 003d) 003c: 06 00 00 00000001 ret KILL 003d: 15 00 01 000000ec jeq vserver 003e (false 003f) 003e: 06 00 00 00000001 ret KILL 003f: 15 00 01 000000ad jeq ioperm 0040 (false 0041) 0040: 06 00 00 00000001 ret KILL 0041: 15 00 01 000000ac jeq iopl 0042 (false 0043) 0042: 06 00 00 00000001 ret KILL 0043: 15 00 01 000000f6 jeq kexec_load 0044 (false 0045) 0044: 06 00 00 00000001 ret KILL 0045: 15 00 01 00000140 jeq kexec_file_load 0046 (false 0047) 0046: 06 00 00 00000001 ret KILL 0047: 15 00 01 000000a9 jeq reboot 0048 (false 0049) 0048: 06 00 00 00000001 ret KILL 0049: 15 00 01 000000a7 jeq swapon 004a (false 004b) 004a: 06 00 00 00000001 ret KILL 004b: 15 00 01 000000a8 jeq swapoff 004c (false 004d) 004c: 06 00 00 00000001 ret KILL 004d: 15 00 01 00000130 jeq open_by_handle_at 004e (false 004f) 004e: 06 00 00 00000001 ret KILL 004f: 15 00 01 0000012f jeq name_to_handle_at 0050 (false 0051) 0050: 06 00 00 00000001 ret KILL 0051: 15 00 01 000000fb jeq ioprio_set 0052 (false 0053) 0052: 06 00 00 00000001 ret KILL 0053: 15 00 01 00000067 jeq syslog 0054 (false 0055) 0054: 06 00 00 00000001 ret KILL 0055: 15 00 01 0000012c jeq fanotify_init 0056 (false 0057) 0056: 06 00 00 00000001 ret KILL 0057: 15 00 01 00000138 jeq kcmp 0058 (false 0059) 0058: 06 00 00 00000001 ret KILL 0059: 15 00 01 000000f8 jeq add_key 005a (false 005b) 005a: 06 00 00 00000001 ret KILL 005b: 15 00 01 000000f9 jeq request_key 005c (false 005d) 005c: 06 00 00 00000001 ret KILL 005d: 15 00 01 000000ed jeq mbind 005e (false 005f) 005e: 06 00 00 00000001 ret KILL 005f: 15 00 01 00000100 jeq migrate_pages 0060 (false 0061) 0060: 06 00 00 00000001 ret KILL 0061: 15 00 01 00000117 jeq move_pages 0062 (false 0063) 0062: 06 00 00 00000001 ret KILL 0063: 15 00 01 000000fa jeq keyctl 0064 (false 0065) 0064: 06 00 00 00000001 ret KILL 0065: 15 00 01 000000ce jeq io_setup 0066 (false 0067) 0066: 06 00 00 00000001 ret KILL 0067: 15 00 01 000000cf jeq io_destroy 0068 (false 0069) 0068: 06 00 00 00000001 ret KILL 0069: 15 00 01 000000d0 jeq io_getevents 006a (false 006b) 006a: 06 00 00 00000001 ret KILL 006b: 15 00 01 000000d1 jeq io_submit 006c (false 006d) 006c: 06 00 00 00000001 ret KILL 006d: 15 00 01 000000d2 jeq io_cancel 006e (false 006f) 006e: 06 00 00 00000001 ret KILL 006f: 15 00 01 000000d8 jeq remap_file_pages 0070 (false 0071) 0070: 06 00 00 00000001 ret KILL 0071: 15 00 01 00000143 jeq userfaultfd 0072 (false 0073) 0072: 06 00 00 00000001 ret KILL 0073: 15 00 01 000000a3 jeq acct 0074 (false 0075) 0074: 06 00 00 00000001 ret KILL 0075: 15 00 01 00000141 jeq bpf 0076 (false 0077) 0076: 06 00 00 00000001 ret KILL 0077: 15 00 01 000000b4 jeq nfsservctl 0078 (false 0079) 0078: 06 00 00 00000001 ret KILL 0079: 15 00 01 000000ab jeq setdomainname 007a (false 007b) 007a: 06 00 00 00000001 ret KILL 007b: 15 00 01 000000aa jeq sethostname 007c (false 007d) 007c: 06 00 00 00000001 ret KILL 007d: 15 00 01 00000099 jeq vhangup 007e (false 007f) 007e: 06 00 00 00000001 ret KILL 007f: 15 00 01 00000065 jeq ptrace 0080 (false 0081) 0080: 06 00 00 00000001 ret KILL 0081: 15 00 01 00000087 jeq personality 0082 (false 0083) 0082: 06 00 00 00000001 ret KILL 0083: 15 00 01 00000136 jeq process_vm_readv 0084 (false 0085) 0084: 06 00 00 00000001 ret KILL 0085: 06 00 00 7fff0000 ret ALLOW seccomp filter configured Mounting read-only /run/firejail/mnt/seccomp 978 531 0:55 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755,inode64 mountid=978 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs Seccomp directory: ls /run/firejail/mnt/seccomp drwxr-xr-x root root 160 . drwxr-xr-x root root 260 .. -rw-r--r-- chr1s chr1s 1072 seccomp -rw-r--r-- chr1s chr1s 808 seccomp.32 -rw-r--r-- chr1s chr1s 114 seccomp.list -rw-r--r-- chr1s chr1s 0 seccomp.postexec -rw-r--r-- chr1s chr1s 0 seccomp.postexec32 -rw-r--r-- chr1s chr1s 160 seccomp.protocol Active seccomp files: cat /run/firejail/mnt/seccomp/seccomp.list /run/firejail/mnt/seccomp/seccomp.protocol /run/firejail/mnt/seccomp/seccomp.32 /run/firejail/mnt/seccomp/seccomp Dropping all capabilities noroot user namespace installed Dropping all capabilities NO_NEW_PRIVS set Drop privileges: pid 1, uid 1000, gid 1000, nogroups 0 Warning: cleaning all supplementary groups Starting application LD_PRELOAD=(null) Running './SRBMiner-MULTI' '--algorithm' 'autolykos2' '--pool' 'stratum+ssl://ergo.herominers.com:10250' '--wallet' 'wallet' '--password' '' '--cpu-threads' '-1' '--log-file' 'log-ergo.txt' '--extended-log' command through /bin/bash execvp argument 0: /bin/bash execvp argument 1: -c execvp argument 2: './SRBMiner-MULTI' '--algorithm' 'autolykos2' '--pool' 'stratum+ssl://ergo.herominers.com:10250' '--wallet' 'wallet' '--password' '' '--cpu-threads' '-1' '--log-file' 'log-ergo.txt' '--extended-log' Child process initialized in 32.38 ms Installing /run/firejail/mnt/seccomp/seccomp seccomp filter Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter monitoring pid 6 Detecting OpenCL devices... CPU0 : AMD Ryzen 5 3600 6-Core Processor [L3: 32768 KB][L2: 3072 KB][L1: 192 KB][PU: 12] GPU0 : radeon_rx_570_series [ellesmere ][MEM: 4090 MB][CU: 32][BUS: 25] ====================================================================== SRBMiner-MULTI 0.7.5 Press 's' to display stats Press 'h' to display hashrate Press 'p' to switch to the next pool Press 'o' to switch to the previous pool Press 0-9 to disable/enable GPU 0-9, shift+0-9 for GPU 10-19 ====================================================================== Algorithm/s : autolykos2 [2.00% fee] Gpu mining : enabled Cpu mining : enabled Gpu tweaking : disabled Gpu watchdog : enabled Huge-pages : enabled HW-Aes : available [2021-06-03 21:09:59] Please run miner as administrator/root to enable GPU tweaking [2021-06-03 21:09:59] Run miner with root privileges to increase CPU hashrate [2021-06-03 21:09:59] If you experience crashes on 'autolykos2' algorithm, try using 1 thread per GPU ( --gpu-intensity 0 ) [2021-06-03 21:10:02] Internet not found! Please insert internet into miner - check your firewall Sandbox monitor: waitpid 6 retval 6 status 0 Parent is shutting down, bye... ``` </details>
gitea-mirror commented 2026-05-05 09:17:14 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jun 3, 2021):

SRBMiner doesn't have a profile yet. Request one in #1139 or write it yourself.

I have narrowed it down to whether or not the line blacklist ${HOME}/.netrc in /etc/firejail/disable-common.inc is commented out or not makes the difference.

Then add noblacklist ${HOME}/.netrc if you write a custom profile.

<!-- gh-comment-id:854116677 --> @rusty-snake commented on GitHub (Jun 3, 2021): SRBMiner doesn't have a profile yet. Request one in #1139 or write it yourself. > I have narrowed it down to whether or not the line `blacklist ${HOME}/.netrc` in `/etc/firejail/disable-common.inc` is commented out or not makes the difference. Then add `noblacklist ${HOME}/.netrc` if you write a custom profile.
gitea-mirror commented 2026-05-05 09:17:14 -06:00
Author
Owner
Copy link

@christianskou07 commented on GitHub (Jun 3, 2021):

SRBMiner doesn't have a profile yet. Request one in #1139 or write it yourself.

I have narrowed it down to whether or not the line blacklist ${HOME}/.netrc in /etc/firejail/disable-common.inc is commented out or not makes the difference.

Then add noblacklist ${HOME}/.netrc if you write a custom profile.

Wouldn't that introduce a security risk?

<!-- gh-comment-id:854124282 --> @christianskou07 commented on GitHub (Jun 3, 2021): > SRBMiner doesn't have a profile yet. Request one in #1139 or write it yourself. > > > I have narrowed it down to whether or not the line `blacklist ${HOME}/.netrc` in `/etc/firejail/disable-common.inc` is commented out or not makes the difference. > > Then add `noblacklist ${HOME}/.netrc` if you write a custom profile. Wouldn't that introduce a security risk?
gitea-mirror commented 2026-05-05 09:17:16 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jun 3, 2021):

What is a security risk for you? Every additional file that can be accessed is possible a theoretical security risk. On the other hand keep in mind that you run it without whitelist, dbus-{user,system} none, net none, private-tmp, … and that it does not work without access to it. Allowing firefox to use chroot is a security risk but firefox needs it. W^X violations are security risks, but a lot programs (mostly OpenGL/Vulkan and interpreters like python or perl) need W&X mem.

You can also make it read-only and FYI that the current list:

$ grep netrc /etc/firejail/*
/etc/firejail/aria2c.profile:noblacklist ${HOME}/.netrc
/etc/firejail/disable-common.inc:blacklist ${HOME}/.netrc
/etc/firejail/fetchmail.profile:noblacklist ${HOME}/.netrc
/etc/firejail/firefox-common-addons.profile:noblacklist ${HOME}/.netrc
/etc/firejail/firefox-common-addons.profile:whitelist ${HOME}/.netrc
/etc/firejail/mpsyt.profile:noblacklist ${HOME}/.netrc
/etc/firejail/mpsyt.profile:whitelist ${HOME}/.netrc
/etc/firejail/mpv.profile:noblacklist ${HOME}/.netrc
/etc/firejail/mpv.profile:mkfile ${HOME}/.netrc
/etc/firejail/mpv.profile:whitelist ${HOME}/.netrc
/etc/firejail/rtv-addons.profile:noblacklist ${HOME}/.netrc
/etc/firejail/rtv-addons.profile:whitelist ${HOME}/.netrc
/etc/firejail/wget.profile:noblacklist ${HOME}/.netrc
/etc/firejail/youtube-dl.profile:noblacklist ${HOME}/.netrc
<!-- gh-comment-id:854129935 --> @rusty-snake commented on GitHub (Jun 3, 2021): What is a security risk for you? Every additional file that can be accessed is possible a theoretical security risk. On the other hand keep in mind that you run it without `whitelist`, `dbus-{user,system} none`, `net none`, `private-tmp`, … and that it does not work without access to it. Allowing firefox to use `chroot` is a security risk but firefox needs it. W^X violations are security risks, but a lot programs (mostly OpenGL/Vulkan and interpreters like python or perl) need W&X mem. You can also make it `read-only` and FYI that the current list: ``` $ grep netrc /etc/firejail/* /etc/firejail/aria2c.profile:noblacklist ${HOME}/.netrc /etc/firejail/disable-common.inc:blacklist ${HOME}/.netrc /etc/firejail/fetchmail.profile:noblacklist ${HOME}/.netrc /etc/firejail/firefox-common-addons.profile:noblacklist ${HOME}/.netrc /etc/firejail/firefox-common-addons.profile:whitelist ${HOME}/.netrc /etc/firejail/mpsyt.profile:noblacklist ${HOME}/.netrc /etc/firejail/mpsyt.profile:whitelist ${HOME}/.netrc /etc/firejail/mpv.profile:noblacklist ${HOME}/.netrc /etc/firejail/mpv.profile:mkfile ${HOME}/.netrc /etc/firejail/mpv.profile:whitelist ${HOME}/.netrc /etc/firejail/rtv-addons.profile:noblacklist ${HOME}/.netrc /etc/firejail/rtv-addons.profile:whitelist ${HOME}/.netrc /etc/firejail/wget.profile:noblacklist ${HOME}/.netrc /etc/firejail/youtube-dl.profile:noblacklist ${HOME}/.netrc ```
gitea-mirror commented 2026-05-05 09:17:16 -06:00
Author
Owner
Copy link

@christianskou07 commented on GitHub (Jun 4, 2021):

Part of what you are saying is above my knowledge level, so excuse my ignorance.

As .netrc is a file which potentially could contain rather sensitive information, I consider it a security risk.

There should be no reason for SRBMiner to need any sort of access to ${HOME}/.netrc, and afaik it doesn't do so either, hence I find it odd that this is the line causing the whole issue.

The other thing is the fact that it has worked with no issues running SRBMiner with firejail, and suddenly out of the blue it doesn't.

<!-- gh-comment-id:854385443 --> @christianskou07 commented on GitHub (Jun 4, 2021): Part of what you are saying is above my knowledge level, so excuse my ignorance. As `.netrc` is a file which potentially could contain rather sensitive information, I consider it a security risk. There should be no reason for SRBMiner to need any sort of access to `${HOME}/.netrc`, and afaik it doesn't do so either, hence I find it odd that this is the line causing the whole issue. The other thing is the fact that it has worked with no issues running SRBMiner with firejail, and suddenly out of the blue it doesn't.
gitea-mirror commented 2026-05-05 09:17:17 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jun 4, 2021):

The other thing is the fact that it has worked with no issues running SRBMiner with firejail, and suddenly out of the blue it doesn't.

Was there an update of SRBMiner/firejail? What happens if you remove/rename ~/.netrc?

<!-- gh-comment-id:854474045 --> @rusty-snake commented on GitHub (Jun 4, 2021): > The other thing is the fact that it has worked with no issues running SRBMiner with firejail, and suddenly out of the blue it doesn't. Was there an update of SRBMiner/firejail? What happens if you remove/rename `~/.netrc`?
gitea-mirror commented 2026-05-05 09:17:17 -06:00
Author
Owner
Copy link

@christianskou07 commented on GitHub (Jun 4, 2021):

The other thing is the fact that it has worked with no issues running SRBMiner with firejail, and suddenly out of the blue it doesn't.

Was there an update of SRBMiner/firejail? What happens if you remove/rename ~/.netrc?

That was my first thought too, but no.

I have gotten it a little closer, however it is still unclear to me what has happened. Just to make it clear, I have no experience with ~/.netrc and I have never used it before (at least not what I know of).

However, it seems like an empty ~/.netrc was created yesterday, and if I remove it I'm allowed to run SRBMiner with firejail and its default profile.

When ~/.netrc is blacklisted and if ~/.netrc exists, then I can't run SRBMiner with firejail. If ~/.netrc doesn't exists and is still blacklisted, then I can run SRBMiner with firejail.

Not that I think it is relevant, however I feel the need to mention it as it was almost the second after I used the script inhere the error occurred: https://docs.nvidia.com/cuda/cuda-installation-guide-linux/index.html#runfile-verifications

<!-- gh-comment-id:854609374 --> @christianskou07 commented on GitHub (Jun 4, 2021): > > The other thing is the fact that it has worked with no issues running SRBMiner with firejail, and suddenly out of the blue it doesn't. > > Was there an update of SRBMiner/firejail? What happens if you remove/rename `~/.netrc`? That was my first thought too, but no. I have gotten it a little closer, however it is still unclear to me what has happened. Just to make it clear, I have no experience with `~/.netrc` and I have never used it before (at least not what I know of). However, it seems like an empty `~/.netrc` was created yesterday, and if I remove it I'm allowed to run SRBMiner with firejail and its default profile. When `~/.netrc` is blacklisted and if `~/.netrc` exists, then I can't run SRBMiner with firejail. If `~/.netrc` doesn't exists and is still blacklisted, then I can run SRBMiner with firejail. Not that I think it is relevant, however I feel the need to mention it as it was almost the second after I used the script inhere the error occurred: [https://docs.nvidia.com/cuda/cuda-installation-guide-linux/index.html#runfile-verifications](https://docs.nvidia.com/cuda/cuda-installation-guide-linux/index.html#runfile-verifications)
gitea-mirror commented 2026-05-05 09:17:18 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jun 4, 2021):

empty ~/.netrc

If it is empty there is no risk.

When ~/.netrc is blacklisted and if ~/.netrc exists, then I can't run SRBMiner with firejail.

Looks like a bug in SRBMiner. A program should not die if it gets EACCES.

If ~/.netrc doesn't exists and is still blacklisted, then I can run SRBMiner with firejail.

Well at least ENOENT is handled correctly by SRBMiner.

<!-- gh-comment-id:854613229 --> @rusty-snake commented on GitHub (Jun 4, 2021): > empty `~/.netrc` If it is empty there is no risk. > When `~/.netrc` is blacklisted and if `~/.netrc` exists, then I can't run SRBMiner with firejail. Looks like a bug in SRBMiner. A program should not die if it gets `EACCES`. > If `~/.netrc` doesn't exists and is still blacklisted, then I can run SRBMiner with firejail. Well at least `ENOENT` is handled correctly by SRBMiner.
gitea-mirror commented 2026-05-05 09:17:18 -06:00
Author
Owner
Copy link

@christianskou07 commented on GitHub (Jun 4, 2021):

empty ~/.netrc

If it is empty there is no risk.

When ~/.netrc is blacklisted and if ~/.netrc exists, then I can't run SRBMiner with firejail.

Looks like a bug in SRBMiner. A program should not die if it gets EACCES.

If ~/.netrc doesn't exists and is still blacklisted, then I can run SRBMiner with firejail.

Well at least ENOENT is handled correctly by SRBMiner.

Thank you for helping. Just to make sure you've seen it, I edited my comment after a little while including the link from nvidia.

Would you by any chance have a guess why an empty ~/.netrc would be created and why SRBMiner would like to access it?

<!-- gh-comment-id:854617206 --> @christianskou07 commented on GitHub (Jun 4, 2021): > > empty `~/.netrc` > > If it is empty there is no risk. > > > When `~/.netrc` is blacklisted and if `~/.netrc` exists, then I can't run SRBMiner with firejail. > > Looks like a bug in SRBMiner. A program should not die if it gets `EACCES`. > > > If `~/.netrc` doesn't exists and is still blacklisted, then I can run SRBMiner with firejail. > > Well at least `ENOENT` is handled correctly by SRBMiner. Thank you for helping. Just to make sure you've seen it, I edited my comment after a little while including the link from nvidia. Would you by any chance have a guess why an empty `~/.netrc` would be created and why SRBMiner would like to access it?
gitea-mirror commented 2026-05-05 09:17:18 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jun 4, 2021):

Would you by any chance have a guess why an empty ~/.netrc would be created

If you used any of this profiles grep -l -E "^mkfile \${HOME}\/\.netrc" /etc/firejail/* ~/.config/firejail/*, it was firejail. If not I've no idea.

why SRBMiner would like to access it

IDK how SRBMiner works and which libraries/externl programs it use. But it sound ok that it looks into netrc if it has any kind of support for it.

<!-- gh-comment-id:854634941 --> @rusty-snake commented on GitHub (Jun 4, 2021): > Would you by any chance have a guess why an empty ~/.netrc would be created If you used any of this profiles `grep -l -E "^mkfile \${HOME}\/\.netrc" /etc/firejail/* ~/.config/firejail/*`, it was firejail. If not I've no idea. > why SRBMiner would like to access it IDK how SRBMiner works and which libraries/externl programs it use. But it sound ok that it looks into netrc if it has any kind of support for it.
gitea-mirror commented 2026-05-05 09:17:19 -06:00
Author
Owner
Copy link

@christianskou07 commented on GitHub (Jun 4, 2021):

If you used any of this profiles grep -l -E "^mkfile \${HOME}\/\.netrc" /etc/firejail/* ~/.config/firejail/*, it was firejail. If not I've no idea.

All I get is grep: /home/chr1s/.config/firejail/*: No such file or directory.

IDK how SRBMiner works and which libraries/externl programs it use. But it sound ok that it looks into netrc if it has any kind of support for it.

Afaik I don't think it has any support for it, but that may be a subject to another discussion.

<!-- gh-comment-id:854709835 --> @christianskou07 commented on GitHub (Jun 4, 2021): > If you used any of this profiles `grep -l -E "^mkfile \${HOME}\/\.netrc" /etc/firejail/* ~/.config/firejail/*`, it was firejail. If not I've no idea. > All I get is `grep: /home/chr1s/.config/firejail/*: No such file or directory`. > IDK how SRBMiner works and which libraries/externl programs it use. But it sound ok that it looks into netrc if it has any kind of support for it. Afaik I don't think it has any support for it, but that may be a subject to another discussion.
gitea-mirror commented 2026-05-05 09:17:19 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jun 4, 2021):

All I get is grep: /home/chr1s/.config/firejail/*: No such file or directory.

Depends on nullglob behaviour. Anyway grep -l -E "^mkfile \${HOME}\/\.netrc" /etc/firejail/*.

<!-- gh-comment-id:854736011 --> @rusty-snake commented on GitHub (Jun 4, 2021): > All I get is grep: /home/chr1s/.config/firejail/*: No such file or directory. Depends on nullglob behaviour. Anyway `grep -l -E "^mkfile \${HOME}\/\.netrc" /etc/firejail/*`.
gitea-mirror commented 2026-05-05 09:17:20 -06:00
Author
Owner
Copy link

@christianskou07 commented on GitHub (Jun 4, 2021):

All I get is grep: /home/chr1s/.config/firejail/*: No such file or directory.

Depends on nullglob behaviour. Anyway grep -l -E "^mkfile \${HOME}\/\.netrc" /etc/firejail/*.

I tried that as well, but that gives me pure nothing...

<!-- gh-comment-id:854746588 --> @christianskou07 commented on GitHub (Jun 4, 2021): > > All I get is grep: /home/chr1s/.config/firejail/*: No such file or directory. > > Depends on nullglob behaviour. Anyway `grep -l -E "^mkfile \${HOME}\/\.netrc" /etc/firejail/*`. I tried that as well, but that gives me pure nothing...
gitea-mirror commented 2026-05-05 09:17:20 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jun 4, 2021):

Gotcha! $ need double escape grep -l -E "^mkfile \\\${HOME}\/\.netrc" /etc/firejail/*.

<!-- gh-comment-id:854753388 --> @rusty-snake commented on GitHub (Jun 4, 2021): Gotcha! `$` need double escape `grep -l -E "^mkfile \\\${HOME}\/\.netrc" /etc/firejail/*`.
gitea-mirror commented 2026-05-05 09:17:21 -06:00
Author
Owner
Copy link

@christianskou07 commented on GitHub (Jun 4, 2021):

Gotcha! $ need double escape grep -l -E "^mkfile \\\${HOME}\/\.netrc" /etc/firejail/*.

Yup, /etc/firejail/mpv.profile shows up, and if I recall I might have done something in the ballpark of firejail --noprofile --noblacklist=/sys/module mpv

<!-- gh-comment-id:854755849 --> @christianskou07 commented on GitHub (Jun 4, 2021): > Gotcha! `$` need double escape `grep -l -E "^mkfile \\\${HOME}\/\.netrc" /etc/firejail/*`. Yup, `/etc/firejail/mpv.profile` shows up, and if I recall I might have done something in the ballpark of `firejail --noprofile --noblacklist=/sys/module mpv`
gitea-mirror commented 2026-05-05 09:17:21 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jun 4, 2021):

Running it with --noprofile actually does not create ~/.netrc however one (accidental) call w/o --noprofile does.

You can also make it read-only ...

... , use whitelist or private.

<!-- gh-comment-id:854798935 --> @rusty-snake commented on GitHub (Jun 4, 2021): Running it with `--noprofile` actually does not create `~/.netrc` however one (accidental) call w/o `--noprofile` does. --- > You can also make it `read-only` ... ... , use `whitelist` or `private`.
gitea-mirror commented 2026-05-05 09:17:21 -06:00
Author
Owner
Copy link

@christianskou07 commented on GitHub (Jun 4, 2021):

Running it with --noprofile actually does not create ~/.netrc however one (accidental) call w/o --noprofile does.

You can also make it read-only ...

... , use whitelist or private.

I guess it makes more sense that I have tried to do it w/o --noprofile, as I knew it would work with.

As of right now, I have removed the ~/.netrc file and kept it blacklisted while using the default profile with no issues. Either I'll look into making a more tailored profile for both SRBMiner and NBMiner or hope someone else are interested in doing the same thing.

Nonetheless, you've been a great help. Thank you.

<!-- gh-comment-id:854811421 --> @christianskou07 commented on GitHub (Jun 4, 2021): > Running it with `--noprofile` actually does not create `~/.netrc` however one (accidental) call w/o `--noprofile` does. > > > You can also make it `read-only` ... > > ... , use `whitelist` or `private`. I guess it makes more sense that I have tried to do it w/o `--noprofile`, as I knew it would work with. As of right now, I have removed the `~/.netrc` file and kept it blacklisted while using the default profile with no issues. Either I'll look into making a more tailored profile for both SRBMiner and NBMiner or hope someone else are interested in doing the same thing. Nonetheless, you've been a great help. Thank you.
gitea-mirror commented 2026-05-05 09:17:22 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jun 4, 2021):

https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template
^ Just to make sure you're aware of the template.

<!-- gh-comment-id:854849204 --> @rusty-snake commented on GitHub (Jun 4, 2021): https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template ^ Just to make sure you're aware of the template.
gitea-mirror commented 2026-05-05 09:17:22 -06:00
Author
Owner
Copy link

@christianskou07 commented on GitHub (Jun 4, 2021):

https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template
^ Just to make sure you're aware of the template.

Noted! Thanks.

<!-- gh-comment-id:854906564 --> @christianskou07 commented on GitHub (Jun 4, 2021): > https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template > ^ Just to make sure you're aware of the template. Noted! Thanks.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2625
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?