[GH-ISSUE #4382] Error chown: fs_logger.c:117 fs_logger_change_owner: Read-only file system #2645

Closed
opened 2026-05-05 09:18:31 -06:00 by gitea-mirror · 5 comments

Originally created by @jonleivent on GitHub (Jul 3, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4382

One of my profiles that works in 0.9.58.2 fails with this error in 0.9.64.2:
Error chown: fs_logger.c:117 fs_logger_change_owner: Read-only file system
The profile (below) is for a forgetful firefox. Is there a workaround?

private
include firefox.profile
name jailed-firefox

private-tmp
mkdir /tmp/run
env XDG_RUNTIME_DIR=/tmp/run

blacklist ${PATH}/*ctl
blacklist ${PATH}/kernel-install
blacklist ${PATH}/systemd-*
blacklist ${PATH}/udevadm
blacklist /etc/systemd
blacklist /usr/lib/systemd
blacklist /usr/share/systemd
blacklist /var/lib/systemd
blacklist /var/run/systemd
blacklist /var/run/dbus

noblacklist /run/firejail
read-only /run/firejail
# firefox just wants to see inside /run/shm for some reason, but /run/shm is a sym link
# to /dev/shm anyway, and we are running with a private-dev
noblacklist /run/shm
read-only /run/shm
private-dev
# resolvconf must be readable for network access:
noblacklist /run/resolvconf
read-only /run/resolvconf

# unfortunately, firefox does not work if we do 'blacklist /run'
blacklist /run/*
blacklist /usr/src
blacklist /usr/include
blacklist /usr/games
blacklist /usr/libexec
blacklist /usr/local

#private-etc group,hostname,passwd,login.defs,fonts,timezone,localtime,resolvconf,network

net eth0
hostname office
ipc-namespace
protocol unix,inet

mkdir ${HOME}/Downloads
private-etc group,passwd,login.defs,fonts,timezone,localtime,hosts,resolv.conf,resolvconf,network
gitea-mirror 2026-05-05 09:18:31 -06:00: closed this issue and added the notabug label

@rusty-snake commented on GitHub (Jul 3, 2021):

> Error chown: fs_logger.c:117 fs_logger_change_owner: Read-only file system

Let's look at the place where this occurs:

https://github.com/netblue30/firejail/blob/633378e10386127201d79719234242dd79ed785a/src/firejail/fs_logger.c#L115-L118

and what `RUN_FSLOGGER_FILE` is:

https://github.com/netblue30/firejail/blob/0562ceb658efff25583ff619846ef2c0ab697e37/src/include/rundefs.h#L95

Relevant commits:
769129a7a2d019ee4535f00cef73be0e70998bbb
88132d9dfba9db08d424f95f110547028199d661
a5a02b708e871086854fc5da3d8d69beb4acf490

Why do you `read-only /run/firejail`? Does it work if you drop this line?

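A small profile check for the conflict rusty-snake points at, added here as an illustration and not code from the thread or from the firejail project. It assumes fs_logger's file lives under /run/firejail (per the RUN_FSLOGGER_FILE link above) and that a noblacklist covering a path lifts a blacklist on it; the sample profile is a constructed excerpt of the one in the original post.

```python
import fnmatch

# Directory firejail's fs_logger writes into (assumption taken from the
# RUN_FSLOGGER_FILE link in the thread; the exact file name is not checked).
FSLOGGER_DIR = "/run/firejail"

# Constructed excerpt of the profile in the original post, not a real file.
SAMPLE_PROFILE = """\
private
include firefox.profile
noblacklist /run/firejail
read-only /run/firejail
# firefox does not work if we do 'blacklist /run'
blacklist /run/*
blacklist /usr/local
"""

def parse_profile(text):
    """Return (command, argument) pairs, skipping blank lines and comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            cmd, _, arg = line.partition(" ")
            rules.append((cmd, arg.strip()))
    return rules

def covers(pattern, path):
    """True if a profile path or glob matches `path` or one of its parents."""
    parts = path.split("/")
    return any(fnmatch.fnmatchcase("/".join(parts[:i]), pattern)
               for i in range(2, len(parts) + 1))

def lint(text):
    """Return findings for rules that leave FSLOGGER_DIR unusable for fs_logger."""
    rules = parse_profile(text)
    findings = []
    for cmd, arg in rules:
        if cmd == "read-only" and covers(arg, FSLOGGER_DIR):
            findings.append(f"read-only {arg}: fs_logger cannot chown its log under {FSLOGGER_DIR}")
        if cmd == "blacklist" and covers(arg, FSLOGGER_DIR):
            # Assumption: a noblacklist rule covering the directory lifts the blacklist.
            if not any(c == "noblacklist" and covers(a, FSLOGGER_DIR) for c, a in rules):
                findings.append(f"blacklist {arg}: hides {FSLOGGER_DIR} without a matching noblacklist")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_PROFILE):
        print("WARNING:", finding)
```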

@jonleivent commented on GitHub (Jul 3, 2021):

> Why do you read-only /run/firejail? Does it work if you drop this line?

It works if I drop that line, thanks. As to why I had that line: that was several years ago, and I have no notes on that line specifically. Probably just being very aggressive about protecting /run, which at the time (earlier versions of firejail) looked like a place where info could leak out of firejails. I think I asked around that time for something like a private-run akin to private-tmp.


@rusty-snake commented on GitHub (Jul 3, 2021):

> I think I asked around that time for something like a private-run akin to private-tmp.

It was #3189 which is now solved with firejail 0.9.66.

> It works if I drop that line, thanks.

So we can close here, right?


@jonleivent commented on GitHub (Jul 3, 2021):

> So we can close here, right?

Agreed. So I guess I should look into 0.9.66. Do you publish release notes or something else (other than scanning the git commit logs) where I can figure what new/changed behaviors map to what versions?


@rusty-snake commented on GitHub (Jul 3, 2021):

https://github.com/netblue30/firejail/blob/master/RELNOTES
